Web server security Dr Jim Briggs - PowerPoint Presentation

Slide1

Web server security

Dr Jim Briggs

WEBP security

1Slide2

What do we mean by secure?

100% security

Trading off security versus convenienceParticular vulnerabilities of the InternetThe "wild west"

WEBP security

2Slide3

Vulnerability of web systems

Open to the outside world

Aim to attract strangers!

Left unattended (largely)

Lots of potential security holes

Running other people's buggy software

Running own buggy software (even worse!)

Large amount of code (often)

Visitors are largely anonymous and can be very remote

Communication can be eavesdropped (unless encrypted)

Difficult (impossible?) to test exhaustively

WEBP security

3Slide4

Server risks

Bugs or misconfiguration problems in the Web server that allow unauthorized remote users to:

Steal confidential documents not intended for their eyes.

Execute commands on the server host machine, allowing them to modify the system.

Gain information about the Web server's host machine that will allow them to break into the system.

Launch denial-of-service attacks, rendering the machine temporarily unusable.

WEBP security

4Slide5

Client risks

Browser-side risks, including:

Active content (e.g. Java, JavaScript, ActiveX) that

crashes the browser

damages the user's system

breaches the user's privacy, or

merely creates an annoyance

The misuse of personal information knowingly or unknowingly provided by the end-user

passwords

credit card numbers

other sensitive data

WEBP security

5Slide6

Network risks

Interception of network data sent from browser to server or vice versa via network eavesdropping.

Eavesdroppers can operate from any point on the pathway between browser and server including:

The network on the browser's side of the connection

The network on the server's side of the connection (including intranets).

The end-user's Internet service provider (ISP)

The server's ISP

Either ISPs' regional access provider

WEBP security

6Slide7

General security techniques

Keep your software up to date with security patches

Try not to use unsafe techniques (e.g. CGI, SSI)

If you have to use them, test them thoroughly

Include own use of hacker tools

Design and implement an access control policy (both via the web and to the host server)

Log everything; monitor the logs; and investigate suspicious activity

WEBP security

7Slide8

Specific server side issues

Back door access to the server

Remote/local login

FTP

Alternative web sites hosted on same machine

Don't run the server as "root"

Turn off un-needed …

features in software

IP ports

Firewalls

WEBP security

8Slide9

Denial of service (DoS) attacks

Definition:

attack designed to render a computer or network incapable of providing normal services

Typical attacks

Bandwidth attacks

flood network with high volume of traffic

consequence – all available network resources are consumed and legitimate user requests

can not

get through

Connectivity attacks

flood computer with high volume of connection requestsconsequence – all available operating system resources are consumed, and computer

can not process legitimate requests

WEBP security

9Slide10

Distributed DoS (DDoS) attacks

Many hosts simultaneously attack target

Typically caused by agent hijacking vulnerable hosts (e.g. via virus)

As important to protect your machine from hijack as it is to protect it from attack

Techniques:

Scan regularly for

DDoS

tools

Do egress filtering (check for spoofed packets)

WEBP security

10Slide11

HTTP security

AuthenticationBasic

DigestSecure transportSSL

WEBP security

11