Firewall Wizards mailing list archives
RE: Re: Anti-Defacement Products...
From: Predrag Zivic <pzivic () yahoo com>
Date: Fri, 19 May 2000 08:17:40 -0700 (PDT)
A late comment but... Anyway, HP VV is a good TOS, but this will ensure only that the outside web page is correct. Also, without any PROXY based product (outside to inside proxy) on the VV itself, you will still remain vulnerable to HTTP (application attacks, bos etc). However, a combination of HP VV with BMC's Safe Passage (no longer supported by HP) or HP VV with Apache proxy (not officially released yet by HP) will comply with mcnabb's requirements.

Another solution to your problem would be to use a combination of F5/alteon/arrowpoint and a proxy based firewall (raptor/gauntlet), where you would terminate the client connection on the f5/alteon/arrowpoint in front of the firewall. I like F5 since you can hash dynamically on proxied (proxiing/proxying...hey techies change the language barriers:-)) cookies and http headers, if memory serves me ok.

Hope this helps...

Pez

--- fernando_montenegro () hp com wrote:
Hi everyone!

ATTENTION: This message is not supposed to be marketing drivel. Though I will talk about a specific product, I hope the technical description will merit posting to the list.

Using a multilevel OS as a Web server, as Paul described, is something that we have had some success with at HP. One of our better known products, Virtual Vault, is architected almost exactly like Paul described. The product is based on a modified version of HP-UX, so running it is not totally unlike administering a normal UNIX box.

The way that the Virtual Vault (VV) is set up is to have 4 separate containers, enforced by MAC rules (not changeable from a running process, once "root" is disabled and no extra privileges are given to user accounts):

- System, holds almost all files in the system plus the running instances of most operating system applications.
- Outside, containing ONLY the webserver running instance and the webserver's access log.
- Inside, holds the running instances for some administrative daemons and the customer application, as well as some temporary files/directories.
- SystemHigh, with the audit daemon's running instance and ancillary files.

BTW, normal Discretionary Access Controls (DAC, our familiar owner-group-world permission mechanism) still apply, so access is checked against both DAC and MAC.

Should the OUTSIDE compartment be compromised (through a failure in the Web server), the only files subject to change are the HTTP access logs. Usually, the HTML/GIF/JPG/... content will be housed in the SYSTEM compartment, therefore safe from modification by the outside. The customer application runs in the INSIDE compartment. While a compromise there is worse, it is still limited by the MAC rules.

Checking MD5 signatures on files can be done on-the-fly for CGI scripts (though it will hurt performance) or regularly through cron.

On the downside, it takes some planning to come up with the proper policies and procedures for integrating content, running audits, ... but it is certainly within reach of any knowledgeable UNIX shop.

Hope this helps.

Cheers,
Fernando

--
Fernando da Silveira Montenegro
Hewlett-Packard Brasil
HP Consulting - IT Security
Al. Rio Negro, 750 - Alphaville
Barueri, SP - Brazil 06454-000
mailto:fernando_montenegro () hp com
voice: +55-11-7297-4351
#include <disclaimer.h>

-----Original Message-----
From: mcnabb () argus-systems com [mailto:mcnabb () argus-systems com]
Sent: Tuesday, March 28, 2000 5:10 PM
To: Kyle.Starkey () msdw com
Cc: mcnabb () argus-systems com; firewall-wizards () nfr net
Subject: Re: [fw-wiz] Re: Anti-Defacement Products...

Starkey, Kyle wrote:

I was thinking about defacement the other day and how to help automate a response to this type of activity. I understand that host based security and network based security is the key, but what about response? I am looking for a product that could be used to make sure the page being displayed was the real page. Thoughts of encrypting the page/code to get a hash and storing it somewhere inside the enterprise, periodically the webserver re-calcing the hash on the page stored locally and running a check against the stored copy secured in a box on the inside. I would also envision the automatic posting of the original source back to the webserver and alerts being generated to the security officer if the two hashes did not match. Does anyone know of any product that does something similar? I was hoping not to have to build this from scratch, but perhaps it will be my little project. Any thoughts about this project or software that might already do this for me would be greatly appreciated...

1. Use a TOS to create 3 virtual machines: one for the webserver process, one for the webpages, and one for administration. Make the webpages VM read-only from the webserver VM.
2. Move all admin utilities into the admin VM.
3. Put the internet network interface in the webserver VM, and put the internal LAN network interface into the admin VM. If you want, you can pick certain hosts or subnets on the internal LAN to be in the admin VM and send all other internal hosts to the webserver VM.
4. Use the packet filtering part of the TOS to prevent the webserver, or anything that is coming from the Internet, from ever contacting the admin VM and from ever modifying the webpages VM. Note: this will hold true no matter what machine instructions are executed in the VM, so you can open up other services (like ftp or telnet) if you want. Or, you could put these other services in their own VMs.
5. Use the integrity mechanism of the TOS to verify checksums and security attributes of the webpage files. This can be run automatically at any interval you need. If you want to be really paranoid, set up another VM for logging and auditing and run everything from that. Make the other VMs visible to the logging VM, but not the other way around. Use the packet filtering on the TOS to limit access to the logging VM to a single host somewhere, preferably protected via a VPN and on the internal LAN.
6. If this is a host with a single network interface, use virtual IFs to set up the system so that each VM has its own virtual network IF and give each service and VM its own IP address on the box.
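The integrity check that Starkey asks for and that Fernando (MD5 via cron) and mcnabb (step 5) both describe, as an added Python example that is not code from anyone in this thread: hash the served files, compare against a baseline taken from the protected golden copy, and repost the originals for anything that changed. It uses SHA-256 in place of the MD5 Fernando mentions, and the two-page site it hashes is constructed inline in demo().

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path):
    """Hex digest of one file (SHA-256 here; the thread's MD5 would be used the same way)."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_baseline(root):
    """Map relative path -> digest for every file under root (the protected golden copy)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p) for p in root.rglob("*") if p.is_file()}

def verify(docroot, baseline):
    """Re-hash the live docroot; return sorted (path, 'modified'|'missing'|'unexpected')."""
    live = build_baseline(docroot)
    findings = [(r, "missing") for r in baseline if r not in live]
    findings += [(r, "modified") for r in baseline if r in live and live[r] != baseline[r]]
    findings += [(r, "unexpected") for r in live if r not in baseline]   # files an attacker dropped
    return sorted(findings)

def restore(docroot, golden, findings):
    """Repost the original for each finding: copy it back from golden, or delete the stray file."""
    for rel, status in findings:
        target = Path(docroot, rel)
        if status == "unexpected":
            target.unlink()
        else:
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(Path(golden, rel).read_bytes())

def demo():
    """Constructed site (golden copy + live docroot), then a simulated defacement and recovery."""
    golden, live = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    for d in (golden, live):
        (d / "img").mkdir()
        (d / "index.html").write_text("<h1>Welcome</h1>")
        (d / "img" / "logo.gif").write_bytes(b"GIF89a")
    baseline = build_baseline(golden)          # taken once, stored on the inside
    (live / "index.html").write_text("<h1>defaced</h1>")   # page replaced
    (live / "img" / "logo.gif").unlink()                   # file deleted
    (live / "upload.cgi").write_text("#!/bin/sh")          # stray file added
    findings = verify(live, baseline)          # non-empty result is the alert
    restore(live, golden, findings)
    return findings, verify(live, baseline)    # second check must come back clean
```

In the thread's design the golden copy lives on the INSIDE/admin side (or the read-only webpages VM) and verify() runs from cron at whatever interval is tolerable; any non-empty findings list is the alert to the security officer.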