IIS Security - Using a Linux Box as a Sentry? 13
Steven Yi asks: "This is a suggestion - why not consider IIS an 'application server', similar to they way we consider BEA WebLogic an app server? Continue using your Windows Servers to process your programming logic and ASP pages - but use a box running Apache as your true web server. This is the way many other app-server driven hardware setups are like. Internet --> (Apache Web Server) --> (IIS 'App Server'). The obvious point is that there isn't an Apache plugin to redirect Microsoft/ASP page requests, but couldn't this be written fairly quickly? I think this would be a much cheaper migration path where existing Microsoft applications/hardware can be preserved and your internet security would be greatly enhanced with a Linux/UNIX Apache server guarding the internet connection." Many saavy readers should realize that a mod_rewrite + mod_proxy combination should be all you need to implement such a feature. Has anyone deployed something similar for their production systems?
Came up not long ago. (Score:4, Informative)
Unfortunately the article seems to have disappeared but you might have better luck finding it than I did.
Re:Came up not long ago. (Score:4, Informative)
Hardware device? (Score:3, Insightful)
Just put a simple installation of Linux/*BSD/etc and a copy of Apache+modules to do this. Put a web based administration utility on it for configuring IP addresses and what-not and let it do it's thing. You could also include an update system (something along the lines of Norton Antivirus LiveUpdate) that grabs updates so it can filter any new HTTP requests that show up that can harm an IIS server as well as any holes that may show up in the appliance itself.
PHB's seem to be fond of "black boxes" even if they do run Linux. But there is no way that they'd ever allow a regular old computer run Linux, it's not the Microsoft way! Oh, the irony, but anyway.
I think it is now time to find myself a nice embeded computer...
This still isn't a "no-brainer" solution. (Score:3, Insightful)
Clueful admins can use something like mod_rewrite to sanitize HTTP requests and deny suspect (ie too long, contains a specific string..) URL requests, but if I remember correctly, even mod_rewrite doesn't let you rewrite stuff like Host: headers which can be abused as well.
I'm not saying it's a bad solution. In fact, I've suggested it in the past. It just has to be implemented carefully. It's not going to be a drop in black box solution the PHB likes.
It's pretty close to no-brainer (Score:3, Informative)
http://www.microsoft.com/scripts/../../winnt/syste m32/cmd.exe?/c+dir
Stuff like this, or URLs containing Unicode characters or known-bad sequences like ::$DATA, would be easy to filter out. In fact, Microsoft has a program designed to install on IIS servers to do just that, called something like URLCheck, I forget exactly. This job could just as easily be done by a separate dedicated box, with a config page to allow the level of paranoia to be specified, or new URL blocking templates to be installed.
Re:Anti-virus scanners in hardware (Score:1)
Firewalls afaik, also only look at the header most of the time, but there's probly exceptions to this.
Re:Anti-virus scanners in hardware (Score:3, Informative)
http://www.avolio.com/apgw+spf.html
You might want to look up the 7 layer OSI model as well. Routers live in level 3. Stateful packet inspection firewalls live in level 4. It takes a little faster network and muscle to keep up with routers, but it's being done all across the 'net as we speak.
(I think the levels are right! Lord knows I'm going to be crucified if I'm wrong...)
Re:Anti-virus scanners in hardware (Score:1)
(I am familiar with the OSI model, it's just been a while.
Try sanctum appshield (Score:1)
If it just hands unhandled stuff over verbatim it won't help.
I figure if you can't or don't want to fix the broken IIS webserver/apps you should look at Sanctum Appshield.
www.sanctuminc.com
Expensive but that's what you pay for not getting it right at the start.
I have no links to Sanctum Inc. But I thought of a similar idea before- everything not explicitly allowed by the webpages or admin is denied, and found out these guys are already doing it.
Have fun,
Link.
Macromedia (Allaire) ColdFusion (Score:2, Interesting)
Just use URLScan (Score:3, Interesting)