(original)
Here are a few measures in order to secure a web site:
-
Always create at least two network boundaries:
-
A DMZ (i.e. Front-end machine area)
-
Web servers mainly, but it could have other machines used for communication, as long as:
-
No customer data should be hold in this network boundary
-
Machines in this boundary can only talk to machine on the next level down if that machine does not hold any confidential data (e.g. Customer Data, Partners data, Employees data, etc..)
-
-
-
A Back-end machine area
-
Application servers
-
Database servers containing confidential data migh be here (or a third boundary network could host them)
-
Intranet web servers
-
dqw
-
-
-
A firewall must exits:
-
In front of the DMZ
-
Between the DMZ and the back-end area
-
-
Machines in the F-E can trust machines in the B-E
-
Machines in the B-E cannot trust machines/identities from the F-E
-
If an Employee or Partner Web site must be available from the Internet area, it must be in a different DMZ (if possible).
-
It is always a good thing to have two URLs for a web site:
-
http://www.mysite.com/ for normal browsing (port 80)
-
https://secure.mysite.com/ for secure browsing (port 443)
-
This enables HTTPS to be handled by hardware
-
The Encryption traffic will happen between the client’s browser and the public firewall in front of the DMZ
-
In the DMZ, the HTTP request can be handled by the normal HTTP port (80). The application can still check whether this is a secure HTTP request by looking at the domain (http://www.mysite.com/ or secure.mysite.com).
-
-
Joao @ iLab8 