Case Study: A Forensic Lesson for Web Security (MSS, part one)


Bishop: Chapter 27
System Security
csci5233 Computer Security
1
Outline
• Various systems require different configurations and administration.
  – web server system, development system, corporate data system, …
• Policy
• System Administration
  – Networks
  – Users
  – Authentication
  – Processes
  – Files
Sample Network Organization (from chapter 26, net security)
[Figure: Internet – Outer Firewall – Demilitarized Zone (DMZ: Web Server, Mail Server, DNS Server (DMZ), Log Server) – Inner Firewall – Intranet (Corporate data subnet, Customer data subnet, Development subnet, Internal Mail server, DNS Server (internal))]
Policy
• Limited Services
  1. Traffic filtering: All incoming web connections and all replies must pass the outer firewall.
  2. Authentication: All users (administrator, developers) log in from an internal trusted server running SSH.
  → Only connections made through the firewall over the HTTP and HTTPS ports, and those from the internal trusted server, are accepted.
Policy
• Limited Services (cont.)
  3. No local updates: Web pages are never updated locally. New pages are downloaded through the SSH tunnel.
  4. Log transmission: Log messages are transmitted to the DMZ log server only.
  5. DNS query: The web server may query the DMZ DNS system for IP addresses.
Policy (cont.)
• Other than those services expressly mentioned above, no other network services are provided by the web server.
  → To prevent the web server from being used by attackers as a stepping stone for attacks against the network or the other servers
Policy (cont.)
• Data generated by the web server (e.g., by a CGI script or a Java servlet) are enciphered and then written into a spooling area, which can only be retrieved by a trusted internal host using the SSH tunnel. The public key of the principal who will decipher the data must reside on the web server.
• Web server services must be implemented correctly. → high assurance
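An added example (not from the slides or from Bishop's text) of the spooling rule above: the web server holds only the recipient's public key, so it can encipher a transaction record that it cannot read back itself; only the trusted internal host, which keeps the private key, can open the entry after pulling it through the SSH tunnel. The scheme (ephemeral X25519 plus AES-GCM, with SHA-256 standing in for a real key-derivation function) and the entry layout are this example's own choices, not anything the slides prescribe.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// aeadFor runs X25519 between one private and one public key and derives an AES-256-GCM key from the shared secret.
func aeadFor(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared) // simplified KDF for the example; use HKDF with context info in practice
	block, _ := aes.NewCipher(key[:]) // 32-byte key, so this cannot fail
	return cipher.NewGCM(block)
}

// SealForSpool runs on the web server, which holds only the recipient's public key.
// Entry layout: 32-byte ephemeral X25519 public key | 12-byte nonce | AES-GCM ciphertext+tag.
func SealForSpool(recipient *ecdh.PublicKey, record []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(eph, recipient)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(append(eph.PublicKey().Bytes(), nonce...), nonce, record, nil), nil
}

// OpenFromSpool runs on the trusted internal host, the only place the private key exists.
func OpenFromSpool(priv *ecdh.PrivateKey, entry []byte) ([]byte, error) {
	if len(entry) < 32+12+16 { // ephemeral key, nonce and GCM tag at minimum
		return nil, errors.New("spool entry too short or truncated")
	}
	ephPub, _ := ecdh.X25519().NewPublicKey(entry[:32]) // exactly 32 bytes, checked above
	gcm, err := aeadFor(priv, ephPub)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, entry[32:44], entry[44:], nil) // fails on any tampering or on the wrong key
}
```

A compromised web server that reads the spool sees only entries it cannot decrypt, which is the whole point of keeping the private key off that host.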
Networks
• The principle of separation of privilege:
  – Access to the web server should be limited even when the firewalls fail.
  • The firewall and the SSH tunnel ensure that only connections made through the firewall over the HTTP and HTTPS ports, and those from the internal trusted server, are accepted.
  • All connections from other sources should be blocked.
  • All attempts to connect should be monitored.
Networks
• Questions:
  – Should FTP connections from the Internet be accepted by the web server?
  – How about TELNET connections?
  – What if the web server administrator wants to work from home?
  – Should connections from an internal host be accepted?
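An added example, not part of the slides: the limited-services policy of slides 4 and 5 written as a default-deny allow list that the web server host checks itself, which is the separation-of-privilege point of the previous slide (the limits still hold if the firewalls fail), and evaluated against the four questions above. The trusted host's address and the sample source addresses are constructed for the example; the slides name the trusted host but give no addresses.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Rule is one entry of the default-deny allow list enforced on the web server host itself.
type Rule struct {
	Name   string
	Source netip.Prefix // who may connect
	Port   uint16       // destination port on the web server
}

// Constructed address for the single trusted internal SSH host (an assumption, not from the slides).
var trustedHost = netip.MustParsePrefix("10.0.1.5/32")

// The policy of slides 4 and 5: HTTP and HTTPS from anywhere, SSH only from the trusted host, nothing else.
var policy = []Rule{
	{"http", netip.MustParsePrefix("0.0.0.0/0"), 80},
	{"https", netip.MustParsePrefix("0.0.0.0/0"), 443},
	{"ssh-from-trusted-host", trustedHost, 22},
}

// Decide accepts or rejects one connection attempt and names the rule that decided it. Every
// rejection is appended to monitor, because the slides require that all attempts be monitored.
func Decide(src netip.Addr, port uint16, monitor *[]string) (bool, string) {
	for _, r := range policy {
		if r.Port == port && r.Source.Contains(src) {
			return true, r.Name
		}
	}
	*monitor = append(*monitor, fmt.Sprintf("DENY src=%s dport=%d", src, port))
	return false, "default-deny"
}

func main() {
	var monitor []string
	// The questions of slide 9 as constructed attempts: FTP and TELNET from the
	// Internet, an administrator at home, another internal host, the trusted host.
	for _, a := range []struct {
		src  string
		port uint16
	}{{"203.0.113.9", 21}, {"203.0.113.9", 23}, {"198.51.100.7", 22}, {"10.0.1.99", 22}, {"10.0.1.5", 22}} {
		ok, why := Decide(netip.MustParseAddr(a.src), a.port, &monitor)
		fmt.Printf("%-13s port %-3d accepted=%-5v rule=%s\n", a.src, a.port, ok, why)
	}
	fmt.Printf("%d rejected attempts recorded for monitoring\n", len(monitor))
}
```

Under this policy the administrator at home and any internal host other than the trusted one are rejected just like FTP or TELNET from the Internet; only the trusted host's SSH and public HTTP/HTTPS get through.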
Users
• A valid assumption: The web server may be compromised.
• The number of user accounts on the web server should be minimal (+ the least privilege principle).
• Users
  – Sysadmin
  – User 1: A user with enough privileges to read (and serve) web pages and to write to the web server transaction area
  – User 2: A user who can move files from the web transaction area to the commerce transaction spooling area
Users
• Questions:
  – Should multiple system administrator accounts be created (one for each administrator)?
  – If yes, how can the actions of each administrator be logged (for the sake of accountability)?
  – What are the advantages / disadvantages?
Authentication
• The SSH server uses cryptographic authentication to ensure the source of the connection to the web server is the trusted internal administrative host.
• Other authentication methods may also be used: smart cards, biometrics, one-time passwords, etc.
• Authenticated external access?
Processes
• Each process running in the system is a potential vulnerability. Why?
• The web server system should run a minimum set of processes.
  – Web server process: to serve web pages
  – Commerce server: to support commerce operations
  – SSH server
  – Login server
  – Any essential OS services
• Unnecessary processes/services should be disabled.
Processes
• Issues:
  1. Level of privileges assigned to each of the processes
    • SSH server: sysadmin privileges
    • Login server: sysadmin
    • Web server: minimal privileges to read the web pages + privilege to invoke scripts
    • The scripts: read web pages, write transaction data, communicate with the DBMS
    • Commerce server: privileges to copy transaction files from the web server area to the transaction spooling area
Processes
• Issues (cont.):
  2. File access
    – File system access control lists (ACLs) should function effectively.
    – Be aware of the chroot system call in UNIX → may be a vulnerability allowing a malicious process to have illegal access to the file system
  3. Inter-process communications
    – Processes should be able to communicate only through known, well-defined communication channels.
Files
• Types of files
  – The web pages
  – Log files
  – Spooling area for the e-commerce transactions
  – Program and configuration files
• The system programs and configuration files will not change. They can be stored on a CD-ROM to prevent alterations.
Files
• Questions
  – Should the CGI scripts be stored on the CD-ROM?
  – How about the web pages?
  – What files must be on a hard drive?
  – How often should the transaction data be transferred out of the web server?
Summary
• The web server in the DMZ runs a minimal set of services.
• Unalterable media
• The web server process must accept connections from any host on the Internet → public connections
• The outer firewall can be configured to prevent DoS attacks from the Internet.
• Except for the web server process, the system accepts only enciphered, authenticated connections from a known, trusted host by known, trusted users → SSH connections
Summary (cont.)
• The web server and other servers in the DMZ run with minimal privileges.
• Unnecessary services and programs are removed from the system to prevent accidental running.
• Direct communication between the web server and the backend servers is not allowed; a spooling area or proxy server is used for the two sides to transfer data.
• Data collected by the web server (such as transaction files) are protected by encryption.
• Administrative access to the web server is only allowed via a trusted host + authentication
Next
• Potential Research Areas:
  – Network security
  – Web security
  – Wireless security
  – Web services security
  – ...