Web Server Web Site Security
Transcript

  • Web Server and Web Site Security

    Web Server Security

    Demilitarised Zones
    • A DMZ is a network area that sits between an internal network and an external network (generally the Internet).
    • The point of a DMZ is that connections from the internal and the external network to the DMZ are permitted, whereas connections from the DMZ are only permitted to the external network – hosts in the DMZ may not connect to the internal network.

    DMZ and Web Servers
    • Web servers may need to communicate with an internal database to provide some specialised services.
    • Since the database server is not publicly accessible and may contain sensitive information, it should not be in the DMZ.
    • Generally, it is not a good idea to allow the web server to communicate directly with the internal database server.
    • Instead, an application server can be used to act as a medium for communication between the web server and the database server.

    Firewalls
    • A firewall is a piece of hardware/software which functions in a networked environment to protect against communications forbidden by security policies.
    • Firewalls filter information coming from the Internet into your private network or computer system. If an incoming packet is flagged by the firewall's filters, it is not allowed through.
    • Firewalls use one or more of three methods to control traffic flowing in and out of a network.

    Packet filtering
    • A type of service filtering to permit or deny network traffic based on the source, destination, service or protocol of the data packets.

    Proxy Service
    • Information from the Internet is retrieved by the firewall and then sent to the requesting system, and vice versa.

    Stateful Inspection
    • Compares certain key parts of the packet to a database of trusted information.
    • Information travelling from inside the firewall to the outside is monitored for specific defining characteristics, then incoming information is compared to these characteristics.
    • If the comparison yields a reasonable match, the information is allowed through. Otherwise it is discarded.
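The DMZ policy and the stateful-inspection idea above can be modelled together in a few dozen lines. The following is an added example, not code from the slides: a zone-based packet filter whose zone names, address ranges, ports and packet sequence are all constructed for illustration. New connections are judged by a default-deny zone policy (internal to DMZ and external to DMZ allowed, DMZ to external allowed, DMZ to internal denied); replies are admitted only when they match a connection already recorded in the table, which is what "comparing incoming information to the characteristics of outgoing traffic" amounts to in practice.

```python
"""Zone-based packet filter with a stateful connection table (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed zone layout (hypothetical address ranges).
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}


def zone_of(ip: str) -> str:
    """Map an address to a zone; anything not internal or DMZ is external."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


# Stateless policy for NEW connections: (source zone, destination zone) -> allowed.
# Pairs not listed are denied (default deny).
POLICY = {
    ("internal", "dmz"): True,
    ("external", "dmz"): True,
    ("dmz", "external"): True,
    ("internal", "external"): True,
    ("dmz", "internal"): False,      # the rule the slides stress
    ("external", "internal"): False,
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


class StatefulFilter:
    def __init__(self) -> None:
        # Connection table: 5-tuples of flows that were admitted as new connections.
        self._table: set[tuple] = set()

    @staticmethod
    def _key(p: Packet) -> tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> tuple:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def decide(self, p: Packet) -> str:
        """Return 'ALLOW' or 'DENY' for one packet and update the table."""
        # A reply to an established connection matches the reversed tuple.
        if self._reverse_key(p) in self._table:
            return "ALLOW"
        # Otherwise it is a new connection: consult the zone policy.
        if POLICY.get((zone_of(p.src), zone_of(p.dst)), False):
            self._table.add(self._key(p))
            return "ALLOW"
        return "DENY"


def run_demo() -> list[str]:
    """Constructed packet sequence; returns the decision for each packet in order."""
    fw = StatefulFilter()
    packets = [
        Packet("203.0.113.5", "192.0.2.10", 51000, 443),  # external -> DMZ web server
        Packet("192.0.2.10", "203.0.113.5", 443, 51000),  # reply: matches the table
        Packet("192.0.2.10", "10.0.0.20", 44000, 3306),   # DMZ -> internal DB: denied
        Packet("10.0.0.20", "192.0.2.10", 44001, 8080),   # internal -> DMZ: allowed
        Packet("192.0.2.10", "10.0.0.20", 8080, 44001),   # reply to it: allowed by state
        Packet("203.0.113.5", "10.0.0.20", 51001, 22),    # external -> internal: denied
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

Note that the third and fifth packets both travel from the DMZ to the internal network; only the one that is a reply to a connection the internal host opened is admitted, which is the difference between plain packet filtering and stateful inspection.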
    What a firewall protects you from

    Intrusion Detection System
    • An Intrusion Detection System monitors network traffic and logs/notifies against any possibly malicious activity.
    • An IDS is composed of several components:
      • Sensors which generate security events,
      • A console to monitor events and alerts and control the sensors,
      • A central engine that records events logged by the sensors in a database and uses a system of rules to generate alerts from security events received.
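The three IDS components listed above map directly onto code. This is an added example, not from the slides: a sensor that turns constructed log lines into security events, an engine that records them and evaluates two constructed rules (repeated authentication failures from one source within a time window, and a request for an /admin path from outside a hypothetical internal range), and a console that renders the alerts. The log format, thresholds, paths and addresses are all made up for the demonstration.

```python
"""Minimal IDS: sensor -> event store -> rule engine -> console (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Event:
    ts: int        # seconds (constructed values)
    src: str
    kind: str      # e.g. "auth_fail", "http_request"
    detail: str


# Constructed log lines in a simple "ts src kind detail" shape.
SAMPLE_LOG = """\
1000 203.0.113.7 auth_fail user=admin
1005 203.0.113.7 auth_fail user=admin
1009 203.0.113.7 auth_fail user=root
1012 203.0.113.7 auth_fail user=admin
1020 198.51.100.3 http_request GET /index.html
1025 198.51.100.3 http_request GET /admin/config
1030 10.0.0.5 auth_fail user=bob
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (.*)$")


def sensor(raw: str) -> list[Event]:
    """Sensor: parse raw log text into security events; malformed lines are skipped."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, kind, detail = m.groups()
            events.append(Event(int(ts), src, kind, detail))
    return events


class Engine:
    """Central engine: records events and applies rules to produce alerts."""

    def __init__(self, fail_threshold: int = 3, window: int = 60) -> None:
        self.fail_threshold = fail_threshold
        self.window = window
        self.store: list[Event] = []   # stands in for the event database
        self.alerts: list[str] = []

    def ingest(self, ev: Event) -> None:
        self.store.append(ev)
        self._rule_brute_force(ev)
        self._rule_admin_path(ev)

    def _rule_brute_force(self, ev: Event) -> None:
        # Rule 1: threshold auth failures from one source inside the window.
        if ev.kind != "auth_fail":
            return
        recent = [e for e in self.store
                  if e.kind == "auth_fail" and e.src == ev.src
                  and ev.ts - e.ts <= self.window]
        if len(recent) == self.fail_threshold:   # fire once, exactly at the threshold
            self.alerts.append(f"BRUTE_FORCE src={ev.src} failures={len(recent)}")

    def _rule_admin_path(self, ev: Event) -> None:
        # Rule 2: an /admin request from outside the constructed internal range (10.x).
        if (ev.kind == "http_request" and "/admin" in ev.detail
                and not ev.src.startswith("10.")):
            self.alerts.append(f"ADMIN_ACCESS src={ev.src} {ev.detail}")


def console(alerts: list[str]) -> str:
    """Console: render alerts for the operator."""
    return "\n".join(f"[ALERT] {a}" for a in alerts) or "[no alerts]"


def run_ids(raw: str = SAMPLE_LOG) -> list[str]:
    engine = Engine()
    for ev in sensor(raw):
        engine.ingest(ev)
    return engine.alerts


if __name__ == "__main__":
    print(console(run_ids()))
```

The brute-force rule fires once, when the count reaches the threshold, rather than on every further failure; that keeps the console readable, and it is the kind of decision a real rule set has to make explicitly.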
    Web Security Protocols

    Secure Sockets Layer
    • Secure Sockets Layer (SSL) preserves user and content integrity as well as confidentiality, so that communications between a client and the Web server containing sensitive data, such as passwords or credit card information, are protected.
    • SSL is based on a public key security protocol that protects communications by encrypting data before it is transmitted.

    Secure HTTP
    • If you have used the Web, you have probably noticed that URLs for most Web pages begin with the HTTP prefix, which indicates that the request will be handled on TCP/IP port 80 using the HTTP protocol.
    • When Web page URLs begin with the prefix HTTPS, they require that their data be transferred from server to client and vice versa using SSL encryption.
    • HTTPS uses TCP port number 443, rather than port 80.
    • Once an SSL connection has been established between a Web server and client, the client's browser indicates this by showing a padlock in the lower-right corner of the screen.

    Web Site Security

    Common Gateway Interface

    What is a Common Gateway Interface?
    • The Common Gateway Interface (CGI) is a standard protocol for interfacing external application software with an information server, commonly a Web Server.
    • "CGI Scripts are essential software programs. CGI scripts link servers and software and servers and other resources such as databases. These scripts are themselves small servers and this can create problems in making information too available. The problem with CGI scripts is that each one creates opportunities for exploitable bugs. Therefore, it is essential that business organisations ensure the security of not only servers but also the CGI scripts that link their servers to other resources used in the business."
      (2003, Lawrence, E., et al.)
    Web Form Validation

    Why do we need to validate?
    • When working with web forms, often you will have the data being placed into a database of some form.
    • You want to ensure that the correct data is going into the fields set in the tables.
    • You don't want alphanumeric characters going into fields that require numeric characters only.
    • Some fields might require specific information to be entered in a specific format, for example email addresses.
    • You will want your email addresses to be validated correctly, and that is based on the username@domain.com standard.
    • Web Form Validation can take place on two fronts: Client Side and Server Side.
    • Client Side Validation will often be done with JavaScript, whilst Server Side validation would be performed with a server side language such as PHP or ASP.
    • There are other reasons you would validate your web forms, and that is due to vulnerabilities.
    • One such vulnerability which can leave you open to attack is SQL Injection.
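A server-side validator that covers the two checks the slides ask for, numeric-only fields and email addresses in username@domain form, looks like the following. It is an added example, not from the slides; the field names, the length limits and the submitted values are constructed, and the email pattern is a deliberately simple username@domain.tld shape rather than the full address grammar. It reports every error at once so the form can be redisplayed with messages, and it rejects fields the form never declared instead of storing them silently.

```python
"""Server-side web form validation (added example)."""
from __future__ import annotations

import re

# username@domain.tld: a bounded, intentionally simple pattern (not full RFC 5322).
EMAIL_RE = re.compile(
    r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$"
)
DIGITS_RE = re.compile(r"^[0-9]+$")

# Constructed field specification: name -> (type, required, max_len)
FIELDS = {
    "yourname": ("text", True, 50),
    "age": ("integer", True, 3),
    "email": ("email", True, 254),
    "quantity": ("integer", False, 5),
}


def validate_form(form: dict[str, str]) -> dict[str, str]:
    """Return field name -> error message; an empty mapping means the form is valid."""
    errors: dict[str, str] = {}
    for name, (ftype, required, max_len) in FIELDS.items():
        value = (form.get(name) or "").strip()
        if not value:
            if required:
                errors[name] = "required"
            continue
        if len(value) > max_len:
            errors[name] = f"longer than {max_len} characters"
            continue
        if ftype == "integer" and not DIGITS_RE.match(value):
            errors[name] = "must contain digits only"
        elif ftype == "email" and not EMAIL_RE.match(value):
            errors[name] = "must be in username@domain form"
    # Anything the form did not declare is an error, not something to store.
    for extra in form.keys() - FIELDS.keys():
        errors[extra] = "unexpected field"
    return errors


def coerce(form: dict[str, str]) -> dict[str, object]:
    """After validation passes, give integer fields their real type for the database layer."""
    out: dict[str, object] = {}
    for name, (ftype, _, _) in FIELDS.items():
        value = (form.get(name) or "").strip()
        if not value:
            continue
        out[name] = int(value) if ftype == "integer" else value
    return out


if __name__ == "__main__":
    good = {"yourname": "Ann", "age": "34", "email": "ann@example.com"}
    bad = {"yourname": "", "age": "34a", "email": "ann@localhost", "debug": "1"}
    print(validate_form(good))   # {}
    print(validate_form(bad))
    print(coerce(good))
```

The same rules can be duplicated in JavaScript for a quicker response in the browser, but the server-side run is the one that decides what reaches the database, since the browser-side checks can be skipped by any client that does not run them.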
    SQL Injection

    What is SQL Injection?
    • SQL Injection is a technique that exploits a security vulnerability occurring in the database layer of an application.
    • The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements, or user input is not strongly typed and is thereby unexpectedly executed.
    • It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.
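Both conditions named above, an unescaped string literal and an untyped value in a numeric position, can be shown side by side with their fix. This is an added example, not from the slides: it uses Python's sqlite3 with an in-memory table of constructed rows. The vulnerable functions splice the form value into the statement text; the fixed ones pass it as a bound parameter, and for the numeric case convert it to an integer first, so the database never parses user input as SQL.

```python
"""SQL injection: string-built query beside its parameterised fix (added example)."""
from __future__ import annotations

import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "ann", "ann@example.com"),   # constructed sample rows
        (2, "bob", "bob@example.com"),
        (3, "eve", "eve@example.com"),
    ])
    return conn


# --- vulnerable: the form value becomes part of the statement text ----------

def find_by_name_vulnerable(conn: sqlite3.Connection, name: str) -> list[tuple]:
    # A quote character in `name` ends the string literal early.
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_by_id_vulnerable(conn: sqlite3.Connection, user_id: str) -> list[tuple]:
    # "Not strongly typed": the raw form string lands in a numeric position.
    sql = f"SELECT id, name FROM users WHERE id = {user_id}"
    return conn.execute(sql).fetchall()


# --- fixed: the value travels as a bound parameter, and numbers are typed ----

def find_by_name_fixed(conn: sqlite3.Connection, name: str) -> list[tuple]:
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


def find_by_id_fixed(conn: sqlite3.Connection, user_id: str) -> list[tuple]:
    try:
        uid = int(user_id)          # enforce the type before the query runs
    except ValueError:
        return []                   # reject rather than guess
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (uid,)
    ).fetchall()


def compare(name_input: str, id_input: str) -> dict[str, int]:
    """Row counts each variant returns for the same two form inputs."""
    conn = make_db()
    return {
        "name_vulnerable": len(find_by_name_vulnerable(conn, name_input)),
        "name_fixed": len(find_by_name_fixed(conn, name_input)),
        "id_vulnerable": len(find_by_id_vulnerable(conn, id_input)),
        "id_fixed": len(find_by_id_fixed(conn, id_input)),
    }


if __name__ == "__main__":
    # Ordinary input: all four variants agree on one row.
    print(compare("bob", "2"))
    # Input containing a string-literal quote, and an untyped expression:
    # the vulnerable queries return every row, the fixed ones return none.
    print(compare("x' OR '1'='1", "1 OR 1=1"))
```

The fixed versions do not try to filter quote characters out of the input; they remove the need to, because a bound parameter is handed to the database as data, separately from the statement it belongs to.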
    Cross-Site Scripting

    What is Cross-Site Scripting?

    Preventing Cross-Site Scripting
    • You have to be careful when you display data entered by a user on a web page, because malicious users can include HTML tags and JavaScript in their input in an attempt to trick other users who might view that information into doing something they might not want to do, such as entering their password to your site and submitting it to another site.
    • In order to prevent malicious users from doing that sort of thing, PHP includes the htmlspecialchars() function, which automatically encodes any special characters in a string so that they are displayed on a page rather than letting the browser treat them as markup.
    • Or, if you prefer, you can use htmlentities(), which encodes all of the characters that are encoded by htmlspecialchars() plus any other characters that can be represented as entities.
    • In the preceding example, you'd really want to write the script that displays the user's name like this:
      <p>Hello <?= htmlspecialchars($_POST['yourname']) ?> Thanks for visiting.</p>
    • That prevents the person who submitted the data from launching a successful cross-site scripting attack.
    • If you prefer, you can also use the strip_tags() function, which just removes all the HTML tags from a string.
    • Finally, if your form is submitted using the POST method, you should refer to the parameters using $_POST rather than $_REQUEST, which also helps to avoid certain types of attacks by ignoring information appended to the URL via the query string.
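The output-encoding step the slides describe with PHP's htmlspecialchars() is shown below in Python, as an added example that is not from the slides. Python's html.escape stands in for htmlspecialchars() (with quote=True it also encodes both quote characters, as htmlspecialchars does with ENT_QUOTES), and a small regex-based strip_tags() approximates PHP's strip_tags() so the two approaches can be compared. The greeting template mirrors the slide's `<p>Hello ... Thanks for visiting.</p>`; the submitted values are constructed.

```python
"""Output encoding of user input before it is placed in HTML (added example)."""
from __future__ import annotations

import html
import re


def render_greeting(yourname: str) -> str:
    """Python counterpart of: <p>Hello <?= htmlspecialchars($_POST['yourname']) ?> Thanks for visiting.</p>"""
    return f"<p>Hello {html.escape(yourname, quote=True)} Thanks for visiting.</p>"


def render_greeting_unsafe(yourname: str) -> str:
    """The defect being fixed: the raw value interpolated into the page (comparison only)."""
    return f"<p>Hello {yourname} Thanks for visiting.</p>"


def render_attribute(value: str) -> str:
    """Input echoed back inside an attribute; quote=True keeps it from ending the quoted value."""
    return f'<input type="text" name="yourname" value="{html.escape(value, quote=True)}">'


TAG_RE = re.compile(r"<[^>]*>")


def strip_tags(s: str) -> str:
    """Rough analogue of PHP's strip_tags(): removes tag-shaped runs.

    Unlike escaping, this throws the user's tags away rather than displaying them,
    and in this approximation a '<' that is never closed by '>' passes through
    untouched, so escaping is the more predictable default.
    """
    return TAG_RE.sub("", s)


if __name__ == "__main__":
    submitted = "<script>alert(1)</script>"          # constructed hostile value
    print(render_greeting_unsafe(submitted))          # markup reaches the browser
    print(render_greeting(submitted))                 # displayed as text instead
    print(render_attribute('Ann "the" <b>Boss</b>'))  # quotes encoded as &quot;
    print(strip_tags("Ann <b>Boss</b>"))              # tags removed: "Ann Boss"
    print(strip_tags("2 < 3"))                        # unclosed '<' survives
```

Encoding at the point of output is the step that matters: the value can be stored exactly as the user typed it, and each place that displays it applies the encoding appropriate to where it lands (text, or a quoted attribute).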