NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
GUIDELINES ON SECURING PUBLIC WEB SERVERS

9.1.5 Automated Log File Analysis Tools

Most public Web servers receive significant amounts of traffic, and the log files quickly become voluminous. Automated log analysis tools should be installed to ease the burden on the Web server administrator. These tools analyze the entries in the Web server log files and identify suspicious and unusual activity. As mentioned in Section 9.1.2, some organizations use SIEM software for centralized logging, which can also perform automated log file analysis.

Many commercial and public domain tools are available to support regular analysis of Transfer Logs. Most operate on either the common or the combined log formats. These tools can identify IP addresses that are the source of high numbers of connections and transfers.

Error Log tools indicate not only errors that may exist within available Web content (such as missing files) but also attempts to access nonexistent URLs. Such attempts could indicate the following:

• Probes for the existence of vulnerabilities to be used later in launching an attack
• Information gathering
• Interest in specific content, such as databases.

The automated log analyzer should forward any suspicious events to the responsible Web server administrator or security incident response team as soon as possible for follow-up investigation. Some organizations may wish to use two or more log analyzers, which will reduce the risk of missing an attacker or other significant events in the log files [NIST06b].
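As an added illustration (not part of the NIST guideline or of any particular tool), the following Python sketch performs the two checks described above over constructed Common Log Format lines: it counts requests per source IP, and it collects the distinct nonexistent URLs (404 responses) each IP requested. The thresholds, addresses and paths are assumed sample values.

```python
import re
from collections import Counter, defaultdict

# Common Log Format (CLF) line. The combined format only appends referrer and
# user agent, so this anchored-at-start pattern matches the prefix of both.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_clf(line):
    """Return the fields of one CLF/combined log line, or None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None

def analyze(lines, max_requests=5, max_404s=3):
    """Flag source IPs with many requests and IPs requesting many nonexistent URLs."""
    requests = Counter()
    missing = defaultdict(set)  # ip -> set of distinct paths that returned 404
    for line in lines:
        rec = parse_clf(line)
        if rec is None:  # malformed line; a production tool would count these too
            continue
        requests[rec["ip"]] += 1
        if rec["status"] == "404":
            missing[rec["ip"]].add(rec["path"])
    high_volume = sorted(ip for ip, n in requests.items() if n > max_requests)
    probing = sorted(ip for ip, paths in missing.items() if len(paths) >= max_404s)
    return {"requests": dict(requests), "high_volume": high_volume, "probing": probing}

# Constructed sample log using documentation address ranges; not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2007:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326
198.51.100.7 - - [10/Oct/2007:13:56:01 -0700] "GET /db/ HTTP/1.1" 404 209
198.51.100.7 - - [10/Oct/2007:13:56:02 -0700] "GET /backup/ HTTP/1.1" 404 209
198.51.100.7 - - [10/Oct/2007:13:56:03 -0700] "GET /config/ HTTP/1.1" 404 209
203.0.113.5 - - [10/Oct/2007:13:57:00 -0700] "GET /index.html HTTP/1.1" 200 2326
203.0.113.5 - - [10/Oct/2007:13:57:00 -0700] "GET /index.html HTTP/1.1" 200 2326
203.0.113.5 - - [10/Oct/2007:13:57:01 -0700] "GET /index.html HTTP/1.1" 200 2326
203.0.113.5 - - [10/Oct/2007:13:57:01 -0700] "GET /index.html HTTP/1.1" 200 2326
203.0.113.5 - - [10/Oct/2007:13:57:02 -0700] "GET /index.html HTTP/1.1" 200 2326
203.0.113.5 - - [10/Oct/2007:13:57:02 -0700] "GET /index.html HTTP/1.1" 200 2326
this line is deliberately malformed and is skipped
"""

def run_sample():
    return analyze(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    print(run_sample())
```

In practice the flagged addresses would be forwarded to the administrator or incident response team, as the text above describes, rather than printed.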
9.2 Web Server Backup Procedures

One of the most important functions of a Web server administrator is to maintain the integrity of the data on the Web server. This is important because Web servers are often some of the most exposed and vital servers on an organization's network. There are two principal components to backing up data on a Web server: regular backup of the data and OS on the Web server, and maintenance of a separate protected authoritative copy of the organization's Web content.
9.2.1 Web Server Backup Policies and Strategies

The Web server administrator needs to perform backups of the Web server on a regular basis for several reasons. A Web server could fail as a result of a malicious or unintentional act or a hardware or software failure. In addition, Federal agencies and many other organizations are governed by regulations on the backup and archiving of Web server data. Web server data should also be backed up regularly for legal and financial reasons.

All organizations need to create a Web server data backup policy. Three main factors influence the contents of this policy:

Legal requirements
• Applicable laws and regulations (Federal, state, and international)
• Litigation requirements

Mission requirements
9-5