In Cliff Stoll's The Cuckoo's Egg, an intruder breaks into a machine at the University of California, Berkeley, through a security hole and uses that machine as a starting point for more break-ins. Although the book is several years old, the problems it details ring truer than ever. Just ask the Department of Justice.
Today's intruders may be looking for your password file so that they can run programs that guess passwords and access local accounts. They could be in search of confidential company information, a place to store illegal or illicit files, or a way to get free CPU time; they also simply could be doing it for the challenge. And your challenge is to protect your business from these menaces.
Security for the Web server is a complex puzzle. You must fit together a variety of pieces before the entire picture is clear. Start with the security of your physical server and its operating system. Then think about allowing access to that information for authorized people only by controlling access to the server and encrypting sensitive data when it traverses the wire.
Web Servers Against the World
Adding a Web server to your network is not going to be a simple task, especially if the server will be a repository for sensitive information. You plan to do all of your business on the Web, including credit card and other database transactions. With your business data online, the integrity of your Internet services becomes doubly important. The initial step--choosing a Web server that satisfies your need for security and flexibility--will be difficult.
First you must decide on the right combination of hardware and operating system. If you still must make the choice among MacOS, Windows NT or Unix, you can achieve varying degrees of flexibility, with the trade-off of making the system more complex and possibly less secure. The availability of software, such as a database, may dictate your selection, however. If so, you will have to deal with the security issues you inherit.
On one end of the scale sits the Apple Macintosh OS, which offers a high level of security because the Internet services available--Hypertext Transport Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), and the Domain Naming Service (DNS), for example--will be the only ones you install. In contrast, on Unix, nearly every available Internet service is bundled with the operating system. You'll get a very flexible solution, including any programming language or shell scripting, but also many vulnerabilities. MacOS has no indigenous holes, but, then, Oracle Server doesn't run on it either. Windows NT offers something in between, with a lower scalability ceiling than Unix.
Moreover, every single service--such as FTP, telnet, gopher, database applications or SMTP--provides a potential security hole. To make your machine more secure, you can disable services you or your customers don't need. This limits the number of entry points into your system and reduces the attack methods an intruder can use to break in.
If you must leave services other than HTTP enabled, don't assume they're secure. People are finding new security holes in software all the time. For example, old versions of sendmail and the Washington University ftpd have well-known holes that could be used to break into your server. Misconfigured TFTP daemons can give hackers access to your local password file. Keep up to date on the latest patches and configuration issues.
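One way to check which services are still enabled is to audit the inetd configuration against the short list the server actually needs. The following is an added example, not part of the original article: the sample configuration is constructed, the allowlist is an assumption about what this host requires, and the TFTP check assumes a daemon that takes `-s` to confine it to one directory.

```python
# Added example: audit inetd.conf-style text against an allowlist of services.
# SAMPLE_INETD_CONF is constructed for illustration, not taken from a real host.
SAMPLE_INETD_CONF = """\
# service socket proto wait   user    server                args
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
#gopher stream  tcp  nowait  nobody  /usr/sbin/gopherd     gopherd
tftp    dgram   udp  wait    root    /usr/sbin/in.tftpd    in.tftpd
smtp    stream  tcp  nowait  root    /usr/sbin/sendmail    sendmail -bs
"""

# Assumption: the only inetd-launched service this host needs is mail;
# the Web server itself runs standalone and is not listed here.
ALLOWED = {"smtp"}


def parse_inetd(text):
    """Return (service, user, argv) for every enabled (uncommented) entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line, comment, or a service already disabled
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed entry; skipped
        # Field 5 is the server path; fields 6+ are its argv (argv[0] included).
        entries.append((fields[0], fields[4], fields[6:]))
    return entries


def audit(text, allowed=ALLOWED):
    """Return sorted findings: services to disable and settings to review."""
    findings = []
    for service, user, argv in parse_inetd(text):
        if service not in allowed:
            findings.append(f"{service}: enabled but not required, disable it")
        elif user == "root":
            findings.append(f"{service}: required but runs as root, keep it patched")
        if service == "tftp" and "-s" not in argv:
            findings.append("tftp: no -s restricted directory configured")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_INETD_CONF):
        print(finding)
```

Disabling a service means commenting out its line and signalling inetd to reread the file; rerun the audit afterward to confirm only the allowed entries remain.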
Who Gets What?
Securing the machine and its operating system is the first step. Now, you need to get a handle on who can browse your server. Information on your company's Web servers probably will vary in content sensitivity. You may need to keep track of who accesses which servers and from where. Firewalls can help restrict traffic to the server. Once users have reached the server, access controls restrict them to certain content.
You may want to restrict access to a page or set of pages by user names and passwords, by IP address or by groups. If you've got a company firewall, you'll have to decide where to put your Web server. You may want an internal Web server for your intranet applications and another Web server outside of your firewall for outside users. This setup could be a problem if you want remote users to have access to internal databases through a Web interface.
It is possible, but not recommended, to use one of two other configurations, both of which trade security for flexibility. You can allow traffic to and from the HTTP port through your firewall to an internal Web server, or set up your Web server as the firewall. A bug in any portion of your Web server could compromise your company's security, however, by introducing an unintended path through the firewall.