#1  02-06-2012, 03:54 PM
rossi141 (Newbie)
Web Filtering inbound traffic

Hi - I have a web server on my private network which has the correct ports forwarded. It works just fine. What I would like to do, however, is to secure my web server from external attacks. What I want to do is to have it so that the Web Filter would work in reverse, and any inbound web sessions would be checked and allow people to go to only pages that are in the filter - i.e. prevent people scanning and picking up other directories and probing them. At this point, it's no big deal, but if someone does something silly on the web server, I don't want to expose us to a security breach. Does anyone know if Untangle can do this?

Cheers
Colin
#2  02-06-2012, 04:32 PM
sky-knight (Untangle Ninja)

The web filter isn't direction specific. So it DOES process TCP 80 traffic coming in just as it does the stuff going out.

It just doesn't work the way you expect it to, and generally this behavior is detrimental.

You probably could custom configure a rack with a web filter in it that blocks all categories and then passes only specific URLs. The question is... why?

A UTM is no substitute for a properly configured web server.
__________________
Rob Sandling, BS:SWE, MCP
Intouch Technology
Phone: 480-272-9889
rob@intouchtechllc.com

UntangleAppliances.com
Phone: 866-794-8879
#3  02-06-2012, 04:56 PM
dbunyard (Untangle Ninja)

The intrusion prevention app will help with some web server attacks. As sky mentioned though Untangle (or any UTM) is not a substitute for a properly configured web server.
__________________
Dan

You may one day find something interesting here. Today is not that day. Tomorrow isn't looking too good either.
#4  02-07-2012, 11:22 AM
rossi141 (Newbie)

Quote:
Originally Posted by sky-knight
The web filter isn't direction specific. So it DOES process TCP 80 traffic coming in just as it does the stuff going out.

It just doesn't work the way you expect it to, and generally this behavior is detrimental.

You probably could custom configure a rack with a web filter in it that blocks all categories and then passes only specific URLs. The question is... why?

A UTM is no substitute for a properly configured web server.
I appreciate your reply. The answer to why is quite simple. Firstly, an early principle in security is not giving access to something that does not need it, or in other words, only give access to the exact things that are needed. Now that security is going up to higher levels in the stack, this includes file and directory structures. The ability to have a device external to the web server policing this is therefore becoming crucial to the delivery of security.
This statement is strongly backed up by the fact that the company Imperva, which delivers security for web servers etc., just had a highly successful IPO. One of the many things that they do is to only allow access to the files/folders that are needed. So if someone is scanning your web server, looking for open directories, they are stopped by the WebFilter, and cannot even get to the actual server. So, for me to be able to take this first step is goodness, and another addition to the security layer.
#5  02-07-2012, 12:53 PM
sky-knight (Untangle Ninja)

"Scanning Directories"?

You mean using the web resource? (That's how search engines work by the way.)

This isn't a security question as much as a sanity check. Untangle can offer you, with some creative configuration, the ability to control what URLs can hit your web server.

However, that won't stop someone from "randomly" trying to break your web app. There is NO SUCH THING as web app security. And while I agree there is a "market" there, my integrity demands that I point at what all my dev buddies say.

The security of a web app is the responsibility of the app! The web server has all the information to deal with intrusions at its fingertips. No external application will ever have the information required to make sane decisions. If such a thing was really possible, Untangle would be using those techniques to determine how long a user was on Facebook so management can get a nice report. Not to mention nailing down specific viral processes that are moving torrent around. As it is the best we can do is suppose there is an issue with a given IP and throttle it a bit.

If your web server has information on it that is "private" it shouldn't be exposed to the world at all. That is what VPNs are for! If it has public information on it, who cares if the hacker scanned all the folders?

http://www.imperva.com/products/wsc_...-overview.html

Quote:
Dynamically learns legitimate Web application usage
Fortifies Web defenses with research-driven intelligence on current threats
Alerts or blocks requests that:
  Deviate from normal application and data usage
  Attempt to exploit known and unknown vulnerabilities
  Originate from malicious or fraudulent sources
  Indicate a sophisticated, multi-stage attack
Virtually patches application vulnerabilities through integration with Web application vulnerability scanners, reducing the window of exposure and impact of ad-hoc application fixes
Supports transparent, drop-in deployment
Cloud-based services simplify Web application security and prevent DDoS attacks
From the first line forward, I call BULL. All I see in this laundry list of "features" is an engine that watches the HTTP stream, and if it starts seeing a ton of requests doing the same thing over and over, it sets off an alarm and starts temp banning IP addresses.

Apache 2 and IIS 7 have the ability to do this out of the box, all you need to do is configure them. Two systems doing the same thing is just going to make it harder to figure out how to unban someone when the false positives land.

The rest of the page indicates some normal IDS functionality that Untangle can sort of provide via the Intrusion Prevention module. These tools are effective in some niche cases, but require constant tuning to work well.

I'm not saying these guys aren't making a product that works. I'm saying the marketing bull is a bit thick! I'm also saying it will require constant management and tuning. And, I'm saying that it is a process best left to a dedicated device, and not integrated with a general network defense system like Untangle.

It's an apples and oranges thing. (Not to mention the smoke and mirrors!)

Last edited by sky-knight; 02-07-2012 at 12:56 PM.
#6  02-07-2012, 01:28 PM
dmorris (Untangle Junkie)

Quote:
Originally Posted by rossi141
Hi - I have a web server on my private network which has the correct ports forwarded. It works just fine. What I would like to do, however, is to secure my web server from external attacks. What I want to do is to have it so that the Web Filter would work in reverse, and any inbound web sessions would be checked and allow people to go to only pages that are in the filter - i.e. prevent people scanning and picking up other directories and probing them. At this point, it's no big deal, but if someone does something silly on the web server, I don't want to expose us to a security breach. Does anyone know if Untangle can do this?

Cheers
Colin
I won't go into a philosophical discussion, but yes, Untangle will do this.

Just block everything and then only allow specific URLs. You'll likely need to monitor the event logs closely to make sure you passed everything. Also, as mentioned above, you may need Policy Manager to handle this policy separately depending on where you have Untangle installed.
__________________
Attention: Support and help on the Untangle Forums is provided by
volunteers and community members like yourself.
If you need Untangle support please call or email support@untangle.com
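The "block everything, then pass only specific URLs, and watch the event log for what you forgot" approach dmorris describes, reduced to its logic. This is an added example in Python, not Untangle's code or its Web Filter implementation: the allowlist, the Common Log Format lines and the client addresses are constructed. It shows two things a practitioner wants from such a filter: the request path must be normalized (query stripped, percent-decoded, `..` collapsed) before it is matched, or `/css/../admin/` and `/%61dmin` walk past an exact-match list; and a prefix rule such as `/images/` passes the directory root itself, so directory listings still have to be switched off on the web server, which is the "UTM is no substitute for a properly configured web server" point above.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed allowlist: the exact pages and static-asset prefixes this site
# actually serves. Everything else is denied (default deny).
ALLOWED_EXACT = {"/", "/index.html", "/about.html", "/contact.html"}
ALLOWED_PREFIXES = ("/css/", "/images/")

# Constructed access-log lines in Common Log Format: two clients, one of them
# poking at paths the site never published. Addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Feb/2012:09:00:01 -0700] "GET / HTTP/1.1" 200 512
203.0.113.5 - - [08/Feb/2012:09:00:02 -0700] "GET /css/site.css HTTP/1.1" 200 220
203.0.113.5 - - [08/Feb/2012:09:00:03 -0700] "GET /news.html HTTP/1.1" 200 900
198.51.100.7 - - [08/Feb/2012:09:00:04 -0700] "GET /css/../admin/ HTTP/1.1" 404 10
198.51.100.7 - - [08/Feb/2012:09:00:05 -0700] "GET /%61dmin/config.php HTTP/1.1" 404 10
198.51.100.7 - - [08/Feb/2012:09:00:06 -0700] "GET /images/?C=M;O=D HTTP/1.1" 200 300
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def normalize_path(raw_target):
    """Canonicalize a request target before matching it against the allowlist:
    drop the query string, percent-decode once, collapse '.' and '..' segments,
    and keep a trailing slash so directory requests stay distinct from files.
    Matching the raw string instead would let '/css/../admin/' or '/%61dmin'
    past an exact-match list."""
    path = raw_target.split("?", 1)[0] or "/"
    path = unquote(path)
    wants_dir = path.endswith("/")
    path = posixpath.normpath(path)  # '/css/../admin' -> '/admin'
    if wants_dir and not path.endswith("/"):
        path += "/"
    return path


def is_allowed(raw_target):
    """Default deny: a request passes only if its normalized path is an exact
    allowlisted page or sits under an allowlisted prefix."""
    path = normalize_path(raw_target)
    if path in ALLOWED_EXACT:
        return True
    return any(path.startswith(prefix) for prefix in ALLOWED_PREFIXES)


def review(log_text):
    """Apply the allowlist to every request in the log. Returns the number of
    allowed requests and a dict mapping each denied normalized path to the
    sorted list of client IPs that asked for it: the report an operator reads
    to spot legitimate pages that still need to be passed."""
    allowed = 0
    denied = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that do not parse rather than guess
        ip, _method, target, _status = m.groups()
        if is_allowed(target):
            allowed += 1
        else:
            denied.setdefault(normalize_path(target), set()).add(ip)
    return allowed, {p: sorted(ips) for p, ips in denied.items()}


if __name__ == "__main__":
    count, report = review(SAMPLE_LOG)
    print(f"allowed: {count}")
    for path, ips in sorted(report.items()):
        print(f"denied {path!r} requested by {', '.join(ips)}")
```

Run against the sample log, the report lists `/news.html` (a real page that was never added to the allowlist, which is exactly what the event-log review is for) next to the two probes for `/admin/`, so the operator can tell at a glance which denials to fix and which to leave alone.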
#7  02-08-2012, 06:26 AM
rossi141 (Newbie)

Quote:
Originally Posted by sky-knight
The security of a web app is the responsibility of the app!
I hate to argue with a highly respected "Ninja" of this forum, but in this case I have to tell you that you are wrong.
At a time when the news is filled with articles about the latest high profile site that was hacked, I am very surprised that you, as an apparent security expert, would advise not to specifically secure your web servers with an external device (and actually think that it is not possible) - why don't we also not use any kind of security and say that desktops are OK if they are secured correctly?
The only reason why we need security is because it is impossible to ensure the security of potentially thousands of individual devices. So instead we create a single choke point where security can be implemented that covers all devices.

If you own both security and the web server, you have a better chance of security, although bugs in the web server and developer mistakes still leave you vulnerable. I would still want an extra layer of security. If, as a security guy, you believe that you or anyone else that touches any machine on the network will never make a mistake that leaves you vulnerable, then you are asking to be hacked. This is the point of layered security - if you make a mistake, you are covered. Anyone claiming that they never make mistakes either lives in an idealistic world, or is a liar.
I also believe that you have completely dismissed a security application without actually trying it. I trialled Imperva 2 weeks ago and was mightily impressed. Firstly, it does what it says it does. Unfortunately, it was way too expensive for us though. You as a security guy (and again, as a respected member of this online security forum) should be extremely careful about dismissing "new" technology until you fully understand it and have actually tried it.
#8  02-08-2012, 06:52 AM
rossi141 (Newbie)

Quote:
Originally Posted by dmorris
I won't go into a philosophical discussion, but yes, untangle will do this.
Thanks - I definitely appreciate the straight answer.

Cheers
#9  02-08-2012, 09:08 AM
sky-knight (Untangle Ninja)

Quote:
Originally Posted by rossi141
I hate to argue with a highly respected "Ninja" of this forum, but in this case I have to tell you that you are wrong.
At a time when the news is filled with articles about the latest high profile site that was hacked, I am very surprised that you, as an apparent security expert, would advise not to specifically secure your web servers with an external device (and actually think that it is not possible) - why don't we also not use any kind of security and say that desktops are OK if they are secured correctly?
The only reason why we need security is because it is impossible to ensure the security of potentially thousands of individual devices. So instead we create a single choke point where security can be implemented that covers all devices.

If you own both security and the web server, you have a better chance of security, although bugs in the web server and developer mistakes still leave you vulnerable. I would still want an extra layer of security. If, as a security guy, you believe that you or anyone else that touches any machine on the network will never make a mistake that leaves you vulnerable, then you are asking to be hacked. This is the point of layered security - if you make a mistake, you are covered. Anyone claiming that they never make mistakes either lives in an idealistic world, or is a liar.
I also believe that you have completely dismissed a security application without actually trying it. I trialled Imperva 2 weeks ago and was mightily impressed. Firstly, it does what it says it does. Unfortunately, it was way too expensive for us though. You as a security guy (and again, as a respected member of this online security forum) should be extremely careful about dismissing "new" technology until you fully understand it and have actually tried it.
It's called VMs. Isolate risky services into separate environments and lock them down from each other to mitigate risk.

Imperva has its use, and if you read what I said, I wasn't entirely dismissing it. I was simply turned off by it making promises that I know it can't keep. I also indicated that you could, with the policy manager and a dedicated rack, configure a web filter to create a sort of URL access control list against internal web services. Furthermore, I pointed out the use of the IDS module for a few extra toys.

I use Untangle to protect my web and mail servers, I have one right behind me. I do NOT have the web filter in the way. My web servers are public! There is nothing on those public servers that if compromised I would care about! I use VM technology to separate public and private roles.

Large sites getting compromised? Yeah, it happens. And Imperva isn't going to stop these things from happening. Is it an extra layer? That's a debatable thing. As long as web sites and the related services are as unique as a fingerprint, a market stamped box that "defends" them will be quite ineffective.

I prefer a simpler approach, VM live backups. If a site is compromised I just restore the VM and restart. If the hackers persist, I'll just make the VM read only until they get bored. Snapshots are wonderful things.

New expensive toys need time to prove themselves. I'm not dismissing it as much as pointing out the impossibility of the task it's claiming to perform. Furthermore, I don't need a bot to protect my network. Apache offers many of these features. Fail2Ban? DenyHosts?

There are so many more... VMs! That's the key and they are cheap to operate if you get creative and can design your own hardware.

Last edited by sky-knight; 02-08-2012 at 09:11 AM.
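The mechanism sky-knight describes in posts #5 and #9, "if it starts seeing a ton of requests doing the same thing over and over, it sets off an alarm and starts temp banning IP addresses", together with his objection that the false positives have to be unbanned again, as an added Python example. It is not Fail2Ban, DenyHosts, Apache or Untangle code: the thresholds are assumptions and the event stream is constructed. The two defensive details it carries are the sliding window (old failures age out, so a visitor with a couple of broken links is never banned) and the ban expiry plus a manual release, so a wrongly banned client recovers without anyone hunting through two systems.

```python
from collections import defaultdict, deque

# Constructed thresholds (assumptions, not Fail2Ban or Apache defaults).
MAX_FAILURES = 5    # 404s a client may produce inside WINDOW seconds
WINDOW = 60         # sliding window, seconds
BAN_SECONDS = 600   # temporary ban length; expiry keeps a false positive self-healing


class TempBanner:
    """Per-client sliding-window counter of failed (404) requests that issues
    temporary bans and lets them lapse, in the spirit of Fail2Ban-style tools."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, ban_seconds=BAN_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.ban_seconds = ban_seconds
        self.failures = defaultdict(deque)  # ip -> timestamps of recent 404s
        self.bans = {}                      # ip -> time the ban expires

    def observe(self, ts, ip, status):
        """Feed one request (unix time, client IP, HTTP status). Returns
        'banned' if the client is currently blocked, 'ban' if this request
        tripped the threshold, otherwise 'ok'."""
        until = self.bans.get(ip)
        if until is not None:
            if ts < until:
                return "banned"
            del self.bans[ip]               # ban has lapsed
        if status != 404:
            return "ok"
        recent = self.failures[ip]
        recent.append(ts)
        while recent and recent[0] <= ts - self.window:
            recent.popleft()                # forget failures older than the window
        if len(recent) >= self.max_failures:
            self.bans[ip] = ts + self.ban_seconds
            recent.clear()
            return "ban"
        return "ok"

    def unban(self, ip):
        """Manual release for the false-positive case the thread warns about.
        Returns True if the client was actually banned."""
        return self.bans.pop(ip, None) is not None

    def banned_until(self, ip):
        return self.bans.get(ip)


# Constructed event stream (time offset in seconds, client, status): a scanner
# hammering missing paths, and a normal visitor who hits one broken link.
SAMPLE_EVENTS = [
    (0, "198.51.100.7", 404), (1, "198.51.100.7", 404), (2, "198.51.100.7", 404),
    (3, "203.0.113.5", 200), (3, "198.51.100.7", 404), (4, "198.51.100.7", 404),
    (5, "198.51.100.7", 404), (30, "203.0.113.5", 404), (700, "198.51.100.7", 200),
]


def run_sample(events=SAMPLE_EVENTS):
    """Replay the events through a fresh TempBanner; return the per-request
    decisions and the banner so its state can be inspected afterwards."""
    banner = TempBanner()
    decisions = [banner.observe(ts, ip, status) for ts, ip, status in events]
    return decisions, banner


if __name__ == "__main__":
    decisions, _ = run_sample()
    for (ts, ip, status), decision in zip(SAMPLE_EVENTS, decisions):
        print(f"t={ts:>3} {ip:<14} {status} -> {decision}")
```

In the replay the scanner trips the threshold on its fifth 404 and is dropped on the sixth, the ordinary visitor's single 404 never comes close, and by t=700 the scanner's ban has expired on its own. Whether a rule like this belongs in the UTM or in the web server is the argument the thread is having; what the code shows is how little the rule actually knows about the application, which is sky-knight's point about what an external box can and cannot decide.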
#10  02-08-2012, 11:22 AM
rossi141 (Newbie)

Quote:
Originally Posted by sky-knight
I was simply turned off by it making promises that I know it can't keep.
I must assume that you have experience with Imperva, being able to make such a statement. I would appreciate learning from your experiences, as when I tried it, it worked as advertised.

Incidentally:
Quote:
Originally Posted by sky-knight
If a site is compromised I just restore the VM and restart.
While this may be a sound approach for your own stuff, this is NOT a security strategy that any company should pursue, and I am astounded that someone with your standing would even suggest that this is a good way forward.