Do you require deep packet inspection on a server-only firewall? [closed] - firewall

I have a server behind a firewall. It runs a web application (Java servlets under Apache Tomcat) and responds only to port 443 (HTTPS). There is no scripting code in the pages served - the forms use HTTP POST to receive the form, process the data (with appropriate input filtering) and then output an HTTP result page.
I am currently using an appliance firewall, but it is 'hardware-flaky'. I have been looking at upgrading to a more 'industrial strength' solution, but the vendor is quite insistent that I purchase a subscription to their "deep packet inspection" software. He claims that even web servers need this kind of protection.
I am not convinced, but do not have the security background to be certain. The firewall would sit between the "world" and my server, and use "port forwarding" to allow only ports 443 and 22 (for maintenance) to reach the server.
So - do I really need this deep packet inspection, or not?

Given that the only protocols that you're interested in (ssh and https) are "negotiate encryption on connect" there's little that a standard firewall will be able to inspect after that point. Once the SSL/SSH session is established the firewall will only see encrypted packets. Ask your vendor what their product examines in this context.
Alternatively, it is possible that the device acts more like a proxy -- that it acts as the server-side end-point for the connection before relaying on to your real server -- in which case it is possible that the product does something deeper, although this isn't the case if the firewall really is "port forwarding" as you say. Again, your vendor should be able to explain how their device operates.
Also you may want to ask what vulnerabilities/risks the inspection system is intended to protect against. For example: Does it look out for SQL injection? Is it targeted to a particular platform? (If your web server runs on a SPARC CPU, for example, then there's little point inspecting URLs for x86 shellcode).

As a network security professional, this sounds like overkill to me.
Martin Carpenter's answer is 100% on target. Anytime you're considering security, you need to understand
What you're securing,
What you're securing it against,
The likelihood of an attack, and
Your risk if an attack succeeds.
For your application, which allows only encrypted, authenticated communication on only 2 ports, I can see only a few vulnerabilities:
Denial-of-service (DOS) is always a threat unless your firewall blocks those attacks.
You might have other applications listening on other ports, but you can detect them with any simple port scanning program.
You may want to restrict outbound communication to prevent a user or rogue application from initiating communication to an unauthorized server.
I also agree that it's a good idea to ask the vendor what "deep packet inspection" means to him and why your particular situation requires it. Unless you get a specific, knowledgeable answer, in layman's terms, that makes sense to you, I'd go elsewhere. There's nothing about network security that can't be explained simply, without buzzwords.
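The "detect them with any simple port scanning program" step from the answer above, done from the inside of the server as an added example (this is not code from the original post). It reads the output of `ss -ltn` (a constructed sample is embedded so it runs offline), ignores loopback-only listeners, and reports any network-reachable port that is not on the allowlist of 22 and 443 the question describes.

```shell
#!/bin/sh
# Added example (not from the original answer): audit a host's listening TCP
# sockets against an allowlist. Input is the output of `ss -ltn`; the sample
# below is constructed for demonstration and mimics a Tomcat host that has
# an extra HTTP connector open on 8080.

SAMPLE_SS_OUTPUT='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       100     0.0.0.0:443         0.0.0.0:*
LISTEN  0       50      127.0.0.1:8005      0.0.0.0:*
LISTEN  0       100     0.0.0.0:8080        0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*'

# unexpected_listeners "PORT PORT ..." < ss-output
# Prints "addr:port" for every non-loopback listener whose port is not in
# the space-separated allowlist. Loopback-only listeners (such as Tomcat's
# shutdown port 8005 bound to 127.0.0.1) are unreachable from the network
# and are skipped.
unexpected_listeners() {
    allowed="$1"
    awk -v allowed="$allowed" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4
            port = addr; sub(/.*:/, "", port)        # text after the last colon
            host = addr; sub(/:[^:]*$/, "", host)    # text before the last colon
            if (host == "127.0.0.1" || host == "[::1]") next
            if (!(port in ok)) print addr
        }'
}

# audit_listeners "PORT PORT ..." < ss-output
# Exit 0 when only allowlisted ports are reachable, 1 (with a report on
# stderr) when extra listeners are found.
audit_listeners() {
    extra=$(unexpected_listeners "$1")
    if [ -n "$extra" ]; then
        printf 'unexpected network listeners:\n%s\n' "$extra" >&2
        return 1
    fi
    echo "only ports $1 are reachable from the network"
}

# Live use on the server itself:   ss -ltn | audit_listeners "22 443"
# Against the constructed sample (reports 0.0.0.0:8080):
printf '%s\n' "$SAMPLE_SS_OUTPUT" | audit_listeners "22 443" || true
```

Run it from cron and alert on a non-zero exit; it catches the "other applications listening on other ports" case without any external scanner, but it does not replace an occasional scan from outside the firewall, which also verifies the port-forwarding rules.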

Update on several fronts...
First - I now have reason to believe that part of the flakiness of the OTS hardware product is a combination of low-powered CPU and insufficient buffer memory. In weeks of logging and a few crashes, there are no entries in the logs before the crash, yet I'm logging everything according to the log control. Talking with another firewall vendor, it was indicated that this may suggest the buffer is filling faster than it can empty during heavy use. This corresponds with findings - the most used IP is the one crashing the most often.
So I checked, and the firewall did have some deep packet inspection stuff turned on. I've turned it off to see if things improve.
The firewall's main purpose in my network scenario is "gate keeper". That is, I want the firewall to prevent all traffic EXCEPT http, https and some ssh from ever getting beyond the WAN port. Since there are no users inside the firewall, any traffic generated from the inside comes from my application and can be allowed out.
Further talks with the one vendor indicated that they no longer think deep packet inspection is necessary - the other fellow was just trying to "upsell" me on the unit in question. I also found out their hardware won't really do all that I want without spending a ton of money.
I'm now seriously exploring the use of OpenBSD and a PF firewall to do what I require in a cost-effective manner.
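For the OpenBSD/PF route mentioned in the update, here is an added example (not part of the original post) of a pf.conf for exactly the "gate keeper" role described: drop everything arriving on the WAN side except HTTP/HTTPS forwarded to the server and SSH forwarded only from named admin hosts, and let anything the server itself originates out. Interface names, the server address and the admin addresses are assumptions (TEST-NET ranges); the function writes the file so it can be syntax-checked with `pfctl -nf` before loading.

```shell
#!/bin/sh
# Added example (not from the original post): an OpenBSD pf.conf for the
# gatekeeper firewall described above. Interface names and addresses are
# assumptions; replace them for a real deployment.

# write_gatekeeper_pf_conf OUTPUT_PATH
write_gatekeeper_pf_conf() {
    cat > "$1" <<'EOF'
# Gatekeeper firewall: everything on the WAN side is dropped except
# HTTP/HTTPS to the server and SSH from named admin hosts.
ext_if = "em0"                          # assumption: WAN interface
int_if = "em1"                          # assumption: LAN interface
server = "192.0.2.10"                   # assumption: the Tomcat host
table <admins> { 198.51.100.5, 198.51.100.6 }  # assumption: admin source IPs
table <abusers> persist                 # filled automatically, see below

set skip on lo
block log all                           # default deny, log what is dropped
block in quick on $ext_if from <abusers>

# Inbound from the world: only 80/443 to the server, rate-limited per source;
# more than 100 new connections in 10 s from one address lands it in <abusers>.
pass in on $ext_if proto tcp to ($ext_if) port { 80, 443 } rdr-to $server \
    keep state (max-src-conn-rate 100/10, overload <abusers> flush global)
# SSH for maintenance only from the admin hosts.
pass in on $ext_if proto tcp from <admins> to ($ext_if) port 22 rdr-to $server

# Forwarded connections continue to the server on the LAN side.
pass out on $int_if proto tcp to $server port { 22, 80, 443 }

# No users sit behind the firewall, so anything the server itself starts
# (package updates, outbound API calls) is allowed out.
pass in on $int_if from $server
pass out on $ext_if from $server nat-to ($ext_if)
EOF
}

# check_pf_conf PATH : syntax-check with pfctl where it exists (OpenBSD);
# elsewhere just confirm the file was written.
check_pf_conf() {
    [ -s "$1" ] || return 1
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    fi
}

# On the firewall itself:  write_gatekeeper_pf_conf /etc/pf.conf && pfctl -f /etc/pf.conf
example="${TMPDIR:-/tmp}/pf.conf.example.$$"
write_gatekeeper_pf_conf "$example" && check_pf_conf "$example" && echo "wrote $example"
```

Entries in `<abusers>` stay until removed; a cron line such as `pfctl -t abusers -T expire 3600` drops addresses that have been quiet for an hour so a transient burst does not lock out a legitimate client permanently.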


how do they do it? [closed]

I am a senior developer and I'm trying to advance my knowledge of security to a deeper level. That is to say that I know what these hackers can do/what the risks are, but I'd like to know how they do it in general. On that note, if anyone can enlighten me on the following items, I would be most grateful:
Packet sniffing: I know that packets can be sniffed out and analyzed, but how do they do it? My understanding was that in order to do this, there would need to be actual software running on the server itself since it needs access to the network card to do so... is that accurate? If not, how can they remotely capture incoming packets to a server without access to that box directly?
Session Hijacking: Once again, I am confused here. I know they can do it, but how? The session ID is issued by the server itself, and then returned to the browser based on what? The caller's IP address? MAC address? What is used by these hackers to capture the session ID from a web session? Is it software on a PC that is infected?
Site Hijacking: Again, I know they can do this, but from my current knowledge, this would mean that they would have to have hijacked/infected a DNS publishing server and redirected queries for that site to their choice of IP address... again: is that accurate?
Hijacking a server: How is this possible? How can an open port, for example, allow any hacker to gain full-fledged access to a box so that they can infect it or install some piece of software that would enable 1, 2 and 3 above? My current understanding is that ports are used to communicate, but that unless some software/service is monitoring that port and waiting for commands, nothing would come of that port being open... is that accurate? And if so, why is so much importance given to ports being closed and such?
Hijacking some super secure site: I work every day with security in mind, and constantly use things like: SSL, RSA, SHA512, SSL TOKENS, IP restriction, etc... my question is: how in the crapper are they STILL able to get in with all of these things enabled?
I know that's a lot of stuff, but I really am curious and want to take my security knowledge to the next level. If you're a developer with the same mindset as me, you have issues just using some pre-built library or control without knowing what it does in the background in detail, and you'll understand why I'm not happy just knowing which protocols, libraries or encryption methods to implement.
Know the enemy, right?
First of all, I love hacking (only for good), and I think the more people are educated about it the safer we all will be, so I applaud you for your curiosity.
These are great questions, but a good answer would literally require an entire book or two. I have read all of these books in my studies and I personally recommend them. I recommend the following to get you started:
This will get you started with basic tools and techniques. This book doesn't go very deep, so if you're looking for the meat, skip it and read the other three unless you are very new to security: The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy, Patrick Engebretson (Full disclosure, the author was a professor of mine at DSU. The book rocks though)
For a relatively deep introduction to security, including an excellent background in OSes and networking: Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses (2nd Edition), Edward Skoudis (probably my favorite book of all time)
To dive very deep (assembly language level) into how the attacks work: Hacking, The Art of Exploitation, Jon Erickson
To dive deeply into the web app side of things: The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, Dafydd Stuttard, Marcus Pinto (Full disclosure, the technical editor was a professor of mine at DSU)

How to secure an Internet-facing Elastic Search implementation in a shared hosting environment? [closed]

I've been going over the documentation for Elastic Search and I'm a big fan and I'd like to use it to handle the search for my ASP.NET MVC app.
That introduces a few interesting twists, however. If the ASP.NET MVC application was on a dedicated machine, it would be simple to spool up an instance of Elastic Search and use the TCP Transport to connect locally.
However, I'm not on a dedicated machine for the ASP.NET MVC application, nor does it look like I'll move to one anytime soon.
That leaves hosting Elastic Search on another machine (in the *NIX world) and I would probably go with shared hosting there.
One of the biggest things lacking from Elastic Search, however, is the fact that it doesn't support HTTPS and basic authentication out of the box. If it did, then this question wouldn't exist; I'd simply host it somewhere and make sure to have an incredibly secure password and HTTPS enabled (possibly with a self-signed certificate).
But that's not the case.
That given, what is a good way to expose Elastic Search over the Internet in a secure way?
Note, I'm looking for something that hopefully, will not require writing code to provide shims for the methods that I want (in other words, writing forwarders).
A plugin for elasticsearch that allows you to replace the HTTP transport with an embedded instance of Jetty is now available.
Because it uses Jetty to handle the HTTP transport, it can handle SSL connections as well as be configured for authentication.
(Note, the following is still sound advice, in that it's generally good practice to abstract your operations out in this manner)
After a number of discussions on the ElasticSearch mailing list, I've discovered that the current solution is to host ElasticSearch behind another application layer and then to secure that layer.
The reasoning is solid; ElasticSearch is akin to a database, and you wouldn't make your database public-facing to all.
Something that I (and others) trip up on is that because ElasticSearch uses HTTP as a transport and uses JSON as the syntax for operations, ElasticSearch is meant to be public-facing.
However, there is currently a request to add HTTPS transport support (assuming a certificate is provided) along with basic (digest) authentication.
You'll have to firewall the machine in some way, permitting only the traffic from the appserver, e.g. using iptables on linux, or some kind of personal firewall on windows.
This takes you into serverfault.com territory, though - there isn't a programming solution to this one.
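The "firewall the machine, permitting only the traffic from the appserver, e.g. using iptables" advice above, written out as an added example (not code from the original answers): a default-deny INPUT chain on the Elasticsearch host that admits the ES HTTP (9200) and transport (9300) ports only from the application servers, SSH only from an admin network, and logs a sample of everything else. The application-server and admin addresses are constructed placeholders, and the rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the original answers): host firewall for a Linux
# box running Elasticsearch, letting only the application servers reach the
# ES ports. All addresses are constructed placeholders.
APP_SERVERS="203.0.113.10 203.0.113.11"   # assumption: the ASP.NET MVC hosts
ES_PORTS="9200 9300"                      # ES HTTP API and node/TCP transport
ADMIN_NET="198.51.100.0/24"               # assumption: where admin ssh comes from

# es_firewall_rules : print the iptables commands (dry run).
# Review the output, then apply with:  es_firewall_rules | sh
es_firewall_rules() {
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"                       # default deny inbound
    echo "iptables -A INPUT -i lo -j ACCEPT"            # ES talks to itself on loopback
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 22 -s $ADMIN_NET -j ACCEPT"
    for ip in $APP_SERVERS; do
        for port in $ES_PORTS; do
            echo "iptables -A INPUT -p tcp --dport $port -s $ip -j ACCEPT"
        done
    done
    # Everything else is dropped by the chain policy; log a rate-limited
    # sample so an unexpected client shows up in syslog instead of vanishing.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"es-fw-drop: \""
}

# allowed_count PORT : number of ACCEPT rules for PORT, for a quick review
allowed_count() {
    es_firewall_rules | grep -c -- "--dport $1 .*-j ACCEPT"
}

es_firewall_rules
```

The same rules are needed for `ip6tables` if the host has a public IPv6 address, and Elasticsearch's own `network.host` setting should still bind it to the private interface so that a future rule change does not silently expose it.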

Remote Control Software (SSH alike) [closed]

I'm about to start a project for coding a remote control software for Windows machines and I would like to start from the server side application. I need something like OpenSSH server because the main purpose of the program would be to provide HTTP tunneling of the client through the server, something like a proxy but more secure and with encryption. I have some experience mainly with several Unix-based daemons and clients in C++ or Python, but here I am facing something bigger. My major problem for now is the tunneling part - I don't know how to do it and it's very important to implement. The clients should be able to surf the web through the server (like SSH tunneling) and I have no idea how this works. I would like someone to point me to some nice links where this is explained well, or at least recommend me some books I should look up.
Thanks.
In a current project I use a combination of an OpenVPN tunnel to a Windows machine and then use Cygwin on Windows for SSH access to Windows machines. It works, it's simple and it's free :)
http://www.cygwin.com/
You don't describe the threat against which you want to provide security, so I'm going to assume that you want to prevent an attacker located between the client and server from reading and/or modifying the web traffic, and this is why you require encryption.
To do that, you don't need to write your own code. Instead, you can get what you need by running an HTTP proxy (such as squid) and an SSH server (such as openssh) on the server, and tunneling access to the HTTP proxy over SSH.
You would configure the HTTP proxy to accept connections only from "localhost", while the SSH server accepts connections from your client systems.
A nice description of how such a setup would be used from a Windows client can be found at http://kimmo.suominen.com/docs/proxy-through-ssh/ (It describes using such a setup to get into an intranet from the internet, but the principle is the same)
For security, you'll want to go through the SSH server configuration file and disable everything but port forwarding of the one specific port that's needed to access the HTTP proxy.
That's what you describe as "the main purpose" taken care of. If there are other things that you require the server to do on behalf of the clients, my suggestion would be to implement those as a separate application running on the server, with an HTTP interface (CherryPy is a simple way to do that in Python) that clients can access via the HTTP proxy.
Not sure if this is what you need but I guess you could use a VPN. OpenVPN builds an encrypted VPN and you can configure it to send the gateway (with DHCP) and routes you want to clients, so you can redirect all client HTTP traffic to the server you want through the encrypted connection.
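The proxy-over-SSH setup from the answer above, as an added example that is not part of the original post: an sshd `Match` block that lets a dedicated user open nothing but a local forward to the proxy port (no shell, no tty, no agent or X11 forwarding, no server-side listeners), a squid fragment that listens on loopback only, and the client command. The user name `tunnel`, the `sshd_config.d` drop-in location, the `nologin` path and the host name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answer): the locked-down SSH + squid
# setup, written out as two config fragments plus the client command.

# write_tunnel_configs DIR : writes the sshd and squid fragments into DIR
write_tunnel_configs() {
    mkdir -p "$1"
    # Drop-in for sshd (assumption: sshd_config includes sshd_config.d/*.conf).
    # The tunnel user may only open a local forward to 127.0.0.1:3128.
    cat > "$1/sshd_tunnel.conf" <<'EOF'
Match User tunnel
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:3128
    GatewayPorts no
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
    PasswordAuthentication no
    ForceCommand /usr/sbin/nologin
EOF
    # squid listens on loopback only, so the SSH forward is the only way in.
    cat > "$1/squid.conf" <<'EOF'
http_port 127.0.0.1:3128
http_access allow localhost
http_access deny all
EOF
}

# tunnel_client_command HOST : what the client runs (PuTTY on Windows has the
# same local-forward option); the browser is then pointed at 127.0.0.1:3128.
tunnel_client_command() {
    echo "ssh -N -L 3128:127.0.0.1:3128 tunnel@$1"
}

# check_tunnel_configs DIR : confirm the two fragments carry the key lines
check_tunnel_configs() {
    grep -q '^ *PermitOpen 127.0.0.1:3128$' "$1/sshd_tunnel.conf" &&
    grep -q '^http_access deny all$' "$1/squid.conf"
}

dir="${TMPDIR:-/tmp}/tunnel-example.$$"
write_tunnel_configs "$dir" && check_tunnel_configs "$dir" && tunnel_client_command gateway.example.com
```

After installing the sshd fragment run `sshd -t` to validate it, then confirm from a client that `ssh -L 8080:127.0.0.1:80 tunnel@...` (a forward to a port other than 3128) is refused while the 3128 forward works; that is the check that `PermitOpen` is actually in effect.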
Doc. link if you need
You can run an OpenSSH server on Windows, e.g.: http://sshwindows.sourceforge.net/
Unfortunately that particular link points to a dead project with the latest release made in 2004. How many security updates were there since 2004? More than zero, I'm sure...

Firewalls preventing product activation

I'm looking to implement a basic product activation scheme such that when the program is launched it will contact our server via HTTP to complete the activation. I'm wondering if it is a big problem (especially with bigger companies or educational organizations) that firewalls will block the outgoing HTTP request and prevent activation. Any idea how big an issue this may be?
In my experience when HTTP traffic is blocked by a hardware firewall then there is more often than not a proxy server which is used to browse the internet. Therefore it is good practice to allow the user to enter proxy and authentication details.
The number of times I have seen applications fail due to not using a corporate proxy server and therefore being blocked by the firewall astonishes me.
There are personal software solutions to purposely block outgoing connections. Check out Little Snitch. This program can set up rules that explicitly block your computer from making connections to certain domains, IPs and/or ports. A common use for this program is to stop one's computer from "phoning home" to an activation server.
I can't tell you how prevalent this will be, sorry. But I can give you one data point.
In this company Internet access is granted on an as needed basis. There is one product I have had to support which is wonderful for its purpose and reasonably priced, but I will never approve its purchase again - the licensing is too much of a hassle to be worth it.
I'd say that it may not be common, but if any one of your customers is a business it's likely that you will encounter someone who tries to run your software behind a restricted internet connection or a proxy. Your software will need to handle this situation, otherwise you will have a pissed off customer who cannot use your product, and you will lose the sale for sure.
If you are looking for a third party tool, I've used InstallKey (www.lomacons.com) for product activations. This thing has functionality that allows for validating with and without an internet connection.

Firewall - Build or Buy [closed]

I have a Linux web server farm with about 5 web servers, web traffic is about 20Mbps.
We currently have a Barracuda 340 Load Balancer (keep away from this device - piece of crap!) that is acting as a firewall. I want to put in a dedicated firewall and I'd like to know what people's opinions are on building versus buying a dedicated firewall.
Main requirements:
Dynamically block rogue traffic
Dynamically rate limit traffic
Block all ports except 80, 443
Limit port 22 to a set of IPs
High availability setup
Also, if we go for the build route, how do we know what level of traffic the system can handle?
As they say - "there's more than one way to skin a cat":
Build it yourself, running something like Linux or *BSD. The benefit of this, is that it makes it easy to do the dynamic part of your question, it's just a matter of a few well-placed shell/python/perl/whatever scripts. The drawback is that your ceiling traffic rate might not be what it would be on a purpose-built firewall device, although you should still be able to achieve data rates in the 300Mbit/sec range. (You start hitting PCI bus limitations at this point) This may be high enough to where it won't be a problem for you.
Buy a dedicated "firewall device" - Possible drawbacks of doing this are that doing the "dynamic" part of what you're trying to accomplish is somewhat more difficult - depending on the device, this could be easy (Net::Telnet/Net::SSH come to mind), or not. If you are worried about peak traffic rates, you'll have to carefully check the manufacturer's specifications - several of these devices are prone to the same traffic limitations as "regular" PCs, in that they still run into the PCI bus bandwidth issue, etc. At that point, you might as well roll your own.
I guess you could read this more as a "pros and cons" of doing either, if you want.
FWIW, we run dual FreeBSD firewalls at my place of employment, and regularly push 40+Mbit/sec with no noticeable load/issues.
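The "dynamic part ... a few well-placed shell/python/perl/whatever scripts" from the answer above, as an added example (not code from the original answer) for a self-built BSD/pf firewall: an awk script counts requests per client address in a web-server access log and prints pf table commands for any source over a threshold, with an allowlist so monitoring hosts are never blocked. The log lines are constructed, and the script assumes pf.conf declares `table <blocked> persist` with a `block in quick from <blocked>` rule.

```shell
#!/bin/sh
# Added example (not from the original answer): log-driven dynamic blocking
# for a self-built pf firewall. Commands are printed (dry run); pipe the
# output to sh on the firewall to apply them.

# Constructed access-log sample (Apache/nginx combined-log shape):
# one source hammers the login page, two others browse normally.
SAMPLE_LOG='203.0.113.9 - - [10/Oct/2013:13:55:36 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2013:13:55:36 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2013:13:55:37 +0000] "POST /login HTTP/1.1" 401 128
203.0.113.9 - - [10/Oct/2013:13:55:37 +0000] "POST /login HTTP/1.1" 401 128
203.0.113.9 - - [10/Oct/2013:13:55:38 +0000] "POST /login HTTP/1.1" 401 128
198.51.100.7 - - [10/Oct/2013:13:55:40 +0000] "GET / HTTP/1.1" 200 4096
198.51.100.7 - - [10/Oct/2013:13:55:41 +0000] "GET /style.css HTTP/1.1" 200 900
192.0.2.44 - - [10/Oct/2013:13:55:42 +0000] "GET / HTTP/1.1" 200 4096'

# Addresses that must never be blocked (assumption: the monitoring host and
# the office NAT address), space separated.
NEVER_BLOCK="198.51.100.1 198.51.100.2"

# noisy_sources THRESHOLD < access-log
# Prints "count ip" (highest first) for every source with more than
# THRESHOLD requests in the input, skipping the never-block list.
noisy_sources() {
    awk -v limit="$1" -v skip="$NEVER_BLOCK" '
        BEGIN { n = split(skip, s, " "); for (i = 1; i <= n; i++) never[s[i]] = 1 }
        { hits[$1]++ }
        END { for (ip in hits) if (!(ip in never) && hits[ip] > limit) print hits[ip], ip }
    ' | sort -rn
}

# block_commands THRESHOLD < access-log
# One pfctl command per offending source, adding it to the <blocked> table.
block_commands() {
    noisy_sources "$1" | awk '{ print "pfctl -t blocked -T add " $2 }'
}

# Typical cron use, every minute over the recent tail of the log, followed by
# expiry so entries older than an hour are dropped again:
#   tail -n 5000 /var/log/httpd/access.log | block_commands 300 | sh
#   pfctl -t blocked -T expire 3600
printf '%s\n' "$SAMPLE_LOG" | block_commands 3
```

The threshold and window need tuning against real traffic (a busy corporate NAT legitimately produces hundreds of requests a minute), and the `expire` call matters as much as the `add`: without it a mistaken block is permanent.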
Definitely build. I help manage an ISP and we have two firewalls built. One is for fail over and for redundancy. We use a program called pfsense. I couldn't recommend this program more. It has a great web interface for configuring it and we actually run it off a compact flash card.
In my current startup, we have used PFSense to replace multiple routers/firewalls, and it has throughput which replaces much more expensive routers.
Maybe that is why Cisco is having trouble? :)
Related to high availability: OpenBSD can be configured in a failover / HA way for firewalls. See this description. I've heard that they've done demos where such setups done as well (if not better) as high-end Cisco gear.
Over the last 8 years we maintained a small development network with about 20 to 30 machines. We had one computer dedicated to be the firewall.
Actually, we never ran into serious problems; we are now replacing it with a dedicated router/firewall solution (though we haven't decided yet which). Reasons for that are: simplicity (the goal is the firewall, not to maintain the Linux for running it as well), less space and less power consumption.
Don't know much about this field, but maybe an Astaro security gateway?
Hi, I would go for a dedicated firewall product in this scenario. I have used the Checkpoint firewall range of products for many years and I have always found them to be easy to set up and manage and they have great support. Using Checkpoint or one of their competitors is a fairly expensive option, especially if you're comparing it to open source software, so it depends on your budget.
I've also used Cisco's line of PIX and ASA firewalls. These are also good, but in my opinion are more difficult to manage.
