Chapter 10 Securing the Web Environment 2024 PDF

Document Details

2024

Dr. Kamal Aldin Yousif

Tags

web server security network security cybersecurity web administration

Summary

This document, Chapter 10 Securing the Web Environment, is a presentation covering web server administration security and vulnerabilities. It explores security concepts like threats, vulnerabilities, and protocols, along with specific vulnerabilities in operating systems, web servers, email, and the usage of tools like firewalls for protection.

Full Transcript

WEB SERVER ADMINISTRATION
Chapter 10 Securing the Web Environment
Dr. Kamal Aldin Yousif, Fall 2024

OVERVIEW
 Identify threats and vulnerabilities
 Secure data transmission
 Secure the operating system
 Secure server applications
 Authenticate Web users
 Use a firewall
 Use a proxy server
 Use intrusion detection software

Identifying Threats and Vulnerabilities
 Security vs. simplicity, availability, and user-friendliness
 Focus is on threats from the Internet, the main source of attacks
 Hackers' motivations:
   The challenge of penetrating a system and vandalizing it
   Looking for valuable data: credit card numbers, user names and passwords, other personal data
 One way of hacking: information can be gathered while it is being transmitted
 Often, operating system flaws can assist the hacker (points of interest)

Examining TCP/IP
 The first vulnerability of the system. Why?
   Designed to emphasize ease of communication, not the complications of security
   Hackers often take advantage of the complexity of TCP/IP: once malicious code is injected, it is hard to detect
 The parts of the IP header most relevant to security threats:
   Source address
   Destination address
   Packet identification, flags, fragment offset
   Total length
   Protocol: TCP, UDP, ICMP

TCP: Delivering Data to Applications
 IP is the Network layer protocol that routes the packet (provides the IP address data in the header)
 TCP is the Transport layer protocol (delivers data to applications using ports)
 Important header fields [pg. 498]:
   Source and destination ports
   Sequence number, data offset: show that the data are segmented
   Flags, such as SYN, ACK, FIN: state of the data exchange
 Establishing a TCP connection (diagram)

TCP: Delivering Data to Applications (continued)
 SYN flood: occurs at the server when the client continues to send packets with the SYN flag set but never acknowledges the server's reply; an attack that disables the server's ability to respond
 UDP is an unreliable protocol because it does not guarantee receipt of packets as TCP does
 UDP is a point of interest to attackers
 UDP attacks are difficult to prevent because each UDP packet is sent independently
 ICMP is a Network layer protocol
   Responds to ping requests with an echo (IP scan) [pg. 499]
   For undelivered packets, a destination-unreachable message is sent

Vulnerabilities of DNS
Security problems in DNS implementation standards:
 BIND 8 is the most common implementation of DNS. It has serious bugs:
   Allow unauthorized users root access to a server
   Cause disabling of DNS functions and modification of IP addresses with incorrect ones
 BIND 9, the current version, has been more secure
   Solves the issue of remotely accessing the DNS computer and causing a denial of service

Vulnerabilities in Operating Systems
 Operating systems are large and complex, which means there are more opportunities for attack
 Vulnerabilities are due to inattentive administrators and users running applications that allow attackers to compromise the system
 Some attacks, such as buffer overruns, can allow the attacker to take over the computer
 Remote access tools in Linux
 rlogin (only in private NT)
 Resource availability (storage mapping)

Vulnerabilities in Web Servers [pg. 500-501]
 Static HTML pages pose virtually no problem
 Dynamic Web pages: programming environments, forms, and databases add complexity that a hacker can exploit
 Programmers are more skilled in creating software that works correctly than in preventing the software from being used incorrectly. Why?
   Prevention is difficult because there are more ways to cause software to malfunction than there are to make it work correctly
   Example: e-commerce application case study (page 501)

Vulnerabilities of E-mail Servers
 By design, e-mail servers are a common vulnerability: they accept data anonymously
 Sending an overwhelming number of messages at the same time can prevent valid users from accessing the server (DoS attack)
 Viruses can be sent to e-mail users. How?
   They read an e-mail address book and then send messages to all addresses they find, potentially infecting the recipients' computers
 Retrieving e-mail over the Internet often involves sending your user name and password as clear text
   An attacker can discover these data and be able to redirect or delete messages while in transit

What Is PKI?
A PKI is an asymmetric cryptography security environment that supports the transmission, delivery, and receipt of digital communications over a non-secure communications channel. Its applications:
 E-Commerce
 E-Governance
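The "Examining TCP/IP" and "TCP: Delivering Data to Applications" slides above list the IP and TCP header fields that matter for security and describe the SYN flood. The following added example (not from the lecture or its textbook) parses those fields from raw IPv4/TCP bytes with Python's struct module and applies a simple defensive heuristic over constructed sample traffic: a source that keeps opening handshakes with SYN and never completes them with ACK is flagged. The sample packets, addresses, and the threshold of 10 are constructed for the demonstration; checksums are left at zero because the packets are only parsed, never sent.

```python
"""Parse the IPv4 and TCP header fields named on the slides and flag a
SYN-flood pattern (many SYNs from one source with no ACK follow-up)."""
import struct
from collections import defaultdict

TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10


def parse_ipv4(packet: bytes) -> dict:
    """Extract the IP header fields the slide lists as security-relevant."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes
    return {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "ident": ident,
        "flags": flags_frag >> 13,        # reserved / DF / MF bits
        "frag_offset": flags_frag & 0x1FFF,
        "total_len": total_len,
        "protocol": {1: "ICMP", 6: "TCP", 17: "UDP"}.get(proto, str(proto)),
        "payload": packet[ihl:],
    }


def parse_tcp(segment: bytes) -> dict:
    """Extract ports, sequence number, data offset and the SYN/ACK/FIN flags."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = \
        struct.unpack("!HHIIHHHH", segment[:20])
    flags = off_flags & 0x01FF
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (off_flags >> 12) * 4,
        "syn": bool(flags & TCP_SYN),
        "ack_flag": bool(flags & TCP_ACK),
        "fin": bool(flags & TCP_FIN),
    }


def build_packet(src, dst, sport, dport, flags, seq=0, ident=1) -> bytes:
    """Constructed test fixture: an IPv4+TCP packet with zero checksums."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                      (5 << 12) | flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ident,
                     0x4000, 64, 6, 0, src_b, dst_b)
    return ip + tcp


def syn_flood_sources(packets, threshold=10):
    """Sources with at least `threshold` half-open handshakes.
    Heuristic only: each bare SYN adds one, each handshake-completing ACK
    from the same source removes one."""
    pending = defaultdict(int)
    for raw in packets:
        ip = parse_ipv4(raw)
        if ip["protocol"] != "TCP":
            continue
        tcp = parse_tcp(ip["payload"])
        if tcp["syn"] and not tcp["ack_flag"]:
            pending[ip["src"]] += 1
        elif tcp["ack_flag"] and not tcp["syn"]:
            pending[ip["src"]] = max(0, pending[ip["src"]] - 1)
    return sorted(s for s, n in pending.items() if n >= threshold)


# Constructed sample traffic: one well-behaved client, one flooding source.
SAMPLE = [
    build_packet("10.0.0.5", "192.0.2.10", 40000, 80, TCP_SYN, seq=100),
    build_packet("10.0.0.5", "192.0.2.10", 40000, 80, TCP_ACK, seq=101),
]
for i in range(12):
    SAMPLE.append(build_packet("203.0.113.7", "192.0.2.10", 1024 + i, 80,
                               TCP_SYN, seq=i, ident=i))

if __name__ == "__main__":
    print(parse_ipv4(SAMPLE[0]))
    print(parse_tcp(parse_ipv4(SAMPLE[0])["payload"]))
    print("suspected SYN flood sources:", syn_flood_sources(SAMPLE))
```

Real SYN-flood defences (SYN cookies, per-source rate limits in the firewall) work on the same observation this heuristic makes: handshakes that are started but never completed.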
WHAT DOES PKI DO?
 Authenticates the sender of digital communications
 Protects the integrity of digital communications
 Key pair
   Private
   Public
 Trusted third party

How PKI Works in Digital Communications (diagram)

How PKI Works
At the sender side:
 A hash function is applied to the message
 The digest is encrypted using the public key -> message signature
 The signature is appended to the plain-text message and sent
At the receiver:
 The signature is decrypted using the private key -> expected digest
 The hash function is applied to the message -> actual digest
 Both digests MUST be identical to approve

Securing Data Transmission
 To secure data on a network that is accessible to others, you need to encrypt the data
 SSL is the most common method of encrypting data between a browser and a Web server
 Secure Shell (SSH) is a secure replacement for Telnet and FTP

Secure Sockets Layer (SSL)
 Requires a digital certificate issued by a certification authority (CA); the certificate identifies an organization
 To verify the CA, the public key infrastructure (PKI) is used to define the system of CAs and certificates
 PKI uses public key cryptography, which depends on two keys associated with the digital certificate:
   A public key, shared with everyone, used to encrypt data
   A private key, kept on the server, used to decrypt data
 Only the owner of the public key has the corresponding private key, which is needed to decrypt the data
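The "How PKI Works" slide describes the hash-then-sign flow: hash the message, transform the digest with one key, send message plus signature, and have the receiver recover the expected digest with the other key and compare it with the digest it computes itself. In a digital signature scheme the sender applies the private key and the receiver checks with the public key, and the added example below (not from the lecture) follows that convention. It uses a textbook RSA key pair with small, constructed primes so the arithmetic is visible; a real deployment uses keys of 2048 bits or more, padding such as PSS, and a certificate from a CA to bind the public key to the sender.

```python
"""Hash-then-sign and verify, as on the 'How PKI Works' slide, with a toy RSA
key pair. TOY ONLY: tiny primes, no padding, digest truncated to fit the modulus."""
import hashlib


def make_toy_keypair(p=65537, q=1000003, e=17):
    """Textbook RSA key generation from assumed (constructed) primes.
    Returns (public_key, private_key) as (exponent, modulus) pairs."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def digest(message: bytes, n: int) -> int:
    """Hash function step: SHA-256, reduced modulo n so it fits the toy
    modulus. A real scheme signs a padded, full-size digest instead."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Sender: hash the message, then apply the PRIVATE key to the digest."""
    d, n = private_key
    return pow(digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Receiver: apply the PUBLIC key to the signature to get the expected
    digest, hash the received message to get the actual digest, compare."""
    e, n = public_key
    expected = pow(signature, e, n)
    actual = digest(message, n)
    return expected == actual


def demo():
    """Sign a constructed message, then check an intact and a tampered copy."""
    public_key, private_key = make_toy_keypair()
    message = b"Transfer 100 to account 42"
    signature = sign(message, private_key)
    return {
        "intact_ok": verify(message, signature, public_key),
        "tampered_ok": verify(b"Transfer 900 to account 42", signature, public_key),
        "wrong_sig_ok": verify(message, signature + 1, public_key),
    }


if __name__ == "__main__":
    print(demo())
```

Only the holder of the private key can produce a value that the public key turns back into the message's digest, which is what gives the receiver both sender authentication and integrity, the two properties the "What does PKI do?" slide names.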
Establishing an SSL Connection
Microsoft products such as IIS and Exchange 2000 are SSL-enabled, and Apache is designed to work with SSL

Using SSH for Tunneling
 SSH is used for secure login, replacing Telnet
 Tunneling allows you to use an unsecure protocol, such as POP3, through a secure connection, such as SSH
 No need to change server settings when implementing SSH
 To set up tunneling:
   Configure the SSH client so the local port is 55555 (or another port between 1024 and 65535)
   Configure the SSH client to connect to the POP3 port, 110
   Use the SSH client to log on remotely to the server
   Configure the e-mail client with the address of the POP3 server (local computer IP and port 55555) and log in to the e-mail server
 Tunneling allows the SSH client to send the data from the local computer through the tunnel to POP3 port 110 on the server

Securing the Operating System: How?
 Configure servers to do a single main task, i.e., mail, DB, and Web servers configured separately
 Use the server for only specific tasks: backup, main, secondary server
 Minimize user accounts; any of them may be turned into an infected/attacker node
 Disable services that are not needed
 The best security is to prevent any access to the Web server except by the browser
 Make sure that you have a secure password, using upper case, lower case, numbers and symbols
 Best practice is to balance your security needs with ease of use

Securing Windows: How?
 Change the name of the administrator account to a name unrelated to "admin"
 There are many services that are not needed in Windows for most Internet-based server applications; disable them:
   Alerter
   Computer Browser
   DHCP Client
   DNS Client -> cannot use the Internet browser
   Messenger
   Server
   Workstation -> mapping a drive to another computer to transfer files
 The Registry can be used to alter the configuration to make it more secure, for example disabling short file names
   Misconfiguring the Registry may cause the whole system to break down

Securing Linux: How?
 As with Windows, make sure that you only run daemons (services) that you need
 Generally, daemons are disabled by default; this is why Linux systems are more secure than Windows
 The command netstat -l gives you a list of daemons that are running
 Use chkconfig to enable and disable daemons; for example, chkconfig imap on would enable imap
 Recommended services to be disabled at the server:
   Printer service (lpd), NFS (Network File System), "r" services (root), such as rlogin, rexec, rsh, and rcp
   Most of these services allow sharing files in an Internet environment
 Regular updates of software patches, to improve the security profile

Securing Server Applications: FTP and Telnet
 Both send credentials in plaintext
 SSH allows you to perform the same tasks as Telnet, but in a secure environment
 SSH does not prompt you for a user name; it uses the same user name created for the OS (Linux)
 In Linux, SSH is installed by default and can be used through the command line
 In Windows, you need to install the PuTTY tool, which works as an SSH client
 SSH also allows transferring FTP files in a secure manner using the sftp command

Securing Server Applications: Securing E-mail
 Configured to be open to the world, so more susceptible to being breached
 In Linux, sendmail's high complexity may cause misconfiguration by a beginner admin -> security threat
   Qmail is an alternative: light and secure
 In Windows, Exchange 2000 is also complex
   Ability to tunnel POP3, which prevents data from being seen
   Exchange 2000 can also use SSL for the protocols: more secure
 Sending large e-mail messages until the disk is full -> set a size limit for each mailbox
 Use of e-mail to send a virus or pose as a trusted associate -> use a premium Internet security application
 E-mail spoofing: sending e-mail messages with a forged sender address
   How to prevent: modify the Windows Registry to prevent Exchange from resolving a sender's address for external mail

Securing Server Applications: Securing the Web Server
 Enable the minimum features
   If you don't need a programming language, do not enable it
 Make sure programmers understand security issues
 Implement SSL to encrypt sensitive data such as personal information or credit card numbers
 Follow up with the product reviews (by users and experts) and consider the identified issues
 How to secure Apache / Exchange 2000:
   1. Use SSH running on a virtual server -> secure client-server communication
   2. Control user access: limit the users accessing the server
   3. Check and delete specific virtual directories in Microsoft Exchange 2000 to avoid DoS using SYN flood attacks
 Tools by Microsoft in Exchange 2000:
   Urlscan -> keeps harmful page requests from reaching the server (restricting the type and size of requests)
   Lockdown -> adjusts security settings based on the server role
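The four setup steps on the "Using SSH for Tunneling" slide describe a local port forward: the mail client connects to port 55555 on the local machine, and the SSH client carries those bytes to port 110 on the server. With OpenSSH the same thing is `ssh -L 55555:localhost:110 user@server`; PuTTY has the equivalent under its Tunnels settings. The added example below (not from the lecture) shows the forwarding half of that arrangement in plain Python so the data path is visible: a listener on the local port, and a relay that copies bytes in both directions to the target. The encryption that SSH adds between the two hosts is deliberately not implemented here. Because binding port 110 needs privileges, the demo uses a constructed echo service on an ephemeral loopback port as the stand-in for POP3, and an ephemeral local port as the stand-in for 55555.

```python
"""Local port forwarding as in the SSH tunnel on the slide: the client talks to
a local port and the bytes are relayed to the service port on the server.
Pure-Python relay without the encryption that real SSH provides."""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until the source closes, then half-close the far side."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class LocalForwarder:
    """Listen on 127.0.0.1:local_port and relay each connection to target.
    With the slide's values this would be local_port=55555, target_port=110."""

    def __init__(self, target_host: str, target_port: int, local_port: int = 0):
        self.target = (target_host, target_port)
        self._listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._listener.bind(("127.0.0.1", local_port))   # local side only
        self._listener.listen(5)
        self.local_port = self._listener.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self) -> None:
        while True:
            try:
                client, _ = self._listener.accept()
            except OSError:          # listener closed
                return
            upstream = socket.create_connection(self.target)
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    def close(self) -> None:
        self._listener.close()


def start_echo_server() -> int:
    """Constructed stand-in for the POP3 service: echoes whatever it receives.
    Uses an ephemeral port because port 110 is privileged. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def send_through_tunnel(local_port: int, line: bytes) -> bytes:
    """Act as the mail client: connect to the local tunnel port, send one line,
    and read the reply that comes back through the tunnel."""
    with socket.create_connection(("127.0.0.1", local_port), timeout=5) as c:
        c.sendall(line)
        reply = b""
        while not reply.endswith(b"\r\n"):
            chunk = c.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply


if __name__ == "__main__":
    service_port = start_echo_server()            # stand-in for POP3 port 110
    tunnel = LocalForwarder("127.0.0.1", service_port)   # stand-in for port 55555
    print(send_through_tunnel(tunnel.local_port, b"USER alice\r\n"))
    tunnel.close()
```

The point the slide makes, that the server needs no configuration change, holds here too: the echo service never learns that a tunnel exists, it simply sees a connection arriving from the SSH server's side.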
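The "Securing Linux" slide gives a procedure: list what is listening with netstat, compare it with what the server actually needs, and turn the rest off with chkconfig. The added example below (not from the lecture) automates that audit over a constructed `netstat -ln`-style listing (numeric form of the slide's `netstat -l`): it parses the Local Address column, flags the well-known ports of the services the slide recommends disabling (lpd, NFS, rlogin, rexec, rsh), notes whether each is bound to all interfaces, and emits the matching `chkconfig <name> off` commands. The port-to-service-name table and the sample output are assumptions for the demonstration; the chkconfig names are those the slide uses.

```python
"""Audit a 'netstat -ln' style listing against the services the slide
recommends disabling, and produce the chkconfig commands to turn them off."""

# Well-known ports of the services named on the slide (assumed table).
RISKY_PORTS = {
    515: "lpd",      # printer service
    2049: "nfs",     # Network File System
    513: "rlogin",
    512: "rexec",
    514: "rsh",      # rcp rides on the rsh service
}

# Constructed sample output in the numeric form of netstat -l.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:513             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:2049            0.0.0.0:*
"""


def parse_listeners(text: str):
    """Return (proto, bind_address, port) for each socket line; skip headers."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        addr, _, port = parts[3].rpartition(":")   # rpartition copes with IPv6 "::1:22"
        listeners.append((parts[0], addr, int(port)))
    return listeners


def risky_listeners(text: str):
    """Listeners on the slide's disable list, with an 'exposed' flag when the
    daemon is bound to every interface rather than loopback only."""
    findings = []
    for proto, addr, port in parse_listeners(text):
        if port in RISKY_PORTS:
            exposed = addr in ("0.0.0.0", "::")
            findings.append((proto, addr, port, RISKY_PORTS[port], exposed))
    return findings


def disable_commands(text: str):
    """The chkconfig commands (the slide's tool) for each flagged service."""
    return [f"chkconfig {name} off" for _, _, _, name, _ in risky_listeners(text)]


if __name__ == "__main__":
    for finding in risky_listeners(SAMPLE_NETSTAT):
        print(finding)
    print("\n".join(disable_commands(SAMPLE_NETSTAT)))
```

The exposed flag captures the other point on the slide's list: a service reachable on every interface is reachable from the Internet, whereas the SMTP listener in the sample is bound to loopback and reachable only locally.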
Configuring User Authentication in IIS
 Authentication can be set on a Web server for the whole Web site or only for selected directories
 Four types of authenticated access:
   Windows integrated authentication
     Most secure approach
     Uses a cryptographic exchange and can authenticate a user without having the password sent to the server
     Requires IE
   Digest authentication for Windows domain servers
     Sends encrypted login credentials to the server
     Works with proxy servers
     Requires Active Directory and IE
   Basic authentication
     User name and password in clear text
     Works with IE, Netscape, and others
   Passport authentication
     Centralized form of authentication supported by Microsoft
     Only available on Windows Server 2003

Using a Firewall
 A firewall implements a security policy (IP filtering) between networks
 Our focus is between the Internet and an organization's network
 You need to limit access, especially from the Internet to your internal computers
   Restrict access to Web servers, e-mail servers, and other related servers
   Allow access from the internal network to the Internet
Types of Filtering in a Firewall
 Packet filtering
   Looks at each individual packet
   Based on rules, it determines whether to let it pass through the firewall
 Circuit-level filtering (stateful or dynamic filtering)
   Controls the complete communication session, not just individual packets
   Allows traffic initiated from within the organization to return, yet restricts traffic initiated from outside
 Application-level
   Instead of transferring packets, it sets up a separate connection to totally isolate applications such as Web and e-mail

A Packet-Filtering Firewall
 Consists of a list of acceptance and denial rules
   iptables is a command-line utility available on Linux to filter packets by creating a script with rules that define your firewall
 A firewall independently filters what comes in and what goes out
 It is best to start with a default policy that denies all traffic, in and out
 Three types of packets to filter: TCP, UDP, ICMP
 We can reject or drop a failed packet (page 533). Example:
   Drop (best): thrown away without response
   Reject: an ICMP (Internet Control) message is sent in response

SUMMARY
 User authentication controls access to one or more Web server directories
 Firewalls control access policies between networks
 A proxy server delivers content on behalf of a user or server application
 Intrusion detection software identifies intrusions but typically does not prevent them

THANK YOU
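The "Types of Filtering" and "A Packet-Filtering Firewall" slides above describe rule lists evaluated per packet, a default policy that denies everything, circuit-level tracking so that replies to sessions opened from inside may return, and the choice between dropping a packet silently and rejecting it with an ICMP message. The added example below (not from the lecture, and not iptables itself) is a small Python model of exactly that decision logic, run over constructed sample traffic for a public Web server: inbound 80/443 accepted, all other inbound traffic hitting the default DROP, one port set to REJECT purely to show the difference in what the sender learns, and an inside-initiated HTTPS session whose reply is admitted while an identical-looking unsolicited packet is not. Rule order, addresses and ports are constructed for the demonstration.

```python
"""Model of packet filtering plus circuit-level (stateful) filtering as on the
slides: default-deny, first-match rules, return traffic for inside-initiated
sessions, and DROP versus REJECT."""
from dataclasses import dataclass, field
from typing import Optional

ACCEPT, DROP, REJECT = "ACCEPT", "DROP", "REJECT"


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the Internet, "out" = leaving the organization
    proto: str       # "TCP", "UDP" or "ICMP", the three packet types the slide names
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    direction: str
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any port
    action: str = ACCEPT

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


@dataclass
class Firewall:
    rules: list = field(default_factory=list)
    default_policy: str = DROP   # slide: start with a policy that denies all traffic
    sessions: set = field(default_factory=set)   # (inside host, outside host, outside port)
    log: list = field(default_factory=list)

    def _decide(self, p: Packet) -> str:
        # Circuit-level check: a reply to a session opened from inside may return.
        if p.direction == "in" and (p.dst, p.src, p.sport) in self.sessions:
            return ACCEPT
        for r in self.rules:          # first matching rule wins, as in an iptables chain
            if r.matches(p):
                return r.action
        return self.default_policy

    def filter(self, p: Packet) -> str:
        verdict = self._decide(p)
        if verdict == ACCEPT and p.direction == "out" and p.proto in ("TCP", "UDP"):
            self.sessions.add((p.src, p.dst, p.dport))   # remember the inside-initiated flow
        elif verdict == REJECT:
            self.log.append(f"REJECT {p.src}: ICMP unreachable sent back")   # sender is told
        elif verdict == DROP:
            self.log.append(f"DROP {p.src}: no response")   # sender learns nothing
        return verdict


def web_server_policy() -> Firewall:
    """Policy in the spirit of the 'Using a Firewall' slide: public Web ports
    open, everything else from the Internet denied, inside may reach out."""
    return Firewall(rules=[
        Rule("in", "TCP", 80),
        Rule("in", "TCP", 443),
        Rule("in", "TCP", 25, action=REJECT),   # only to contrast REJECT with DROP
        Rule("out"),                            # allow all outbound traffic
    ])


# Constructed sample traffic (documentation address ranges).
SAMPLE_TRAFFIC = [
    Packet("in", "TCP", "203.0.113.7", "192.0.2.10", 50000, 80),    # Web request
    Packet("in", "TCP", "203.0.113.7", "192.0.2.10", 50001, 22),    # SSH from outside
    Packet("in", "TCP", "203.0.113.7", "192.0.2.10", 50002, 25),    # SMTP attempt
    Packet("out", "TCP", "10.0.0.5", "198.51.100.9", 40000, 443),   # inside opens HTTPS
    Packet("in", "TCP", "198.51.100.9", "10.0.0.5", 443, 40000),    # its reply
    Packet("in", "TCP", "198.51.100.9", "10.0.0.6", 443, 40000),    # no such session
    Packet("in", "UDP", "203.0.113.9", "192.0.2.10", 5353, 53),     # unsolicited UDP
]


def run_sample():
    """Apply the policy to the sample traffic; return (verdicts, log)."""
    fw = web_server_policy()
    return [fw.filter(p) for p in SAMPLE_TRAFFIC], fw.log


if __name__ == "__main__":
    verdicts, log = run_sample()
    for p, v in zip(SAMPLE_TRAFFIC, verdicts):
        print(f"{p.direction:>3} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {v}")
    print("\n".join(log))
```

The log shows why the slide calls DROP the better choice: a rejected packet hands the sender a confirmation that a filter exists, while a dropped one gives nothing back.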
