NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
GUIDELINES ON SECURING PUBLIC WEB SERVERS

The only “pure” network layer firewalls available today are small office/home office (SOHO) firewall appliances and personal firewalls [NIST02a] that may only perform basic packet-level filtering.

Stateful inspection firewalls are transport layer devices that incorporate “awareness” of the state of a TCP connection. Stateful inspection firewalls maintain internal information, such as the state of the connections passing through them and the contents of some of the data streams. This allows better and more accurate rule sets and filtering to be specified. Stateful inspection firewalls add the capability to enforce rules based on connection state to the capabilities of a filtering router.
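The difference between a filtering router and a stateful inspection firewall is easiest to see on a concrete packet trace. The following Python example is an addition to this page, not code from NIST SP 800-44: it runs the same constructed packets through a stateless rule set (which can only approximate “reply traffic” by looking at the ACK flag) and through a filter that keeps a connection table. The addresses, ports and rule set are assumptions chosen for the illustration.

```python
# Added illustration (not from NIST SP 800-44): the same constructed packet
# trace judged by a stateless packet filter and by a stateful inspection
# filter that remembers connection state. Addresses are RFC 5737 test
# addresses chosen for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


WEB_SERVER = "192.0.2.10"   # constructed: the protected public Web server
CLIENT = "198.51.100.7"     # constructed: an Internet host
DNS = "203.0.113.53"        # constructed: a resolver the server queries


def stateless_filter(pkt: Packet) -> bool:
    """Packet-filtering router: each packet is judged on its own headers.
    Rule 1: anything the server sends out is allowed.
    Rule 2: new connections to the server's HTTP port are allowed.
    Rule 3: replies to connections the server opened are approximated by
            'inbound packet with ACK set' (the classic 'established' match),
            because a stateless device has no record of which connections
            actually exist."""
    if pkt.src == WEB_SERVER:
        return True
    if pkt.dst == WEB_SERVER and pkt.dport == 80:
        return True
    if pkt.dst == WEB_SERVER and pkt.ack:
        return True
    return False


class StatefulFilter:
    """Stateful inspection: keeps a table of connections the server has
    opened or accepted and admits an inbound packet only if it belongs to
    one of them. Keys are (server_ip, server_port, peer_ip, peer_port)."""

    def __init__(self) -> None:
        self.table: set = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.src == WEB_SERVER:
            # outbound: remember the connection so its replies can be matched
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.dport == 80 and pkt.syn and not pkt.ack:
            # inbound connection request to the published service
            self.table.add(key)
            return True
        # everything else must belong to a connection already in the table
        return key in self.table


def run_trace() -> dict:
    """Return {label: (stateless_verdict, stateful_verdict)} for a constructed
    trace. Only the last packet separates the two filters: an unsolicited
    ACK-flagged packet to a port the server does not publish."""
    trace = [
        ("client opens HTTP", Packet(CLIENT, 40001, WEB_SERVER, 80, syn=True)),
        ("server DNS query", Packet(WEB_SERVER, 50000, DNS, 53, syn=True)),
        ("DNS reply", Packet(DNS, 53, WEB_SERVER, 50000, syn=True, ack=True)),
        ("unsolicited ACK to port 22", Packet(CLIENT, 40002, WEB_SERVER, 22, ack=True)),
    ]
    stateful = StatefulFilter()
    # evaluated in order, so the stateful table builds up packet by packet
    return {label: (stateless_filter(p), stateful.allow(p)) for label, p in trace}


if __name__ == "__main__":
    for label, (stateless, stateful) in run_trace().items():
        print(f"{label:28s} stateless={stateless!s:5s} stateful={stateful}")
```

The first three packets are admitted by both filters. The fourth carries an ACK flag but matches no connection the server opened; the stateless rule set has no way to tell it from a genuine reply and lets it through, while the stateful filter drops it because it is absent from the table. This is the “rules based on connection state” capability the text describes.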
Application layer firewalls (sometimes called application-proxy gateway firewalls) are advanced firewalls that combine network and transport layer access control with application layer functionality. Application layer firewalls permit no traffic directly between the Internet and the internal network. They can usually perform extensive logging and access control.

Application layer firewalls are considered the most secure type of firewall and have numerous advantages over packet filtering routers and stateful inspection firewalls, including the following:

• Logging capabilities
• Filtering capabilities (can filter specific types of Web content and specific HTTP commands)
• Protocol conformance
• Validation of protocol behaviors
• Integrated signature-based detection of application layer attacks
• Ease of configuration
• User authentication capabilities.
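Several of the listed advantages (filtering specific HTTP commands, protocol conformance, signature-based detection, logging) come from the proxy parsing the request rather than forwarding bytes. The Python example below is an added illustration, not code from NIST SP 800-44 or any particular proxy product: it parses the head of an HTTP request, enforces a method allowlist, checks a few conformance rules, matches a constructed signature list against the request target, and returns the reason string such a firewall would log. The allowed methods, the signatures and the sample requests are all assumptions chosen for the example.

```python
# Added illustration (not from NIST SP 800-44): a minimal application-layer
# check of an HTTP request head, returning (allowed, reason) where the reason
# is what a proxy firewall would write to its log.
import re

ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # assumption: what this site needs
REQUEST_LINE = re.compile(r"^([A-Z]+) (/[^\s]*) HTTP/(1\.[01])$")
# Constructed, deliberately simple signatures for request targets the proxy
# should refuse to forward; a real product ships a maintained signature set.
SIGNATURES = [re.compile(r"\.\./"), re.compile(r"%00")]


def inspect_request(raw: bytes) -> tuple:
    """Return (True, 'ok') for a well-formed, permitted request, otherwise
    (False, reason). Only the request head is examined."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in request head"
    head, sep, _body = text.partition("\r\n\r\n")
    if not sep:
        return False, "incomplete request head"
    lines = head.split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return False, "malformed request line"
    method, target, version = match.groups()
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not permitted"
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            return False, "malformed header line"
        headers[name.lower()] = value.strip()
    # protocol conformance: HTTP/1.1 requires Host; Content-Length is numeric
    if version == "1.1" and "host" not in headers:
        return False, "HTTP/1.1 request without Host header"
    if "content-length" in headers and not headers["content-length"].isdigit():
        return False, "non-numeric Content-Length"
    for sig in SIGNATURES:
        if sig.search(target):
            return False, "request target matches signature"
    return True, "ok"


# Constructed sample requests for the example (www.example.com is the
# reserved example host name).
SAMPLES = {
    "plain GET": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "TRACE": b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "no Host": b"GET / HTTP/1.1\r\n\r\n",
    "traversal": b"GET /cgi-bin/../../private.txt HTTP/1.0\r\n\r\n",
    "not HTTP": b"\x16\x03\x01\x00\xa5GET\r\n\r\n",
}


def filter_samples() -> dict:
    """Run every constructed sample through inspect_request."""
    return {name: inspect_request(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in filter_samples().items():
        print(f"{name:10s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

Note what a packet filter or stateful firewall cannot do here: all five samples arrive on the same port and look alike at the transport layer, and only parsing the application protocol distinguishes a permitted GET from a non-allowlisted method, a non-conformant request, a signature hit, or traffic that is not HTTP at all.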
The primary disadvantages that application layer firewalls have when compared to packet filtering routers and stateful inspection firewalls are as follows:

• Speed of throughput (if platform is not adequately sized)
• Cost (if high-end hardware is required to operate efficiently)
• Inadequate support for less popular and new protocols.

Although not strictly a limitation, some application layer firewalls are implemented on hosts running general-purpose OSs (e.g., Windows, Linux, Unix). This arrangement introduces an added layer of complexity and some additional risk because the general-purpose OS must also be secured in addition to the firewall software itself. Application layer firewalls are increasingly being deployed as appliance-based devices, which may use specialized OSs. Routers and stateful inspection firewalls also typically run on specialized OSs.

To successfully protect a Web server using a firewall, ensure that the firewall is patched to the latest or most secure level (both the application and the underlying OS) and is configured to perform the following:

• Control all traffic between the Internet and the Web server
8-7