Link to home
Start Free TrialLog in
Avatar of Ridgejp
RidgejpFlag for United Kingdom of Great Britain and Northern Ireland

asked on

Website Security and External Visiblity

Hi,

Have a few questions ... may seems obvious to everyone but hope you can help?

If I was building a new property on a new road in a new location the general public could drive past and determine a change in the environment. They could if they wished drive up and have a good nosey around the property peering in through the windows (to see the internal layout) and what is being developed etc.

As such they'd be able to determine the number of doors/windows and entry points - how secure the building was and what the accessibility of the building was from the front/side/rear etc.

On this basis I have a number of questions: -

When you send a website live how do you determine what others can see, from this perspective? If someone finds your domain can they wander around it like you would a house, viewing and trying to probe at what the various sub-php pages are or does it stop at the domain name? Is there ways too probe for the pages below the domain etc, and exploit them? I understand ports etc can be locked down to control/restrict access - but how do you self-examine what you built for yourself and whether its water-tight or infact you've left a side window open accidentally?

I'm building a website that will host some internal functions for aspects of my business that are currently performed on an internal network using access and want to take it live using MySql using a LAMP installation. I'm building the website (more of a portal really) to have a login system but am intrigued to understand how the web location will be seen by the outside world and what extra precautions are needed to protect my data.

Hope you can help.

J
Avatar of Dave Baldwin
Dave Baldwin
Flag of United States of America image

One of the simplest methods is to use 'wget' or 'httrack' to download everything that is 'visible'.  Do that from another computer and then you will be able to tell what is linked in your pages and visible to the public.  You should note that everything that appears on a web page is visible to the public or the browser would not be able to display it.
You don't need to stick to a user/pass only auth system at all, there are a lot of different ways to make sure that certain users can only do certain things or even get into the site. It's not so much of an issue if it's just something for the family in the grand scheme of things but when the stakes are higher it can be a total disaster (see all the data breaches, someone has my SSN... an hopefully they're paying my student loans associated with it, from a data breach, but I also diligently buy up traces of leaked personal data from these breaches.) The fact is if you built the system you should always get another pair of eyes/keyboard-mouse combo on it.

If you run a big enough operation and you are running your own servers, penetration testing and vulnerability scanners are very handy. You want to audit your system because you don't want someone you don't know to "audit" it for you. There are lots of free tools, but if you have a budget you can also pay for tools or specialists. If you're really worried, subscribe via RSS to vulnerability feeds (Full Disclosure on nmap.org, MITRE, and the like). Even if you don't understand how it's done, just knowing that it's possible will get you at least a head start. I'm of the belief that you should always build production systems with security in mind as a basic assumption because data is one of the most valuable commodities out there and almost any data or metadata can have value that you'd rather hold onto.

If your're building something behind a LAMP stack, at least Apache is mature enough so that there are enough modules available to deter the lower leveled attackers. Make sure your permissions are set correctly, don't put sensitive but ultimately extraneous stuff online, etc. Read up on hardening guides, chmod, .htaccess if you plan on using those, these are just starts. Network security is an important field that's overlooked frequently but there's a ton of material out there that if data security is important you have to be familiar with at least the concepts and ideas.

Oh, and I always at least do a quick nmap to see if I missed something obvious. If you're not running your own server or running a dedicated server, ask for permission first.
ASKER CERTIFIED SOLUTION
Avatar of gr8gonzo
gr8gonzo
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
The answer is yes, they can potentially get access to anything on the server.
Web servers should either be on a DMZ, isolated from your internal resources or domains, OR published via a second layer behind the firewall, itself in a DMZ. The old Microsoft way of doing this was Forefront TMG, which acted as a reverse proxy server so that clients on the internet had no direct access to the server. it wa a great product, so obviously they stopped selling it.
use something like a Kemp load balancer with the firewall pack, so the connection comes through your firewall, hits the Kemp, is firewall evaluated again and proxied to the internal device. That way, the client never sees the internal network structure at all.
@Gareth, a reverse proxy server doesn't necessarily handle any security issues related to what the author has built. A firewall or fancy security appliance might help reduce general attacks and exploits that it has in its database, but if the author has an AJAX controller that doesn't use authentication (and is therefore a potential attack vector), for example, then a firewall and/or reverse proxy won't do anything to stop that.

Don't get me wrong, reverse proxies are great for load balancing, among other things, but it doesn't seem to really apply here.
Hi gr8gonzo
What made the Forefront excellent was the inclusion of malware scanning and IPS, rather than just the reverse proxy.  I agree it isn't a complete solution, but nothing generally is. An additional layer of obscurity is always helpful.  Hardening web servers/sites is a tricky process, particularly where you are publishing applications, I often try to deter clients from it. in my experience the driver for creating the site "so we can work from anywhere" leads to the obvious corollary that anyone can see your data from anywhere. Do you really want to work on your vacation/honeymoon/doctors visit/etc.? A little more separation of work from "real" life would be better for most of us. Sorry, rant over.