NIST 800-44 Version 2 Guidelines on Securing Public Web Servers

More documents

Recommendations

Info

GUIDELINES ON SECURING PUBLIC WEB SERVERS 6. Securing Web Content.....................................................................................................6-1 6.1 Publishing Information on Public Web Sites ............................................................6-1 6.2 Observing Regulations about the Collection of Personal Information......................6-3 6.3 Mitigating Indirect Attacks on Content .....................................................................6-5 6.3.1 Phishing........................................................................................................6-5 6.3.2 Pharming ......................................................................................................6-7 6.4 Securing Active Content and Content Generation Technologies.............................6-8 6.4.1 Vulnerabilities with Client-Side Active Content Technologies ....................6-10 6.4.2 Vulnerabilities with Server-Side Content Generation Technologies ...........6-12 6.4.3 Server-Side Content Generator Security Considerations...........................6-15 6.4.4 Location of Server-Side Content Generators .............................................6-17 6.4.5 Cross-Site Scripting Vulnerabilities ............................................................6-17 6.5 Checklist for Securing Web Content ......................................................................6-18 7. Using Authentication and Encryption Technologies....................................................7-1 7.1 Determining Authentication and Encryption Requirements .....................................7-1 7.2 Address-Based Authentication.................................................................................7-1 7.3 Basic Authentication ................................................................................................7-2 7.4 Digest Authentication ...............................................................................................7-2 7.5 SSL/TLS...................................................................................................................7-3 7.5.1 SSL/TLS Capabilities....................................................................................7-3 7.5.2 Weaknesses of SSL/TLS..............................................................................7-4 7.5.3 Example SSL/TLS Session ..........................................................................7-5 7.5.4 SSL/TLS Encryption Schemes .....................................................................7-6 7.5.5 Implementing SSL/TLS.................................................................................7-8 7.5.6 SSL/TLS Implementations..........................................................................7-12 7.6 Brute Force Attacks ...............................................................................................7-12 7.7 Checklist for Using Authentication and Encryption Technologies for Web Servers7-14 8. Implementing a Secure Network Infrastructure ............................................................8-1 8.1 Network Composition and Structure ........................................................................8-1 8.1.1 Inadvisable Network Layout .........................................................................8-1 8.1.2 Demilitarized Zone........................................................................................8-1 8.1.3 Outsourced Hosting......................................................................................8-4 8.1.4 Management Network ..................................................................................8-5 8.2 Network Element Configuration ...............................................................................8-5 8.2.1 Router/Firewall Configuration .......................................................................8-5 8.2.2 Intrusion Detection and Prevention Systems................................................8-9 8.2.3 Network Switches .......................................................................................8-11 8.2.4 Load Balancers...........................................................................................8-12 8.2.5 Reverse Proxies .........................................................................................8-12 8.3 Checklist for Implementing a Secure Network Infrastructure.................................8-13 9. Administering the Web Server........................................................................................9-1 9.1 Logging ....................................................................................................................9-1 9.1.1 Identifying the Logging Capabilities of a Web Server...................................9-1 9.1.2 Identifying Additional Logging Requirements ...............................................9-3 9.1.3 Recommended Generic Logging Configuration ...........................................9-3 9.1.4 Reviewing and Retaining Log Files ..............................................................9-3 9.1.5 Automated Log File Analysis Tools ..............................................................9-5 v
GUIDELINES ON SECURING PUBLIC WEB SERVERS 9.2 Web Server Backup Procedures..............................................................................9-5 9.2.1 Web Server Backup Policies and Strategies ................................................9-5 9.2.2 Maintain a Test Web Server .........................................................................9-7 9.2.3 Maintain an Authoritative Copy of Organizational Web Content ..................9-8 9.3 Recovering From a Security Compromise ...............................................................9-9 9.4 Security Testing Web Servers ...............................................................................9-11 9.4.1 Vulnerability Scanning ................................................................................9-11 9.4.2 Penetration Testing ....................................................................................9-12 9.5 Remotely Administering a Web Server ..................................................................9-13 9.6 Checklist for Administering the Web Server ..........................................................9-14 Appendices Appendix A— Online Web Server Security Resources....................................................... A-1 Appendix B— Glossary .......................................................................................................... B-1 Appendix C— Web Security Tools and Applications .......................................................... C-1 Appendix D— References ...................................................................................................... D-1 Appendix E— Web Server Security Checklist...................................................................... E-1 Appendix F— Acronym List................................................................................................... F-1 Appendix G— Index................................................................................................................G-1 List of Tables and Figures Figure 7-1. SSL/TLS Location within the Internet Protocol Stack .............................................7-3 Table 7-1. SSL/TLS Cipher Suites............................................................................................7-7 Figure 7-2. Sample CSR...........................................................................................................7-9 Figure 7-3. Sample Encoded SSL/TLS Certificate..................................................................7-10 Figure 8-1. Simple Single-Firewall DMZ ...................................................................................8-2 Figure 8-2. Two-Firewall DMZ ..................................................................................................8-2 Figure 8-3. Service Leg DMZ....................................................................................................8-3 Figure 8-4. Outsourced Web Server Hosting............................................................................8-4 vi
Page 1 and 2: Special Publication 800</st
Page 3 and 4: GUIDELINES ON SECURING PUBLIC WEB S
Page 5: GUIDELINES ON SECURING PUBLIC WEB S
Page 57 and 58:
GUIDELINES ON SECURING PUBLIC WEB S
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Page 139 and 140:
Page 141 and 142:
show all

NIST 800-44 Version 2 Guidelines on Securing Public Web Servers

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?