| Lesson 5 | Server Security |
| Objective | Design for e-commerce system security at Server level |
Server Level Components to take into consideration when designing e-commerce system security
- Database servers: The best option for securing database servers is to run them on a completely different system. You can then use a different network protocol, such as IPX/SPX or even NetBEUI, to establish communication between the Web server and the database. This arrangement allows full connectivity with the Web server but no direct connectivity from the Internet.
- Middleware: Application servers and Java servlets can create security issues, mainly because they require extensive customization and because many are built from scratch. As your site implements middleware servers, take the time to learn about the workings of such servers so that you can change any defaults or address possible security problems on an individual basis.
- Web Servers: The key to securing the Web server is to segment the operating system, the Web server program, and the server's files on their own hard drive or partition. If a breach occurs, such segmentation will help limit a hacker's activity to specific hard drives, or even parts of hard drives, that are not essential to the rest of the system.
- FTP servers: Securing the file transfer protocol (FTP)[1] server is similar to securing the Web server. The FTP server should be separated from the files it downloads by using partitions. Whenever possible, FTP user accounts and access options must be separated from those used to access the Web. The FTP server should not allow access to sensitive files.
FTP Server Security
FTP servers are often vital to developing an e-commerce site. They are perfect for transferring large files and for providing common access to files during projects. If possible, disable anonymous access to the server. If anonymous access is required, consider enforcing one-time passwords. Such a scheme would require you to invest in costly software, but in certain instances, strong authentication is often worth the cost and inconvenience. It is also possible to deny read access to the FTP directories accessed by anonymous users. Under this less costly strategy, a hacker can't list the directory to learn about what files exist on the server. Legitimate users can simply remember what files they have uploaded and can ask a trusted colleague about the files they need to download. Also, you can create virtual FTP directories that are hidden from anonymous users. It is possible to password protect such directories, as well. Simple solutions like these can help you increase the security of your site. Some cost and hassle may be involved. It is up to you to consider how much is appropriate for your site.
Many times third-party software packages, such as web servers and FTP servers, will provide banners that indicate the version of the software that is running. Attackers can use this information to narrow their search of exploits to apply to these targets. In most cases, these banners can be suppressed or altered.
FTP is one of the oldest and most popular services found on the on the internet today. Serving as an easy and effective method by which to transfer files over a network, FTP has become a standard that is both accepted and widely accessible to users across almost every network and operating system in use today. In this article we will examine 10 options available native in Windows that can be used to secure an FTP site. FTP is one of the oldest and most popular services found on the on the internet today. Serving as an easy and effective method by which to transfer files over a network, FTP has become a standard that is both accepted and widely accessible to users across almost every network and operating system in use today.
Windows 2000 comes with an FTP server as a part of IIS 5.0. Installed as a stand alone service, it is very rich in features. When combined with the other resources available inside Windows 2000 server, administrators are empowered with different options that can help make an FTP site more secure. Having said that, we will examine 10 options available native in Windows 2000 that can be used to secure an FTP site. Some are pretty obvious but some are creative approaches that are not readily thought of by administrators. In addition to the tips below, add-on services such as VPNs or SSH are things to consider since there is the pesky issue of sending passwords clear text over the wire.
Many times third-party software packages, such as web servers and FTP servers, will provide banners that indicate the version of the software that is running. Attackers can use this information to narrow their search of exploits to apply to these targets. In most cases, these banners can be suppressed or altered.
FTP is one of the oldest and most popular services found on the on the internet today. Serving as an easy and effective method by which to transfer files over a network, FTP has become a standard that is both accepted and widely accessible to users across almost every network and operating system in use today. In this article we will examine 10 options available native in Windows that can be used to secure an FTP site. FTP is one of the oldest and most popular services found on the on the internet today. Serving as an easy and effective method by which to transfer files over a network, FTP has become a standard that is both accepted and widely accessible to users across almost every network and operating system in use today.
Windows 2000 comes with an FTP server as a part of IIS 5.0. Installed as a stand alone service, it is very rich in features. When combined with the other resources available inside Windows 2000 server, administrators are empowered with different options that can help make an FTP site more secure. Having said that, we will examine 10 options available native in Windows 2000 that can be used to secure an FTP site. Some are pretty obvious but some are creative approaches that are not readily thought of by administrators. In addition to the tips below, add-on services such as VPNs or SSH are things to consider since there is the pesky issue of sending passwords clear text over the wire.
In an e-commerce setting, focus on securing your server resources as shown in the diagram below.
- A packet filtering router and an application gateway firewall should separate the trusted network from the Internet. These enforce access control as well as encryption and authentication. Intrusion detection software should be installed on the Web server and database.
- The Web server communicates with the outside world via SSL. The Web server and database should be communicating with each other via a different protocol than TCP/IP, such as IPX/SPX or NetBEUI, to help ensure the security of the database.
Securing Resources
Email Servers
Simple Mail Transfer Protocol (SMTP): The Internet standard protocol to transfer electronic mail messages from one computer to another. It specifies how two mail systems interact, as well as the format of control messages they exchange to transfer mail. Servers often offer security features, such as reverse domain name system (DNS) lookup, to help ensure that the email sender is actually who he or she claims to be. Advanced SMTP servers can scan email transparently by placing the email messages in a temporary holding area. Advanced virus scanners can search email attachments for malicious code. Such programs and servers scan the files, and then forward the email as appropriate. Whenever possible, use such authentication[2] and access control measures. In the next lesson, you will learn about application security.
Security Issues - Quiz
Click the Quiz link below to take a multiple-choice quiz on security issues.
Security Issues - Quiz
Security Issues - Quiz
[1] File transfer protocol: The File Transfer Protocol, or FTP, is the set of communication rules that computers use to exchange files.
[2] Authentication: Establishes a person's identity. Authentication is the act of confirming the truth of an attribute of a single piece of data claimed true by an entity.