JAVASCRIPT

Protecting the Server

If you plan to run a web server, you'd better be prepared to see it attacked. This five-part series will help you arm your system against intruders. It is excerpted from chapter four of the book Securing Ajax Applications: Ensuring the Safety of the Dynamic Web, written by Christopher Wells (O'Reilly, 2007; ISBN: 0596529317). Copyright © 2007 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

Author Info:

By: O'Reilly Media

Poor Best

Rating:

/ 0

September 11, 2008

TABLE OF CONTENTS:

Hey, what’s this rule for? Far too often firewalls are found with rules that nobody remembers adding. This happens because administrators fear something will break if they remove them. When firewall rules are introduced, there should be a well-defined procedure for keeping track of each rule and its purpose.

Another problem is that to see whether a firewall is actually doing what it is supposed to be doing you need to beat on it with a penetration-testing tool and monitor it with intrusion detection software. In other words, you have to hack it to see if it breaks.

Port 80

That’s just web traffic, right? Port 80 is sometimes called the firewall bypass port. This is because many times any traffic will be allowed in and out of the firewall on port 80. Firewall administrators open port 80 for web traffic, and developers take advantage of the open port by running things such as web services through it—so much for firewall security.

SSL

SSL must be terminated before the firewall so that the firewall can inspect the data and make decisions about the content being sent or received. Otherwise, the data is encrypted with SSL. If the firewall or some proxy in front or behind the firewall terminates SSL, the user won’t see a lock in her browser and may become confused or concerned that she cannot do secure online banking, for example.

SSL proxies

There is a crafty solution to the SSL problem: an SSL proxy server. A proxy server can set up its own outbound SSL connection to the server the user wants to contact. The proxy server then negotiates a separate SSL connection with the user’s browser. The user’s browser doesn’t know what is on the other side of the proxy, so it cannot get to the other side without the proxy’s help.

The proxy then impersonates the destination web server by—on the fly—generating and signing a certificate for that web destination. The only way that this works is if the user’s browser trusts the proxy as a certificate authority. Meaning that if the user’s browser has a Certificate Authority (CA) certificate from the company in its trusted store of certificates, then the browser will accept the proxy’s generated certificate as legit.

Once this sort of proxy is set up, it is possible to thoroughly inspect all content flowing through without any worry about encryption getting in the way. Although this does now make it possible to inspect the contents of the web transaction, and an organization such as the Electronic Frontier Foundation (http://www.eff.org) might complain about the loss of the user’s privacy.

Next: Network tiers and the DMZ >>