Ensuring Web server security is one of the most thankless tasks facing information security pros. You need to balance the conflicting roles of allowing the public legitimate access to Web resources while trying to keep the bad guys out. You might even consider implementing two-factor authentication, such as RSA SecurID to obtain a high degree of confidence in your authentication system, but it wouldn't be practical, or cost-effective to distribute tokens to all of your Web site users. Despite such conflicting goals, here are six tactics that can help lock down your Web servers.
- Use separate servers for internal and external applications.
- Use a separate development server for testing and debugging apps.
Testing applications on a stand-alone Web server sounds like common sense -- and it is! Unfortunately, many organizations don't follow this basic principle and, instead, allow
Given that organizations typically have two, separate classes of Web applications, those serving internal users and those serving external users, it's prudent to place those applications on different servers. Doing so reduces the risk of a malicious user penetrating the external server to gain access to sensitive internal information. If you don't have the resources to implement this at your disposal, you should at least consider using technical controls (such as process isolation) to keep internal and external applications from interacting with each other.
- developers to "tweak" code or even develop new applications on a production server. This is a horrible idea for both reliability and security reasons. Testing code on production systems could cause users to experience malfunctions (possibly, a complete outage) and could also introduce security vulnerabilities as developers post untested code that might be vulnerable to attack. Most modern version control systems (such as Microsoft's Visual SourceSafe) can help automate the coding/testing/debugging process.
- Audit Web site activity and store logs in a secure location.
Every security professional knows the importance of maintaining server activity logs. Since most Web servers are public facing it's critical that you perform this task for all Internet-based services. These audit trails will help you detect and react to attacks, and will enable you to troubleshoot server performance issues. In high-security environments, make sure that your logs are stored in a physically secure location -- the safest (but least convenient) technique is to have a line printer print the trail as it gets logged, thereby creating a permanent paper record that can't be modified by an intruder who doesn't have physical access to the premises. You may also want to consider the use of electronic equivalents, such as logging to a secure host that implements encryption with digital signatures to prevent against log snooping and modification.
- Educate developers on sound security coding practices.
Software developers, focused on creating apps that meet business requirements, often overlook the fact that information security is a critical business requirement. As a security pro, it's your role to educate developers on the security issues that affect Web servers. You should make developers aware of the security mechanisms in place on your network to ensure that the software they create doesn't circumvent those mechanisms; also offer training on concepts such as buffer overflow attacks and process isolation -- all of which will go a long way towards ensuring sound coding practices that result in secure applications.
- Keep your operating system and Web server patched.
This is another "common sense" item that often slips through the cracks when administrators become overburdened with other tasks. Security bulletins, such as those issued by CERT or Microsoft, are a constant reminder of how often software vendors release patches for specific security vulnerabilities. It's critical to keep your Web servers patched with current security fixes. Tools like Microsoft's Software Update Service (SUS) and RedHat's up2date service can help to automate this task. After all, once a flaw is published, if you don't fix it, someone will eventually find it and exploit it.
- Use application scanners.
If affordable, you might want to consider the use of an application scanner to validate internally developed code. Tools like Watchfire's AppScan can help ensure that exploitable code doesn't slip through the cracks and into a production environment.
Remember, security is a state of mind! Well-designed Web server architecture should be based on sound security principles. Implementing these six measures will help you build a strong foundation.
About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the author of the About.com Guide to Databases.
This was first published in October 2004