Managed Security: Build It Right the First Time : Page 2

Secure Web services require not only building a secure environment but also maintaining a strong security posture. Managed security solutions provide assistance in the aspects of maintenance that even the most diligent engineers miss.


Footprinting Verifies Strengths and Weaknesses
You can use several methods to verify the security of your Web services and the environment in which they run. These methods entail a strong understanding of the application, the systems, and the network, and if done properly will provide an overall view of the security posture surrounding each aspect of the Web service.

Footprinting, the process of gathering data regarding a specific network environment, provides a snapshot of the entire Web service environment's security posture. By the environment, I mean not just the application, the network, and the servers, or the patch levels, hotfix levels, and service-pack levels, but all of these things and more. For example, footprinting often will detect that rogue Web server in the marketing department running an unpatched version of the OS, Web server, or application server, an inviting target that could lead to a compromise of the primary Web service platform (depending on trust issues within the corporate network environment). (See Build a Managed Security Solution for Your Web Servers with Open Source Tools for a guide to footprinting with open source scanners.)

Footprinting also will show the state of the network, the routers, and the ACLs that surround the applications and servers. Do these routers allow access to the internal network if a certain TCP/IP source port is used? Perhaps DNS zone transfers are performed regularly, and as such port 53/TCP is allowed to enter into the network. These sorts of exceptions often are inroads for an attacker. By footprinting the environment regularly and making sure to examine the results, the chances are much higher for someone within the organization to discover that rogue Web server or notice that anomalous traffic before an outsider breaks through the defenses.
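The ACL questions raised above can be checked mechanically as part of a regular footprint review. The following is an added example, not code from the original article: a short Python audit over a constructed rule set written in a simplified Cisco IOS-style extended ACL syntax. The rule lines, addresses, and finding names are assumptions made for illustration.

```python
import re

# Constructed sample rules (simplified IOS-style extended ACL; documentation addresses).
SAMPLE_ACL = """\
access-list 101 permit tcp any host 192.0.2.10 eq 443
access-list 101 permit tcp any eq 20 10.0.0.0 0.255.255.255
access-list 101 permit tcp any host 192.0.2.53 eq 53
access-list 101 permit tcp host 198.51.100.7 host 192.0.2.53 eq 53
access-list 101 permit udp any host 192.0.2.53 eq 53
access-list 101 deny ip any any
"""

# An address is "any", "host A.B.C.D", or "network wildcard-mask".
ADDR = r"(any|host \S+|\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+)"
RULE = re.compile(
    rf"^access-list (\d+) (permit|deny) (\w+) {ADDR}(?: eq (\w+))? {ADDR}(?: eq (\w+))?$"
)

def audit_acl(text):
    """Return (line_number, finding, rule) tuples for risky permit rules."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = RULE.match(line)
        if not m:
            # Never skip silently: an unparsed rule needs manual review.
            findings.append((lineno, "unparsed", line))
            continue
        _, action, proto, src, sport, dst, dport = m.groups()
        if action != "permit":
            continue
        # Access granted on source port alone: the remote side chooses that port.
        if sport and not dport:
            findings.append((lineno, "source-port-trust", line))
        # 53/TCP (zone transfers) open to any source instead of known peers.
        if proto == "tcp" and dport in ("53", "domain") and src == "any":
            findings.append((lineno, "open-zone-transfer-port", line))
    return findings

if __name__ == "__main__":
    for lineno, finding, rule in audit_acl(SAMPLE_ACL):
        print(f"line {lineno}: {finding}: {rule}")
```

Rules that restrict 53/TCP to a named peer, such as the fourth sample line, pass the audit; only the source-port permit and the any-source 53/TCP permit are reported.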



Build It Right the First Time
Let's look at a simple example of a Web application architecture and its surrounding infrastructure: online stock trading in the nascent design state. The systems engineers and administrators decide on a platform, operating system (OS), and Web server. The network engineers and administrators decide on a network architecture and infrastructure. Finally, the application developers develop an application to utilize the system and network architecture. Initially, the systems engineers and administrators design a secure platform for the software. Realizing the need for strong security, they apply all available service packs, patches, and hotfixes as part of the system design specification and configure their servers and software to secure the platform at an application server level.

In tandem with the systems engineers, the network engineers design a secure network architecture that will meet the needs of the business. This architecture also incorporates patches and hotfixes for the network hardware, and includes configuration changes to control the flow of traffic between the inside and outside networks. The network is now secure for traffic to flow to and from the servers.

Finally, the developers design a secure application. They perform proper input validation, manage sessions in a viable, secure manner, and use encrypted transport mechanisms. Moreover, they place no trust in the client; trusting the client is a practice in application design that leads to many pitfalls.

If any of these three aspects is designed poorly (a hotfix missed, a router not configured properly, or an error in application development that allows the use of clear-text protocols), then the entire design's security will fail.



Arjuna Shunn is a consultant of secure system and network design for the Foundstone security consulting team. Focusing primarily on Linux and Solaris, he brings over a decade of experience in UNIX system security, maintenance, and administration to Foundstone's attack and penetration team.