Re: Newbie questions

From: David (davidwnh@adelphia.net)
Date: 10/09/02


From: "David" <davidwnh@adelphia.net>
Date: Wed, 09 Oct 2002 19:23:13 GMT


> > 1) Can I install a piece of firewall software which will only permit
> > access to port 80 and block all other requests?
> > 2) Is it safer to install a completely separate firewall machine (eg,
> > running Linux) to route requests to port 80 to MS-Windows Server?
> > 3) What other issues are there apart from blocking IP packets to all
> > other ports?

As with many questions here it all depends on several factors including(but
not limited to) how many computers you have and need to protect, how much
cash you have at your disposal, and what (if any)other network services your
webserver requires. If you have broadband, IMHO a router is one of the first
things you should get. It will block a lot of the unwanted incoming bs at
the doorstep. They are easy to configure and give you more choices when
setting up the remainder of your security infrastructure.

The big issue here is that you want to open up a web server on windows. Once
you allow publicly accessible services (particularly IIS)you enter a whole
new playing field. Your best bet is to keep a web server that is open to the
public as separate as possible from the rest of your network; and this all
depends on your own requirements. Does your web server require information
from other services on your network(a database for example)? Are you running
your computers in a domain or workgroup configuration? The list of variables
goes on and on. 1000+ page books are written to address all the issues
involved so take any tidbit of info you get on a message board with a grain
of salt. They may or may not apply to you. The point here is that if you
have to run a webserver for business read a book and get advice/help from
consultants, you can't possibly get the information you need in small scraps
from a newsgroup. If you're setting up a publicly accessible webserver from
home THINK SERIOUSLY about the implications, isolate it as much as possible
from the rest of your network, or better yet consider using a web hosting
company.

The issues apart from blocking all other ports than 80 for your webserver
are numerous(and new ones are discovered frequently). A hacker can gain
total access to your machine and network via port 80 alone. Check out some
of the IIS buffer overflow vulnerabilities that are known. Sure MS patches
them.....eventually.....hopefully.......maybe. Search for information on
"Unicode Input Validation Attack". This is a well-published hack that has
been patched in IIS and Apache but will give you a little insight on what is
(or at least was)possible through port 80 alone. So basically the idea is
this: If you want to run a publicly accessible webserver accept the fact
that it will always be vulnerable to something. Just be sure to keep it up
to date, as secure as possible, and as isolated as possible from the rest of
your network. If you think that you can safely run a publicly accessible
webserver on the same machine that you keep your personal information, think
again.

Also don't think of your OS as your last line of defense. In many respects
it is the first. Once you open public access to port 80 your firewall is in
many respects no longer applicable. Many of the recent virus/worm outbreaks
had already been addressed in windows updates and service packs. They do not
exploit your firewall they use vulnerabilities that are exposed by the OS
and the services if provides.

Here's some pointers that may or may not apply depending on your setup:

Instead of running a separate firewall for the webserver separate the
webserver from the rest of your network. Put it behind a router with port
forwarding. Install it as a standalone server, DO NOT ATTACH IT TO A
WINDOWS DOMAIN. Do not run or if possible even install unnecessary services.
Do not enable netbios. Put your webserver file shares on a partition
separate from the system partition. Do not install unnecessary software. Do
not put any personal or sensitive information on it.Keep your OS and
Antivirus software up to date. Yada Yada Yada. If you use a Win2K server you
can control inbound and outbound access via ACL's, IPsec and TC/IP
filtering. These tools can be just as effective as a separate firewall if
you know how to use them. Remember you have to consider a publicly
accessible webserver vulnerable in some way no matter what you do to secure
it. Work your access from the ground up. Close up all ports, minimize ACL
permissions, etc. Then open up specific ports and add permissions as they
are needed. Before you actually open it up to the internet. Ghost your
harddrives so that you have an easier restoration path if you do get hacked.

Then take the rest of your network and put that through a dedicated software
firewall/proxy connected to the router. The cost of this added protection
is minimal compared to the advantages. You can use a cheap/free secondhand
box with free opensource software, or more if your wallet is heavier. Assign
a different private subnet to the internal network side of your
firewall/proxy. This allows you to control inbound and outbound access for
the remainder of your network from a single computer. You can control not
only internet access but also access between the webserver and the rest of
your internal network.

The main point here is that if you want to run publicly accessible services
such as IIS deem everything on the same computer as being publicly
accessible. If you can't afford a separate computer and whatever else
becomes necessary to secure your other computer(s), use a web hosting
company. If you still decide to run a publicly accessible webserver on a
private machine that contains your own private info. accept the consequences
and don't complain that nobody warned you.