Firewall Wizards mailing list archives
Re: WWW protectors
From: mcnabb () argus-systems com (Paul McNabb)
Date: Fri, 6 Mar 1998 14:35:27 -0600
From: "Marcus J. Ranum" <mjr () nfr net>

>I'm looking for pointers to packages that protect web servers.
>So far I've found:

The question to me is "how do they protect the web server?" One of the ways a web server gets broken into is through stupid flaws in CGI-bin scripts. There's not a good way for an externally developed engine to know about all the stupid CGI-flaws the end user might invent.

Another way web servers get broken into is through buggy code in the http daemon. This is unfortunate, since you NEED something serving web, and that's a main point of attack.

Trusted operating systems (CMWs, etc) can help prevent the web server software from letting an attacker gain access to the whole system, but unless it's set up carefully they may be able to gain access to the web pages and alter them.
HP's Virtual Vault and Argus's Gibraltar (for Solaris) are both designed to do exactly this. They both use B1 features to force CGI scripts and other applications to run in a different environment than the webserver itself. With these products, the web pages can be read-only for both the web server and the CGI scripts, and you can completely isolate the webserver and CGI environments from each other and from the rest of the system (including the ability to send signals, use specific network interfaces, use IPC mechanisms, access storage devices, etc.). Both VV and Gibraltar remove the superuser/root functionality of standard Unix.

VV and Gibraltar are the basis for providing secure internet transaction web sites, where the outside and inside of a webserver have to be protected from each other. Both are marketed to banking and securities companies as well as to any company needing to build a very secured host connected to multiple networks.

All of the other B1-type security systems I'm aware of are designed to provide the *tools* to do this, but do not integrate the webserver fully into the environment (VV and Gibraltar supply modified web servers) and do not preconfigure the whole thing for commercial installation and use, and do not automate the separation into various compartments for the different applications and net services.

paul

---------------------------------------------------------
Paul McNabb                    Argus Systems Group, Inc.
Vice President and CTO         1809 Woodfield Drive
mcnabb () argus-systems com    Savoy, IL 61874 USA
TEL 217-355-6308
FAX 217-355-1433               "Securing the Future"
---------------------------------------------------------
Current thread:
- WWW protectors Mark Le Vea (Mar 06)
- Re: WWW protectors Marcus J. Ranum (Mar 06)
- Re: WWW protectors Bennett Todd (Mar 06)
- Re: WWW protectors Aleph One (Mar 06)
- <Possible follow-ups>
- Re: WWW protectors Paul McNabb (Mar 06)
- RE: WWW protectors firstcat (Mar 06)