
Notes:
Server security is concerned with making sure that those systems that do provide services, either to local users or the Internet at large, do so in a safe manner. Site security may be compromised by a poorly configured server, whether or not data encryption or firewall systems are in place. The job of network administration has been greatly complicated by the arrival of many new kinds of service and demands from users (and management) that they should be run in an open and flexible manner.
At one time all the servers that were required to run an Internet site were delivered with the operating system itself (Unix) by the manufacturer. Often they originated from the same source tree (probably a student project at Berkeley university). This meant that if security holes were identified, fixes were applied by the manufacturer in the next release.
The arrival of services such as Gopher and especially the World Wide Web has brought a vast number of competing products. These may be written by inexperienced programmers with limited knowledge of security. Certainly very few will be written with reference to a trusted computing base (see the DoD rainbow books). Competition means that untested products get released directly to market. The inclusion of gateways to local programs introduces a whole range of new problems, especially as many writers of gateway code are undertaking their first programming project. To illustrate the size of this problem, over a 4-week period in Feb/March 1997 a dozen serious security flaws were reported in Microsoft’s Internet products alone, and Microsoft is by no means the only transgressor.