Slide 1
Web server security
Dr Jim Briggs
WEBP security
Slide 2
What do we mean by secure?
100% security is not achievable
Trading off security versus convenience
Particular vulnerabilities of the Internet
The "wild west"
Slide 3
Vulnerability of web systems
Open to the outside world
Aim to attract strangers!
Left unattended (largely)
Lots of potential security holes
Running other people's buggy software
Running own buggy software (even worse!)
Large amount of code (often)
Visitors are largely anonymous and can be very remote
Communication can be eavesdropped (unless encrypted)
Difficult (impossible?) to test exhaustively
Slide 4
Server risks
Bugs or misconfiguration problems in the Web server that allow unauthorized remote users to:
Steal confidential documents not intended for their eyes.
Execute commands on the server host machine, allowing them to modify the system.
Gain information about the Web server's host machine that will allow them to break into the system.
Launch denial-of-service attacks, rendering the machine temporarily unusable.
Slide 5
Client risks
Browser-side risks, including:
Active content (e.g. Java, JavaScript, ActiveX) that
crashes the browser
damages the user's system
breaches the user's privacy, or
merely creates an annoyance
The misuse of personal information knowingly or unknowingly provided by the end-user
passwords
credit card numbers
other sensitive data
Slide 6
Network risks
Interception of network data sent from browser to server or vice versa via network eavesdropping.
Eavesdroppers can operate from any point on the pathway between browser and server including:
The network on the browser's side of the connection
The network on the server's side of the connection (including intranets).
The end-user's Internet service provider (ISP)
The server's ISP
Either ISP's regional access provider (the upstream networks carrying the traffic between the two ISPs)
Slide 7
General security techniques
Keep your software up to date with security patches
Try not to use unsafe techniques (e.g. CGI, SSI)
If you have to use them, test them thoroughly
Including running the same hacker tools (scanners, fuzzers) against your own server
Design and implement an access control policy (both via the web and to the host server)
Log everything; monitor the logs; and investigate suspicious activity
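The last point is the one most often skipped, so here is an added example (not from the slides) of what "monitor the logs" can mean in practice: a small analyser that reads Apache/NGINX "combined" format access-log lines and flags two things the slides' threat list implies: directory-traversal attempts (stealing documents not intended for the visitor) and clients that generate many 404s, the usual signature of someone probing for CGI scripts, admin panels and backup files. The log lines are constructed for the example, not from a real server, and the 404 threshold is an assumed value.

```python
import re
from collections import Counter

# Apache/NGINX "combined" access-log line. The sample data below is constructed
# for this example, not real traffic.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /about.html HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /cgi-bin/../../etc/passwd HTTP/1.1" 404 0
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /admin/ HTTP/1.1" 404 0
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 0
198.51.100.7 - - [10/Oct/2023:13:56:04 +0000] "GET /wp-login.php HTTP/1.1" 404 0
198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "GET /.env HTTP/1.1" 404 0
198.51.100.7 - - [10/Oct/2023:13:56:06 +0000] "GET /backup.zip HTTP/1.1" 404 0
<<corrupt line>>
192.0.2.9 - - [10/Oct/2023:13:57:10 +0000] "POST /cgi-bin/form.cgi HTTP/1.1" 200 88
"""


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text, max_404_per_ip=5):
    """Flag traversal attempts and clients producing many 404s (probing for files).

    max_404_per_ip is an assumed threshold; tune it to the site's normal error rate.
    """
    traversal, not_found, unparsed = [], Counter(), 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            # Count rather than silently drop: lines that break the format are
            # themselves worth investigating (log injection, tampering).
            unparsed += 1
            continue
        path = rec["path"].lower()
        if "../" in path or "..%2f" in path or "%2e%2e" in path:
            traversal.append((rec["ip"], rec["path"]))
        if rec["status"] == "404":
            not_found[rec["ip"]] += 1
    scanners = sorted(ip for ip, n in not_found.items() if n >= max_404_per_ip)
    return {"traversal": traversal, "scanners": scanners, "unparsed": unparsed}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(key, value)
```

Running this over the sample flags 198.51.100.7 both for the `../../etc/passwd` request and for six 404s in a row, and reports one line it could not parse. In production the same logic would run continuously (for example fed by the server's piped-log facility) and the findings would go to whoever investigates suspicious activity.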
Slide 8
Specific server side issues
Back door access to the server
Remote/local login
FTP
Alternative web sites hosted on same machine
Don't run the server as "root"
Turn off un-needed …
features in software
IP ports
Firewalls
Slide 9
Denial of service (DoS) attacks
Definition:
attack designed to render a computer or network incapable of providing normal services
Typical attacks
Bandwidth attacks
flood network with high volume of traffic
consequence – all available network resources are consumed and legitimate user requests cannot get through
Connectivity attacks
flood computer with high volume of connection requests
consequence – all available operating system resources are consumed, and the computer cannot process legitimate requests
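The distinction between the two attack types matters for the defence. A bandwidth flood has to be filtered upstream, before it reaches the server's link; a connectivity flood from a limited set of sources can be throttled on the host itself, by refusing to allocate operating-system resources to a client that is opening connections faster than any legitimate user would. The following is an added example (not from the slides) of that second defence: a per-source token-bucket gate replayed over constructed connection attempts. The rate and burst values are assumptions chosen for the demonstration.

```python
from collections import defaultdict


class TokenBucket:
    """Per-client limiter: refills `rate` tokens per second up to `burst`;
    each new connection costs one token."""

    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = now

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ConnectionGate:
    """Decide per source address whether to accept a new connection, before
    the OS spends a socket, a thread or a process on it."""

    def __init__(self, rate=1.5, burst=5, max_tracked=10000):
        self.rate, self.burst, self.max_tracked = rate, burst, max_tracked
        self.buckets = {}

    def admit(self, now, ip):
        bucket = self.buckets.get(ip)
        if bucket is None:
            if len(self.buckets) >= self.max_tracked:
                # Bounded state: the limiter must not itself become a
                # memory-exhaustion target when sources are spread out.
                return False
            bucket = self.buckets[ip] = TokenBucket(self.rate, self.burst, now)
        return bucket.allow(now)


def simulate(attempts, rate=1.5, burst=5):
    """Replay (timestamp, ip) connection attempts in order; return
    accepted and rejected counts per source address."""
    gate = ConnectionGate(rate, burst)
    accepted, rejected = defaultdict(int), defaultdict(int)
    for t, ip in attempts:
        (accepted if gate.admit(t, ip) else rejected)[ip] += 1
    return dict(accepted), dict(rejected)


# Constructed traffic: one host opens 100 connections within one second
# (a connectivity flood) while a legitimate client opens one every two seconds.
FLOODER, CLIENT = "198.51.100.7", "203.0.113.5"
ATTEMPTS = sorted([(i * 0.01, FLOODER) for i in range(100)] +
                  [(i * 2.0, CLIENT) for i in range(5)])

if __name__ == "__main__":
    accepted, rejected = simulate(ATTEMPTS)
    print("accepted", accepted)
    print("rejected", rejected)
```

With these settings the flooder gets its initial burst of five connections plus one more as the bucket refills, and the other 94 are refused without the OS ever seeing them; the legitimate client is never refused. Real servers implement the same idea in the kernel or front-end (SYN cookies, per-IP connection limits, listen-queue tuning); this block shows the policy, not a replacement for those mechanisms, and it does nothing against a bandwidth flood that saturates the link.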
Slide 10
Distributed DoS (DDoS) attacks
Many hosts simultaneously attack target
Typically the attacking hosts have been hijacked by an agent planted on vulnerable machines (e.g. via a virus or worm)
As important to protect your machine from hijack as it is to protect it from attack
Techniques:
Scan regularly for DDoS tools
Do egress filtering (drop outbound packets whose source address is not one of your own, i.e. spoofed packets)
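Egress filtering is the second half of "protect your machine from hijack": even if a host on your network has been turned into a DDoS agent, its attack traffic usually forges the source address, and a border filter that only forwards packets sourced from your own prefixes stops that traffic at the edge. The following is an added example (not from the slides) of the decision such a filter makes, run over constructed packets; the local prefixes are documentation ranges assumed for the demonstration.

```python
import ipaddress

# Constructed: the prefixes this site legitimately originates traffic from.
LOCAL_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]


def is_spoofed(src, local_prefixes=LOCAL_PREFIXES):
    """An outbound packet whose source is not one of ours is spoofed (or at
    best misrouted); either way it should not leave the network."""
    addr = ipaddress.ip_address(src)   # raises ValueError on garbage
    return not any(addr in net for net in local_prefixes)


def egress_filter(packets, local_prefixes=LOCAL_PREFIXES):
    """Split (src, dst) tuples seen at the border into forward and drop lists."""
    forward, drop = [], []
    for src, dst in packets:
        try:
            spoofed = is_spoofed(src, local_prefixes)
        except ValueError:
            spoofed = True   # unparsable source address: fail closed
        (drop if spoofed else forward).append((src, dst))
    return forward, drop


# Constructed outbound packets as a border router might see them.
PACKETS = [
    ("203.0.113.10", "198.51.100.1"),        # legitimate, from our IPv4 range
    ("192.0.2.77", "198.51.100.1"),          # spoofed: not one of our prefixes
    ("2001:db8:1::5", "2001:db8:ffff::1"),   # legitimate, from our IPv6 range
    ("10.0.0.1", "198.51.100.1"),            # spoofed private source
    ("not-an-ip", "198.51.100.1"),           # garbage: dropped
]

if __name__ == "__main__":
    forward, drop = egress_filter(PACKETS)
    print("forward:", forward)
    print("drop:   ", drop)
```

On a Linux border router the same policy is a single rule on the upstream interface, for example `iptables -A FORWARD -o eth0 ! -s 203.0.113.0/24 -j DROP` (interface name assumed). The mirror-image ingress rule, dropping inbound packets that claim to come from your own prefixes, is equally cheap and closes off one class of reflection tricks.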
Slide 11
HTTP security
Authentication
Basic
Digest
Secure transport
SSL
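The three items on this slide are related: Basic authentication sends the password in a reversible encoding, Digest authentication sends a hash that does not reveal the password, and secure transport (SSL/TLS) is what makes Basic acceptable at all. The following is an added example (not from the slides) that builds and decodes a Basic header, computes an RFC 2617 Digest response from a stored HA1, and verifies it server-side. The test values (Aladdin/open sesame and the Mufasa example) are the ones given in the RFCs; everything else is constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets


def basic_header(user, password):
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_decode(header):
    """What an eavesdropper does with a Basic header: base64 is an encoding,
    not encryption, so the password is recovered directly."""
    scheme, token = header.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, password = base64.b64decode(token).decode().split(":", 1)
    return user, password


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password). A Digest-aware server can store this
    instead of the cleartext password."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc=None, cnonce=None, qop=None):
    """RFC 2617 Digest response; computed from HA1 so client and server
    share the same code path."""
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")   # older RFC 2069 form without qop


def server_new_nonce():
    """Fresh server nonce; reuse across challenges enables replay."""
    return secrets.token_hex(16)


def server_verify(stored_ha1, method, uri, nonce, nc, cnonce, qop, client_response):
    """Server-side check with a constant-time compare, so the expected
    response is not leaked one byte at a time through timing."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce, qop)
    return hmac.compare_digest(expected, client_response)


if __name__ == "__main__":
    hdr = basic_header("Aladdin", "open sesame")
    print(hdr, "->", basic_decode(hdr))
    ha1 = digest_ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    resp = digest_response(ha1, "GET", "/dir/index.html", nonce, "00000001", "0a4f113b", "auth")
    print("digest response:", resp)
    print("verified:", server_verify(ha1, "GET", "/dir/index.html", nonce,
                                     "00000001", "0a4f113b", "auth", resp))
```

Digest keeps the password off the wire but still relies on MD5, still exposes the username, and does nothing for the rest of the exchange (the page content, cookies, form data). That is why the practical answer for both schemes is SSL/TLS: with the transport encrypted, Basic is no longer exposed to the eavesdroppers of Slide 6, and the server can keep a properly salted password hash rather than an MD5-based HA1.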