HPE Community
Operating System - HP-UX
1821983 Members
3245 Online
109638 Solutions
New Discussion юеВ

Bastille and Protected System Web Server?

 
Norman Dignard
Regular Advisor

тАО12-06-2007 02:02 PM

тАО12-06-2007 02:02 PM

Bastille and Protected System Web Server?

We're going to setup a web server running 11v3 IA64. This is going to host our mid-tier app that accesses a backend db server.

This box is going to be accessed on our intranet as well as the internet.

Can someone tell me what the dirrernces are between Bastille and Protected System Web Server? I can across these in the sw download section.

We're going to need to harden our system but I am not familiar with these are what is required for initial Os install.
0 Kudos
Reply
2 REPLIES 2
Matti_Kurkela
Honored Contributor

тАО12-06-2007 03:39 PM

тАО12-06-2007 03:39 PM

Re: Bastille and Protected System Web Server?

Bastille is a tool for generic system hardening at a basic-to-intermediate level.

Protected System Web Server (PS-Webserver) is a specific package for advanced-level hardening of a web server running Apache, Tomcat, CGI programs and/or Web proxies. To successfully use it, you should become familiar with the Security Containment and RBAC features of the operating system (optional in 11i v2, included in 11iv3 and mandatory with PS-Webserver).

If you're intending to use PS-Webserver, read the documentation and prepare to spend significant time in planning your setup. To get the most out of the compartmentalization scheme, you must understand in detail how the requests flow from one component of your web application to another, so that you can define the appropriate compartments and access rules for each component.

PS-Webserver is *not* a magic wand that makes your system secure: it is a kit of professional power tools that allows you to build a very secure web server... or to shoot yourself in the foot with a high-caliber slug.

If you don't understand _and plan for_ the requirements of the PS-Webserver, you may end up doing the equivalent of "chmod 777" to make the application work. Of course, this negates all the additional protection a properly configured PS-Webserver might offer.

You'll want your application designed so that the requests coming from the client-side compartments are as well-defined and restricted as possible. The idea of the compartmentalization is to severely limit the things the intruder can do *when* one compartment is compromised.

For example, the static content of your webpages (images, stylesheets etc.) should be placed so that the primary Apache compartment has no write access to it.

If an intruder gains access to the Apache compartment (by some new Apache exploit, for example), he/she still has no way to deface your web site, even if he/she uses further exploits to gain root access within the compartment... and the presence of root-level processes in the Apache compartment is a good condition for triggering an automatic intrusion alarm.

Disclaimer: I have not used the PS-Webserver, but a quick look through the administration manual in docs.hp.com suggests it has many of the features of the VirtualVault HP-UX 11.04, a special high-security version of 11.00. I maintained some VirtualVault servers for several years, through two major software upgrades.

MK
MK
0 Kudos
Reply
Keith Buck
Respected Contributor

тАО12-17-2007 08:43 AM

тАО12-17-2007 08:43 AM

Re: Bastille and Protected System Web Server?

Bastille is a general purpose hardening tool with a GUI question/answer format that walks you through the hardening process including tradeoffs. You should be able to safely (i.e. no application breakages) use Bastille just by erring on the conservative side and answering "No" to not make the system more secure.

If I remember correctly, PS-Webserver uses the Bastille backend to do many of the required hardening steps specific to a webserver, and adds some layers on top of that.

Hope that helps.

-Keith
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.