[rescue] Hosting a WWW server at home?

Loomis, Rip rescue at sunhelp.org
Mon Dec 10 09:18:46 CST 2001


Michael--

> A friend asked me to locate his WWW server at my house. I can get a
> business DSL connection from my existing ISP. The traffic will be low,
> so a 384Kb DSL will probably be fine. The ISP will put a baby router
> at my house.
I'm going to assume that the 384k "business DSL" is an SDSL
line.  If not, you might want to look into SDSL as opposed
to ADSL/RADSL, since most of the web server bandwidth you'll
need is outbound.
  
> I was thinking of using NetBSD on a SPARC LX for a firewall. Is that
> reasonable?
If all you want is stateful packet filtering, then you can
use NetBSD (with integral IPFilter), OpenBSD 2.9 (after upgrading
its IPFilter), or OpenBSD 3.0 (with the new "pf").  I'm testing
OpenBSD 3.0 with pf as a stateful packet filter in a low-end
production environment, and it works fine so far (now that I've
figured out that NAT'd interfaces are handled a little differently
than IPFilter).  Pick your poison.

If you're going to be hosting two web servers *and* using the
DSL line for your own connectivity, you may want to put the
web servers in a DMZ-type setup.  That way if they get compromised,
they can't be used to sniff/attack your other local systems.
(If I were doing something similar, I would split things up
this way--preferably by using a firewall box with at least
three network interfaces.)  You can play some neat tricks
using IPFilter/PF as a firewalling bridge.

Note also that IPFilter/PF don't do anything intrinsically to
protect you against attacks in HTTP requests.  For that, you
need an application-layer gateway A/K/A proxy firewall.  If
this were a non-commercial application, I would recommend
that you look at the HTTP proxy (http-gw) portions of FWTK.
  http://www.fwtk.org
as a free (beer) solution.  For a commercial installation
(which this is, I have no doubt), FWTK isn't a legal
option.

Note that FWTK was a great tool when it started, and the
foundation of the Gauntlet firewall, and that it's still being
maintained on a volunteer basis...but getting http-gw up-and-running
to provide useful protection would take some non-trivial
care and feeding.  At the same time, I'm not aware of any
completely-free (usable for a commercial installation without
cost) HTTP proxies that enforce suitable security etc.  You
could do certain things with junkbuster or squid, but those
don't really grok the content of the HTTP requests.  SOCKS
is another firewalling tool, but again it doesn't really
understand content.  If you want a HTTP proxy that will actually
provide useful protection against common attack methods
(within "standard" HTTP requests), it would appear to be
something that costs Real Money.

Your best bet may be to combine the stateful packet filter
with the DMZ architecture and a good IDS (snort should do).
Set up some reasonable status monitoring, and set it up
to page you.  Using packet filtering instead of application
proxies will help your network performance (throughput/
latency) as well, which is why a lot of major websites
don't bother with proxies.

Of course, there are still all the other concerns of
hosting--A/C, reliable power supply, out-of-band/secure
remote administration, etc.  You'll also want to ensure
that the web server boxes are themselves patched, locked
down, and generally suitable for production use.  One poorly
written CGI script, combined with a couple of missing patches,
can spell doom.

Good luck and let me know how it turns out...I've been
approached to do something similar, but I've always
turned such things down for fear of being more enslaved
by my basement than I already am.

--
Rip Loomis
Senior Systems Security Engineer
SAIC Center for Information Security Technology 
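As an added illustration of the three-interface stateful-filter/DMZ layout Rip describes (not code from the original post or from the rescue list), here is a pf.conf for that split. It uses current pf.conf syntax rather than the OpenBSD 3.0 dialect he was testing, and the interface names, RFC 1918 address ranges and host addresses are assumptions chosen for the example.

```pf
# Three-interface OpenBSD firewall: DSL side, home LAN, and a DMZ holding
# the hosted web servers.  All names/addresses below are example values.
ext_if = "fxp0"                       # DSL router side, single public address
lan_if = "fxp1"                       # home LAN
dmz_if = "fxp2"                       # DMZ for the hosted web servers
lan_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"
web_a   = "192.168.2.10"              # first hosted web server
web_b   = "192.168.2.11"              # second hosted web server
admin   = "192.168.1.5"               # the one LAN box allowed to ssh into the DMZ

set skip on lo0
set block-policy drop                 # silently drop rather than RST/ICMP back

# Normalise packets before any rule sees them.
match in all scrub (no-df)

# Everything behind the box shares the one public address on the way out.
match out on $ext_if from { $lan_net, $dmz_net } to any nat-to ($ext_if)

# One public IP, so the second server is reached on an alternate port.
match in on $ext_if proto tcp to ($ext_if) port 80   rdr-to $web_a port 80
match in on $ext_if proto tcp to ($ext_if) port 8080 rdr-to $web_b port 80

# Default deny on every interface, logged, plus spoofing protection.
block log all
antispoof quick for { $ext_if, $lan_if, $dmz_if }

# Internet -> DMZ: only HTTP to the web servers (addresses already rewritten).
pass in on $ext_if proto tcp to { $web_a, $web_b } port 80 keep state

# LAN -> Internet: home users browse freely; state lets replies back in.
pass in on $lan_if from $lan_net to ! $dmz_net keep state

# LAN -> DMZ: only the admin host, and only ssh.  Nothing else crosses.
pass in on $lan_if proto tcp from $admin to $dmz_net port 22 keep state

# DMZ -> Internet: just what a patched web server needs (DNS, NTP, updates).
pass in on $dmz_if proto udp from $dmz_net to ! $lan_net port { 53, 123 } keep state
pass in on $dmz_if proto tcp from $dmz_net to ! $lan_net port { 80, 443 } keep state

# DMZ -> LAN: explicitly blocked and logged.  A compromised web server gets
# no path back into the house; the log line is what your IDS/pager watches.
block log quick on $dmz_if from $dmz_net to $lan_net

# Outbound on the external side is allowed for flows that already passed in.
pass out on $ext_if keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the rules as pf actually parsed them.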



More information about the rescue mailing list