[thelist] Hardening a webserver More Exact

puru singh puru_singh2004 at yahoo.co.in
Sun Jan 16 06:58:51 CST 2005


hi
Do not mail me again please
ok
bye

Ken Schaefer <Ken at adOpenStatic.com> wrote:
A book on what?

If you need to build a "really secure" system, you need to evaluate things
from the ground up:
- physical security of the boxes
- OS configuration
- application code
- policies and procedures for authorizing and documenting changes to
configurations

In each instance, you need to evaluate threats that you face, and the price
you're prepared to pay (money-wise, and inconvenience-wise) to mitigate the
threat. 

For example, you might decide that using FTP is simply too risky for getting
code onto the server. Instead, you require someone to be physically at the
box, and use two-factor authentication to logon and update the app. Or maybe
you choose something in between.

For authenticating multiple machines, certificate based PKI is a robust and
tested method. Just be aware of the critical points - you need to secure the
CA since that's the ultimate source from which the machines trust each other,
and you need to ensure that the guardians who manage the CA can not be
"fooled" either (remember that Verisign was tricked into issuing certificates
to people claiming to be from Microsoft a few years back?)

"Real" security is not for dilettantes. I certainly won't claim to be a font
of knowledge, but I've talked to enough security pros to know that I don't
know enough (I'm consciously incompetent, which is a step beyond
unconsciously incompetent). If you need "real security", get some good
consultants in for you. There are plenty of well known and reputable security
firms that can do this for you, for a fee.

Cheers
Ken

: -----Original Message-----
: From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Scott Wolpow
: Sent: Saturday, 15 January 2005 4:47 PM
: To: Chris Johnston; thelist at lists.evolt.org
: Subject: Re: [thelist] Hardening a webserver More Exact
: 
: Yes it helps. Any good books?
: Scott
: 
: 
: At 12:29 AM 15/01/2005 -0500, you wrote:
: >On Fri, 14 Jan 2005 23:52:14 -0500, Scott Wolpow wrote:
: > > Ok I need to take more time. Just doing too many things.
: > > Here is the plan.
: > > On the main server will be the accounts database. In the database will be
: > > passwords and logins for other specific sites. The login form for a
: > > specific site lives on the main server. The other sites will only accept
: > > logins from the main server along with a certificate. From the site the
: > > user will interact with various features and some of that information will
: > > be passed to the main server and stored on the database.
: > > Currently I am running a FreeBSD machine with full root access, but would
: > > change if there is a better way. I would like to keep the budget low until
: > > this project takes off.
: > > I hope this is a better explanation.
: > >
: >
: >I am not totally sure about this, but is not the first rule of
: >security to place the database on a separate computer behind a
: >firewall? That way, if the server is hacked, the database stays
: >secure.
: >
: >I would set up three zones -- Red (being the internet), Green (being
: >behind a firewall), and DMZ or Orange (Being accessible from the
: >internet). Your web server would go in the DMZ, the database server
: >goes in the Green zone and everyone else belongs in the Red zone.
: >
: >However, in order to do this, you will need to create some form of
: >pass through functions on the main server that allow the satellite
: >servers to get information from the database. The satellite servers
: >would invoke functions on the main server, these functions would then
: >query the database and return the results. And of course this would
: >all happen using SSL. However, this is for maximum security and I am
: >not sure how much time, money and development you want to throw at
: >this problem.
: >
: >As for OSes, I would definitely pick FreeBSD as already mentioned. If
: >you want a full distributed system, you could always do all of your
: >development in J2EE. This would add the security of a compiled
: >language which makes it much harder to hack the source code. Plus,
: >distributing the web app across multiple servers would probably be
: >easier as this can be handled by the app server.
: >
: >Hope some of this helps.
: >--
: >chris johnston
: >
: >www.fuzzylizard.com
: >
: >"For millions of years, mankind lived just like the animals and
: >something happened which unleashed the power of our imagination, we
: >learned to talk."
: >Pink Floyd
: >--
: >
: >* * Please support the community that supports you. * *
: >http://evolt.org/help_support_evolt/
: >
: >For unsubscribe and other options, including the Tip Harvester
: >and archives of thelist go to: http://lists.evolt.org
: >Workers of the Web, evolt !
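The three-zone layout Chris describes (Red = internet, DMZ = web server, Green = database, with only the web server allowed to reach the database) written out as a FreeBSD pf ruleset. This is an added example, not from the thread or any of its authors; the interface names, addresses, satellite hosts and the PostgreSQL port are assumptions.

```conf
# /etc/pf.conf on the FreeBSD firewall host (example, assumed layout)
ext_if = "em0"    # Red: the internet
dmz_if = "em1"    # Orange/DMZ: public-facing main web server
int_if = "em2"    # Green: accounts database, reachable only from the DMZ

web_srv    = "192.0.2.10"                        # constructed DMZ address
db_srv     = "10.0.1.5"                          # constructed Green address
db_port    = "5432"                              # assumes PostgreSQL
satellites = "{ 198.51.100.20, 198.51.100.21 }"  # constructed satellite sites

set skip on lo0
set state-policy floating   # one state entry covers both interfaces a flow crosses
scrub in all

# Drop packets with source addresses that do not belong on the arriving interface
antispoof quick for { $ext_if, $dmz_if, $int_if }

# Default deny in every direction; logged drops are what you watch for intrusions
block log all

# Red -> DMZ: anyone may reach the web server, but only on HTTP/HTTPS.
# The satellite sites also use this path: they call the pass-through
# functions on the main server over TLS and never see the database.
pass in on $ext_if inet proto tcp from any to $web_srv port { 80, 443 } \
    flags S/SA keep state

# DMZ -> Green: only the web server may open connections to the database,
# and only to the database port. Nothing else in the DMZ can reach Green.
pass in on $dmz_if inet proto tcp from $web_srv to $db_srv port $db_port \
    flags S/SA keep state

# Green -> DMZ: administrators push code to the web server over SSH from the
# inside network, so no FTP or other upload service is exposed to the Red zone.
pass in on $int_if inet proto tcp from $int_if:network to $web_srv port 22 \
    flags S/SA keep state

# Deliberately absent: no rule lets the database host initiate anything, and no
# rule lets the internet reach Green, so a compromised web server can only
# speak to the database port and nothing further.
```

Load with `pfctl -nf /etc/pf.conf` to syntax-check before `pfctl -f /etc/pf.conf`, and watch `tcpdump -n -e -ttt -i pflog0` for the logged drops.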
