Subject: Re: A fundamentally secure Apache server, any interest?
From: Mark Watts
To: dev@httpd.apache.org
Cc: "Sweere, Kevin E CTR USAF AFRL/RYT"
Organization: QinetiQ
Date: Mon, 16 Nov 2009 14:18:50 +0000
Message-Id: <1258381130.22411.58.camel@mwatts.eris.qinetiq.com>

On Mon, 2009-11-16 at 08:42 -0500, Sweere, Kevin E CTR USAF AFRL/RYT wrote:
> Greetings,
>
> I work for the US Air Force. We have a prototype that dramatically,
> fundamentally increases a web server's security.
>
> We run an Apache server within a minimized, user-level-only, Linux variant
> only within RAM and from only a DVD (no hard drive). With no shells, hackers
> have nowhere to go. With no persistent memory, malware has no place to
> reside. A simple reboot restores the website to a pristine state within
> minutes.
>
> Because a LiveDVD holds the OS, apps and content, it's best for static,
> non-interactive, low-volume, high-value, highly-targeted websites. Any
> change means burning a new DVD, but this also makes testing easier and less
> noisy. Logs are tricky to extract.
>
> While it has worked well, some of us believe its usability drawbacks (e.g.
> limited ability to receive input from users, every change needs a new DVD)
> outweigh its great security benefits, making it unmarketable (in govt or
> industry) and thus just another prototype to leave on the shelf.
>
> I'm curious what your group thinks. Thanks in advance -- I don't quite know
> with whom to discuss this idea.
>
> Kevin Sweere

Hi Kevin,

The idea of a CD/DVD-ROM based webserver isn't new; I know we did some internal research into it many years ago and came to the same conclusions you have - the level of security offered seriously impedes your ability to use/manage the server. You also run into problems if your servers don't actually have an optical drive (e.g. blades).

If I was looking for that level of assurance that my data hasn't been tampered with, I'd be looking at using a mechanism of snapshotting your webserver in some way such that a rollback is trivial. Linux LVM, Solaris ZFS or even VMWare all offer this kind of snapshot and rollback. I'd also be using TripWire or something similar to verify my content directories.

Apache configured with minimum modules to simply serve static ASCII and image files is about as secure as it gets for that type of content. SELinux stops a rogue CGI from reading /etc/shadow, and mod_security helps to block a lot of crud from ever generating a response from the server.

Read-only web servers are certainly secure but, by their nature, very time-consuming to manage.

Mark.

--
Mark Watts BSc RHCE MBCS
Senior Systems Engineer, Managed Services Manpower
www.QinetiQ.com
QinetiQ - Delivering customer-focused solutions
GPG Key: http://www.linux-corner.info/mwatts.gpg
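As an added illustration of the "TripWire or something similar to verify my content directories" approach Mark suggests (example code written for this archive page, not from the thread or from Tripwire), here is a minimal baseline-and-verify integrity checker for a static document root; the docroot path and manifest filename are assumed placeholders:

```python
import hashlib
import json
import sys
from pathlib import Path

# Added example, not code from the thread: a minimal Tripwire-style check
# for a static web content directory. The baseline is a JSON manifest of
# relative path -> SHA-256. Keep the manifest off the served host (or on
# read-only media) so an intruder cannot update it along with the files.

def _digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: str) -> dict:
    """Hash every regular file under root, keyed by POSIX relative path."""
    root_path = Path(root)
    manifest = {}
    for p in sorted(root_path.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root_path).as_posix()] = _digest(p)
    return manifest

def verify(root: str, baseline: dict) -> dict:
    """Diff the live tree against the baseline; all-empty lists mean clean."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
    }

def is_clean(report: dict) -> bool:
    return not any(report.values())

if __name__ == "__main__":
    # usage: integrity.py baseline|verify /path/to/docroot manifest.json
    mode, root, manifest_file = sys.argv[1:4]
    if mode == "baseline":
        Path(manifest_file).write_text(json.dumps(build_baseline(root), indent=2))
    else:
        report = verify(root, json.loads(Path(manifest_file).read_text()))
        print(json.dumps(report, indent=2))
        sys.exit(0 if is_clean(report) else 1)
```

Run the baseline step from the trusted build of the site and the verify step from cron on the live server; a non-zero exit (anything added, removed or modified) is the signal to roll back to the snapshot rather than to patch in place.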