Solved

Web Server behind Firewall used for Intranet and Extranet

Posted on 2003-11-13
Last Modified: 2010-04-22
I would like to get some feedback about possible security concerns with my proposal...

Server Config: RedHat 9.0, Apache 2.0, PHP 4.2.2, MySQL 3.23.52
Firewall: WatchGuard, forwarding port 80 to this server
Applications: phpMyAdmin, Mambo Open Source?, Custom Reports and XML outputs to be imported into Accounting System (Windows 2000 Server)

Three examples of how this will be used:
1 - A user comes and fills out a Purchase Order Form on our site and an XML file is produced and imported into our Accounting System.
2 - Our accounting system produces monthly reports that will be published on line for specific users to view.
3 - New projects will be added to the database by internal staff which will produce an XML file used for setting up the project in the Accounting System.  As well, modifications may be made by the external owner of the project and these changes will need to be imported into our system.

Needless to say I will be storing a lot of sensitive information in my MySQL database.  Some of which I want external public users to be able to see.  Other information I want to make accessible to external private users as well as give them the ability to edit the information.  Finally, internal users will have access to the most information; this information will need to be transferred to our Windows server.

My main concerns are:
- Network vulnerabilities by opening port 80
- Server security, how to ensure external users don't access private information
- Exploiting holes in any of the above technologies
- Probably a stupid question but would Mambo security suffice for securing data?

Considerations:
- Should I just host this server remotely?
- Should I put it in a DMZ?
- Recommendations
Question by:hibbits
3 Comments
Accepted Solution

by: jlevie (earned 250 total points)
Provided that you religiously keep your RH 9 system up to date with respect to the RedHat 9 errata, there's no inherent risk, server-wise, of exposing the system to only HTTP requests. However, that doesn't mean that your application code can be neglected. The most likely means of exposing more than you want to would arise from poorly designed or implemented web applications. Given that you'll have data stored in a MySQL database, some of which you would never want outsiders to see, I'd use a second system as the MySQL DB server. And I'd design the application(s) to use more than one database. Only "publicly viewable" data would be in one or more databases and private data in others. The web server would only have access to the "public data" and internal users would have access to the rest.

Also keep in mind that this server is only as secure as the rest of the machines on your network are. If you have other systems that have Internet access and that might be compromised, they could be used to successfully attack this server(s). At the least I'd install & run Tripwire to detect unauthorized modifications, and I'd set up a host-based firewall on the Linux server(s) that only allows inbound connections on 80/TCP and ssh from "known secure" internal machines. Along with that I'd severely limit the number of folks that have direct (non-web) access to the server(s). For the best security this system(s) and any that have ssh access should be located in rooms that are locked when a responsible user isn't present.

Also keep in mind that support for RedHat 9 will end in April 2004. You'd be well advised to switch to RedHat Enterprise Linux 3.0 ES for this application as it will have a 5 year service life. See the RedHat site for more information.
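The host-based firewall and "web server sees only the public database" layout described above, as an added example (not code from the thread or from any of the posters). It generates an iptables-restore ruleset that accepts 80/TCP from anywhere and ssh only from named internal hosts, plus a MySQL GRANT that gives the web application's account rights on the public database alone; the addresses, database, account and password are constructed placeholders.

```shell
#!/bin/sh
# Added example: host firewall + DB privilege split for the web server.
# All hosts, names and the password below are constructed placeholders.

ADMIN_HOSTS="192.0.2.10 192.0.2.11"   # constructed: "known secure" internal admin machines
WEB_HOST="192.0.2.20"                 # constructed: the Apache/PHP box as seen by the DB server
WEB_PORT=80

# Print an iptables-restore ruleset: default-deny inbound, allow loopback and
# replies, allow new HTTP from anywhere, allow new ssh only from ADMIN_HOSTS.
gen_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'        # anything not explicitly accepted is dropped
    echo ':FORWARD DROP [0:0]'      # this box is not a router
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo "-A INPUT -p tcp --dport $WEB_PORT -m state --state NEW -j ACCEPT"
    for h in $ADMIN_HOSTS; do
        echo "-A INPUT -p tcp -s $h --dport 22 -m state --state NEW -j ACCEPT"
    done
    # Log (rate-limited) what the default policy is about to drop.
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "HOSTFW-DROP: "'
    echo 'COMMIT'
}

# Number of rules accepting NEW connections on a given port; a quick
# sanity check that, e.g., 3306 (MySQL) is never reachable from outside.
count_accepts_for_port() {
    gen_rules | grep -c -- "--dport $1 .*-j ACCEPT"
}

# GRANT for the web application's DB account (MySQL 3.23 syntax). Granting
# only on public_db means the account has no rights at all on private_db,
# so a flaw in the web app cannot read the private data through it.
gen_mysql_grants() {
    cat <<EOF
GRANT SELECT, INSERT, UPDATE ON public_db.* TO 'webapp'@'$WEB_HOST' IDENTIFIED BY 'CHANGE-ME';
FLUSH PRIVILEGES;
EOF
}

# Apply the firewall only when run as root with an explicit "apply" argument;
# otherwise just print both artifacts for review.
if [ "$1" = "apply" ] && [ "$(id -u)" = "0" ]; then
    gen_rules | iptables-restore
else
    gen_rules
    gen_mysql_grants
fi
```

Run the grants on the DB server (`mysql -u root -p < grants.sql`) and the ruleset on the web server (`sh hostfw.sh apply`), then confirm from an outside address that only port 80 answers.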

Expert Comment

by:ahoffmann
As jlevie said: if there is private sensitive data somewhere, keep it away from any application accessible via the internet.
If you have more than one (web-)application using your MySQL, each of them might be used to get unauthorised access.
My approach is to have copies/extracts of a database copied to the external server for internet access.

Expert Comment

by:amikeliunas
Run also the http://bastille-linux.org/ program to harden the security on your box.