General discussion

  • #2080348

    Inhouse Internet Server

    Locked

    by technoman ·

    What is the best security for an internet web server that will be sitting outside your network? My company is bringing their web page hosting and development in house.

All Comments

    • #3901275

      Inhouse Internet Server

      by forhire ·

      In reply to Inhouse Internet Server

      A good start would be to use a Linux distribution with Apache web server. I use and recommend Debian. It’s updated regularly, and usually has the latest security patches that can be automatically updated using dselect.

      In addition, you want to limit the ports that are available to the outside world. Only have ports you absolutely need running, for example port 80 for http, and 443 for https. I would also recommend using SSH versus ftp or telnet to maintain your site, since SSH provides encryption.

      The Linux kernel can also be compiled with firewalling options. You can run it on the same server that your web site is running on, but it’s generally better to have a separate system that serves as a firewall.

    • #3901168

      Inhouse Internet Server

      by steven.riley ·

      In reply to Inhouse Internet Server

      The Linux with Apache is a good suggestion if you have people who are good with Linux. Otherwise stick to IIS4… I know it’s not the most secure but it can be locked down quite well. An ideal solution would be to stick it behind a firewall, but if you can’t, be sure to disable all ports except the ones you really need. Unbind protocols that are not needed and so on. If you are going for an NT option check out the NSA Windows NT Security Guidelines. This will help you secure the box to a high level. If you want specific information mail me…

    • #3901159

      Inhouse Internet Server

      by ewwallace ·

      In reply to Inhouse Internet Server

      Even though NT with IIS is one of the hardest to secure, if you’d prefer to run IIS for ease of use, here’s a good tip for locking down the system: Disable the “Server” and “Workstation” services on the web server, or unbind the NetBIOS Interface from the network adapter. This disables remote communication and control using the standard Microsoft methods, including drive sharing. Thus, the only way someone could get into the system is through a weakness in the ASP scripting or permissions. (Note that you’d have to update the pages by FTP after this procedure!)

    • #3900859

      Inhouse Internet Server

      by andrewshen ·

      In reply to Inhouse Internet Server

      Setting up a firewall 😕

    • #3900850

      Inhouse Internet Server

      by pkjohnston ·

      In reply to Inhouse Internet Server

      The platform you select will most likely be chosen because of:

      1 – familiarity … Unix people WON’T choose Microsoft
      2 – easy to support … Microsoft people WON’T choose Unix
      3 – cost … Linux/Apache people! Please don’t tease the others! But don’t forget soft costs, such as training and support.
      4 – application/tools … Perl, Java, Apache can be done on NT, but thrive in a Unix world
      5 – security … I just threw this one in because it is NEVER found in this list. The previous 4 reasons always seem to count over security.

      Security is never an absolute – so http://www.cert.org and http://www.sans.org should be in your “autofetch” browser favourites.

      paul johnston
      opinions expressed are my own, but I’m willing to share

    • #3900820

      Inhouse Internet Server

      by rbelisle ·

      In reply to Inhouse Internet Server

      The actual hardware/software you choose should really be a factor of what your business needs are, based on the ability to support (and secure) the application long term. The security of the site can be handled in a number of ways. My recommendation is to put the web server on a separate network off a dedicated firewall. This will allow you to use the security and logging features of the firewall to enforce the overall security posture of the site. Next harden the OS of the web server, and tighten the security of the server application. The intent is to minimize an external user’s ability to do anything on that box, except what you specifically allow. The actual methods involved in doing this will depend on the server application, the OS it is running on, and the type of firewall you are using.

    • #3896792

      Inhouse Internet Server

      by insatiable ·

      In reply to Inhouse Internet Server

      You didn’t mention the software that you use, or will be using… But for our inhouse internet webserver, or intranet, I limit access to IP ranges.
      Depending on your network, you could also have user or group authentication that would run off from an LDAP Server, or a local database housed on the webserver.
      I use Netscape Enterprise Server, called iPlanet now, on Sun.

    • #3743360

      Inhouse Internet Server

      by technoman ·

      In reply to Inhouse Internet Server

      This question was closed by the author
