[3330] in WWW Security List Archive
RE: www web security !
daemon@ATHENA.MIT.EDU (Alex Filacchione)
Tue Oct 22 15:03:34 1996
From: Alex Filacchione <alexf@iss.net>
To: "'John Cronin'" <John.Cronin@oit.gatech.edu>
Cc: "BZH01572@niftyserve.or.jp" <BZH01572@niftyserve.or.jp>,
"joang@lix.intercom.es" <joang@lix.intercom.es>,
"pyb@cadrus.fr"
<pyb@cadrus.fr>,
"www-security@ns2.rutgers.edu"
<www-security@ns2.rutgers.edu>
Date: Tue, 22 Oct 1996 12:15:59 -0400
Errors-To: owner-www-security@ns2.rutgers.edu
->
->Why should you not put your web server BEHIND a firewall? It opens up
your
->internal network (it provides a path through your firewall. All someone
->needs to do is compromise your webserver, not your firewall then)
I would not put it behind the firewall if it was intended primarily for
EXTERNAL use
[SNIP]
. If possible, I would put it on
it's own subnet, or perhaps with the firewall.
=-=-=-
I am assuming that the web server is for external use. If you are dealing
with a one machine firewall (packet filter), then I would put the web
server on the outside. If you are dealing with something more along the
lines of a "bootstrap" firewal where you have 3 machine set up like so:
Internet<->Packet filter<->Proxy Server<->Packet Filter<->Internal net
I would put the web server on a separate subnet off of the proxy server.
This way if someone *does* compromise the web server, they still have to
go through the proxy server and a second packet filter to get inside, the
web server is protected by the initial packet filtering gateway router, and
because it is subnetted off, sniffers installed on that machine will do no
good. I'm sure that probably 90% of the firewalls out there are one
machine firewalls (my own made up statistic) and not "bootstrap" firewalls.
=-=-=-=-=-
->Don't leave compilers lieing (sp?) around. If you need to use one,
install
->it via a console log-in, and then delete it.
Or compile on another machine, and then tar up the needed files and
transfer
them to the web server.
=-=-=-=-
Well, this is just in case the web server is an OS that the internal net is
not using. An ISP that I worked for once upon a time (I did not web or
security work for them, btw) had internal Suns and linux boxes, but the web
server was running Free BSD or BSDI or something.
=-=-=-=-
I got the demo version at Networld+InterOp.
[SNIP]
This is not a criticism of the software. However,
you cannot rely on a port scanner alone. I know for a fact that the
version
of sendmail I was running at the time had the usual buffer overflow
problems,
and the ISS Web Security Scanner did not detect that. I did not really
expect it to, as my version of sendmail was quite recent, and the CERT
bulletins etc had just gone out. (Sendmail 8.7.5, for those who are
curious).
=-=-=-=-=-
Relying on a port scanner alone would be foolish. It does, however, help a
great deal in finding things that you might have otherwise missed. Taking
the same route that an attacker might is always prudent, if only for
scanning "just in case" you missed something.
Re: Sendmail. The latest, 8.8, is vulnerable. The vulnerability was
posted to bugtraq and BoS on the 17th. I believe that we are working on
adding this test to our latest version of the Intranet Scanner software (I
don't know off-hand when you will be able to download a version that will
include this check, though. Check the web site periodically).
We are trying to add new bugs as they come out. We can't get every one,
but we generally release new versions with new bug checks after a number of
bugs have been added (say 4 or 5) so we don't have to add new versions to
the web site every other day!
Later,
Alex F
alexf@iss.net
webmaster/security training
