Guidelines on Securing Public Web Servers
Source and destination port numbers
Network protocol used by attack.
Be patched to the latest or most secure level (firewall application and underlying
operating system).
Most firewall devices available in hardware and software perform some type of logging of the
traffic they receive. For most firewalls, the default logging configuration is suitable, provided
logging is enabled. Administrators should consult their vendor documentation if they believe
they require additional information logged. Certain brands of hardware-based firewalls
include an ability to track and log information for each firewall policy. This ability enables
accountability at a very fine granularity.
One common feature that is available in many firewalls is the ability to selectively decide what
information to log. If a firewall receives a series of similar packets from the same location it
may decide not to log any additional packets after the first one. Although this is a valuable
feature, consider the consequences: each packet that is dropped and not logged is potential
evidence of a malicious intent. The principle of logging, which is a fundamental aspect of
accountability, is discussed in greater detail in Section 9.1.
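As an added illustration (not part of the NIST document), the following Python compares the suppression behavior described above with a variant that keeps a per-flow counter, so that the number of similar packets is still recorded. All packet data is constructed for the example, and the "similar packet" key (same source address, destination address, destination port, protocol and verdict) is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed record holding the fields the page says a firewall should log
# (source/destination ports, protocol) plus addresses and the verdict.
@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    action: str  # "drop" or "accept"

def flow_key(p):
    """Assumed definition of 'similar packets from the same location'."""
    return (p.src_ip, p.dst_ip, p.dst_port, p.proto, p.action)

def fmt(p):
    return f"{p.action.upper()} {p.proto} {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port}"

def suppress_only(packets):
    """Suppression as the page describes it: the first packet of a flow is
    logged and later similar packets are silently discarded. The repeat
    count, and with it the evidence of a sustained probe, is lost."""
    seen, entries = set(), []
    for p in packets:
        k = flow_key(p)
        if k not in seen:
            seen.add(k)
            entries.append(fmt(p))
    return entries

def suppress_with_counts(packets):
    """Same log volume, but a per-flow counter is kept so the summary line
    still records how many similar packets were seen."""
    first, counts = {}, defaultdict(int)
    for p in packets:
        k = flow_key(p)
        counts[k] += 1
        first.setdefault(k, p)
    return [fmt(p) + (f" (repeated {counts[k]} times)" if counts[k] > 1 else "")
            for k, p in first.items()]

# Constructed traffic: 500 dropped telnet probes from one source (ephemeral
# source ports vary, as in a real scan), followed by a single SSH probe.
SAMPLE = [Packet("203.0.113.7", 40000 + i, "192.0.2.10", 23, "tcp", "drop")
          for i in range(100)] * 5
SAMPLE.append(Packet("203.0.113.7", 40100, "192.0.2.10", 22, "tcp", "drop"))
```

Both loggers emit two lines for the 501 constructed packets; only the counting variant preserves the fact that the telnet flow was seen 500 times.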
As with operating systems and other security-enforcing elements, a firewall may not
necessarily be perfect; it may require updates. Although more prevalent in software
implementations of firewall technology, hardware and router firewalls also support updates
to their firmware. Specific instructions on how to update a firewall are found within the
vendor documentation. Administrators should check for firewall updates at least once a week.
8.2.2 Intrusion Detection Systems
An IDS is an application that monitors system and network resources and activities and, using
information gathered from these sources, notifies the network administrator and/or appropriate
security personnel when it identifies a possible intrusion or penetration attempt.[32]
The two principal types of IDSs are host-based and network-based. Host-based IDSs must be
installed on each individual computer system that is to be monitored or protected. Host-based
IDSs are very closely integrated with the operating system they protect. Thus, a host-based
IDS must be designed specifically for each operating system. These types of IDSs monitor
network traffic to and from the host, the use of system resources, and the system log files.
Host-based IDSs are useful when most of the network traffic to and from the Web server is
encrypted (e.g., when SSL/TLS is in use [see Section 7.5]) because the functionality and
capability of network-based IDSs (see below) is severely limited when network traffic is
encrypted. Furthermore, because host-based IDSs are located on the server, they can detect
some attacks and penetration attempts not recognized by network-based IDSs.
Host-based IDSs can have a negative effect on host performance. In general, the greater the
detection capabilities, the greater the negative impact on the performance of the host. Host
[32] For more information about IDSs see NIST Special Publication 800-31, Intrusion Detection Systems (http://csrc.nist.gov/publications/nistpubs/index.html).