
Wednesday, December 31, 2008

A Look At Information Technology Security For 2007

Computer security is a fascinating field, and 2007 will be no different; if anything, the release of Microsoft Vista will make it more interesting.

Large companies are looking to tighten the noose around those bad hackers, and consumers are demanding more security and more privacy for their home computers. And who wouldn’t? Credit card fraud and identity theft have not decreased; they have only increased.

Hackers who like to hack into bank accounts are going to have a harder time doing that. Some online banking companies are asking their customers to take a further step in the login process when logging into their bank accounts. For example, some banks are asking their customers to enter their user ID on one page and then enter their password on the next page; this makes it more difficult for hackers. But don’t ever feel like you are safe: keep your guard up and don’t fall for any phony emails that ask you to go to a fake look-alike bank website and enter your user name and password. If you do get one of those fake emails, call your bank first and ask them if they sent you the email; you can also forward the email to the bank’s technical support team.

Thanks to companies like Webroot, there are programs that can help you keep your computer secure and free of spyware and adware, such as their Spy Sweeper software, which I highly recommend. Webroot also offers a great firewall that your computer should not be without. Go to the AME Computers Spyware and Malware page for more information on these great products.

Another good move for security and against spam is that some ISPs are offering free spam filters, which helps cut down on the amount of junk mail reaching your inbox. The newer version of Outlook has a built-in junk mail filter, but what’s the point in having a filter if you have to go and sift through the contents of the spam filter that Outlook provides?

The flip side to all of this is the cost to consumers. Spyware and viruses can cost companies and the average consumer thousands of dollars a year. Companies implementing new security hardware pass those expenses on to their customers, so it is not good for the consumer or the business. The Microsoft Vista operating system has some built-in features to help keep you safe; however, there may still be a need for third-party software to protect against spyware and viruses.

It’s a never-ending battle between the good guys like Webroot and Lavasoft and the bad guys like the hackers and spammers. Do your part and fight the good fight.

Sunday, December 28, 2008

Web Servers and Firewall Zones

Web and FTP Servers

Every network that has an internet connection is at risk of being compromised. Whilst there are several steps that you can take to secure your LAN, the only real solution is to close your LAN to incoming traffic, and restrict outgoing traffic.

However, some services such as web or FTP servers require incoming connections. If you require these services, you will need to consider whether it is essential that these servers are part of the LAN, or whether they can be placed in a physically separate network known as a DMZ (or demilitarised zone if you prefer its proper name). Ideally all servers in the DMZ will be standalone servers, with unique logons and passwords for each server. If you require a backup server for machines within the DMZ, then you should acquire a dedicated machine and keep the backup solution separate from the LAN backup solution.

The DMZ will come directly off the firewall, which means that there are two routes in and out of the DMZ: traffic to and from the internet, and traffic to and from the LAN. Traffic between the DMZ and your LAN would be treated totally separately from traffic between your DMZ and the internet. Incoming traffic from the internet would be routed directly to your DMZ.
Therefore, if any hacker were to compromise a machine within the DMZ, the only network they would have access to would be the DMZ. The hacker would have little or no access to the LAN. It would also be the case that any virus infection or other security compromise within the LAN would not be able to migrate to the DMZ.

In order for the DMZ to be effective, you will have to keep the traffic between the LAN and the DMZ to a minimum. In the majority of cases, the only traffic required between the LAN and the DMZ is FTP. If you do not have physical access to the servers, you will also need some sort of remote management protocol such as terminal services or VNC.

Database servers

If your web servers require access to a database server, then you will need to consider where to place your database. The most secure option is to create yet another physically separate network, called the secure zone, and to place the database server there.
The secure zone is also a physically separate network connected directly to the firewall. The secure zone is by definition the most secure place on the network. The only access to or from the secure zone would be the database connection from the DMZ (and LAN if required).



Exceptions to the rule

The dilemma faced by network engineers is where to put the email server. It requires an SMTP connection to the internet, yet it also requires domain access from the LAN. If you were to place this server in the DMZ, the domain traffic would compromise the integrity of the DMZ, making it simply an extension of the LAN. Therefore, in our opinion, the only place you can put an email server is on the LAN, allowing SMTP traffic into this server. However, we would recommend against allowing any form of HTTP access into this server. If your users require access to their mail from outside the network, it would be far more secure to look at some form of VPN solution, with the firewall handling the VPN connections. (LAN-based VPN servers allow the VPN traffic onto the network before it is authenticated, which is never a good thing.)
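
The zone model in this post (DMZ, secure zone, and the SMTP-only exception for the LAN mail server) can be checked mechanically against a firewall's allow rules. The following is an added example, not part of the original post; the subnets, mail server address, port numbers and sample rules are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (assumption): one subnet per firewall interface.
ZONES = {
    "lan": ipaddress.ip_network("10.0.0.0/24"),
    "dmz": ipaddress.ip_network("10.0.1.0/24"),
    "secure": ipaddress.ip_network("10.0.2.0/24"),
}
MAIL_SERVER = ipaddress.ip_network("10.0.0.25/32")  # assumed; sits on the LAN

# Inter-zone flows the post permits, as destination TCP ports (assumed values).
ALLOWED = {
    ("internet", "dmz"): {21, 80, 443},   # incoming FTP control and web
    ("lan", "dmz"): {21, 3389, 5900},     # FTP, terminal services, VNC
    ("dmz", "secure"): {1433},            # database port is a placeholder
    ("lan", "secure"): {1433},            # "and LAN if required"
}

def src_zone(cidr):
    """Zone holding the whole source CIDR; wider or unknown means untrusted."""
    net = ipaddress.ip_network(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "internet"

def audit(rules):
    """Return (src, dst, port, flow) for allow rules that break the zone model."""
    findings = []
    for src, dst, port in rules:
        sz, dnet = src_zone(src), ipaddress.ip_network(dst)
        for dz, zone in ZONES.items():
            if dz == sz or not dnet.overlaps(zone):
                continue  # intra-zone, or the rule does not reach this zone
            smtp_in = (sz, dz) == ("internet", "lan") and dnet == MAIL_SERVER and port == 25
            if not smtp_in and port not in ALLOWED.get((sz, dz), set()):
                findings.append((src, dst, port, f"{sz} -> {dz} tcp/{port}"))
    return findings

# Constructed sample ruleset: (source CIDR, destination CIDR, destination port).
SAMPLE_RULES = [
    ("0.0.0.0/0", "10.0.1.10/32", 80),      # web into the DMZ: permitted
    ("0.0.0.0/0", "10.0.0.25/32", 25),      # SMTP to the mail server: permitted
    ("0.0.0.0/0", "10.0.0.25/32", 80),      # HTTP to the mail server: flagged
    ("10.0.1.10/32", "10.0.0.0/24", 445),   # DMZ host into the LAN: flagged
    ("10.0.1.10/32", "10.0.2.5/32", 1433),  # DMZ to the database: permitted
    ("0.0.0.0/0", "10.0.2.5/32", 1433),     # internet to the database: flagged
]
if __name__ == "__main__":
    print("\n".join(f[3] for f in audit(SAMPLE_RULES)))
```

A destination wider than one zone is checked against every zone it overlaps, so an overly broad rule cannot slip past as if it were outbound traffic.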