[thelist] Hardening a webserver

Ken Schaefer Ken at adOpenStatic.com
Sat Jan 15 04:53:31 CST 2005


From your response, it seems you know nothing about security. Security is not
a product you can buy. Security is all about processes - knowing what threats
are out there, and then working to minimise the likelihood of the threats
eventuating, or mitigating the effects of the threat eventuating.

Saying "use a firewall", or "run the system on *nix", or "use SSL" is *not*
security.

I know someone suggested that you put your database on a different server to
your webserver, and place a firewall in between. But what does that really
give you? IMHO, not much more than a false sense of security *unless* you
know why doing so somehow makes you more secure. Anyone who can compromise
your web application can do whatever to your database that the application's
user context can (since the database doesn't know the difference between a
legitimate and malicious query coming from the webserver), and anyone who
owns your webserver owns your web application anyway - they can just change
it to do things that you never coded it to in the first place. And none of
this even matters if someone can walk into your datacenter and gain physical
access to the boxes.

I know it's a cliché, and I've posted it many times before: security is not a
destination, it's a journey. There is no such thing as "the secure system";
there are only systems that are somewhat more secure than others, and then
only in certain respects. The *first* rule of securing a system is not
separating the database server and the webserver and putting a firewall in
between (nor is it using FreeBSD). The first step is *identifying* the
threats that you need to meet, and how much you're prepared to pay to
eliminate/mitigate those threats.

Cheers
Ken

: -----Original Message-----
: From: thelist-bounces at lists.evolt.org [mailto:thelist-
: bounces at lists.evolt.org] On Behalf Of Scott Wolpow
: Sent: Saturday, 15 January 2005 11:56 AM
: To: thelist at lists.evolt.org
: Subject: RE: [thelist] Hardening a webserver
: 
: I thought it was a given being that I want security. I plan to use Linux,
: but can use anything that will work.
: Scott Wolpow
: 
: At 05:45 PM 14/01/2005 -0600, you wrote:
: 
: >         It would help to know what platform you're using :-D
: >
: >-----Original Message-----
: >From: thelist-bounces at lists.evolt.org On Behalf Of Scott Wolpow
: >
: >I have to make a Webserver extremely secure. This server needs to be
: >able
: >to communicate with other servers to authenticate information. Any good
: >docs on this?
: >Thanks Scott

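Ken's point above is that the blast radius of a compromised web application is whatever the application's database user context is permitted to do, firewall or no firewall. As an added example (not from this thread or any of its authors), the following PostgreSQL statements show that context both ways: the weak setting, where the web tier connects as the database owner, next to a least-privilege role that holds only the statement-level rights the application code actually needs. The role, database, table and sequence names (webapp, shop, orders, products, orders_id_seq) are assumptions, and the password is a placeholder to be supplied from a secret store.

```sql
-- Added example, not part of the original thread. PostgreSQL syntax.
-- Names (webapp, shop, orders, products, orders_id_seq) are assumed.

-- Weak setting (shown commented out): the web application logs in as the
-- owner of the database. Once the application is compromised, the attacker
-- inherits every right the owner has, on every table, with no way for the
-- database to tell a malicious query from a legitimate one.
-- CREATE ROLE webapp LOGIN PASSWORD '<placeholder>';
-- ALTER DATABASE shop OWNER TO webapp;

-- Hardened setting: a dedicated login role that owns nothing and inherits
-- nothing, so its privileges are exactly the ones granted below.
CREATE ROLE webapp LOGIN PASSWORD '<placeholder-from-secret-store>' NOINHERIT;

-- Strip the default PUBLIC grants so nothing leaks in by default.
REVOKE ALL PRIVILEGES ON DATABASE shop FROM PUBLIC;
REVOKE ALL PRIVILEGES ON SCHEMA public FROM PUBLIC;

-- The application may connect and see the schema.
GRANT CONNECT ON DATABASE shop TO webapp;
GRANT USAGE ON SCHEMA public TO webapp;

-- Row-level work the application code issues; no DELETE, no DDL, no GRANT,
-- no access to tables it never touches.
GRANT SELECT, INSERT, UPDATE ON public.orders TO webapp;
GRANT SELECT ON public.products TO webapp;
GRANT USAGE ON SEQUENCE public.orders_id_seq TO webapp;

-- Check: list exactly what the application account can do, which is the
-- list a defender should be able to justify line by line.
SELECT grantee, table_schema, table_name, privilege_type
  FROM information_schema.role_table_grants
 WHERE grantee = 'webapp'
 ORDER BY table_name, privilege_type;
```

The final SELECT is the review step: whatever it returns is the most a compromised application can do to the data through its own connection, which is the question Ken's argument says the firewall placement never answered.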