NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
GUIDELINES ON SECURING PUBLIC WEB SERVERS

7. Using Authentication and Encryption Technologies

Public Web servers often support a range of technologies for identifying and authenticating users with differing privileges for accessing information. Some of these technologies are based on cryptographic functions that can provide an encrypted channel between a Web browser client and a Web server that supports encryption.

Without user authentication, organizations will not be able to restrict access to specific information to authorized users. All information that resides on a public Web server will then be accessible by anyone with access to the server. In addition, without some process to authenticate the server, users will not be able to determine if the server is the "authentic" Web server or a counterfeit version operated by a malicious entity.

Encryption can be used to protect information traversing the connection between a Web browser client and a public Web server. Without encryption, anyone with access to the network traffic can determine, and possibly alter, the content of sensitive information, even if the user accessing the information has been authenticated carefully. This may violate the confidentiality and integrity of critical information.
7.1 Determining Authentication and Encryption Requirements

Organizations should periodically examine all information accessible on the public Web server and determine the necessary security requirements. While doing so, the organization should identify information that shares the same security and protection requirements. For sensitive information, the organization should determine the users or user groups that should have access to each set of resources.

For information that requires some level of user authentication, the organization should determine which of the following technologies or methods would provide the appropriate level of authentication and encryption. Each has its own unique benefits and costs that should be weighed carefully against client and organizational requirements and policies. It may be desirable to use some authentication methods in combination.

This guide discusses the authentication mechanisms most commonly associated with public Web servers and Web applications. More advanced authentication mechanisms can be supported by these servers and applications and are discussed in NIST SP 800-63.46
7.2 Address-Based Authentication

The simplest authentication mechanism that is supported by most Web servers is address-based authentication. Access control is based on the IP address and/or hostname of the host requesting information. Although it is easy to implement for small groups of users, address authentication can be unwieldy for Web sites that have a large potential user population (i.e., most public Web servers). It is also susceptible to several types of attacks, including IP spoofing and DNS poisoning: a source IP address is only as trustworthy as the network path that delivered the packet, and a client hostname is obtained from a reverse DNS lookup whose answer is controlled by whoever administers the client's address space. This type of authentication should be used only where minimal security is required, unless it is used in conjunction with stronger authentication methods.
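The following is an added example written for this page (it is not code from NIST SP 800-44 or from any Web server) showing what an address-based check looks like and how the two attacks named above defeat the naive forms of it. It assumes a constructed DNS table in place of a real resolver, uses RFC 5737 documentation addresses, and goes one step beyond the text by adding a reverse-proxy case (an assumption of the example, since the section does not mention proxies): the `X-Forwarded-For` header is the usual way a Web client "spoofs" its address to an application.

```python
# Added example for Section 7.2; written for this page, not taken from
# NIST SP 800-44 or from any Web server's source.  The DNS tables and
# addresses below are constructed (RFC 5737 documentation ranges).
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional

# Constructed resolver answers so the example runs offline.
# 192.0.2.10 is the genuine intranet host: PTR and A records agree.
# 198.51.100.7 is attacker-controlled: its PTR record names the trusted
# host, but the trusted name's A record does not point back to it.
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10": "intranet.example.gov",
    "198.51.100.7": "intranet.example.gov",
}
A_RECORDS: Dict[str, List[str]] = {
    "intranet.example.gov": ["192.0.2.10"],
}


def reverse_lookup(ip: str) -> Optional[str]:
    """PTR lookup against the constructed table (stands in for DNS)."""
    return PTR_RECORDS.get(ip)


def forward_lookup(name: str) -> List[str]:
    """A-record lookup against the constructed table (stands in for DNS)."""
    return A_RECORDS.get(name, [])


def _canon(name: str) -> str:
    """Normalise a hostname for comparison (case, trailing dot)."""
    return name.lower().rstrip(".")


class AddressAuthenticator:
    """Address-based access control by IP network and/or client hostname."""

    def __init__(self, allowed_networks: Iterable[str], allowed_hostnames: Iterable[str],
                 reverse: Callable[[str], Optional[str]] = reverse_lookup,
                 forward: Callable[[str], List[str]] = forward_lookup) -> None:
        self.networks = [ipaddress.ip_network(n, strict=False) for n in allowed_networks]
        self.hostnames = {_canon(h) for h in allowed_hostnames}
        self.reverse = reverse
        self.forward = forward

    def ip_allowed(self, client_ip: str) -> bool:
        """IP allowlist check; trustworthy only as far as the source address is."""
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.networks)

    def hostname_allowed_ptr_only(self, client_ip: str) -> bool:
        """Weak hostname check: trusts the PTR record alone.  The owner of the
        client's reverse zone (the attacker, for their own address) picks the name."""
        name = self.reverse(client_ip)
        return name is not None and _canon(name) in self.hostnames

    def hostname_allowed_fcrdns(self, client_ip: str) -> bool:
        """Forward-confirmed reverse DNS: the PTR name must resolve back to the
        client's address before it is honoured (what Apache's HostnameLookups
        Double does)."""
        name = self.reverse(client_ip)
        if name is None or _canon(name) not in self.hostnames:
            return False
        return client_ip in self.forward(name)


def effective_client_ip(peer_ip: str, x_forwarded_for: Optional[str],
                        trusted_proxies: Iterable[str]) -> str:
    """Choose the address to authenticate when a reverse proxy may be in front.
    (Proxies are an assumption of this example; Section 7.2 does not mention them.)
    X-Forwarded-For is client-supplied unless the TCP peer is a proxy we run, so
    honour it only then, and only the rightmost entry, which that proxy appended."""
    peer = ipaddress.ip_address(peer_ip)
    proxies = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    if x_forwarded_for and any(peer in p for p in proxies):
        hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
        if hops:
            return hops[-1]
    return peer_ip


def demo() -> Dict[str, object]:
    """Run the checks against the constructed data."""
    auth = AddressAuthenticator(["192.0.2.0/24"], ["intranet.example.gov"])
    return {
        "genuine_ip_allowed": auth.ip_allowed("192.0.2.10"),                      # True
        "attacker_ip_allowed": auth.ip_allowed("198.51.100.7"),                   # False
        "attacker_fools_ptr_only": auth.hostname_allowed_ptr_only("198.51.100.7"),  # True
        "attacker_fails_fcrdns": auth.hostname_allowed_fcrdns("198.51.100.7"),      # False
        "genuine_passes_fcrdns": auth.hostname_allowed_fcrdns("192.0.2.10"),        # True
        # Direct client forging X-Forwarded-For: header ignored, TCP peer used.
        "forged_xff_ignored": effective_client_ip("203.0.113.5", "192.0.2.10", ["10.0.0.0/8"]),
        # Same forgery arriving via our proxy at 10.0.0.2, which appended the real peer.
        "proxy_appended_used": effective_client_ip("10.0.0.2", "192.0.2.10, 203.0.113.5", ["10.0.0.0/8"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The PTR-only check is the one that DNS poisoning (or simply an attacker editing the reverse zone for an address they own) defeats; forward confirmation closes that hole but still says nothing about who is actually at the keyboard, which is why the section recommends combining address checks with a stronger method rather than relying on them alone.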
46 NIST SP 800-63, Electronic Authentication Guideline, is available at http://csrc.nist.gov/publications/nistpubs/.

7-1