NIST 800-44 Version 2 Guidelines on Securing Public Web Servers

More documents

Recommendations

Info

GUIDELINES ON SECURING PUBLIC WEB SERVERS Block all inbound traffic to the Web server except traffic which is required, such as TCP ports 80 (HTTP) and/or <strong>44</strong>3 (HTTPS) Block all inbound traffic with an internal IP address (to prevent IP spoofing attacks) Block client connections from the Web server to the Internet and the organization’s internal network (this will reduce the impact of some successful compromises) Block (in conjunction with the intrusion detection or prevention system [see Section 8.2.2]) IP addresses or subnets that the IDS or IPS reports are attacking the organizational network Notify the network or Web server administrator or appropriate security personnel of suspicious activity through an appropriate means (e.g., page, e-mail, network trap) Provide content filtering Protect against DoS attacks Detect malformed or known attack URL requests Log critical events, including the following details: • Time/date • Interface IP address • Manufacturer-specific event name • Standard attack event (if one exists) • Source and destination IP addresses • Source and destination port numbers • Network protocol. Most firewalls perform some type of logging of the traffic they receive. For most firewalls, the default logging configuration is suitable, provided logging is enabled. Administrators should consult the manufacturer’s documentation if they believe they require additional information to be logged. Certain firewalls include an ability to track and log information for each rule, which enables accountability to a very specific extent. Many firewalls support the ability to selectively decide what information to log. If a firewall receives a series of similar packets from the same location, it may decide not to log any additional packets after the first one. Although this is a valuable feature, consider the consequences: each packet that is dropped and not logged is potential evidence of malicious intent. The principle of logging, a fundamental aspect of accountability, is discussed in detail in Section 9.1. As with OSs and other security-enforcing elements, a firewall requires updates. This includes updating firmware for hardware and router-based firewalls. Specific instructions on how to update a firewall are found in the manufacturer’s documentation. Administrators should check for firewall updates frequently. 8-8
GUIDELINES ON SECURING PUBLIC WEB SERVERS 8.2.2 Intrusion Detection and Prevention Systems An IDS is an application that monitors the events occurring in a system or network and analyzes them for signs of potential incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. 68 An IPS has all the capabilities of an IDS and can also attempt to stop potential incidents. Because IDS and IPS systems offer many of the same capabilities, they are often collectively called intrusion detection and prevention systems (IDPS). When an IDPS detects a potential incident, it notifies administrators through IDPS console messages, emails, pages, or other mechanisms. The two types of IDPSs most relevant for Web security are host-based and network-based. 69 A hostbased IDPS monitors the characteristics of a single host and the events occurring within that host to identify and stop suspicious activity. Host-based IDPS software must be installed on each individual computer that is to be monitored or protected. Host-based IDPSs are very closely integrated with the OSs of the host computers they protect. Thus, a host-based IDPS must be designed specifically for each OS (and often each version of that OS). Host-based IDPSs monitor various aspects of hosts, such as network traffic, system logs, running processes, file access and modification, and system and application configuration changes. Host-based IDPSs are especially useful when most of the network traffic to and from a Web server is encrypted (e.g., SSL/TLS is in use) because the functionality and capability of network-based IDPSs (see below) is severely limited when network traffic is encrypted. Also, because they are located on the server, host-based IDPSs can detect some attacks and penetration attempts not recognized by networkbased IDPSs. Unfortunately, host-based IDPSs can have a negative effect on host performance. In general, enabling more extensive detection capabilities and having more events to monitor both have a negative impact on the performance of the host. Host-based IDPSs may not detect some network-based attacks, such as certain DoS attacks. If a host-based IDPS is on a Web server that is compromised, it is very likely that the attacker will also compromise the IDPS itself. A network-based IDPS monitors network traffic for particular network segments or network devices and analyzes the network and application protocol activity to identify and stop suspicious activity. Most network-based IDPSs use predefined “attack signatures” to detect and identify attacks. Attack signatures are patterns that correspond to known types of intrusions. Network-based IDPSs also use other detection methods to identify anomalous activity, protocol violations, and other unusual activity. Unlike a host-based IDPS, a network-based IDPS can monitor network activity for many hosts simultaneously. Network-based IDPSs can usually detect more network-based attacks and can more easily provide a comprehensive picture of the current attacks against a network. Because network-based IDPSs are installed on dedicated hosts, they do not have a negative effect on the performance of the Web server host and are not immediately compromised by a successful attack on the Web server. Network-based IDPSs do have some limitations. The timing of an attack can have a significant impact on the ability of a network-based IDPS to detect an attack. For example, if an attacker spreads out the timing of an attack over a period of hours or days, the attack may not be detected by the IDPS. Network configuration, such as the use of asymmetric routing, can have a negative impact on the ability of a 68 69 For more information about IDPSs, see <strong>NIST</strong> SP <strong>800</strong>-94, Guide to Intrusion Detection and Prevention Systems (IDPS) (http://csrc.nist.gov/publications/nistpubs/). Other major IDPS categories include wireless IDPS, which examines wireless networking protocols only, and network behavior anomaly detection software, which monitors network traffic flows for flow anomalies. Neither of these types of IDPS technologies analyzes Web activity. 8-9
Page 1 and 2:
Special Publication 800</st
Page 3 and 4:
GUIDELINES ON SECURING PUBLIC WEB S
Page 5 and 6:
Page 7 and 8:
Page 9 and 10:
Page 11 and 12:
Page 13 and 14:
Page 15 and 16:
Page 17 and 18:
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44: GUIDELINES ON SECURING PUBLIC WEB S
Page 93: GUIDELINES ON SECURING PUBLIC WEB S
show all

NIST 800-44 Version 2 Guidelines on Securing Public Web Servers

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?