
Web server security Dr Jim Briggs WEBP security1.


2 What do we mean by secure?
100% security
Trading off security versus convenience
Particular vulnerabilities of the Internet
  – The "wild west"

3 Vulnerability of web systems
Open to the outside world
  – Aim to attract strangers!
Left unattended (largely)
Lots of potential security holes
  – Running other people's buggy software
  – Running own buggy software (even worse!)
  – Large amount of code (often)
Visitors are largely anonymous and can be very remote
Communication can be eavesdropped (unless encrypted)
Difficult (impossible?) to test exhaustively

4 Server risks
Bugs or misconfiguration problems in the Web server that allow unauthorized remote users to:
  – Steal confidential documents not intended for their eyes.
  – Execute commands on the server host machine, allowing them to modify the system.
  – Gain information about the Web server's host machine that will allow them to break into the system.
  – Launch denial-of-service attacks, rendering the machine temporarily unusable.

5 Client risks
Browser-side risks, including:
  – Active content (e.g. Java, JavaScript, ActiveX) that:
      crashes the browser
      damages the user's system
      breaches the user's privacy, or
      merely creates an annoyance
  – The misuse of personal information knowingly or unknowingly provided by the end-user:
      passwords
      credit card numbers
      other sensitive data

6 Network risks
Interception of network data sent from browser to server, or vice versa, via network eavesdropping.
Eavesdroppers can operate from any point on the pathway between browser and server, including:
  – The network on the browser's side of the connection
  – The network on the server's side of the connection (including intranets)
  – The end-user's Internet service provider (ISP)
  – The server's ISP
  – Either ISP's regional access provider

7 General security techniques
Keep your software up to date with security patches
Try not to use unsafe techniques (e.g. CGI, SSI)
If you have to use them, test them thoroughly
  – Include own use of hacker tools
Design and implement an access control policy (both via the web and to the host server)
Log everything; monitor the logs; and investigate suspicious activity

8 Specific server-side issues
Back door access to the server
  – Remote/local login
  – FTP
  – Alternative web sites hosted on the same machine
Don't run the server as "root"
Turn off unneeded:
  – features in software
  – IP ports
Firewalls

9 Denial of service (DoS) attacks
Definition:
  – an attack designed to render a computer or network incapable of providing normal services
Typical attacks
  – Bandwidth attacks: flood the network with a high volume of traffic
      consequence: all available network resources are consumed and legitimate user requests cannot get through
  – Connectivity attacks: flood the computer with a high volume of connection requests
      consequence: all available operating system resources are consumed, and the computer cannot process legitimate requests

10 Distributed DoS (DDoS) attacks
Many hosts simultaneously attack the target
Typically caused by an agent hijacking vulnerable hosts (e.g. via a virus)
As important to protect your machine from hijack as it is to protect it from attack
Techniques:
  – Scan regularly for DDoS tools
  – Do egress filtering (check for spoofed packets)
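The "monitor the logs" advice on slide 7 and the flood definitions on slides 9 and 10, as an added example that is not part of the lecture: a small Python detector run over constructed Common Log Format lines. It flags a single client whose request count in a fixed time window exceeds a per-host limit (a connectivity flood from one source) and, separately, any window whose aggregate count exceeds a total limit even though no single host is loud (the distributed case). The thresholds, the window size, the RFC 5737 documentation addresses and the sample entries are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: host ident user [time] "request" status size
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "[^"]*" \d{3} \S+$')

def parse_line(line):
    """Return (host, timestamp) for one CLF line, or None if it is malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("host"), datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")

def flood_report(lines, window_s=10, per_host_max=20, total_max=100):
    """Bucket requests into fixed windows of window_s seconds. Return the hosts
    exceeding per_host_max in any window (single-source flood) and the start
    times of windows whose total exceeds total_max (distributed flood)."""
    per_window = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # a bad line must not stop monitoring
        host, ts = parsed
        bucket = int(ts.timestamp()) // window_s * window_s
        per_window[bucket][host] += 1
    noisy_hosts, hot_windows = set(), []
    for bucket, counts in sorted(per_window.items()):
        noisy_hosts.update(h for h, n in counts.items() if n > per_host_max)
        if sum(counts.values()) > total_max:
            hot_windows.append(bucket)
    return noisy_hosts, hot_windows

def make_line(host, offset_s):
    """Constructed CLF entry at 2024-01-01 00:00:00 UTC plus offset_s seconds."""
    ts = datetime(2024, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=offset_s)
    return f'{host} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET / HTTP/1.0" 200 512'

# Constructed sample log: one quiet client, one client hammering the server in
# the 0-9 s window, sixty hosts each making two requests in the 20-29 s window
# (no single host is loud, but the aggregate is), and one malformed line.
SAMPLE_LOG = (
    [make_line("198.51.100.7", s) for s in (0, 3, 7)]
    + [make_line("203.0.113.5", i % 10) for i in range(30)]
    + [make_line(f"192.0.2.{i}", 20 + (i + k) % 10) for i in range(1, 61) for k in (0, 5)]
    + ["this line is not a log entry"]
)

if __name__ == "__main__":
    print(flood_report(SAMPLE_LOG))   # ({'203.0.113.5'}, [1704067220])
```

In practice the per-host view alone misses a DDoS, which is why the aggregate check is kept alongside it.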

11 HTTP security
Authentication
  – Basic
  – Digest
Secure transport
  – SSL
