RE: how to secure a commercial web site

["Levenglick, Jeff" <JLevenglick () fhlbatl com>]

Bilur,

As long as your thinking, your not making a terrible mistake. Your smart
move was to ask others for advise. You would be surprised at how many people
do not think to much about security.

Anyway.. here is a quick list:

Unix systems -
Secure the OS. Best - run a trusted OS version. Ok - run a chroot'ed system.
Always make sure it is patched current
Run the many security audit tools out there. (cost you little or nothing!)
Secure the web server. Apache and Netscape are popular.
Get a SSL server cert
Get a firewall and DMZ the web server.
Proxy ssl/http traffic through the firewall.
Get a tripwire or Intrusion protection program for the server.


Windows system -
<<get a unix system... :)  >>
Try to secure the OS.
Make sure it is patched current.
Run the many IIS audit tools.
get a ssl server cert
Get the firewall....ect from above


<<options>>
Get a radius,token or single signon server/software. They offer better protection
down to the application. Radius/Tokens will offer better login protection.

It does not have to cost you an arm and a leg. Most people would tell you to spend
all your money on security. As I said before... nothing is totally secure. More time
spent on configuration and audits is worth all the money in the world.

Jeffrey 


-----Original Message-----
From: info () biledge com [mailto:info () biledge com]
Sent: Wednesday, May 12, 2004 07:02 AM
To: Levenglick, Jeff; webappsec () securityfocus com
Subject: RE: how to secure a commercial web site


Jeffrey, if i get what i pay for, i would do it..but this is the problem, they are not
secure enough, i can see this with my half knowledge..it means even if i pay for a certificate,
the reality will remain same : the security is depending on the user's computer's security. 
and even if every user has its own private key, it wont be a solution. am i making a 'terrible'
mistake in my thinking ??
...
alternative (and weak) thought : if i prepare my web page as https and if i put it into a secure 
server, and if i create my own certificate; will i have a 'secure' system ?
 
thank you for your patience,
regards,
bilur

On 11 May 2004 at 9:51, Levenglick, Jeff wrote:

> James,
>
> I think he was only asking/looking at ssl. We would have a very
> long email if we were to talk about security. (Firewall,app level
> security, tokens, secure os ....ect)
>
> It is very common and cheap for people to want to just setup a quick
> web server for business. (ssl) Secure? Not really, but what really is?
> Expensive? Yes.. you get what you pay for. 
>
> Jeffrey 
>
> -----Original Message-----
> From: Brown, James F. [mailto:James.F.Brown () fmr com]
> Sent: Tuesday, May 11, 2004 09:26 AM
> To: Levenglick, Jeff; info () biledge com; webappsec () securityfocus com
> Subject: RE: how to secure a commercial web site
>
>
> There is a LOT more to security than having a certificate on your
> server. It's necessary, but not sufficient.
>
> ================================
> James F. Brown, CISM
> Sr. Director, Information Security
> Fidelity Investments
> james.f.brown AT fmr.com
> http://www.fidelity.com
>
>
> -----Original Message-----
> From: Levenglick, Jeff [mailto:JLevenglick () fhlbatl com] 
> Sent: Tuesday, May 11, 2004 8:58 AM
> To: info () biledge com; webappsec () securityfocus com
> Subject: RE: how to secure a commercial web site
>
>
> Bilur,
>
> You can buy your own cert server. (RSA Keon for example) 
> At that point, you can create your own certs. (expire them when you
> want..ect)
>
> Also..
>
> You then have two options.
>
> 1) Pay a fee and have your cert server 'trusted' via Verisign or other
> CA's
> or
> 2) Leave it 'private' and just provide your CA cert to the users so they
> will
> trust you. (if you don't it will still work. They will just see a
> message about
> trusting your site)
>
>
> Jeffrey 
> -----Original Message-----
> From: info () biledge com [mailto:info () biledge com]
> Sent: Tuesday, May 11, 2004 05:12 AM
> To: webappsec () securityfocus com
> Subject: how to secure a commercial web site
>
>
> hi,
> i am trying to secure -SSL certificated- a commercial web site without
> using verisign, global 
> sign, etc. it seems there is a monopoly an i want to be out of it. does
> anyone know a better 
> way to secure the web site or do i have to pay money, (even) for
> security ?   
> regards, bilur
>
>
> -----------------------------------------
> This e-mail message is private and may contain confidential or
> privileged information.
>
> -----------------------------------------
> This e-mail message is private and may contain confidential or privileged information.




-----------------------------------------
This e-mail message is private and may contain confidential or privileged information.