Having a frame of reference for how to think about security helps you cut through information overload. While working on our patterns & practices Improving Web Application Security: Threats and Countermeasures book, one of our favorite mantras was “Secure your network, host and application!” We learned this by talking to our infrastructure group at Microsoft. The main security problem was the issues that fall through the cracks. The holistic approach is to secure the network, host and application. The host included runtime services and components, platform services and components, and the operating system.
Physical View
This is a physical view of securing your network, host and application:
Notice that we have categories under network, host and application. We used these categories to organize our threats, attacks, vulnerabilities, and countermeasures.
Securing Your Network
The three core elements of a secure network are the router, firewall, and switch.
| Element | Description |
|---|---|
| Router | Routers are your outermost network ring. They direct packets to the ports and protocols that you have prepared your applications to work with. Insecure TCP/IP protocols are blocked at this ring. |
| Firewall | The firewall blocks those protocols and ports that the application does not use. Additionally, firewalls enforce secure network traffic by providing application-specific filtering to block malicious communications. |
| Switch | Switches are used to separate network segments. They are frequently overlooked or over-trusted. |
Securing Your Host
We organized host security as follows:
| Element | Description |
|---|---|
| Accounts | Accounts grant authenticated access to your computer, and these accounts must be audited. Configure accounts with least privilege to help prevent elevation of privilege. Remove any accounts that you do not need. Slow down brute force and dictionary attacks with strong password policies, and then audit and alert for logon failures. |
| Auditing and Logging | Auditing and logging record who did what, and when, on the host. Use Windows auditing and the event logs to detect suspicious or unauthorized activity, and audit and alert on logon failures. |
| Files and Directories | Secure all files and directories with restricted NTFS permissions that only allow access to necessary Windows services and user accounts. Use Windows auditing to allow you to detect when suspicious or unauthorized activity occurs. |
| Patches and Updates | Patching and updating your server software is a critical first step. If you do not patch and update your server, you provide opportunities for attackers and malicious code. |
| Protocols | Avoid using protocols that are inherently insecure. If you cannot avoid using these protocols, take the appropriate measures to provide secure authentication and communication. |
| Registry | Many security-related settings are stored in the registry and, as a result, you must secure the registry. You can do this by applying restricted Windows ACLs and by blocking remote registry administration. |
| Services | If the service is necessary, secure it and maintain it. Consider monitoring any service to ensure availability. If your service software is not secure, but you need the service, try to find a secure alternative. |
These categories proved to be highly effective. We used them to create and organize checklists for securing Web servers, application servers, and database servers. They were also helpful for matching up existing checklists. For example, we could ask questions like: what does this security checklist for IIS say to do about accounts? Which services does it mention, and what does it tell you to do with them? And so on.
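The host categories above read naturally as a checklist, and the quickest way to see the checklist in action is to run it against a server. The PowerShell script below is an added example, not code from the original post or from patterns & practices: it collects one read-only observation per host category so you can compare a box against the table. It assumes Windows PowerShell 5.1 or later on Windows Server 2016 or newer, an elevated session, and that the web root lives at `C:\inetpub\wwwroot` (the path and the list of legacy protocol names are assumptions you should adjust).

```powershell
# Added example: read-only host audit organized by the seven host categories.
# Assumes an elevated Windows PowerShell 5.1+ session; $webRoot is an assumed path.
#Requires -RunAsAdministrator

$report = [ordered]@{}

# Accounts: enabled local accounts, with password expiry and last logon so that
# unneeded or never-expiring accounts stand out for review or removal.
$report['Accounts'] = Get-LocalUser | Where-Object Enabled |
    Select-Object Name, PasswordExpires, LastLogon

# Accounts: lockout and password policy, which slows brute force and dictionary attacks.
$report['AccountPolicy'] = net accounts

# Auditing and Logging: confirm that logon events (including failures) are audited.
$report['LogonAuditPolicy'] = auditpol /get /subcategory:"Logon"

# Files and Directories: broad write grants on the web root are the ACL entries to question.
$webRoot = 'C:\inetpub\wwwroot'   # assumed path
if (Test-Path $webRoot) {
    $report['WebRootBroadWriteAcl'] = (Get-Acl $webRoot).Access |
        Where-Object { $_.IdentityReference -match 'Everyone|\\Users$|Authenticated Users' -and
                       $_.FileSystemRights -match 'Write|Modify|FullControl' } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Patches and Updates: the most recent installed hotfix and how old it is.
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$report['LatestHotFix'] = $latest | Select-Object HotFixID, InstalledOn
if ($latest) {
    $report['DaysSinceLastPatch'] = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
}

# Protocols: SMBv1 and legacy SSL/TLS server-side protocol keys (schannel).
$report['SMB1Enabled'] = (Get-SmbServerConfiguration).EnableSMB1Protocol
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$legacy = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'   # assumed list of protocols to flag
$report['LegacyProtocolServerKeys'] = Get-ChildItem $schannel -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -in $legacy } |
    ForEach-Object {
        Get-ItemProperty "$($_.PSPath)\Server" -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'Protocol'; e = { $_.PSParentPath.Split('\')[-1] } },
                          Enabled, DisabledByDefault
    }

# Registry: remote registry administration should be off, so check the service state.
$report['RemoteRegistry'] = Get-Service RemoteRegistry | Select-Object Status, StartType

# Services: every running service without a documented reason deserves review.
$report['RunningServices'] = Get-Service | Where-Object Status -eq 'Running' |
    Select-Object -ExpandProperty Name

$report
```

Run it as a script and compare the output against the host table row by row: an enabled account with no recent logon, a logon audit policy of "No Auditing", a write grant for Users on the web root, a patch age in the hundreds of days, SMBv1 still enabled, or a running RemoteRegistry service each points to the category that needs work.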
Securing Your Application
We organized application security as follows:
| Element | Description |
|---|---|
| Auditing and Logging | Who did what and when? Auditing and logging refer to how your application records security-related events. |
| Authentication | Who are you? Authentication is the process that an entity uses to identify another entity, typically through credentials such as a user name and password. |
| Authorization | What can you do? Authorization is the process that an application uses to control access to resources and operations. |
| Configuration Management | Who does your application run as? Which databases does it connect to? How is your application administered? How are these settings secured? Configuration management refers to how your application handles these operational issues. |
| Cryptography | How are you protecting secret information (confidentiality)? How are you tamper-proofing your data or libraries (integrity)? How are you providing seeds for random values that must be cryptographically strong? Cryptography refers to how your application enforces confidentiality and integrity. |
| Exception Management | When a method call in your application fails, what does your application do? How much does it reveal about the failure condition? Do you return friendly error information to end users? Do you pass valuable exception information back to the caller? Does your application fail gracefully? |
| Input and Data Validation | How do you know that the input your application receives is valid and safe? Input validation refers to how your application filters, scrubs, or rejects input before additional processing. |
| Parameter Manipulation | Form fields, query string arguments, and cookie values are frequently used as parameters for your application. Parameter manipulation refers to both how your application safeguards tampering of these values and how your application processes input parameters. |
| Sensitive Data | Sensitive data is information that must be protected either in memory, over the wire, or in persistent stores. Your application must have a process for handling sensitive data. |
| Session Management | A session refers to a series of related interactions between a user and your Web application. Session management refers to how your application handles and protects these interactions. |
We used these categories to organize our application threats, attacks, vulnerabilities, and countermeasures. We then structured our guidelines using these categories. This was the early foundation for our Security Frame.
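Three of the application categories, Parameter Manipulation, Input and Data Validation, and Exception Management, come together whenever a value round-trips through a cookie or query string and comes back. The PowerShell functions below are an added example, not code from the original post: they sign an outgoing parameter with an HMAC so tampering is detected on return, validate the recovered value against an allow-list instead of trying to sanitize it, and on any failure log the detail while handing the caller only a generic message. The function names, the ten-digit account-number rule, and the placeholder key are assumptions; a real deployment loads the key from protected configuration rather than source.

```powershell
# Added example: tamper-evident parameters, allow-list validation, and generic errors.
# Function names, the account-number format, and the key are assumptions for the demo.
using namespace System.Security.Cryptography
using namespace System.Text

# Placeholder key for the demo only; never keep a real key in source.
$script:HmacKey = [byte[]](1..32)

function Protect-Parameter {
    # Returns "<value>.<signature>", safe to place in a cookie or query string.
    param([Parameter(Mandatory)][string]$Value)
    $hmac = [HMACSHA256]::new($script:HmacKey)
    try { $sig = $hmac.ComputeHash([Encoding]::UTF8.GetBytes($Value)) }
    finally { $hmac.Dispose() }
    $encoded = [Convert]::ToBase64String($sig).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    return "$Value.$encoded"
}

function Unprotect-Parameter {
    # Returns the original value when the signature verifies, otherwise $null.
    param([Parameter(Mandatory)][string]$Token)
    $dot = $Token.LastIndexOf('.')
    if ($dot -lt 1) { return $null }
    $value    = $Token.Substring(0, $dot)
    $actual   = [Encoding]::UTF8.GetBytes($Token.Substring($dot + 1))
    $expected = [Encoding]::UTF8.GetBytes((Protect-Parameter $value).Substring($dot + 1))
    if ($actual.Length -ne $expected.Length) { return $null }
    # Fixed-time comparison: every byte is examined regardless of where a mismatch occurs.
    $diff = 0
    for ($i = 0; $i -lt $expected.Length; $i++) { $diff = $diff -bor ($actual[$i] -bxor $expected[$i]) }
    if ($diff -eq 0) { return $value }
    return $null
}

function Test-AccountNumber {
    # Allow-list validation: exactly ten digits; anything else is rejected, not cleaned up.
    param([string]$Text)
    return $Text -match '^\d{10}$'
}

function Invoke-AccountLookup {
    # Exception management: full detail to the log, a friendly generic message to the caller.
    param([Parameter(Mandatory)][string]$Token)
    try {
        $account = Unprotect-Parameter $Token
        if (-not $account) { throw 'parameter signature did not verify' }
        if (-not (Test-AccountNumber $account)) { throw "parameter failed validation: '$account'" }
        return "balance for $account"   # stand-in for the real lookup
    } catch {
        Write-Warning ('{0:u} account lookup rejected: {1}' -f (Get-Date), $_.Exception.Message)
        return 'The request could not be completed.'
    }
}

# Demo: a signed parameter passes; the same token with its first digit altered does not.
$token = Protect-Parameter '0123456789'
Invoke-AccountLookup $token                         # balance for 0123456789
Invoke-AccountLookup ($token -replace '^0', '9')    # generic message; detail goes to the warning stream
```

The order of the checks matters: the signature is verified before the value is even looked at, the allow-list runs on the recovered value rather than on the raw token, and the catch block is the only place a caller-facing message is produced, so no exception text leaks about which check failed.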