If you plan to run a web server, you’d better be prepared to see it attacked. Securing a web server is a non-trivial task that requires an understanding of the web server’s relationship with the network. Knowing which security measures the network and the web server already provide lets you judge how much security your applications must supply themselves. In this chapter, we will look at how to ensure the network is secure, and then go through the steps for making a secure and dynamite web server. We will also address what to do in the event of an attack.
Protecting Your Web Server – Network Security
See that telephone cable coming out of your DSL/cable modem? That’s the Internet. Before we can set up a web server, we must first prepare the network. You don’t want to plug the web server into the Internet with a ‘Hack Me’ sign on it, do you? We must take some precautions first.
Firewalls
A firewall is a device sitting between a private network and a public network. Part of what helps make a private network private is, in fact, the firewall. The firewall’s job is to control traffic between computer networks with different zones of trust—for example, an internal, trusted zone, such as a private network, and an external, non-trusted zone, such as the Internet.
Trust boundaries
Different trust zones meet at what are known as trust boundaries. A trust boundary is like a junction in the network and, as mentioned earlier, junctions require added security attention. We need to make sure that all the gaps are filled and that the firewall allows only the right kind of traffic. We do this with firewall rules. Firewall rules establish a security policy governing what traffic is allowed to flow through the firewall and in what direction.
The ultimate goal is to provide a controlled interface between the different trust zones and enforce common security policy on the traffic that flows between them based on the following security principles:
Principle of least privilege
A user should be allowed to do only what she is required to do.
Separation of duties
Define roles for users and assign different levels of access control. Control how the application is developed, tested, and deployed and who has access to application data.
Firewalls are good at making quick decisions about whether one machine should be allowed to talk to another. The easiest way for the firewall to do this is to base its decisions on source address and destination address, usually combined with the protocol and destination port.
Protecting Your Web Server – Security concerns
What’s this rule for?
Far too often, firewalls are found with rules that nobody remembers adding. They stay because administrators fear something will break if they remove them. When firewall rules are introduced, there should be a well-defined procedure for recording each rule, its purpose and who requested it, so that it can be reviewed and removed once it is no longer needed.
Another problem is that, to see whether a firewall is actually doing what it is supposed to be doing, you need to beat on it with a penetration-testing tool and monitor it with intrusion detection software. In other words, you have to hack it to see if it breaks.
Port 80
That’s just web traffic, right? Port 80 is sometimes called the firewall bypass port, because firewalls are often configured to allow any traffic in and out on it. Firewall administrators open port 80 for web traffic, and developers take advantage of the open port by running things such as web services through it, so much for firewall security. The firewall sees only addresses and ports; it cannot tell a web page from a remote procedure call tunnelled over HTTP, so a rule that allows port 80 should at least be scoped to the addresses that are actually supposed to serve web pages.
SSL
SSL must be terminated before the firewall so that the firewall can inspect the data and make decisions about the content being sent or received; otherwise all the firewall sees is ciphertext, and it can only judge addresses and ports. Terminating it naively has a cost, though. If the firewall, or some proxy in front of or behind it, ends the SSL session and passes plain HTTP on to the user, she won’t see a lock in her browser and may rightly become concerned that she cannot do secure online banking.
SSL proxies
There is a crafty solution to the SSL problem: an SSL proxy server. A proxy server can set up its own outbound SSL connection to the server the user wants to contact. The proxy server then negotiates a separate SSL connection with the user’s browser. The user’s browser doesn’t know what is on the other side of the proxy, so it cannot get to the other side without the proxy’s help.
The proxy then impersonates the destination web server by generating and signing, on the fly, a certificate for that web destination. The only way this works is if the user’s browser trusts the proxy as a certificate authority: if the browser has the company’s Certificate Authority (CA) certificate in its trusted store of certificates, it will accept the proxy’s generated certificate as legitimate.
Once this sort of proxy is set up, all content flowing through it can be inspected thoroughly without encryption getting in the way. Note what has changed, though: the browser is now verifying the proxy’s certificate rather than the real server’s, so the proxy is the only party left checking the real site’s certificate and must do so at least as strictly as the browser would have. A proxy that skips that check makes every user behind it an easy target for impersonation.
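The on-the-fly certificate step, as an added example that is not the chapter’s own code: the proxy’s private CA, a substitute certificate minted for one host, and a deliberately simplified model of the checks a browser makes before accepting it. It uses the pyca/cryptography library; the CA names and the host name bank.example are made up, and the proxy here refuses to mint a certificate when it cannot verify the real server itself.

```python
"""Interception (SSL/TLS) proxy: mint a per-host certificate signed by the
proxy's own CA and show that only a client whose trust store holds that CA
accepts it. Added example, not the chapter's code; uses pyca/cryptography.
Names such as 'Corp Inspection CA' and 'bank.example' are assumptions."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.now(timezone.utc)


def make_ca(common_name):
    """A private CA: a self-signed certificate flagged CA=true (EC key)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - timedelta(minutes=5))
        .not_valid_after(NOW + timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def mint_leaf(ca_key, ca_cert, hostname):
    """What the proxy does per connection: a fresh, short-lived certificate
    for `hostname`, issued by our CA, with the host in the SAN extension."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - timedelta(minutes=5))
        .not_valid_after(NOW + timedelta(days=1))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    return key, cert


def browser_accepts(leaf, trusted_cas, hostname):
    """Simplified model of a browser's checks: host name in the SAN, issuer
    present in the trust store, and a valid CA signature over the TBS bytes.
    Real browsers also check validity dates, chains, revocation and more."""
    try:
        san = leaf.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        return False
    if hostname not in san.value.get_values_for_type(x509.DNSName):
        return False
    for ca in trusted_cas:
        if ca.subject != leaf.issuer:
            continue
        try:  # EC keys only, as generated by make_ca above
            ca.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                   ec.ECDSA(leaf.signature_hash_algorithm))
            return True
        except InvalidSignature:
            return False
    return False  # no trusted CA issued it: "certificate not trusted"


def intercept(ca_key, ca_cert, public_cas, hostname, upstream_cert):
    """Proxy side. Verify the real server against the public trust store first;
    the browser can no longer do that, so if the check fails the proxy must
    fail the connection rather than mint a certificate for an unverified site."""
    if not browser_accepts(upstream_cert, public_cas, hostname):
        return None
    return mint_leaf(ca_key, ca_cert, hostname)[1]


if __name__ == "__main__":
    pub_key, pub_ca = make_ca("Public Root CA")          # stands in for the real CAs
    corp_key, corp_ca = make_ca("Corp Inspection CA")    # the proxy's CA
    _, real = mint_leaf(pub_key, pub_ca, "bank.example")
    forged = intercept(corp_key, corp_ca, [pub_ca], "bank.example", real)
    print("browser without corp CA:", browser_accepts(forged, [pub_ca], "bank.example"))
    print("browser with corp CA:   ", browser_accepts(forged, [pub_ca, corp_ca], "bank.example"))
```

The forged certificate is accepted only by the browser whose store contains the corporate CA; a browser with the public store alone rejects it, and a certificate minted for bank.example is not accepted for any other host name.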
Protecting Your Web Server – Network tiers and the DMZ
Multiple firewalls can be used to build tiers within trust boundaries. Each tier is bounded by a firewall on either side, so the rules controlling access into and out of that tier can be managed at each boundary. This allows for a flexible yet restrictive network configuration.
Where we see this type of configuration most is in the setup of a traditional demilitarized zone (DMZ) style firewall configuration. Figure 1 shows a typical tiered network.
Figure 1 A tiered network architecture
If an attack happens within the DMZ, it is isolated to that segment of the network, which limits the damage an attacker can do. The secondary firewall protects the internal network in the event a DMZ machine is compromised.
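The rule sets for the two firewalls of a tiered network like Figure 1, as an added example (not code from the chapter) that also illustrates the earlier points about documenting rules and scoping the port 80 rule to the web server. Each rule carries a purpose and an owner, every firewall defaults to deny, and a new connection is allowed only if every firewall on its path allows it. The address plan, host names and Rule fields are constructed for the example; connection state tracking (return traffic) is not modelled.

```python
"""Two-tier firewall policy for a DMZ layout, modelled as ordered rules with a
default deny. Added illustration, not the chapter's own code; addresses, host
names and the Rule fields are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR the connection must come from
    dst: str              # CIDR it must go to
    proto: str            # "tcp" or "udp"
    dport: Optional[int]  # destination port, None = any port
    action: str           # "allow" or "deny"
    purpose: str          # why the rule exists
    owner: str            # who asked for it and can say whether it is still needed


@dataclass(frozen=True)
class Packet:             # first packet of a new connection
    src: str
    dst: str
    proto: str
    dport: int


# Constructed address plan: DMZ uses the documentation range, internal is RFC 1918.
INTERNET, DMZ, INTERNAL = "0.0.0.0/0", "192.0.2.0/24", "10.10.0.0/16"
WEB, PROXY = "192.0.2.10/32", "192.0.2.20/32"                       # DMZ hosts
DB, LOG, ADMIN = "10.10.5.20/32", "10.10.5.30/32", "10.10.9.0/24"  # internal

OUTER = [  # firewall between the Internet and the DMZ
    Rule(INTERNET, WEB, "tcp", 80, "allow", "public web site, HTTP", "web-team"),
    Rule(INTERNET, WEB, "tcp", 443, "allow", "public web site, HTTPS", "web-team"),
    Rule(PROXY, INTERNET, "tcp", 443, "allow", "inspecting proxy fetches for staff", "secops"),
]
INNER = [  # firewall between the DMZ and the internal network
    Rule(WEB, DB, "tcp", 5432, "allow", "web app queries the catalogue database", "web-team"),
    Rule(DMZ, LOG, "udp", 514, "allow", "DMZ hosts ship syslog to the log server", "secops"),
    Rule(ADMIN, DMZ, "tcp", 22, "allow", "admin subnet manages DMZ hosts over SSH", "ops"),
    Rule(INTERNAL, PROXY, "tcp", 3128, "allow", "staff browse only through the proxy", "secops"),
]


def zone_of(addr):
    a = ip_address(addr)
    if a in ip_network(DMZ):
        return "dmz"
    if a in ip_network(INTERNAL):
        return "internal"
    return "internet"


# Firewalls a new connection crosses, in order, for each (from, to) zone pair.
# Traffic that stays inside one zone crosses none: that segment is flat.
PATH = {
    ("internet", "dmz"): [OUTER],
    ("internet", "internal"): [OUTER, INNER],
    ("dmz", "internet"): [OUTER],
    ("dmz", "internal"): [INNER],
    ("internal", "dmz"): [INNER],
    ("internal", "internet"): [INNER, OUTER],
}


def matches(rule, pkt):
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and pkt.proto == rule.proto
            and (rule.dport is None or rule.dport == pkt.dport))


def decide(rules, pkt):
    """One firewall's verdict: first matching rule wins; no match means deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def path_decision(pkt):
    """Verdict for the whole path: every firewall on the way must allow it."""
    hops = PATH.get((zone_of(pkt.src), zone_of(pkt.dst)), [])
    return "allow" if all(decide(r, pkt) == "allow" for r in hops) else "deny"


def undocumented(rules):
    """Rules nobody can explain are the ones nobody dares remove: flag them."""
    return [r for r in rules if not r.purpose.strip() or not r.owner.strip()]


if __name__ == "__main__":
    for p in (Packet("203.0.113.7", "192.0.2.10", "tcp", 443),   # visitor -> web
              Packet("203.0.113.7", "192.0.2.10", "tcp", 22),    # visitor -> ssh
              Packet("203.0.113.7", "10.10.20.5", "tcp", 80),    # "web service" inside
              Packet("192.0.2.10", "10.10.5.20", "tcp", 5432),   # web -> database
              Packet("192.0.2.10", "10.10.20.5", "tcp", 445)):   # pivot from owned web host
        print(zone_of(p.src), "->", zone_of(p.dst), p.dport, path_decision(p))
```

A visitor reaches the web server on 80 and 443 only; port 80 to an internal host is denied because the rule is scoped to the web server’s address, not to the port. A compromised web server can still reach the database port it needs, but nothing else inside, which is what the second firewall buys you.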
Separation of duties
Now, this is going to make a fine web server. However, you might be thinking it’s big enough to do everything (Web, FTP, news, mail, and so on), and it might be. But the problem is that if the machine is compromised, everything is compromised. You don’t want that; that would be bad.
Thus it is a good practice to isolate these services and spread out functionality by creating a separate hardened machine for each major Internet service:
- Firewalls
- Proxies and gateway servers
- Web servers
- Application servers
- Database servers
- Logging servers
- Email servers
- FTP servers
Running these services separately limits the impact of an attack and reduces the attack surface each machine exposes to an attacker. Yep, that’s right. Now you have an excuse to buy more machines! Remember, you are the one who wanted to get into the web site hosting business, right?
At the very least, there should be a point on your network before the web server that you can use as a point of inspection and detection. You may not need a full DMZ type setup, but if you are going to play on the Internet, I advise that you at least have a well-configured router and a firewall. Now that the network is prepared we can go back to building that web server.
