topic protecting a web server in Network Security

protecting a web server

Amos Kafwembe — Tue, 12 Mar 2019 03:03:36 GMT

i have set up my ASA 5505 with a DMZ, in the DMZ i have my web server. Is it possible for my server to be attacked by hackers? what do i need to do to "harden" the config and make sure i avoid ANY attacks on my server. Most of my users access this server via FTP and this is a vulnerability, i ned to harden my ASA 5505 in this place.

protecting a web server

Karsten Iwen — Tue, 12 Nov 2013 09:52:37 GMT

First: You will never make your server 100% secure, but with some effort you can rise the bar that mach, that a casual attacker won't have much luck in that.

Some things to do:

1) Host-security / patch-management. That depends on the OS and the application you use.

2) Application-Inspection on the ASA. The ASA can inspect many protocols for protocol-conformance and application-layer attacks. That are the layer5-7 policy-maps. These are available both for your used protocols FTP and also HTTP. For that you first have to understand the applications and the protocol they are using.

3) Use IPS. The build-in IPS of the ASA is completely outdated to a module is needed. Fot the 5505 the module is EOL announced and so it's probably not an option.

So you are left with hardening the server and then look into the Layer7-policies.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

protecting a web server

Amos Kafwembe — Tue, 12 Nov 2013 10:02:28 GMT

Hi Karsten,

thanks for the response. please see below, are those the application inspections you are refering to? i didnt configure them though, they were there by default. do i need to changeanything?

thanks.

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

protecting a web server

Karsten Iwen — Tue, 12 Nov 2013 10:08:43 GMT

no, that's the Layer3-4 inspection. Here is the link to the L7-inspection in the config-guide:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/inspect_basic.html#wp2161256

Before you can start on configuring that you have to know exactly how you want to protect the protocol.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

protecting a web server

Amos Kafwembe — Tue, 12 Nov 2013 15:29:28 GMT

Hi Karsten,

is there an easy way to do this like through ASDM? i have tried to go throgh the link you pasted but eesh i dont get it. am not the best of ASA admins. Thanks for the link too!

protecting a web server

Karsten Iwen — Tue, 12 Nov 2013 15:42:59 GMT

Yes, you can configure that also through ASDM, but it's still complex:

http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/inspect_basic.html#wp2161256

Perhaps you should first focus on the host-security of your server.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni