Summary


The moment a server is placed on the Internet, it's vulnerable to attack. Don't for one moment think that you can "sneak" a Web server onto the Internet without anyone noticing!

For an attack to take place, the attacker must have the motivation (she just got fired from a company, for example), a justification (destroying the company's Web site is nothing compared to the anguish she's suffered), and the opportunity. Having the opportunity is easy on the Internet—an attack can be launched at any time from virtually anywhere.

Attacking a site involves finding the site and scanning for open ports using a tool downloaded from the Internet. The tool determines information about the system and can sometimes search for vulnerabilities.

A common type of attack is the IP-level attack. Most of these are DoS attacks. Many low-level IP attacks exploit weaknesses in the TCP/IP protocol suite because TCP/IP was never designed to be a secure protocol. IPSec is designed to remedy most of these issues.

Be ready for attacks coming through the HTTP port. As administrators reduce the number of open ports on their firewalls, more application vendors are tunneling data through port 80. Also, be sure to filter all content coming from users. Treat all user input as bad until you have inspected it using regular expressions; the valid form of any data you expect should be expressible as a regular expression.
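As an added example (not code from the book or its CD), here is the allow-list style of input inspection the paragraph recommends, written in JavaScript as it could run under classic ASP with JScript; the field names and the patterns are assumptions chosen for illustration:

```javascript
// Each rule describes the ONLY acceptable shape of a field. The ^ and $
// anchors matter: without them a pattern matches a substring, so a value
// with junk before or after the good part would slip through.
const RULES = {
  // 3 to 20 letters, digits or underscores (assumed policy)
  username: /^[A-Za-z0-9_]{3,20}$/,
  // Deliberately strict e-mail shape, not the full RFC grammar
  email: /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/,
  // Positive integer of at most 9 digits, e.g. a record id
  recordId: /^[1-9][0-9]{0,8}$/,
  // ISO date YYYY-MM-DD (shape only; calendar validity is a separate check)
  orderDate: /^[0-9]{4}-(0[1-9]|1[0-2])-(0[1-9]|[12][0-9]|3[01])$/,
};

// Validate one field. Returns true only when the WHOLE value matches.
// Unknown field names and non-string values are rejected: input the
// application never asked for is "bad" by definition.
function isValidField(name, value) {
  const rule = RULES[name];
  if (!rule || typeof value !== "string") return false;
  return rule.test(value);
}

// Validate a whole form. Returns the names of rejected fields; an empty
// list means everything passed. Missing required fields and unexpected
// extra fields are both reported.
function validateForm(fields) {
  const rejected = [];
  for (const name of Object.keys(RULES)) {
    if (!isValidField(name, fields[name])) rejected.push(name);
  }
  for (const name of Object.keys(fields)) {
    if (!(name in RULES)) rejected.push(name);
  }
  return rejected;
}

// Constructed sample submission (not real data).
const sample = {
  username: "alice_01",
  email: "alice@example.com",
  recordId: "42",
  orderDate: "2000-02-29",
};
console.log(validateForm(sample)); // prints []
```

Reject and log a request whose rejected list is non-empty rather than trying to "clean" the value; a value you could not describe with a pattern is one you do not understand well enough to accept.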

Constantly monitor your site for vulnerabilities. Try to break into it, and use some of the tests described in this chapter. Monitor the Windows 2000, IIS, and SQL Server logs and parse them to look for suspicious activity. Use a scanner tool to scan your site for vulnerabilities. (Go to backoffice.microsoft.com/securitypartners for an up-to-date list.)

To catch a thief, you must think like a thief! All computers, clients, and servers are potential attack victims, so be sure to adequately secure all Internet-connected computers. Finally, the most important precaution you can take is to stay current with security issues by subscribing to security newsletters and lists.



Designing Secure Web-Based Applications for Microsoft Windows 2000 with CDROM
Year: 1999
Pages: 138
