IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Hardware & Software Remarks
____________________________________________________________________ .........................................
numerical IP addresses or subnetworks but to certain computer names or
domain names instead, attention should also be paid to the risk of DNS
spoofing.
If the WWW browser accesses the WWW server via a proxy server, it should
be borne in mind that the WWW server only finds out the IP address of the
proxy. A proxy can only be considered trustworthy, however, if all IT systems
and users hidden behind it are also trustworthy.
If access to WWW files is restricted to specified IP addresses, subnetworks or
domains, it may therefore be advantageous to give these additional protection
with a password.
Password protection
In order to protect WWW files with passwords, it is first necessary to create a
password file in which the authorised users and their passwords will be
entered. It is vital that this file should not be stored in areas of the WWW
server which could possibly be accessed from the outside. The file must be
readable for the Web server, however. It is advisable to create a separate
directory for these password files. Only the owner of the file and the WWW
server are allowed to access the files stored in that directory.
One problem with the protection of WWW files by means of passwords is that
the authorised users have to handle their passwords carefully; for example
they must not pass them on, but must keep them safely, change them regularly
and select them with care (see S 2.11 Provisions governing the use of
passwords). Another problem is whether and how passwords can be protected
against interception during transmission. Passwords must under no
circumstances be transmitted within a URL.
If possible it is advisable to use authentication via addresses in addition.
Encryption
Another possibility is storing files in encrypted form on a WWW server, such
that only users who are in possession of the correct cryptographic key are able
to read the files. This approach does require a corresponding system of key
management, however, which may be complex and costly.
Procedures such as SSL or S-HTTP can be used to prevent interception of the
files and passwords during transmission.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000