NIST 800-44 Version 2 Guidelines on Securing Public Web Servers

More documents

Recommendations

Info

GUIDELINES ON SECURING PUBLIC WEB SERVERS Datagram Protocol (UDP) as well as IP. The most powerful firewalls are application layer or proxy firewalls that are able to understand and filter Web content. 67 A common misperception about firewalls (and routers acting as firewalls) is that they eliminate all risk and can protect against misconfiguration of the Web server or poor network design. Unfortunately, this is not the case. Firewalls and routers themselves are vulnerable to misconfiguration and software vulnerabilities. In addition, many firewalls have limited insight into the application layer where many attacks occur. Thus, Web servers in particular are vulnerable to many attacks, even when located behind a secure, well-configured firewall. A firewall (or router acting as a firewall) that is protecting a Web server should be configured to block all access to the Web server from the Internet except the necessary ports, such as TCP ports 80 (HTTP) and <strong>44</strong>3 (HTTPS). A firewall is the first line of defense for a Web server; however, to be truly secure, organizations need to implement layered protection for their Web servers (and networks). Most importantly, organizations should strive to maintain all systems in a secure posture and not depend solely on firewalls, routers, or any other single component to stop attackers. A modern enterprise router is able to function as a network and transport layer filter (e.g., a basic firewall). A router functioning as a network/transport layer firewall can provide filtering based on several pieces of information [<strong>NIST</strong>02a], including the following: Source IP address Destination IP address Traffic type TCP/UDP port number and state. The strength of routers is in their cost. Most organizations already have a border router that can be configured to provide network/transport layer firewall capabilities. The weaknesses of routers include the following: Susceptibility to application layer attacks (e.g., cannot examine Web content for embedded malicious code) Susceptibility to attacks via allowed ports Difficulty of configuration and administration Limitations in logging capabilities Processing capabilities that may be more limited and overtaxed by complex rule sets (i.e., access control lists) Insufficient rule set expressiveness and filtering capabilities. 67 For more information about firewalls, see <strong>NIST</strong> SP <strong>800</strong>-41, <strong>Guidelines</strong> on Firewalls and Firewall Policy (http://csrc.nist.gov/publications/nistpubs/). 8-6
GUIDELINES ON SECURING PUBLIC WEB SERVERS The only “pure” network layer firewalls available today are small office/home office (SOHO) firewall appliances and personal firewalls [<strong>NIST</strong>02a] that may only perform basic packet-level filtering. Stateful inspection firewalls are transport layer devices that incorporate “awareness” of the state of a TCP connection. Stateful inspection firewalls maintain internal information, such as the state of the connections passing through them and the contents of some of the data streams. This allows better and more accurate rule sets and filtering to be specified. Stateful inspection firewalls add the capability to enforce rules based on connection state to the capabilities of a filtering router. Application layer firewalls (sometimes called application-proxy gateway firewalls) are advanced firewalls that combine network and transport layer access control with application layer functionality. Application layer firewalls permit no traffic directly between the Internet and the internal network. They can usually perform extensive logging and access control. Application layer firewalls are considered the most secure type of firewall and have numerous advantages over packet filtering routers and stateful inspection firewalls, including the following: Logging capabilities Filtering capabilities (can filter specific types of Web content and specific HTTP commands) Protocol conformance Validation of protocol behaviors Integrated signature-based detection of application layer attacks Ease of configuration User authentication capabilities. The primary disadvantages that application layer firewalls have when compared to packet filtering routers and stateful inspection firewalls are as follows: Speed of throughput (if platform is not adequately sized) Cost (if high-end hardware is required to operate efficiently) Inadequate support for less popular and new protocols. Although not strictly a limitation, some application layer firewalls are implemented on hosts running general-purpose OSs (e.g., Windows, Linux, Unix). This arrangement introduces an added layer of complexity and some additional risk because the general-purpose OS must also be secured in addition to the firewall software itself. Application layer firewalls are increasingly being deployed as appliancebased devices, which may use specialized OSs. Routers and stateful inspection firewalls also typically run on specialized OSs. To successfully protect a Web server using a firewall, ensure that the firewall is patched to the latest or most secure level (both the application and the underlying OS) and is configured to perform the following: Control all traffic between the Internet and the Web server 8-7
Page 1 and 2:
Special Publication 800</st
Page 3 and 4:
GUIDELINES ON SECURING PUBLIC WEB S
Page 5 and 6:
Page 7 and 8:
Page 9 and 10:
Page 11 and 12:
Page 13 and 14:
Page 15 and 16:
Page 17 and 18:
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42: GUIDELINES ON SECURING PUBLIC WEB S
Page 91: GUIDELINES ON SECURING PUBLIC WEB S
show all

NIST 800-44 Version 2 Guidelines on Securing Public Web Servers

Create successful ePaper yourself

Delete template?

Save as template?