Guidelines on securing public web servers

Tracy, Miles C.; Jansen, Wayne; Scarfone, Karen; Winograd, Theodore

doi:10.6028/nist.sp.800-44ver2

Cited by 11 publications

(11 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Conforming to best practice provides confidence that a security policy is upheld. For example, the National Institute of Standards and Technology (NIST) provide a set of recommended guidelines for securing public Web servers [64], recommending that "all traffic between the Internet and Web server" should be controlled and that "all inbound traffic to the Web server except traffic which is required, such as TCP ports 80 (HTTP) and/or 443 (HTTPS)" should be denied.…”

Section: Best Practice Cataloguesmentioning

confidence: 99%

“…. and is configured to perform the following" [64]. The RFC2119-style classification provides a basis with which to construct a concept hierarchy of best practice recommendations (firewall rules).…”

Section: Classification Of Best Practice Recommendationsmentioning

confidence: 99%

“…Best practice standards for network access control, including PCI-DSS [12] for systems that process credit card information, NIST for secure Webservers [64] and Internet RFCs for anti-bogon [35] have been encoded as Semantic Threat Graphs, providing a basis for firewall (iptables [28] and TCP-Wrapper [66]) configuration recommendations for known threats [22]. For the purposes of illustration in this paper the Semantic Threat Graph encoding of a fragment of NIST-800-41 [67], depicted in Table 1, is considered.…”

Section: Semantic Threat Graphs For Best Practice Standardsmentioning

confidence: 99%

“…For example, bogon firewall rules [35,49,67] are best-practice protection against spoofing-threats for internal servers and end-user workstations, while NIST recommend multiple countermeasures over an n-tier network hosting a Web-server [64]. This knowledge-base is searchable-a suitable countermeasure can be found for a given threat-and provides the basis for autonomic security configuration.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Management of security policy configuration using a Semantic Threat Graph approach

Foley

Fitzgerald

2011

JCS

View full text Add to dashboard Cite

Managing the configuration of heterogeneous enterprise security mechanisms is a complex task. The effectiveness of a configuration may be constrained by poor understanding and/or management of the overall security policy requirements, which may, in turn, unnecessarily expose the enterprise to known threats. This paper proposes a threat management based approach, whereby knowledge about the effectiveness of mitigating countermeasures is used to guide the autonomic configuration of security mechanisms. This knowledge is modeled in terms of Semantic Threat Graphs, a variation of the traditional Threat/Attack Tree, extended in order to relate semantic information about security configuration with threats, vulnerabilities and countermeasures. An ontology-based approach to representing and reasoning over this knowledge is taken. A case study based on Network Access Controls demonstrates how threats can be analysed and how automated configuration recommendations can be made based on catalogues of countermeasures. These countermeasures are drawn from best-practice standards, including NIST, IETF and PCI-DSS recommendations for firewall configuration.

show abstract

Section: Best Practice Cataloguesmentioning

confidence: 99%

Section: Classification Of Best Practice Recommendationsmentioning

confidence: 99%

Section: Semantic Threat Graphs For Best Practice Standardsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Management of security policy configuration using a Semantic Threat Graph approach

Foley

Fitzgerald

2011

JCS

View full text Add to dashboard Cite

show abstract

“…For example, bogon firewall rules [11,12,13] are best-practice protection against spoofing-threats for internal servers and end-user workstations, while NIST recommend multiple countermeasures over an n-tier network hosting a Web-server [14]. This knowledge-base is searchable-a suitable countermeasure/policy can be found for a given threatand provides the basis for autonomic security configuration.…”

Section: Introductionmentioning

confidence: 99%

An Approach to Security Policy Configuration Using Semantic Threat Graphs

Foley

Fitzgerald

2009

Data and Applications Security XXIII

View full text Add to dashboard Cite

Abstract. Managing the configuration of heterogeneous enterprise security mechanisms is a wholly complex task. The effectiveness of a configuration may be constrained by poor understanding and/or management of the overall security policy requirements, which may, in turn, unnecessarily expose the enterprise to known threats. This paper proposes a threat management approach, whereby knowledge about the effectiveness of mitigating countermeasures is used to guide the autonomic configuration of security mechanisms. This knowledge is modeled in terms of Semantic Threat Graphs, a variation of the traditional Threat/Attack Tree, extended in order to relate semantic information about security configuration with threats, vulnerabilities and countermeasures. An ontology-based approach to representing and reasoning over this knowledge is taken. A case study on Network Access Controls demonstrates how threats can be analyzed and how automated configuration recommendations can be made based on catalogues of best-practice countermeasures.

show abstract

World Wide Web Security

Nielson

2023

Discovering Cybersecurity

View full text Add to dashboard Cite

Guidelines on securing public web servers

Cited by 11 publications

References 12 publications

Management of security policy configuration using a Semantic Threat Graph approach

Management of security policy configuration using a Semantic Threat Graph approach

An Approach to Security Policy Configuration Using Semantic Threat Graphs

World Wide Web Security

Contact Info

Product

Resources

About