Uploaded bygeorge.james
PPT, PDF3,810 views

Web Servers: Architecture and Security

This document summarizes the architecture and security of major web servers like IIS, Apache, and Sun JSWS. It discusses trends toward modularity, extensibility, and security. It also covers HTTP connections and keeping them alive for AJAX applications. Web servers have evolved from document retrieval to application delivery platforms.

Embed presentation

Downloaded 307 times
Web Servers: Architecture and Security Chris Munt M/Gateway Developments Ltd
Agenda Web Servers Microsoft IIS, Apache, Sun JSWS Development trends Extending Web Servers Support for application development environments Performance and Scalability Security The Web Server is very much on the “front line”
Evolution “ Since 1999, the web has grown from a document retrieval system into an application delivery system. ” Douglas Crockford at AjaxWorld 2008 Implications for: Web Server extensibility Resilience Performance and scalability Architecture Security
Web Servers: Market Share 2005: Apache 71% IIS 20% 2008: Apache 50% (Trend: falling slightly) IIS 35% (Tend: increasing slightly) Source: Netcraft
Internet Information Services ( IIS) v1.0 Introduced as free add-on for NT v3.51 (mid 1990s) Single multi-threaded process Extensibility Common Gateway Interface (CGI) Internet Server Application Programming Interface (ISAPI)
IIS: CGI Modules implemented as stand-alone scripts/executables Application requests processed in separate server process Non-optimal but secure Overhead of starting new process to serve each request; Overhead of inter-process communication Application crash does not impact hosting web server Architecturally the same for all web servers
IIS: ISAPI Modules implemented as Windows DLLs Can be a Filter (e.g. GZIP) or Extension (e.g. PHP, CSP) Application requests serviced in process space of IIS host Optimal but there are risks No overhead in process management and inter-process communication Application crash does impact hosting web server Supported for all versions of IIS The only web server API (excluding CGI) that’s completely backwards (and forwards) compatible!
IIS v5.0 & Windows 2000 Concept of isolation levels (or application protection levels). Low All in same process Medium ISAPI extensions run in a separate process High ISAPI extensions run in a separate process per application An application is broadly defined in terms of its path
IIS: Security alert: code red worm Exploiting a buffer overrun in the Windows 2000 Indexing Service DLL GET /default.ida?NNNNNNNN Inject code after provoking overrun Microsoft reference: MS01-033 Wake-up call to severity of compromises caused by bad extensions
IIS v6.0 & Windows 2003 Concept of Worker Process Isolation and Application pools Application pool Applications associated with one or more worker processes Web Gardens Multiple worker processes supporting an application Not to be confused with web farms where multiple web server installations manage the work load Process recycling Process idle-time timeout
IIS v7.0 & Windows 2008 Major upgrade Previewed in Vista: A good reason to get Vista Modular architecture Administrators choose the modules required Improved security Application pools New configuration schema. XML based. New API ISAPI still supported (as a supplied module) Third-party modules can be added
IIS Resources www.microsoft.com www.iis.net Particularly interesting because IIS developers participate
Apache v1.0 Consolidated in mid-90s Robert McCool Successor to NCSA HTTPd ( National Center for Supercomputing Application) Modular architecture Multi-threaded for Windows; Multi-process for UNIX Extensibility Common Gateway Interface (CGI) Apache API
Apache: API Modules implemented as Dynamic Shared Objects (DSOs) DLLS for Windows, Shared Objects/Libraries for UNIX, Shareable Images for OpenVMS Modules can process any phase of request/response cycle Request handling (e.g. mod_csp, mod_weblink) Authentication (e.g. mod_auth) Security (e.g. mod_ssl) Filters (e.g. mod_deflate) Miscellaneous (e.g. mod_rewrite)
Apache: v2.0 - 2002 Substantial rewrite of core with improved modularization Multi-threaded for Windows and OpenVMS Support for UNIX threading Multi-process/Multi-threaded hybrid server New API Use mod_csp2.so instead of mod_csp.so
Apache: v2.2 - 2005 Improved Modules – particularly for authorization Same API but binary incompatibilities Use mod_csp22.so instead of mod_csp2.so
Web Servers based on Apache HP Secure Web Server (HPSWS) For OpenVMS v1.3-1 based on Apache v1.3.26 v2.1-1 based on Apache v2.0.52 Tomcat (Java/JSP), Perl, PHP CSP Many others
Apache: Resources www.apache.org Access to various forums for support
Sun JSWS Netscape Enterprise (mid 1990s) FastTrack – lightweight offering iPlanet (late 1990s) America Online, Sun Sun ONE (early 2000s) Sun Java System Web Server (mid 2000s) Resources: www.sun.com
Sun JSWS Multi-threaded for Windows Multi-process/Multi-threaded hybrid for UNIX Extensibility Common Gateway Interface (CGI) Netscape Server Application Programming Interface (NSAPI) Modules implemented as DLLS for Windows, Shared Objects/Libraries for UNIX Binary incompatibility between Netscape Enterprise v2 and v3
Trends: All web servers Multi-process/Multi-threaded servers Increased flexibility/extensibility through modularization Better security
Trends: Implications for WebLink and CSP State-aware mode (preserve mode 1 for CSP) increasingly non-optimal Connection pool distributed amongst multiple process with no control over the relationship between requests and processes Using Network Service Daemon (NSD) in single process mode becomes essential Channel load into single multi-threaded process Maintain single process pool
Web Standards? Applications using AJAX techniques generate much more HTTP traffic than conventional web applications. Poor performance unless connection between client and server is kept open between requests. HTTP v1.0: Asymmetric protocol by default Client opens connection to server then sends request Server sends response then closes connection to server
HTTP Keep-Alive Connection kept open between requests HTTP v1.0: Default off Connection: Keep-Alive (switch on) HTTP v1.1: Default on Connection: Close (switch off) Must send response size notification Content-Length Chunked transfer (HTTP v1.1) Transfer-Encoding: chunked WebLink/CSP Gateway will do this automatically
HTTP Connections: The current status Standard specifies the maximum number of simultaneous connections to a given server HTTP v1.0: usually 4 HTTP v1.1: always 2 (Section 8.1.4 RFC2616) Objective: to improve response times and avoid congestion. Can change setting in browser configuration Inappropriate for web based applications Proxys will implement standard
HTTP Connections: The future Now recognised that high-bandwidth connections are now commonplace Key development since HTTP v1.1 which was drafted in January 1997. Client-side bandwidth no longer gating factor in connection speed. IE v8 will almost certainly increase the number of connections to 6 Direct response to needs of AJAX applications
Security through Obscurity Most attacks on web servers are against known vulnerabilities Hide identity of web server Use header masking facilities if they are available Don’t rely on standard error pages
Securing Applications: High grade Two aspects Client authentication Protecting content SSL/TLS Transport Layer Security (successor to SSL) Usually authenticates server to a non-authenticated client Certificate issued to server. Client identifies him/herself using a username/password over the secure channel (all communications encrypted). Supports mutual authentication Certificate issued to both client and server Kerberos Possible (apparently)
Securing Applications: Low grade authentication HTTP Basic authentication Supported by all browsers Client credentials passed to server in the clear Really only useful for secured (internal) networks HTTP digest authentication Protection for password Some compatibility issues with browsers Still not as strong as authentication over SSL/TLS or Kerberos.
Conclusion Keep web servers updated with upgrades and service packs for best security Keep eye on developments in standards Use HTTP Keep-alive for applications using AJAX techniques Don’t use state-aware mode in WebLink or CSP

More Related Content

PPTX
Web ,app and db server presentation
byParth Godhani
 
PPTX
IBM Websphere introduction and installation for beginners
byShubham Gupta
 
PPT
Web servers – features, installation and configuration
bywebhostingguy
 
PPS
Web Site Design Principles
byMukesh Tekwani
 
PPTX
Entity Framework Core
byKiran Shahi
 
PPTX
Web server architecture
byTewodros K
 
PDF
PDO: Capa de abstracción de base de datos con PHP
byArsys
 
PPTX
Web servers
byKuldeep Kulkarni
 
Web ,app and db server presentation
byParth Godhani
 
IBM Websphere introduction and installation for beginners
byShubham Gupta
 
Web servers – features, installation and configuration
bywebhostingguy
 
Web Site Design Principles
byMukesh Tekwani
 
Entity Framework Core
byKiran Shahi
 
Web server architecture
byTewodros K
 
PDO: Capa de abstracción de base de datos con PHP
byArsys
 
Web servers
byKuldeep Kulkarni
 

What's hot

PPT
IIS
byGiritharan V
 
PPT
Developing an ASP.NET Web Application
byRishi Kothari
 
ODP
web server
bynava rathna
 
PDF
JavaScript - Chapter 11 - Events
byWebStackAcademy
 
PDF
Spring Framework
byNexThoughts Technologies
 
PDF
ES2015 / ES6: Basics of modern Javascript
byWojciech Dzikowski
 
PPT
Introduction to the Web API
byBrad Genereaux
 
PPTX
ASP.NET Lecture 1
byJulie Iskander
 
PPTX
Cookie & Session In ASP.NET
byShingalaKrupa
 
PPT
Js ppt
byRakhi Thota
 
PPTX
Apache web server
byzrstoppe
 
PPSX
Introduction to .net framework
byArun Prasad
 
PPT
Error Handling in Mulesoft
byAmit Singh
 
PPTX
Introduction to Node.js
byAMD Developer Central
 
PDF
Event Driven programming(ch1 and ch2).pdf
byAliEndris3
 
PPT
Active server pages
bymcatahir947
 
PPTX
Installing JDK and first java program
bysunmitraeducation
 
PPTX
Web Server - Internet Applications
bysandra sukarieh
 
PPTX
How to create a REST pass through in Oracle Service Bus (OSB) 12c
bycoolaboration
 
PPT
ASP.NET MVC Presentation
byivpol
 
IIS
byGiritharan V
 
Developing an ASP.NET Web Application
byRishi Kothari
 
web server
bynava rathna
 
JavaScript - Chapter 11 - Events
byWebStackAcademy
 
Spring Framework
byNexThoughts Technologies
 
ES2015 / ES6: Basics of modern Javascript
byWojciech Dzikowski
 
Introduction to the Web API
byBrad Genereaux
 
ASP.NET Lecture 1
byJulie Iskander
 
Cookie & Session In ASP.NET
byShingalaKrupa
 
Js ppt
byRakhi Thota
 
Apache web server
byzrstoppe
 
Introduction to .net framework
byArun Prasad
 
Error Handling in Mulesoft
byAmit Singh
 
Introduction to Node.js
byAMD Developer Central
 
Event Driven programming(ch1 and ch2).pdf
byAliEndris3
 
Active server pages
bymcatahir947
 
Installing JDK and first java program
bysunmitraeducation
 
Web Server - Internet Applications
bysandra sukarieh
 
How to create a REST pass through in Oracle Service Bus (OSB) 12c
bycoolaboration
 
ASP.NET MVC Presentation
byivpol
 

Viewers also liked

PPTX
Types of Servers - Basic Differences
byVR Talsaniya
 
PPTX
Presentation about servers
bySasin Prabu
 
PPTX
Client server architecture
byWhitireia New Zealand
 
PPT
Web Servers (ppt)
bywebhostingguy
 
PPT
Introduction server Construction
byJisu Park
 
PDF
Web Server Hardening
byn|u - The Open Security Community
 
PPT
Semantic Web Servers
bywebhostingguy
 
PPT
5 introduction to internet
byVedpal Yadav
 
PPT
Presentation (PowerPoint File)
bywebhostingguy
 
PPTX
Internet applications
byNur Azlina
 
PPT
Download It
bywebhostingguy
 
PDF
Servers & Web Hosting
byReza San
 
PPTX
Web servers
byMostafa Alinaghi Pour
 
PPT
5-WebServers.ppt
bywebhostingguy
 
PDF
Web Servers - How They Work
byBrian Gallagher
 
PPTX
What Happens When You Own Google.com For A Minute?
byBhoomi Patel
 
PPT
Understanding
bywebhostingguy
 
PPT
Web Server Primer
bywebhostingguy
 
PPT
Web servers
byMohamed Zeinelabdeen Abdelgader Farh jber
 
PDF
Chrome OS user guide
byKhairul Aizuddin
 
Types of Servers - Basic Differences
byVR Talsaniya
 
Presentation about servers
bySasin Prabu
 
Client server architecture
byWhitireia New Zealand
 
Web Servers (ppt)
bywebhostingguy
 
Introduction server Construction
byJisu Park
 
Web Server Hardening
byn|u - The Open Security Community
 
Semantic Web Servers
bywebhostingguy
 
5 introduction to internet
byVedpal Yadav
 
Presentation (PowerPoint File)
bywebhostingguy
 
Internet applications
byNur Azlina
 
Download It
bywebhostingguy
 
Servers & Web Hosting
byReza San
 
Web servers
byMostafa Alinaghi Pour
 
5-WebServers.ppt
bywebhostingguy
 
Web Servers - How They Work
byBrian Gallagher
 
What Happens When You Own Google.com For A Minute?
byBhoomi Patel
 
Understanding
bywebhostingguy
 
Web Server Primer
bywebhostingguy
 
Web servers
byMohamed Zeinelabdeen Abdelgader Farh jber
 
Chrome OS user guide
byKhairul Aizuddin
 

Similar to Web Servers: Architecture and Security

PPT
Scalable Web Architectures and Infrastructure
bygeorge.james
 
ODP
Web Server-Side Programming Techniques
byguest8899ec02
 
PPT
Web servers
bywebhostingguy
 
PDF
Php apache vs iis By Hafedh Yahmadi
byTechdaysTunisia
 
PPT
web_server_browser.ppt
byLovely Professional University
 
PPTX
05.m3 cms list-ofwebserver
bytarensi
 
PPT
web_programming.ppt it's about web programming
byHeroHero795215
 
PPT
Apache web-server-architecture
byIvanGeorgeArouje
 
PPSX
Web server
byNirav Daraniya
 
PPT
Web servers (l6)
byNanhi Sinha
 
DOCX
Comparing IIS and Apache - Questions and Answers
bybutest
 
PPT
Understandingiis 120715123909-phpapp01
byarunparmar
 
PPT
Understanding iis part1
byOm Vikram Thapa
 
PPT
9.Application Design and Development.ppt
byDeguMossie
 
PPT
Apache Web Server Architecture Chaitanya Kulkarni
bywebhostingguy
 
PPTX
Presentation_2_ecommerce1111111111111111111111.pptx
byDipeshThakur30
 
DOCX
Understanding a web server and types of web servers ppt
byNivi Sharma
 
PPT
INLS461_day14a.ppt
bywebhostingguy
 
PPTX
Windows Loves drupal
byAlessandro Pilotti
 
PDF
LEC_10_Week_10_Server_Configuration_in_Linux.pdf
byMahtabAhmedQureshi
 
Scalable Web Architectures and Infrastructure
bygeorge.james
 
Web Server-Side Programming Techniques
byguest8899ec02
 
Web servers
bywebhostingguy
 
Php apache vs iis By Hafedh Yahmadi
byTechdaysTunisia
 
web_server_browser.ppt
byLovely Professional University
 
05.m3 cms list-ofwebserver
bytarensi
 
web_programming.ppt it's about web programming
byHeroHero795215
 
Apache web-server-architecture
byIvanGeorgeArouje
 
Web server
byNirav Daraniya
 
Web servers (l6)
byNanhi Sinha
 
Comparing IIS and Apache - Questions and Answers
bybutest
 
Understandingiis 120715123909-phpapp01
byarunparmar
 
Understanding iis part1
byOm Vikram Thapa
 
9.Application Design and Development.ppt
byDeguMossie
 
Apache Web Server Architecture Chaitanya Kulkarni
bywebhostingguy
 
Presentation_2_ecommerce1111111111111111111111.pptx
byDipeshThakur30
 
Understanding a web server and types of web servers ppt
byNivi Sharma
 
INLS461_day14a.ppt
bywebhostingguy
 
Windows Loves drupal
byAlessandro Pilotti
 
LEC_10_Week_10_Server_Configuration_in_Linux.pdf
byMahtabAhmedQureshi
 

More from george.james

PPT
Fosdem 2010 GT.M and OpenStreetMap
bygeorge.james
 
PPT
M/DB and M/DB:X
bygeorge.james
 
PDF
Lost In The Clouds
bygeorge.james
 
PPT
On a cloudy day you can scale forever
bygeorge.james
 
PPT
Bad Light Stops Play
bygeorge.james
 
ODP
Securing The Cloud
bygeorge.james
 
ODP
Out Of The Slipstream Proposal
bygeorge.james
 
PPT
Lightning In The Clouds
bygeorge.james
 
ODP
Lost In The Clouds
bygeorge.james
 
PPT
Mumps the Internet scale database
bygeorge.james
 
PPT
Web Development Environments: Choose the best or go with the rest
bygeorge.james
 
PPT
Google's BigTable
bygeorge.james
 
PPT
Report from DEVCON 2008
bygeorge.james
 
PPT
Michelle's Wallpaper
bygeorge.james
 
PPT
The experiences of migrating a large scale, high performance healthcare network
bygeorge.james
 
PPT
Beyond The MVC
bygeorge.james
 
PPT
Amazon S3 and EC2
bygeorge.james
 
PDF
FIS-PIP™ – A high end database application development platform
bygeorge.james
 
PPT
Web Design and Programming
bygeorge.james
 
PPT
Querying the Web
bygeorge.james
 
Fosdem 2010 GT.M and OpenStreetMap
bygeorge.james
 
M/DB and M/DB:X
bygeorge.james
 
Lost In The Clouds
bygeorge.james
 
On a cloudy day you can scale forever
bygeorge.james
 
Bad Light Stops Play
bygeorge.james
 
Securing The Cloud
bygeorge.james
 
Out Of The Slipstream Proposal
bygeorge.james
 
Lightning In The Clouds
bygeorge.james
 
Lost In The Clouds
bygeorge.james
 
Mumps the Internet scale database
bygeorge.james
 
Web Development Environments: Choose the best or go with the rest
bygeorge.james
 
Google's BigTable
bygeorge.james
 
Report from DEVCON 2008
bygeorge.james
 
Michelle's Wallpaper
bygeorge.james
 
The experiences of migrating a large scale, high performance healthcare network
bygeorge.james
 
Beyond The MVC
bygeorge.james
 
Amazon S3 and EC2
bygeorge.james
 
FIS-PIP™ – A high end database application development platform
bygeorge.james
 
Web Design and Programming
bygeorge.james
 
Querying the Web
bygeorge.james
 

Recently uploaded

PDF
6f0f6b8445ec521879693a52223a777er3e4.pdf
bytostyhazel456
 
PDF
Abdallah Dahhan: Harnessing Risk as a Compass for Resilient Innovation
bybmmseo25
 
PDF
Buy LinkedIn Accounts_ Step-by-Step Guide for 2025.pdf
byndsfcm3nubx18jc4s6f4
 
PDF
How to Buy Snapchat Account( 9.7) A Step-by-Step Guide ... (2).pdf
byxuexmv3qbymlv32ohdjf
 
PDF
Recommandation from Rail 1520 a rail car leasing company
byHaim R. Branisteanu
 
PPTX
Business Improvement blue and white scribble art presentation
byAndrew Laurey
 
PDF
LCP-Pension-Submisson-CDC-Superfund-December-2025.pdf
byHenry Tapper
 
PPTX
AI for Business - Strategy and Planning Webinar
byChristopherVicGamuya
 
PDF
Updated-costings-on-changes-to-PPF-compensation-levels---with-31-March-2025-f...
byHenry Tapper
 
PDF
Buy Verified Western Union Accounts - in the United States (1).pdf
bykeb2bq5cegc6m2xa32ay
 
PDF
Kelli Molczyk - A Seasoned Brand Strategist
byKelli Molczyk
 
PDF
Dark Side of Hosting_ Why People Buy Verified Airbnb Accounts
byUsaviral Wave
 
PDF
BTP - GK 2025-4 (1) Consulting Marketing.pdf
byAyushNath13
 
PDF
Myocardial Infarction- MI for Nursing Students.pdf
byhttps://www.facebook.com/profile.php?id=61578457231735
 
PDF
Aagami Corporate Presentation December 2025
byAagami, Inc.
 
PDF
Top 10 Best Sites To Buy USA Facebook Accounts You ....pdf
bykeb2bq5cegc6m2xa32ay
 
PPTX
Securing_Digital_Health_With_Icons_Illustrations.pptx
byAndiNovianto6
 
PDF
How to Safely Buy Instagram Accounts in 2025 (1).pdf
byxuexmv3qbymlv32ohdjf
 
PDF
Bio, Pic and Speaker Vita for Attorney Dar'shun Kendrick
byKairos Capital Legal Advisors,LLC
 
PDF
_How to Safely Buy Instagram Accounts in 2025.pdf
byzze2jltsflran03jy3m
 
6f0f6b8445ec521879693a52223a777er3e4.pdf
bytostyhazel456
 
Abdallah Dahhan: Harnessing Risk as a Compass for Resilient Innovation
bybmmseo25
 
Buy LinkedIn Accounts_ Step-by-Step Guide for 2025.pdf
byndsfcm3nubx18jc4s6f4
 
How to Buy Snapchat Account( 9.7) A Step-by-Step Guide ... (2).pdf
byxuexmv3qbymlv32ohdjf
 
Recommandation from Rail 1520 a rail car leasing company
byHaim R. Branisteanu
 
Business Improvement blue and white scribble art presentation
byAndrew Laurey
 
LCP-Pension-Submisson-CDC-Superfund-December-2025.pdf
byHenry Tapper
 
AI for Business - Strategy and Planning Webinar
byChristopherVicGamuya
 
Updated-costings-on-changes-to-PPF-compensation-levels---with-31-March-2025-f...
byHenry Tapper
 
Buy Verified Western Union Accounts - in the United States (1).pdf
bykeb2bq5cegc6m2xa32ay
 
Kelli Molczyk - A Seasoned Brand Strategist
byKelli Molczyk
 
Dark Side of Hosting_ Why People Buy Verified Airbnb Accounts
byUsaviral Wave
 
BTP - GK 2025-4 (1) Consulting Marketing.pdf
byAyushNath13
 
Myocardial Infarction- MI for Nursing Students.pdf
byhttps://www.facebook.com/profile.php?id=61578457231735
 
Aagami Corporate Presentation December 2025
byAagami, Inc.
 
Top 10 Best Sites To Buy USA Facebook Accounts You ....pdf
bykeb2bq5cegc6m2xa32ay
 
Securing_Digital_Health_With_Icons_Illustrations.pptx
byAndiNovianto6
 
How to Safely Buy Instagram Accounts in 2025 (1).pdf
byxuexmv3qbymlv32ohdjf
 
Bio, Pic and Speaker Vita for Attorney Dar'shun Kendrick
byKairos Capital Legal Advisors,LLC
 
_How to Safely Buy Instagram Accounts in 2025.pdf
byzze2jltsflran03jy3m
 

Web Servers: Architecture and Security

  • 1.
    Web Servers: Architectureand Security Chris Munt M/Gateway Developments Ltd
  • 2.
    Agenda Web ServersMicrosoft IIS, Apache, Sun JSWS Development trends Extending Web Servers Support for application development environments Performance and Scalability Security The Web Server is very much on the “front line”
  • 3.
    Evolution “ Since1999, the web has grown from a document retrieval system into an application delivery system. ” Douglas Crockford at AjaxWorld 2008 Implications for: Web Server extensibility Resilience Performance and scalability Architecture Security
  • 4.
    Web Servers: MarketShare 2005: Apache 71% IIS 20% 2008: Apache 50% (Trend: falling slightly) IIS 35% (Tend: increasing slightly) Source: Netcraft
  • 5.
    Internet Information Services ( IIS) v1.0 Introduced as free add-on for NT v3.51 (mid 1990s) Single multi-threaded process Extensibility Common Gateway Interface (CGI) Internet Server Application Programming Interface (ISAPI)
  • 6.
    IIS: CGI Modulesimplemented as stand-alone scripts/executables Application requests processed in separate server process Non-optimal but secure Overhead of starting new process to serve each request; Overhead of inter-process communication Application crash does not impact hosting web server Architecturally the same for all web servers
  • 7.
    IIS: ISAPI Modulesimplemented as Windows DLLs Can be a Filter (e.g. GZIP) or Extension (e.g. PHP, CSP) Application requests serviced in process space of IIS host Optimal but there are risks No overhead in process management and inter-process communication Application crash does impact hosting web server Supported for all versions of IIS The only web server API (excluding CGI) that’s completely backwards (and forwards) compatible!
  • 8.
    IIS v5.0 &Windows 2000 Concept of isolation levels (or application protection levels). Low All in same process Medium ISAPI extensions run in a separate process High ISAPI extensions run in a separate process per application An application is broadly defined in terms of its path
  • 9.
    IIS: Security alert:code red worm Exploiting a buffer overrun in the Windows 2000 Indexing Service DLL GET /default.ida?NNNNNNNN Inject code after provoking overrun Microsoft reference: MS01-033 Wake-up call to severity of compromises caused by bad extensions
  • 10.
    IIS v6.0 &Windows 2003 Concept of Worker Process Isolation and Application pools Application pool Applications associated with one or more worker processes Web Gardens Multiple worker processes supporting an application Not to be confused with web farms where multiple web server installations manage the work load Process recycling Process idle-time timeout
  • 11.
    IIS v7.0 &Windows 2008 Major upgrade Previewed in Vista: A good reason to get Vista Modular architecture Administrators choose the modules required Improved security Application pools New configuration schema. XML based. New API ISAPI still supported (as a supplied module) Third-party modules can be added
  • 12.
    IIS Resources www.microsoft.comwww.iis.net Particularly interesting because IIS developers participate
  • 13.
    Apache v1.0 Consolidatedin mid-90s Robert McCool Successor to NCSA HTTPd ( National Center for Supercomputing Application) Modular architecture Multi-threaded for Windows; Multi-process for UNIX Extensibility Common Gateway Interface (CGI) Apache API
  • 14.
    Apache: API Modulesimplemented as Dynamic Shared Objects (DSOs) DLLS for Windows, Shared Objects/Libraries for UNIX, Shareable Images for OpenVMS Modules can process any phase of request/response cycle Request handling (e.g. mod_csp, mod_weblink) Authentication (e.g. mod_auth) Security (e.g. mod_ssl) Filters (e.g. mod_deflate) Miscellaneous (e.g. mod_rewrite)
  • 15.
    Apache: v2.0 -2002 Substantial rewrite of core with improved modularization Multi-threaded for Windows and OpenVMS Support for UNIX threading Multi-process/Multi-threaded hybrid server New API Use mod_csp2.so instead of mod_csp.so
  • 16.
    Apache: v2.2 -2005 Improved Modules – particularly for authorization Same API but binary incompatibilities Use mod_csp22.so instead of mod_csp2.so
  • 17.
    Web Servers basedon Apache HP Secure Web Server (HPSWS) For OpenVMS v1.3-1 based on Apache v1.3.26 v2.1-1 based on Apache v2.0.52 Tomcat (Java/JSP), Perl, PHP CSP Many others
  • 18.
    Apache: Resources www.apache.orgAccess to various forums for support
  • 19.
    Sun JSWS NetscapeEnterprise (mid 1990s) FastTrack – lightweight offering iPlanet (late 1990s) America Online, Sun Sun ONE (early 2000s) Sun Java System Web Server (mid 2000s) Resources: www.sun.com
  • 20.
    Sun JSWS Multi-threadedfor Windows Multi-process/Multi-threaded hybrid for UNIX Extensibility Common Gateway Interface (CGI) Netscape Server Application Programming Interface (NSAPI) Modules implemented as DLLS for Windows, Shared Objects/Libraries for UNIX Binary incompatibility between Netscape Enterprise v2 and v3
  • 21.
    Trends: All webservers Multi-process/Multi-threaded servers Increased flexibility/extensibility through modularization Better security
  • 22.
    Trends: Implications forWebLink and CSP State-aware mode (preserve mode 1 for CSP) increasingly non-optimal Connection pool distributed amongst multiple process with no control over the relationship between requests and processes Using Network Service Daemon (NSD) in single process mode becomes essential Channel load into single multi-threaded process Maintain single process pool
  • 23.
    Web Standards? Applicationsusing AJAX techniques generate much more HTTP traffic than conventional web applications. Poor performance unless connection between client and server is kept open between requests. HTTP v1.0: Asymmetric protocol by default Client opens connection to server then sends request Server sends response then closes connection to server
  • 24.
    HTTP Keep-Alive Connectionkept open between requests HTTP v1.0: Default off Connection: Keep-Alive (switch on) HTTP v1.1: Default on Connection: Close (switch off) Must send response size notification Content-Length Chunked transfer (HTTP v1.1) Transfer-Encoding: chunked WebLink/CSP Gateway will do this automatically
  • 25.
    HTTP Connections: Thecurrent status Standard specifies the maximum number of simultaneous connections to a given server HTTP v1.0: usually 4 HTTP v1.1: always 2 (Section 8.1.4 RFC2616) Objective: to improve response times and avoid congestion. Can change setting in browser configuration Inappropriate for web based applications Proxys will implement standard
  • 26.
    HTTP Connections: Thefuture Now recognised that high-bandwidth connections are now commonplace Key development since HTTP v1.1 which was drafted in January 1997. Client-side bandwidth no longer gating factor in connection speed. IE v8 will almost certainly increase the number of connections to 6 Direct response to needs of AJAX applications
  • 27.
    Security through ObscurityMost attacks on web servers are against known vulnerabilities Hide identity of web server Use header masking facilities if they are available Don’t rely on standard error pages
  • 28.
    Securing Applications: Highgrade Two aspects Client authentication Protecting content SSL/TLS Transport Layer Security (successor to SSL) Usually authenticates server to a non-authenticated client Certificate issued to server. Client identifies him/herself using a username/password over the secure channel (all communications encrypted). Supports mutual authentication Certificate issued to both client and server Kerberos Possible (apparently)
  • 29.
    Securing Applications: Lowgrade authentication HTTP Basic authentication Supported by all browsers Client credentials passed to server in the clear Really only useful for secured (internal) networks HTTP digest authentication Protection for password Some compatibility issues with browsers Still not as strong as authentication over SSL/TLS or Kerberos.
  • 30.
    Conclusion Keep webservers updated with upgrades and service packs for best security Keep eye on developments in standards Use HTTP Keep-alive for applications using AJAX techniques Don’t use state-aware mode in WebLink or CSP