Embed Size (px)
Citation preview
1
Unix Web servers and Unix Web servers and FirewallFirewall
PP 200 and P387 to 411 – Web Security by
Lincoln D. Stein
2
Unix Server (..continue..)Unix Server (..continue..)
Monitor the integrity of System Files and Binaries
Back up Your System
Monitor the integrity of System Files and Binaries
Back up Your System
3
Monitor the integrity of Systems Files and Binaries
Monitor the integrity of Systems Files and Binaries
It is to monitor whether the files have been modified by intruders.
The approach is to run a program that generates fingerprint of each ESSENTAIL files. (such as the md5sum (md5 checksum))
Compare the files a few days later and see whether any discrepancy.
It is to monitor whether the files have been modified by intruders.
The approach is to run a program that generates fingerprint of each ESSENTAIL files. (such as the md5sum (md5 checksum))
Compare the files a few days later and see whether any discrepancy.
.sys and .win
4
Back up the systemBack up the system
This is common to any system administrators to perform regular backups of essential files.
tar program is a common utility to perform backup.
This is common to any system administrators to perform regular backups of essential files.
tar program is a common utility to perform backup. Tar is a
Unix command
5
Server Security Checklist (1)Server Security Checklist (1)
Have you installed all security-related patches?Have you disabled all unnecessary services?Have you run a security scanner on your system?
(lab 10)Does the server do double duty as a user
workstation?Do the Web server’s file permissions reasonable?
Have you installed all security-related patches?Have you disabled all unnecessary services?Have you run a security scanner on your system?
(lab 10)Does the server do double duty as a user
workstation?Do the Web server’s file permissions reasonable?
From administrator’s
viewpoint
6
Server Security Checklist (2)Server Security Checklist (2)
Is the Web server running as root? (/)Is the Web server running any unnecessary
features?Have you established the limit of users?Do you monitor system and web pages logs?Do you monitor the integrity of the host?Do you backup your system?
Is the Web server running as root? (/)Is the Web server running any unnecessary
features?Have you established the limit of users?Do you monitor system and web pages logs?Do you monitor the integrity of the host?Do you backup your system?
7
Summary on Unix Web serversSummary on Unix Web servers
To harden a Unix Web server as many as possible (patch, disable features….)
To properly configure the Web server (reduce number of users, file/directory access rights…)
To Monitor the logs (error log and system log, might run fingerprint)
To backup your files (use tar command..)
To harden a Unix Web server as many as possible (patch, disable features….)
To properly configure the Web server (reduce number of users, file/directory access rights…)
To Monitor the logs (error log and system log, might run fingerprint)
To backup your files (use tar command..)
Learnt last
week
8
Web servers & Firewall - OverviewWeb servers & Firewall - Overview
What is a firewall? How to select a firewall? How to configure a firewall? Automatic proxy configuration for
browsers? Examining firewall logs for signs of server
compromise?
What is a firewall? How to select a firewall? How to configure a firewall? Automatic proxy configuration for
browsers? Examining firewall logs for signs of server
compromise?
This week
9
Two firewalls with the Internet – restrict some incoming and outgoing traffic based on rules
Two firewalls with the Internet – restrict some incoming and outgoing traffic based on rules
10
What is a firewall? - 長城 ( 防人牆 ) from http://ljq.free163.net/shgc/wlcc.htm
What is a firewall? - 長城 ( 防人牆 ) from http://ljq.free163.net/shgc/wlcc.htm
11
Waterwall – prevent enemy, protect castle from edtech.floyd.edu/ ~lnewby/feudal_japan.htm
Waterwall – prevent enemy, protect castle from edtech.floyd.edu/ ~lnewby/feudal_japan.htm
12
What is a firewall?What is a firewall? In a traditional LAN
system, all workstations can access the Internet with a result of equal attack from the outside.
Just one of the weakest host will break the system.
The firewall addresses this problem by using a special configurable machine between the outside world and internal machines to control the traffic.
In a traditional LAN system, all workstations can access the Internet with a result of equal attack from the outside.
Just one of the weakest host will break the system.
The firewall addresses this problem by using a special configurable machine between the outside world and internal machines to control the traffic.
13
The location of a firewallThe location of a firewall
All traffic must go through the proxy server (firewall as well ) which then decides to accept or reject the traffic.
All traffic must go through the proxy server (firewall as well ) which then decides to accept or reject the traffic.
14
Two basic Firewall SystemsTwo basic Firewall Systems
There are two basic implementations for firewalls. Dual home gateway firewall, the gateway machine
has two network interface cards each of them is connected to the LAN (inter network) and the Internet (Outer network)
Screened-host gateway uses a router to forward all the traffic from/to the outer and inner networks.
There are two basic implementations for firewalls. Dual home gateway firewall, the gateway machine
has two network interface cards each of them is connected to the LAN (inter network) and the Internet (Outer network)
Screened-host gateway uses a router to forward all the traffic from/to the outer and inner networks.
15
Dual-home gateway firewallDual-home gateway firewall
By default, the two networks are isolated.
However, there is a need to communicate between the inner and outer networks through the specialised programs called proxy (or proxies, many programs with firewall features)
By default, the two networks are isolated.
However, there is a need to communicate between the inner and outer networks through the specialised programs called proxy (or proxies, many programs with firewall features) block
16
Screen-hosted gatewayScreen-hosted gateway A network router is
used to control access to the inner network. The router restricts communication between the outer and inner networks.
It ensures that the packets from the Internet can reach the well secured proxy which then examines the data.
In fact, there is no effective difference between dual-
home and screen-host
17
Notes about firewallNotes about firewall
Many companies use firewall systems that are not strictly firewalls. They are used to block dangerous traffic only.
The essence of a firewall system is to allow or deny passage to network traffic. They are application level for particular communications protocols, such as HTTP, e-mail, FTP (You need to configure the rule)
For example, if you decided to block all active X, you then program the proxy to check the contents of all HTML and block those that have active X.
Many companies use firewall systems that are not strictly firewalls. They are used to block dangerous traffic only.
The essence of a firewall system is to allow or deny passage to network traffic. They are application level for particular communications protocols, such as HTTP, e-mail, FTP (You need to configure the rule)
For example, if you decided to block all active X, you then program the proxy to check the contents of all HTML and block those that have active X.
18
Select a firewall system (1)Select a firewall system (1)
Because of the large number of competing firewall vendors, it can be difficult to choose. Below is a check list.Operating system: Firewall products are available
that run on both Unix (linux) or Windows XP systems. Neither has advantages over others. If you are familiar with Unix, Choose it.
Protocols used: All firewalls will handle FTP, e-mail, HTTP, NNTP telnet etc, but some might not handle SNMP or Real Audio etc. Choose those that can satisfy your need.
Because of the large number of competing firewall vendors, it can be difficult to choose. Below is a check list.Operating system: Firewall products are available
that run on both Unix (linux) or Windows XP systems. Neither has advantages over others. If you are familiar with Unix, Choose it.
Protocols used: All firewalls will handle FTP, e-mail, HTTP, NNTP telnet etc, but some might not handle SNMP or Real Audio etc. Choose those that can satisfy your need.
19
Select a firewall system (2)Select a firewall system (2)
Filter types:Network filters based on application level proxies gives the programmers control over what passes across the firewall. Network filters based on circuit-level proxies have better performance such as IP packet-filtering system.
Logging: A firewall performs exhaustive logging with tools to analyse the log and summarise the log.
Administration: Some firewalls are configured with graphical user interfaces, others use text only.
Filter types:Network filters based on application level proxies gives the programmers control over what passes across the firewall. Network filters based on circuit-level proxies have better performance such as IP packet-filtering system.
Logging: A firewall performs exhaustive logging with tools to analyse the log and summarise the log.
Administration: Some firewalls are configured with graphical user interfaces, others use text only.
20
Select a firewall system (3)Select a firewall system (3)
Simplicity: Good firewall systems are simple. The proxies are small and easy to understand.
Tunneling: Some firewall systems provide the ability to setup up an encrypting tunnel across the Internet in order to securely connect two networks. (Tunneling is the transmission of data intended for use only within a private, usually corporate network through the Internet in such a way that the routing nodes in the Internet are unaware that the transmission is part of a private network. VPN is an example.)
Simplicity: Good firewall systems are simple. The proxies are small and easy to understand.
Tunneling: Some firewall systems provide the ability to setup up an encrypting tunnel across the Internet in order to securely connect two networks. (Tunneling is the transmission of data intended for use only within a private, usually corporate network through the Internet in such a way that the routing nodes in the Internet are unaware that the transmission is part of a private network. VPN is an example.)
21
Products Products
Product FeatureAltaVista Uses a combination of packet filters, application
level proxies and circuit-level
BorderWare A Unix-only system for both application-level and packet-level
CyberGuard Unix to support packet filtering, application and circuit-level.
Eagle Uses application and circuit level proxy and is available for NT and Unix machines
Firewall-1 Packet filtering an stateful inspection for NT and Unix
Gauntlet Available a a software-only package or as a turnkey combination.
No need to memorise
22
How to configure a firewall?How to configure a firewall?
As there are many commercial products with different commands and approaches, here, we would use a table for describing the routing information and is independent on any products.
Outgoing web access1. How to allow people within your organisation
to safely browse the Web;
2. How to make your organisation’s public web available to the rest of the world?
As there are many commercial products with different commands and approaches, here, we would use a table for describing the routing information and is independent on any products.
Outgoing web access1. How to allow people within your organisation
to safely browse the Web;
2. How to make your organisation’s public web available to the rest of the world?
23
A simple example – packet filter – IE and FTPA simple example – packet filter – IE and FTP
Assume that you need to provide filter exceptions for outgoing connections to the HTTP (port 80) and FTP (port 21) and the data sent back in response to those connections. (RULE)
Assume that you need to provide filter exceptions for outgoing connections to the HTTP (port 80) and FTP (port 21) and the data sent back in response to those connections. (RULE)
Action Src Port Dest Port Flags Comment
Block * * * * * Block all
Allow [internal user]
* * 80 * Browse outside (iexplorer – outgoing)
Allow * 80 * * ACK ie- Incoming
Allow [internal user]
* * 21 * ftp - outgoing
Allow * 21 * * ACK ftp - incoming
important
24
ExplanationExplanation
The first column indicates whether it is allowed or blocked that traffic.
The second and third columns indicate which traffic shows from the source. Here port number is specified as well.
The fourth and fifth columns indicate that outgoing (destination) traffic. Again, port number is specified as well.
Flags indicates whether it is an acknowledgement.
The first column indicates whether it is allowed or blocked that traffic.
The second and third columns indicate which traffic shows from the source. Here port number is specified as well.
The fourth and fifth columns indicate that outgoing (destination) traffic. Again, port number is specified as well.
Flags indicates whether it is an acknowledgement.
25
Another simple example – block IE and allow FTP
Another simple example – block IE and allow FTP
Assume that you need to provide filter exceptions for outgoing connections to the FTP (port 21) and the data sent back in response to those connections. We simply block all traffic expect FTP.
Assume that you need to provide filter exceptions for outgoing connections to the FTP (port 21) and the data sent back in response to those connections. We simply block all traffic expect FTP.
Action Src Port Dest Port Flags Comment
Block * * * * * Block all
Allow [internal user]
* * 21 * ftp - outgoing
Allow * 21 * * ACK ftp - incoming
important
26
Picture – Gopher protocol is blocked, the table is in the ProxyPicture – Gopher protocol is blocked, the table is in the Proxy
26
27
A simple example – application level – outgoing, linux environment
A simple example – application level – outgoing, linux environment
If the firewall uses application level proxy to provide Internet access, we need to enable separate proxies for each of the protocols commonly used on the Web such as HTTP, FTP, SSL. Below is an example for FTP for a Class C network at 189.45.56#rules for the FTP gatewayftp-gw: denial-msg /usr/local/ect/ftp-deny.txtftp-gw: welcome-msg /us/local/ect/ftp-welcome.txtftp-gw: help-msg /usr/local/etc/ftp-help.txtftp-gw: timeout 3600ftp-gw: deny-hosts unknownftp-gw: permit-hosts 189.45.56.*#rules for the http/gopher gatewayhttp-gw: permit-hosts 189.45.56.*
If the firewall uses application level proxy to provide Internet access, we need to enable separate proxies for each of the protocols commonly used on the Web such as HTTP, FTP, SSL. Below is an example for FTP for a Class C network at 189.45.56#rules for the FTP gatewayftp-gw: denial-msg /usr/local/ect/ftp-deny.txtftp-gw: welcome-msg /us/local/ect/ftp-welcome.txtftp-gw: help-msg /usr/local/etc/ftp-help.txtftp-gw: timeout 3600ftp-gw: deny-hosts unknownftp-gw: permit-hosts 189.45.56.*#rules for the http/gopher gatewayhttp-gw: permit-hosts 189.45.56.*
No need to
memorise , step by step, but have to understand
28
ExplanationExplanation The first six lines of this file set up defaults for
the FTP proxy. The line containing deny-host prohibits the use of
the proxy by any machine without a domain name system entry (here unknown)
The line containing permit-host allows any hosts in the internal network to use the proxy. Others are prohibited by default. (here, permit-hosts 193.49.189.*, any at this network.)
The first six lines of this file set up defaults for the FTP proxy.
The line containing deny-host prohibits the use of the proxy by any machine without a domain name system entry (here unknown)
The line containing permit-host allows any hosts in the internal network to use the proxy. Others are prohibited by default. (here, permit-hosts 193.49.189.*, any at this network.)
29
Incoming Web accessIncoming Web access
Once we solve the problem of outgoing Web services, we need to consider the incoming Web access.
There are many possibilities (web server with proxy, web server inside the LAN, web server outside the LAN.) Here, we introduce:– Judas server – Proxy and Web server– Sacrificial Lamb – Web server outside firewall– Private Affairs – Web server inside the firewall– Doubly Fortified Server - use multi-level of proxy to
separate networks.
Once we solve the problem of outgoing Web services, we need to consider the incoming Web access.
There are many possibilities (web server with proxy, web server inside the LAN, web server outside the LAN.) Here, we introduce:– Judas server – Proxy and Web server– Sacrificial Lamb – Web server outside firewall– Private Affairs – Web server inside the firewall– Doubly Fortified Server - use multi-level of proxy to
separate networks.
30
Judas – combine Proxy and Web server
Judas – combine Proxy and Web server
It is not a good idea to combine proxy and web server together.
It is because Web server cannot be trusted to be bug free.
Any security holes will degrade the proxy.
It is not a good idea to combine proxy and web server together.
It is because Web server cannot be trusted to be bug free.
Any security holes will degrade the proxy.
Not a good idea
31
The Sacrificial LambThe Sacrificial Lamb The safest place for
a public web server is outside the firewall. It is intended to public use.
Because communication between LAN and the public web server is restricted, it is difficult to use file sharing or remote login to update the material in the web server.
The safest place for a public web server is outside the firewall. It is intended to public use.
Because communication between LAN and the public web server is restricted, it is difficult to use file sharing or remote login to update the material in the web server.
Access by
outsiders
32
The Private Affair ServerThe Private Affair Server
If the Web server is not intended to be publicly available, all best location is behind the firewall.
It maintains confidential or sensitive information.
If the Web server is not intended to be publicly available, all best location is behind the firewall.
It maintains confidential or sensitive information.
Filter all first
33
The Doubly Fortified ServerThe Doubly Fortified Server If you consider your web server contains
highly confidential information, you should place it out of the Internet with a multiple level firewalls. (You have to set up a private firewall system.)
If you consider your web server contains highly confidential information, you should place it out of the Internet with a multiple level firewalls. (You have to set up a private firewall system.)
34
Running a reverse Web proxy
The primary mission of firewall proxies is to allow people inside the organisation to make outgoing connections to servers on the Internet.
Their desk-top software connects to a proxy on the firewall; it relays the request to the Internet server and forwards the server's response back.
It is also possible to use application-level proxies in the reverse direction to grant people on the Internet controlled access to a Web server.
35
Flow of Information – Bastion
(firewall) Flow of Information – Bastion
(firewall)
36
Hybrid Server
The hybrid approach is to combine two together. One on an external scarified lamb server; one on the firewall.
In this configuration, an internal server is maintained behind the firewall and kept completely inaccessible from the outside world.
The hybrid approach is to combine two together. One on an external scarified lamb server; one on the firewall.
In this configuration, an internal server is maintained behind the firewall and kept completely inaccessible from the outside world.
37
Hybrid approach – Bastion (firewall here)
Hybrid approach – Bastion (firewall here)
38
SummarySummary Firewall is to filter the unwanted traffic It is to limit the Incoming and outgoing
traffic as well. Criteria to select a firewall Configure a firewall – application level
(IE, e-mail) or packet level (IP or TCP) Incoming web access – Judas server,
Sacrificial lamb, Private affair, Doubly fortified server, reverse web proxy etc.
Firewall is to filter the unwanted traffic It is to limit the Incoming and outgoing
traffic as well. Criteria to select a firewall Configure a firewall – application level
(IE, e-mail) or packet level (IP or TCP) Incoming web access – Judas server,
Sacrificial lamb, Private affair, Doubly fortified server, reverse web proxy etc.
39
Next Week
Policy and Law
