Computer Protection Program Berkeley Lab
Ernest Orlando Lawrence Berkeley National Laboratory
  POLICY GUIDELINES  
Web Server Registration  

Date of last update: May 29, 2008

_____________

Quick Start

Only registered web servers are visible from the Internet. To register a web server visit the Web Server Registration site.

If your web server does not need to be visible from the Internet, it does not need to register.

Please be aware of Web Server Security Expectations and guidelines for Moderating Web Server Content.

Overview

Beginning on August 1, 2008 (tentatively), web servers must register in order to be visible from the Internet.

By default, web servers that are not registered have the common web ports 80/tcp and 443/tcp denied from the Internet. Web server owners wanting their web server to be accessible from the Internet must register at the web server registration website. At the registration website the owner specifies the host they wish to be accessible, and the web server becomes accessible from the Internet in real time. The owner who registered the web server, or authorized staff, can unregister the web server, thus removing its accessibility from the Internet.

Terminology

The term web server can be used in various ways. For the purposes of this site a web server is defined as a device that listens on TCP port 80, normally for the HTTP protocol, or TCP port 443, normally for the HTTPS protocol.

Web servers not accepting port 80 or port 443 traffic from outside the LBNL network are termed intranet web servers. Intranet web servers are outside the scope of web server registration. Any network device can offer intranet web services without registration.

Web server registration only applies to hosts on the Berkeley Lab network. Registration is not currently required for JGI, ESnet, or NERSC.

Drivers

There are a number of drivers for web server registration:

  • Reduced internet footprint. It is beneficial to reduce the Lab's exposure of unneeded and unmanaged web servers. Examples include printers and cameras, as well as misconfigured and abandoned web servers. Additionally, some web servers only require onsite (intranet) access.
  • Facilitate monitoring. With fewer web servers exposed to the hostile Internet, CPP can focus on monitoring and scanning the exposed web servers. Less noise in monitoring logs and more precise knowledge from scans allow for better protection.
  • Awareness of openness to the Internet. Web server owners specifically acknowledge the increased risk of opening their web server to the Internet. This acknowledgement will increase awareness of the risks and thus incentivize properly securing exposed web servers.

In summary, web server registration is a low cost, low impact activity that has reasonable and specific benefits.

How to Register

In order to register a web server, visit the Web Server Registration site. Log in to this site using your LDAP username and password.

On the first page there are two sections. The first section, "Register a New Web Server", allows you to enter an IP address or hostname and register a new web server. The second section shows "Currently Registered Web Servers". You can use the radio buttons to switch the view between "My web servers" and "All web servers". The former shows all web servers where the person logged in is the primary or secondary contact. The latter shows all web servers that anyone at the lab has registered.

After entering an "IP Address or Hostname" and clicking "Register", you are brought to the following screen, which asks for additional details about the web server you are registering. In this form you must enter the Division that owns the web server and a secondary contact. Optionally you can enter alternative email addresses, including lists, to contact about the web server and any notes you may want to keep. Please read the text in the "I Agree" text box and check "I Agree", then click Register. That's it.

After you have registered a web server you will see it appear in the list of registered web servers. You can use the icons to the left of the division column to view, edit, or unregister web servers for which you are the primary or secondary contact.

When a web server for which you are the primary or secondary contact is registered, modified, or unregistered, you will receive an email such as the one below.

 

Email List for Registration

If you would like to get an email when any web server at the lab is registered, modified, or unregistered you can join the webserver-registration mailing list.

In order to join the webserver-registration mailing list you can use the form located here.

FAQ

Q1: How long after I register will the web server become accessible from the Internet?

Almost immediately, within a few seconds.

Q2: Can I register a DHCP host as a web server?

No. In order to register a web server and have the web server be visible to the Internet, you must acquire a static IP address. Web servers must use static IP addresses per the DHCP perimeter protection rules. You can acquire a static IP address by using the IP Request form.

Q3: What about web servers on non-standard ports?

We recognize that a web server can listen on any port, e.g. a non-standard port. Normally a web server listens on 80/tcp and an SSL-enabled web server listens on 443/tcp. The case where web servers run on non-standard ports is not addressed by web server registration at this time. If you would like to run a web server on a non-standard port, no registration is required. The cost-benefit calculus for registering web servers on non-standard ports or requiring web servers to use standard ports is not clear.

Q4: I need to run some other application, that is not a web server, on 80/tcp or 443/tcp. Do I need to register?

Yes. If you have some device or application that is not a web server and needs 80/tcp or 443/tcp to be visible from the Internet, it must be registered. For example, if you have a web camera that you control from the Internet via 443/tcp, the camera needs to be registered.

Q5: Will I have to renew the web server registration?

Some type of renewal is necessary; otherwise the registration information will become stale. The exact details have not been decided, but annual verification seems to make sense.
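
The rules from the Overview and the FAQ (default deny on 80/tcp and 443/tcp, static addresses only, non-standard ports not covered, lab network only) can be modelled as follows. This is an added example, not CPP's implementation: the `Registry` class, its method names, the verdict strings and the address ranges are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample ranges (RFC 5737 documentation space), not real lab networks.
LAB_NET = ipaddress.ip_network("198.51.100.0/24")
DHCP_POOL = ipaddress.ip_network("198.51.100.128/25")
WEB_PORTS = {80, 443}  # the only ports registration governs


class Registry:
    """Hypothetical model of the list the perimeter consults."""

    def __init__(self):
        self._hosts = {}  # address -> {primary, secondary} contacts

    def register(self, ip, primary, secondary):
        addr = ipaddress.ip_address(ip)
        if addr not in LAB_NET:
            raise ValueError("out of scope: not on the lab network")
        if addr in DHCP_POOL:  # FAQ Q2: a static IP address is required
            raise ValueError("DHCP hosts cannot be registered")
        self._hosts[addr] = {primary, secondary}

    def unregister(self, ip, user):
        # Simplification: only the listed contacts are modelled, not other staff.
        addr = ipaddress.ip_address(ip)
        if user not in self._hosts.get(addr, set()):
            raise PermissionError("only a listed contact may unregister")
        del self._hosts[addr]

    def decide(self, dst_ip, dst_port):
        """Verdict for a connection arriving from the Internet."""
        addr = ipaddress.ip_address(dst_ip)
        if addr not in LAB_NET:
            return "out-of-scope"
        if dst_port not in WEB_PORTS:
            return "not-covered"  # FAQ Q3: non-standard ports are not addressed
        return "allow" if addr in self._hosts else "deny"  # default deny

    def audit(self, observed_open):
        """Return (ip, port) pairs seen open from outside that should be denied."""
        return [(ip, p) for ip, p in observed_open if self.decide(ip, p) == "deny"]
```

`audit` takes the results of an outside-in scan as `(ip, port)` pairs; anything it returns is an unregistered host answering on a web port, which under this policy should not be reachable.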

Help/Feedback

If you have questions or comments about this website, please contact the CPP group via email at cppm@lbl.gov.

If you need general computer assistance, please contact the LBNL Help Desk at x4357, help@lbl.gov, or online at http://help.lbl.gov.