[OWASP-LEADERS] Big welcome to Carric / Server Setup

David Raphael david.raphael at ceterum.net
Sat Nov 9 01:49:49 EST 2002


We have been referring to Filters.  At this point I have
to ask a question:  I need to clarify the Filters -

1.  Dynamic Content:
REQUEST:  HTTP(CLIENT) -> FILTER(FILTERS PROJECT) -> WEB SERVER ->
JK2(TOMCAT) -> FILTER(SERVLET API) -> SERVLET

RESPONSE: SERVLET -> FILTER(SERVLET API) -> JK2(TOMCAT) -> WEB SERVER ->
HTTP(CLIENT)

2.  Static Content:
REQUEST:  HTTP(CLIENT) -> FILTER(FILTERS PROJECT) -> WEB SERVER

RESPONSE: WEB SERVER -> HTTP(CLIENT)

Will the Filters Project filter Responses?

Is this picture accurate?  Obviously there is more to this.  But I am
including the important pieces.  This is what I am deriving from what
you are saying, Mark.  The only problem I see is that Static content
will get a performance hit from the filter.  And what benefit is a
filter on Static content?  Or am I misunderstanding this?  Are we only
referring to Filters in the App context?

Thoughts anyone?

-d


> -----Original Message-----
> From: owasp-leaders-admin at lists.sourceforge.net
> [mailto:owasp-leaders-admin at lists.sourceforge.net]On Behalf Of Mark
> Curphey
> Sent: Saturday, November 09, 2002 12:27 AM
> To: david.raphael at ceterum.net
> Cc: ingo at ingostruck.de; owasp-leaders at lists.sourceforge.net
> Subject: RE: [OWASP-LEADERS] Big welcome to Carric / Server Setup
>
>
> All sounds good. When you say app server homed with
> db/ldap do you mean "same box" or homed as in "nic and
> route to" ?
>
> Carric's an IDS man so I know he will have some ideas
> for the os and network IDS.
>
> As for the app level attacks I have an idea. Shoot me if I am pushing the
> envelope but you wouldn't expect anything else :-) Given we'll be using the
> filters project's work and intercepting all HTTP requests and parsing them
> for malicious input, it might be pretty easy to also do a compare to a
> VulnXML signature list and log / report on matches. It would seem that IDS
> for a web app is already there with a good MVC architecture, you just need
> to define the triggers. There are several advantages of doing it this way.
> Don't need to worry about SSL, the hardware should be able to handle the
> load etc.
>
> I know many of the app ids vendors would willingly stick their boxes in
> front of this, but I just can't see what they give you that a well written
> filter and pattern matching of our own vulnxml database won't.
>
> Thoughts ?
>
> ---- David Raphael <david.raphael at ceterum.net> wrote:
> > Allow me to clarify ;)
> >
> > The aforementioned ports (80 & 443) should be fine for the Public Facing
> > interface.
> >
> > I am still working on my documents (I hope for them to be finished tonight).
> > I will include some of the Portal Architecture.
> >
> > I will give a quick preview of what I have in mind:
> >
> > There will be at least 2 IP interfaces on the Web Server(s).  One will be
> > public facing.  The other will be traffic to the Middle Tier (Currently
> > Tomcat).  This will be internal traffic.  Additionally this interface can
> > face the DB/LDAP.  I assume that the AS will be Homed with the DB/LDAP for
> > now.
> >
> > But please don't read too far into this snippet.  Once I release the doc
> > let the carnage begin...
> >
> > Regarding SSH:  Again, I am comfortable with a Terminal Server...This way,
> > we can log in and turn on SSH as needed (IE to transfer Files).  And when
> > we don't need throughput, we will access the Terminal server to access the
> > Web Tier.
> >
> > Alternatively, maybe it is adequate to use ACLs for SSH.  I dunno.
> >
> > Cheers,
> > David Raphael
> >
> > PS:  I am unfamiliar with IDS, but is there any we can implement?
> >
> >
> > > -----Original Message-----
> > > From: owasp-leaders-admin at lists.sourceforge.net
> > > [mailto:owasp-leaders-admin at lists.sourceforge.net]On Behalf Of Mark
> > > Curphey
> > > Sent: Friday, November 08, 2002 10:30 PM
> > > To: David Raphael
> > > Cc: ingo at ingostruck.de; owasp-leaders at lists.sourceforge.net
> > > Subject: RE: [OWASP-LEADERS] Big welcome to Carric / Server Setup
> > >
> > >
> > > I will get valid SSL certs for the portal so user auth at an absolute
> > > min and password changes etc are over SSL.
> > >
> > > I was assuming we would have a three tier portal. Web Server (with
> > > coyote connector or similar), app server (Tomcat 4.x) and database
> > > (Hypersonic) / directory (LDAP). Is that right David ? I really don't
> > > want to collapse the app and web tiers on the same box for obvious
> > > security reasons.
> > >
> > > If that's accurate I will need to find one more box. That should be
> > > pretty easy as it will only be static images, jsps and the
> > > connector...
> > >
> > > Then we also need to figure out the packet filtering reqs.
> > >
> > > Carric, I guess maybe Sanswire can drop everything bar 80 and 443 to the
> > > web tier directly from the ingress router ? If they can maybe we can
> > > setup SSH from static IP's such as David's, yours etc ?
> > >
> > >
> > > On Fri, 2002-11-08 at 20:08, David Raphael wrote:
> > > > Hello Everyone,
> > > >
> > > > Welcome Carric! It's great to hear more people are interested in the
> > > > cause!
> > > >
> > > > To business:
> > > >
> > > > Are we comfortable with Apache 2 being the most secure?  I am not a
> > > > Linux security specialist, but I don't believe that Apache 2 has had
> > > > the same exposure as 1.3.xx ...What does everybody think?
> > > >
> > > > I like the idea of no Port other than 80 being open.  A terminal server
> > > > might be a good alternative for remote administration!  Maybe we could
> > > > get a hold of a little cyclades or something.  Please give your comments.
> > > > Use dial-in only access.  Or if it is on some kind of Private LAN with
> > > > alternative access.
> > > >
> > > > What does anyone think about this?
> > > >
> > > > -Dave
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: owasp-leaders-admin at lists.sourceforge.net
> > > > > [mailto:owasp-leaders-admin at lists.sourceforge.net]On Behalf Of Ingo
> > > > > Struck
> > > > > Sent: Thursday, November 07, 2002 6:29 AM
> > > > > To: owasp-leaders at lists.sourceforge.net
> > > > > Cc: mark at curphey.com
> > > > > Subject: [OWASP-LEADERS] Big welcome to Carric / Server Setup
> > > > >
> > > > >
> > > > > Hi Carric,
> > > > >
> > > > > I assume that Mark put you on this list, so welcome at the OWASP staff.
> > > > > It is really great that you volunteered for some admin work and that
> > > > > you could provide a hosting location for our production servers.
> > > > > Thanks a lot!
> > > > >
> > > > > Some weeks ago I already sent a personal wishlist for the production
> > > > > server setup, so I simply repost it here:
> > > > >
> > > > > === snip ===
> > > > >
> > > > > Here you go with a detailed wishlist for the server configuration:
> > > > > (I am currently not sure whether the BSD or a linux box will be
> > > > >  used for vulnxml - that makes no difference for me)
> > > > >
> > > > > 1. The file system setup *must* provide separate partitions for
> > > > >    /var and /tmp
> > > > > 2. The file system setup *should* provide separate partitions for
> > > > >    /opt , /usr and /home
> > > > > 3. All apache stuff goes to /opt/apache, i.e.:
> > > > >    /opt/apache/httpd      httpd (preferably 2.0.43, 1.3.27 will do as well)
> > > > >    /opt/apache/tomcat     tomcat (4.1.12)
> > > > >    (I will provide the appropriate conf files for httpd 2.0 and for tomcat)
> > > > > 4. The vulnxml application goes to /opt/owasp/vulnxml
> > > > >    (I will provide this directory in a whole as tar.bz2)
> > > > > 5. absolutely no ftp, telnet, finger or other crap access
> > > > > 6. only port 80 open for remote access (best would be a package filter
> > > > >    firewall), if *really* necessary port 22 for ssh
> > > > > 7. If it is somehow possible (i.e. you have got the servers near to you)
> > > > >    NO SSH ACCESS AT ALL
> > > > >
> > > > > Due to our project goals I expect our apps to be attacked more than
> > > > > an average web app. That's why I want the servers as leakproof as
> > > > > possible.
> > > > >
> > > > > === snap ===
> > > > >
> > > > > Kind regards
> > > > >
> > > > > Ingo
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> -------------------------------------------------------
> > > > > This sf.net email is sponsored by: See the NEW
> Palm
> > > > > Tungsten T handheld. Power & Color in a
> compact size!
> > > > >
> http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0001en
> > > > > _______________________________________________
> > > > > Owasp-leaders mailing list
> > > > > Owasp-leaders at lists.sourceforge.net
> > > > >
> https://lists.sourceforge.net/lists/listinfo/owasp-leaders
> > > > >
> > > > >
> > > >
> > >
> > >
> > >
> > >
> > >
> >
> >
>
>
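Mark's idea above, a request-intercepting filter that compares every HTTP request against a VulnXML-style signature list and logs matches, sketched as an added example; this is not code from the OWASP Filters or VulnXML projects, and the signature entries, the sample requests and the percent-decoding normalization are constructed assumptions for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed signature list standing in for a VulnXML-derived one:
# (id, description, compiled pattern), matched against the decoded
# path, query string and body of every request the filter sees.
SIGNATURES = [
    ("SIG-0001", "directory traversal sequence", re.compile(r"\.\./")),
    ("SIG-0002", "script tag in parameter", re.compile(r"<\s*script", re.I)),
    ("SIG-0003", "embedded NUL byte", re.compile("\x00")),
]

def normalize(s: str) -> str:
    """Percent-decode twice so double-encoded input (e.g. %252F) is seen
    the way the application would eventually see it."""
    return unquote_plus(unquote_plus(s))

def inspect_request(path: str, query: str = "", body: str = "") -> list:
    """Return the ids of every signature matching any part of the request."""
    fields = [normalize(path), normalize(query), normalize(body)]
    return [sig_id for sig_id, _desc, pattern in SIGNATURES
            if any(pattern.search(f) for f in fields)]

def filter_log(requests) -> list:
    """Run each (client_ip, method, path, query, body) tuple through the
    filter and return one log line per signature match; requests that
    match nothing, static image fetches included, produce no line."""
    descriptions = {sig_id: desc for sig_id, desc, _ in SIGNATURES}
    lines = []
    for client, method, path, query, body in requests:
        for sig_id in inspect_request(path, query, body):
            lines.append(f"MATCH {sig_id} ({descriptions[sig_id]}) "
                         f"from {client}: {method} {path}?{query}")
    return lines

# Constructed sample traffic: a benign page view, a double-encoded
# traversal attempt, a script tag in a POST body and a static image fetch.
SAMPLE_REQUESTS = [
    ("198.51.100.7", "GET", "/portal/index.jsp", "page=1", ""),
    ("198.51.100.7", "GET", "/portal/view.jsp", "file=..%252F..%252Fetc%252Fpasswd", ""),
    ("203.0.113.9", "POST", "/portal/login", "", "user=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    ("203.0.113.9", "GET", "/images/logo.gif", "", ""),
]

if __name__ == "__main__":
    for line in filter_log(SAMPLE_REQUESTS):
        print(line)
```

The static image request costs a regex pass but yields nothing, which is the performance point David raises above; the decode step is what keeps the double-encoded traversal from slipping past the signature.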




