- It is highly recommended that the Chief Information Officer formally approve the content and operation of any Web server to be connected to any organization system.
- Any and all Web site content and features must be approved and installed by the organization's Webmaster.
- Under no circumstances will sensitive information be made available on any company Web site internally or externally accessible.
- All enterprise Web sites must be reviewed, vetted, and approved in the same fashion as officially released reports or other outside correspondence.
- At all times, copyrights will be protected and observed.
- There should be no need to control the Web server from anywhere other than the Web server's own console. Logging on to the Web server from any other device is not permitted, and the server's software should be configured to enforce this.
- Systems administrators, firewall administrators, and Webmasters are to report any and all attempts to gain unauthorized access to the Web server located on either the Internet or internal intranet.
- Incoming packet traffic will be scanned and connections to unapproved Web sites will be immediately reported to senior managers.
- Systems maintenance will include the installation of operating systems and applications patches.
- Senior administrators and Webmasters are responsible for change management. Any and all changes must be justified, documented, and submitted to a thorough quality control process before installation.
- Senior administrators and Webmasters are responsible for monitoring system performance, taking appropriate security measures, and ensuring Web sites reflect the highest quality standards.
- Implementation of Common Gateway Interface (CGI) scripts will be strictly monitored and controlled.
- To avoid buffer overflows, systems developers must define and enforce buffer sizes (bounds checks) when accepting data. To avoid CGI vulnerabilities, regular testing will be performed and appropriate security measures taken.
- All user input to any Web site, internal and external, will be filtered for appropriate content.
- Where third-party applications interact with programs containing buffers that do not check incoming data for correctness, these applications must be monitored and patched appropriately.
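As an added illustration of the input-size and content-filtering rules above (constructed example code, not part of the original policy text): a CGI-style form validator that gives every field a defined maximum size and an allowlist pattern, and refuses anything outside that definition. The field names, limits and patterns are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Per-field limits: (maximum length in bytes, allowlist pattern that must
# match the entire value). Field names and limits are illustrative assumptions.
FIELD_RULES = {
    "username": (32, re.compile(r"[A-Za-z0-9_.-]+")),
    "email":    (254, re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")),
    "quantity": (6, re.compile(r"[0-9]+")),
    # Free text: printable text only, no control characters (including NUL).
    "comment":  (500, re.compile(r"[^\x00-\x08\x0b\x0c\x0e-\x1f\x7f]*")),
}
MAX_BODY_BYTES = 4096  # overall cap, enforced before any parsing happens


def validate_form(body):
    """Validate a URL-encoded form body.

    Returns (accepted, errors): accepted holds only fields that passed every
    check; errors lists one reason per rejected field. A request with any
    error should be refused rather than passed on partially filtered.
    """
    accepted, errors, seen = {}, [], set()
    if len(body.encode("utf-8")) > MAX_BODY_BYTES:
        return {}, ["body exceeds %d bytes" % MAX_BODY_BYTES]
    for name, value in parse_qsl(body, keep_blank_values=True):
        rule = FIELD_RULES.get(name)
        if rule is None:                      # unknown field: not in the definition
            errors.append("unexpected field %r" % name)
            continue
        if name in seen:                      # repeated field: ambiguous, reject
            errors.append("duplicate field %r" % name)
            continue
        seen.add(name)
        max_len, pattern = rule
        if len(value.encode("utf-8")) > max_len:   # size check before content check
            errors.append("field %r exceeds %d bytes" % (name, max_len))
            continue
        if not pattern.fullmatch(value):           # whole value must match the allowlist
            errors.append("field %r contains disallowed content" % name)
            continue
        accepted[name] = value
    return accepted, errors
```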
Web Server Security Policies and Procedures
Most businesses, governments, and organizations have external Web sites describing their purpose and structure, and often provide the opportunity for public interaction. E-commerce on the Internet is not something that only large businesses can afford to do. It can be a profitable operation for every "Mom and Pop" enterprise as well. For security reasons, Internet Web servers are usually positioned between the packet-screening firewall that faces the Internet and the firewalls that protect the precious interior networks. This architecture, called the demilitarized zone (DMZ), has a good security track record if implemented correctly.
Organizations may also choose to develop and deploy intranet Web sites for employee use. In these cases, the Web servers are located inside the interior network, as these systems are not intended for outside eyes. Regardless of the organization's size and whether it has Internet or intranet Web sites, considerable amounts of money and resources are spent in the development of a suitable Web site that is informative yet practical. In a very real sense, the company's Web site reflects the organization's branding, image, and business reputation.
The development, maintenance, management, and administration of the company's Internet Web site is usually assigned to a team of experts within the enterprise or outsourced. It is possible a director of online marketing development is responsible for identifying and implementing new online business development opportunities while the company's Webmaster takes charge of the site's technical excellence, content development, management, and security. Reporting to the Webmaster is a development team responsible for site design, coding, graphics, and business features such as shopping carts.
Internal company Web sites are generally used for posting information relevant to employees. Birthdays, presentations, corporate calendars, directories, organizational charts, and project information are often posted. Project management information posted to an internal network can provide a central reference point for the project team and senior managers with project oversight. Internal Web sites do not have the same visibility as Internet Web sites, but they have the same need to be managed through specific policies and procedures.
Intrusion Detection Policies
You are a senior manager with the responsibility of overseeing the company's network administration and security. Your platforms range across servers, firewalls, routers, and related equipment. Your employees are above average in their technical skills and do their best to develop and maintain a secure operating environment. Yet you find yourself dealing with the skills of an aggressive and persistent attacker. Many senior managers put their trust in firewalls and rely on their administrators to lock down network services and workstations. Other managers have enough wisdom and knowledge to marry effective policies and procedures with technology-based security solutions.
For most businesses, a combination of network administrator skills, policy and procedure, and technology solutions are the approaches best addressing system vulnerabilities.
The IDS dream is a set of distributed systems that identify and sound alarms when systems are being attacked in real-time. Regrettably, it is easier to dream the dream than implement the system. Current IDS products are extremely valuable security tools but generally they do not deliver as much as advertised.
Network and Host IDSs
The host-based vs. network-based intrusion-detection strategy debate has been raging for some time. Currently, the consensus is moving toward a unified approach combining the two technologies.
Network-based products are built on the concept of a real-time wiretap. A sensor examines every information packet traveling through the system. These sensors apply a set of rules or attack "signatures" to the captured packets, attempting to identify hostile traffic. Basically, network IDS sensors are network sniffers with built-in, rule-based comparison engines. If a malicious packet is detected, then the network IDS sounds the alarm.
But the network IDS approach has its problems. It does not scale very well in that it has difficulty keeping up at network speeds of 100 Mbps. With gigabit network speeds arriving in business networks, these network IDS systems do not keep up with the traffic. Additionally, network IDS systems are based on attack signatures that will always be a step behind the latest vulnerability exploits. IDS product vendors have not caught up with all the known attacks, and there are new attacks announced every few days.
Nevertheless, network IDS enjoys some advantages. The greatest feature is stealth. Network IDS can be deployed in an unobtrusive manner, with little or no effect on existing systems. Once deployed, network IDS sensors will listen for attacks, regardless of the destination.
Host-Based IDS
Host-based IDSs primarily work from the system audit and event logs. Rather than identifying attack-profile packets, they aim to identify known patterns of local and remote users doing things they should not be doing. One type of host IDS product computes a one-way hash of critical files located on a host, such as user account files, configuration files, and audit settings. If anything in these files changes, e.g., an intruder establishes a root-level account, the host IDS notifies the system administrator. The host IDS cannot identify what the change was, but it can tell the administrator that something important has changed. Host IDSs have portability problems: they run only on specific operating system platforms, so it is possible your favorite operating system is not on the list.
IDSs in general are incredibly useful, but the hope of turning them loose on your systems and giving them control is not feasible. IDS technology is not very mature, but it is getting better. It is strongly recommended that IDS technology be given serious implementation consideration, but it should be used in conjunction with other critical asset preservation measures and not replace any of them.
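The one-way-hash approach described above, as an added example that is not part of the original post or any IDS product: a minimal file integrity baseline and comparison. SHA-256 is assumed as the hash, and the "critical files" are constructed in a temporary directory for the demonstration.

```python
import hashlib
import os
import tempfile


def hash_file(path):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, relpaths):
    """Hash each monitored file under root; files that are missing are left out."""
    return {rel: hash_file(os.path.join(root, rel))
            for rel in relpaths if os.path.isfile(os.path.join(root, rel))}


def compare(baseline, current):
    """Classify differences: the check reports *that* a file changed, not how."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def demo():
    """Create constructed 'critical files', baseline them, alter two, re-check."""
    watched = ["etc/passwd", "etc/httpd.conf", "etc/audit.rules"]
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        for rel in watched:
            with open(os.path.join(root, rel), "w") as f:
                f.write("original contents of %s\n" % rel)
        baseline = snapshot(root, watched)   # keep this off-host in a real deployment
        # Simulated unauthorized changes: an extra root-level account line and
        # a deleted audit configuration, the kinds of change the text describes.
        with open(os.path.join(root, "etc/passwd"), "a") as f:
            f.write("extra:x:0:0:added account:/root:/bin/sh\n")
        os.remove(os.path.join(root, "etc/audit.rules"))
        return compare(baseline, snapshot(root, watched))


if __name__ == "__main__":
    print(demo())
```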