Administration Guide : Xinet Security : Other security measures

Other security measures
Robots, Spiders and Web crawlers
These are programs that automatically traverse the Web’s hypertext structure by retrieving a document and then recursively retrieving all documents that it references. That is how indexing sites and search engines, such as Google, are able to tell you where everything is on the Internet. Unfortunately, it also is the method some hackers use to find sites to investigate more thoroughly.
Protecting your site:
1.
You should create a file in your Web server root directory called robots.txt and put the following two lines in it:
User-agent: *
Disallow: /
2.
<HTML>
<Head> <Title>title of your page</Title>
<META name="robots" content="noindex,nofollow">
<META name="description" content="description of your page">
</Head>
<Body> ...
This will keep most properly-behaved robots from indexing your Web site. Remember, the less information your server broadcasts or allows out voluntarily, the less chance it will be noticed by a hacker.
Proxy and reverse-proxy servers
Proxy servers and reverse-proxy servers are applications that get in between the user’s browser and the Web server. These are usually used inside a firewall to allow users to connect to the outside world. When using a proxy server, an outgoing request from a client browser is intercepted by the proxy server and matched against a set of rules. If the request meets the rules of acceptability, it is forwarded to the destination with the source address set to the proxy server, not the original client. The destination Web server then responds to the request from the proxy server, which processes it through a set of acceptability rules then passes the response on to the original client.
A reverse-proxy does the same thing but is set up outside the firewall and accepts requests from the outside world and passes them securely through the firewall to the destination Web server.
One of the most popular ways of implementing a proxy or reverse-proxy server is to use the Apache mod-proxy module. By setting up a very stripped-down server (running Linux would be ideal) and using Apache with mod-proxy, you can build a very inexpensive and secure proxy server.
Here is an example of what to put in the Apache httpd.conf file of your reverse proxy server:
ProxyRequests off
ProxyPass / http://999.888.111.212/
ProxyPassReverse / http://999.888.111.212/
This setup disables the forward proxy so it can’t be hijacked. Then, it remaps all incoming WWW requests to the inside server (999.888.111.212). (The inside server could have been set to a non-standard port to make it even more secure.)
Firewalls
Firewalls are applications or hardware devices that are placed between your internal network and the Internet. The firewall will look at all packets that go in or out and compares them to a set of rules that allow you to precisely define what can and can’t go in or out of your network. Firewalls are usually placed on the LAN side of your Internet router or are sometimes built directly into your Internet router. The term “DMZ” refers to the network between the Internet router and the firewall. This network zone is usually where external Web servers or proxy servers are placed along with mail servers, DNS servers, etc.
Here is an example of some ACL statements for a CISCO firewall that permits only the communication from the proxy server (999.888.1.211) to the inside Web server (999.888.111.212) and denies all other traffic:
access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
permit tcp host 999.888.1.211 host 999.888.111.212 eq www
deny ip all host 999.888.111.212
NAT — Network Address Translation and virtual services
NAT is a service that is commonly built into firewalls that remaps all traffic coming from the inside network to a single outbound source address. Systems that provide NAT also often provide virtual servers or services. This technology remaps all packets destined for a certain port and addressed to the firewall to specified servers inside the firewall. Basically, this is a lot like a reverse proxy server only configurable for multiple applications.
There are many inexpensive firewall/NAT/virtual server boxes available on the market. Any one of these will provide a significant amount of security to your Xinet server.1
VPN — Virtual Private Network
If you want the ultimate in security for a select group of customers, you can implement a VPN. On your end, you need either a hardware or software based VPN concentrator. The clients (your customers) would have to have VPN client software loaded on their computer and you would have to give them a VPN login ID and password. Once they have authenticated to the VPN concentrator, their client computer would be essentially inside your network on a virtual circuit. All traffic would then be encrypted as it passes along the virtual tunnel across the Internet. You would connect your Web server to the other side of the concentrator using a separate network card in the server so that the concentrator would not be connected directly to your main network.
SSL— Secure Sockets Layer and TLS (Transport Layer Security)
The Secure Sockets Layer protocol is a protocol layer which may be placed between a reliable, connection-oriented network layer protocol (e.g. TCP/IP) and the application protocol layer (e.g. HTTP). SSL provides for secure communication between client and server by allowing mutual authentication, the use of digital signatures for integrity, and encryption for privacy.
The protocol is designed to support a range of choices for specific algorithms used for cryptography, digests, and signatures. This allows algorithm selection for specific servers to be made based on legal, export or other concerns, and also enables the protocol to take advantage of new algorithms. Choices are negotiated between client and server at the start of establishing a protocol session. A secure session goes something like this:
1.
2.
Server responds, sending the client its digital ID. The server might also request the client’s digital ID.
3.
The client verifies the server’s digital ID. If requested, the client then sends the server its digital ID.
4.
5.
You can run mod_ssl or Apache_SSL to provide your end users with a secure 128-bit encrypted link to your site. Both of these use OpenSSL to provide SSL v2/v3 and TLS v1.
The heart of this system is an asymmetrical public/private encryption key schema and a certificate. A certificate associates a public key with the real identity of an individual, server, or other entity. Certificates are related to public key cryptography by containing a public key. To be useful, there must be a corresponding private key somewhere. With OpenSSL, public keys are easily derived from private keys, so before you create a certificate or a certificate request, you need to create a private key.
Private keys are generated with openssl genrsa if you want a RSA private key, or openssl gendsa if you want a DSA private key.
To create a certificate, you need to start with a certificate request (or, as some certificate authorities like to put it, “certificate signing request”, since that’s exactly what certificate authorities do: they sign it and give you the result back, making it authentic according to their policies). A certificate request can then be sent to a certificate authority to get it signed into a certificate. Or, if you have your own certificate authority, you may sign it yourself, which is useful if you need a self-signed certificate because you just want a test certificate or because you are setting up your own CA.
The certificate request is created like this:
openssl req -new -key privkey.pem -out cert.csr
Now, the file cert.csr can be sent to the certificate authority, if they can handle files in PEM format. If not, use the extra argument -outform followed by the keyword for the format to use.
When the certificate authority has then done the checks they require (and probably gotten payment from you), they will hand over your new certificate to you.
Running SSL means that clients will have to connect to your server using the
https://
protocol over port 443 rather than the normal port 80. Connecting to port 443 happens automatically when using https:// in a standard Web browser.
To set this up, you will need to download OpenSSL then either mod_ssl or
Apache-SSL. You will then need to acquire a security certificate from one of the signing agencies, such as Verisign. In order to get one of these certificates, you will have to prove to the signing authority exactly who you are. By doing this, everybody can be assured that connecting to an SSL enabled site is truly secure.
Here is an example of entries that you would need to put in your httpd.conf file to make http and https work using Apache-SSL:
#############################################################
# example config for SSL and Non-SSL hosts in the same config
# main server is an SSL one...
#
 
ServerName ssl.fictional.co
ServerType standalone
ServerAdmin www@ssl.fictional.co
User www
Group www
Port 443
Listen 443
Listen 80
SSLVerifyClient 0
SSLVerifyDepth 10
SSLCertificateKeyFile /www/certs/ssl.fictional.co.key
SSLCertificateFile /www/certs/ssl.fictional.co.cert
SSLCACertificateFile /www/certs/CA.cert
 
#############################################################
# Note: The following directives are only required if session
# cacheing is enabled (the default from 1.17). To disable
# cacheing, make sure the following is set in apache_ssl.c
#
#define CACHE_SESSIONS FALSE
 
SSLCacheServerPath /www/bin/gcache
SSLCacheServerPort /www/cache/ssl.fictional.co.cache.socket
SSLSessionCacheTimeout 300
 
# end conditional section
 
DocumentRoot /www/hosts/ssl.fictional.co/docs
TransferLog /www/hosts/ssl.fictional.co/logs/access.log
SSLLogFile /www/hosts/ssl.fictional.co/logs/ssl.log
ErrorLog /www/hosts/ssl.fictional.co/logs/error.log
PidFile /www/logs/httpsd.pid
 
# and a non-SSL one...
 
<VirtualHost www.fictional.co:80>
SSLDisable
Port 80
DocumentRoot /www/hosts/www.fictional.co/docs
TransferLog /www/hosts/www.fictional.co/logs/access.log
ErrorLog /www/hosts/www.fictional.co/logs/error.log
</VirtualHost>
 
# and another SSL one... (this one does client-cert
# authentication)
 
<VirtualHost another-ssl.fictional.co:443>
Port 443
SSLVerifyClient 2
SSLVerifyDepth 10
SSLCertificateKeyFile /www/certs/another-ssl.fictional.co.key
SSLCertificateFile /www/certs/another-ssl.fictional.co.cert
SSLCACertificateFile /www/certs/another-CA.cert
DocumentRoot /www/hosts/another-ssl.fictional.co/docs
TransferLog /www/hosts/another-ssl.fictional.co/logs/access.log
SSLLogFile /www/hosts/another-ssl.fictional.co/logs/ssl.log
ErrorLog /www/hosts/another-ssl.fictional.co/logs/error.log
</VirtualHost>
Here is a 15-minute procedure (for testing only!) to set up an SSL-aware Apache Web server under /usr/local/apache/ and using mod_ssl. This procedure provides you with some hands-on experience in setting this up before you apply this knowledge to your main server.
1.
Fetch and extract the distributions of Apache, mod_ssl and OpenSSL;.
GET: http://httpd.apache.org/dist/httpd/apache_1.3.29.tar.gz
GET: ftp://ftp.modssl.org/source/mod_ssl-2.8.16-1.3.29.tar.gz
GET: ftp://ftp.openssl.org/source/openssl-0.9.7c.tar.gz
$ gzip -d -c apache_1.3.29.tar.gz | tar xvf -
$ gzip -d -c mod_ssl-2.8.16-1.3.29.tar.gz | tar xvf -
$ gzip -d -c openssl-0.9.7c.tar.gz | tar xvf -
2.
Build OpenSSL:
$ cd openssl-0.9.7c
$ ./config
$ make
$ cd ..
3.
Build and install the SSL-aware Apache:
$ cd mod_ssl-2.8.16-1.3.29
$ ./configure \
--with-apache=../apache_1.3.29 \
--with-ssl=../openssl-0.9.7c \
--prefix=/usr/local/apache
$ cd ..
$ cd apache_1.3.29
$ make
$ make certificate
$ make install
4.
$ rm -rf apache_1.3.29
$ rm -rf mod_ssl-2.8.16-1.3.29
$ rm -rf openssl-0.9.7c
5.
Fire up your SSL-aware Apache and try it out replacing local-host-name with the fully qualified domain name (FQDN) of your Web site which you entered at the make certificate step above.
$ /usr/local/apache/bin/httpd -DSSL
In your browser type:
https://local-host-name/
The one thing to note when using SSL is that it will require more processing power then regular http because all transactions must be encrypted/decrypted.
Intrusion detection
Now that you have secured your network and servers, how do you detect if anyone has attempted or worse yet succeeded in breaching your defenses? The first thing you must do is check your logs on a regular basis. The logs from your firewall as well as the ones from your server are very useful in providing a trail of evidence. If you are going to use them in court though, you must ensure that they are on a file system that is secure and that you can prove that they have not been edited — backing them up to permanent or change-protected media is a good idea.
There are also several applications that can help you such as Tripwire, Snort and Honey Pots. Honey Pots are essentially systems that are placed in your DMZ which have only basic security, but no real useful data on them. Their only purpose is to attract the attention of would-be hackers and lure them in. You can then track and log their progress for later prosecution.
Tripwire software is a tool that checks to see what has changed on your system. The program monitors key attributes of files that should not change, including binary signature, size, expected change of size, etc. Tripwire is originally known as an intrusion detection tool, but can be used for many other purposes such as integrity assurance, change management, policy compliance and more.
Snort (aka The Piggy) is a comprehensive packet-analyzing intrusion-detection system (IDS). And ACID is a PHP-based analysis engine to help you search and analyze your IDS logs.
This subject is very complicated in itself and further research is an exercise best left to the reader.

1
An excellent example of one of these devices is the Linksys Instant Broadband™ EtherFast®Cable/DSL Firewall Router (BEFSX41) [see http://www.linksys.com/products for more info]. It is very inexpensive, provides all of the above services, and is designed for even the novice administrator to secure his or her network with only a few minutes of work. If you have a much larger budget, then have a look at the products offered by Cisco, as they are considered the market leader in Internet security hardware.