NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
GUIDELINES ON SECURING PUBLIC WEB SERVERS<br />
A two-firewall DMZ c<strong>on</strong>figurati<strong>on</strong> improves protecti<strong>on</strong> over a router-firewall DMZ because the dedicated<br />
firewalls can have more complex and powerful security rule sets. In additi<strong>on</strong>, because a dedicated<br />
firewall is often able to analyze incoming and outgoing HTTP traffic, it can detect and defend against<br />
applicati<strong>on</strong> layer attacks aimed at the <strong>Web</strong> server. Depending <strong>on</strong> the rule sets of the firewalls and the<br />
level of traffic the DMZ receives, this type of DMZ may result in some performance degradati<strong>on</strong>.<br />
For organizati<strong>on</strong>s that desire the security of the two-firewall DMZ but do not have the resources to<br />
purchase two firewalls, another opti<strong>on</strong> exists called the “service leg” DMZ. In this c<strong>on</strong>figurati<strong>on</strong>, a<br />
firewall is c<strong>on</strong>structed with three (or more) network interfaces. One network interface attaches to the<br />
border router, another interface attaches to the internal network, and a third network interface c<strong>on</strong>nects to<br />
the DMZ (see Figure 8-3).<br />
Figure 8-3. Service Leg DMZ<br />
This c<strong>on</strong>figurati<strong>on</strong> subjects the firewall to an increased risk of service degradati<strong>on</strong> during a DoS attack<br />
aimed at the DMZ. In the standard single-firewall DMZ network c<strong>on</strong>figurati<strong>on</strong> discussed above, a DoS<br />
attack against the <strong>Web</strong> server generally affects <strong>on</strong>ly the <strong>Web</strong> server. In a service-leg DMZ network<br />
c<strong>on</strong>figurati<strong>on</strong>, the firewall bears the brunt of any DoS attack because it must examine any network traffic<br />
before the traffic reaches the <strong>Web</strong> server (or any other DMZ or internal network resource) [<str<strong>on</strong>g>NIST</str<strong>on</strong>g>02a].<br />
However, it is increasingly likely that a DoS attack will take the form of a DDoS attack and c<strong>on</strong>sume all<br />
of the incoming network bandwidth and related devices (e.g., Internet border routers) before ever<br />
reaching a DMZ firewall.<br />
The advantages of a DMZ from a security standpoint are as follows:<br />
The <strong>Web</strong> server may be better protected, and network traffic to and from the <strong>Web</strong> server can be<br />
m<strong>on</strong>itored.<br />
Compromise of the <strong>Web</strong> server does not directly threaten the internal producti<strong>on</strong> network.<br />
Greater c<strong>on</strong>trol can be provided over the security of the <strong>Web</strong> server because traffic to and from the<br />
<strong>Web</strong> server can be c<strong>on</strong>trolled.<br />
The DMZ network c<strong>on</strong>figurati<strong>on</strong> can be optimized to support and protect the <strong>Web</strong> servers.<br />
8-3