How to Secure Your Web-Enabled Business
Provided by Verio, StartupNation’s Web hosting service.
Stories about new viruses circulating through e-mail have become common. Reports of hackers stealing a company’s data or crashing its Web site are less common, but the danger of it happening is ubiquitous and real. As you prepare to Web-enable your business, it is vital that you take the necessary steps to secure your server and business data.
As discussed in previous articles, you have two primary options for hosting your Web site: you can either hire a Web hosting company, or you can host the site yourself on your own server.
If you hire a Web hosting company such as Verio, they will configure your server’s operating system, configure the basic services (Web, FTP, and e-mail), and manage the server’s security. Make sure the hosting company offers comprehensive virus protection, spam protection and e-mail filtering, power backups, and 24/7/365 network monitoring. If you plan on building an e-commerce site, check that the company also offers an SSL secure server. Working with a Web hosting company that offers these services will relieve you of 95% of the work involved in securing your business. The additional issues to be aware of involve collecting and managing customer data, which are discussed in our two articles “E-Commerce: What You Need to Know” and “Creating a Customer Database for Your Site.”
The remainder of this article discusses the most important security issues and procedures when hosting your own server.
When it comes to securing a Web site that you host yourself, it doesn’t matter what type of Internet connection you have (DSL, cable modem, T1, etc.). Also, don’t let the hype regarding Microsoft Windows vs. Linux/Unix security fool you. All operating systems have security issues. We tend to hear more about Windows security issues because there are many more Windows servers than Linux/Unix servers, making Windows a more frequent target for hackers and viruses.
Securing your own Web server requires basic and sometimes advanced knowledge of technologies like firewalls, NAT, anti-virus software, intrusion detection, and file-level security.
Firewalls: The First Line of Defense
First and foremost, your server must be behind a firewall. A firewall is a device (software or hardware) designed to prevent unwanted Internet traffic from gaining access to your server. Communication over the Internet takes placing using a protocol called TCP/IP. As you know from our article about domain names, every computer on the Internet (including servers) has an IP address. A single server may host a Web site, e-mail server, FTP server, and other services: each of these services requires a different type of data and communications. To ensure that e-mail data gets to the e-mail server, that Web page requests get to the Web server, and so on, a server communicates over multiple ports. Ports are separations within the IP address that direct data to the correct services on the server.
Firewalls allow data to reach certain ports and prevent data from reaching others. In general, you should set up your firewall to only allow access to the ports being used on your server. For instance, if your server only hosts a Web site, set your firewall to block all traffic except port 80, the port for Web services. By doing this you ensure that your server is shielded from all hack attempts except those that come from the Web service. This technique is akin to boarding up all the windows in your house and nailing all the doors closed but one. Burglars are less likely to attempt breaking in, and if they try, there’s only one door unlocked so it’s much easier to guard.
Network Address Translation (NAT): Second Line of Defense
A Network Address Translation (NAT) is similar in function to a firewall. A NAT device–which is most often your router–is the networking hardware that is directly connected to the Internet. All the computers and servers on your internal network have IP addresses (for example, 192.168.1.143 or 126.96.36.199) that have been reserved for private, internal networks. The NAT device is configured to redirect traffic from a public IP address to a specific server on your network. Most redirecting is done on a port-by-port basis. For instance, if the NAT device’s public IP is 188.8.131.52 and access to an internal Web server is needed, the NAT can be configured to direct port 80 traffic to your internal Web server and not allow any traffic on other ports.
In essence, a NAT gives the same results as a firewall, but it does it in a slightly different manner. Properly configuring your NAT device to direct traffic to the appropriate server and excluding all other traffic is key to securing your business.
Know Your Server’s Operating System
If you are hosting your own Web server, you must be familiar with your server’s operating system and know how to secure it via file level permissions and passwords. If you configure your own system, don’t assume that once you get that first Web page displayed that your work is complete. Always have a full understanding of your server’s operating system; go to the manufacturer’s Web site every day to check for updates and patches, and install them immediately.
Every computer on the Internet, including your Web server, is a potential victim of viruses. Thousands of malicious viruses circulate the Internet, and unscrupulous programmers release new viruses weekly. There are many types of viruses: some are designed to delete data on your computer, some attempt to find data on your server and send it back to the person that created the virus, and some viruses simply attempt to shutdown your server by overloading it with information.
Regardless of their ultimate purpose, most viruses attempt to turn the infected computer into a bot that automatically seeks out new computers to infect. Because of this, it sometimes takes only minutes for a new server on the Internet to be hit by an infection attempt. If the infection is successful, your server may quickly spread the virus to other computers on your private network, as well as other servers on the Internet. Whether your server runs Microsoft Windows, Unix, or Linux, you will need to secure it against viruses.
When purchasing anti-virus software, be sure it is designed for use on a server and not just a desktop computer. Look for software that also protects you from malware, e-mail spam, macro viruses, and can automatically update itself 24/7 to handle new threats. Make it part of your daily routine to go to the anti-virus software manufacturer’s Web site to check for new information and recommendations for fighting viruses.
Many Windows and Unix/Linux security holes are related to buffer overruns: a malicious program simply sends more data to your server than it can handle, and then executes a series of commands to gain control of the server. When looking for anti-virus software, make sure that it also protects you against buffer overruns (McAfee’s Active Anti-Virus, SMB Edition is one example). Properly installing and updating robust anti-virus software will save you many headaches.
Scripting Security Issues
If your Web site is built only with HTML, then you have no additional security risks. However, most business Web sites are database-driven or have active content driven by some form of a scripting engine: PHP, Perl, ASP (Active Server Pages), JSP (Java Server Pages), CFM (Cold Fusion Markup), .NET Framework, or others. Scripting allows you to build a vibrant Web site of rich, interactive content but also exposes the site to additional security risks.