Watching the Exits
One of the common activities of attackers when they break into a web server is to hijack its content, so that visitors to the web site see something other than what was published. So, here's an idea: Give up on the web server machine itself, and watch the content after it leaves the server to make sure that it's approved. This idea, credited to Gilian Technologies, is called exit control.
Here's how it works. An administrator decides what is and isn't appropriate to publish on the web server. The content then goes through an approval phase, in which cryptographic fingerprints of approved content are generated. The fingerprints are then securely transferred to a box that sits at the exit point between a web server and the rest of the world. When content is requested from the web server, it passes through the box, and its authenticity is verified. Only approved content is allowed through.
Figure 1 shows an exit-control architecture. A company uses standard security tools to protect the communication between its production environment and the web server. These include firewalls, access control, and intrusion detection. The content is then served from the web server as usual. When a user accesses the server over the Internet, the requests and replies travel through the exit-control box in a transparent manner. There, the content is checked for integrity against the cryptographic fingerprints provided by the administrator at the time that something is published.
Figure 1 The exit-control architecture.
The beauty of this idea is that it no longer matters that the web server is broken into. Sure, a denial of service can result, but users visiting http://my.organization.com/ will either see content approved by my.organization, or nothing. Even if an attacker breaks into the web server, he or she can't change the content. This strategy is very powerful.
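The approval phase and the exit check described above, as an added illustration that is not code from the article or from any exit-control product. It assumes static objects whose bodies are fixed at publication time, uses SHA-256 as the fingerprint, and models the box as a function that sees the path and the body of each reply; the content and the defaced server copy are constructed sample data.

```python
import hashlib
import hmac

# Constructed sample: the administrator's approved content, as it exists in the
# production environment (the trusted side), keyed by request path.
APPROVED_CONTENT = {
    "/index.html": b"<html><body>Welcome to my.organization</body></html>",
    "/about.html": b"<html><body>About my.organization</body></html>",
}


def fingerprint(body: bytes) -> str:
    """Cryptographic fingerprint of one approved object (SHA-256 assumed)."""
    return hashlib.sha256(body).hexdigest()


def build_manifest(approved: dict) -> dict:
    """Approval phase: fingerprint every object the administrator publishes.
    The manifest is what gets securely transferred to the exit-control box;
    the web server itself never needs to be trusted for it."""
    return {path: fingerprint(body) for path, body in approved.items()}


def exit_control(manifest: dict, path: str, served_body: bytes):
    """Check one reply on its way out of the web server.
    Returns (allowed, body): approved content passes unchanged; anything
    else is dropped, so the visitor sees approved content or nothing."""
    expected = manifest.get(path)
    if expected is None:
        return False, b""  # path was never approved for publication
    if not hmac.compare_digest(fingerprint(served_body), expected):
        return False, b""  # body differs from what was approved
    return True, served_body


def simulate_compromise() -> dict:
    """Constructed scenario: the web server is broken into, /index.html is
    defaced and an unapproved /new.html is dropped in. Returns, per path,
    whether the exit-control box let the reply through."""
    manifest = build_manifest(APPROVED_CONTENT)
    served = dict(APPROVED_CONTENT)
    served["/index.html"] = b"<html><body>This site has been defaced</body></html>"
    served["/new.html"] = b"<html><body>Not approved by anyone</body></html>"
    return {path: exit_control(manifest, path, body)[0] for path, body in served.items()}


if __name__ == "__main__":
    for path, allowed in simulate_compromise().items():
        print(path, "passed" if allowed else "blocked")
```

Because the manifest is compared against the body as served, the box blocks both a modified approved page and a newly added one; what it cannot do is distinguish a denial of service from a blocked reply, which is exactly the residual risk the article accepts.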
Tripwires, Screening, and Signing
There are other architectures for exit control as well. Tripwire security checks files before the web server sends them to clients, to make sure that they haven't been modified. This architecture is less robust to server compromise, as a break-in to the web server could also defeat the exit control. Trusted Computer Solutions also offers an exit-control product for screening and signing content as it moves from high-security domains to low-security domains.