Developer

Advice regarding website security

Developer https://www.devze.com 2022-12-21 12:33 Source: web

We have just finished developing a new website for my company using the .NET MVC framework. The sql server supporting our application holds some critical data such as the profiles of other web users and we would like to make sure this data is never leaked due to a reputational risk to the company.

We have a number of ideas on things to do to secure our website but I would like to get the stackoverflow take on them. We will be using SSL for login screens and we protect against basic attack methods such as SQL injection and cross-site scripting attacks.

However we are worried about the physical machine being taken over using some exploit. We will be running the webserver (Windows Server 2008 SP2 with IIS7) in a DMZ with only port 80 and 443 open to the internet. Currently the sql server sits on the webserver machine but we are considering if this is a security risk. Would hosting the sql server in a machine in a second DMZ help in security?

We also considered using an Ubuntu box running Apache with mod_proxy in one DMZ that will be "redirecting" the 80 or 443 requests to a separate Windows machine in a second DMZ that will do the web serving and SQL Server hosting.

Some other suggestions we are getting is to use a product such as WatchGuard that can apparently filter the http packets for standards compliance thus blocking dodgy packets from reaching the webserver.

What other things should we be looking to secure?

Thanks


Allowing only 80 and 443 is a very good idea. DMZ stands for Demilitarized Zone; this is to define a machine on a NAT that is accessible by all traffic, and this should be avoided. Allowing SQL Server and port 445 will get you hacked; after all, you are running Windows and it's only a matter of time before yet another RPC vulnerability comes out.

The most important thing you must do is TEST YOUR SECURITY. It's not enough to say that you are preventing XSS and SQL injection. All security systems must be proven to stop attacks.

How do you test your system? I like Acunetix but it is overpriced; however, there is a free XSS tester. For SQL injection and other vulnerabilities I recommend using Wapiti, which is free. I recommend using OpenVAS, which is the new open source version of Nessus, which is now a commercial product. OpenVAS will tell you if your server is misconfigured or if you are running old software. You should do a full port scan of the system to test your firewall; this command will work: nmap -sT -p 1-65535 domain.com. This can also be done from OpenVAS.

After testing your system, install a Web Application Firewall. mod_security is a good choice for Apache; you can use a reverse proxy to get mod_security to work with IIS. AQTRONiX is an open source WAF built for IIS, but I haven't used it.
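The answer above says to port-scan the DMZ host and check that the firewall really only exposes 80 and 443. The script below is an added example, not code from the thread or from nmap: it parses nmap's grepable (-oG) output and reports every open TCP port outside an allow-list, so the check can be repeated after each firewall change instead of eyeballing the scan. The host, ports and scan text in SCAN_OUTPUT are a constructed sample, not a real scan result.

```python
"""Check nmap grepable (-oG) output against a DMZ port allow-list.

Added example, not from the original thread. It assumes you have run
something like:

    nmap -sT -p 1-65535 -oG scan.gnmap example.com

and want to confirm that nothing but 80 and 443 answers on the DMZ host.
"""
import re

# Policy from the thread: only HTTP and HTTPS may reach the web server.
ALLOWED_TCP_PORTS = {80, 443}

# Constructed sample of nmap -oG output (hypothetical host and ports).
# 445 (SMB) and 1433 (SQL Server) are deliberately included as the kind of
# exposure the answer warns about; 3389 is filtered, so it is not "open".
SCAN_OUTPUT = """\
# Nmap 7.94 scan initiated as: nmap -sT -p 1-65535 -oG scan.gnmap example.com
Host: 192.0.2.10 (example.com)\tStatus: Up
Host: 192.0.2.10 (example.com)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 445/open/tcp//microsoft-ds///, 1433/open/tcp//ms-sql-s///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (65530)
# Nmap done at ...: 1 IP address (1 host up) scanned in 120.55 seconds
"""

# One -oG port entry: port/state/protocol/owner/service/rpc-info/version/
PORT_FIELD = re.compile(r"(\d+)/([^/]+)/([^/]+)/[^/]*/([^/]*)/")


def parse_open_ports(gnmap_text):
    """Return {host_ip: [(port, proto, service), ...]} for ports nmap reports open."""
    results = {}
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports: field runs from "Ports:" to the next tab-separated field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service in PORT_FIELD.findall(ports_field):
            if state == "open":
                results.setdefault(host, []).append((int(port), proto, service))
    return results


def firewall_violations(gnmap_text, allowed=ALLOWED_TCP_PORTS):
    """Open TCP ports that the DMZ policy does not permit, per host."""
    violations = {}
    for host, entries in parse_open_ports(gnmap_text).items():
        bad = [(port, service) for port, proto, service in entries
               if proto == "tcp" and port not in allowed]
        if bad:
            violations[host] = bad
    return violations


if __name__ == "__main__":
    for host, bad in firewall_violations(SCAN_OUTPUT).items():
        for port, service in bad:
            print(f"{host}: tcp/{port} ({service or 'unknown'}) is reachable but not allowed")
```

Run it against your own scan by reading the -oG file into the function in place of SCAN_OUTPUT; a non-empty result means the firewall is exposing more than the two ports the design calls for (here it flags 445 and 1433, exactly the SMB and SQL Server exposure the answer warns about).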


1- Critical data must be encrypted in your tables.

2- Guard against all types of SQL injection.

3- Encrypt the connection string in the web.config file.

