In this chapter, we’ll look at the basics of web security. We’ll discuss the risks of running a web server on the Internet and give you a framework for understanding how to defend against those risks. We’ll also look at the hype surrounding web security, analyze what companies (probably) mean when they use the phrase “secure web server,” and discuss overall strategies for reducing the risks of operating a site and publishing information on the World Wide Web.
Using this definition, web security is a set of procedures, practices, and technologies for protecting web servers, web users, and their surrounding organizations. Security protects you against unexpected behavior.
Why should web security require special attention apart from the general subject of computer and Internet security? Because the Web is changing many of the assumptions that people have historically made about computer security and publishing:
The Internet is a two-way network. As the Internet makes it possible for web servers to publish information to millions of users, it also makes it possible for computer hackers, crackers, criminals, vandals, and other “bad guys” to break into the very computers on which the web servers are running. Those risks don’t exist in most other publishing environments, such as newspapers, magazines, or even “electronic” publishing systems involving teletext, voice-response, and fax-back.
The World Wide Web is increasingly being used by corporations and governments to distribute important information and conduct business transactions. Reputations can be damaged and money can be lost if web servers are subverted.
Although the Web is easy to use, web servers and browsers are exceedingly complicated pieces of software, with many potential security flaws. Many times in the past, new features have been added without proper attention being paid to their security impact. Thus, properly installed software may still pose security threats.
Once subverted, web browsers and servers can be used by attackers as a launching point for conducting further attacks against users and organizations.
Unsophisticated users will be (and are) common users of WWW-based services. The current generation of software calls upon users to make security-relevant decisions on a daily basis, yet users are not given enough information to make informed choices.
It is considerably more expensive and more time-consuming to recover from a security incident than to take preventative measures ahead of time.
The World Wide Web is the fastest growing part of the Internet. Increasingly, it is also the part of the Internet that is most vulnerable to attack.
Web servers are an organization’s public face to the Internet and the electronic world. A successful attack on a web server is a public event that may be seen by hundreds of thousands of people within a matter of hours. Attacks can be mounted for ideological or financial reasons; alternatively, they can simply be random acts of vandalism.
Many web servers are involved with commerce and money. Indeed, the cryptographic protocols built into Netscape Navigator and other browsers were originally placed there to allow users to send credit card numbers over the Internet without fear of compromise. Web servers have thus become a repository for sensitive financial information, making them an attractive target for attackers. Of course, the commercial services on these servers also make them targets of interest.
Organizations are using web technology as an easy way to distribute information both internally, to their own members, and externally, to partners around the world. This proprietary information is a target for competitors and enemies.
Because they are used by people both inside and outside an organization, web servers effectively bridge an organization’s internal and external networks. Their position of privileged network connectivity makes web servers an ideal target for attack, as a compromised web server may be used to further attack computers within an organization.
Unfortunately, the power of web technology makes web servers and browsers especially vulnerable to attack as well:
By their very nature, web servers are designed to be extensible. This extensibility makes it possible to connect web servers with databases, legacy systems, and other programs running on an organization’s network. If not properly implemented, modules that are added to a web server can compromise the security of the entire system.
Because web technology is based on the TCP/IP family of protocols, it is subject to disruption of service: either accidentally or intentionally through denial-of-service attacks. People who use this technology must be aware of its failings and prepare for significant service disruptions.
Web browsers require external services such as DNS (Domain Name Service) and IP (Internet Protocol) routing to function properly. The robustness and dependability of those services may not be known and can be vulnerable to bugs, accidents, and subversion. Subverting a lower-level service can result in problems for the browsers as well.
The explosive growth of WWW and electronic commerce has been driven by (and drives) a frenetic pace of innovation and development. Vendors are releasing new software features and platforms, often with minimal (or no) consideration given to proper testing, design, or security. Market forces pressure users to adopt these new versions with new features to stay competitive. However, new software may not be compatible with old features or may contain new vulnerabilities unknown to the general population.
The solution to these problems is not to forsake web technology but to embrace both the limitations and the appropriate security measures. However, it is also important to understand the limits of any system and to plan accordingly for failure and accident.
This book assumes that you are familiar with the basics of the Internet and the World Wide Web. However, because a variety of different terms have been used by authors to denote more or less the same systems, this section will briefly elucidate the terms used in this book.
A computer network is a collection of computers that are physically and logically connected together to exchange information. A Local Area Network, or LAN, is a network in which all of the computers are physically connected to short (up to a few hundred meters) segments of Ethernet, or token ring, or are connected to the same network hub. A Wide Area Network, or WAN, is a network in which the computers are separated by considerable distance, usually miles, sometimes thousands of miles. An internetwork is a network of computer networks. The largest internetwork in the world today is the Internet, which has existed in some form since the early 1970s and is based on the IP (Internet Protocol) suite.
Information that travels over the Internet is divided into compact pieces called packets . The way that data is divided up and reassembled is specified by the Internet Protocol. User information can be sent in streams using the Transmission Control Protocol (TCP/IP) or as a series of packets using the User Datagram Protocol (UDP). Other protocols are used for sending control information.
Computers can be connected to one or more networks. Computers that are connected to at least one network are called hosts . A computer that is connected to more than one network is called a multi-homed host . If the computer can automatically transmit packets from one network to another, it is called a gateway . A gateway that examines packets and determines which network to send them to next is functioning as a router . A computer can also act as a repeater, by forwarding every packet appearing on one network to another, or as a bridge , in which the only packets forwarded are those that need to be. Firewalls are special kinds of computers that are connected to two networks but selectively forward information. There are fundamentally two kinds of firewalls. A packet-filtering firewall decides packet-by-packet whether a packet should be copied from one network to another. Firewalls can also be built from application-level proxies, which operate at a higher level. Because they can exercise precise control over what information is passed between two networks, firewalls are thought to improve computer security.
Most Internet services are based on the client/server model. Under this model, one program requests service from another program. Both programs can be running on the same computer or, as is more often the case, on different computers. The program making the request is called the client; the program that responds to the request is called the server. Often, the words “client” and “server” are used to describe the computers as well, although this terminology is technically incorrect. Most client software tends to be run on personal computers, such as machines running the Windows 95 or MacOS operating system. Most server software tends to run on computers running the UNIX or Windows NT operating system. But these operating system distinctions are not too useful because both network clients and servers are available for all kinds of operating systems.
The World Wide Web was invented in 1990 by Tim Berners-Lee while at the Swiss-based European Laboratory for Particle Physics (CERN). The Web was envisioned as a way of publishing physics papers on the Internet without requiring that physicists go through the laborious process of downloading a file and printing it out. Developed on NeXT computers, the Web didn’t really gain popularity until a team at the University of Illinois at Champaign-Urbana wrote a web browser called Mosaic for the Macintosh and Windows operating systems. Jim Clark, a successful Silicon Valley businessman, realized the commercial potential for the new technology and started a company called Mosaic Communications to commercialize it. Clark asked Mark Andreessen, head of the original Mosaic development team, to join him. The company created a web browser called Mozilla, but soon renamed Netscape. Soon Clark’s company was renamed Netscape Communications and the web browser was renamed Netscape Navigator.
Information is displayed on the World Wide Web as a series of pages . Web pages are written in the HyperText Markup Language (HTML). The pages themselves are usually stored on dedicated computers called web servers. The term web server is used interchangeably to describe the computer on which the web pages reside and the program on that computer that receives network requests and transmits HTML files in response. Web pages are requested and received using messages formatted according to the HyperText Transport Protocol (HTTP).
Besides transmitting a file, a web server can run a program in response to an incoming web request. Originally, these programs were invoked using the Common Gateway Interface (CGI). Although CGI makes it simple to have a web server perform a complicated operation, such as performing a database lookup, it is not efficient because it requires that a separate program be started for each incoming web request. A more efficient technique is to have the web server itself perform the external operation. A variety of Application Programmer Interfaces (APIs), such as the Netscape API (NSAPI), are now available to support this function.
The computer that hosts the web server may run other programs, such as mail servers, news servers, or DNS servers. They may even support interactive logins, although this is not a good idea from a security point of view.
Web technology was originally built for deployment on the worldwide Internet. Between 1995 and 1996, companies including Netscape realized that a much larger market for their products—at least initially—was companies that wanted to use the Web for publishing information and making services available for their own employees. These organizational networks that are cut off from the outside world are called intranets , a term that reflects the fact that they are intended to be used within an organization, rather than between organizations.
A virus is a malicious computer program that makes copies of itself and attaches those copies to other programs. A worm is similar to a virus, except that it sends copies of itself to other computers, where they run as standalone programs. A Trojan horse is a program that appears to have one ubiquitous function, but actually has a hidden malicious function. For instance, a program that claims to be an address book, but actually reformats your hard drive when you run it, is a kind of Trojan horse.
In recent years, the phrase “secure web server” has come to mean different things to different people:
For the software vendors that sell them, a secure web server is a program that implements certain cryptographic protocols, so that information transferred between a web server and a web browser cannot be eavesdropped upon.
For users, a secure web server is one that will safeguard any personal information that is received or collected. It’s one that supports their privacy and won’t subvert their browser to download viruses or other rogue programs onto their computer.
For a company that runs one, a secure web server is resistant to a determined attack over the Internet or from corporate insiders.
A secure web server is all of these things, and more. It’s a server that is reliable. It’s a server that is mirrored or backed up, so in the event of a hardware or software failure it can be reconstituted quickly. It’s a server that is expandable, so that it can adequately service large amounts of traffic.
Unfortunately, when vendors use the phrase “secure web server,” they almost always are referring to a World Wide Web server that implements certain cryptographic protocols. These protocols allow web browsers and servers to exchange information without the risk of eavesdropping by parties with access to the messages in between. Such encryption is widely regarded as a prerequisite for commerce on the Internet.
As we’ll see in this book, while cryptographic protocols are certainly useful for protecting information that is sent over the Internet from eavesdropping, they are not strictly necessary for web security, nor are they sufficient to ensure it. That’s why we’ll use the term cryptographically enabled web server, rather than “secure web server,” to describe a web server that implements the cryptographic protocols. To understand this distinction, consider an analogy that Gene Spafford has been using for the last few years:
“Secure” web servers are the equivalent of heavy armored cars. The problem is, they are being used to transfer rolls of coins and checks written in crayon by people on park benches to merchants doing business in cardboard boxes from beneath highway bridges. Further, the roads are subject to random detours, anyone with a screwdriver can control the traffic lights, and there are no police.
As we’ll see, web security requires far more than protection against simple eavesdropping.
 Firewall construction is difficult to get right. Furthermore, organizations often forget about internal security after a firewall is installed. Thus, many firewalls only provide the illusion of better security, and some organizations may actually be less secure after a firewall is installed.