On Mon, 2009-11-16 at 08:42 -0500, Sweere, Kevin E CTR USAF AFRL/RYT wrote:
> Greetings,
>
> I work for the US Air Force. We have a prototype that dramatically,
> fundamentally increases a web server's security.
>
> We run an Apache server within a minimized, user-level-only, Linux variant
> only within RAM and from only a DVD (no hard drive). With no shells, hackers
> have nowhere to go. With no persistent memory, malware has no place to
> reside. A simple reboot restores the website to a pristine state within
> minutes.
>
> Because a LiveDVD holds the OS, apps and content, it's best for static,
> non-interactive, low-volume, high-value, highly-targeted websites. Any
> change means burning a new DVD, but this also makes testing easier and less
> noisy. Logs are tricky to extract.
>
> While it has worked well, some of us believe its usability drawbacks (e.g.
> limited ability to receive input from users, every change needs a new DVD)
> outweigh its great security benefits, making it unmarketable (in govt or
> industry) and thus just another prototype to leave on the shelf.
>
> I'm curious what your group thinks. Thanks in advance -- I don't quite know
> with whom to discuss this idea.
>
> Kevin Sweere
Hi Kevin,

The idea of a CD/DVD-ROM based webserver isn't new. I know we did some internal research into it many years ago and came to the same conclusions you have: the level of security offered seriously impedes your ability to use/manage the server. You also run into problems if your servers don't actually have an optical drive (e.g. blades).

If I was looking for that level of assurance that my data hasn't been tampered with, I'd be looking at using a mechanism of snapshotting your webserver in some way such that a rollback is trivial. Linux LVM, Solaris ZFS or even VMware all offer this kind of snapshot and rollback. I'd also be using Tripwire or something similar to verify my content directories.

Apache configured with minimum modules to simply serve static ASCII and image files is about as secure as it gets for that type of content. SELinux stops a rogue CGI from reading /etc/shadow, and mod_security helps to block a lot of crud from ever generating a response from the server.

Read-only web servers are certainly secure but, by their nature, very time-consuming to manage.

Mark.

--
Mark Watts BSc RHCE MBCS
Senior Systems Engineer, Managed Services
Manpower
www.QinetiQ.com
QinetiQ - Delivering customer-focused solutions
GPG Key: http://www.linux-corner.info/mwatts.gpg
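Mark's suggestion of pairing rollback-able snapshots with a Tripwire-style check of the content directories is the part of the reply that is easiest to show concretely. The script below is an added example written for this thread, not code from either poster, from Tripwire or from QinetiQ: it takes a SHA-256 baseline manifest of a static document root and later reports every file that was modified, added or removed relative to that baseline. The directory layout, file names and contents in `demo()` are constructed for the demonstration; the `digest`, `make_manifest`, `verify_tree` and `demo` function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal Tripwire-style integrity
# check for a static web content tree. A baseline manifest of SHA-256
# digests is taken from known-good content; a later run reports any file
# that was MODIFIED, ADDED or REMOVED relative to that baseline.
# Everything in demo() is constructed for illustration.
# Limitation: paths containing whitespace are not supported, because the
# manifest is split on whitespace by awk.

# Print "<sha256>  <path>" for each argument, using whichever tool exists.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"
    else shasum -a 256 "$@"
    fi
}

# Manifest of every regular file under directory $1, sorted by path.
make_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          digest "$f"
      done )
}

# Compare baseline manifest $1 with the live tree $2.
# Prints one "<KIND> <path>" line per discrepancy; returns 1 if any, else 0.
verify_tree() {
    baseline="$1"; tree="$2"
    current=$(mktemp)
    make_manifest "$tree" > "$current"
    report=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }      # load the baseline
        {
            if (!($2 in base))        print "ADDED " $2
            else if (base[$2] != $1)  print "MODIFIED " $2
            seen[$2] = 1
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$baseline" "$current" | LC_ALL=C sort)
    rm -f "$current"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Constructed demonstration: take a baseline, tamper with the tree, verify.
demo() {
    root=$(mktemp -d)
    site="$root/htdocs"
    mkdir -p "$site/img"
    printf '<h1>Welcome</h1>\n' > "$site/index.html"
    printf 'GIF89a'             > "$site/img/logo.gif"
    printf 'User-agent: *\n'    > "$site/robots.txt"
    # In practice the baseline lives off the served host (or on read-only
    # media), otherwise whoever alters the content can alter the baseline.
    make_manifest "$site" > "$root/baseline.manifest"

    # Simulated changes after the baseline was taken
    printf '<h1>Defaced</h1>\n' > "$site/index.html"     # content changed
    printf 'placeholder'        > "$site/unexpected.php" # file appeared
    rm "$site/robots.txt"                                # file deleted

    if findings=$(verify_tree "$root/baseline.manifest" "$site"); then
        echo "OK: content matches baseline"
    else
        printf '%s\n' "$findings"
    fi
    rm -rf "$root"
}

demo
```

Run from cron against the live document root and alert on a non-zero exit; the same manifest works as the acceptance check after rolling an LVM or ZFS snapshot back, confirming the restored tree really is the one that was baselined.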
