NIST 800-44 Version 2 Guidelines on Securing Public Web Servers

More documents

Recommendations

Info

GUIDELINES ON SECURING PUBLIC WEB SERVERS 9.1.5 Automated Log File Analysis Tools Most public Web servers receive significant amounts of traffic, and the log files quickly become voluminous. Automated log analysis tools should be installed to ease the burden on the Web server administrator. These tools analyze the entries in the Web server log files and identify suspicious and unusual activity. As mentioned in Section 9.1.2, some organizations use SIEM software for centralized logging, which can also perform automated log file analysis. Many commercial and public domain tools are available to support regular analysis of Transfer Logs. Most operate on either the common or the combined log formats. These tools can identify IP addresses that are the source of high numbers of connections and transfers. Error Log tools indicate not only errors that may exist within available Web content (such as missing files) but also attempts to access nonexistent URLs. Such attempts could indicate the following: Probes for the existence of vulnerabilities to be used later in launching an attack Information gathering Interest in specific content, such as databases. The automated log analyzer should forward any suspicious events to the responsible Web server administrator or security incident response team as soon as possible for follow-up investigation. Some organizations may wish to use two or more log analyzers, which will reduce the risk of missing an attacker or other significant events in the log files [<strong>NIST</strong>06b]. 9.2 Web Server Backup Procedures One of the most important functions of a Web server administrator is to maintain the integrity of the data on the Web server. This is important because Web servers are often some of the most exposed and vital servers on an organization’s network. There are two principal components to backing up data on a Web server: regular backup of the data and OS on the Web server, and maintenance of a separate protected authoritative copy of the organization’s Web content. 9.2.1 Web Server Backup Policies and Strategies The Web server administrator needs to perform backups of the Web server on a regular basis for several reasons. A Web server could fail as a result of a malicious or unintentional act or a hardware or software failure. In addition, Federal agencies and many other organizations are governed by regulations on the backup and archiving of Web server data. Web server data should also be backed up regularly for legal and financial reasons. All organizations need to create a Web server data backup policy. Three main factors influence the contents of this policy: Legal requirements • Applicable laws and regulations (Federal, state, and international) • Litigation requirements Mission requirements 9-5
GUIDELINES ON SECURING PUBLIC WEB SERVERS • Contractual • Accepted practices • Criticality of data to organization Organizational guidelines and policies. Although each organization’s Web server backup policy will be different to reflect its particular environment, it should address the following issues: Purpose of the policy Parties affected by the policy Web servers covered by the policy Definitions of key terms, especially legal and technical Detailed requirements from the legal, business, and organization’s perspective Required frequency of backups Procedures for ensuring data is properly retained and protected Procedures for ensuring data is properly destroyed or archived when no longer required Procedures for preserving information for Freedom of Information Act (FOIA) requests, legal investigations, and other such requests Responsibilities of those involved in data retention, protection, and destruction activities Retention period for each type of information logged 76 Specific duties of a central/organizational data backup team, if one exists. Three primary types of backups exist: full, incremental, and differential. Full backups include the OS, applications, and data stored on the Web server (i.e., an image of every piece of data stored on the Web server hard drives). The advantage of a full backup is that it is easy to restore the entire Web server to the state (e.g., configuration, patch level, data) it was in when the backup was performed. The disadvantage of full backups is that they take considerable time and resources to perform. Incremental backups reduce the impact of backups by backing up only data that has changed since the previous backup (either full or incremental). Differential backups reduce the number of backup sets that must be accessed to restore a configuration by backing up all changed data since the last full backup. However, each differential backup increases as 76 Organizations should carefully consider the retention period for Web transaction logs and other Web server-related records. Many organizations are subject to multiple sets of legal and regulatory requirements that can affect their retention of Web records. The National Archives and Records Administration (NARA) has a Web site for Federal records management, which is located at http://www.archives.gov/records-mgmt/. 9-6
Page 1 and 2:
Special Publication 800</st
Page 3 and 4:
GUIDELINES ON SECURING PUBLIC WEB S
Page 5 and 6:
Page 7 and 8:
Page 9 and 10:
Page 11 and 12:
Page 13 and 14:
Page 15 and 16:
Page 17 and 18:
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Page 51 and 52:
Page 53 and 54: GUIDELINES ON SECURING PUBLIC WEB S
Page 103: GUIDELINES ON SECURING PUBLIC WEB S
show all

NIST 800-44 Version 2 Guidelines on Securing Public Web Servers

Create successful ePaper yourself

Delete template?

Save as template?