[OWASP-LEADERS] Big welcome to Carric / Server Setup

Dawes, Rogan (ZA - Johannesburg) rdawes at deloitte.co.za
Mon Nov 11 01:32:17 EST 2002


Interesting. I'd never thought of using VulnXML as an IDS signature list as
well. I'm not too sure how well it would work, to be honest.

I am more inclined to put some kind of heuristics into the system, or
formally specify the acceptable input and log/alert on exceptions.

Some examples of application IDS that I think may be appropriate, and that we
should consider handling:

Cookie sampling. Someone is repeatedly requesting URLs that supply new
cookies, in order to see if there is a repeatable pattern.

Invalid input. If we are rigorous in specifying what the application can
accept, we can log and alert whenever the filters reject input.

VulnXML is not really appropriate for this.

What I DO think we should do is be very verbose in the logging that we do,
so that we can see if there are any new kinds of attacks that are being
attempted against the site. And of course, that needs to be reviewed
somehow. We can probably exclude requests for all the "legitimate" pages on
the site, otherwise almost certainly all the static pages(?) and images.

Rogan

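Rogan's two heuristics above (cookie sampling, and alerting whenever the input filters reject a request), together with his suggestion of excluding the known legitimate pages and static content from what gets reviewed, implemented as an added example in Python. This is not code from the thread or from any OWASP project; the log format (a verbose "timestamp client method path key=value..." line that a filter layer would write), the thresholds (5 fresh cookies within 60 seconds), the known-page list and the sample log lines are all constructed assumptions.

```python
"""Application-level IDS heuristics run over constructed access-log lines.

Three checks:
  * cookie sampling - one client collecting many fresh session cookies in a short window
  * invalid input   - any request the input-validation filter rejected
  * review queue    - requests for paths that are neither known pages nor static assets
"""
from collections import defaultdict, namedtuple
from datetime import datetime
from os.path import splitext
from urllib.parse import urlsplit

Alert = namedtuple("Alert", "kind client detail")

# Constructed sample log in an assumed format (not any real server's output). The
# key=value tail is what a verbose filter layer would append: whether a fresh session
# cookie was issued, and whether the validation filter rejected the request (and which field).
SAMPLE_LOG = """\
2002-11-11T01:30:00 10.0.0.5 GET /login status=200 set_cookie=1 reject=0
2002-11-11T01:30:02 10.0.0.5 GET /login status=200 set_cookie=1 reject=0
2002-11-11T01:30:03 10.0.0.5 GET /login status=200 set_cookie=1 reject=0
2002-11-11T01:30:05 10.0.0.5 GET /login status=200 set_cookie=1 reject=0
2002-11-11T01:30:07 10.0.0.5 GET /login status=200 set_cookie=1 reject=0
2002-11-11T01:30:09 10.0.0.5 GET /login status=200 set_cookie=1 reject=0
2002-11-11T01:31:00 10.0.0.9 GET /index.jsp status=200 set_cookie=1 reject=0
2002-11-11T01:31:01 10.0.0.9 GET /images/logo.gif status=200 set_cookie=0 reject=0
2002-11-11T01:31:02 10.0.0.9 GET /style/site.css status=200 set_cookie=0 reject=0
2002-11-11T01:32:10 10.0.0.7 POST /login status=400 set_cookie=0 reject=1 field=username
2002-11-11T01:32:15 10.0.0.7 GET /old/backup.jsp status=404 set_cookie=0 reject=0
2002-11-11T01:33:00 10.0.0.9 GET /index.jsp?lang=en status=200 set_cookie=0 reject=0
"""

KNOWN_PAGES = {"/", "/index.jsp", "/login", "/logout"}          # assumed legitimate pages
STATIC_EXTENSIONS = {".gif", ".jpg", ".png", ".css", ".js", ".ico"}

COOKIE_THRESHOLD = 5      # fresh cookies per client ...
WINDOW_SECONDS = 60       # ... within this many seconds triggers an alert (assumed values)


def parse_line(line):
    """Split one constructed log line into a dict of fixed fields plus key=value extras."""
    ts, client, method, path, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "client": client, "method": method, "path": path}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def is_legitimate(path):
    """True for known pages and static assets, which are excluded from review."""
    p = urlsplit(path).path
    return p in KNOWN_PAGES or splitext(p)[1].lower() in STATIC_EXTENSIONS


def detect_cookie_sampling(records):
    """Sliding window over each client's fresh-cookie events; one alert per offending client."""
    per_client = defaultdict(list)
    for r in records:
        if r.get("set_cookie") == "1":
            per_client[r["client"]].append(r["ts"])
    alerts = []
    for client, stamps in per_client.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > WINDOW_SECONDS:
                start += 1
            count = end - start + 1
            if count >= COOKIE_THRESHOLD:
                alerts.append(Alert("cookie_sampling", client,
                                    f"{count} new cookies within {WINDOW_SECONDS}s"))
                break
    return alerts


def detect_invalid_input(records):
    """Every rejection by the validation filter is worth an alert, not just a log line."""
    return [Alert("invalid_input", r["client"],
                  f"{r['method']} {r['path']} rejected field={r.get('field', '?')}")
            for r in records if r.get("reject") == "1"]


def review_queue(records):
    """Unknown (client, path) pairs left for a human once legitimate traffic is excluded."""
    return sorted({(r["client"], r["path"]) for r in records if not is_legitimate(r["path"])})


def analyse(log_text):
    records = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    return detect_cookie_sampling(records) + detect_invalid_input(records), review_queue(records)


if __name__ == "__main__":
    alerts, queue = analyse(SAMPLE_LOG)
    for a in alerts:
        print(f"ALERT  {a.kind:16} {a.client:10} {a.detail}")
    for client, path in queue:
        print(f"REVIEW {client:10} {path}")
```

On the sample log this raises one cookie-sampling alert for 10.0.0.5 (five fresh cookies inside the window), one invalid-input alert for the rejected POST from 10.0.0.7, and leaves only /old/backup.jsp in the review queue; the known pages, the query-string variant of /index.jsp and the static images and stylesheets are all filtered out.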

> -----Original Message-----
> From: Mark Curphey [mailto:mark at curphey.com]
> Sent: 09 November 2002 08:27
> To: david.raphael at ceterum.net
> Cc: ingo at ingostruck.de; owasp-leaders at lists.sourceforge.net
> Subject: RE: [OWASP-LEADERS] Big welcome to Carric / Server Setup
> 
> 
> All sounds good. When you say app server homed with
> db/ldap do you mean "same box" or homed as in "nic and
> route to" ?
> 
> Carric's an IDS man so I know he will have some ideas
> for the OS and network IDS.
> 
> As for the app level attacks I have an idea. Shoot me
> if I am pushing the envelope but you wouldn't expect
> anything else :-) Given we'll be using the filters
> project's work and intercepting all HTTP requests and
> parsing them for malicious input, it might be pretty
> easy to also do a compare to a VulnXML signature list
> and log / report on matches. It would seem that IDS
> for a web app is already there with a good MVC
> architecture, you just need to define the triggers.
> There are several advantages of doing it this way.
> Don't need to worry about SSL, the hardware should be
> able to handle the load etc.
> 
> I know many of the app IDS vendors would willingly
> stick their boxes in front of this, but I just can't see
> what they give you that a well written filter and
> pattern matching of our own VulnXML database won't.
> 
> Thoughts?
> 
> ---- David Raphael <david.raphael at ceterum.net> wrote:
> > Allow me to clarify ;)
> > 
> > The aforementioned ports (80 & 443) should be fine for the Public Facing
> > interface.
> > 
> > I am still working on my documents (I hope for them to be finished tonight).
> > I will include some of the Portal Architecture.
> > 
> > I will give a quick preview of what I have in mind:
> > 
> > There will be at least 2 IP interfaces on the Web Server(s). One will be
> > public facing. The other will be traffic to the Middle Tier (currently
> > Tomcat). This will be internal traffic. Additionally this interface
> > can face the DB/LDAP. I assume that the AS will be homed with the DB/LDAP
> > for now.
> > 
> > But please don't read too far into this snippet. Once I release the doc
> > let the carnage begin...
> > 
> > Regarding SSH: Again, I am comfortable with a Terminal Server... This way,
> > we can log in and turn on SSH as needed (i.e. to transfer files). And when
> > we don't need throughput, we will access the Terminal server to access the
> > Web Tier.
> > 
> > Alternatively, maybe it is adequate to use ACLs for SSH. I dunno.
> > 
> > Cheers,
> > David Raphael
> > 
> > PS: I am unfamiliar with IDS, but is there any we can implement?
> > 
> > 
> > > -----Original Message-----
> > > From: owasp-leaders-admin at lists.sourceforge.net
> > > [mailto:owasp-leaders-admin at lists.sourceforge.net] On Behalf Of Mark Curphey
> > > Sent: Friday, November 08, 2002 10:30 PM
> > > To: David Raphael
> > > Cc: ingo at ingostruck.de; owasp-leaders at lists.sourceforge.net
> > > Subject: RE: [OWASP-LEADERS] Big welcome to Carric / Server Setup
> > > 
> > > 
> > > I will get valid SSL certs for the portal so user auth at an absolute
> > > min and password changes etc are over SSL.
> > > 
> > > I was assuming we would have a three tier portal. Web Server (with
> > > coyote connector or similar), app server (Tomcat 4.x) and database
> > > (Hypersonic) / directory (LDAP). Is that right David? I really don't
> > > want to collapse the app and web tiers on the same box for obvious
> > > security reasons.
> > > 
> > > If that's accurate I will need to find one more box. That should be
> > > pretty easy as it will only be static images, JSPs and the
> > > connector...
> > > 
> > > Then we also need to figure out the packet filtering reqs.
> > > 
> > > Carric, I guess maybe Sanswire can drop everything bar 80 and 443 to the
> > > web tier directly from the ingress router? If they can maybe we can
> > > setup SSH from static IPs such as David's, yours etc?
> > > 
> > > 
> > > On Fri, 2002-11-08 at 20:08, David Raphael wrote:
> > > > Hello Everyone,
> > > > 
> > > > Welcome Carric! It's great to hear more people are interested in the
> > > > cause!
> > > > 
> > > > To business:
> > > > 
> > > > Are we comfortable with Apache 2 being the most secure? I am not a
> > > > Linux security specialist, but I don't believe that Apache 2 has had
> > > > the same exposure as 1.3.xx ... What does everybody think?
> > > > 
> > > > I like the idea of no port other than 80 being open. A terminal server
> > > > might be a good alternative for remote administration! Maybe we could
> > > > get a hold of a little Cyclades or something. Please give your comments.
> > > > Use dial-in only access. Or if it is on some kind of private LAN with
> > > > alternative access.
> > > > 
> > > > What does anyone think about this?
> > > > 
> > > > -Dave
> > > > 
> > > > 
> > > > > -----Original Message-----
> > > > > From: owasp-leaders-admin at lists.sourceforge.net
> > > > > [mailto:owasp-leaders-admin at lists.sourceforge.net] On Behalf Of Ingo Struck
> > > > > Sent: Thursday, November 07, 2002 6:29 AM
> > > > > To: owasp-leaders at lists.sourceforge.net
> > > > > Cc: mark at curphey.com
> > > > > Subject: [OWASP-LEADERS] Big welcome to Carric / Server Setup
> > > > > 
> > > > > 
> > > > > Hi Carric,
> > > > > 
> > > > > I assume that Mark put you on this list, so welcome to the OWASP staff.
> > > > > It is really great that you volunteered for some admin work and that you
> > > > > could provide a hosting location for our production servers.
> > > > > Thanks a lot!
> > > > > 
> > > > > Some weeks ago I already sent a personal wishlist for the production server
> > > > > setup, so I simply repost it here:
> > > > > 
> > > > > === snip ===
> > > > > 
> > > > > Here you go with a detailed wishlist for the server configuration:
> > > > > (I am currently not sure whether the BSD or a Linux box will be
> > > > >  used for vulnxml - that makes no difference for me)
> > > > > 
> > > > > 1. The file system setup *must* provide separate partitions for
> > > > >    /var and /tmp
> > > > > 2. The file system setup *should* provide separate partitions for
> > > > >    /opt, /usr and /home
> > > > > 3. All apache stuff goes to /opt/apache, i.e.:
> > > > >    /opt/apache/httpd     httpd (preferably 2.0.43, 1.3.27 will do as well)
> > > > >    /opt/apache/tomcat    tomcat (4.1.12)
> > > > >    (I will provide the appropriate conf files for httpd 2.0 and for tomcat)
> > > > > 4. The vulnxml application goes to /opt/owasp/vulnxml
> > > > >    (I will provide this directory in a whole as tar.bz2)
> > > > > 5. absolutely no ftp, telnet, finger or other crap access
> > > > > 6. only port 80 open for remote access (best would be a packet filter
> > > > >    firewall), if *really* necessary port 22 for ssh
> > > > > 7. If it is somehow possible (i.e. you have got the servers near to you)
> > > > >    NO SSH ACCESS AT ALL
> > > > > 
> > > > > Due to our project goals I expect our apps to be attacked more than
> > > > > an average web app. That's why I want the servers as leakproof as
> > > > > possible.
> > > > > 
> > > > > === snap ===
> > > > > 
> > > > > Kind regards
> > > > > 
> > > > > Ingo
> > > > > 
> -------------------------------------------------------
> > > > > This sf.net email is sponsored by: See the NEW
> Palm 
> > > > > Tungsten T handheld. Power & Color in a
> compact size!
> > > > >
> http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0001en
> > > > > _______________________________________________
> > > > > Owasp-leaders mailing list
> > > > > Owasp-leaders at lists.sourceforge.net
> > > > >
> https://lists.sourceforge.net/lists/listinfo/owasp-leaders
> 
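The ingress filtering discussed in the quoted messages (Ingo's "only port 80 open for remote access, port 22 only if really necessary" and Mark's "drop everything bar 80 and 443 to the web tier, SSH from static IPs"), modelled as an added example that is not part of the thread or of any OWASP project. The admin source ranges are constructed placeholders from the RFC 5737 documentation space standing in for the static IPs mentioned, the policy is evaluated against constructed inbound connections, and the iptables commands are rendered as text for review rather than executed.

```python
"""Default-deny ingress policy for the web tier: 80/443 from anywhere, 22 only from
listed admin addresses, everything else (ftp, telnet, finger, ...) dropped."""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "source port action")  # source: ip_network, or None meaning "any"

# Constructed placeholder admin addresses (RFC 5737 documentation ranges), assumed here
# in place of the real static IPs of the people who would administer the box.
ADMIN_SOURCES = ("203.0.113.10/32", "198.51.100.0/28")
PUBLIC_PORTS = (80, 443)
SSH_PORT = 22


def build_policy(admin_sources=ADMIN_SOURCES, allow_ssh=True):
    """Ordered allow-list; a connection matching no rule falls through to DROP.

    allow_ssh=False is Ingo's preferred variant: no SSH access at all.
    """
    rules = [Rule(None, port, "ACCEPT") for port in PUBLIC_PORTS]
    if allow_ssh:
        rules += [Rule(ipaddress.ip_network(src), SSH_PORT, "ACCEPT") for src in admin_sources]
    return rules


def decide(src_ip, dport, rules):
    """First-match evaluation of a new inbound TCP connection to the web tier."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.port == dport and (rule.source is None or addr in rule.source):
            return rule.action
    return "DROP"


def to_iptables(rules):
    """Render the policy as iptables commands, returned as text for review (never executed)."""
    lines = [
        "iptables -P INPUT DROP",                                                   # default deny
        "iptables -A INPUT -i lo -j ACCEPT",                                        # loopback
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",  # replies
    ]
    for rule in rules:
        src = "" if rule.source is None else f" -s {rule.source.with_prefixlen}"
        lines.append(f"iptables -A INPUT -p tcp{src} --dport {rule.port} -j {rule.action}")
    return lines


if __name__ == "__main__":
    policy = build_policy()
    # Constructed inbound connections: (source, destination port)
    for src, port in [("192.0.2.1", 80), ("192.0.2.1", 22), ("203.0.113.10", 22), ("192.0.2.1", 21)]:
        print(f"{src:>14}:{port:<4} -> {decide(src, port, policy)}")
    print("\n".join(to_iptables(policy)))
```

Anonymous clients reach 80 and 443 and nothing else; port 22 is accepted only from the listed ranges (198.51.100.20 falls outside the /28 and is dropped), and the `allow_ssh=False` variant drops SSH even from the admin addresses.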



