Free Web Server Protection: Build a Managed Security Solution with Open Source Tools

Designing a managed security solution (MSS) for your Web servers will cost you, but it doesn’t have to be money. Time and diligence are the only things you need to expend when you deploy various freely available tools that you can use to build your Web server MSS.

Port Scanners
First of all, to build a complete MSS you need to be aware of any unauthorized activity on your network and your Web servers. Use port scanners to footprint your environment and determine whether you’ve left doors open to intruders via the Web. These scanners detect rogue machines running on your server and even rogue servers running on your network by initiating TCP connections to the ports and IP address ranges that you specify and checking whether each port has an open connection.

Make sure you specify only the ports that make sense for you on your target scan list. You probably don’t want to scan the entire range of 65,535 available ports, so limit your target range to the ones that most concern you (e.g., ports 80, 8080, 443, and 3128 are common Web-related services ports).

The port scanners will return a wealth of data. Some of them can identify the operating system running on a target machine or even retrieve the banner off a connected, but unauthorized, server. However, the most useful information a scanner will produce for security purposes is server IP addresses, corresponding open ports, and banners from the servers. With these three pieces of data, you can gain a big picture understanding of the Web-related activity on your network.

The following is a list of freely available port scanners you can download and implement in your managed security solution:

  • Nmap: Nmap is the best-known port scanner. It can perform various scans, identify a target machine’s operating system, and even tell you whether the TCP ISN it generates is random enough for strong security. Nmap runs on both Windows and Unix platforms, but it does not retrieve the port banner.
  • FScan and SuperScan: FScan is a small, fast command-line tool that runs only on the Windows platform. It grabs banners, if any exist. SuperScan is also a free scanner that runs on Windows. It offers a graphical user interface through which you control your scans and view your results.
  • Nessus: Nessus is more than just a port scanner. It scans for client/server architecture vulnerabilities as well. You can use it as a port scanner to scan your specified IP range and port, and then run it as a vulnerability scanner afterwards.
  • WotWeb: This small tool, written and released freely by Robin Keir, not only scans ports but also generates a list of IP addresses, open ports, and the banners it grabs from open ports. Because its results are in ASCII format, you can easily import them into a spreadsheet for future reference.

What’s It All Mean?
You have to understand your port scanner’s output format so you can grab just the information you need. For example, with FScan, you can use the ‘-o’ switch to generate its output to a text file. When it detects an open port on a certain host, the following result would be shown:

10.0.0.31          80/tcp     HTTP/1.1 400 Bad Request[0D][0A]Server: Microsoft-IIS/4.0[0D][0A]Date: Mon, 15 Oct 2001 20:04:00 GMT[0D][0A]Content-Type: text/HTML[0D][0A]Content-Length: 87[0D][0A][0D][0A]ErrorThe parameter is incorrect.

The first line displays the IP address and the port number (80 in this case). Now you can extract the information you need using this regular expression:

 ([\d.]+)\s+(\d+)/tcp

The first variable will be the IP address, and the second will be the port number. You will then have a list of servers and the ports open on them. The same method can be applied to the other port scanners.
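
As an added example (not code from the original article), the following Python sketch applies that regular expression to scanner output in the layout shown above, pulls the Server banner out of each line, and reports listeners that are missing from an inventory. The sample lines and the AUTHORIZED inventory are constructed for illustration, and the function names are hypothetical.

```python
import re

# The article's regex, extended with a trailing group that captures the banner text.
LINE_RE = re.compile(r"^\s*([\d.]+)\s+(\d+)/tcp\s*(.*)$")
# The banner uses [0D][0A] tokens in place of CR/LF, so stop at either token.
SERVER_RE = re.compile(r"Server:\s*(.+?)(?:\[0D\]|\[0A\]|$)")

# Constructed sample in the layout shown above; not real scan data.
SAMPLE = """\
10.0.0.31          80/tcp     HTTP/1.1 400 Bad Request[0D][0A]Server: Microsoft-IIS/4.0[0D][0A]Content-Type: text/HTML[0D][0A]
10.0.0.31          443/tcp
10.0.0.57          8080/tcp   HTTP/1.0 200 OK[0D][0A]Server: Apache/1.3.20 (Unix)[0D][0A]
-- constructed non-result line that the parser must skip --
"""

# Hypothetical inventory of the (ip, port) listeners you expect to find.
AUTHORIZED = {("10.0.0.31", 80), ("10.0.0.31", 443)}


def parse_scan(text):
    """Return (ip, port, server_banner_or_None) for every open-port line."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, footers and blank lines carry no result
        ip, port, banner = m.group(1), int(m.group(2)), m.group(3)
        server = SERVER_RE.search(banner)
        results.append((ip, port, server.group(1).strip() if server else None))
    return results


def unauthorized(results, allowed):
    """Listeners the scan found that are absent from the inventory."""
    return [r for r in results if (r[0], r[1]) not in allowed]


if __name__ == "__main__":
    for ip, port, server in unauthorized(parse_scan(SAMPLE), AUTHORIZED):
        print(f"unexpected listener {ip}:{port} banner={server or 'none'}")
```
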

Intrusion Detection System
An intrusion detection system (IDS) can’t block an attack on your Web server, but it helps you understand what kind of attacks your Web servers face every day by logging every intrusion attempt in data files. The most popular free IDS is Snort, and with a little manipulation, you can have it monitor only Web-related attacks. By limiting Snort’s rules or signature files before deploying it, you can keep watch over your Web servers. The following files contain the rules you need to look into:
  • web-cgi.rules
  • web-coldfusion.rules
  • web-frontpage.rules
  • web-iis.rules
  • web-misc.rules

You can include only these rule files or edit them even more to fit your needs (e.g., if you don’t have ColdFusion, why bother to have rules for ColdFusion?), and then deploy your IDS just for your Web servers. By limiting the rules you also increase the amount of data the IDS can process, which is very important when you have large network bandwidth or a server farm.

After you’ve deployed the Snort IDS, you can use ACID (Analysis Console for Intrusion Databases) or snortsnarf to generate reports from your Snort log files.

Keep Your Security Up to Date
One thing you need to keep in mind regarding an MSS is that the number of security vulnerabilities you will contend with only increases as time moves forward. You have to keep your Web servers and their security up to date. Presumably, you update your Web servers whenever a vendor vulnerability advisory is published, but you shouldn’t rely only on your diligence for keeping up with these advisories. You also need to verify that your servers have the most recent patches and the most up-to-date security configurations.

If you are running Microsoft IIS on your Web servers, you can download and use two free tools Microsoft has developed to secure your servers: Network Security Hotfix Checker (HFNetChk) and IIS Lockdown Tool. HFNetChk checks the servers for missing IIS patches, while the IIS Lockdown Tool turns off “unnecessary features” that attackers could exploit for attacks. Because HFNetChk produces its results in raw text format, another free tool, Hotfix Reporter, converts them into HTML with links to the missing patches and additional information. You should run these tools on your test systems before applying them to your production systems to avoid any unexpected results.

If you are an Apache user, you won’t find any tools equivalent to HFNetChk or the IIS Lockdown Tool for your servers. One possible reason is that most of the vulnerabilities you’ll face are on the application level (e.g., PHP) rather than on the Apache server itself. But you can still refer to the Apache Security Tips for Server Configuration page.

Know Your Enemy and Yourself
Building a complete solution to manage your Web server security will take some time, but it doesn’t have to cost money with the open source tools currently available. By learning how to apply and use these tools, you not only will gain a better assessment of the risks your Web servers or even your corporate network are facing, you probably also will learn what a malicious Internet user can do to your systems with these same tools. Armed with the data from your scanners, IDS, and server-monitoring tools, you will know yourself and your enemy better, thereby having better knowledge about what you should improve and what you should monitor closely. Your MSS will grow from that knowledge. As the “Art of War” by Sun Tzu says: “If you know the enemy and know yourself, you need not fear the result of a hundred battles.”
