Security
WORKSHOP
Cover Your Assets, Web Style

  July 8, 2002
  By Lori MacVittie



Online Only: Steps for Stronger Security


Apply security patches. Keeping exact server replicas, including content, will let you test patches to ensure they don't hurt your environment. (This also affords you a handy backup in case of hardware failure.) This may seem elementary, but many corporations have yet to apply the latest security patches to servers providing outward-facing Web-based services. Keeping on top of security patches may be a full-time job -- if so, dedicate a resource to the task. Many of the worms and exploits that swept the Web months ago are still active; Nimda and CodeRed, for example, are still circulating across the Internet despite the wide publicity. If you haven't applied the patches, do so now. Right now. We'll wait for you.

Sun Microsystems patches

Microsoft TechNet Security

Linux distribution patches

Now check your firewall as well. Many popular firewalls are software implementations deployed on an operating system with known exploits and vulnerabilities. Don't forget to double-check this first line of defense.

The next thing you need to do is turn off extraneous services that may be running on your servers. Plenty of tools are available to provide you with a list of services that are accessible on your servers, so get one and run it against the servers that make up your Web infrastructure:

Nmap; Saint

Shut down the services that aren't absolutely necessary.

Are you storing customer information in a database? If so, you need to encrypt the data. All of it would be best, but if that's impossible at least encrypt sensitive data, such as credit card and account numbers and private customer information. Doing so will ensure that if the unthinkable happens and an intruder is able to access your customer data, it will be useless. You can use software such as Application Security's DbEncrypt (www.appsecinc.com/products/dbencrypt/) or an appliance, such as Ingrian's i140 (for a review, see "When the Front Line Is Breached, Ingrian i140 Puts Up a Good Fight"), to encrypt specific fields within your database. Or you can write your own method of encryption -- anything is better than clear text. Certainly, the more complex the method, the better, but a little protection is still better than no protection.

How are your firewalls configured? You'd be surprised at the number of misconfigured firewalls that allow traffic you don't want to flow through to your servers. Allow traffic to flow from the firewall to your back-end servers only on the ports that you specify. If access is available only via Port 80, then only traffic on Port 80 should be allowed and only to that specific server. Start with a "deny all" attitude, then open up only what is necessary.
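The service listing and the "deny all" firewall check described above can be combined into one audit; this is an added example, not part of the original article. It parses Nmap's grepable output (`-oG`) and flags every open port that is not on a per-server allowlist. The sample scan, the addresses and the allowlist are constructed for illustration.

```python
import re

# Constructed sample of Nmap grepable (-oG) output; addresses are placeholders.
SAMPLE_SCAN = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.0.2.10 (web1)\tStatus: Up\n"
    "Host: 192.0.2.10 (web1)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "111/open/tcp//rpcbind///, 443/closed/tcp//https///\n"
    "Host: 192.0.2.11 (web2)\tPorts: 80/open/tcp//http///, 3306/filtered/tcp//mysql///\n"
    "Host: 192.0.2.12 (db1)\tPorts: 3306/open/tcp//mysql///\tIgnored State: closed (999)\n"
)

# Assumed policy: deny all, then list the only ports each server may expose.
ALLOWED = {
    "192.0.2.10": {("tcp", 80)},
    "192.0.2.11": {("tcp", 80)},
}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+(.*)$")

def parse_open_ports(grepable_text):
    """Return {host: {(proto, port): service}} for ports reported as open."""
    found = {}
    for line in grepable_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and "Status:" lines carry no port data
        host, ports = m.groups()
        ports = ports.split("\t")[0]  # drop trailing fields such as "Ignored State"
        for entry in ports.split(","):
            # Entry layout: port/state/protocol/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if len(fields) < 5 or fields[1] != "open":
                continue  # closed and filtered ports are not reachable services
            found.setdefault(host, {})[(fields[2], int(fields[0]))] = fields[4] or "unknown"
    return found

def audit(grepable_text, allowed):
    """List (host, proto, port, service) for each open port the policy forbids."""
    violations = []
    for host, ports in parse_open_ports(grepable_text).items():
        permitted = allowed.get(host, set())  # host missing from policy: deny all
        for (proto, port), service in sorted(ports.items()):
            if (proto, port) not in permitted:
                violations.append((host, proto, port, service))
    return violations

if __name__ == "__main__":
    for host, proto, port, service in audit(SAMPLE_SCAN, ALLOWED):
        print(f"{host}: close or filter {port}/{proto} ({service})")
```

A host that is absent from the allowlist is treated as "deny all", so a server that was never meant to be reachable shows up with every open port flagged.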
