NIST: new version of the guide on securing public web sites (SP800-44v2)
NIST announces five new publications, one in final version and four in draft:
- Special Publication (SP) 800-44 version 2, Guidelines on Securing Public Web Servers,
- Draft SP 800-55 Revision 1, Performance Measurement Guide for Information Security,
- Draft SP 800-61 Revision 1, Computer Security Incident Handling Guide,
- Draft SP 800-82, Guide to Industrial Control Systems (ICS) Security,
- Draft SP 800-110, Information System Security Reference Model.
SP 800-44 version 2, Guidelines on Securing Public Web Servers
It is the only guide published in final version, and it covers the installation, configuration and maintenance of a public web site from a security standpoint. It includes suggestions and recommendations on authentication and encryption methods. The document supersedes the previous version, SP 800-44, published in 2002. The authors are Miles Tracy, Wayne Jansen, Karen Scarfone and Theodore Winograd. Available in PDF format (1.3 M, 142 pp).
Table of contents
Executive Summary
1. Introduction
1.1 Authority
1.2 Purpose and Scope
1.3 Audience and Assumptions
1.4 Document Structure
2. Background
3. Planning and Managing Web Servers
3.1 Installation and Deployment Planning
3.2 Security Management Staff
3.2.1 Senior IT Management/Chief Information Officer
3.2.2 Information Systems Security Program Managers
3.2.3 Information Systems Security Officers
3.2.4 Web Server and Network Administrators
3.2.5 Web Application Developers
3.3 Management Practices
3.4 System Security Plan
3.5 Human Resources Requirements
3.6 Alternative Web Server Platforms
3.6.1 Trusted Operating Systems
3.6.2 Web Server Appliances
3.6.3 Pre-Hardened Operating Systems and Web Servers
3.6.4 Virtualized Platforms
3.7 Checklist for Planning and Managing Web Servers
4. Securing the Web Server Operating System
4.1 Installing and Configuring the Operating System
4.1.1 Patch and Upgrade Operating System
4.1.2 Remove or Disable Unnecessary Services and Applications
4.1.3 Configure Operating System User Authentication
4.1.4 Configure Resource Controls Appropriately
4.1.5 Install and Configure Additional Security Controls
4.2 Security Testing the Operating System
4.3 Checklist for Securing the Web Server Operating System
5. Securing the Web Server
5.1 Securely Installing the Web Server
5.2 Configuring Access Controls
5.2.1 Configuring the Permissions of the Web Server Application
5.2.2 Configuring Secure Web Content Directory
5.2.3 Uniform Resource Identifiers and Cookies
5.2.4 Controlling Impact of Web “Bots” on Web Servers
5.3 Checklist for Securing the Web Server
6. Securing Web Content
6.1 Publishing Information on Public Web Sites
6.2 Observing Regulations about the Collection of Personal Information
6.3 Mitigating Indirect Attacks on Content
6.3.1 Phishing
6.3.2 Pharming
6.4 Securing Active Content and Content Generation Technologies
6.4.1 Vulnerabilities with Client-Side Active Content Technologies
6.4.2 Vulnerabilities with Server-Side Content Generation Technologies
6.4.3 Server-Side Content Generator Security Considerations
6.4.4 Location of Server-Side Content Generators
6.4.5 Cross-Site Scripting Vulnerabilities
6.5 Checklist for Securing Web Content
7. Using Authentication and Encryption Technologies
7.1 Determining Authentication and Encryption Requirements
7.2 Address-Based Authentication
7.3 Basic Authentication
7.4 Digest Authentication
7.5 SSL/TLS
7.5.1 SSL/TLS Capabilities
7.5.2 Weaknesses of SSL/TLS
7.5.3 Example SSL/TLS Session
7.5.4 SSL/TLS Encryption Schemes
7.5.5 Implementing SSL/TLS
7.5.6 SSL/TLS Implementations
7.6 Brute Force Attacks
7.7 Checklist for Using Authentication and Encryption Technologies for Web Servers
8. Implementing a Secure Network Infrastructure
8.1 Network Composition and Structure
8.1.1 Inadvisable Network Layout
8.1.2 Demilitarized Zone
8.1.3 Outsourced Hosting
8.1.4 Management Network
8.2 Network Element Configuration
8.2.1 Router/Firewall Configuration
8.2.2 Intrusion Detection and Prevention Systems
8.2.3 Network Switches
8.2.4 Load Balancers
8.2.5 Reverse Proxies
8.3 Checklist for Implementing a Secure Network Infrastructure
9. Administering the Web Server
9.1 Logging
9.1.1 Identifying the Logging Capabilities of a Web Server
9.1.2 Identifying Additional Logging Requirements
9.1.3 Recommended Generic Logging Configuration
9.1.4 Reviewing and Retaining Log Files
9.1.5 Automated Log File Analysis Tools
9.2 Web Server Backup Procedures
9.2.1 Web Server Backup Policies and Strategies
9.2.2 Maintain a Test Web Server
9.2.3 Maintain an Authoritative Copy of Organizational Web Content
9.3 Recovering From a Security Compromise
9.4 Security Testing Web Servers
9.4.1 Vulnerability Scanning
9.4.2 Penetration Testing
9.5 Remotely Administering a Web Server
9.6 Checklist for Administering the Web Server
Appendices
Appendix A— Online Web Server Security Resources
Appendix B— Glossary
Appendix C— Web Security Tools and Applications
Appendix D— References
Appendix E— Web Server Security Checklist
Appendix F— Acronym List
Appendix G— Index
List of Tables and Figures
Figure 7-1. SSL/TLS Location within the Internet Protocol Stack
Table 7-1. SSL/TLS Cipher Suites
Figure 7-2. Sample CSR
Figure 7-3. Sample Encoded SSL/TLS Certificate
Figure 8-1. Simple Single-Firewall DMZ
Figure 8-2. Two-Firewall DMZ
Figure 8-3. Service Leg DMZ
Figure 8-4. Outsourced Web Server Hosting
Related articles
- NIST: New Tools to Help Configure Secure Operating Systems (via Feliciano Intini’s blog)
- NIST: The Common Vulnerability Scoring System (CVSS)
- NIST: Special Publication 800-95 - Guide to Secure Web Services
- NIST: the new frontiers of information security
- All articles on NIST
- Security