1. 1
Unix Web servers andUnix Web servers and
FirewallFirewall
PP 200 and P387 to
411 – Web Security by
Lincoln D. Stein
2. 2
Unix Server (..continue..)Unix Server (..continue..)
Monitor the integrity of System
Files and Binaries
Back up Your System
Monitor the integrity of System
Files and Binaries
Back up Your System
3. 3
Monitor the integrity of Systems Files
and Binaries
Monitor the integrity of Systems Files
and Binaries
It is to monitor whether the files have been
modified by intruders.
The approach is to run a program that
generates fingerprint of each ESSENTAIL
files. (such as the md5sum (md5 checksum))
Compare the files a few days later and see
whether any discrepancy.
It is to monitor whether the files have been
modified by intruders.
The approach is to run a program that
generates fingerprint of each ESSENTAIL
files. (such as the md5sum (md5 checksum))
Compare the files a few days later and see
whether any discrepancy.
.sys
and
.wi
n
4. 4
Back up the systemBack up the system
This is common to any system administrators
to perform regular backups of essential files.
tar program is a common utility to perform
backup.
This is common to any system administrators
to perform regular backups of essential files.
tar program is a common utility to perform
backup.
Tar is a
Unix
command
5. 5
Server Security Checklist (1)Server Security Checklist (1)
Have you installed all security-related patches?
Have you disabled all unnecessary services?
Have you run a security scanner on your system?
(lab 10)
Does the server do double duty as a user
workstation?
Do the Web server’s file permissions reasonable?
Have you installed all security-related patches?
Have you disabled all unnecessary services?
Have you run a security scanner on your system?
(lab 10)
Does the server do double duty as a user
workstation?
Do the Web server’s file permissions reasonable?
From
administrator’s
viewpoint
6. 6
Server Security Checklist (2)Server Security Checklist (2)
Is the Web server running as root? (/)
Is the Web server running any unnecessary
features?
Have you established the limit of users?
Do you monitor system and web pages logs?
Do you monitor the integrity of the host?
Do you backup your system?
Is the Web server running as root? (/)
Is the Web server running any unnecessary
features?
Have you established the limit of users?
Do you monitor system and web pages logs?
Do you monitor the integrity of the host?
Do you backup your system?
7. 7
Summary on Unix Web serversSummary on Unix Web servers
To harden a Unix Web server as
many as possible (patch, disable
features….)
To properly configure the Web
server (reduce number of users,
file/directory access rights…)
To Monitor the logs (error log and
system log, might run fingerprint)
To backup your files (use tar
command..)
To harden a Unix Web server as
many as possible (patch, disable
features….)
To properly configure the Web
server (reduce number of users,
file/directory access rights…)
To Monitor the logs (error log and
system log, might run fingerprint)
To backup your files (use tar
command..)
Learnt
last
week
8. 8
Web servers & Firewall - OverviewWeb servers & Firewall - Overview
What is a firewall?
How to select a firewall?
How to configure a firewall?
Automatic proxy configuration for
browsers?
Examining firewall logs for signs of server
compromise?
What is a firewall?
How to select a firewall?
How to configure a firewall?
Automatic proxy configuration for
browsers?
Examining firewall logs for signs of server
compromise?
This
week
9. 9
Two firewalls with the Internet –
restrict some incoming and outgoing traffic based on rules
Two firewalls with the Internet –
restrict some incoming and outgoing traffic based on rules
10. 10
What is a firewall? - 長城 ( 防人牆 )
from http://ljq.free163.net/shgc/wlcc.htm
What is a firewall? - 長城 ( 防人牆 )
from http://ljq.free163.net/shgc/wlcc.htm
11. 11
Waterwall – prevent enemy, protect castle
from edtech.floyd.edu/ ~lnewby/feudal_japan.htm
Waterwall – prevent enemy, protect castle
from edtech.floyd.edu/ ~lnewby/feudal_japan.htm
12. 12
What is a firewall?What is a firewall?
In a traditional LAN
system, all workstations
can access the Internet
with a result of equal
attack from the outside.
Just one of the weakest
host will break the system.
The firewall addresses this
problem by using a special
configurable machine
between the outside world
and internal machines to
control the traffic.
In a traditional LAN
system, all workstations
can access the Internet
with a result of equal
attack from the outside.
Just one of the weakest
host will break the system.
The firewall addresses this
problem by using a special
configurable machine
between the outside world
and internal machines to
control the traffic.
13. 13
The location of a firewallThe location of a firewall
All traffic must
go through the
proxy server
(firewall as well )
which then
decides to accept
or reject the
traffic.
All traffic must
go through the
proxy server
(firewall as well )
which then
decides to accept
or reject the
traffic.
14. 14
Two basic Firewall SystemsTwo basic Firewall Systems
There are two basic implementations for firewalls.
Dual home gateway firewall, the gateway machine
has two network interface cards each of them is
connected to the LAN (inter network) and the
Internet (Outer network)
Screened-host gateway uses a router to forward all
the traffic from/to the outer and inner networks.
There are two basic implementations for firewalls.
Dual home gateway firewall, the gateway machine
has two network interface cards each of them is
connected to the LAN (inter network) and the
Internet (Outer network)
Screened-host gateway uses a router to forward all
the traffic from/to the outer and inner networks.
15. 15
Dual-home gateway firewallDual-home gateway firewall
By default, the two
networks are
isolated.
However, there is a
need to communicate
between the inner
and outer networks
through the
specialised programs
called proxy (or
proxies, many
programs with
firewall features)
By default, the two
networks are
isolated.
However, there is a
need to communicate
between the inner
and outer networks
through the
specialised programs
called proxy (or
proxies, many
programs with
firewall features) block
16. 16
Screen-hosted gatewayScreen-hosted gateway
A network router is
used to control access
to the inner network.
The router restricts
communication
between the outer and
inner networks.
It ensures that the
packets from the
Internet can reach the
well secured proxy
which then examines
the data.
In fact, there is no effective
difference between dual-
home and screen-host
17. 17
Notes about firewallNotes about firewall
Many companies use firewall systems that are not
strictly firewalls. They are used to block
dangerous traffic only.
The essence of a firewall system is to allow or deny
passage to network traffic. They are application
level for particular communications protocols, such
as HTTP, e-mail, FTP (You need to configure the
rule)
For example, if you decided to block all active X,
you then program the proxy to check the contents
of all HTML and block those that have active X.
Many companies use firewall systems that are not
strictly firewalls. They are used to block
dangerous traffic only.
The essence of a firewall system is to allow or deny
passage to network traffic. They are application
level for particular communications protocols, such
as HTTP, e-mail, FTP (You need to configure the
rule)
For example, if you decided to block all active X,
you then program the proxy to check the contents
of all HTML and block those that have active X.
18. 18
Select a firewall system (1)Select a firewall system (1)
Because of the large number of competing
firewall vendors, it can be difficult to choose.
Below is a check list.
Operating system: Firewall products are available
that run on both Unix (linux) or Windows XP
systems. Neither has advantages over others. If
you are familiar with Unix, Choose it.
Protocols used: All firewalls will handle FTP, e-
mail, HTTP, NNTP telnet etc, but some might not
handle SNMP or Real Audio etc. Choose those
that can satisfy your need.
Because of the large number of competing
firewall vendors, it can be difficult to choose.
Below is a check list.
Operating system: Firewall products are available
that run on both Unix (linux) or Windows XP
systems. Neither has advantages over others. If
you are familiar with Unix, Choose it.
Protocols used: All firewalls will handle FTP, e-
mail, HTTP, NNTP telnet etc, but some might not
handle SNMP or Real Audio etc. Choose those
that can satisfy your need.
19. 19
Select a firewall system (2)Select a firewall system (2)
Filter types:Network filters based on application
level proxies gives the programmers control over
what passes across the firewall. Network filters
based on circuit-level proxies have better
performance such as IP packet-filtering system.
Logging: A firewall performs exhaustive logging
with tools to analyse the log and summarise the log.
Administration: Some firewalls are configured with
graphical user interfaces, others use text only.
Filter types:Network filters based on application
level proxies gives the programmers control over
what passes across the firewall. Network filters
based on circuit-level proxies have better
performance such as IP packet-filtering system.
Logging: A firewall performs exhaustive logging
with tools to analyse the log and summarise the log.
Administration: Some firewalls are configured with
graphical user interfaces, others use text only.
20. 20
Select a firewall system (3)Select a firewall system (3)
Simplicity: Good firewall systems are simple. The
proxies are small and easy to understand.
Tunneling: Some firewall systems provide the
ability to setup up an encrypting tunnel across the
Internet in order to securely connect two networks.
(Tunneling is the transmission of data intended for use only
within a private, usually corporate network through the
Internet in such a way that the routing nodes in the Internet
are unaware that the transmission is part of a private
network. VPN is an example.)
Simplicity: Good firewall systems are simple. The
proxies are small and easy to understand.
Tunneling: Some firewall systems provide the
ability to setup up an encrypting tunnel across the
Internet in order to securely connect two networks.
(Tunneling is the transmission of data intended for use only
within a private, usually corporate network through the
Internet in such a way that the routing nodes in the Internet
are unaware that the transmission is part of a private
network. VPN is an example.)
21. 21
ProductsProducts
Product Feature
AltaVista Uses a combination of packet filters, application
level proxies and circuit-level
BorderWare A Unix-only system for both application-level and
packet-level
CyberGuard Unix to support packet filtering, application and
circuit-level.
Eagle Uses application and circuit level proxy and is
available for NT and Unix machines
Firewall-1 Packet filtering an stateful inspection for NT and
Unix
Gauntlet Available a a software-only package or as a
turnkey combination.
No need to
memorise
22. 22
How to configure a firewall?How to configure a firewall?
As there are many commercial products with
different commands and approaches, here, we
would use a table for describing the routing
information and is independent on any
products.
Outgoing web access
1. How to allow people within your organisation
to safely browse the Web;
2. How to make your organisation’s public web
available to the rest of the world?
As there are many commercial products with
different commands and approaches, here, we
would use a table for describing the routing
information and is independent on any
products.
Outgoing web access
1. How to allow people within your organisation
to safely browse the Web;
2. How to make your organisation’s public web
available to the rest of the world?
23. 23
A simple example – packet filter – IE and FTPA simple example – packet filter – IE and FTP
Assume that you need to provide filter exceptions
for outgoing connections to the HTTP (port 80)
and FTP (port 21) and the data sent back in
response to those connections. (RULE)
Assume that you need to provide filter exceptions
for outgoing connections to the HTTP (port 80)
and FTP (port 21) and the data sent back in
response to those connections. (RULE)
Action Src Port Dest Port Flags Comment
Block * * * * * Block all
Allow [internal
user]
* * 80 * Browse outside
(iexplorer –
outgoing)
Allow * 80 * * ACK ie- Incoming
Allow [internal
user]
* * 21 * ftp - outgoing
Allow * 21 * * ACK ftp - incoming
important
24. 24
ExplanationExplanation
The first column indicates whether it is allowed or
blocked that traffic.
The second and third columns indicate which
traffic shows from the source. Here port number is
specified as well.
The fourth and fifth columns indicate that outgoing
(destination) traffic. Again, port number is
specified as well.
Flags indicates whether it is an
acknowledgement.
The first column indicates whether it is allowed or
blocked that traffic.
The second and third columns indicate which
traffic shows from the source. Here port number is
specified as well.
The fourth and fifth columns indicate that outgoing
(destination) traffic. Again, port number is
specified as well.
Flags indicates whether it is an
acknowledgement.
25. 25
Another simple example – block IE and
allow FTP
Another simple example – block IE and
allow FTP
Assume that you need to provide filter exceptions
for outgoing connections to the FTP (port 21) and
the data sent back in response to those
connections. We simply block all traffic expect
FTP.
Assume that you need to provide filter exceptions
for outgoing connections to the FTP (port 21) and
the data sent back in response to those
connections. We simply block all traffic expect
FTP.
Action Src Port Dest Port Flags Comment
Block * * * * * Block all
Allow [internal
user]
* * 21 * ftp - outgoing
Allow * 21 * * ACK ftp - incoming
important
26. 26
Picture – Gopher protocol is blocked, the table is in the ProxyPicture – Gopher protocol is blocked, the table is in the Proxy
26
27. 27
A simple example – application level –
outgoing, linux environment
A simple example – application level –
outgoing, linux environment
If the firewall uses application level proxy to provide Internet access,
we need to enable separate proxies for each of the protocols commonly
used on the Web such as HTTP, FTP, SSL. Below is an example for
FTP for a Class C network at 189.45.56
#rules for the FTP gateway
ftp-gw: denial-msg /usr/local/ect/ftp-deny.txt
ftp-gw: welcome-msg /us/local/ect/ftp-welcome.txt
ftp-gw: help-msg /usr/local/etc/ftp-help.txt
ftp-gw: timeout 3600
ftp-gw: deny-hosts unknown
ftp-gw: permit-hosts 189.45.56.*
#rules for the http/gopher gateway
http-gw: permit-hosts 189.45.56.*
If the firewall uses application level proxy to provide Internet access,
we need to enable separate proxies for each of the protocols commonly
used on the Web such as HTTP, FTP, SSL. Below is an example for
FTP for a Class C network at 189.45.56
#rules for the FTP gateway
ftp-gw: denial-msg /usr/local/ect/ftp-deny.txt
ftp-gw: welcome-msg /us/local/ect/ftp-welcome.txt
ftp-gw: help-msg /usr/local/etc/ftp-help.txt
ftp-gw: timeout 3600
ftp-gw: deny-hosts unknown
ftp-gw: permit-hosts 189.45.56.*
#rules for the http/gopher gateway
http-gw: permit-hosts 189.45.56.*
No need
to
memorise
, step by
step, but
have to
understand
28. 28
ExplanationExplanation
The first six lines of this file set up defaults for
the FTP proxy.
The line containing deny-host prohibits the use of
the proxy by any machine without a domain
name system entry (here unknown)
The line containing permit-host allows any hosts
in the internal network to use the proxy. Others
are prohibited by default. (here, permit-hosts
193.49.189.*, any at this network.)
The first six lines of this file set up defaults for
the FTP proxy.
The line containing deny-host prohibits the use of
the proxy by any machine without a domain
name system entry (here unknown)
The line containing permit-host allows any hosts
in the internal network to use the proxy. Others
are prohibited by default. (here, permit-hosts
193.49.189.*, any at this network.)
29. 29
Incoming Web accessIncoming Web access
Once we solve the problem of outgoing Web
services, we need to consider the incoming Web
access.
There are many possibilities (web server with
proxy, web server inside the LAN, web server
outside the LAN.) Here, we introduce:
– Judas server – Proxy and Web server
– Sacrificial Lamb – Web server outside firewall
– Private Affairs – Web server inside the firewall
– Doubly Fortified Server - use multi-level of proxy to
separate networks.
Once we solve the problem of outgoing Web
services, we need to consider the incoming Web
access.
There are many possibilities (web server with
proxy, web server inside the LAN, web server
outside the LAN.) Here, we introduce:
– Judas server – Proxy and Web server
– Sacrificial Lamb – Web server outside firewall
– Private Affairs – Web server inside the firewall
– Doubly Fortified Server - use multi-level of proxy to
separate networks.
30. 30
Judas – combine Proxy and Web
server
Judas – combine Proxy and Web
server
It is not a good
idea to combine
proxy and web
server together.
It is because Web
server cannot be
trusted to be bug
free.
Any security
holes will
degrade the
proxy.
It is not a good
idea to combine
proxy and web
server together.
It is because Web
server cannot be
trusted to be bug
free.
Any security
holes will
degrade the
proxy.
Not a
good
idea
31. 31
The Sacrificial LambThe Sacrificial Lamb
The safest place for
a public web server
is outside the
firewall. It is
intended to public
use.
Because
communication
between LAN and
the public web
server is restricted, it
is difficult to use file
sharing or remote
login to update the
material in the web
server.
The safest place for
a public web server
is outside the
firewall. It is
intended to public
use.
Because
communication
between LAN and
the public web
server is restricted, it
is difficult to use file
sharing or remote
login to update the
material in the web
server.
Access
by
outsiders
32. 32
The Private Affair ServerThe Private Affair Server
If the Web server
is not intended to
be publicly
available, all best
location is behind
the firewall.
It maintains
confidential or
sensitive
information.
If the Web server
is not intended to
be publicly
available, all best
location is behind
the firewall.
It maintains
confidential or
sensitive
information.
Filter
all first
33. 33
The Doubly Fortified ServerThe Doubly Fortified Server
If you consider your web server contains
highly confidential information, you
should place it out of the Internet with a
multiple level firewalls. (You have to set
up a private firewall system.)
If you consider your web server contains
highly confidential information, you
should place it out of the Internet with a
multiple level firewalls. (You have to set
up a private firewall system.)
34. 34
Running a reverse Web proxy
The primary mission of firewall proxies is to allow
people inside the organisation to make outgoing
connections to servers on the Internet.
Their desk-top software connects to a proxy on the
firewall; it relays the request to the Internet server
and forwards the server's response back.
It is also possible to use application-level proxies in
the reverse direction to grant people on the Internet
controlled access to a Web server.
36. 36
Hybrid Server
The hybrid approach is to combine two
together. One on an external scarified lamb
server; one on the firewall.
In this configuration, an internal server is
maintained behind the firewall and kept
completely inaccessible from the outside
world.
The hybrid approach is to combine two
together. One on an external scarified lamb
server; one on the firewall.
In this configuration, an internal server is
maintained behind the firewall and kept
completely inaccessible from the outside
world.
38. 38
SummarySummary
Firewall is to filter the unwanted traffic
It is to limit the Incoming and outgoing
traffic as well.
Criteria to select a firewall
Configure a firewall – application level
(IE, e-mail) or packet level (IP or TCP)
Incoming web access – Judas server,
Sacrificial lamb, Private affair, Doubly
fortified server, reverse web proxy etc.
Firewall is to filter the unwanted traffic
It is to limit the Incoming and outgoing
traffic as well.
Criteria to select a firewall
Configure a firewall – application level
(IE, e-mail) or packet level (IP or TCP)
Incoming web access – Judas server,
Sacrificial lamb, Private affair, Doubly
fortified server, reverse web proxy etc.