NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
GUIDELINES ON SECURING PUBLIC WEB SERVERS

Datagram Protocol (UDP) as well as IP. The most powerful firewalls are application layer or proxy firewalls that are able to understand and filter Web content.67

A common misperception about firewalls (and routers acting as firewalls) is that they eliminate all risk and can protect against misconfiguration of the Web server or poor network design. Unfortunately, this is not the case. Firewalls and routers themselves are vulnerable to misconfiguration and software vulnerabilities. In addition, many firewalls have limited insight into the application layer where many attacks occur. Thus, Web servers in particular are vulnerable to many attacks, even when located behind a secure, well-configured firewall.

A firewall (or router acting as a firewall) that is protecting a Web server should be configured to block all access to the Web server from the Internet except the necessary ports, such as TCP ports 80 (HTTP) and 443 (HTTPS). A firewall is the first line of defense for a Web server; however, to be truly secure, organizations need to implement layered protection for their Web servers (and networks). Most importantly, organizations should strive to maintain all systems in a secure posture and not depend solely on firewalls, routers, or any other single component to stop attackers.

A modern enterprise router is able to function as a network and transport layer filter (e.g., a basic firewall). A router functioning as a network/transport layer firewall can provide filtering based on several pieces of information [NIST02a], including the following:

Source IP address
Destination IP address
Traffic type
TCP/UDP port number and state.

The strength of routers is in their cost. Most organizations already have a border router that can be configured to provide network/transport layer firewall capabilities.

The weaknesses of routers include the following:

Susceptibility to application layer attacks (e.g., cannot examine Web content for embedded malicious code)
Susceptibility to attacks via allowed ports
Difficulty of configuration and administration
Limitations in logging capabilities
Processing capabilities that may be more limited and overtaxed by complex rule sets (i.e., access control lists)
Insufficient rule set expressiveness and filtering capabilities.
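The filtering policy described above (permit only TCP 80 and 443 to the Web server, deny everything else) and the network/transport layer criteria a router can filter on, as an added illustration that is not part of NIST SP 800-44: a toy first-match access control list evaluator in Python. The address 203.0.113.10 and the sample packets are constructed for this example, and the payload field exists only to show that such a filter never looks at application-layer content, which is the first router weakness listed above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed address for the Web server (documentation range, not a real host).
WEB_SERVER = "203.0.113.10"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp" (the "traffic type" criterion)
    dport: int            # destination port
    payload: bytes = b""  # application data: never inspected by this filter

@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"        # CIDR; default matches any source address
    dst: str = "0.0.0.0/0"        # CIDR; default matches any destination
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))

# The policy from the text: permit only the necessary ports (TCP 80 and 443)
# to the Web server; the final catch-all rule makes the default deny, not allow.
WEB_SERVER_ACL = [
    Rule("allow", dst=f"{WEB_SERVER}/32", proto="tcp", dport=80),
    Rule("allow", dst=f"{WEB_SERVER}/32", proto="tcp", dport=443),
    Rule("deny"),
]

def filter_packet(pkt: Packet, acl=WEB_SERVER_ACL) -> str:
    """First-match evaluation, the way router access control lists work."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"  # implicit deny when no rule matched

if __name__ == "__main__":
    # Constructed sample traffic from an arbitrary Internet host.
    for pkt in (Packet("198.51.100.7", WEB_SERVER, "tcp", 443),
                Packet("198.51.100.7", WEB_SERVER, "tcp", 22),
                Packet("198.51.100.7", WEB_SERVER, "udp", 80)):
        print(pkt.proto, pkt.dport, "->", filter_packet(pkt))
```

Because the decision depends only on addresses, protocol and port, two packets to TCP 80 with entirely different payloads get the same verdict; that is exactly the gap the text says layered protection must cover.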
67 For more information about firewalls, see NIST SP 800-41, Guidelines on Firewalls and Firewall Policy (http://csrc.nist.gov/publications/nistpubs/).
8-6