Web Servers Product
This module contains the Common Web Server Security Module and the Microsoft IIS Web Server module. The Common Web Server Security Module contains rules that apply to any web server running on a Windows host, whereas the Microsoft IIS Web Server module contains rules that are specific to IIS. The rules in this module are shown in Figure 8-4.
Figure 8-4 Web Server Microsoft IIS Windows Rule Policy
The overall effect of these policies is to secure the web server against common attacks and exploits encountered by IIS servers. Some of the policy highlights include
The iPlanet Web Server policy is similar to the IIS module in that it is a combination of the generic Common Web Server Security module and the more specific iPlanet module. Many of the protections provided by this module are the same as those in the IIS module, except that they use Unix commands and objects instead of those found in Windows. Rules for XSS, SQL command injection, and common log file exploits are present in this module just as in the IIS module. The rules in this module are shown in Figure 8-5.
Figure 8-5 Web Server iPlanet Solaris Policy
In theory, the HTTP service that runs on TCP port 80 is a narrow, well-defined interface and would need little protection on its own; in practice it is the web server software and the network operating system that cause the security concerns. Any service other than HTTP running on the server increases the risk associated with the server. The best way to protect against this, as with most other services, is to deploy a firewall between the public Internet and the web server. The web server can then sit on a private network, and Network Address Translation adds the benefit of hiding the real IP address of the web server. The firewall should be further configured to allow access to the web server only on the required ports, usually port 80 for HTTP and, if the web site also uses HTTPS, port 443 as well. To protect against application vulnerabilities, it is important to ensure that the web server applications are kept up with the latest...
A PIX with three interfaces is one of the most commonly used PIX hardware configurations in use in most enterprise networks today. The three interfaces are the inside, the outside, and a DMZ interface. As discussed earlier, the DMZ interface is used to house the servers that are to be accessed from the public network. In this case study, the server is a web server sitting on the DMZ interface. Example 8-1 shows the configuration for a PIX Firewall with three interfaces with a web server residing on the DMZ interface.
Using the Cisco Secure PIX Firewall, the following commands allow public web traffic to the web server with an internal address of 192.168.0.10/24 and provide a static translation to the public address of 126.96.36.199/24. This is based on Figure 11-3.
FTP is a very common application protocol used widely on the Internet to transfer files. Most public web servers also provide some FTP functionality so that public users can download files. For example, Cisco Systems serves its corporate web site at www.cisco.com and provides a separate FTP server, ftp.cisco.com, for downloading files.
Many companies do not run their own web servers in-house. They look to an ISP to provide web space on a shared server or opt for a dedicated, colocated server. In doing this, they gain the benefit of the ISP's network and Internet connection. The ISP offers this as a service and...
The Cisco Micro Webserver is best when a customer needs to accomplish the following:
To facilitate intraoffice communications (Micro Webserver acts as an intranet server)
To share information with clients and partners (Micro Webserver acts as an extranet server)
Key benefits of the Cisco Micro Webserver include the following:
Cost-effective, plug-and-play web server appliance with an easy-to-use, Java-based configuration utility and Network Wizard, allowing setup and installation within minutes.
Many small- and medium-sized businesses recognize the potential of Internet marketing. A Web site can market a company and enhance communication. The Cisco Micro Webserver is a Web server appliance that gives small- to medium-sized businesses and branch office customers an easy way to establish an Internet presence or to provide intranet-based intraoffice communications. The Micro Webserver packages both hardware and the embedded Web software kernel within a small footprint for content storage and Web authoring. The simple and intuitive graphical installation and configuration utilities enable nontechnical users to rapidly and easily connect Micro Webserver to the network. Its user-friendly graphical user interface and extensibility make the Cisco Micro Webserver appliance the ideal choice for a wide variety of customers and mission-specific applications. The Cisco Micro Webserver has excellent price per performance, with more than 50 connections per second. The Micro Webserver...
Before you can install the UCP module, you must prepare your web server. The web server needs to perform Secure Sockets Layer (SSL) encryption; otherwise, users' passwords can be seen in clear text when they are changed. After you have prepared your web server, you need to do a little more configuration in ACS if the UCP module is not going to be installed on the same device. You also need to assign permissions to the personal directories; if permissions are set incorrectly, the UCP module might not operate correctly. The following steps from the Installation and User Guide for Cisco Secure ACS User-Changeable Passwords guide you through the process of preparing the web server:
Step 1. Make sure the web server uses Microsoft IIS 5.0. IIS 5.0 is included with Windows 2000.
Step 2. In the file system directory that the web server uses as its home directory, create the following two directories. If the home directory of the web server is C:\Inetpub\wwwroot, use My Computer to add the directories to C...
In the section titled User Changeable Passwords earlier in the chapter, SSL was briefly mentioned. For those unfamiliar with SSL, it is a means of encrypting the communication between the web server and the user who is changing a password. If the users who change passwords with UCP are on a trusted network, it might not be necessary to encrypt this traffic. It is my general recommendation to encrypt it anyhow. To configure the SSL portion on the web server, perform the following tasks:
Step 4. After you have received your certificate from the certificate authority, install the certificate on your web server. For information about installing a certificate, see the Microsoft IIS documentation.
Following your Microsoft IIS documentation, activate SSL security on the web server. Keep in mind the following points when enabling SSL security:
Figure 15-3 shows an outside user accessing the DMZ web server (Web Server 10.1.1.3).
1. A user on the outside network requests a web page from the DMZ web server using the global destination address of 188.8.131.52, which is on the outside interface subnet. For multiple context mode, the security appliance first classifies the packet according to either a unique interface or a unique destination address associated with a context; the destination address is associated by matching an address translation in a context. In this case, the classifier knows that the DMZ web server address belongs to a certain context because of the server address translation.
5. When the DMZ web server responds to the request, the packet goes through the security appliance, and because the session is already established, the packet bypasses the many lookups associated with a new connection. The security appliance performs NAT by translating the local source address to 184.108.40.206.
Figure 15-4 shows an inside user accessing the DMZ web server.
1. A user on the inside network requests a web page from the DMZ web server using the destination address of 10.1.1.3. For multiple context mode, the security appliance first classifies the packet according to either a unique interface or a unique destination address associated with a context; the destination address is associated by matching an address translation in a context. In this case, the interface is unique; the web server IP address does not have a current address translation.
4. When the DMZ web server responds to the request, the packet goes through the fast path, which lets the packet bypass the many lookups associated with a new connection.
Figure 15-10 shows an outside user accessing the inside web server.
1. A user on the outside network requests a web page from the inside web server.
5. The web server responds to the request; because the session is already established, the packet bypasses the many lookups associated with a new connection.
Video conferencing servers, such as H.323 gatekeepers and SIP proxy servers, often host a web server to provide a user interface. This user interface typically provides two important functions. However, web servers in general are more susceptible to attack than other services, for two reasons. First, for the web server to operate properly, firewalls must allow external users to send high-bandwidth packet streams to the web server on port 80, and hackers can leverage this open port to take advantage of newly discovered flaws that compromise security. Second, server machines usually run one of two popular web servers, Apache or Microsoft Internet Information Services (IIS). Because these web servers are so common, hackers target them in an attempt to find new vulnerabilities that might not be detected by a firewall or HIPS.
Solution: The web server should offer strong confidentiality and authentication. The HTTPS protocol provides this mechanism by verifying identity, typically using...
The Web Server Apache policy applies to all three supported operating systems. It contains six modules: the Common Web Server Security module for each of the operating systems and a specific Apache Web Server module for each operating system. The protections offered by this policy are similar to those in the preceding two policies. What makes this policy so convenient is that it applies to all three operating systems, so the same policy can be used to protect hosts of all three types.
Figure 8-6 Web Server Apache Policy
There are few differences between the Microsoft IIS policy and the Apache policy as applied to a Windows machine. The bulk of the rules in each policy come from the Common Web Server Security module. This module contains most of the data access control rules, whereas the IIS- and Apache-specific modules address the file access control and application execution control rules relevant to the web server...
The cidWebServer application is the sensor's web server interface that facilitates interaction between the sensor and other Cisco IPS components on your network. This web server is capable of both HTTP and HTTPS communication sessions. Instead of simply providing static web pages, however, the web server provides functionality via several servlets. These servlets perform most of the real work accomplished via the cidWebServer application. One of the main functions provided by the web server is a front-end for the IDM.
The web server shown in Figure 13-1 doubles as a very basic form of a remediation server. Its primary purpose is to supply information to quarantined users that are redirected to the server. It must contain information on why they were redirected there, as well as information on how to bring their computer up to the company standard. In the case of this small business example, configure the web server's main index.html page to explain that the network has quarantined the user because the computer fails to meet minimum security. Next, provide instructions on how the users can install the latest patches, hotfixes, virus-definition files, and so on to bring the computer up-to-date and thus remove them from being quarantined.
Jerry Lin, CCIE No. 6469, is a consulting systems engineer for Cisco and is based in southern California. He specializes in security best practices. Jerry has worked with a variety of Cisco enterprise customers in areas such as software development, local government agencies, K-12 and universities, high-tech manufacturing, retail, and health care, as well as managed web-hosting service provider customers. He holds his CCIE in routing and switching, as well as CCDP and CISSP certifications. Jerry has been working in the IT industry for the past 12 years. During the late 1990s, he worked as a technical instructor. Jerry earned both a bachelor's degree and a master's degree in mechanical engineering from the University of California, Irvine.
error occurs, all implementations of the differentiated services architecture should provide the same treatment to each packet of the same type when those packets pass through a given interface. In Figure 1-1, multiple packets are sent from Bob to the web server, all marked with the same IP precedence value.
Figure 1-1. Multiple Packets from Bob Are Sent to the Web Server
Data traverses an IP-based network in the form of packets, where each packet consists of a header, which specifies the source and the destination, and the data itself. The IP addressing scheme uses either IPv4 or IPv6 to address computers on the Internet. IPv4 uses 32 bits for addressing, whereas IPv6 has 128-bit source and destination addresses, which provide far more addresses than IPv4. IP permits connectivity via a variety of physical media and provides a best-effort datagram service; therefore, no hard packet delivery guarantees exist. TCP is often used where reliability is a concern, because it guarantees the delivery and ordering of transmitted data. IP provides any-to-any connectivity, as demonstrated by the Internet. Common applications used today by companies include e-mail, web hosting, electronic commerce, corporate intranets and extranets, and emerging VoIP. Moreover, enterprise applications, such as enterprise resource planning (ERP) and supply chain management...
This chapter discusses the breadth and depth of services available to the service provider and the enterprise customer. It provides an overview of Layer 2, Layer 3, and remote access services and of value-added services such as managed VPN, web hosting, and managed shared services, as well as their applicability in the current environment. Subsequent chapters cover more detailed service descriptions; for example, Chapter 4, Layer 2 VPNs, covers Layer 2; Chapter 5, Layer 3 VPNs, examines Layer 3 MPLS VPN; and Chapter 6, Remote Access and IPSec MPLS VPN Integration, discusses remote access and IPSec integration.
Although hosting has been around almost as long as dedicated access services, it has become very popular over the past few years, with many service providers specializing in this market. Large providers that focus on dedicated hosting are commonly referred to as content providers. These providers usually develop highly fault-tolerant data center facilities that house cabinets or racks in which both enterprise and web hosting customers can lease space and colocate servers and other computer equipment. Providers then sell Internet access to the colocated devices locally via technologies such as Fast Ethernet (100 Mbps) and Gigabit Ethernet (1 Gbps). Pricing models vary, and both usage-based and fixed-rate services are available.
The final stage to consider is the plan at the end of the first year of operation. Again, this is a projection on what the business could be like. It is assumed that the ISP has started to do Web hosting for its customers and is investing in a large dialup network (which we shall say that the business plan calls for).
This is a very common simple configuration for web hosting from an ISP.
Initial Problems and Threats in the Internet Service Security Example
Application vulnerabilities: Besides operating system vulnerabilities, there are application vulnerabilities, which appertain to the applications running on the servers. Microsoft's Internet Information Server (IIS) is the standard web server of choice for Windows NT and Windows 2000 servers. This application has numerous well-known vulnerabilities, and new patches are released frequently to protect against recently found vulnerabilities.
Server-to-server communication: When the web server communicates with the database server, this is classified as server-to-server communication. This traffic should never cross a public network. In the design in Figure 11-2, this traffic is going across the public network. Other machines that are not part of the Mydomain.com network but are within the same Layer 3 domain could easily capture...
BOWIE.net is a regional Internet service provider (ISP) with 60 points of presence (POPs) throughout the Southeast and along the East Coast of the United States. It has a Cisco-powered network and currently provides residential and business access to the Internet, managed network services, and Web hosting.
Inbound traffic that originates from the outside is denied by default on the PIX. Rules have to be put in place to permit traffic initiated from the outside to reach servers and subnets behind the Cisco PIX Firewall. The rules are usually made up of a static NAT command and an access list. The static command identifies the subnet or host that traffic from the outside will be permitted to reach. Access lists are then configured to identify and permit the type of traffic to the subnet or host identified by the static command. The following is an example of a rule that permits HTTP traffic to be initiated from the outside to a web server, 10.1.2.39, on the inside interface of the PIX:
This task involves copying a file access control rule to the Common Web Server Security
Step 2. Select the Apache Web Server module link.
Step 3. Select the Modify Rules link. The existing rules for the Apache Web Server rule module appear.
Step 5. Select Common Web Server Security Module v4.5 r369 from the Copy to rule module drop-down menu.
Step 11. Select the Common Web Server Security Module.
If the web server and the client trying to access it are on the same PIX interface, the normal way of configuring the alias command works fine. The alias command doctors the DNS server's response for the name of the web server so that the client connects to the server's private IP address. However, problems arise when the web server sits on a subnet connected to a different PIX interface than the client. In that case, the normal alias configuration does not work: when the client sends a packet to the web server's private IP address that the doctoring PIX handed to it, the PIX translates that address back into the web server's public, globally routable address and routes the packet out the public or outside interface. This is incorrect, because the web server is not located on the public network but on a DMZ segment. The way to fix this problem is to reverse the...
You can also use a dynamic remove process capability in conjunction with dynamically adding a process. For example, you can dynamically add a process to a suspicious web server descendents class if a web server spawns a process. Then, if that spawned process attempts to read a script from a normally accessed directory, you can decide this isn't a dangerous process and have the process removed from the class after the attempt. But if the spawned process attempts to read a script from a directory it should not be accessing, the process should remain in the suspicious web server descendents class.
The e-commerce customer initiates an HTTP connection to the Web server after receiving the IP address from a DNS server hosted at the ISP network. The DNS is hosted on a different network to reduce the amount of protocols required by the e-commerce application. The first set of firewalls must be configured to allow this protocol through to that particular address. The return traffic for this connection is allowed back, but there is no need for any communication initiated by the Web server back out to the Internet. The firewall should block this path to limit the options of hackers if they get control of one of the Web servers. As the user navigates the web site, certain link selections cause the Web server to initiate a request to the application server on the inside interface. This connection must be permitted by the first firewall, as well as the associated return traffic. As in the case with the Web server, there is no reason for the application server to initiate a connection to...
CGFs offer more protection than CTP firewalls. Figure 2-17 shows the process that a person goes through when setting up a connection through a CGF. In Step 1, Richard attempts to set up a connection to the internal web server (22.214.171.124). The CGF intercepts the connection and authenticates it, if this has been configured. After authentication, the CGF opens a separate connection to the internal web server (Step 2). At this point, any web traffic sent by Richard to 126.96.36.199 first is processed by the CGF and then is redirected to the internal web server, as shown in Step 3. Any other traffic from Richard is dropped unless it has been authorized by the first authentication request or unless the CGF asks for authentication for any additional connections. If Richard does not authenticate successfully, the CGF terminates the connection.
The Analysis and Hit Count buttons are located next to the Query button at the bottom of the access control list (ACL) rule table for a device. The Analysis function analyzes the ACL rules in the rule table for the device and displays rules that conflict or overlap. For example, say that someone has configured a rule to permit any traffic to the web server destination object for the web service (in other words, permit source any, destination web server object, service HTTP). Several weeks later, another admin adds a rule further down in the rule table to deny any traffic to the web server destination object for the web service. Because the table is evaluated top down, the later deny rule can never match anything the earlier permit rule has not already matched, and the Analysis function would display that these rules are in mutual conflict. An example of how Analysis displays a conflict between these ACL rules is provided in Figure 9-13.
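The following is an added example, not code from the page or from the Cisco management product it describes: a small first-match rule-table analyzer that reports the situation just described (an earlier permit that makes a later deny for the same traffic unreachable) and also shows which rule a given packet hits, in the spirit of the Hit Count button. The rule names, the web server address, and the sample rule table are constructed for this example.

```python
"""Added example (not from the page): first-match ACL analysis.

Models a rule table like the one in the text, where a later 'deny any ->
web server, HTTP' can never take effect because an earlier 'permit any ->
web server, HTTP' already matches every such packet. Rule names, the web
server address and the sample table are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "permit" or "deny"
    src: str           # CIDR or host address, or "any"
    dst: str
    proto: str         # "tcp", "udp" or "ip" (any protocol)
    dport: tuple       # (low, high) inclusive; (0, 65535) means any port


def _net(spec: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by b is also matched by a."""
    proto_ok = a.proto == "ip" or a.proto == b.proto
    return (proto_ok
            and _net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst))
            and a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1])


def overlaps(a: Rule, b: Rule) -> bool:
    """True if at least one packet is matched by both a and b."""
    proto_ok = "ip" in (a.proto, b.proto) or a.proto == b.proto
    return (proto_ok
            and _net(a.src).overlaps(_net(b.src))
            and _net(a.dst).overlaps(_net(b.dst))
            and a.dport[0] <= b.dport[1] and b.dport[0] <= a.dport[1])


def analyze(rules):
    """Walk the table in order and report, for each rule, the earlier rule that
    makes it dead ("shadowed" if same action, "conflict" if opposite action)
    or that partially overlaps it with the opposite action."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "shadowed" if earlier.action == later.action else "conflict"
                findings.append((kind, earlier.name, later.name))
                break          # first match decides; nothing below can change it
            if overlaps(earlier, later) and earlier.action != later.action:
                findings.append(("partial-overlap", earlier.name, later.name))
    return findings


def first_match(rules, src, dst, proto, dport):
    """Which rule a single packet hits (None means the implicit deny)."""
    pkt = Rule("pkt", "", src, dst, proto, (dport, dport))
    for r in rules:
        if covers(r, pkt):
            return r
    return None


# Constructed sample table: r3 is the deny "added several weeks later" below r1.
WEB_SERVER = "192.168.0.2"
RULES = [
    Rule("r1-permit-http",  "permit", "any",        WEB_SERVER, "tcp", (80, 80)),
    Rule("r2-permit-https", "permit", "any",        WEB_SERVER, "tcp", (443, 443)),
    Rule("r3-deny-http",    "deny",   "any",        WEB_SERVER, "tcp", (80, 80)),
    Rule("r4-deny-web-all", "deny",   "10.0.0.0/8", WEB_SERVER, "tcp", (0, 65535)),
]

if __name__ == "__main__":
    for finding in analyze(RULES):
        print("%-16s %s is affected by earlier rule %s" % (finding[0], finding[2], finding[1]))
    hit = first_match(RULES, "203.0.113.7", WEB_SERVER, "tcp", 80)
    print("HTTP from the Internet hits:", hit.name if hit else "implicit deny")
```

Running it reports r3 as a conflict with r1 (it is never reached), and r4 as a partial overlap with r1 and r2: r4 still catches non-web ports from 10.0.0.0/8, but its intent to block web traffic from that range is defeated by the two earlier permits.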
When you click the Add button in the Advanced Firewall DMZ Service Configuration page, the DMZ Service Configuration window appears. You must provide the server addresses and select the DMZ services either by clicking the list of well-known services or by manually specifying the port number. In this figure, an access to the web server running on server 192.168.0.2 port TCP 80 (identified as www service) is permitted.
In Figure 11-3, you can see that the Web server for Mydomain.com is serving Web files for www.mydomain.com. The Web server runs a stock lookup database that is linked to a backend SQL database running on a server in the same Layer 3 domain as the Web server. NAT is used to statically translate the Web server's private IP address of 192.168.1.10 to the public IP address of 188.8.131.52. Therefore, Internet hosts access www.mydomain.com and DNS resolves this to 184.108.40.206. The Mydomain.com firewall handles this request and statically translates it inbound to 192.168.1.10. The SQL server has a private IP address of 192.168.1.20. There is no static translation for this server, so in theory, it cannot be accessed from the outside.
The traffic is then processed by a stateful firewall. The stateful firewall has three security levels set up: low for the Internet side, medium for the DMZ, and high for the internal network. A security rule was added on the stateful firewall to allow traffic from the Internet only to the web server. All other traffic from a lower security level to a higher one is prohibited; however, higher-to-lower movement is permitted, allowing the web server administrator on the internal network to log in to the DMZ web server to update web pages.
The hostname of the end station must be associated with a device group. A hostname is automatically associated with a device group as indicated in the Cisco Security Agent kit. A hostname can also be added to additional device groups. The ability to associate a hostname, such as a Windows workstation name, with a device group enables common security policies to be deployed to different end stations, including Solaris Web Server, SAP Servers, teleworkers, and so on. For example, a Linux web server in New York City for business-to-business (B2B) can be part of the Linux device group, Web Server device group, New York City data center device group, and the B2B server device group.
NOTE We recommend that you install only the Common Services component of CiscoWorks VMS on any server that will run CSA MC software. In addition, you want to ensure that Microsoft Terminal Services is not installed and the IIS Web server is not running prior to starting the CSA server installation process.
You can see that two ranges have been defined. The first range is for the Web server farm, 220.127.116.11 to 18.104.22.168. Note that the Force Scan checkbox is selected. This means that all of these hosts will be probed, regardless of whether they are active. The second range identifies the Internet mail server on 22.214.171.124. An ICMP Echo Request will be sent to this machine to ascertain whether or not the machine is running.
A policy is composed of individual rules. A collection of rules is named a rule module. Rule modules are generally specific to a particular OS. Rules define each component of the specific security posture in the rule module, which can be attached to a security policy. Rules can also refer to an application class to indicate which applications or processes are policed by the rule. Rules can also be composed with variables, so that information common to several rules is defined once and referenced multiple times. Examples of variables in rules include event sets, query settings, file sets, network address sets, network services, registry sets, COM component sets, and data sets. Figure 8-5 displays some of the rules that compose the Common Web Server Security Module default policy.
In Figure 8-2, the browser on workstation A is configured with the content engine as its proxy. The user at this workstation requests a web page that resides on the web server, so the request is sent to the content engine. At Step 2, if the content engine has the requested web page cached, it sends the page directly to the user. As with transparent caching, after the content engine has the content, any subsequent requests for the same web page are satisfied by the content engine; the web server is not involved.
However, what happens if someone inside the network, such as 126.96.36.199, tries to access this external device (188.8.131.52)? Assume that this is an HTTP request to 184.108.40.206, which has a web server running on it. HTTP uses TCP, and TCP goes through a three-way handshake to establish a connection before data is transferred: SYN, SYN/ACK, and ACK. Initially, 220.127.116.11 sends a SYN to establish a connection. With TCP (and UDP), a source port number greater than 1023 is chosen to represent this specific connection, and the destination is port 80, telling 18.104.22.168 that this is an HTTP request for web services. 22.214.171.124 now responds to the TCP SYN from 126.96.36.199 with a SYN/ACK (the second step in the three-way handshake), as shown in Figure 2-9. However, when the packet-filtering firewall examines the packet, it determines that because the destination is 188.8.131.52, the packet should be dropped according to its packet-filtering rules. Therefore, the connection cannot be...
During a sudden surge of web traffic, a caching device can become overloaded and no longer able to handle additional web requests. To solve this problem, cache engines detect when they reach a particular load limit. At the point of overload, the cache device refuses additional requests and forwards subsequent requests directly to the destination web server. After the cache device has processed its backlog of requests, it intercepts requests again. Another issue is keeping the cached content current. The cache device becomes less effective if it cannot show the same content the user would see by visiting the web server directly. A stock-tracking page is an example: what good is the caching device if the stock price it serves is an hour or a day older than the one on the actual web site? You have three different ways to indicate whether content can be cached and for how long. The first method is in the HTTP document itself: HTTP can specify whether a document is cacheable....
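As an added example (not from the page or from any Cisco content engine), the following computes the decision the passage describes from the HTTP response headers themselves: whether a shared cache may store a response at all, and for how many seconds it may serve it before going back to the origin. The response headers in SAMPLES and the fixed clock NOW are constructed for this example; the 10% heuristic for responses that carry only Last-Modified is one common choice, not a fixed rule.

```python
"""Added example (not from the page): deciding cacheability and freshness
from HTTP response headers, as a shared cache engine would. The headers in
SAMPLES are constructed; the fixed clock NOW stands in for the current time.
"""
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def parse_cache_control(value: str) -> dict:
    """'public, max-age=60' -> {'public': True, 'max-age': '60'}"""
    directives = {}
    for part in value.split(","):
        part = part.strip().lower()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip()] = arg.strip().strip('"') or True
    return directives


def freshness_lifetime(headers: dict, now: datetime, shared: bool = True):
    """Seconds the stored response may be served without contacting the origin.

    None  -> must not be stored at all (no-store, or private on a shared cache)
    0     -> may be stored but must be revalidated on every request
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or (shared and "private" in cc):
        return None
    if "no-cache" in cc:
        return 0
    if shared and "s-maxage" in cc:       # shared caches prefer s-maxage
        return int(cc["s-maxage"])
    if "max-age" in cc:
        return int(cc["max-age"])
    if "expires" in h:
        try:
            expires = parsedate_to_datetime(h["expires"])
        except (TypeError, ValueError):
            return 0                      # unparsable Expires counts as already stale
        return max(0, int((expires - now).total_seconds()))
    if "last-modified" in h:
        # Heuristic freshness: a fraction (10%) of the time since the last change.
        modified = parsedate_to_datetime(h["last-modified"])
        return max(0, int((now - modified).total_seconds() * 0.10))
    return 0                              # nothing to go on: store, but revalidate


def serve_from_cache(headers, stored_at, now, shared=True) -> bool:
    """True if a response stored at stored_at is still fresh at now."""
    lifetime = freshness_lifetime(headers, now, shared)
    if lifetime is None:
        return False
    return (now - stored_at).total_seconds() < lifetime


def _http_date(dt):
    return format_datetime(dt, usegmt=True)


# Constructed responses a cache engine like the one in the text might see.
SAMPLES = {
    "stock-quote":  {"Cache-Control": "no-cache, must-revalidate"},
    "logo-png":     {"Cache-Control": "public, max-age=86400"},
    "account-page": {"Cache-Control": "private, max-age=600"},
    "login-form":   {"Cache-Control": "no-store"},
    "legacy-html":  {"Expires": _http_date(NOW + timedelta(hours=1))},
    "old-static":   {"Last-Modified": _http_date(NOW - timedelta(days=10))},
}


def classify(samples=SAMPLES, now=NOW) -> dict:
    """Freshness lifetime (or None) for each constructed response."""
    return {name: freshness_lifetime(hdrs, now) for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, lifetime in classify().items():
        print(f"{name:14s} lifetime={lifetime}")
```

The stock page in the text gets a lifetime of 0: it may be stored, but every request is revalidated with the origin, so the price is never stale. The account page is the security-relevant case for a shared content engine: because it is marked private, the shared cache must not store it, or one user's page could be served to the next.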
After a user is successfully authenticated, his or her user information is saved in cache for a predetermined amount of time. You set this time by configuring the timeout uauth command, which is specified in hours, minutes, and seconds. If the user's session idle time exceeds the timeout, the session is terminated, and the user is prompted to authenticate during the next connection. To disable caching of users, use the timeout uauth 0 command. Be sure not to use timeout uauth 0 when using the virtual http command; that setting prevents any connections to the real web server after successful authentication at the Cisco PIX Firewall.
TIP Consider the following situation: You do not want hackers exploiting port 80 to access your network. Because you do not host a web server, it is possible to block incoming traffic on port 80, except that your internal users need web access, and when they request a web page, the return traffic on port 80 must be allowed. The solution to this problem is to use the established keyword. The ACL will allow the response to enter your network, because the response will have the ACK bit set as a result of the initial request from inside your network. Requests from the outside world will still be blocked because the ACK bit will not be set, but responses will be allowed through. Keep in mind that established matches on the flag bits alone (ACK or RST set); the router keeps no connection table, so a crafted inbound packet with the ACK bit set passes the ACL even though no inside host asked for it.
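The handshake walked through in the packet-filtering discussion above and the established-keyword TIP are both illustrated by the following added example, which is not code from the page or from Cisco IOS. It runs the three packets of an inside client's HTTP handshake through two filters: a stateless one that behaves like an ACL with established (permit inbound only when ACK or RST is set), and a stateful one that remembers outbound SYNs. It then shows the caveat: the stateless filter passes an outside-originated packet that merely has ACK set, while the stateful one drops it. The addresses, ports, and packets are constructed for this example.

```python
"""Added example (not from the page): the 'established' keyword versus a
stateful connection table, on the inside-to-outside HTTP handshake the text
walks through. Addresses, ports and packets are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10
INSIDE_NET = ipaddress.ip_network("10.1.1.0/24")   # constructed inside network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


def inbound(pkt: Packet) -> bool:
    """A packet arriving on the outside interface is bound for the inside net."""
    return ipaddress.ip_address(pkt.dst) in INSIDE_NET


def established_filter(pkt: Packet) -> bool:
    """Stateless ACL with 'established': outbound is permitted; inbound is
    permitted only if ACK or RST is set. No memory of any connection."""
    if not inbound(pkt):
        return True
    return bool(pkt.flags & (ACK | RST))


class StatefulFilter:
    """Stateful inspection: remembers outbound SYNs and admits inbound packets
    only when they belong to a session an inside host actually opened."""

    def __init__(self):
        self.sessions = set()

    def __call__(self, pkt: Packet) -> bool:
        if not inbound(pkt):
            if pkt.flags & SYN:
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound packets must match the reverse of a remembered outbound SYN.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def handshake(filt):
    """Inside client 10.1.1.5 opens an HTTP connection to an outside web
    server; returns (step name, permitted) for each packet, in order."""
    client, server = "10.1.1.5", "203.0.113.80"
    steps = [
        ("SYN",     Packet(client, server, 40000, 80, SYN)),
        ("SYN-ACK", Packet(server, client, 80, 40000, SYN | ACK)),
        ("ACK",     Packet(client, server, 40000, 80, ACK)),
    ]
    return [(name, filt(p)) for name, p in steps]


def outside_initiated(filt):
    """An outside host probes an inside web port: first honestly (SYN), then
    with a crafted ACK-only packet, the classic way around 'established'.
    Returns (honest SYN permitted, crafted ACK permitted)."""
    honest = Packet("203.0.113.9", "10.1.1.30", 50000, 80, SYN)
    crafted = Packet("203.0.113.9", "10.1.1.30", 50000, 80, ACK)
    return filt(honest), filt(crafted)


if __name__ == "__main__":
    for name, filt in (("established", established_filter), ("stateful", StatefulFilter())):
        print(name, "handshake:", handshake(filt))
        print(name, "outside SYN / crafted ACK:", outside_initiated(filt))
```

Both filters let the legitimate handshake through. The difference shows on the probe: the established filter returns (False, True), admitting the ACK-only packet, which is why that keyword is acceptable only for routers fronting hosts that will themselves reject unsolicited segments; the stateful filter returns (False, False).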
FTP access for downloading files from a Web server is normally pretty safe and anonymous access can be allowed for this purpose. The problems arise when you start to use FTP to upload files that make up the company web site or similar services. This access has to be protected against intrusion, because the files being uploaded make up the corporate web site and must be kept secure. A good idea in this instance is either to run the management FTP access on a different port or to use a different server completely for public FTP access.
A common attack that hackers employ is to break into your web server and change the content (web pages). This form of attack is called graffiti. This type of attack has happened to many organizations, typically government resources a hacker breaks into a web server and replaces the web content with pornography or interesting political content. To execute this kind of attack, a hacker typically first performs a reconnaissance attack, such as eavesdropping, to discover user accounts and passwords, and then executes an unauthorized access attack. A more ingenious hacker might use Java or ActiveX scripts either to learn information about a client's device or to break into it. Likewise, a hacker might try to take advantage of known vulnerabilities in a web server application or operating system. To prevent Java and ActiveX attacks on your users, and possibly your web servers, you should use a filtering solution that can filter Java and ActiveX scripts that are embedded in HTML pages. Many...
Web server on the protected host from being overloaded by accepting too many connections in a Step 5 Select Connection rate limit to open the configuration window for this rule type. Step 6 Enter Protect web server from too many connections in the Description field. Step 7 Check the Enabled check box to enable this rule within the policy.
To install UCP, a Microsoft IIS 5.0 or 6.0 web server must be running. Communications between UCP and Cisco Secure ACS is protected with 128-bit encryption. It is also possible to secure communications between the user and UCP by using Secure Sockets Layer (SSL). SSL is the recommended method for UCP.
For example, a common type of proxy is an HTTP proxy. With an HTTP proxy, an individual configures the web browser to point to the proxy. Whenever the individual requests a web page, the request goes to the proxy first. The proxy examines its local cache to see if the information was retrieved previously. If it is in the cache, the proxy responds with the information; otherwise, the proxy generates a request to pull the information from the real web server, caches that information, and forwards it to the client. This is similar to a CGF, but without the security functions.
One common misuse of Internet e-mail systems is spam. Spam is unsolicited bulk e-mail; the people who send it are known as spammers. Spammers usually send bulk e-mails about get-rich-quick schemes or advertising pornographic web sites. Spam is enabled if the Web server is running as an open relay. Various Internet groups, such as the Open Relay Behavior-modification System (ORBS, www.orbs.org), have emerged to crack down on server administrators who are running open relays, either intentionally or unintentionally.
Routable IP addresses, because you need people on the Internet to be able to browse your Web server, download files from your FTP server, and send and receive from your e-mail server. You now have three major design changes to make to your system. You must first allow WWW traffic to access the Web server, whose IP address is 10.1.1.30. This IP address needs to be statically translated to a routable address on the Internet. One of the easiest ways to keep track of static IP translations is to use the same last octet in both addresses. In the case of the Web server, you will use 30 as the last octet. The second change is to allow e-mail through to the mail server. The third change is to allow FTP traffic to the FTP server. All of these servers That is all that is required to allow SMTP packets to traverse the PIX to the server with the 10.1.1.49 IP address. Users outside the PIX will see this server as 192.168.1.49. Packets sent to 192.168.1.49 will have NAT applied to them and will be...
The firewall provides connection state enforcement and detailed filtering for sessions initiated through it. Publicly addressable servers have some protection against TCP SYN floods through the use of half-open connection limits on the firewall. From a filtering standpoint, in addition to limiting traffic on the public services segment to relevant addresses and ports, filtering in the opposite direction also takes place. If an attack compromises one of the public servers (by circumventing the firewall, HIDS, and NIDS), that server should not be able to attack the network further. To mitigate against this type of attack, specific filtering prevents any unauthorized requests from being generated by the public servers to any other location. As an example, the Web server should be filtered so that it cannot originate requests of its own, but merely respond to requests from clients. This helps prevent a hacker from downloading additional utilities to the compromised box after the initial...
Interface Serial 0.1, which connects to the distributor's office, is set up with an IP address, an access list, and a call to the CBAC to inspect outgoing packets. Bigg Inc. allows HTTP (Web server) access to the host at 10.1.1.34 for ports 80 (the default) and ports 8001, 8002, 8003, and 8004.
Complete the following steps to use the CSA MC interface to examine the Web Servers group for Windows and access the CSA MC to obtain the Agent kit URL for the Web Servers group: Step 2 Scroll down to the Servers IIS Web Servers group link in the lower box of groups. The correct group will show Windows in the Operating System column to the right. Step 3 Click the Servers IIS Web Servers (for Windows) link. This page also displays the policies attached to this preconfigured group. Step 8 Enter IIS Web Servers in the description text box. Step 9 Select Servers-IIS Web Servers V4.5 r369 from the Select the groups with which this kit should be associated.
For many years, businesses have been building networks based on Transmission Control Protocol/Internet Protocol (TCP/IP) to take advantage of the power of TCP/IP networking and the many services it can provide. These services include ubiquitous Internet access for remote users, easy-to-use Web browsers, internal corporate Intranets and Web servers, Java applications, and Extranets with trading partners and suppliers. All these services make it easier for enterprise businesses to build new business applications, enable Web browser access to information databases, and provide new services to both internal and external customers.
When systems connect to your network, corporate firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), and other security devices protect them. When they disconnect and travel to remote networks at coffee shops, hotels, or even their home, they lose all that protection. Therefore, it might be desirable to raise the level of network security enforced on these systems when they travel abroad. In many cases, endpoints run many services that listen on the network, such as mass deployment and system management software, remote control packages, file sharing, and web servers. The following example creates a system state set and a policy to help you lock down your systems when they leave your premises.
When you type in a web site address or URL such as www.cisco.com, the first thing that happens is that this easy-to-use name gets converted into an IP address. The server is known on the network by its IP address, not by its name. It is easier for users to remember www.cisco.com than 192.168.10.12. This is the main reason that DNS was implemented, but there are other benefits of using a name-resolution service. One of these is round-robin load balancing, where one domain name can be translated to more than one IP address. For example, you could register www.mydomain.com to 192.168.0.1 and 192.168.0.2. Both of these could be Web servers serving the Mydomain.com web site. Users accessing www.mydomain.com from their Web browsers would get either of the Web servers in a round-robin fashion. This provides load balancing and a simple form of fault tolerance.
In Figure 7-13, you can see three configuration lines for the session. The first line configures the session to scan the Web servers on DMZ1. The second line configures the session to scan the internal network, and the third line configures the session to scan the mail servers on DMZ2. Note that the Force Scan checkbox is checked on the second configuration line. Because ICMP is not permitted through the firewall for the internal interface, forcing a scan is the only way to scan the hosts on the internal network. If you leave this blank, no hosts on the internal interface would be added to the network map because the scanning software would presume that the hosts are down.
Because the router redirects packets destined for Web servers to the cache engine, the cache engine operates transparently to clients. Clients do not need to configure their browsers to be in proxy server mode. This is a compelling feature for ISPs and large enterprises, for whom uniform client configuration is extremely expensive and difficult to implement. In addition, the operation of the cache engine is transparent to the network; the router operates entirely in its normal role for non-Web traffic. This transparent design is a requirement for a system to offer networkwide scalability, fault tolerance, and fail-safe operation. Because the Cisco cache engine is transparent to the user and to network operation, customers can place cache engines in several network locations in a hierarchical fashion. For example, if an ISP places a large cache farm at its main point of access to the Internet, then all its points of presence (POPs) benefit. (See Figure 49-5.) Client requests hit the...
Before configuring your policies, you must understand exactly which network resources and services you want to protect and which threats you are most concerned about. The first step in planning a security policy is identifying the resources that your user community requires in order to do business. That could include specific applications, protocols, network servers, and web servers. Collect this information and use it to design the main features of your policy.
It is a good practice to use a combination of NAT and PAT. If you have more internal hosts than external IP addresses, you can configure both NAT and PAT. Your first group of hosts translates to the global addresses that are listed, and the remaining hosts use PAT and translate to the single global address. If you do not configure NAT and PAT, the PIX automatically performs NAT starting at the highest IP of the global IP range and performs PAT with the lowest IP after all other addresses have been used. If the location has any servers that need to be accessed from the Internet (web servers, mail servers, and so on), they must be configured for static translation.
The next chapter, Providing Secure Access to Internet Services, covers the requirements of securing the corporate network while still allowing access to Web servers. Web Servers This chapter covers common Internet services and the attacks that are launched on them. It starts by looking at some common security attacks that can be made over the Internet and concentrates on network intrusion and DoS attacks. Finally, the chapter moves on to look at each individual Internet service, consisting of Web servers, File Transfer Protocol (FTP) servers, Internet e-mail servers, and Domain Name System (DNS) servers. Web servers Web servers provide access to the web sites of the business. Before covering the individual services, the chapter looks at aspects of Internet security in relation to the web site as a whole. To do this, the chapter includes a sample Internet service that is running under Mydomain.com. This Internet service includes Web servers, FTP servers, e-mail servers, DNS servers,...
You can provide the local (source) and foreign (destination) IP addresses and subnet masks. When web clients using local addresses send HTTP requests to web servers with foreign addresses, those requests are subject to filtering. In most cases, you can define the policy to use any local address and any foreign address. To do this, specify the local and foreign values as 0s (0 0 0 0). You can also allow HTTPS traffic to be filtered by a Websense server. Identify the HTTPS port as dest-port (usually port 443). Connections that are subject to filtering have clients using local (source) addresses defined by local_ip and local_mask and web servers using foreign (destination) addresses defined by foreign_ip and foreign_mask. When a web client requests web content from a foreign site, the firewall relays the request toward the website and sends a request to the filtering server, all in parallel. By default, if the web server responds before the filtering server, the content is dropped at the...
Terminates the HTTPS connections on its public interface and then forwards the HTTP or HTTPS requests to the internal web server. The response from the web server is then encapsulated into HTTPS and forwarded to the client. This feature uses only an Internet browser to access corporate resources. Thus, this mode is referred to as clientless SSL VPNs. Figure 6-10 illustrates this mode. The following sequence of events takes place when UserA tries to connect to a web server located at 192.168.1.100: 1. UserA initiates an HTTP request to the web server, which is located on the other side of the SSL VPN tunnel. The user request is encapsulated into the SSL tunnel and is then forwarded to the IOS router. Web Server NOTE: If you frequently use Java and ActiveX coding on a web page, a Cisco IOS router might not be able to rewrite web pages that embed that content. You can enable the port-forwarding option to tunnel HTTP traffic directly to the web server. Additionally, a Cisco IOS router does...
Two hosts, named PC1 and PC2, sit on subnet 172.16.1.0/24, along with router R1. A web server sits on subnet 172.16.2.0/24, which is connected to another interface of R1. At some point, both PC1 and PC2 send an ARP request before they successfully send packets to the web server. With PC1, R1 makes a normal ARP reply, but for PC2, R1 uses a proxy ARP reply. Which two of the following answers could be true given the stated behavior in this network? c. PC2's ARP broadcast implied that PC2 was looking for the web server's MAC address. e. R1's proxy ARP reply contains the web server's MAC address.
Assume that Fred is trying to connect to the web server, called Web. (Web uses TCP as the transport layer protocol.) Three of the ICMP unreachable codes would possibly be used by Routers A and B. The other two codes would be used by the web server. These ICMP codes would be sent to Fred as a result of the packet originally sent by Fred. Host unreachable: This code implies that the single destination host is unavailable. If Router A has a route to 10.1.2.0, the packet will be delivered to Router B. However, if the web server is down, Router B will not get an ARP reply from Web. The ICMP unreachable message, with code host unreachable, will be sent by Router B to Fred, in response to Fred's packet destined for 10.1.2.14. Protocol unreachable: If the packet successfully arrives at the web server, two other unreachable codes are possible. One implies that the protocol above IP, typically TCP or UDP, is not running on that host. This is highly unlikely because most operating systems that use...
5 Configure and enable an IP access list that allows packets from subnet 10.3.4.0/24, to any Web server, to get out serial interface S0. Also allow packets from 184.108.40.206 going to all TCP-based servers using a well-known port to enter serial 0. Deny all other traffic. 9 Configure a named IP access list that allows only packets from subnet 220.127.116.11 255.255.255.0, going to hosts in network 18.104.22.168 and using a Web server in 22.214.171.124, to enter serial 0 on a router. 2 Configure an IP access list that allows only packets from subnet 126.96.36.199 255.255.255.0, going to hosts in network 188.8.131.52 and using a Web server in 184.108.40.206, to enter serial 0 on a router.
The GUI Web interface files must be installed in flash memory on a Web server that runs locally on the Cisco CME router. The HTTP server on the Cisco CME router is disabled by default. In order to enable it, enter ip http server from global configuration mode. While this starts the HTTP service, it does not define where the files that will be served up by the local router's Web server will reside. To configure the location of the files to be served by the Web server, enter the command ip http path flash from global configuration mode. Authentication is set to use the enable password by default. It is recommended that authentication be configured to use AAA or a local username and password pair. The ip http authentication command is used to configure the authentication method that is desired. Enables the Cisco Web server on the local Cisco CME router
In addition to allocating sufficient time for a baseline analysis, it is also important to find a typical time period to do the analysis. A baseline of normal performance should not include nontypical problems caused by exceptionally large traffic loads. For example, at some companies, end-of-the-quarter sales processing puts an abnormal load on the network. In a retail environment, network traffic can increase fivefold around Christmas time. Network traffic to a web server can unexpectedly increase tenfold if the website gets linked to other popular sites or listed in search engines.
Just as there was a loading issue outbound from AS 65001, there can be a similar problem inbound. Maybe the sales web servers are located on the same subnet behind router B, causing the inbound load for router B to average higher utilization. To manipulate how traffic enters an AS, use the BGP MED attribute. The problem is that if the inbound load for router A spikes to more than 100 percent and causes the link to flap, all the sessions crossing that link could be lost. If these sessions were purchases being made on AS 65001 web servers, revenue would be lost, which is a result that administrators want to avoid.
Method of distributing Web traffic by taking into account Web server availability and relative client-to-server topological distances in order to determine the optimal Web server for a client. DistributedDirector uses the Director Response Protocol to query DRP server agents for BGP and
If you were using the previous configuration, you would have needed to remove the old static translations using the no form of the static command. You also added a new conduit statement. This statement allows any Oracle database traffic from the Web server on the public interface to enter into your inside LAN. The PIX Firewall uses port 1521 for SQL*Net. This is also the default port used by Oracle for SQL*Net, despite the fact that this value does not agree with Internet Assigned Numbers Authority (IANA) port assignments. Because the Web server has a database running in the background, you need to allow traffic from this Web server to enter into the LAN and talk to the Oracle database servers. These tasks are accomplished with the following lines
The primary problem with application layer attacks is that they often use ports that are allowed through a firewall. For example, a hacker executing a known vulnerability against a Web server often uses TCP port 80 in the attack. Because the Web server serves pages to users, a firewall needs to allow access on that port. From a firewall's perspective, it is merely standard port 80 traffic.
Figure 10-19 and Figure 10-20 illustrate the Company XYZ network diagram for this scenario. An Internet user (cracker) is connected via a public connection to Company XYZ headquarters, with the intention of hacking into one of the web servers (WebServer1). The server has been attacked frequently before, and the network administrator wants to implement a solid solution using a network IDS configured for IP blocking.
Step 1 Create a static translation for the web server, as follows: mapped-address The translated IP address of the web server. real-address The real IP address of the web server. Step 2 Create an access list that permits traffic to the port that the web server listens to for HTTP requests. mapped-address The translated IP address of the web server. port The TCP port that the web server listens to for HTTP requests. Step 5 On the public DNS server, add an A-record for the web server, such as where domain-qualified-hostname is the hostname with a domain suffix, as in server.example.com. The period after the hostname is important. mapped-address is the translated IP address of the web server. Web server 192.168.100.10. In Figure 25-2, a web server, server.example.com, has the real address 192.168.100.10 on the DMZ interface of the security appliance. A web client with the IP address 10.10.10.25 is on the inside interface and a public DNS server is on the outside interface. The site NAT...
Figure 12-6 Windows Web Server Logging mechanisms. Step 12 From the Select Application list, select Generic Web Server Generic. Step 13 Click Add. Chapter 12 Configuring Web Server Devices: Apache Web Server on Solaris or RedHat Linux. System Web Server on Solaris. The Sun Java System Web Server was formerly known by the following product names: Netscape Enterprise Server, iPlanet Web Server, and Sun ONE Web Server. Generic Web Server Generic: For MARS to receive logs from a web server, you must install the Web agent (agent.pl version 1.1) on the target web server and direct the agent to publish logs to the MARS Appliance. access_log_path identifies the absolute path name to the web server's access log. Web Server Configuration: To configure the Apache web server for the agent; iPlanet web server for the agent. If necessary, shut down and restart the iPlanet web server.
A hacker can select port 443 as a listening port and remain undetected. The hacker can then set up a port redirector without disrupting operations. A port redirector takes traffic coming in on one port and directs it to another host on another port. In this example, the port redirector on the web server takes incoming traffic on port 443 and sends it out to port 3389 on the database server.
Based on the findings in the test phase, enhance network security. For instance, if the testing phase identifies a vulnerability in the web server software, install the appropriate software patch in accordance with the vendor's recommendation.
Besides allowing a standard, secure event-logging protocol, SDEE also guarantees delivery of log messages. SDEE uses TCP for the transport protocol. It is also a pull method, meaning that the monitoring station pulls event logs from the device, just as your web browser pulls information from a web server. Syslog and SNMP, on the other hand, are push methods, meaning that they blindly fire event logs onto the network, without knowing whether they reach their destination.
Some examples will help make the need for multiplexing obvious. The sample network consists of two PCs, labeled Hannah and Jessie. Hannah uses an application that she wrote to send advertisements that display on Jessie's screen. The application sends a new ad to Jessie every 10 seconds. Hannah uses a second application, a wire-transfer application, to send Jessie some money. Finally, Hannah uses a web browser to access the web server that runs on Jessie's PC. The ad application and wire-transfer application are imaginary, just for this example. The web application works just like it would in real life. Multiplexing relies on the use of a concept called a socket. A socket consists of three things: an IP address, a transport protocol, and a port number. So, for a web server application on Jessie, the socket would be (10.1.1.2, TCP, port 80) because, by default, web servers use the well-known port 80. When Hannah's web browser connected to the web...
Mahler, CCNP and CCDA, is the National Wide-Area Network and Network Operations Center manager for the American Cancer Society. Kevin's teams are responsible for designing, deploying, maintaining, and monitoring the networks of the American Cancer Society. He also runs his own Web hosting company where he is trying to find his fortune on the Internet. He is the author of CCNA Training Guide published by New Riders. He also worked as a revision author on the third edition of Internetworking Technologies Handbook from Cisco Press. Kevin ran his own company designing, selling, and installing computer and networking systems for over ten years. Kevin has worked as a programmer, repair technician, networking consultant, database administrator, and Internetworking engineer. Today, he reminisces of when CP/M was king, everyone wanted WordStar, Microsoft was a small company, portable computers weighed just under 45 pounds, and 10 Mbps was a fast network. You can find him on the...
HTTPS provides secure web communication between a browser and a web server that supports the HTTPS protocol. SSL VPN extends this model to allow VPN users to access corporate internal web applications and other corporate application servers that might or might not support HTTPS, or even HTTP. SSL VPN does this by using several techniques that are collectively called reverse proxy technology. A reverse proxy is a proxy server that resides in front of the application servers, normally web servers, and functions as an entry point for Internet users who want to access the corporate internal web application resources. To the external clients, a reverse proxy server appears to be the true web server. Upon receiving the user's web request, a reverse proxy relays the user request to the internal web server to fetch the content on behalf of the users and relays the web content to the user with or without additional processing. Many web server implementations support reverse proxy. One example...
4 Your boss returns from a security convention and advises you that it is a good security practice to run all internal web servers on port TCP 8080 rather than TCP 80 to help secure access to them. How do you respond? 9 In the section on the axiom Everything is a target, you saw the various ways in which a web server could be compromised. Now run through the exercise yourself and list the potential methods an attacker could use to gain access to your internal LAN.
Each line of the ACL is shown, along with a hit counter indicating how many connections or flows (or packets for ICMP) have been matched by that line. This is shown as (hitcnt n) at the end of each ACE. For example, an access list configured to permit inbound HTTP connections to several web servers is shown to have the following contents and hit counters. Now suppose that an object group has been configured to list the web servers with the following commands:
Firewall(config)# object-group network web-servers
Firewall(config-network)# network-object host 192.168.3.16
Firewall(config-network)# network-object host 192.168.3.19
Firewall(config-network)# network-object host 192.168.3.23
Firewall(config-network)# network-object host 192.168.3.231
Firewall(config-network)# network-object host 192.168.3.242
Firewall(config-network)# exit
Firewall(config)# access-list acl_outside permit tcp any object-group web-servers eq www
access-list acl_outside line 1 permit tcp any object-group web-servers eq www...
You can use languages such as Perl, PHP Hypertext Preprocessor (PHP), Python, and more to write your web applications. We have included a sample Python application that you can run on your archive server's web server. Feel free to use this application, marchive.py, which you can access through the Downloads section of this book's product page at http://www.ciscopress.com/title/1587052709. Although it has a simple interface, as Figure A-1 illustrates, it is a nice query tool, and you can use your imagination to customize it nicely.
In addition, the company has been developing and testing its two new NT Web servers on the new Internet segment. These new Web servers need to communicate with the new NT SQL database at the Oak Street office. The Media Group, which is part of the Production department, will complete its testing within one month. With the new Web servers, Ms. Roberts needs to also implement a DNS solution and register a domain name. Ms. Roberts has begun the process of acquiring a domain name in preparation for the Internet access, but she needs to install and secure her DNS servers.
This step estimates the volume of traffic flow from PoP to PoP based on a variety of factors, including customer population distribution and modified access line bandwidth per PoP. Another factor is the presence of co-located applications such as Web servers in the case of a service provider who is also an ASP. The exact procedure for this step varies from network to network. For interstate business IP traffic, a reasonable first approximation might be that 33 percent of traffic will go to Chicago, 22 percent to Washington, 13
Imagine a Web browser displaying a Web page that it received from a Web server. Before that happened, the browser somehow interacted with the software implementing other layers of TCP/IP on the client computer, causing a request to flow to the server. Likewise, the browser application somehow communicated with the Web server application, telling the server what Web page the browser wanted to display. A fancy way to describe these two ideas is interaction between OSI layers. The process of how layers interact on the same computer, as well as how the same layer processes on different computers communicate with each other, is all interrelated. The software or hardware products implementing the logic of some of the OSI protocol layers provide two general functions
Cisco Secure ACS is configured through a web-based application that is called ACS Admin. When you install Cisco Secure ACS, you also install a complete web server to which the ACS Admin site is bound. This web server only operates on port 2002, and it runs as a Windows NT service on the Windows NT version and as an application on the UNIX version. This service is called CSAdmin and can be stopped and started like any other Windows NT service.
Cisco Unified IP Phones access the LDAPv3 directory when the Directory button is pressed. The IP phone responds to the Directory button click by sending an HTTP directory lookup request to the Apache web server on CUCM. The response from CUCM contains Extensible Markup Language (XML) user information objects that the phone displays to the person using the phone. Cisco Unified IP Phones perform user lookups against the embedded CUCM database by default. The directory lookup can be configured to allow the IP phones to access a corporate LDAPv3 directory. The phones would then send their HTTP user lookup requests to an external web server that operates as a proxy to the LDAPv3 server. The user lookup requests are translated into LDAPv3 queries against the corporate directory. The LDAPv3 response is then encapsulated in the appropriate XML objects and sent back to the phones via HTTP.
This case study shows you how to install your own CA. For this case study, use the Windows 2000 server that comes with Microsoft CA software called Certificate Services. Other vendors, such as Netscape, also have certificate servers. All these servers can issue certificates, which can be used on any brand of web server and are accepted by any modern web browser.
To determine if your customer's goals for network efficiency are realistic, you should use a protocol analyzer to examine the current frame sizes on the network. Many protocol analyzers let you output a chart such as the one in Figure 3-7 that documents how many frames fall into standard categories for frame sizes. Figure 3-7 shows packet sizes at an Internet service provider (ISP). Many of the frames were 64-byte acknowledgments. A lot of the traffic was HTTP, which used 1500-byte packets in most cases, but also sent 500- and 600-byte packets. If many webhosting customers had been transferring pages to a web server using a file-transfer or file-sharing protocol, there would have been many more 1500-byte frames. The other traffic consisted of DNS lookups and replies, Simple Mail Transfer Protocol (SMTP), Post Office Protocol (POP), and Address Resolution Protocol (ARP) packets.
Web server: Step 2 The screen shown in Figure 12-12 is displayed. First configure static NAT for the web server. Under the Original section, choose the dmz interface from the drop-down menu, and enter the web server physical IP address (10.10.20.10) as the source. Step 4 Click the Use IP address option, and enter the public address to which the web server will be translated (18.104.22.168).
Server and operating system best practices apply when protecting the Cisco Unified CallManager. Just as with any other critical application, you should make major configuration changes within a maintenance window to avoid the disruption of voice services. However, some standard security policies for application servers might not be adequate for IP telephony servers. For example, on e-mail and web servers, you can easily resend an e-mail message or refresh a web page. On the other hand, voice communications are real-time events. Consequently, your user population will quickly notice any disruption of service.
For years, networking books and training classes taught the 80/20 rule for capacity planning: 80 percent of traffic stays local in departmental LANs, and 20 percent of traffic is destined for other departments or external networks. This rule is no longer universal and is rapidly moving to the other side of the scale. Many companies have centralized servers residing on server farms located on building or campus backbone networks. In addition, corporations increasingly implement intranets that enable employees to access centralized World Wide Web servers using Internet Protocol (IP) technologies. At some companies, employees can access intranet web servers to arrange business travel, search online phone directories, order equipment, and attend distance-learning training classes. The web servers are centrally located, which breaks the
Notice that the web server must wait after sending the third segment because the window is exhausted. When the acknowledgment has been received, another window can be sent. Because there have been no errors, the web client grants a larger window to the server, so now 4000 bytes can be sent before an acknowledgment must be received by the server. In other words, the Window field is used by the receiver to tell the sender how much data it can send before it must stop and wait for the next acknowledgment. As with other TCP features, windowing is symmetrical: both sides send and receive, and in each case the receiver grants a window to the sender using the Window field.
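The exchange described above, as an added simulation that is not part of the book: it assumes 1000-byte segments, an initial 3000-byte window (so the third segment exhausts it) and the 4000-byte window granted by the next acknowledgment, since the page states only the 4000-byte figure.

```python
from dataclasses import dataclass


@dataclass
class Receiver:
    """The web client: acknowledges data and advertises its window."""
    window: int        # bytes the sender may have outstanding right now
    next_window: int   # window granted once a batch arrives error-free
    acked: int = 0     # cumulative bytes acknowledged

    def ack(self, outstanding: int) -> tuple:
        self.acked += outstanding
        self.window = self.next_window  # no errors: grant the larger window
        return ("ack", self.acked, self.window)


def transfer(total: int, seg: int, rcv: Receiver) -> list:
    """Return the ('send', size, outstanding), ('wait', bytes_sent, window)
    and ('ack', acked, window) events of sending `total` bytes."""
    if rcv.window <= 0 or rcv.next_window <= 0:
        raise ValueError("zero-window probing is not modelled here")
    events, sent, outstanding = [], 0, 0
    while sent < total:
        # The sender may only send what the current window still allows.
        size = min(seg, total - sent, rcv.window - outstanding)
        if size == 0:
            # Window exhausted: stop and wait for the acknowledgment.
            events.append(("wait", sent, rcv.window))
            events.append(rcv.ack(outstanding))
            outstanding = 0
            continue
        sent += size
        outstanding += size
        events.append(("send", size, outstanding))
    events.append(rcv.ack(outstanding))  # acknowledgment for the final batch
    return events


if __name__ == "__main__":
    # Assumed figures: 1000-byte segments, 3000-byte window, then 4000 bytes.
    for ev in transfer(7000, 1000, Receiver(window=3000, next_window=4000)):
        print(ev)
```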
Reducing the visibility of the network posture involves reducing the number of services in the public-facing segment of the network to a minimum. This means that if a web server, an SMTP server, an FTP server, and a DNS server are situated in the DMZ of the Corporate Internet module, the only inbound ports open at the edge router are for web, e-mail, FTP, and DNS to those servers. All other ports are blocked with an access control list (ACL). If other hosts exist in the DMZ but access from the outside is not required, no traffic should reach these hosts through the edge router. This concept is shown in Figure 8-1. There are four servers behind the router
In Figure 9-3, the firewall permits any machine on the Internet to connect to the web server on the DMZ. Additionally, the firewall permits all traffic from the DMZ into the internal LAN and permits all traffic from the DMZ to the Internet. Finally, the firewall permits all traffic from the internal LAN going out. An attacker can exploit a vulnerability in the web server to gain access to that host. Once access to the web server in the DMZ is obtained, the attacker can set up port redirection software to redirect traffic so that the traffic connects to the system on the internal LAN. In Figure 9-3, the web server TCP port 80 is redirected to connect to the Telnet port on the internal host. The attacker then connects to the web server on TCP port 80 and is automatically redirected to the Telnet port on the internal host. This allows the attacker to tunnel into the internal LAN through the firewall without violating the firewall policy.
An example of a man-in-the-middle attack is shown in Figure 7-1. Here, the attacker intercepts and establishes a communication link with the web server client on the left in step 1. This can be done by spoofing the IP address of the real web server, WWW, in the client's DNS server in Figure 7-1. When the client queries the DNS server for the IP address of the web server, WWW, the DNS server responds with the IP address of the attacker's host. The attacker's host is running a web server with web pages that are identical, or nearly identical, to the web pages on the real web server, WWW. The client connects to the attacker's web server and inputs their information, as shown in step 2. The attacker's host then connects to the real web server, WWW, establishes a connection, and relays the client information to the server in step 3. The response from the server is then relayed back to the client system in steps 4 and 5.
One of the most widely known targets of an application layer attack is the Microsoft Internet Information Server (IIS) directory traversal vulnerability or UNICODE attack. An attacker who exploits this vulnerability is capable of searching the directories on the server outside of the web root directory. This allows the attacker to view files that they would normally not have access to. It also allows the attacker to exploit certain commands, such as tftp, to further exploit the host. This can all be done through a regular web browser such as Internet Explorer or Netscape. One particular program that was written to use this exploit is called iis-zang, which provides an attacker with a pseudo-command-line interface to the web server. Microsoft provided a patch for this vulnerability in August of 2000 and published Microsoft Security Bulletin MS00-057 regarding this vulnerability.
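A defender-side check for the traversal pattern described above, added here and not taken from the book: it percent-decodes the request path, accepts the overlong two-byte UTF-8 forms that the unpatched IIS accepted, and flags any request whose decoded path climbs above the web root. The log field layout and all log entries are constructed for the example.

```python
import re


def decode_path(uri: str) -> str:
    """Percent-decode the path part of a request URI, also accepting overlong
    two-byte UTF-8 forms (lead byte 0xC0/0xC1), e.g. %c0%af -> '/', %c1%9c -> '\\'."""
    raw = re.sub(rb"%([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]),
                 uri.split("?", 1)[0].encode("ascii", "replace"))
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b) if b < 0x80 else "?")  # other non-ASCII: irrelevant here
            i += 1
    return "".join(out)


def escapes_webroot(uri: str) -> bool:
    """True if the decoded path ever climbs above the document root."""
    depth = 0
    for seg in re.split(r"[/\\]+", decode_path(uri)):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def scan_log(lines):
    """Return (line number, decoded path) for each entry whose request path
    escapes the web root. Assumed layout: date time c-ip method cs-uri-stem sc-status."""
    hits = []
    for n, line in enumerate(lines, 1):
        f = line.split()
        if len(f) >= 5 and f[3] in ("GET", "POST", "HEAD") and escapes_webroot(f[4]):
            hits.append((n, decode_path(f[4])))
    return hits


SAMPLE_LOG = [  # constructed entries, not real traffic
    "2000-10-17 12:00:01 192.0.2.10 GET /scripts/app/../index.asp 200",
    "2000-10-17 12:00:02 192.0.2.10 GET /scripts/..%c0%af..%c0%afoutside.txt 404",
    "2000-10-17 12:00:03 192.0.2.11 GET /..%c1%9cexample.txt 404",
    "2000-10-17 12:00:04 192.0.2.12 GET /images/logo%20v2.png 200",
]
```

A 404 on such a request is not proof the host was patched; the check is on the request pattern, which is what a detection rule should alert on regardless of status code.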
Web servers: Includes the Standard Edition functionality but also protects the web server application and the web server API.
The Standard Edition Agent is leveled for general host use. The Server Edition Agent, however, is aimed at public-facing devices, such as web servers, which require additional levels of security because of increased vulnerabilities.