Merely operating a live website can be a security liability for the rest of your network. Any site can become a target regardless of its size or content: a compromised server is useful to attackers as a spam relay, a source of data to steal, a launch point for malicious email or ransomware, and more. In many cases you will not know that a Web server (and whatever was reachable from it) has been compromised until the damage is done. As a website owner, it’s your duty to protect not only your own systems but your users and clients as well. In this post, we provide an overview of a few Web security concepts and how best to implement them.
How you choose to structure your internal and external networks in relation to each other affects your overall security. Some firms opt to house their Web servers in the same network as their internal servers. This creates an obvious liability: if the Web server is compromised, the attacker has a foothold with direct network access to the internal servers, and the internal servers are likely to be compromised next. NIST (National Institute of Standards and Technology) describes this as an inadvisable network layout. It’s best to keep the two separated, typically by placing the Web server in its own DMZ segment behind the firewall, with only the ports it needs opened to it.
In the same vein, it is not recommended that a Web server be placed in front of (outside) the firewall or filtering router. In that position nothing on the network can filter traffic on the server’s behalf: every port and every packet from the Internet reaches the host directly, and the server’s own hardening is the only line of defence.
It’s quite common for organizations to outsource Web hosting responsibilities to a third party. There are several advantages to doing so. The Web server, an obvious attack target, is not on the organization’s own network, so an attack on it is segmented from the internal systems by default. For example, a DoS (denial of service) attack on the hosted server would not saturate the organization’s own Internet link or affect its internal network. Additionally, a hosting provider runs servers as its core business and can devote dedicated staff and tooling to server security. Outsourcing moves the server but not the responsibility: the application and its data are still yours to secure. If you choose to outsource, use only established and trusted hosting services.
The firewall concept is nothing new and several types of firewall exist. At their most basic, they are packet filters (often built into a router) that allow or block traffic based on IP addresses and ports. Stateful firewalls additionally track the state of TCP and UDP connections, so that replies are admitted only for connections an allowed side initiated. Application-layer firewalls (proxies and Web application firewalls) understand the protocol itself and can filter content. If you choose to rely on a firewall, ensure that it is configured so that it:
- Controls all traffic between the Internet and the Web server
- Allows only the required inbound traffic to the Web server (normally HTTP on TCP port 80 and HTTPS on TCP port 443) and drops everything else
- Blocks inbound traffic from the Internet whose source address is an internal or private address (this catches spoofing attacks)
- Filters content, where the firewall is capable of it
- Logs what it drops and notifies network administrators of anomalies and suspicious activity
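As an added example (not from the original article or from NIST), here is a Linux nftables ruleset for a border firewall that implements the checklist above together with the DMZ separation described earlier: the Web server sits on its own segment, only HTTP/HTTPS from the Internet reaches it, inbound packets carrying private source addresses are dropped as spoofed, connection tracking admits replies only, and every drop is logged so administrators can alert on it. The interface names (eth0/eth1/eth2) and the Web server address 192.0.2.10 are assumptions chosen for illustration. Content filtering is not something a packet filter can do; that needs a reverse proxy or Web application firewall in front of the server and is outside this block.

```shell
#!/bin/sh
# Added example (not from the original article): an nftables ruleset for a
# border firewall/router between the Internet, a DMZ holding the web server,
# and the internal LAN. Interface names and the 192.0.2.10 server address are
# assumptions for illustration (192.0.2.0/24 is a documentation range).
WAN_IF="${WAN_IF:-eth0}"     # Internet-facing interface
DMZ_IF="${DMZ_IF:-eth1}"     # segment holding only the web server
LAN_IF="${LAN_IF:-eth2}"     # internal network (workstations, internal servers)
WEB_SERVER="${WEB_SERVER:-192.0.2.10}"

# Print the ruleset; shell variables expand inside the heredoc, nft syntax is literal.
emit_ruleset() {
cat <<EOF
flush ruleset

table inet border {
    # RFC 1918 and loopback space: legitimate Internet traffic never carries these
    # as a source, so seeing them arrive on $WAN_IF means spoofing or misconfiguration.
    set bogon_sources {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8 }
    }

    # Traffic to the firewall itself: only loopback, replies, and admin SSH from the LAN.
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid counter drop
        iifname "$LAN_IF" tcp dport 22 ct state new accept
        counter log prefix "FW-INPUT-DROP " drop
    }

    # Traffic routed through the firewall: anything not explicitly allowed is dropped.
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Anti-spoofing: an inbound packet claiming an internal source is logged and dropped.
        iifname "$WAN_IF" ip saddr @bogon_sources counter log prefix "SPOOF " drop
        # Stateful handling: replies to permitted connections flow back automatically.
        ct state established,related accept
        ct state invalid counter drop
        # Internet -> DMZ: only HTTP and HTTPS to the web server, nothing else.
        iifname "$WAN_IF" oifname "$DMZ_IF" ip daddr $WEB_SERVER tcp dport { 80, 443 } ct state new accept
        # LAN -> DMZ: admins may manage the web server; LAN users reach it like anyone else.
        iifname "$LAN_IF" oifname "$DMZ_IF" ip daddr $WEB_SERVER tcp dport { 22, 80, 443 } ct state new accept
        # LAN -> Internet: outbound connections may be started from the inside.
        iifname "$LAN_IF" oifname "$WAN_IF" ct state new accept
        # DMZ -> Internet: a compromised web server should not be able to reach out freely;
        # only DNS and HTTPS (package updates) are allowed, an assumption for this example.
        iifname "$DMZ_IF" oifname "$WAN_IF" udp dport 53 ct state new accept
        iifname "$DMZ_IF" oifname "$WAN_IF" tcp dport { 53, 443 } ct state new accept
        # DMZ -> LAN: never. A compromised web server must not pivot inward; log it so admins notice.
        iifname "$DMZ_IF" oifname "$LAN_IF" counter log prefix "DMZ-TO-LAN " drop
        # Everything else that reaches the policy is logged as well (the "notify admins" point).
        counter log prefix "FW-FORWARD-DROP " drop
    }
}
EOF
}

# True if the generated ruleset contains the given literal text (used for self-checks).
ruleset_has() {
    emit_ruleset | grep -qF -- "$1"
}

# Syntax-check with nft when it is installed (needs no root and changes nothing).
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        emit_ruleset | nft -c -f -
    else
        echo "nft not installed; skipping syntax check" >&2
    fi
}

# Load the ruleset atomically (flush + new table in one transaction); requires root.
apply_ruleset() {
    emit_ruleset | nft -f -
}

case "${1:-print}" in
    print) emit_ruleset ;;
    check) check_ruleset ;;
    apply) apply_ruleset ;;
    *) echo "usage: $0 [print|check|apply]" >&2; exit 2 ;;
esac
```

Run it with no argument to print the ruleset, `check` to syntax-check it with `nft -c`, and `apply` (as root) to load it. The default `policy drop` on both chains is what makes "allow only required traffic" hold: a rule that is forgotten results in blocked traffic, not in an exposed port. The DMZ host's outbound access is deliberately limited so that a compromised Web server cannot freely call out; adjust those two rules to what your server actually needs.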
NIST’s Web server security guideline contains the comprehensive checklist.
Even firewalls need updating. Keep the firewall software patched and current, and the same goes for the firmware if you have a router-based (appliance) firewall.
How you choose to structure your network layout matters. From a segmentation perspective, it’s better to keep your internal and external servers in different networks, so that a compromised external server does not give the attacker a path into the internal network. Along the same line, consider hosting your Web server with a third party. Doing so can provide dedicated security management and will keep your internal and external servers segmented. Lastly, ensure that your firewall is patched, updated and configured according to NIST’s recommendations.