A Web server opens up your business to the outside world, so how do you keep out those parts of the world you don't like?
Web servers "tend to be easy targets because of where they are located on the network," says Wayne Weisse, sales manager for advanced technology solutions at Network Associates, yet they are important to companies, not least for branding reasons. Denial of service attacks result in unavailability; common hacking tools can be used to deface the site; and Web servers can be used as launch pads for attacks on internal systems via privilege escalation.
"There's still a lot of complacency," says Chris Thomas, senior consultant at Computer Associates' data protection group. People don't think they'll be a target, he says, but the bad guys are looking at random for vulnerabilities: "On the Internet, you're just an IP address." And that's the good news. In this article, we'll take a look at how to make sure your Web server stays secure.
Architecture
"A lot of this comes down to how you design a Web application and the security management within your organisation," says Neil Campbell, head of Dimension Data Australia's security practice.
Worms generally succeed because of poor patch management; hackers generally succeed because of poor application and architecture design, he says. "It's probably not something you did today, it's something you did 9-12 months ago."
The typical three-tier architecture is a good start, he says, and a reverse proxy helps by obfuscating any flaws in the Web server. Campbell also recommends an "inventive" approach to the protection of sensitive data. For example, if it really is necessary to store customers' credit card details (and such information should never be stored on the Web server itself), consider storing parts of each number in different databases, with each database using different encryption. "You don't want a single compromise to lead to a complete breakdown in security," he says.
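As an added example (not code from the article or any vendor quoted in it) of the fragment-and-separately-encrypt idea Campbell describes: each store holds one slice of the card number under its own key, so that a compromise of one store together with its key exposes only that slice. The cipher is an HMAC-SHA256 keystream XOR standing in for a real AEAD such as AES-GCM, and the store names and card number are constructed test values.

```python
import hashlib
import hmac
import secrets

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style cipher: XOR data with HMAC-SHA256(key, nonce||counter) blocks.
    Illustrative stand-in only; a production design would use a vetted AEAD."""
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        stream.extend(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def split_pan(pan: str, parts: int) -> list:
    """Cut the digit string into exactly `parts` contiguous fragments of near-equal length."""
    base, extra = divmod(len(pan), parts)
    fragments, pos = [], 0
    for i in range(parts):
        size = base + (1 if i < extra else 0)   # spread the remainder over the first fragments
        fragments.append(pan[pos:pos + size])
        pos += size
    return fragments

def store_fragments(pan: str, store_keys: dict) -> dict:
    """Write one fragment per store, each under that store's own key and a fresh nonce.
    `store_keys` maps store name -> key; in practice each key lives in its own key manager."""
    records = {}
    for name, fragment in zip(store_keys, split_pan(pan, len(store_keys))):
        nonce = secrets.token_bytes(12)
        records[name] = (nonce, keystream_xor(store_keys[name], nonce, fragment.encode()))
    return records

def recover(records: dict, store_keys: dict) -> str:
    """Only a party holding every store's key can reassemble the full number."""
    pieces = []
    for name, (nonce, ciphertext) in records.items():   # insertion order = fragment order
        pieces.append(keystream_xor(store_keys[name], nonce, ciphertext).decode())
    return "".join(pieces)

def single_store_exposure(records: dict, name: str, key: bytes) -> str:
    """What a full compromise of one store (its data plus its key) actually reveals."""
    nonce, ciphertext = records[name]
    return keystream_xor(key, nonce, ciphertext).decode()

if __name__ == "__main__":
    keys = {n: secrets.token_bytes(32) for n in ("db_a", "db_b", "db_c")}
    pan = "4012888888881881"   # constructed test card number, not a real account
    recs = store_fragments(pan, keys)
    print("all three keys:", recover(recs, keys))
    print("db_a alone:", single_store_exposure(recs, "db_a", keys["db_a"]))
```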
Segregation of functions is an important starting point, according to Bill Mania, systems director at Hostway, one of the world's five largest hosting companies.
Web servers should just be Web servers, he says, because running other applications on them opens up the possibility of "inappropriate exchange" where a vulnerability in one program can put another at risk.
Andrew Gordon, managed services architect at Trend Micro, extends this idea to warn that scripts shouldn't run on the server itself. Any scripting should be diverted to the back-end database, which in turn should never run on the same machine as the Web server.
The more routes or connection types there are on a server, the greater the risk of compromise. "Have one front door and one back door," Gordon says.
A Web server may use a variety of services running on other systems, so a full inventory should be prepared. Access to these services can then be controlled appropriately, says Lee Hickin, senior technical consultant, RSA Security.
Looking at the problem from a hosting provider's perspective, Patrick Cusack, CTO of Hothouse Interactive, says "Don't overlook securing the back of your servers from the client's internal network." It isn't unusual for Web servers to connect to other systems for data feeds or transaction processing. "Don't assume they have put a firewall at their end," he says, as worms and other nasties can enter through that route. "It's happened to us," he warns.
The relative merits of operating systems and Web servers were the most controversial issue we canvassed.
"They're all crook," says Cusack. Microsoft's popularity means we hear the most about its shortcomings, but "it's not fair--they are just the biggest target," he explains. "There are thousands of Linux patches" and it takes more hands-on effort to keep a Linux system secure, says Cusack. Optus--one of his clients--has rigorous guidelines for production systems, "and it's a lot of work locking down a Linux system." Six hundred patches are needed to get Linux up to the Optus standard operating environment, so building a server from scratch would take four days, he says. Solaris is similar, but it is effectively more secure because most people working on that operating system are fully competent, which cannot be said for other platforms, he asserts. So his advice is "stick with the devil you know," whatever platform that happens to be.
Ian Gillott, innovation team manager at Santos, concedes that many Microsoft servers aren't set up by experts, but enterprise operations pay for expertise and their servers are well set up. Santos' technicians are of the same high skill level for Microsoft or Solaris, he says.
Unix and Linux are the most secure platforms, according to Gordon. They have fewer well-known vulnerabilities and can handle higher loads, while Windows is subject to frequent patches and exploits that attack those flaws. Not surprisingly, Gordon recommends the use of antivirus software on Windows servers, but says perimeter defences are more important.
IIS isn't intrinsically more vulnerable than other Web servers, says Robert Pregnell, Symantec's senior regional product manager, but it is supplied with an operating system and may be installed without the user's knowledge. This known configuration combined with known vulnerabilities makes it an easy target.
All operating systems and Web servers have weaknesses, says Mark Gardner, general manager, strategies and solutions at SecureNet, but "they're all credible platforms" and "your best bet is diversity". Good management is more important than the platform you choose.
Successful, secure implementations of IIS or Apache are possible, says Campbell, but that requires planning and security management. "It's about the people that are planning it," he says. Gordon notes that finding good staff is easier these days, as one result of the dot bomb was a shakeout of low-quality staff who returned to their previous occupations.
"There will always be holes in operating systems," says Ali Alfarafi, director of software, Hewlett Packard. Ben English, security and product marketing manager at Microsoft, expresses a similar sentiment in a slightly different way: "[Security] is a huge industry problem, it isn't [just] a Microsoft problem."
But "there's no quick fix because of the inertia...in the user community," says Richard Turner, vice president Asia-Pacific, RSA Security. "Organisations are reluctant to upgrade equipment while it is working" even though they want secure products rather than security products.
Configuration
"The biggest vulnerability is a poorly configured Web server," says Turner.
So the first step is to "secure the build"--follow the guidelines to lock down the operating system and secure the Web server, for example by installing all patches and removing all unnecessary facilities. "Be tight," advises Gardner: turn off all services that aren't required. "Load the operating system with an eye to published vulnerabilities," says Cusack.
Also ensure the server process is given the minimum required permissions, says Thomas, and then any subsequent compromises will be less of a problem.
"Security is a passion-killer," says Gardner, warning that failing to resist pressure to roll out services before they are ready can lead to breaches.
The good news is that at least some vendors are trying to reduce the risk of misconfiguration.
"There's a lot of activity going on at Microsoft to make sure it is secure out of the box," says English.
The company's "secure by default" effort aims to reduce Windows' attack surface by turning off all services by default, and running them with minimal privileges. A wizard is provided to help set up their servers in a secure manner, and English claims Windows 2003 has one-half to one-quarter of its predecessor's attack surface, depending on the use to which it is put.
While he concedes it was historically true that Windows required competent configuration for security, now "we're locking everything down by default."
Patching
Whether you are using open source or commercial software, you need to keep current, says Mania.
Patch management is "by far the biggest concern for our customers," according to English. Microsoft is formalising the process for enterprise customers by publishing a patch management guide based on ITIL, and providing smaller organisations with tools such as Microsoft Baseline Security Analyzer to scan for misconfigurations and patch status. One analyst firm suggests 95 percent of incidents are preventable by keeping up with patches, English says.
Patching is important, agrees Allan Bell, Asia-Pacific marketing director at Network Associates, but it's very hard to stay current without interrupting business. There are also quality assurance issues to be addressed.
Patch management is difficult, says Campbell. "It takes a lot of discipline to keep up." Organisations need to identify, test, and deploy relevant patches--"It's a very big ask to expect rapid testing and implementation." You must either accept that patches may cause other problems, or look for an alternative to prompt patching. Campbell favours the former course of action, but that requires a plan for backing out patches that prove troublesome in your environment as well as a good disaster recovery plan. Disk imaging products run at 600-700MB per minute at best, he says, so restoring the previous image to multiple servers will take time. Clustering or a redundant site makes the job easier by reducing the time your Web site is completely offline. The danger is that you might not notice the ill effects of a patch for some time, so re-imaging might not be an option unless you are scrupulous in keeping data off the system volumes.
Turner says public Web sites should be patched quickly rather than waiting for thorough pre-production testing. What would you do if the manufacturer told you that the lock on your front door could be opened by anyone? You'd change it straight away, without checking that every key worked properly, he suggests.
"The level of expertise and knowledge required is cumulative," Gardner says. Knowledge of various types of attack remains in the hacker community, and SecureNet sees perhaps five attacks a day that attempt to exploit two-year-old vulnerabilities, launched just in case something has been overlooked when a server is upgraded or rebuilt. "We still see loosely managed systems," he says.
Patching is "really hard for an amateur," says Cusack, citing one customer who spent three days and nights trying to bring up a server. He kept leaving out a critical patch, and each time the server was put online it was immediately brought down by an attack.
An ongoing task is to continually monitor security lists and vendors' patches. "That's got to be someone's job," Cusack asserts.
Firewalls, IDS, IPS
Infrastructure management for security purposes is "not very well understood in the industry," says Alfarafi, but it includes tools to detect firewall breaches, the alteration of logs, and unusual application use--as occurs in denial of service (DoS) attacks--with reporting to an operator or an automated system that can block the activity. "We use some of this within HP," he says. For example, transactions can be (at least partially) secured by rejecting any that originate from an incorrect port.
These steps mean you will be alerted even if inside information is used for an attack. "Link that to identity management and you have a very powerful tool," he says.
With Web services and interactive Web sites, redirection to another server is normal behaviour (eg, to a payment processing gateway), so protection mechanisms such as firewalls must understand protocols and applications to allow selectivity, says Scott Ferguson, regional director of Check Point. You need to look at traffic at network and application layers to distinguish attempted attacks from legitimate traffic, he says.
Gordon's advice is to lock down unused ports, regardless of platform. Ports 80 and 443 are usually all you need open, he says.
Microsoft's ISA (Internet Security and Acceleration) locks down ports and allows application-level filtering, says English. This allows it to inspect requests on port 80 for malformed addresses containing buffer overruns or other exploits. One of ISA's advantages is that it integrates with Active Directory, so when users are deleted, they are automatically removed from all systems including ISA, blocking them completely.
This is one reason why Santos uses ISA to provide secure access to its intranet for travelling staff, especially when they are in Middle Eastern or African countries where dialup access is unavailable for legal or infrastructure reasons and Internet cafes are the only option.
Active Directory was an important reason for the previously all-Unix company switching to Microsoft, says Gillott. "It's a complete package for us" that makes administration easier and reduces the risk of overlooking any particular configuration issue. The company made the switch following a third-party security screening process, he says.
"We knew port 80 was always going to be an issue," says Eric Krieger, regional sales manager at Secure Computing. The majority of traffic has moved to port 80, he says, adding that SSL encryption makes content invisible to most firewalls, and e-mail-borne attacks may pass stateful inspection.
The company's Sidewinder product is a proxy-based firewall that can support multiple servers. "From a security perspective, a Web server is about moving data into a firewall-evading tunnel," Krieger says. "Application filtering at layer 7 is probably one of the most important security features."
Sidewinder keeps port 80 open but checks content at the application level. Around 90 percent of Sidewinder sales are as an appliance on Dell hardware. An annual maintenance fee covers upgrades and updates, "but we've never, ever released a security patch," stresses Krieger.
"There is some disillusionment with intrusion detection systems," says Campbell, largely because of organisations' inability to deal with the data they collect, hence the move to intrusion prevention systems, which examine traffic for attack signatures and drop offending packets. "Signature-based approaches are quite mature," he says.
The use of a host-based intrusion prevention system (IPS) gives you "virtual patching", says Campbell. It can give immediate response to new vulnerabilities, stretching the time between patch cycles. "It gives you a better chance to patch and test," he says. However, Gordon warns that vigilance is still essential "[unless] you keep up to date, if you don't...patch [the server]."
A layered approach provides protection in depth, says Weisse. McAfee Entercept forms the last line of defence behind the firewall and other measures by creating a "shield" around the operating system kernel that can detect buffer overflows and doubtful system requests. Blaster and other attacks were blocked in this way without signature updates and even on servers that had not been patched, he claims, so this type of technology reduces the urgency of patching.
Since it runs at such a low level, Entercept protects the server from attacks concealed from other technologies by encryption, as it monitors their attempted actions. This approach provides protection from "day zero" attacks--occurring before the software vendor has released a patch for the vulnerability and before new signatures are available for other security technologies.
Entercept also has the ability to lock down critical files, registry keys and settings so they can't be altered, even with root privileges, although it also stops intruders from gaining those privileges in the first place, says Weisse.
The normal behaviour of a Web server is pretty simple, observes Bell, so it is quite easy to spot any exceptions. McAfee's IntruShield (and similar programs from other vendors) generates baselines for specific hosts, then accurately detects anomalies for every protocol and only allows legitimate packets through. "You need both lines of defence" (ie, at the network and system levels), he says.
Each layer reduces the load on the next. Firewalls keep out a lot of the noise, making life easier for the IPS. But a network IPS won't usually detect an encrypted attack, though the host-based defences will. Since much of the unnecessary activity has already been blocked, the host-based software won't impose as much of a load on the system as it would if it were the sole defence, explains Weisse.
Weisse suggests a three-phase implementation of these tools, starting with learning and detection mode to provide a baseline. The next step is to secure selected parts of the system, such as key operating system files. Finally, "vault mode" means even users with administration rights are unable to change files and configurations unless authorised by Entercept.
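As an added example (not the article's text nor any product's code) of the learn-then-detect approach Bell and Weisse describe: a baseline is built from a constructed sample of normal access-log lines, and detection mode then reports why a new line departs from it, including the over-long request lines that port 80 inspection is meant to catch. The log format, addresses and paths are all constructed.

```python
import re

# Common log format: client, identd, user, timestamp, "method path protocol", status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) (\S+)" (\d{3}) (\d+|-)$')

# Constructed sample of normal traffic used for the learning phase.
BASELINE_LINES = [
    '10.0.0.5 - - [10/Oct/2003:13:55:36 +1000] "GET /index.html HTTP/1.1" 200 2326',
    '10.0.0.7 - - [10/Oct/2003:13:55:40 +1000] "GET /images/logo.png HTTP/1.1" 200 1043',
    '10.0.0.5 - - [10/Oct/2003:13:56:02 +1000] "POST /cgi-bin/order.pl HTTP/1.1" 302 -',
]

def parse(line):
    """Return the fields of one access-log line, or None if it does not fit the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, proto, status, _size = m.groups()
    return {"ip": ip, "method": method, "path": path, "status": int(status),
            "reqlen": len(method) + len(path) + len(proto) + 2}   # bytes in the request line

def path_prefix(path):
    """First path segment, query string dropped: '/images/x.png?v=1' -> 'images', '/' -> ''."""
    parts = path.split("?")[0].split("/")
    return parts[1] if len(parts) > 1 else parts[0]

class Baseline:
    """Learning mode: record the methods, top-level paths and request sizes seen normally."""
    def __init__(self):
        self.methods, self.prefixes, self.max_reqlen = set(), set(), 0

    def learn(self, lines):
        for rec in filter(None, map(parse, lines)):
            self.methods.add(rec["method"])
            self.prefixes.add(path_prefix(rec["path"]))
            self.max_reqlen = max(self.max_reqlen, rec["reqlen"])
        return self

    def anomalies(self, line):
        """Detection mode: list the ways a line departs from the baseline (empty = normal)."""
        rec = parse(line)
        if rec is None:
            return ["unparseable line"]
        reasons = []
        if rec["method"] not in self.methods:
            reasons.append(f"unseen method {rec['method']}")
        if path_prefix(rec["path"]) not in self.prefixes:
            reasons.append(f"unseen path prefix /{path_prefix(rec['path'])}")
        if rec["reqlen"] > 2 * self.max_reqlen:   # oversized request lines, e.g. overrun attempts
            reasons.append(f"request line {rec['reqlen']} bytes, baseline max {self.max_reqlen}")
        return reasons
```

Run `Baseline().learn(BASELINE_LINES).anomalies(line)` over fresh log lines; a real deployment would learn from days of traffic and add per-host thresholds.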
Firewalls and intrusion detection/prevention aren't "fit and forget" devices, warns Gardner; subscribing to signature updates is an important part of maintaining security.
"Security appliances offer significant advantages over a firewall," says Pregnell, as they incorporate IDS, content filtering, and other technologies. However, the appliance is still a perimeter device and the Web server itself must also be protected. He suggests subscribing to a service that will give early warning of vulnerabilities, keeping up to date with patches, and the installation of a host-based IDS that can stop or block rogue software (though that is less important with a well-configured appliance). Used in concert, these measures will make the server as secure as possible.
"Forensic monitoring is where it really gets serious, and proactive recognition of new security issues is nirvana," says Cusack. He uses the Huntsman security system (from Australian vendor Tier-3), which can collect, analyse, respond to, and report malicious attacks. "It's fantastic," he says, "but a bit over the top for anyone not trying to deliver banking or telco-grade security."
Many companies do not install forensic software because they think "it costs too much," he says, but it is important to relate the cost to the value of the business it is protecting. One healthcare fund does 10 percent of its business online, he says, which is more than its two biggest branches combined. "Maybe five percent of Web sites" can justify the expenditure, he suggests, but many of his clients are in that space.