david rodriguez final project: web server security


Upload: harry-lane

Post on 28-Dec-2015

Introduction: Web server security: Changing platforms

In the past, sites were HTML code only, which required a lot of coding hours to maintain

Content Management Systems (CMS) emerged – reduced coding time significantly

CMS’s are database driven (developers store more data)

CMS’s are far more functional and lend themselves to more activity.

CMS’s have a large group of 3rd party developers (software can be vulnerable).

CMS platform vulnerabilities are widely known.

Introduction: Web server security: Front line risks

Web Servers are:

Generally the most insecure platform out of the box

Available for hacking all the time

Good gateway into more sensitive areas

Generally have databases residing on the server or connected to the server

Increased customer functionality can provide PII

Many more risks

Introduction: Web server security: Information Gap

Many resources address very specific areas of risk. However, few cover the security of a web server holistically.

Introduction: Web server security: Information Gap

The information gap is due to a few reasons:

First: It’s a SECURITY ISSUE.

Second: It’s a living.

Third: It changes all the time.

Introduction: Web server security: Areas of Protection

Physical Security

Network Level Security

VMware Security

Operating System security

Web Server Security

Database Security

CMS Security

Application Security

Introduction: Web server security: Project of Focus: Server Suite

The real-world project of focus for the report:

An agency needs to submit sensitive information via an HTML form and then import this information into an enterprise-wide system.

The agency needs ad-hoc and scheduled reports on these submissions.

This entire process needs to be functional, flexible, secure, resilient.

Introduction: Web server security: Project of Focus: Server Suite

Introduction: Web server security: Backup Everything/Disaster Recovery/Logging

Backup needs to occur:

AT THE FILE LEVEL

AT THE DATABASE LEVEL

AT THE VM LEVEL

SAN SNAPSHOTS

MULTIPLE ACCESSIBLE BACKUPS FOR EACH LEVEL

REMOTE SYNC LOCATION

LOG EVERYTHING AT EVERY LEVEL

Introduction: Web server security: Stay Active

AUDIT - Examine your web server configuration often

MAINTAIN – Establish maintenance activity processes/people

REVIEW – Establish a review process that covers auditing/maintenance. Review the need periodically to make sure the server is still organizationally needed.

Introduction: Web server security: Questions

?