ecomm book hack proofing your ecommerce site part 5 pdf

250 Chapter 4 • Designing and Implementing Security Policies

...of a successful penetration. If the intruder is able to reach a host's operating system, he may still be thwarted by host-based intrusion detection, host-based access controls, and application level security. By a successive failure at every step, or tier, of the implementation, an intruder may violate the company's acceptable use policy and thereby succeed in the targeted attack. But that assumes that every tier is implemented perfectly and contains no unknown security vulnerabilities, which is not possible. Thus security at any tier depends on the success of security at every tier, in succession.

Perimeter security primarily concerns itself with lower protocol layers, where policy can be enforced by limiting traffic flows at those layers. Host and application security represents the upper protocol layers, where session controls and application security can be used for enforcement. Network security mechanisms fill in any gaps between the two and perform logging and auditing enforcement functions.

Let's look at a specific policy, one that defines the kind of traffic allowed on the internal network. This security policy specifies that certain kinds of traffic will be restricted: it specifies what traffic the enforcement mechanism should restrict, where (in general terms) it needs to restrict it, and who is expected to implement the enforcement mechanism. In the case of data networking, the how for enforcing this policy might be a firewall, VPN, or remote access solution. For internal network security, how might be router access lists, domain-based access controls, and network traffic monitors. For host and application security, how might be NT domain security, TCP wrappers to log port connections, and host-based intrusion detection. The social aspect is even covered by educating users and training recovery staff for handling incidents.
Every tier implements the same policy, just in a different way. We talked about policy managers earlier, and now is a good time to revisit the idea in terms of our diagram. A policy manager can integrate with the technical solutions deployed at every tier, depending on the vendor and the solution. By changing or creating one policy, administrators can produce configuration changes across multiple tiers or multiple systems within a single tier. Pushing multiple changes at once reduces the possibility that something is missed, as could happen if manual changes were made one at a time.

www.syngress.com 134_ecomm_04 6/19/01 11:59 AM Page 250

How Do I Inform My Clients of My Security Policies?

As a customer of a bank, you expect the bank to keep your money safe. As a customer of a hotel, you expect your possessions to still be in your room when you return at the end of the day. As a customer of an e-commerce transaction, you expect your credit card and personal information to be kept as private as you consider it. So does every other e-commerce customer. Many people still won't do business on the Internet now, in 2001, until they can be assured that their data is safe.

Businesses have traditionally looked at security as a necessary evil, something that stands in the way of the desired goal. Brick and mortar shops don't usually invest in security infrastructure because their customers demand it; the purchase is to protect their own assets. When they do, they certainly don't use it as a selling feature: "Buy your sofa here, we'll keep you from getting mugged on the way out!" Talking about security implies a lack of it, which turns people away because they're probably not thinking of physical safety as they shop. But homebuilders can sell homes by touting built-in alarm features in gated communities because they are selling peace of mind—so when online theft is front-page news, why wouldn't a Web site sell more products by calming buyers' fears over loss of credit card data?

Damage & Defense…

When You Can't Afford Enforcement Technologies

There's a difference between having no policy and having one that is not enforced with technology. It's very possible your e-business won't be able to afford everything it takes to enforce the ideal security policy. Some things aren't negotiable, of course, such as using a firewall or doing tape backups. But some things may be beyond the financial ability of the company just now, such as client authentication. If your company's management examines the risk and decides it's worth taking, insurance may be a more cost-effective option than enforcing particularly expensive policy provisions. The goal of security policy is to use it as a tool for assuring security at your site. Assurance can be met by implementing security directly or by insuring against the risk of not enforcing it. Many security companies today are beginning to offer insurance against intrusions for this reason.

Building Customer Confidence through Disclosure

Electronic selling is still selling, just the same. Customers still respond favorably to a kind face, an honest explanation of the product, a fair price, and a convenient location in which to buy the product. E-commerce lends itself wonderfully to everything except the first thing customers expect to see when they walk in the door. Somehow, your site has to put a face on itself, one that's worthy of remembering. Disclosure of security policy is a way to build customer confidence by putting a kinder, gentler face on at least a portion of your site.
A good example of security disclosure in this regard is Amazon.com (www.amazon.com). They have devoted several Web pages to addressing customer fears over making a purchase. They state in very certain terms in their "Safe Shopping Guarantee" that the customer experience is safe. Their privacy statement describes exactly what information the site will gather about the customer, what will be done with the information, and what the customer stands to risk from third parties. Amazon.com takes a definite risk by posting information about the security of e-commerce transactions. If it turns out not to be true, they'll get hit with lawsuits. They must be pretty confident about their security implementation to make a guarantee like that, and customers know it.

Usually, too much of a good thing isn't good, so Amazon has a small link at the bottom of their main page that takes you to a bigger information store about privacy, acceptable use, and information safety. You have to be concerned enough to look for it, but it's there to reassure you when you find it. Disclosing security information shouldn't be "in your face" to be effective. Overdoing it might actually have the opposite effect and entice an intruder to find out what all the boasting about security at your site is really about. On the other hand, subtlety has the effect of a whisper in the ear: "We know you're concerned, but you don't have to be, and here's why." In an industry where you can't see the face of your customer, you have to anticipate what must be going through her mind and provide the answer to the questions before they are even asked.

Security as a Selling Point

Smart shoppers are becoming security-savvy about e-commerce in the same way they became savvy about carbon copies of credit card slips in the 1970s.
Convincing them to do business with your site means you don't just take a stab at securing your Web site; you must do it extremely well—and then tell everyone about how well you do it. Raise the bar for the competition and sell more products than they do because you can do it more securely. Advertise your success at securing customer transactions on your own site, and use it as a tool to create an image of your company as empathetic with what the customer needs and wants.

When faced with two equal methods of doing business, customers will choose the one they are most comfortable with, not because of what is done or how it works, but because of who stands behind it. People generally like the convenience of doing business on the Internet, but they are still very unsure about it, and rightfully so. It's hard to put a face on e-business, and most sites don't have it quite right. Time and again, customers choose to do business with companies that are successful in projecting an image of being the helping hand that guides them, the one that's in their corner, the one that can meet their need and be trusted. In the end, the successful e-commerce ventures will be the ones that sell this same image to their customers as hard and fast as the physical products those customers are buying. That's how today's successful brick-and-mortar companies became that way.

Summary

Security policies are important to an e-commerce site because it takes so many different people working together and making decisions independently to produce the site. People who make decisions about purchasing hardware may never even get to talk to a site developer, if the project is large and distributed across several locations.
Security policies ensure that people are always working toward the same goals and are implementing technical solutions that will achieve the expected results for the site.

A security policy needs to address a fairly well-defined list of topics, although the specifics need to be tailored to your own business by considering its culture, business requirements, inventory of probable risks, and so on. At a minimum, your policy should clearly define the term "confidential data," identify acceptable uses of your site's hardware and software, describe minimum privacy standards, and provide for effective enforcement. Ideally, your policies should work together to provide an assurance to your customers and your business that information confidentiality, integrity, and availability are maintained.

Building and enforcing a security policy is an effective tool for ensuring that your site is profitable. Your security policy can help reduce expenses from downtime, of course, but it can also be a means for increasing sales. Customers who are edgy about doing business on the Internet need some assurance that they aren't going to regret trying something new. Disclosing information about what they can expect regarding protection of their information can build customer confidence in having chosen a good company to do business with. In the end, your site's success will depend on building a helpful, friendly image that customers will remember—using security as a marketing tool can help move your site one more step in that direction.

Solutions Fast Track

Why Are Security Policies Important to an E-Commerce Site?

- Failing to implement cost-effective security solutions affects the profitability of your site from several perspectives. Insufficient security can lead to expenses from downtime, lawsuit, or data loss; security that is too extreme can inhibit productivity, constrict customer interaction, or require too much in the way of administration costs. Profitability lies somewhere in the middle, and that somewhere is different for every e-commerce venture.

- Security policies should exist to help others make good decisions, not to get in the way of productivity. Cost-effective security doesn't spend more to protect an asset than it's worth to the business, although its value to a particular business may be more or less than the actual market or street value. Security improvements generally have an inverse relationship with productivity, but both end up costing money if taken to the extreme.

- As you develop the policy, try to be brief. The longer the policy, the less likely that users will read it. The policies need to be clear, doable in your environment, and enforceable. Generally, if the policy specifies the "what" without specifying the "how," supporting departments are granted greater leeway to develop innovative solutions to problems and still stick to the overall security goals. Defining words in simple terms before they are used prevents differing interpretations later on.

What Elements Should My Security Policy Address?

- A comprehensive security policy is actually made up of several individual policies, each of which targets unique lateral aspects of the site's business processes. The individual policies work together to provide three basic assurances for the site: confidentiality, integrity, and availability of data.

- To be certain that your site is not handing out confidential information to impersonators, you should authenticate customers as well as assuring your site's identity to them. A site SSL certificate doesn't tell the server anything about the client's identity, which could be impersonating your real customer. The security policy defines client authentication requirements for your site.

- Most external theft of data from Web sites occurs because the data is not properly encrypted or stored after the Web server has received it. Security policy should be clear about requirements for encryption at every stage of processing, from client browser to Web server, to application server, to database. The policy needs to require session management that prevents others from viewing pages that are part of another user's session.

- Protecting information while it is stored on your site means protecting the servers themselves by defining specifically what a secure server, or bastion host, should look like. A bastion host is a computer system with special modifications that fortify its ability to withstand a targeted attack. The security policy specifies the steps to take to produce a bastion host from an initially installed operating system.

- Quality assurance policies specify enforcement mechanisms that include change control, auditing, reporting, and intrusion detection. Availability of service policies specify uptime requirements, acceptable use guidelines, and disaster recovery procedures.

Are Any Prewritten Security Policies Available on the Net?

- The companies that are most successful at implementing security policies are those that avoid the "do it and forget it" mentality and somehow convince all the employees that security belongs to each of them, that it is an ongoing function of doing business, and that success of the company depends on it. Beyond that, the content of the security policies will vary as greatly as businesses themselves do.

- If you are determined to do the work in-house, start with an outline of items that must be covered somewhere in the policy and begin fleshing it out after obtaining the necessary input from others. The Internet is a good resource for locating templates to begin the process. If you don't have time to write one yourself, you can hire a security company to do the legwork for you. If a security consultant tries to sell you a canned policy without spending considerable time investigating your business culture, management goals, and unique business aspects, run away fast, because you'd be wasting your money.

How Do I Use My Security Policy to Implement Technical Solutions?

- The task of enforcing the policy begins by implementing technical solutions to perform that enforcement at every tier of security within the company. Perimeter security primarily concerns itself with lower protocol layers where policy can be enforced by limiting traffic flows at those layers. Host and applications security represents the upper protocol layers, where session controls and application security can be used for enforcement. Network security mechanisms fill in any gaps between the two and perform logging and auditing enforcement functions.

- If a policy requires a certain network transport, enforcement mechanisms include a firewall at the perimeter, access lists on network routers internally, and session-based controls on the host or application.

How Do I Inform My Clients of My Security Policies?

- Electronic selling is still selling, just the same. E-commerce lends itself wonderfully to everything about selling except the first thing customers expect to see when they walk in the door. Disclosure of security policy is a way to build customer confidence by putting a kinder, gentler face on at least a portion of your site.
- Disclose the components of your site's security policy that will assure customers of the safety of their transactions, but don't do it with great fanfare. A small link that takes customers to a page detailing what they want to know meets the need without overdoing it.

- Customers choose to do business with companies that are successful in projecting an image of being the helping hand that guides them, the one that's in their corner, the one that can meet their need and be trusted. In the end, the successful e-commerce ventures will be the ones that sell this same image to their customers as hard and fast as the physical products or services those customers are buying.

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form.

Q: My customers need to download files about their account activity that are too large to transfer efficiently over HTTP. I'd like to use FTP to save money, because there's an FTP server on our DMZ already. Would this pose a problem from a security standpoint?

A: If the data is confidential, then yes it would. FTP transfers cross the Internet in cleartext. When users access your FTP server, their passwords are also sent across the Internet in the clear and are easily intercepted. Another issue is that FTP servers have been plagued with vulnerabilities over time and so are a frequent target for intruders. A better solution would be to transfer files across an SSH session using SCP or SFTP. At least the data would be encrypted, and the session could use a stronger public/private key authentication mechanism than is provided with regular FTP.

Q: Our system administrators want to install a tape backup system that will use a dedicated network to back up servers in our DMZ. The external servers will be multi-homed, with one interface on this dedicated backup network. We thought we'd save money by using the same server to back up internal hosts, too. Is this a good idea?

A: No. The backup network would introduce a way to circumvent the firewall if one of the external servers were compromised.

Q: What is a reverse proxy, and why would I need one?

A: A reverse proxy makes connections to internal systems on behalf of external clients. It's the opposite of a normal proxy, which makes

[...]

...product that exactly fits your site's needs.

Tools & Traps…

Some of the Most Common Firewalls and Their Sites

Here is a list of some of the most common firewall products and their respective sites. Use such sites as these to compare the features of available firewall products to decide which best fits your needs. Remember to compare based upon your security requirements, throughput speeds your site requires, and, ...

[...]

...Keep this in mind as you design your network segments and the processes that drive your site. In large installations, you may find that these segments vary in placement, number, and/or implementation, but this serves to generally illustrate the ideas behind the process. Your actual implementation ...

[...]

...respect. Your site may have additional components, or redundant sets of these types of devices, but these are the basic commonalities across the board. In this chapter, we use these components to detail the basic understanding of e-commerce site layouts and security measures.

As your site grows ...

[...]

    #[...] server to talk to the Financial Server through an SSH Tunnel
    allow 10.2.0.10/32 any 10.3.0.15/32 22
    #Allow SMTP and Pop3 into the DMZ for Mail
    allow any any 10.1.0.15/32 25
    allow any any 10.1.0.15/32 110
    #Deny all else "Clean Up Rule"
    deny any any any any

Obviously, this is a very basic ...

[...]

...rules and the impact your settings have made upon the overall security of your site. Follow the processes laid out in Chapters 1 and 7 to perform these tests.

Don't sweat it if you missed something or made a mistake. That is why you are testing before moving into production. Take your time, assess, ...

[...]

...have your systems placed, use your conversation diagram to create your firewall rule set. Refer to your manual for specific instructions for your firewall. Generally, start with a basic principle that everything that is not specifically allowed is denied and then add in the conversations that you believe need to be allowed. You will probably miss some that may be required for your site to operate, but your ...

[...]

...the order matters. Most firewalls read from the top down and the first matching rule is how the packet is handled. Read your firewall manual or contact your vendor for specific information about how your firewall processes its rule set.

    #Pseudo-Code Ruleset for E-Commerce Network Firewall
    #Format is ...

[...]

...e-commerce site. This system's job is to serve up the Web pages or content that the consumers using your site request.

- Load balancers: These specialized devices are used to regulate the traffic flow to the Web servers, ensuring that the work load is balanced between the multiple systems that perform the work of your site.

- Database servers: These systems are used to store the information your site depends ...

[...]

...affecting your site and describe exactly how implementing the policy you want would alleviate the expense. Focus on just repairing that one risk first and try to build credibility with your success. If nothing you do will work, document your concerns and don't lose sleep over it. Some people just have to learn things the hard way.

Chapter 5: Implementing ...

[...]

...initiating conversations. This rough diagram will become the template for creating your firewall rules. It will also be used to tune your IDSs and log monitoring tools to better manage and control your level of risk.

Creating Security Zones through Requirement Grouping

After you have created the ...

[...]

...Outsource My Site?
- Summary
- Solutions Fast Track
- Frequently Asked Questions

Chapter 5 261

262 Chapter 5 • Implementing a Secure E-Commerce Web Site

Introduction

By ...
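As an added example (not the book's own code) of how a first-match firewall processes the pseudo-code ruleset shown in the Chapter 5 excerpt: the evaluator below parses the rules, walks them top-down, applies the first match, and reports allow rules that an earlier rule fully covers, which is how a misplaced "clean up" rule shows itself. The book's "#Format is" line is cut off in this excerpt, so the field order (action, source, source port, destination, destination port) is an assumption read off the visible rules; the addresses are the chapter's own sample values.

```python
"""First-match evaluator for the chapter's pseudo-code firewall ruleset.
Added example, not the book's code: the book's "#Format is" line is cut
off in this excerpt, so the field order (action, source, source port,
destination, destination port) is read off the visible rules."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Ruleset as printed in the excerpt (its first rule comment is cut off too).
RULESET = """
#Pseudo-Code Ruleset for E-Commerce Network Firewall
#[...] server to talk to the Financial Server through an SSH Tunnel
allow 10.2.0.10/32 any 10.3.0.15/32 22
#Allow SMTP and Pop3 into the DMZ for Mail
allow any any 10.1.0.15/32 25
allow any any 10.1.0.15/32 110
#Deny all else "Clean Up Rule"
deny any any any any
"""

@dataclass(frozen=True)
class Rule:
    action: str                            # "allow" or "deny"
    src: Optional[ipaddress.IPv4Network]   # None stands for "any"
    sport: Optional[int]
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]
    line: int                              # line number in the ruleset text

def _field(tok, is_port):
    if tok == "any":
        return None
    return int(tok) if is_port else ipaddress.ip_network(tok, strict=False)

def parse_ruleset(text):
    """Parse the five-field format; '#' lines are comments."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 5 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"line {n}: malformed rule {line!r}")
        rules.append(Rule(parts[0], _field(parts[1], False), _field(parts[2], True),
                          _field(parts[3], False), _field(parts[4], True), n))
    return rules

def _matches(r, src, sport, dst, dport):
    return ((r.src is None or src in r.src) and (r.sport in (None, sport))
            and (r.dst is None or dst in r.dst) and (r.dport in (None, dport)))

def evaluate(rules, src, sport, dst, dport):
    """Top-down, first match wins: returns (action, rule line).
    No match at all is treated as deny, the default the book recommends."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if _matches(r, s, sport, d, dport):
            return r.action, r.line
    return "deny", None

def _covers(outer, inner):
    return outer is None or (inner is not None and inner.subnet_of(outer))

def find_shadowed(rules):
    """(dead line, blocking line) pairs: a rule an earlier rule fully covers
    can never fire, which is how a misplaced clean-up rule shows up."""
    dead = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (_covers(earlier.src, later.src) and _covers(earlier.dst, later.dst)
                    and earlier.sport in (None, later.sport)
                    and earlier.dport in (None, later.dport)):
                dead.append((later.line, earlier.line))
                break
    return dead
```

Feed find_shadowed a copy of the ruleset with the deny-all line moved to the top and every allow rule is reported as dead, which is the ordering mistake the chapter warns about; evaluate on the correct ruleset allows only the three listed conversations and denies everything else via the clean-up rule.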

Posted: 14/08/2014, 04:21
