Mailing List Archive: Apache: Dev

A fundamentally secure Apache server, any interest?



Kevin.Sweere at WPAFB

Nov 16, 2009, 5:42 AM

Post #1 of 5 (503 views)
A fundamentally secure Apache server, any interest?

Greetings,
 
I work for the US Air Force.  We have a prototype that dramatically,
fundamentally increases a web server's security. 
 
We run an Apache server within a minimized, user-level-only, Linux variant
only within RAM and from only a DVD (no hard drive).  With no shells, hackers
have nowhere to go.  With no persistent memory, malware has no place to
reside.  A simple reboot restores the website to a pristine state within
minutes.  
 
Because a LiveDVD holds the OS, apps and content, it's best for static,
non-interactive, low-volume, high-value, highly-targeted websites.  Any
change means burning a new DVD, but this also makes testing easier and less
noisy.  Logs are tricky to extract. 
 
While it has worked well, some of us believe its usability drawbacks (e.g.
limited ability to receive input from users, every change needs a new DVD)
outweigh its great security benefits, making it unmarketable (in govt or
industry) and thus just another prototype to leave on the shelf.
 
I'm curious what your group thinks.  Thanks in advance -- I don't quite know
with whom to discuss this idea.
 
Kevin Sweere
 
 
 
 
Attachments: smime.p7s (5.11 KB)


dreamice.jiang at gmail

Nov 16, 2009, 6:08 AM

Post #2 of 5 (474 views)
Re: A fundamentally secure Apache server, any interest? [In reply to]

I support you!

2009/11/16 Sweere, Kevin E CTR USAF AFRL/RYT <Kevin.Sweere [at] wpafb>

> Greetings,
>
> I work for the US Air Force. We have a prototype that dramatically,
> fundamentally increases a web server's security.
>
> We run an Apache server within a minimized, user-level-only, Linux variant
> only within RAM and from only a DVD (no hard drive). With no shells, hackers
> have nowhere to go. With no persistent memory, malware has no place to
> reside. A simple reboot restores the website to a pristine state within
> minutes.
>
> Because a LiveDVD holds the OS, apps and content, it's best for static,
> non-interactive, low-volume, high-value, highly-targeted websites. Any
> change means burning a new DVD, but this also makes testing easier and less
> noisy. Logs are tricky to extract.
>
> While it has worked well, some of us believe its usability drawbacks (e.g.
> limited ability to receive input from users, every change needs a new DVD)
> outweigh its great security benefits, making it unmarketable (in govt or
> industry) and thus just another prototype to leave on the shelf.
>
> I'm curious what your group thinks. Thanks in advance -- I don't quite know
> with whom to discuss this idea.
>
> Kevin Sweere


m.watts at eris

Nov 16, 2009, 6:18 AM

Post #3 of 5 (471 views)
Re: A fundamentally secure Apache server, any interest? [In reply to]

On Mon, 2009-11-16 at 08:42 -0500, Sweere, Kevin E CTR USAF AFRL/RYT
wrote:
> Greetings,
>
> I work for the US Air Force. We have a prototype that dramatically,
> fundamentally increases a web server's security.
>
> We run an Apache server within a minimized, user-level-only, Linux variant
> only within RAM and from only a DVD (no hard drive). With no shells, hackers
> have nowhere to go. With no persistent memory, malware has no place to
> reside. A simple reboot restores the website to a pristine state within
> minutes.
>
> Because a LiveDVD holds the OS, apps and content, it's best for static,
> non-interactive, low-volume, high-value, highly-targeted websites. Any
> change means burning a new DVD, but this also makes testing easier and less
> noisy. Logs are tricky to extract.
>
> While it has worked well, some of us believe its usability drawbacks (e.g.
> limited ability to receive input from users, every change needs a new DVD)
> outweigh its great security benefits, making it unmarketable (in govt or
> industry) and thus just another prototype to leave on the shelf.
>
> I'm curious what your group thinks. Thanks in advance -- I don't quite know
> with whom to discuss this idea.
>
> Kevin Sweere

Hi Kevin,

The idea of a CD/DVD-ROM based webserver isn't new, I know we did some
internal research into it many years ago and came to the same
conclusions you have - the level of security offered seriously impedes
your ability to use/manage the server.

You also run into problems if your servers don't actually have an
optical drive (e.g. blades).

If I was looking for that level of assurance that my data hasn't been
tampered with, I'd be looking at using a mechanism of snapshotting your
webserver in some way such that a rollback is trivial. Linux LVM,
Solaris ZFS or even VMWare all offer this kind of snapshot and rollback.
I'd also be using TripWire or something similar to verify my content
directories.

Apache configured with minimum modules to simply serve static ASCII and
image files is about as secure as it gets for that type of content.
SELinux stops a rogue CGI from reading /etc/shadow, and mod_security
helps to block a lot of crud from ever generating a response from the
server.


Read-Only web servers are certainly secure but by their nature, very
time-consuming to manage.


Mark.

--
Mark Watts BSc RHCE MBCS
Senior Systems Engineer, Managed Services Manpower
www.QinetiQ.com
QinetiQ - Delivering customer-focused solutions
GPG Key: http://www.linux-corner.info/mwatts.gpg
Attachments: signature.asc (0.19 KB)
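Mark's suggestion of verifying the content directories with TripWire "or something similar" comes down to a baseline of file digests that lives somewhere the server cannot write, plus a check that reports drift. The following is an added example, not code from the thread or from any of its posters; it assumes `sha256sum` (or `shasum` as a fallback), and the directory and file names in the usage comments are constructed:

```shell
#!/bin/sh
# Added example: Tripwire-style baseline/verify for a static content directory.
# Assumes coreutils sha256sum (perl shasum as fallback). Not part of the thread.

# hash_file FILE -> prints the SHA-256 hex digest of FILE
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# baseline_create DIR MANIFEST
# Writes one "digest  ./relative/path" line per regular file under DIR, sorted,
# so the manifest can be burned onto the DVD or kept on another read-only medium.
baseline_create() {
    src=$1; out=$2
    ( cd "$src" && find . -type f | LC_ALL=C sort ) | while IFS= read -r f; do
        printf '%s  %s\n' "$(hash_file "$src/$f")" "$f"
    done > "$out"
}

# baseline_verify DIR MANIFEST
# Prints one MODIFIED / MISSING / ADDED line per file that drifted from the
# manifest. Returns 0 when DIR matches the baseline exactly, 1 otherwise.
baseline_verify() {
    dir=$1; manifest=$2; rc=0
    current=$(mktemp)
    baseline_create "$dir" "$current"
    # Every baseline entry must still exist with the same digest.
    while IFS= read -r line; do
        f=${line#*  }
        if [ ! -f "$dir/$f" ]; then
            printf 'MISSING  %s\n' "$f"; rc=1
        elif ! grep -Fqx -- "$line" "$current"; then
            printf 'MODIFIED %s\n' "$f"; rc=1
        fi
    done < "$manifest"
    # Anything present now that the baseline never listed was planted after the build.
    while IFS= read -r line; do
        f=${line#*  }
        sed 's/^[^ ]*  //' "$manifest" | grep -Fqx -- "$f" \
            || { printf 'ADDED    %s\n' "$f"; rc=1; }
    done < "$current"
    rm -f "$current"
    return $rc
}

# Usage (constructed paths):
#   baseline_create /srv/www /mnt/ro-media/site.manifest   # at build time
#   baseline_verify /srv/www /mnt/ro-media/site.manifest   # from cron or a monitor host
```

The manifest is only worth as much as the medium it sits on: if it lives on the same writable volume as the content, an intruder who can change a file can also change its recorded digest, which is why the example expects it on the DVD or another read-only location.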


sctemme at apache

Nov 16, 2009, 8:11 AM

Post #4 of 5 (464 views)
Re: A fundamentally secure Apache server, any interest? [In reply to]

Hi Kevin,

Definitely not the right list: this is where we discuss development of the Apache HTTP Server code. users [at] httpd may be a better forum within apache.org. Outside Apache, several initiatives exist to look into hardening web servers. The Center for Internet Security <http://www.cisecurity.org/> is one of them.

On Nov 16, 2009, at 8:42 AM, Sweere, Kevin E CTR USAF AFRL/RYT wrote:

> I work for the US Air Force. We have a prototype that dramatically,
> fundamentally increases a web server's security.
>
> We run an Apache server within a minimized, user-level-only, Linux variant
> only within RAM and from only a DVD (no hard drive). With no shells, hackers
> have nowhere to go. With no persistent memory, malware has no place to
> reside. A simple reboot restores the website to a pristine state within
> minutes.

I agree. Putting the entire OS and content on a read-only device (whether DVD or otherwise) significantly reduces your exposure to attacks for all these reasons. The OS will need *some* writable space (like /tmp and /var/run), but I assume you made like Knoppix and Ubuntu Live and their ilk, and use RAM disks for that.

> Because a LiveDVD holds the OS, apps and content, it's best for static,
> non-interactive, low-volume, high-value, highly-targeted websites. Any
> change means burning a new DVD, but this also makes testing easier and less
> noisy. Logs are tricky to extract.

You could write logs to a RAM disk, with obvious implications on retention. Or you could spool them to another server either through a network mount or mod_log_spread. The httpd configuration language allows you to put log files in any place you like, and there are several approaches to rotating log files if space is an issue. Or you can use a third party module to write logs like the aforementioned mod_log_spread, which is not part of httpd itself.

> While it has worked well, some of us believe its usability drawbacks (e.g.
> limited ability to receive input from users, every change needs a new DVD)
> outweigh its great security benefits, making it unmarketable (in govt or
> industry) and thus just another prototype to leave on the shelf.

You are in for a perpetual war between Operations (whose pager goes off when things break) and dev (whose time-to-market is implicated by the fixed environment). You could mitigate that problem by reading site content from a remote machine, either continuously over a network mount or by copying it into a RAM disk on boot. The former might be slower, but would allow for more frequent site updates. It's a trade-off, as usual.

Keeping the remote mount read-only (even for root) will allow you to achieve your goal of a read-only environment.

More comprehensive upgrades that would involve adding modules or changing configuration parameters should trigger a change management process that would lead to an update of the boot image.

> I'm curious what your group thinks. Thanks in advance -- I don't quite know
> with whom to discuss this idea.

As Mark points out, this would be very secure but very hard to manage, and my impression is that time-to-market pressure and available expertise frequently cause ideas like this to fall by the wayside.

Fundamentally, booting web heads from a read-only medium like an optical drive or PXE is a sound idea. Any initiative, installation method or distribution that makes this easier to manage might increase adoption.

S. <bikeshed>I'd base it on BSD though</bikeshed>

--
Sander Temme
sctemme [at] apache
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
Attachments: smime.p7s (2.16 KB)
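Sander's layout has a few invariants that are easy to state and easy to lose on a rebuilt image: the root filesystem and the document root are read-only, while the places httpd must write (`/tmp`, `/var/run`, the log directory) are RAM disks, and httpd itself loads only what a static site needs. The script below is an added example, not code from the thread or from the httpd project: it checks those invariants against a mount table in `/proc/mounts` format (the embedded table is constructed) and renders a minimal static-only configuration in httpd 2.4 syntax, which postdates this thread. Mount points, module names and the `rotatelogs` sizes are the example's own assumptions.

```shell
#!/bin/sh
# Added example: boot-time invariants for a read-only web head. Paths, the
# sample mount table and the module list are assumptions, not from the thread.

# Constructed /proc/mounts-style table: "device mountpoint fstype options dump pass".
SAMPLE_MOUNTS='rootfs / squashfs ro,relatime 0 0
192.0.2.10:/export/site /srv/www nfs ro,vers=3,hard 0 0
tmpfs /var/log tmpfs rw,nosuid,nodev,size=64m 0 0
tmpfs /var/run tmpfs rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

# mount_option_set TABLE MOUNTPOINT OPTION
# Returns 0 when MOUNTPOINT is in TABLE and its option list contains OPTION.
mount_option_set() {
    printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# mount_fstype TABLE MOUNTPOINT -> prints the filesystem type, empty if not mounted
mount_fstype() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $3 }'
}

# check_layout TABLE
# Prints one line per violated invariant; returns 1 if any was violated.
check_layout() {
    table=$1; rc=0
    # The OS image and the site content must not be writable, even by root.
    for mp in / /srv/www; do
        mount_option_set "$table" "$mp" ro || { printf 'WRITABLE %s\n' "$mp"; rc=1; }
    done
    # Scratch space exists only in RAM and vanishes on reboot.
    for mp in /var/log /var/run /tmp; do
        [ "$(mount_fstype "$table" "$mp")" = tmpfs ] \
            || { printf 'NOT-TMPFS %s\n' "$mp"; rc=1; }
    done
    return $rc
}

# render_httpd_conf DOCROOT LOGDIR -> minimal static-only httpd 2.4 configuration
render_httpd_conf() {
    cat <<EOF
ServerRoot "/usr/local/apache2"
Listen 80
# Only what a static site needs: no CGI, no scripting, no userdir, no proxy.
LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule mime_module modules/mod_mime.so
LoadModule dir_module modules/mod_dir.so
LoadModule log_config_module modules/mod_log_config.so
User www
Group www
TypesConfig conf/mime.types
<Directory />
    Require all denied
</Directory>
DocumentRoot "$1"
<Directory "$1">
    Options None
    AllowOverride None
    Require all granted
</Directory>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
# Logs live on the RAM disk; rotatelogs bounds their size, retention is the trade-off.
ErrorLog "|bin/rotatelogs $2/error_log 1M"
CustomLog "|bin/rotatelogs $2/access_log 5M" combined
EOF
}

# On a live host (Linux) the same check reads the real table:
#   check_layout "$(cat /proc/mounts)" || echo "layout drifted from the build"
```

Running `check_layout` early in the boot sequence, before httpd starts, turns the read-only guarantee from something believed about the image into something tested on every boot; the rendered configuration is the piece that belongs in the boot image and should change only through the change-management step Sander describes.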


jorge.schrauwen at gmail

Nov 16, 2009, 11:05 AM

Post #5 of 5 (451 views)
Re: A fundamentally secure Apache server, any interest? [In reply to]

On Mon, Nov 16, 2009 at 5:11 PM, Sander Temme <sctemme [at] apache> wrote:
> Hi Kevin,
>
> Definitely not the right list: this is where we discuss development of the Apache HTTP Server code.  users [at] httpd may be a better forum within apache.org.  Outside Apache, several initiatives exist to look into hardening web servers.  The Center for Internet Security <http://www.cisecurity.org/> is one of them.
>
> On Nov 16, 2009, at 8:42 AM, Sweere, Kevin E CTR USAF AFRL/RYT wrote:
>
>> I work for the US Air Force.  We have a prototype that dramatically,
>> fundamentally increases a web server's security.
>>
>> We run an Apache server within a minimized, user-level-only, Linux variant
>> only within RAM and from only a DVD (no hard drive).  With no shells, hackers
>> have nowhere to go.  With no persistent memory, malware has no place to
>> reside.  A simple reboot restores the website to a pristine state within
>> minutes.
>
> I agree.  Putting the entire OS and content on a read-only device (whether DVD or otherwise) significantly reduces your exposure to attacks for all these reasons.  The OS will need *some* writable space (like /tmp and /var/run), but I assume you made like Knoppix and Ubuntu Live and their ilk, and use RAM disks for that.
>
>> Because a LiveDVD holds the OS, apps and content, it's best for static,
>> non-interactive, low-volume, high-value, highly-targeted websites.  Any
>> change means burning a new DVD, but this also makes testing easier and less
>> noisy.  Logs are tricky to extract.
>
> You could write logs to a RAM disk, with obvious implications on retention.  Or you could spool them to another server either through a network mount or mod_log_spread.  The httpd configuration language allows you to put log files in any place you like, and there are several approaches to rotating log files if space is an issue.  Or you can use a third party module to write logs like the aforementioned mod_log_spread, which is not part of httpd itself.
>
>> While it has worked well, some of us believe its usability drawbacks (e.g.
>> limited ability to receive input from users, every change needs a new DVD)
>> outweigh its great security benefits, making it unmarketable (in govt or
>> industry) and thus just another prototype to leave on the shelf.
>
> You are in for a perpetual war between Operations (whose pager goes off when things break) and dev (whose time-to-market is implicated by the fixed environment).  You could mitigate that problem by reading site content from a remote machine, either continuously over a network mount or by copying it into a RAM disk on boot.  The former might be slower, but would allow for more frequent site updates.  It's a trade-off, as usual.
>
> Keeping the remote mount read-only (even for root) will allow you to achieve your goal of a read-only environment.
>
> More comprehensive upgrades that would involve adding modules or changing configuration parameters should trigger a change management process that would lead to an update of the boot image.
>

You could just mount everything ro from a remote host then; even the
config, for example, could be mounted from a remote host.

I guess a rw USB key with OS + config would work too if you can
somehow force it ro only when booting from it.

>> I'm curious what your group thinks.  Thanks in advance -- I don't quite know
>> with whom to discuss this idea.
>
> As Mark points out, this would be very secure but very hard to manage, and my impression is that time-to-market pressure and available expertise frequently cause ideas like this to fall by the wayside.
>
> Fundamentally, booting web heads from a read-only medium like an optical drive or PXE is a sound idea.  Any initiative, installation method or distribution that makes this easier to manage might increase adoption.
>
> S. <bikeshed>I'd base it on BSD though</bikeshed>
>
> --
> Sander Temme
> sctemme [at] apache
> PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF

That's all that comes to mind atm.

Jorge
