IT Baseline Protection Manual - Chapter 7.5 WWW server

7.5 WWW-Server

Description

A WWW server is an IT system that holds an information database and supplies files to WWW clients. A WWW client, also called a browser, displays the information obtained from a WWW server on the user's computer. The best-known browsers are Mosaic, Netscape, Internet Explorer, HotJava and Lynx. When the user tells the browser (e.g. with a mouse click) which document to fetch, the program opens a network connection to the corresponding WWW server. The server then sends the requested document over the network to the client, which displays it on the screen or prints it.

The WWW service is based on HTML (Hypertext Markup Language), a simple markup language (not a programming language) that describes the formatting of text (headings, indentation, bold or italic passages) and embeds images and even video and audio sequences. Individual documents are linked through what are known as hyperlinks. A hyperlink can point to another document on the same WWW server or on another WWW server, to another section of the same text, to an image or something similar. Such links are normally marked in the text, usually by underlining or a different colour. Images and other embedded elements can also act as hyperlinks. The address of a WWW document (text, image, etc.) is its URL (Uniform Resource Locator). WWW
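The exchange described above, as an added illustration (constructed here, not code from the manual or from any product it names): a minimal HTTP/1.0 request handler that maps the requested URL path onto a file under a document root and returns that document, which is all a file-serving WWW server of the kind described does. Because such a server hands out whatever the path resolves to, the one check it must never skip is that the resolved file still lies inside the document root; the example therefore rejects `..` components, percent-encoded dots and symbolic links pointing outside it, answers only GET and HEAD, and produces no directory listings. The content-type table, the sample pages and the `secret.txt` file placed beside the document root are constructed for the example and are assumptions, not something the manual specifies.

```python
import os
import tempfile
from urllib.parse import unquote, urlsplit

# Assumed, not from the manual: the handful of content types a small
# file-serving WWW server needs. Anything else is sent as an opaque stream.
CONTENT_TYPES = {
    ".html": "text/html",
    ".htm": "text/html",
    ".txt": "text/plain",
    ".gif": "image/gif",
    ".jpg": "image/jpeg",
}

REASONS = {
    200: "OK",
    400: "Bad Request",
    403: "Forbidden",
    404: "Not Found",
    405: "Method Not Allowed",
}


def resolve_document(docroot, url_path):
    """Map a URL path onto a file under docroot.

    Returns the absolute file path, or None when the request would reach
    outside the document root (.. components, percent-encoded dots, or a
    symbolic link inside the root that points elsewhere).
    """
    root = os.path.realpath(docroot)
    path = unquote(urlsplit(url_path).path)   # drop ?query/#fragment, decode %2e%2e
    if "\x00" in path:
        return None                            # an embedded NUL never names a real document
    if path.endswith("/"):
        path += "index.html"                   # directory request -> index document, never a listing
    candidate = os.path.realpath(os.path.join(root, path.lstrip("/")))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None                            # canonical path escaped the document root
    return candidate


def build_response(status, body=b"", content_type="text/plain", head_only=False):
    """Assemble an HTTP/1.0 response; a HEAD request gets the headers only."""
    head = (
        f"HTTP/1.0 {status} {REASONS[status]}\r\n"
        f"Content-Type: {content_type}\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode("ascii")
    return head if head_only else head + body


def handle_request(request, docroot):
    """Answer one raw HTTP/1.0 request (bytes) with the response bytes."""
    try:
        request_line = request.split(b"\r\n", 1)[0].decode("ascii")
        method, target, version = request_line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return build_response(400, b"malformed request line\n")
    if not version.startswith("HTTP/") or not target.startswith("/"):
        return build_response(400, b"malformed request line\n")
    if method not in ("GET", "HEAD"):
        # A pure file server answers nothing but GET/HEAD; everything else is refused.
        return build_response(405, b"method not allowed\n")
    try:
        file_path = resolve_document(docroot, target)
    except ValueError:                         # urlsplit rejects some malformed targets
        return build_response(400, b"malformed request target\n")
    if file_path is None:
        return build_response(403, b"forbidden\n")
    if not os.path.isfile(file_path):
        return build_response(404, b"not found\n")
    with open(file_path, "rb") as fh:
        body = fh.read()
    ctype = CONTENT_TYPES.get(os.path.splitext(file_path)[1].lower(), "application/octet-stream")
    return build_response(200, body, ctype, head_only=(method == "HEAD"))


def make_sample_docroot():
    """Constructed sample data: a document root holding two pages, plus a
    file lying beside (outside) the root that must never be served."""
    base = tempfile.mkdtemp(prefix="www-example-")
    docroot = os.path.join(base, "htdocs")
    os.makedirs(os.path.join(docroot, "docs"))
    with open(os.path.join(docroot, "index.html"), "wb") as fh:
        fh.write(b'<html><body><a href="docs/intro.html">Intro</a></body></html>\n')
    with open(os.path.join(docroot, "docs", "intro.html"), "wb") as fh:
        fh.write(b"<html><body>Welcome</body></html>\n")
    with open(os.path.join(base, "secret.txt"), "wb") as fh:
        fh.write(b"not for the WWW\n")
    return docroot


def status_of(response):
    """Status code of a response produced by handle_request."""
    return int(response.split(b" ", 2)[1])


if __name__ == "__main__":
    root = make_sample_docroot()
    for line in (b"GET / HTTP/1.0", b"GET /docs/intro.html HTTP/1.0",
                 b"GET /../secret.txt HTTP/1.0", b"GET /%2e%2e/secret.txt HTTP/1.0",
                 b"GET /missing.html HTTP/1.0", b"POST / HTTP/1.0", b"garbage"):
        print(line.decode(), "->", status_of(handle_request(line + b"\r\n\r\n", root)))
```

The confinement check in `resolve_document` is made on the canonical path (`os.path.realpath`) rather than on the request string, so a symbolic link inside the document root that points elsewhere is refused just like `/../`. Running the block prints the status for a handful of requests, two of which try to reach `secret.txt`; wrapping `handle_request` in a `socketserver` loop to talk to real browsers is left out.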

The security of WWW use is mainly based on

In order to secure a WWW server, it must be ensured that

Threat Scenario

For baseline protection, the following threats are seen as typical for a WWW server:

Organisational Shortcomings:

Human Failure:

Technical Failure:

Deliberate Acts:

Recommended countermeasures (S)

For the implementation of IT baseline protection, selection of the required packages of safeguards ("modules"), as described in chapters 2.3 and 2.4, is recommended.

In this chapter, only the threats and safeguards specific to a WWW server are described. In addition, chapter 6.1 Server-supported Network must be implemented to ensure the security of the organisation's own network.

In order to ensure that the connection of the WWW server to public networks (such as the Internet) is secure, attention should be paid to chapter 7.3 Firewall. The same applies when several Intranets are joined into one larger Intranet. The controlled connection of external access points (e.g. of telecommuting workstations via ISDN) is dealt with in chapter 9.3 Telecommuting.

A WWW server should be installed in a separate server room. The appropriate safeguards are described in Chapter 4.3.2. If no server room is available, the WWW server can alternatively be set up in a server cabinet (see chapter 4.4 Protective Cabinets).

In order to set up a WWW server successfully and securely, a number of safeguards must be implemented. The steps and measures involved are described below:

1. Creating a concept for the WWW server (see S 2.172 Developing a concept for using the WWW) and determining a WWW security strategy (see S 2.173 Determining a WWW security strategy):

2. Implementing the WWW server (see S 2.175 Setting up a WWW server):

3. Operating the WWW server (see S 2.174 Secure operation of a WWW server):

6. Secure operation of WWW clients

Alongside the safeguards described in chapter 5, the additional safeguards outlined in S 5.45 Security of WWW browsers should be observed.

The following describes the safeguards for the area "WWW server". To avoid redundancy, safeguards from other chapters are not repeated here.

Organisation:

Personnel:

Hardware/Software:

Communications:


© Copyright by Bundesamt für Sicherheit in der Informationstechnik
Last update: July 1999