|
|
HP WebWise MPE/iX Secure Web Server offers secure encrypted communications
between browser and server via the SSL and TLS protocols, as well as strong
authentication of both the server and the browsers via X.509 digital
certificates. HP WebWise MPE/iX Secure Web Server is A.03.00 and is
composed of:
Apache 1.3.22
Mod_ssl 2.8.5 SSL security add-ons for Apache
MM 1.1.3 shared memory library
Openssl 0.9.6b crytographics/SSL library
RSA BSAFE Crypto-C 5.2 cryptographic library (for the RC2. RC4,
RC5, and RSA algorithms)
HP WebWise MPE/iX Secure Web Server is NOT:
NOT a substitute for a firewall (explicitly allow
acceptable connections, etc.)
NOT a substitute for good host security practices (change
default passwords, keep the OS up-to-date, etc.)
NOT a substitute for good application security practices
(use appropriate file and user security, carefully validate all input
data, etc.)
NOT a substitute for good human security practices
(communicate the importance of protecting sensitive or proprietary
data, no password sharing, etc.)
WebWise is just one component in a secure environment and by itself does
nothing to prevent the number one cause of web server break-in events —
poorly written CGI applications. Well-written CGI applications
must rigorously validate every byte of data sent by a browser, and must refuse
to process any input data containing unexpected characters.
New Apache Functionality since 1.3.14
Most of the Apache Software Foundation development work since 1.3.14 consists
of portability enhancements and bug fixes for various problems including
security issues. Some minor new functionality has also been added, as partially
listed below:
A new LogFormat directive of %c to display the connection
status when each request is completed.
mod_auth has been enhanced to allow access to a document to
be controlled, based on the owner of the file being server.
Require file-owner will only allow files to be served where
the authenicated username matches the use that owns the document.
Require file-group works in a similar way checking that the
group matches.
SSLv2.0, SSLv3.0, and TLSv1.0 Protocols
These protocols lie between the HTTP and TCP/IP protocol layers and provide
secure, authenticated, encrypted communications between the HP WebWise MPE/iX
Secure Web Server server and browser clients.
X.509 Digital Certificates
Signed by external trusted Certificate Authorities, X.509 certificates provide
authentication for both the HP WebWise MPE/iX Secure Web Server and browser
clients.
Flexible Encryption Cipher Configuration
HP WebWise MPE/iX Secure Web Server permits you to configure a wide variety of
encryption ciphers, ranging from high-grade domestic-only algorithms to
algorithms suitable for export.
Additional Log Files
Two new log files, ssl_engine_log and ssl_request_log, allow
you to log various events associated with secure web requests.
|