Computer Protection Program Berkeley Lab
Ernest Orlando Lawrence Berkeley National Laboratory
POLICY GUIDELINES
Web Server Registration

Last update: November 4, 2008


Quick Start

To register a web server visit the Web Server Registration page, which is only available from on-site.

Only registered web servers are visible from the Internet. If your web server does not need to be visible from the Internet, it does not need to register.

Please be aware of Web Server Security Expectations and guidelines for Moderating Web Server Content.

Terminology

For the purposes of this policy, we use the following definitions:

  • web traffic - network traffic on tcp port 80 or tcp port 443
  • web server - any device that accepts web traffic, that is, that listens on tcp port 80, normally for the HTTP protocol, or tcp port 443, normally for the HTTPS protocol
  • internet - any address space outside of 131.243.* and 128.3.*. (Note that this includes the address space of organizations closely affiliated with Berkeley Lab, such as NERSC, ESnet, JGI, and others.)
  • intranet - the address space within 131.243.* and 128.3.*
  • Berkeley Lab network - synonymous with intranet

Policy

  • Web servers that wish to accept web traffic from the internet must register.
  • Web servers that only accept intranet web traffic do not need to register at this time.
  • Web server registration only applies to web servers located within the Berkeley Lab network.

Drivers

There are a number of drivers for web server registration:

  • Reduced internet footprint - it is beneficial to reduce the Lab's exposure of unneeded and unmanaged web servers. Examples include printers and cameras, as well as misconfigured and abandoned web servers. Additionally, some web servers only require onsite (intranet) access.
  • Facilitate monitoring - with fewer web servers exposed to the hostile Internet, CPP can focus on monitoring and scanning the exposed web servers. Less noise in monitoring logs and more precise knowledge from scans allow for better protection.
  • Awareness of openness to the Internet - web server owners specifically acknowledge the increased risk of opening their web server to the Internet. This acknowledgement will increase awareness of the risks, thus incentivizing properly securing exposed web servers.

In summary, web server registration is a low cost, low impact activity that has reasonable and specific benefits.

How to Register

In order to register a web server, visit the Web Server Registration page, which is only available from on-site. Log in to this site using your LDAP username and password.

On the first page there are two sections. The first section, "Register a New Web Server", allows you to enter an IP address or hostname and register a new web server. The second part shows "Currently Registered Web Servers". You can use the radio buttons to switch the view between "My web servers" and "All web servers". The former shows all web servers where the person logged in is the primary or secondary contact. The latter shows all web servers that anyone at the lab has registered.

After entering an "IP Address or Hostname" and clicking "Register", you are brought to a second screen which asks for additional details about the web server you are registering. In this form you must enter the Division that owns the web server and a secondary contact. You also need to decide if your web server needs "http" or "http and https" access from the Internet. Optionally you can enter alternative email addresses and notes. Please read the text in the "I Agree" text box and check "I Agree", then click Register. That's it!

After you have registered a web server you will see it appear in the list of registered web servers. You can use the icons to the left of the division column to view, edit, or unregister web servers for which you are the primary or secondary contact.

When a web server for which you are the primary or secondary contact is registered, modified, or unregistered, you will receive an email such as the one below.


Email List for Registration

If you would like to get an email when any web server at the lab is registered, modified, or unregistered you can join the webserver-registration mailing list.

In order to join the webserver-registration mailing list you can use the form located here.

FAQ

Q1: How long after I register will the web server become accessible from the Internet?

Almost immediately, within a few seconds.

Q2: Can I register a DHCP host as a web server?

No. In order to register a web server and have the web server be visible to the Internet, you must acquire a static IP address. Web servers must use static IP addresses per the DHCP perimeter protection rules. You can acquire a static IP address by using the IP Request form.

Q3: Do I need to register all of a web server's virtual hosts and hostnames (i.e. CNAMEs)?

The policy that enforces web server registration only understands IP addresses. Hence, web server registration is essentially IP based. If the computer has multiple name-based virtual hosts or CNAMEs branched from one IP address, only the one IP address needs to register. If the host uses multiple IP addresses, one for each virtual host, all of the IP addresses need to be registered.

Q4: Do I need to register 'HTTP' or 'HTTP and HTTPS'?

It depends. You may have to check with your server administrator or web programmer. The vast majority of web servers at the lab only have HTTP access from the Internet. If you are not sure, you can see if port 443/tcp is open on your web server. If the port is not open, it is unlikely you need HTTPS. CPP can help determine if you need HTTPS access; just let us know.

Q5: How can I confirm my web server is registered?

You can confirm a web server is registered in at least three ways.

1) Use the onestop page at http://netinfo/onestop and examine the reported port exceptions.

Thu Oct 30 17:31:31 PDT 2008
Report for 128.3.9.203
LBL wide area port exceptions: OK (80)

2) Log in to https://register.lbl.gov and list all web servers. Look for the web server in question by hostname or IP.

3) Observe the raw ACL entries at: http://netinfo/acl/er1kgw-acl-bro.txt. They are the entries like: permit tcp any host 128.3.130.31 eq 80
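As an added illustration, not code from this page or from the CPP tools, the following Python ties the Terminology and Policy definitions to the raw ACL check in Q5: it parses entries in the format quoted above, evaluates them the way a router does (first match wins, implicit deny), and reports whether a given client, server and port combination is governed by registration. The ACL sample is constructed, and the "any any" deny shape is an assumption about how the deny rule is written.

```python
import ipaddress
import re

# Lab address space as defined in the Terminology section: 131.243.* and 128.3.*
LAB_NETWORKS = [ipaddress.ip_network("131.243.0.0/16"), ipaddress.ip_network("128.3.0.0/16")]
WEB_PORTS = {80, 443}  # the only ports that web server registration governs

# Constructed sample in the style of the entries quoted in Q5, not the real ACL file;
# the trailing deny lines stand in for the ACL deny rule the timeline dates to Nov 5, 2008.
SAMPLE_ACL = """\
permit tcp any host 128.3.130.31 eq 80
permit tcp any host 128.3.9.203 eq 80
permit tcp any host 128.3.9.203 eq 443
deny tcp any any eq 80
deny tcp any any eq 443
"""
# Only the two shapes above are recognised: "... host <ip> eq <port>" and "... any eq <port>".
ACL_RE = re.compile(r"^(permit|deny)\s+tcp\s+any\s+(?:host\s+(\S+)|any)\s+eq\s+(\d+)$")

def parse_acl(text):
    """Return (action, dest_host_or_None, port) per recognised line; other lines are skipped."""
    matches = (ACL_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), m.group(2), int(m.group(3))) for m in matches if m]

def acl_decision(rules, dest_ip, port):
    """Router-style evaluation: the first matching entry wins; no match is an implicit deny."""
    for action, dest, rule_port in rules:
        if rule_port == port and dest in (None, dest_ip):
            return action
    return "deny"

def registered_ports(rules, server_ip):
    # Which of 80/443 the border ACL permits for this host, i.e. what it is registered for.
    return {p for p in WEB_PORTS if acl_decision(rules, server_ip, p) == "permit"}

def is_lab_address(ip):
    return any(ipaddress.ip_address(ip) in net for net in LAB_NETWORKS)

def check_access(rules, client_ip, server_ip, port):
    """Apply the Policy section: registration only governs 80/443 from the internet to lab hosts."""
    if not is_lab_address(server_ip):
        return "out of scope: server is not on the Berkeley Lab network"
    if is_lab_address(client_ip):
        return "intranet traffic: registration not required"
    if port not in WEB_PORTS:
        return "non-web port: unaffected by web server registration"
    if acl_decision(rules, server_ip, port) == "permit":
        return "registered: border ACL permits this port"
    return "unregistered: border ACL denies this port"
```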

Q6: What about Internet accessibility to other ports on my web server?

Web server registration does not affect any ports besides 80/tcp and 443/tcp. Internet accessibility to all other ports on your web server is unaffected by web server registration. For example, if you want to SSH (22/tcp) to your web server, that access remains unaffected whether or not you register your web server. Keep in mind CPP always recommends you configure your computer for minimum exposure to the Internet, while meeting your business needs.

Q7: What about web servers on non-standard ports?

We recognize that a web server can listen on any port, e.g. a non-standard port. Normally a web server listens on 80/tcp and an SSL-enabled web server listens on port 443/tcp. The case where web servers run on non-standard ports is not addressed by web server registration at this time. If you would like to run a web server on a non-standard port, no registration is required. The cost-benefit calculus for registering web servers on non-standard ports or requiring web servers to use standard ports is not clear.

Q8: I need to run some other application, that is not a web server, on 80/tcp or 443/tcp. Do I need to register?

Yes. If you have some device or application that is not a web server and needs 80/tcp or 443/tcp to be visible from the Internet, it must be registered. For example, if you have a web camera that you control from the Internet via 443/tcp, the camera needs to be registered.

Q9: Will I have to renew the web server registration?

Some type of renewal is necessary otherwise the registration information will become stale. The exact details have not been decided, but annual verification seems to make sense.

Q10: Are registered web servers open to the entire Internet?

Not necessarily. Registration allows traffic to reach a web server through the LBNL border router, but host or local firewalls may further restrict access. CPP recommends and encourages web servers be configured to restrict traffic to the minimum required, commonly referred to as the principle of least privilege. For example, if your web server only needs to be accessed from NERSC, implement local firewall rules that only allow access from NERSC.

Timeline

Completed

  • Feb 15, 2006 - Project proposed to CPP advisory committee (CPIC)
  • June 8, 2007 - Project proposed to Information Technology Advisory Committee (ITAC)
  • Nov 28, 2007 - Project update to CPP advisory committee (CPIC)
  • Feb 20, 2008 - Project update to CPP advisory committee (CPIC)
  • May 21, 2008 - Demo to CPP advisory committee (CPIC)
  • Sep 17, 2008 - Registration site goes live
  • Sep 24, 2008 - IT help desk and MPGS communication
  • Sep 25, 2008 - LBLnet communication
  • Sep 29, 2008 - CIO briefed
  • Sep 29, 2008 - Targeted email to web server contacts (round 1)
  • Oct 3, 2008 - TABL article and Cycom notification
  • Oct 14, 2008 - Cycom notification
  • Oct 7, 2008 - Targeted email to unregistered web server contacts (round 2)
  • Oct 14, 2008 - Targeted email to unregistered web server contacts (round 3)
  • Oct 21, 2008 - Targeted email to unregistered web server contacts (round 4)
  • Oct 26, 2008 - Targeted email to unregistered web server contacts (round 5)
  • Oct 29, 2008 - Targeted email to unregistered web server contacts (round 6)
  • Oct 29, 2008 - CPIC assistance for remaining hosts
  • Oct 29, 2008 - Phone calls placed to remaining host contacts
  • Nov 3, 2008 - Final notifications and phone calls
  • Nov 5, 2008 - Implemented ACL deny rule

Help/Feedback

If you have questions or comments about this website, please contact the CPP group via email at cppm@lbl.gov.

If you need general computer assistance, please contact the LBNL Help Desk at x4357, help@lbl.gov, or online at http://help.lbl.gov.