6.3. Supporting Services

This section describes how you can secure supporting services used by SGD, such as authentication and application hosting. Information on using intrusion detection systems and penetration testing of servers is also included.

6.3.1. Firewall Policies

For a basic SGD deployment using a single Gateway, you generally need to use two firewalls, as shown in Figure 6.1, “Firewalls for a Gateway Deployment”.

Figure 6.1. Firewalls for a Gateway Deployment

The external firewall need only be configured to pass encrypted traffic on port 443 to the Gateway. The LAN firewall then passes encrypted traffic to the SGD servers in the array, on port 443 and port 5307.

Additional internal firewalls may also need to be configured to pass traffic on other ports for services used by SGD. For example, you might need to allow RDP traffic for connections to Windows application servers, and LDAP traffic for user authentication.

Connections to these other services should be accepted only when the source IP address is an SGD server. You should also limit the allowed destination IP addresses to the specific servers that provide each service.
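The following is an added example, not part of the SGD documentation: a small policy model of the two-firewall layout in Figure 6.1 that can be used to check intended connections before writing real firewall rules. All addresses are constructed placeholders, and the RDP (3389) and LDAP (389) ports are assumed standard values.

```python
"""Policy model of the two-firewall layout in Figure 6.1 (added example).
Hosts and addresses are constructed placeholders from RFC 5737 / RFC 1918 ranges."""
from ipaddress import ip_address, ip_network

GATEWAY = ip_address("192.0.2.10")       # SGD Gateway in the DMZ (constructed)
SGD_ARRAY = ip_network("10.0.1.0/28")    # SGD servers in the array (constructed)
WINDOWS_APP = ip_address("10.0.2.20")    # Windows application server (constructed)
LDAP_SERVER = ip_address("10.0.2.30")    # LDAP directory server (constructed)
INTERNAL = ip_network("10.0.0.0/8")      # everything behind the LAN firewall

# Each rule is (source predicate, destination predicate, allowed TCP ports).
# External firewall: only encrypted traffic on 443, and only to the Gateway.
EXTERNAL_RULES = [
    (lambda s: True, lambda d: d == GATEWAY, {443}),
]
# LAN firewall: 443 and 5307 from the Gateway to the array, and service traffic
# (RDP, LDAP; ports assumed) only *from* SGD servers *to* the named hosts.
LAN_RULES = [
    (lambda s: s == GATEWAY, lambda d: d in SGD_ARRAY, {443, 5307}),
    (lambda s: s in SGD_ARRAY, lambda d: d == WINDOWS_APP, {3389}),
    (lambda s: s in SGD_ARRAY, lambda d: d == LDAP_SERVER, {389}),
]

def passes(rules, src, dst, port):
    """True if any rule in the table matches; there is no implicit allow."""
    return any(sp(src) and dp(dst) and port in ports for sp, dp, ports in rules)

def allowed(src, dst, port):
    """Evaluate a TCP connection through every firewall on its path (default deny)."""
    src, dst = ip_address(src), ip_address(dst)
    from_internet = src != GATEWAY and src not in INTERNAL
    if from_internet and not passes(EXTERNAL_RULES, src, dst, port):
        return False                       # stopped at the external firewall
    if dst in INTERNAL:
        return passes(LAN_RULES, src, dst, port)   # must also pass the LAN firewall
    return passes(EXTERNAL_RULES, src, dst, port)  # destination is in the DMZ
```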

Your firewalls should also provide basic protection against Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, such as "Ping of Death", SYN flood, ping flood, smurf, and similar attack types. Note that most so-called "application firewall" technologies are not useful until the traffic is decrypted.

See Section 3.2, “Firewalls and Ports” for more information about the ports used by SGD.

6.3.2. Use Two-Factor Authentication for Internet Deployments

If you are going to publish applications to users on the Internet, it is strongly advised that you use a two-factor authentication system, such as RSA SecurID.

For example, if a user uses an uncontrolled client device, such as a computer at an Internet cafe, it is possible for software or hardware on the client device to capture the user's keystrokes. A user may reveal their username and password when using such a compromised system.

Using two-factor authentication with a one-time password component prevents such stolen credentials from being reused successfully in an attack.
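As an added illustration of why a one-time password defeats captured credentials (this is example code, not SGD or RSA SecurID code): a TOTP verifier per RFC 6238 that accepts each time step only once, so a code recorded by a keylogger is refused when it is presented again. The shared secret is the RFC 6238 test-vector key, used here purely for illustration.

```python
"""TOTP (RFC 6238) verification with replay protection (added example).
Stands in for whatever one-time password system a deployment actually uses."""
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"   # RFC 6238 reference key, illustration only

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """The code the user's token displays at a given time."""
    return hotp(secret, unix_time // step)

class OtpVerifier:
    """Server side: remembers the highest time step already spent, so a code
    captured on a compromised client cannot be submitted a second time."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret, self.step, self.window = secret, step, window
        self.last_accepted = -1   # highest counter already used for a login

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        # Tolerate one step of clock skew either way, but never reuse a step.
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_accepted:
                continue                              # already spent: reject replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_accepted = counter
                return True
        return False
```

The password factor is checked separately; the point is that even with the password known, the second factor cannot be replayed.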

SGD supports the following methods of implementing two-factor authentication:

6.3.3. Intrusion Detection and Prevention Systems

Intrusion detection systems (IDS) and intrusion prevention systems (IPS) are designed to monitor network traffic and look for patterns and behaviors that may indicate an unwanted intrusion is being attempted. An IPS differs from an IDS in that it takes active measures to immediately counter the perceived attack, by blocking the offending source IP address, resetting the connection, or through other mechanisms.

IDS and IPS systems can generally be broken down into host-based solutions and network-based solutions. Host-based solutions are installed on the systems they are meant to protect, while network-based solutions usually monitor traffic at one or more points "in front of" the host or hosts being protected. These devices may act in-line, so that all traffic must pass through them, or may simply act as passive sensors, often with no assigned IP address, which monitor traffic by setting their network interfaces to promiscuous mode.

Some IDS and IPS systems perform protocol decoding, while others do not. Protocol decoding for SGD would primarily examine HTTP traffic. In order to do this effectively, the IDS or IPS system must be able to view the traffic in unencrypted mode.

One mechanism to do this is to use an SSL accelerator, which decrypts the HTTP traffic and forwards it on to the SGD server. The network sensor is placed on the network between the accelerator and the SGD server.

For more information on configuring SGD for an SSL accelerator, see Using External SSL Accelerators.

Two IDS and IPS tools that can prove useful for SGD deployments are:

  • mod_security. This is an example of a host-based IPS. More specifically, it is a web application firewall, because it specifically monitors and evaluates web traffic.

    mod_security is a plug-in to the Apache web server, and comes with a set of "core" rules that detect protocol violations and known attack signatures to prevent web-based attacks. For more information, visit the mod_security home page.

  • SNORT. This program has a variety of modes, including packet decoding, but is most commonly deployed as a network-based IDS and IPS tool. SNORT is claimed to be the most widely deployed IDS in the world, and is an open-source project.

6.3.4. Perform Penetration Testing

When deploying SGD on the Internet, it is recommended that you perform active penetration testing to ensure you have covered the most obvious issues.

Penetration testing is often performed by outside consultants, while some organizations have their own internal test teams. If you wish to perform some basic tests on your own, consider some of the following tools:

  • nmap. A utility that is commonly used to scan for hosts, determine the OS, and determine what services a host may be offering. An intruder would use a tool like this to perform network reconnaissance, the first step in attempting to break in. Be sure to provide as little information about your installation to would-be intruders as possible.

  • nessus. An automated vulnerability scanner which uses plug-ins to test for specific types of vulnerabilities, such as cross-site scripting vulnerabilities, known web server bugs, and so on. This is free for home use only.

  • nikto. An automated web server scanner, which also tests for a variety of web server problems.

  • firewalk. A firewall reconnaissance tool, which tries to determine what access control lists you have on your firewall.
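The following added example (not part of the SGD documentation) ties together the IDS versus IPS distinction of Section 6.3.3 and the reconnaissance point made about nmap above: it runs simple port-sweep detection over constructed firewall log lines and shows the two responses, alert only (IDS) or alert plus block (IPS). The log format and addresses are constructed; the detection threshold is an assumption.

```python
"""Port-sweep detection over firewall log lines, with IDS and IPS responses
(added example). Log lines are constructed in a netfilter-like format."""
import re
from collections import defaultdict

LOG_RE = re.compile(r"^(?P<ts>\d+) (?:DROP|ACCEPT) SRC=(?P<src>\S+) DST=\S+ DPT=(?P<dpt>\d+)")

# Constructed sample: one source sweeping ports on the Gateway (what a scanner
# produces), and one ordinary client connecting to 443 a few times.
_SWEEP = [21, 22, 23, 25, 80, 110, 139, 445, 3389, 5307, 8080, 8443]
SAMPLE_LOG = "\n".join(
    [f"{1000 + i} DROP SRC=203.0.113.7 DST=192.0.2.10 DPT={p}" for i, p in enumerate(_SWEEP)]
    + [f"{1005 + i * 10} ACCEPT SRC=198.51.100.4 DST=192.0.2.10 DPT=443" for i in range(5)]
)

def scan_sources(log: str, min_ports: int = 10, window: int = 60) -> dict:
    """Return {src: distinct ports} for sources that touch at least min_ports
    distinct destination ports within `window` seconds (threshold assumed)."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            events[m["src"]].append((int(m["ts"]), int(m["dpt"])))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):          # slide a window over the hits
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                flagged[src] = len(ports)
                break
    return flagged

def respond(src: str, mode: str):
    """IDS: alert and keep passing traffic. IPS: alert and also block the source.
    The block is returned as a firewall command string rather than applied."""
    alert = f"ALERT possible port scan from {src}"
    if mode == "ips":
        return alert, f"iptables -I INPUT -s {src} -j DROP"
    return alert, None
```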