Guidelines on Securing Public Web Servers
7.  Authentication and Encryption Technologies  
Public Web servers often support a range of technologies for identifying and authenticating 
users with differing privileges for accessing information.  Some of these technologies are 
based on cryptographic functions that can provide an encrypted channel between a Web 
browser client and a Web server that supports encryption.   
Without user authentication, organizations will not be able to restrict access to specific 
information to authorized users.  All information that resides on a public Web server will then 
be accessible by anyone with access to the server.  In addition, without some process to 
authenticate the server, users of the public Web server will not be able to determine if the 
server is the authentic Web server or a counterfeit version operated by a malicious entity.
Encryption can be used to protect information traversing the connection between a Web 
browser client and a public Web server.  Without encryption, anyone with access to the 
network traffic can determine, and possibly alter, the content of sensitive information, even if 
the user accessing the information has been authenticated carefully.  This may violate the 
confidentiality and integrity of critical information. 
7.1  Determining Authentication and Encryption Requirements 
Organizations should periodically examine all information accessible on the public Web server 
and determine the necessary security requirements.  While doing so, the organization should 
identify information that shares the same security and protection requirements.  For sensitive 
information, the organization should determine the users or user groups that should have 
access to each set of resources.  
For information that requires some level of user authentication, the organization should 
determine which of the following technologies or methods would provide the appropriate level 
of authentication and encryption.  Each has its own unique benefits and costs that should be 
weighed carefully with client and organizational requirements and policies.  It may be 
desirable to use some authentication methods in combination.   
7.2  Address-Based Authentication 
The simplest authentication mechanism that is supported by most Web servers is address-
based authentication.  Access control is based on the Internet Protocol (IP) address and/or host 
name of the host requesting information.  Although easy to implement for small groups of 
users, address authentication can be unwieldy for Web sites that have a large potential user 
population (i.e., most public Web servers).  It is susceptible to several types of attacks, 
including IP spoofing and Domain Name System (DNS) poisoning; host-name rules in particular 
depend on reverse DNS lookups that an attacker controlling the relevant DNS zone can forge.  
When the Web server sits behind a load balancer or reverse proxy, the address it sees is that 
of the proxy, and any client-supplied forwarding header must not be trusted as the client's 
address unless it was set by a proxy the organization controls.  This type of 
authentication should be used only where minimal security is required, unless it is used in 
conjunction with stronger authentication methods.   
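The following is an added example, not code from the original guideline, showing address-based access control as described above and one of the spoofing paths it is exposed to. It goes slightly beyond the text: besides matching the requesting address against an allowlist, it contrasts a weak resolver that believes any X-Forwarded-For header with a hardened one that honors the header only when the TCP peer is a trusted proxy. All addresses are constructed: the allowlisted networks are RFC 5737/RFC 3849 documentation ranges and the proxy address 10.0.0.5 is a hypothetical internal load balancer.

```python
import ipaddress

# Constructed example data (not from the original document): the allowlisted
# client networks are documentation ranges, and TRUSTED_PROXIES holds a
# hypothetical internal reverse proxy that appends X-Forwarded-For.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def is_allowed(addr: str) -> bool:
    """Address-based authentication: permit only addresses inside ALLOWED_NETWORKS.
    Unparseable input is denied rather than guessed at."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_NETWORKS)


def naive_client_ip(peer_addr: str, headers: dict) -> str:
    """Weak resolver: believes X-Forwarded-For from any peer, so a client that
    connects directly can claim any address by sending the header itself."""
    first = headers.get("x-forwarded-for", "").split(",")[0].strip()
    return first or peer_addr


def client_ip(peer_addr: str, headers: dict) -> str:
    """Hardened resolver: the header is used only when the TCP peer is one of our
    own proxies, and then only the right-most address that a trusted proxy
    appended counts; anything further left was supplied by the client."""
    peer = ipaddress.ip_address(peer_addr)
    if peer not in TRUSTED_PROXIES:
        return peer_addr  # direct connection: the header is untrusted input
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed header: fall back to the proxy's own address, which is
            # not in the allowlist, so the request is denied.
            return peer_addr
        if ip not in TRUSTED_PROXIES:
            return str(ip)
    return peer_addr


def decide(peer_addr: str, headers: dict, hardened: bool = True) -> str:
    """Return 'allow' or 'deny' for a request seen from peer_addr with headers."""
    resolver = client_ip if hardened else naive_client_ip
    return "allow" if is_allowed(resolver(peer_addr, headers)) else "deny"


if __name__ == "__main__":
    # An outside host connects directly and forges the forwarding header.
    forged = {"x-forwarded-for": "203.0.113.10"}
    print(decide("198.51.100.7", forged, hardened=False))  # allow (spoofed)
    print(decide("198.51.100.7", forged, hardened=True))   # deny
    # The same attacker behind our proxy, which appended the real peer address.
    via_proxy = {"x-forwarded-for": "203.0.113.10, 198.51.100.7"}
    print(decide("10.0.0.5", via_proxy, hardened=False))  # allow (spoofed)
    print(decide("10.0.0.5", via_proxy, hardened=True))   # deny
```

The hardened resolver still only authenticates the address a trusted proxy saw; it does nothing against spoofing or hijacking of that address on the network path, which is why the guideline recommends pairing address-based rules with a stronger method.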
7.3  Basic Authentication 
The basic authentication technology uses the Web server content's directory structure.  
Typically, all files in the same directory are configured with the same access privileges.  A 
requesting user provides a recognized user identification and password for access to files in a 