Firewall Wizards mailing list archives
Re: Re: Anti-Defacement Products...
From: Paul McNabb <mcnabb () argus-systems com>
Date: Tue, 28 Mar 2000 14:09:59 -0600 (CST)
Starkey, Kyle wrote:
I was thinking about defacement the other day and how to help automate a response to this type of activity. I understand that host based security and network based security is the key, but what about response? I am looking for a product that could be used to make sure the page being displayed was the real page. Thoughts of encrypting the page/code to get a hash and storing it somewhere inside the enterprise, periodically the webserver re-calcing the hash on the page stored locally and running a check against the stored copy secured in a box on the inside. I would also envision the automatic posting of the original source back to the webserver and alerts being generated to the security officer if the two hashes did not match. Does anyone know of any product that does something similar? I was hoping not to have to build this from scratch, but perhaps it will be my little project. Any thoughts about this project or software that might already do this for me would be greatly appreciated...
1. Use a TOS to create 3 virtual machines: one for the webserver process, one for the webpages, and one for administration. Make the webpages VM read-only from the webserver VM.

2. Move all admin utilities into the admin VM.

3. Put the internet network interface in the webserver VM, and put the internal LAN network interface into the admin VM. If you want, you can pick certain hosts or subnets on the internal LAN to be in the admin VM and send all other internal hosts to the webserver VM.

4. Use the packet filtering part of the TOS to prevent the webserver, or anything that is coming from the Internet from ever contacting the admin VM and from ever modifying the webpages VM. Note: this will hold true no matter what machine instructions are executed in the VM, so you can open up other services (like ftp or telnet) if you want. Or, you could put these other services in their own VMs.

5. Use the integrity mechanism of the TOS to verify checksums and security attributes of the webpage files. This can be run automatically at any interval you need. If you want to be really paranoid, set up another VM for logging and auditing and run everything from that. Make the other VMs visible to the logging VM, but not the other way around. Use the packet filtering on the TOS to limit access to the logging VM to a single host somewhere, preferably protected via a VPN and on the internal LAN.

6. If this is a host with a single network interface, use virtual IFs to set up the system so that each VM has its own virtual network IF and give each service and VM its own IP address on the box.

paul

---------------------------------------------------------
Paul A. McNabb, CISSP            Argus Systems Group, Inc.
Senior Vice President and CTO    1809 Woodfield Drive
mcnabb () argus-systems com      Savoy, IL 61874 USA
TEL 217-355-6308
FAX 217-355-1433
"Securing the Future"
---------------------------------------------------------
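The hash-compare-and-repost loop asked about in the quoted message, together with the checksum and attribute check of step 5, as an added example that is not part of either post and is not the integrity mechanism of any TOS or product. SHA-256, the function names and the master/docroot directory layout are assumptions; the baseline manifest and master copy are meant to live on the protected side, out of the webserver's reach.

```python
import hashlib, os, shutil, tempfile
from pathlib import Path

def fingerprint(path):
    """Return (SHA-256 hex digest, permission bits) for one file."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest(), os.stat(path).st_mode & 0o7777

def build_manifest(root):
    """Map each file's path relative to root to its fingerprint."""
    return {os.path.relpath(os.path.join(d, n), root): fingerprint(os.path.join(d, n))
            for d, _, names in os.walk(root) for n in names}

def audit(docroot, baseline):
    """Compare the live docroot with the baseline manifest."""
    live, findings = build_manifest(docroot), {}
    for rel in baseline.keys() | live.keys():
        if rel not in live:
            findings[rel] = "missing"
        elif rel not in baseline:
            findings[rel] = "unexpected"      # file planted after the baseline
        elif live[rel] != baseline[rel]:
            findings[rel] = "modified"        # content or permissions changed
    return findings

def restore(docroot, master, findings):
    """Repost trusted copies over tampered files and remove planted ones."""
    for rel, finding in findings.items():
        target = os.path.join(docroot, rel)
        if finding == "unexpected":
            os.remove(target)
        else:
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(os.path.join(master, rel), target)

def demo():
    """Constructed scenario: alter one page, plant a file, audit, restore."""
    work = Path(tempfile.mkdtemp())
    master, docroot = work / "master", work / "docroot"
    master.mkdir()
    (master / "index.html").write_text("<h1>Welcome</h1>")   # constructed page
    shutil.copytree(master, docroot)
    baseline = build_manifest(master)         # stored on the protected side
    (docroot / "index.html").write_text("<h1>changed</h1>")  # simulated tampering
    (docroot / "extra.html").write_text("planted")
    findings = audit(docroot, baseline)       # alerting would hook in here
    restore(docroot, master, findings)
    return findings, audit(docroot, baseline)
```

The check only means something if it runs where the webserver process cannot touch it, which is what the separate admin or logging VM above provides.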