BigAdmin System Administration Portal


Archived from Sun's Dot-Com Builder Web Site

Building a Secure Site
March 30, 2001

by Carla King

The future is bleak for those companies that take an ad-hoc approach to security -- spending a fraction of their operating budgets when they should be spending more. Consider this: The cost of data loss, system downtime, and recovery from a major incident probably exceeds the money you're now spending to prevent one.

The Software Engineering Institute's CERT® Coordination Center, a federally funded research and development center for Internet security operated by Carnegie Mellon University, defines an incident as:

  • An attempt to gain unauthorized access to a system or its data
  • An unwanted disruption or denial of service
  • The unauthorized use of a system for the processing or storage of data
  • Changes to system hardware, firmware, or software characteristics

The following sections discuss what it takes to prevent these mishaps. Each element and its associated protocols, software, and application development considerations are discussed.

Figure 1 shows the hardware configuration of a secure site.

Figure 1: Configuration of a secure site

Creating a Demilitarized Zone (DMZ)

Routers, proxy servers, firewalls, and intrusion detection software can be combined to create a demilitarized zone (DMZ). A DMZ is a neutral network segment, created by your hardware and software, that sits between your internal network and the outside world.

Firewalls
Firewalls placed at carefully considered points in your network create a DMZ that will keep out most intruders. As shown in Figure 1, a firewall can be used to buffer your servers from Internet traffic, third-party processing operations, and your corporate intranet. A good way to implement a firewall is to wire a packet router directly to the server to create a physical barrier between it and the outside world.


Proxy Servers
A proxy server sits in front of your servers and filters inbound traffic: it checks whether the requested content is already in its cache and, if so, answers the request itself. The client only ever sees the proxy's IP address, so your server's identity stays hidden. ISPs use proxy servers the same way, caching frequently accessed pages to give customers prompt service and to lighten the load on the origin servers.

Database Server Placement
To keep your database servers out of the reach of potential intruders, consider placing a firewall between your Web servers and the database servers, opening only a few necessary ports between them. This is an expensive but reliable way to ensure complete data privacy and integrity.

Vendor Communication
There are many ways to handle secure communications between yourself and external payment processors and other vendor operations -- directly from the firewall gateway via a private line, or through a service that uses a secure connection (VPN or HTTPS) over the Internet.

Intrusion Detection Software
Intrusion detection software (IDS) is a new and rapidly evolving technology. IDS packages differ in detail, but all of them monitor your network activity; examine message packets; note patterns of abnormal activity; identify known electronic attack signatures and misuse; and raise an alarm when suspicious activity occurs. Like a firewall, an IDS must be placed strategically in your network to maximize protection of your DMZ. You can implement an IDS yourself or hire a service to do it for you.
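The two kinds of detection the paragraph describes, signature matching and spotting abnormal patterns, are easier to see in a concrete form. The script below is an added example, not code from the original article or from any IDS product: it scans Web-server access-log lines, matches a few classic request signatures, and flags any host whose failed (404) requests exceed a threshold. The hosts, paths and log lines are constructed for the example, and the "too many 404s" rule is just one simple anomaly heuristic chosen here to illustrate the idea.

```shell
#!/bin/sh
# Added example (not from the original article): a minimal log-based intrusion
# detector. It matches known attack signatures in each request and flags a
# pattern of abnormal activity (a burst of failed requests from one host).
# Everything below is constructed: hosts, paths and the log lines themselves.

# Constructed Web-server access log in Common Log Format.
IDS_SAMPLE_LOG='10.0.0.5 - - [30/Mar/2001:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043
10.0.0.5 - - [30/Mar/2001:10:00:02 +0000] "GET /images/logo.gif HTTP/1.0" 200 5120
198.51.100.9 - - [30/Mar/2001:10:00:03 +0000] "GET /products.html HTTP/1.0" 200 2210
192.0.2.77 - - [30/Mar/2001:10:00:04 +0000] "GET /cgi-bin/../../../etc/passwd HTTP/1.0" 404 210
192.0.2.77 - - [30/Mar/2001:10:00:04 +0000] "GET /cgi-bin/view.cgi?file=/etc/passwd HTTP/1.0" 404 210
192.0.2.77 - - [30/Mar/2001:10:00:05 +0000] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 210
192.0.2.77 - - [30/Mar/2001:10:00:05 +0000] "GET /admin/ HTTP/1.0" 404 210
192.0.2.77 - - [30/Mar/2001:10:00:06 +0000] "GET /cgi-bin/ HTTP/1.0" 404 210
192.0.2.77 - - [30/Mar/2001:10:00:06 +0000] "GET /backup/ HTTP/1.0" 404 210
192.0.2.77 - - [30/Mar/2001:10:00:07 +0000] "GET /test.cgi HTTP/1.0" 404 210'

# ids_scan THRESHOLD: reads log lines on stdin and prints one alert per line.
# Signature alerts come out in log order; a host whose failed (404) requests
# exceed THRESHOLD gets an anomaly alert at the end. The status code is taken
# from field 9, which assumes request paths without embedded spaces.
ids_scan() {
  awk -v threshold="${1:-5}" '
    {
      host = $1
      split($0, q, "\"")        # the request line sits between the first pair of quotes
      req = q[2]
      status = $9
      if (req ~ /\.\.\//)
        alert[NR] = host " signature: directory traversal: " req
      else if (req ~ /\/etc\/passwd/)
        alert[NR] = host " signature: password file request: " req
      else if (req ~ /cmd\.exe/)
        alert[NR] = host " signature: command shell probe: " req
      if (status == 404) failed[host]++
    }
    END {
      for (n = 1; n <= NR; n++) if (n in alert) print alert[n]
      for (h in failed) if (failed[h] > threshold)
        print h " anomaly: " failed[h] " failed requests (threshold " threshold ")"
    }'
}

# Stand-alone demonstration on the constructed log.
printf '%s\n' "$IDS_SAMPLE_LOG" | ids_scan 5
```

Run as written, the script reports three signature hits and one anomaly, all from the same scanning host, and nothing for the two hosts that behaved normally. A real IDS keeps a much larger signature set and evaluates anomalies over time windows rather than over a whole file, but the shape of the logic is the same.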

Implementing a Public Key Infrastructure (PKI)

A public key infrastructure allows you to control key creation, certification, and authentication to provide positive user identification and privacy through data encryption. A PKI involves:

  • Creating encryption keys (for client authentication)
  • Applying for a digital certificate
  • Implementing authentication (for example, SSL/TLS)

Applications need to be PKI-enabled in order to be effective. More software vendors are taking PKI into consideration now, and your application development staff should, too.

Creating a Key
Before you can apply for a digital certificate or implement an authentication protocol, you must first create a key. (The procedure should be described in your server's system documentation.) The key pair itself is generated on your own server, but the process is not complete until you send the corresponding public key and your identifying information to a certificate authority (CA), a service that issues digital certificates. Once the CA verifies your information, it sends you the signed certificate that completes the setup.

Obtaining a Certificate
You'll need to apply to a CA such as VeriSign or Thawte (or one of the many others listed on the Web) to purchase a certificate that verifies you are a legitimate and trustworthy business entity. Once your certificate, key, and authentication protocol have been set up, your users can log on using smart cards, send encrypted e-mail, code-sign documents, and so on.

You can set up your own CA to handle key and certificate assignments for use within your company network. To do business with the outside world, you'll need to purchase certificates from a public CA. Certificates are sold in several classes, each requiring a different level of verification of the applicant's identity.
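The three steps above (create a key, send the request to a CA, receive the certificate) map directly onto the OpenSSL command line, and the internal CA the last paragraph mentions is the easiest way to see the whole loop end to end. The script below is an added example, not code from the original article or from any CA vendor: it assumes the openssl tool is installed, and the CA name, host name and directory are made up. It also builds a second, unrelated CA to show that a certificate is only trusted by parties who trust the CA that signed it.

```shell
#!/bin/sh
# Added example (not from the original article): the key / certificate workflow
# carried out with the openssl command-line tool for an internal CA.
# Assumes openssl is installed; the CA name, host name and directory are made up.

# pki_setup DIR: build an internal CA in DIR and issue it a server certificate.
pki_setup() (
  mkdir -p "$1" && cd "$1" || exit 1
  # 1. The internal CA: a self-signed certificate whose private key will sign
  #    every certificate issued inside the company network.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
      -keyout ca.key -out ca.crt -subj "/CN=Example Internal CA" 2>/dev/null || exit 1
  # 2. The server creates its own key pair locally. The private key stays on the
  #    server; only the certificate signing request (CSR) goes to the CA.
  openssl req -newkey rsa:2048 -nodes \
      -keyout server.key -out server.csr -subj "/CN=www.example.internal" 2>/dev/null || exit 1
  # 3. The CA checks the request and returns the signed certificate, which is
  #    the piece that completes the setup described in the text.
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 365 -out server.crt 2>/dev/null || exit 1
  # 4. A second, unrelated CA, used below to show that trust is not transitive:
  #    a client that trusts only other-ca.crt will reject server.crt.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
      -keyout other-ca.key -out other-ca.crt -subj "/CN=Some Other CA" 2>/dev/null || exit 1
)

# pki_verify CA_CERT CERT: prints OK when CERT chains to CA_CERT, FAIL otherwise.
pki_verify() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# pki_issuer CERT: prints the issuer name recorded in CERT.
pki_issuer() {
  openssl x509 -in "$1" -noout -issuer
}

# Stand-alone demonstration in a temporary directory.
PKI_DIR=$(mktemp -d)
pki_setup "$PKI_DIR"
pki_issuer "$PKI_DIR/server.crt"
echo "against internal CA: $(pki_verify "$PKI_DIR/ca.crt" "$PKI_DIR/server.crt")"
echo "against other CA:    $(pki_verify "$PKI_DIR/other-ca.crt" "$PKI_DIR/server.crt")"
```

The point to notice is that server.key is never copied anywhere: the CA sees only server.csr and hands back server.crt. Buying a certificate from a public CA is the same exchange, with the CA's identity checks in between, and the browsers that trust that public CA will then accept your certificate, just as pki_verify accepts it against ca.crt but not against other-ca.crt.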

Implementing an Authentication Protocol (SSL/TLS)
SSL (Secure Sockets Layer) and the newer, even more secure TLS (Transport Layer Security) protect your Web applications by ensuring that valuable customer information is encrypted and cannot be read if it is intercepted during transmission over TCP/IP (HTTP, FTP, Telnet). You may choose an open-source toolkit or a vendor package to implement SSL/TLS.

When you use SSL/TLS, your customer's Web browser is directed to access your site via SSL/TLS port 443 instead of via port 80 (non-secure HTTP access). The URL on the customer's screen changes to reflect access via the secure port and displays the secure HTTP (https://) address. Users accessing HTTPS sites will also see a gold lock at the bottom of their browser.

Tightening up Your Network and Internal Systems

Operating system bugs and sloppy administration practices can render your network and internal systems insecure, providing an intruder with a pipeline straight into your Web servers, or worse, into your database. Tighten your internal systems to keep intruders and viruses from reaching your site via that internal pipeline. Start by turning off ALL of the port openings in the firewall. Then decide which ports must be opened, and document each in detail. Here are some more tips to get you started.
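"Turn off all the ports, then open and document the few you need" is a policy, and the earlier advice to put a firewall between the Web servers and the database servers with only a few ports open is one instance of it. The script below is an added example, not code from the original article: it expresses such a policy as a small rule table, applies it with deny-by-default, lints for openings that nobody documented, and renders the table as iptables commands. The zones, ports, interface names and reasons are constructed for the example, and since the article names no particular firewall product, the iptables syntax (and the zone-to-interface map) is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article): the "close everything, then
# open and document each port" policy as a rule table, a deny-by-default
# checker, a lint for undocumented openings, and an iptables renderer.
# Zones, ports, interfaces and reasons are constructed; iptables is assumed.

# Policy table: src_zone dst_zone proto port reason. Anything not listed is denied.
# The last line deliberately lacks a reason so the lint has something to find.
FW_RULES='# constructed example policy for the Figure 1 layout
internet  dmz       tcp  80    public Web site, plain HTTP
internet  dmz       tcp  443   public Web site, HTTPS (SSL/TLS)
dmz       db        tcp  5432  Web tier to the database listener; the only port open to the database network
intranet  dmz       tcp  22    administrators publish content over SSH
dmz       internet  tcp  443   HTTPS to the payment processor
dmz       db        tcp  3306'

# fw_check SRC DST PROTO PORT: prints allow or deny (first match wins, deny otherwise).
fw_check() {
  printf '%s\n' "$FW_RULES" | awk -v s="$1" -v d="$2" -v p="$3" -v n="$4" '
    /^[ \t]*#/ || NF == 0 { next }
    $1 == s && $2 == d && $3 == p && $4 == n { print "allow"; found = 1; exit }
    END { if (!found) print "deny" }'
}

# fw_undocumented: lists openings that have no reason recorded, one per line.
fw_undocumented() {
  printf '%s\n' "$FW_RULES" | awk '
    /^[ \t]*#/ || NF == 0 { next }
    NF < 5 { print "undocumented opening: " $1 " -> " $2 " " $3 "/" $4 }'
}

# fw_render_iptables: default-deny FORWARD chain plus one ACCEPT per rule,
# with the documented reason carried along as a rule comment.
fw_render_iptables() {
  printf '%s\n' "$FW_RULES" | awk '
    BEGIN {
      ifc["internet"] = "eth0"; ifc["dmz"] = "eth1"    # assumed zone-to-interface map
      ifc["db"] = "eth2";       ifc["intranet"] = "eth3"
      print "iptables -P FORWARD DROP"                # close everything first
      print "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    }
    /^[ \t]*#/ || NF == 0 { next }
    {
      reason = ""
      for (i = 5; i <= NF; i++) reason = reason (i > 5 ? " " : "") $i
      if (reason == "") reason = "UNDOCUMENTED"
      printf "iptables -A FORWARD -i %s -o %s -p %s --dport %s -m conntrack --ctstate NEW -m comment --comment \"%s\" -j ACCEPT\n",
             ifc[$1], ifc[$2], $3, $4, reason
    }'
}

# Stand-alone demonstration.
echo "internet -> dmz 443:  $(fw_check internet dmz tcp 443)"
echo "internet -> db 5432:  $(fw_check internet db tcp 5432)"
echo "dmz -> db 5432:       $(fw_check dmz db tcp 5432)"
echo "internet -> dmz 23:   $(fw_check internet dmz tcp 23)"
fw_undocumented
fw_render_iptables
```

The renderer only prints commands; to apply them you would review the output and run it as root on the firewall host. The useful habit is the table itself: every opening has a reason next to it, the lint catches the one that does not, and anything absent from the table is denied without anyone having to remember to block it.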

Code development - Use the JavaScript programming language instead of CGI scripts -- security holes are a common feature of the latter. If you must use CGI scripts, place them in wrappers and terminate CGI activity after three seconds.

Mail and any new software - Test mail and any new software on your development servers before opening or installing them on your Web servers.

Virus control - Disassociate e-mail from your site servers. Place a separate send-only e-mail server in your internal network and a receive-only e-mail server in the DMZ. Implement an antivirus gateway-based product to scan SMTP traffic via your firewall router, as well as an e-mail-based antivirus solution to protect your users from each other and from intruders on the Internet.

Vital data - Divide especially sensitive files -- such as payroll, client data, and inventory -- by placing them in databases with limited connections to the outside world. This is key, particularly when you're storing credit-card information.

Plug-ins and ActiveX - Instruct users to turn off ActiveX on their desktop browsers, and encourage them to download plug-ins from only trusted sources. Users could unknowingly download a malicious program -- which appears as a cool interactive element -- written by someone who wants to screw up their computers.

Setuid shell scripts - Eliminate your use of setuid shell scripts. UNIX bugs make them security risks.

Desktop security - Implement personal firewalls, virus protection, and VPNs to control access at all points.

FTP and Telnet - Disable FTP and Telnet to halt unauthorized visitors from exploring your site. These protocols are easy to re-enable (on a case-by-case basis) if users need them.

TFTP - Disable TFTP or ensure that it is configured with restricted access because it can be used to get your password file.

Directory browsing - Deactivate directory browsing to discourage casual browsing of your site directories.

Guest accounts - Disable generic guest accounts and require that guests ask you for temporary accounts. And name them something other than "guest." Many operating systems come configured with guest accounts, and some don't require passwords.

Passwords - Set up user passwords and change them often. Don't use obvious passwords such as family names, ID numbers, license plates, zip codes, phone numbers, and pet names. Avoid using long passwords -- this increases the likelihood that your staff will write them down, which poses a security risk.

Admin account - Name your administrator account other than "admin" so potential intruders can't access your network unless they know both your administrator user name and your password.

Software updates - Keep your software current. Old software versions often have security problems that intruders can exploit.

File and directory protection - Establish appropriate file and directory protections and ownership for system files.

Security consultants and services - Hire experts in security -- they can help you identify and correct the weaknesses in your systems.
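Several of the tips above (FTP, Telnet and TFTP left enabled, generic guest accounts and accounts without passwords, setuid shell scripts, and loose protection on system files) can be checked mechanically. The script below is an added example, not code from the original article: it runs against a root directory argument so it can be pointed at a constructed sample tree, and the file contents, account names and paths it creates are all made up for the example. Pointed at a real system's root it performs the same checks there.

```shell
#!/bin/sh
# Added example (not from the original article): a small audit for some of the
# conditions in the hardening tips. All sample files below are constructed.

# audit_make_sample ROOT: create a constructed system image with known findings.
audit_make_sample() {
  root="$1"
  mkdir -p "$root/etc" "$root/usr/local/bin"
  cat > "$root/etc/inetd.conf" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp   nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp   nowait  root    /usr/sbin/in.telnetd  in.telnetd
#finger stream  tcp   nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
tftp    dgram   udp   wait    root    /usr/sbin/in.tftpd    in.tftpd -s /tftpboot
EOF
  cat > "$root/etc/shadow" <<'EOF'
root:$6$constructed$notarealhash:11400:0:99999:7:::
guest::11400:0:99999:7:::
ftp:*:11400:0:99999:7:::
EOF
  printf '#!/bin/sh\necho fixing permissions\n' > "$root/usr/local/bin/fixperms"
  chmod 4755 "$root/usr/local/bin/fixperms"          # setuid shell script: flagged
  printf 'not a script\n' > "$root/usr/local/bin/tool"
  chmod 4755 "$root/usr/local/bin/tool"              # setuid but not a script: not flagged here
  printf '127.0.0.1 localhost\n' > "$root/etc/hosts"
  chmod 666 "$root/etc/hosts"                        # world-writable system file: flagged
}

# audit_inetd ROOT: active (uncommented) ftp, telnet and tftp entries.
audit_inetd() {
  awk '!/^[ \t]*#/ && ($1 == "ftp" || $1 == "telnet" || $1 == "tftp") {
         print "inetd: " $1 " is enabled; disable it or restrict access" }' "$1/etc/inetd.conf"
}

# audit_accounts ROOT: empty password fields and the generic guest account.
audit_accounts() {
  awk -F: '$2 == ""      { print "account: " $1 " has no password" }
           $1 == "guest" { print "account: generic guest account present" }' "$1/etc/shadow"
}

# audit_setuid_scripts ROOT: setuid files that start with an interpreter line.
audit_setuid_scripts() {
  find "$1" -type f -perm -4000 | while read -r f; do
    if [ "$(head -n 1 "$f" | cut -c1-2)" = "#!" ]; then echo "setuid script: $f"; fi
  done
}

# audit_world_writable ROOT: files under etc that any user can modify.
audit_world_writable() {
  find "$1/etc" -type f -perm -0002 | sed 's/^/world-writable: /'
}

# Stand-alone demonstration on a constructed tree.
AUDIT_ROOT=$(mktemp -d)
audit_make_sample "$AUDIT_ROOT"
audit_inetd "$AUDIT_ROOT"
audit_accounts "$AUDIT_ROOT"
audit_setuid_scripts "$AUDIT_ROOT"
audit_world_writable "$AUDIT_ROOT"
```

Each check prints one line per finding, so the output can be diffed against the previous run or fed to whatever ticketing you use. The setuid check deliberately reports only scripts, which is what the tip above is about; a full review of setuid binaries is a separate, larger task.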

Documentation: Creating Good Security Policies and Procedures

Experts agree that documentation is essential to creating a secure site. Policies and procedures documentation establishes security management standards and methods; provides a map for technical development, administrative tasks, emergency procedures, and budget versus risk; and offers a means for ensuring cross-departmental agreement. There are some good Web resources available. A good document on security policies and procedures contains the following elements.

Value and risk - Determine the value of your assets, the existing threats and the likelihood of future ones, and the consequences of loss or vandalism. Identify the specific data and processes that must be protected, and weigh the level of risk you are willing to accept against the funds available. In short, decide how much money you're willing to part with to secure your systems.

Standards - Establish clear, reasonable and enforceable standards, some of which might include access control (physical and remote); architectures and configurations; firewall implementation; programming languages and tools; network traffic rules; encryption technology; customer data protection; transaction security; and backup procedures.

Systems hardware and software - Provide virus protection (e-mail or gateway or both) for your server, firewall, and network; authentication protocol (SSL/TLS); encryption; certification (PKI); and intrusion detection software. Also, implement security methods for desktop workstations, network servers, public Web servers, and remote computers.

Diagrams - Maintain updated diagrams -- they are reliable maps of the past and present system configuration, connections, port openings, and so on, and can be used to visualize and evaluate security risks.

Tasks - Set up a computer-incident response team; a team to keep up-to-date on security technology, products, and services; and test and review teams to examine firewall integrity, code review, and so on.

Vendor services - Assess your current workforce's capabilities, your budget, and your requirements to implement a reasonable level of security. If your talent pool doesn't include security experts, you may require third-party security services and consulting, a development team expert in securing sites, or other services.

Web Resources

Computer Security Institute - For the information, computer, and network security professionals
http://www.gocsi.com/

CERT® Coordination Center (CERT/CC) - A center of Internet security expertise
http://www.cert.org

IT Security Cookbook - A self-help guide to computer and network security, primarily for security managers, programmers, and system administrators
http://www.boran.com/security/

Linux firewall survey, Part 1: Open source product roundup - Open-source solutions, commercial products, and firewall appliances
http://www.idg.net/go.cgi?id=340020

Apache-SSL - A secure Web server based on Apache and SSLeay/Open SSL
http://www.apache-ssl.org/

RSA Security - Encryption and PKI information
http://www.rsasecurity.com/

