3.6 Network Security
Most Web systems use routers and firewalls, hereafter referred to simply as firewalls, to restrict access to the computers that support the Web system. A firewall can prevent incoming connections and packets from reaching certain hosts, or certain ports on those hosts, on the Web system's local network. Typically, a Web system blocks outside access to all ports except port 80, the main HTTP port. When secure HTTP is used, the site also allows connections to a secure port, usually 443.
The main reason for implementing a firewall is to prevent unwanted connections to services or computers residing on the Web site's local network. Some computers run services, such as FTP, that should not be reachable by the general public over the Internet. Such services are often the source of break-ins or other exploits that can ultimately compromise the security of the site. It is also desirable to prevent outside users from even seeing certain computers, such as database servers, from beyond the firewall. Certain types of servers should be accessible only to the site's own Web servers, not to external users.
Port scanning is the process of attempting to connect to many or all Transmission Control Protocol/Internet Protocol (TCP/IP) or User Datagram Protocol/Internet Protocol (UDP/IP) ports on a wide range of servers on the Internet. An attacker runs the scanner over a period of time and reviews the resulting list of open ports found on each computer. Often, the response from the computer indicates the type of service running on that port, and possibly its version as well. Port scanning thus gives the attacker a catalog of potential entry points. If the Web site is relatively well known, the attacker may simply try several common service ports, such as HTTP (Web server), FTP (file transfer server), DNS (name lookup service), LPD (printing service), SMTP (electronic mail), or NNTP (Internet news), in an attempt to locate a vulnerable service. This manual approach requires only knowing which ports to examine, which is common knowledge among network intruders. Many utilities are available for port scanning a target host, and site administrators can use them to determine whether the site's firewall or servers have vulnerabilities. Many of the same tools are also used by potential attackers against the Web site.
Each network service that a port scan reveals on the machine should be located in the server's process list and, unless it is meant to be exposed, removed from the server's configuration files. For some services, the port scanner will not know what type of service is listening on the port, which makes it difficult to locate the responsible process. On a UNIX system, a port can be associated with a process by using the lsof command (the -P option keeps port numbers numeric instead of translating them to service names). For example, on some UNIX systems the following command lists the process(es) associated with port 21:
lsof -P | grep :21
In some cases, the port scanner may detect a service listening on the server, yet the service cannot be found in the process list or with the lsof command. If this occurs, it may be necessary to connect to the service manually from another machine before examining the process list or running lsof, because some services are started only on demand. On most platforms this can be done with the telnet command by supplying the port number in question in place of the default port.
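The following script is an added example, not part of the original text, that applies the check described above from the administrator's side: it parses the output of lsof (invoked as lsof -nP -iTCP -sTCP:LISTEN, which lists only listening TCP sockets with numeric addresses and ports) and reports every listener that is reachable beyond the loopback interface on a port other than 80 and 443. The allowed-port set and the sample lsof output are assumptions constructed for the example.

```python
"""Audit a Web host's listening TCP sockets against the ports it is meant to expose."""
import subprocess
from collections import namedtuple

Listener = namedtuple("Listener", "command pid user addr port")
WEB_PORTS = frozenset({80, 443})   # assumed: the only ports the firewall should pass
LOOPBACK = ("127.", "::1")         # a socket bound here is not reachable from outside


def parse_lsof_listeners(lsof_text):
    """Parse the output of `lsof -nP -iTCP -sTCP:LISTEN` into Listener records.

    -n and -P keep addresses and ports numeric, so the NAME column is always
    of the form addr:port rather than hostname:service.
    """
    listeners = []
    for line in lsof_text.splitlines()[1:]:          # first row is the column header
        fields = line.split()
        if len(fields) < 4 or fields[-1] != "(LISTEN)":
            continue
        addr, port = fields[-2].rsplit(":", 1)       # NAME is e.g. *:80 or [::1]:3306
        listeners.append(Listener(fields[0], int(fields[1]), fields[2],
                                  addr.strip("[]"), int(port)))
    return listeners


def unexpected_listeners(listeners, allowed=WEB_PORTS):
    """Listeners reachable beyond loopback on a port that should not be exposed."""
    return [l for l in listeners
            if l.port not in allowed and not l.addr.startswith(LOOPBACK)]


def live_audit(allowed=WEB_PORTS):
    """Run lsof on this host (as root, to see every user's processes) and audit it."""
    proc = subprocess.run(["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
                          capture_output=True, text=True, check=False)
    return unexpected_listeners(parse_lsof_listeners(proc.stdout), allowed)


# Constructed sample output for the example; not captured from a real host.
SAMPLE_LSOF = """\
COMMAND  PID  USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
httpd   1234  root   4u IPv4  12345      0t0  TCP *:80 (LISTEN)
httpd   1234  root   6u IPv4  12346      0t0  TCP *:443 (LISTEN)
httpd   1234  root   9u IPv4  14000      0t0  TCP 192.0.2.10:80->198.51.100.7:51234 (ESTABLISHED)
vsftpd  2100  root   3u IPv4  13001      0t0  TCP *:21 (LISTEN)
mysqld  2200 mysql  10u IPv6  13100      0t0  TCP [::1]:3306 (LISTEN)
sshd     900  root   3u IPv4  11000      0t0  TCP *:22 (LISTEN)
"""

if __name__ == "__main__":
    for l in unexpected_listeners(parse_lsof_listeners(SAMPLE_LSOF)):
        print(f"port {l.port} on {l.addr} exposed by {l.command} (pid {l.pid}, user {l.user})")
```

On the sample, the FTP and SSH listeners are flagged while the database bound to ::1 is not; an administration port that is deliberately firewalled for staff only would be added to the allowed set rather than removed.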