WebApp Sec mailing list archives
RE: how to secure a commercial web site
From: "Levenglick, Jeff" <JLevenglick () fhlbatl com>
Date: Wed, 12 May 2004 10:43:10 -0400
Bilur,

As long as you're thinking, you're not making a terrible mistake. Your smart move was to ask others for advice. You would be surprised at how many people do not think too much about security.

Anyway.. here is a quick list:

Unix systems -
Secure the OS.
Best - run a trusted OS version.
Ok - run a chroot'ed system.
Always make sure it is patched current.
Run the many security audit tools out there. (cost you little or nothing!)
Secure the web server. Apache and Netscape are popular.
Get an SSL server cert.
Get a firewall and DMZ the web server. Proxy ssl/http traffic through the firewall.
Get a tripwire or Intrusion protection program for the server.

Windows system -
<<get a unix system... :) >>
Try to secure the OS. Make sure it is patched current.
Run the many IIS audit tools.
Get an SSL server cert.
Get the firewall....etc. from above.

<<options>>
Get a radius, token or single signon server/software. They offer better protection down to the application. Radius/Tokens will offer better login protection.

It does not have to cost you an arm and a leg. Most people would tell you to spend all your money on security. As I said before... nothing is totally secure. More time spent on configuration and audits is worth all the money in the world.

Jeffrey

-----Original Message-----
From: info () biledge com [mailto:info () biledge com]
Sent: Wednesday, May 12, 2004 07:02 AM
To: Levenglick, Jeff; webappsec () securityfocus com
Subject: RE: how to secure a commercial web site

Jeffrey,

if i get what i pay for, i would do it..but this is the problem, they are not secure enough, i can see this with my half knowledge..it means even if i pay for a certificate, the reality will remain the same: the security is depending on the user's computer's security. and even if every user has its own private key, it won't be a solution.

am i making a 'terrible' mistake in my thinking ?? ...

alternative (and weak) thought: if i prepare my web page as https and if i put it into a secure server, and if i create my own certificate; will i have a 'secure' system ?

thank you for your patience,
regards,
bilur

On 11 May 2004 at 9:51, Levenglick, Jeff wrote:

James,

I think he was only asking/looking at ssl. We would have a very long email if we were to talk about security. (Firewall, app level security, tokens, secure os ....etc.)

It is very common and cheap for people to want to just setup a quick web server for business. (ssl) Secure? Not really, but what really is? Expensive? Yes.. you get what you pay for.

Jeffrey

-----Original Message-----
From: Brown, James F. [mailto:James.F.Brown () fmr com]
Sent: Tuesday, May 11, 2004 09:26 AM
To: Levenglick, Jeff; info () biledge com; webappsec () securityfocus com
Subject: RE: how to secure a commercial web site

There is a LOT more to security than having a certificate on your server. It's necessary, but not sufficient.

================================
James F. Brown, CISM
Sr. Director, Information Security
Fidelity Investments
james.f.brown AT fmr.com
http://www.fidelity.com

-----Original Message-----
From: Levenglick, Jeff [mailto:JLevenglick () fhlbatl com]
Sent: Tuesday, May 11, 2004 8:58 AM
To: info () biledge com; webappsec () securityfocus com
Subject: RE: how to secure a commercial web site

Bilur,

You can buy your own cert server. (RSA Keon for example) At that point, you can create your own certs. (expire them when you want..etc.)

Also.. You then have two options.
1) Pay a fee and have your cert server 'trusted' via Verisign or other CA's, or
2) Leave it 'private' and just provide your CA cert to the users so they will trust you. (if you don't, it will still work. They will just see a message about trusting your site)

Jeffrey

-----Original Message-----
From: info () biledge com [mailto:info () biledge com]
Sent: Tuesday, May 11, 2004 05:12 AM
To: webappsec () securityfocus com
Subject: how to secure a commercial web site

hi,

i am trying to secure -SSL certificated- a commercial web site without using verisign, global sign, etc. it seems there is a monopoly and i want to be out of it.

does anyone know a better way to secure the web site or do i have to pay money, (even) for security ?

regards,
bilur

-----------------------------------------
This e-mail message is private and may contain confidential or privileged information.
-----------------------------------------
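Option 2 in Jeff's message (keep the CA private and hand your CA cert to the users), as an added shell example that is not from the thread: it builds a throwaway private CA with openssl, signs a server certificate with it, and shows that the server cert only verifies once the client has been given the CA cert; without it the client sees the "trust this site?" condition Jeff mentions. The hostnames and file names are constructed for the demo.

```shell
#!/bin/sh
# Private-CA demo (added example, not code from the thread).
# Requires the openssl command-line tool; everything is written to a temp dir.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. The private CA: a key and a self-signed CA certificate.
#    Modern `openssl req -x509` marks it basicConstraints CA:TRUE by default,
#    which the verifier needs in order to accept it as an issuer.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Example Private CA" -keyout ca.key -out ca.crt 2>/dev/null

# 2. The web server's key and certificate request (constructed hostname).
openssl req -newkey rsa:2048 -nodes \
  -subj "/CN=shop.example.test" -keyout server.key -out server.csr 2>/dev/null

# 3. Issue the server certificate from the private CA (short lifetime).
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 90 -out server.crt 2>/dev/null

# A client that has NOT installed ca.crt: only the default public trust
# store is consulted, so the chain cannot be built. Returns non-zero.
verify_without_ca() {
  openssl verify server.crt >/dev/null 2>&1
}

# A client that HAS installed ca.crt (what "provide your CA cert to the
# users" means in practice). Returns zero.
verify_with_ca() {
  openssl verify -CAfile ca.crt server.crt >/dev/null 2>&1
}

if verify_without_ca; then
  echo "unexpected: server cert trusted without the private CA cert"
else
  echo "untrusted: client lacks ca.crt (users would see a trust warning)"
fi
if verify_with_ca; then
  echo "trusted: client has ca.crt installed"
fi
```

Installing ca.crt on every client is the operational cost of a private CA; the verify step is exactly what a browser does before deciding whether to warn.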
Current thread:
- how to secure a commercial web site info (May 11)
- Re: how to secure a commercial web site Jeffrey Weiss (May 11)
- Re: how to secure a commercial web site Sean Radford (May 12)
- <Possible follow-ups>
- RE: how to secure a commercial web site Levenglick, Jeff (May 11)
- RE: how to secure a commercial web site Griffiths, Ian (May 11)
- RE: how to secure a commercial web site info (May 12)
- RE: how to secure a commercial web site Jason Gregson (May 12)
- Re: how to secure a commercial web site Rogan Dawes (May 12)
- RE: how to secure a commercial web site Levenglick, Jeff (May 12)
- Re: how to secure a commercial web site Jeffrey Weiss (May 11)