Next: Network security issues Up: Running a Server Previous: NCSA server side

Security

Security, as applied to computers, is a relative not an absolute concept. The only totally secure computer system is one that is switched off, is not connected to any type of network, and is kept in a locked room, watched over by armed guards! In practice security procedures must strike the right balance between protecting that which genuinely requires protection, and providing easy access to the information to be disseminated. Striking that balance includes making sure security is not so tight as to demoralize people working for the organization.

Security is not an issue specific to the Web in isolation. It has a wider context, especially in relation to networked computer systems, and it is vital to have a good appreciation of the wider context and issues. For instance, the need to be perceived as secure by outsiders varies according to the type of organization, and anything that undermines that perception can in itself pose as much of a threat to an organization's well-being or credibility as would be posed by an actual security breach. Banks and financial institutions provide the most obvious examples.

Breaches of security can arise in many diverse ways, and security is an area where a little knowledge can be a dangerous thing. All the situations outlined below have actually occurred, and some are quite commonplace.

The threats from within an organization can be just as severe as any from outside. An employee with a grudge could well have the inside knowledge to inflict a lot more damage than an outside hacker targeting at random.

Malicious damage to computer systems may take several forms. Existing data can be corrupted, or false data added. A system may be bombarded with erroneous data, clogging up the disk and causing denial of service. Hackers may be interested in using a computer system solely as a base from which to gain access to another system where their real interest lies, either to facilitate that access, or to cover their tracks, or a combination of the two. Keeping sensitive information off a system does not guarantee avoiding unwanted attentions. Unauthorized people may attempt to access the system by persuading employees to disclose passwords. It has been known for people simply to walk in off the street, sit down at an empty desk and start using a PC, without being challenged.

Confidence tricksters can be as imaginative as anyone else in how they pursue their aims. Someone might wander through a large department a few times, carrying an armful of files, smiling and chatting to people in a friendly manner. After a couple of weeks, their face becomes familiar and the bona fide employees probably just assume the person is working in another department. One day they might sit down at a PC... Such people can be very plausible.

It has even been known for someone to pose as a computer security consultant in order to gain privileged access to a system. If anyone offers their services in this capacity it is as well to check their credentials thoroughly.

You may have heard of a phenomenon known as the Trojan Horse. In the context of computer security this is a program which actually performs a useful function, seducing people into using it, but also contains a nasty surprise of some sort. It can be inadvertently introduced either via a network, or on a disk or some other physical medium.

It is not very difficult for someone with a little technical knowhow to impersonate a (real) Web site by electronic means, thus intercepting, and perhaps modifying, input and output to and from that site. This is referred to as spoofing.

Finally there is the case of the Internet worm, which was widely reported in the media. This was a program which travelled the Internet, breaking into certain versions of UNIX. Fortunately, although this program gained access to many computers its only action was to replicate itself: it did not delete or alter information on the affected systems, but did serve to demonstrate the vulnerability of networked systems. It was eventually eradicated by patching the operating systems affected, but not before a lot of disruption had been caused.

All this may sound rather alarming, but there are also various ways in which the risks can be considerably reduced. These need to be employed together, as part of a coherent security strategy, and fall into three broad areas:

 
• The definition of an official security policy and production of a statement of procedures, both of which need to be reviewed periodically. These should be given a high profile within the organization in order to facilitate:

   

• Raising awareness of the problem and thus engendering a security-conscious culture in an organization. This will include a commitment to the education of staff throughout the organization on matters of security. Formal training sessions may need to be repeated from time to time, or some other method used to keep the issue fresh in people's minds. The more understanding people have of the risks, the more likely they are to be vigilant. Those at the top of an organization's hierarchy must be seen by everyone else to be taking the matter seriously.

   

• Regular auditing of security procedures, using new methodologies as they become available. Auditing software may be used. One such system is COPS, a package for UNIX free of charge over the Net, and others are described in the literature. Auditing may take the form of reading through the code, which is particularly relevant as a method of checking CGI scripts.

Outside help and advice is at hand in the form of CERT, the Computer Emergency Response Team at the Software Engineering Institute at Carnegie Mellon University, which is a central clearing house for security information. It provides an archive site of security-related information and tools, and operates a 24 hour telephone hot-line (+1 412-268-7090) to deal with network emergencies. CERT also maintains an electronic mailing list (cert-advisory) for distributing the latest information on security problems. To join this list send electronic mail to [email protected].

Even this brief pass through the subject should have made it apparent that security is a vast area. A great deal has been written on the subject, and a selection of useful books can be found in the bibliography, which anyone involved in running computer systems in whatever capacity would be well-advised to read. A full treatment of the subject is quite beyond the scope of this book, so I am confining myself here to quite a brief discussion of those issues specific to networks in general and the Web in particular. Section provides a detailed examination of the security-related aspects of Web server configuration.

• Network security issues
  • Common forms of attack
  • Defensive measures
• Web-specific security issues
• Web access authorization
  • CERN server access protection
    • Protection set-ups
    • Server password files
    • Server group files
    • Access Control List files
  • NCSA server access protection
    • Configuring directory options
    • Authorization configuration
    • Limiting directives
  • Access protection with the GN server
    • Host access control files

Spinning the Web by Andrew Ford
© 1995 International Thomson Publishing
© 2002 Andrew Ford and Ford & Mason Ltd
Note: this HTML document was generated in December 1994 directly from the LaTeX source files using LaTeX2HTML. It was formatted into our standard page layout using the Template Toolkit. The document is mainly of historical interest as obviously many of the sites mentioned have long since disappeared.