Security Measures to take into account when designing web sites


(original)

Here are a few measures in order to secure a web site:

  • Always create at least two network boundaries:
    1. A DMZ (i.e. Front-end machine area)
      • Web servers mainly, but it could have other machines used for communication, as long as:
        • No customer data should be hold in this network boundary
        • Machines in this boundary can only talk to machine on the next level down if that machine does not hold any confidential data (e.g. Customer Data, Partners data, Employees data, etc..)
    2. A Back-end machine area
      • Application servers
      • Database servers containing confidential data migh be here (or a third boundary network could host them)
      • Intranet web servers
      • dqw
  • A firewall must exits:
    • In front of the DMZ
    • Between the DMZ and the back-end area
  • Machines in the F-E can trust machines in the B-E
  • Machines in the B-E cannot trust machines/identities from the F-E
  • If an Employee or Partner Web site must be available from the Internet area, it must be in a different DMZ (if possible).
  • It is always a good thing to have two URLs for a web site:
    1. http://www.mysite.com/ for normal browsing (port 80)
    2. https://secure.mysite.com/ for secure browsing (port 443)
      • This enables HTTPS to be handled by hardware
      • The Encryption traffic will happen between the client’s browser and the public firewall in front of the DMZ
      • In the DMZ, the HTTP request can be handled by the normal HTTP port (80). The application can still check whether this is a secure HTTP request by looking at the domain (http://www.mysite.com/ or secure.mysite.com).
Advertisements
Leave a comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: