Do you need a security consultant?


David Gabel
09.26.2000


Security for your company and your company's computing infrastructure is more important than ever in this age of the Internet and e-business. While it's probably true that you have to be on the Web, and you have to have an e-commerce capability, or else you'll get eaten up in the competition, the Web opens up previously unimagined vulnerabilities. How do you cope?

One way is to get hold of a consultant who knows a lot about Web security and pay him a ton of money to analyze your situation. But a book entitled Maximum Internet Security: A Hacker's Guide, by Anonymous (published by Que), suggests that this may not be the best thing to do in all situations.

You can read this book in its entirety at http://www.informIT.com.

Before you haul off and spend thousands (or even tens of thousands) of dollars on a security consult, there are some things that you should consider.

Here are a couple of test questions:

Scenario 1: Suppose you establish a sacrificial machine, a Macintosh running WebStar and no other TCP/IP servers. The machine is isolated from your network, it has no valuable data on it, and basically, it has no inroad to your internal network. Your network does not run TCP/IP, and none of the publicly accessible nodes perform IP forwarding in any case. Would you pay a security consultant to scan that Web server box? (Instead of either having your system administrator scan it or not scanning it at all.) If so, why?

Scenario 2: You want to co-locate a box at an ISP. You normally work with Microsoft Windows NT (and so does your internal system administrator). Nevertheless, the ISP is trying to convince you to use a SPARC 20 and is willing to sell you one (or lease you one) for fair market value. Do you do it? If so, why?

The correct answer to both of these questions is "probably not." Here are the reasons why:

Scenario 1: What would the consultant be scanning for? Because the machine is running no other services but HTTP over WebStar, most modern scanners would render a laundry list of "connection refused" and "server not reachable" messages. In other words, the scan would be a complete waste of time and money because no services exist on the machine. Scanners like those discussed in Chapter 9, "Scanners," are used only to attack full-fledged TCP/IP implementations, where services (including NFS and other protocols) are either available and misconfigured or available and not configured at all. The question is, would you or your internal system administrator know this? If not, you might get taken.

Scenario 2: Why would you agree to place your Web server in the hands of a company on which you will remain totally dependent? If neither you nor your staff knows UNIX, insist on an NT box. If the provider balks, find another. Commonly, the ISP staff might forward the explanation that they feel UNIX is more secure and they therefore cannot tolerate an NT box on their Ethernet. If you agree to their terms, you will either be dependent upon them for all maintenance and programming or you will have to pay good money to train your system administrator in UNIX.

To read more from this book, click over to informIT.com at http://www.informit.com/product/1575212684/.

David Gabel is Executive Technology Editor at Techtarget.com.

