How to check for HTTP servers on your network

HTTP Background
Designed in the early 1990s, HTTP is an application layer protocol that is sent over TCP, though any reliable transport protocol could theoretically be used. Typically it uses TCP port 80 but this can be changed. Due to its extensibility, it is used to not only fetch hypertext documents, but also images and videos or to post content to servers, like with HTML form results. HTTP can also be used to fetch parts of documents to update Web pages on demand.

Google are promoting a move away from HTTP
For the past several years, Google have moved towards a more secure web by strongly advocating that sites adopt HTTPS encryption. It started back in 2014 when they announced that they were using HTTPS as a ranking signal. If you moved your site away from HTTP and onto HTTPS you would receive a tiny boost in the Google search rankings.
Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”. If you host your own web servers it could mean that users will be less likely to interact with them if their browsers are marking them as insecure. Now is the time to move your websites from HTTP to HTTPS.
Generating an inventory of HTTP servers using network traffic analysis.
HTTP servers normally run over TCP port 80.However, you can configure HTTP servers to run over any port so generating a list of web servers running over TCP port 80 may not result in the complete list. Another method to detect webservers would be to use a network scanning too that would check for anything listening on port 80 or other ports.
One thing to watch with the scanning approach is to make sure all servers are powered up when you run the network scan. Another issue with this approach is that you won’t be able to find out if users from outside your network are accessing these servers, you will just know that they are active.
Our recommended appoach is to monitor network traffic going to and from your web servers. You can do this by setting up a SPAN\Mirror port or by using a TAP device. If you are only concerned about users outside of your network, you just need to monitor your Internet gateway points. The video below goes through the process of getting network monitoring in place at your network edge.
Once you have a data source in place (SPAN\Mirror\TAP) you can then check for web server activity by searching for specific metadata such as a HTTP GET. For small networks you can manually do this using tools like Wireshark. For larger networks you can automate this with an application such as our own LANGuardian. It has built in web traffic decoders which can automatically build a HTTP server inventory 24/7.
Using LANGuardian to passively detect HTTP servers on your network
LANGuardian comes with an application recognition engine which can report on what applications are in use on your network. If you combine these reports with filters you can quickly find out what web servers are on your network and also which are being accessed by clients and their countries outside your network.
The image below shows an example of the output. Here we can see that we had 6 HTTP servers active on our network for the past 1 hour sample time period. Also worth noting is that some of these web servers are running on non standard ports; 8080 and 5357.
If you have a LANGuardian on your network you need to select the “Top Website Domains” report and use these filters
- Source = External
- Destination = Internal
- Protocol = HTTP
Click on the image above to access this report directly on our live demo system and drill down.