NIST 800-44 Version 2 Guidelines on Securing Public Web Servers

GUIDELINES ON SECURING PUBLIC WEB SERVERS
7. Using Authentication and Encryption Technologies
Public Web servers often support a range of technologies for identifying and authenticating users with
differing privileges for accessing information. Some of these technologies are based on cryptographic
functions that can provide an encrypted channel between a Web browser client and a Web server that
supports encryption.
Without user authentication, organizations will not be able to restrict access to specific information to
authorized users. All information that resides on a public Web server will then be accessible by anyone
with access to the server. In addition, without some process to authenticate the server, users will not be
able to determine if the server is the “authentic” Web server or a counterfeit version operated by a
malicious entity.
Encryption can be used to protect information traversing the connection between a Web browser client
and a public Web server. Without encryption, anyone with access to the network traffic can determine,
and possibly alter, the content of sensitive information, even if the user accessing the information has
been authenticated carefully. This may violate the confidentiality and integrity of critical information.
7.1 Determining Authentication and Encryption Requirements
Organizations should periodically examine all information accessible on the public Web server and
determine the necessary security requirements. While doing so, the organization should identify
information that shares the same security and protection requirements. For sensitive information, the
organization should determine the users or user groups that should have access to each set of resources.
For information that requires some level of user authentication, the organization should determine which
of the following technologies or methods would provide the appropriate level of authentication and
encryption. Each has its own unique benefits and costs that should be weighed carefully with client and
organizational requirements and policies. It may be desirable to use some authentication methods in
combination.
This guide discusses the authentication mechanisms most commonly associated with public Web servers
and Web applications. More advanced authentication mechanisms can be supported by these servers and
applications and are discussed in <strong>NIST</strong> SP <strong>800</strong>-63. 46
7.2 Address-Based Authentication
The simplest authentication mechanism that is supported by most Web servers is address-based
authentication. Access control is based on the IP address and/or hostname of the host requesting
information. Although it is easy to implement for small groups of users, address authentication can be
unwieldy for Web sites that have a large potential user population (i.e., most public Web servers). It is
susceptible to several types of attacks, including IP spoofing and DNS poisoning. This type of
authentication should be used only where minimal security is required, unless it is used in conjunction
with stronger authentication methods.
46
<strong>NIST</strong> SP <strong>800</strong>-63, Electronic Authentication Guideline, is available at http://csrc.nist.gov/publications/nistpubs/.
7-1