tags:

views:

72

answers:

2
+3  Q: 

Advice regarding website security

Hi,

We have just finished developing a new website for my company using the .NET MVC framework. The sql server supporting our application holds some critical data such as the profiles of other web users and we would like to make sure this data is never leaked due to a reputational risk to the company.

We have a number of ideas on things to do to secure our website but I would like to get the stackoverflow take on them. We will be using SSL for login screens and we prevent against basic attach methods such as sql injection, cross site scripting attacks.

However we are worried about the physical machine being taken over using some exploit. We will be running the webserver (Windows Server 2008 SP2 with IIS7) in a DMZ with only port 80 and 443 open to the internet. Currently the sql server sits on the webserver machine but we are considering if this is a security risk. Would hosting the sql server in a machine in a second DMZ help in security?

We also considered using an Ubuntu box running Apache with mod_proxy in one DMZ that will be "redirecting" the 80 or 443 requests to separate windows machine in a second DMZ that will do the web serving and sql server hosting.

Some other suggestions we are getting is to use a product such as WatchGuard that can apparently filter the http packets for standards compliance thus blocking dodgy packets from reaching the webserver.

What other things should we be looking to secure?

Thanks

A: 

1- Critical data must be encrypted in your tables.

2- Take care from all types of SQL Injections.

3- encrypt the connection string in web.config file

Wael Dalloul  2010-03-02 09:46:24
To clarify, We have already implemented the following and we are looking for additional things we should be looking at both from the application development point of view and from the deployment/infrastructure point of view:
Matthew  2010-03-02 12:23:06
1. Passwords stored in the database are hashed and salted so that even if the database is compromised this data is of no use.2. Cross-site scripting (XSS) and html injection is prevented by ensuring that all user entered data that is returned to the browser is HTML encoded3. Cross site request forgery is prevented by means of anti forgery validation tokens.4. Transmission of all sensitive data is secured by means of SSL.
Matthew  2010-03-02 12:23:56
+1  A: 

Allowing only 80 and 443 is a very good idea. DMZ stands for Demilitarized Zone, this is to define a machine on a NAT that is accessible by all traffic and this should be avoided. Allowing SQL Server and port 445 will get you hacked, after all you are running windows and its only a matter of time before yet another RPC vulnerability comes out.

The most important thing you must do is TEST YOUR SECURITY. Its not enough to say that you are preventing xss and sql injection. All secuirty systems must be proven that they can stop attacks.

How do you test your system? I like Acunetix but it is over priced, however there is a free xss tester. For SQL Injection and other vulnerabilities i recommend using Wapiti which is free. I recommend using OpenVAS which is the new open source version of Nessus which is now a commercial product. OpenVAS will tell you if your server is misconfigured or if you are running old software. You should do a full port scan of the system to test your firewall, this command will work nmap -sT -p 1-65535 domain.com, this can also be done form OpenVas.

After testing your system. Then install a Web Application Firewall, mod_secuirty is a good choice for Apache, you can use a reverse proxy to get mod_security to work with IIS. Aqtronix is an open source WAF built for IIS, but i haven't used it.

Rook  2010-03-02 16:17:18

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security