Web Server and Web Site Security
Web Server Security

Demilitarised Zones
A DMZ is a network segment that sits between an internal network and an external network (generally the Internet).
The point of a DMZ is that connections from the internal and the external network into the DMZ are permitted, whereas connections initiated from the DMZ are only permitted towards the external network: hosts in the DMZ must not be able to open connections into the internal network. Servers in the DMZ are the ones exposed to the Internet and therefore the ones most likely to be compromised, so the DMZ limits what an attacker who has taken over one of them can reach next.
DMZ and Web Servers
Web servers may need to communicate with an internal database to provide some specialised services.
Since the database server is not publicly accessible and may contain sensitive information, it should not be in the DMZ.
Generally, it is not a good idea to allow the web server to communicate directly with the internal database server: a compromised web server would then hold database credentials and a direct path to the data.
Instead, an application server can act as the intermediary between the web server and the database server. The firewall then permits the DMZ web server to reach only the application server, and only the application server is allowed to reach the database; this is the one, narrowly scoped, exception to the rule that DMZ hosts may not connect inwards.

Firewalls
A firewall is hardware and/or software that sits at a network boundary and blocks communications forbidden by the security policy.
Firewalls filter traffic coming from the Internet into your private network or computer system. If an incoming packet is flagged by the firewall's filters, it is not allowed through.
Firewalls use one or more of three methods to control traffic flowing in and out of a network.

Packet filtering
Permits or denies network traffic based on the source address, destination address, service (port) or protocol of each packet. Each packet is judged on its own headers, without reference to any packet that came before it.

Proxy Service
The firewall itself retrieves information from the Internet on behalf of the requesting system and passes it on, and vice versa. Internal hosts never talk to external ones directly, and because the proxy reassembles the application-layer conversation it can inspect content, not just headers.

Stateful Inspection
Keeps a state table of connections rather than judging each packet in isolation. When a host inside the firewall opens a connection to the outside, the packet's defining characteristics (addresses, ports, protocol and, for TCP, the handshake state) are recorded, and each incoming packet is then compared against that table.
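An added example, not part of the original slides: a toy stateful packet filter in Python that encodes the DMZ and application-server rules from the earlier slides together with the stateful-inspection logic described here. The topology is assumed for the example (RFC 5737 documentation ranges for the DMZ and the Internet, 10.0.0.0/8 for the internal network, an application server at 10.0.1.5 and a database at 10.0.2.20), as are the port numbers.

```python
"""Toy stateful packet filter: first-match rule table plus a connection state table.
All addresses, hosts and ports below are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed topology: documentation ranges stand in for real addresses.
ZONES = [                                     # checked in order; anything else is "internet"
    ("dmz",      ip_network("192.0.2.0/24")),
    ("internal", ip_network("10.0.0.0/8")),
]
APP_SERVER = ip_address("10.0.1.5")           # assumed internal application server
DB_SERVER = ip_address("10.0.2.20")           # assumed internal database server, never reachable from the DMZ


def zone_of(addr):
    a = ip_address(addr)
    for name, net in ZONES:
        if a in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False        # True only for the first packet of a new TCP connection


# First-match rules: (src_zone, dst_host or None, dst_zone, proto, allowed dports or None, action).
# The default is deny, so the DMZ can reach exactly one internal host on exactly one port.
RULES = [
    ("internet", None,       "dmz",      "tcp", {80, 443}, "allow"),   # public web server
    ("internal", None,       "dmz",      "tcp", {22, 443}, "allow"),   # administration
    ("dmz",      APP_SERVER, "internal", "tcp", {8443},    "allow"),   # web tier -> app tier only
    ("dmz",      None,       "internal", "any", None,      "deny"),    # everything else inward, incl. the DB
    ("dmz",      None,       "internet", "tcp", {80, 443}, "allow"),   # e.g. package updates
    ("internal", None,       "internet", "any", None,      "allow"),
]


def match_rule(pkt):
    """Stateless packet filtering: judge the packet's headers against the rule table."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    for rule_src, dst_host, rule_dst, proto, dports, action in RULES:
        if (rule_src, rule_dst) != (src_zone, dst_zone):
            continue
        if dst_host is not None and ip_address(pkt.dst) != dst_host:
            continue
        if proto != "any" and proto != pkt.proto:
            continue
        if dports is not None and pkt.dport not in dports:
            continue
        return action
    return "deny"


class StatefulFilter:
    """Stateful inspection: remember admitted connections so their replies need no rule."""

    def __init__(self):
        self.flows = set()   # (proto, src, sport, dst, dport) of admitted connections

    def process(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows or reverse in self.flows:
            return "allow"                # belongs to a connection we already admitted
        if not pkt.syn:
            return "drop"                 # mid-stream packet with no state: forged or stale
        if match_rule(pkt) == "allow":    # new connection: consult the rule table once
            self.flows.add(key)
            return "allow"
        return "drop"


def demo():
    """Walk a few constructed packets through the filter; returns the decisions in order."""
    fw = StatefulFilter()
    packets = [
        Packet("203.0.113.7", 51000, "192.0.2.10", 443, syn=True),        # client -> DMZ web server
        Packet("192.0.2.10", 443, "203.0.113.7", 51000),                  # the reply, admitted by state
        Packet("192.0.2.10", 40000, str(DB_SERVER), 5432, syn=True),      # web server -> database: blocked
        Packet("192.0.2.10", 40001, str(APP_SERVER), 8443, syn=True),     # web server -> app server: allowed
        Packet("203.0.113.7", 51001, str(APP_SERVER), 8443, syn=True),    # Internet -> app server: blocked
        Packet("198.51.100.9", 4444, "192.0.2.10", 443),                  # no SYN and no state: dropped
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The second packet is the interesting one: there is no rule allowing the DMZ to send to port 51000 on the Internet, yet the reply is admitted because the state table remembers the connection the client opened. The last packet shows the other half of stateful inspection: a packet that claims to be mid-connection but matches no entry is discarded.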
A packet that matches an existing entry in the state table is allowed through; anything else is discarded unless it is the start of a new connection that a rule explicitly permits.

What does a firewall protect you from?
Remote Login
Application Backdoors
Operating System Bugs
Denial of Service
E-mail Bombs
Viruses
Spam
Redirect Bombs
Source Routing

A packet filter sees only addresses, ports and protocols, so the items above that depend on content (viruses, spam, e-mail bombs) are only caught when the firewall also runs an application-layer proxy or mail filter. A firewall also does nothing against attacks carried inside traffic it is configured to allow, such as malicious HTTP requests to the web server itself; those must be handled by the application.

Intrusion Detection System
An Intrusion Detection System (IDS) monitors network traffic (and, for host-based systems, activity on the host itself) and logs or raises alerts on any possibly malicious activity. Unlike a firewall it observes and reports rather than blocks.
An IDS is composed of several components:
Sensors, which generate security events,
A console to monitor events and alerts and to control the sensors,
A central engine that records the events logged by the sensors in a database and uses a system of rules to generate alerts from the security events received.
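An added example, not part of the original slides: the central engine of an IDS in miniature, in Python. It parses events from two assumed sensors (a packet filter and an sshd log), keeps every event, and runs two threshold rules over sliding time windows to turn raw events into alerts. The log lines, sensor names, field names, thresholds and window sizes are all constructed for the example.

```python
"""Minimal IDS central engine: parse sensor events, run threshold rules over sliding
windows, emit alerts. The log lines and the rule thresholds are constructed for the example."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sensor events (a packet-filter sensor and an sshd sensor), oldest first.
SENSOR_LOG = """\
2024-05-01T10:00:00Z fw src=198.51.100.23 dst=192.0.2.10 dport=21 action=drop
2024-05-01T10:00:01Z fw src=198.51.100.23 dst=192.0.2.10 dport=22 action=drop
2024-05-01T10:00:01Z fw src=203.0.113.5 dst=192.0.2.10 dport=443 action=allow
2024-05-01T10:00:02Z fw src=198.51.100.23 dst=192.0.2.10 dport=23 action=drop
2024-05-01T10:00:03Z fw src=198.51.100.23 dst=192.0.2.10 dport=25 action=drop
2024-05-01T10:00:04Z fw src=198.51.100.23 dst=192.0.2.10 dport=3306 action=drop
2024-05-01T10:01:00Z sshd src=203.0.113.5 user=root event=auth_failure
2024-05-01T10:01:05Z sshd src=203.0.113.5 user=root event=auth_failure
2024-05-01T10:01:09Z sshd src=203.0.113.5 user=admin event=auth_failure
2024-05-01T10:01:15Z sshd src=10.0.0.7 user=alice event=auth_success
2024-05-01T10:01:20Z sshd src=203.0.113.5 user=root event=auth_failure
"""


def parse_event(line):
    """'<iso time> <sensor> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, sensor, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "sensor": sensor}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


class ThresholdRule:
    """Fire when `threshold` events (or distinct values of `distinct`) that satisfy
    `predicate` share the same `key` within `window` seconds."""

    def __init__(self, name, predicate, key, threshold, window, distinct=None):
        self.name, self.predicate, self.key = name, predicate, key
        self.threshold, self.window, self.distinct = threshold, window, distinct
        self.recent = defaultdict(deque)          # key value -> deque of (ts, distinct value)

    def feed(self, ev):
        if not self.predicate(ev):
            return None
        q = self.recent[ev[self.key]]
        q.append((ev["ts"], ev.get(self.distinct) if self.distinct else None))
        while q and (ev["ts"] - q[0][0]).total_seconds() > self.window:
            q.popleft()                           # slide the window forward
        count = len({v for _, v in q}) if self.distinct else len(q)
        if count >= self.threshold:
            q.clear()                             # one alert per burst, not one per packet
            return f"{self.name} {self.key}={ev[self.key]}"
        return None


def make_rules():
    """Fresh rule instances (rules carry window state, so build them per run)."""
    return [
        # 5 distinct dropped destination ports from one source within 10 s: port scan.
        ThresholdRule("port_scan", lambda e: e["sensor"] == "fw" and e.get("action") == "drop",
                      key="src", threshold=5, window=10, distinct="dport"),
        # 4 failed logins from one source within 60 s: password guessing.
        ThresholdRule("brute_force", lambda e: e["sensor"] == "sshd" and e.get("event") == "auth_failure",
                      key="src", threshold=4, window=60),
    ]


def run_engine(lines, rules=None):
    """The central engine: every event is recorded, every rule sees every event."""
    rules = rules if rules is not None else make_rules()
    events, alerts = [], []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        events.append(ev)                         # stands in for the event database
        alerts.extend(a for a in (rule.feed(ev) for rule in rules) if a)
    return events, alerts


if __name__ == "__main__":
    _, found = run_engine(SENSOR_LOG.splitlines())
    print("\n".join(found))
```

The benign traffic (the allowed HTTPS connection and alice's successful login) never reaches the counters because each rule's predicate filters it out first; the single sensor event stream feeds both rules, which is what lets one engine correlate what independent sensors saw.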
Web Security Protocols

Secure Sockets Layer
Secure Sockets Layer (SSL), today replaced by its successor Transport Layer Security (TLS), preserves the confidentiality and integrity of communications between a client and the web server, so that sensitive data such as passwords or credit card information is protected in transit.
SSL/TLS uses public-key cryptography during the handshake to authenticate the server by its certificate and to agree a session key; the data itself is then encrypted with a symmetric cipher before being transmitted. Every version of SSL, as well as TLS 1.0 and 1.1, is now deprecated; servers should accept TLS 1.2 or later only.

Secure HTTP
If you have used the Web, you have probably noticed that URLs for most web pages begin with the http prefix, which indicates that the request will be sent to TCP port 80 using the HTTP protocol.
When web page URLs begin with the prefix https, the browser requires that all data be transferred between server and client over an SSL/TLS connection. HTTPS uses TCP port 443 rather than port 80.
Once the SSL/TLS connection has been established and the server's certificate has been verified against the host name in the URL, the browser indicates this by showing a padlock next to the address (older browsers showed it in the status bar at the bottom of the window). The padlock means the connection to that host is encrypted and authenticated; it says nothing about whether the site itself is trustworthy.
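An added example, not part of the original slides: what the padlock actually checks, expressed as a Python client using the standard `ssl` module. `resolve_endpoint` applies the 80/443 defaults described above; `hardened_client_context` is the configuration a client should use (trusted certificate required, host name checked, nothing older than TLS 1.2), and `unauthenticated_context` is the weak setting shown beside it for contrast. `describe_tls` performs a real connection and needs network access; the URL `https://example.com/` in the main guard is an assumption for illustration.

```python
"""HTTPS client settings: the hardened configuration beside the weak one.
The example.com URL in the main guard is an assumption for illustration."""
import socket
import ssl
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def resolve_endpoint(url):
    """Return (scheme, host, port) for a URL, applying the 80/443 defaults."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def hardened_client_context():
    """create_default_context() already demands a certificate chaining to a trusted CA
    and a host name that matches it; on top of that we refuse every deprecated protocol
    version (SSL 2/3, TLS 1.0, TLS 1.1)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def unauthenticated_context():
    """The anti-pattern: encryption without authentication. Traffic is still encrypted,
    but anyone in the middle can present their own certificate and read everything,
    so the 'padlock' such a client would show means nothing."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe_tls(url, ctx=None, timeout=5.0):
    """Connect and report what the padlock attests: protocol version, cipher and the
    certificate subject the server presented. Needs network access."""
    scheme, host, port = resolve_endpoint(url)
    if scheme != "https":
        raise ValueError("plain HTTP: nothing is encrypted or authenticated")
    ctx = ctx or hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname drives both SNI and the host-name check of the certificate
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()   # empty dict when verification was switched off
            subject = dict(item[0] for item in cert.get("subject", ()))
            return {"version": tls.version(), "cipher": tls.cipher()[0],
                    "subject_cn": subject.get("commonName")}


if __name__ == "__main__":
    print(describe_tls("https://example.com/"))
```

With the hardened context a connection to a host whose certificate is self-signed, expired, or issued for a different name fails inside `wrap_socket` with `ssl.SSLCertVerificationError`; that failure is the client-side equivalent of the browser's certificate warning, and the weak context is exactly what suppressing that warning amounts to.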
Web Site Security

Common Gateway Interface

What is a Common Gateway Interface?
The Common Gateway Interface (CGI) is a standard protocol for interfacing external application software with an information server, commonly a web server. The server runs the CGI program as a separate process for each request, hands it the request through environment variables and standard input, and returns whatever the program writes to standard output to the client.
"CGI scripts are essential software programs. CGI scripts link servers and software and servers and other resources such as databases. These scripts are themselves small servers and this can create problems in making information too available. The problem with CGI scripts is that each one creates opportunities for exploitable bugs. Therefore, it is essential that business organisations ensure the security of not only servers but also the CGI scripts that link their servers to other resources used in the business." (Lawrence, E., et al., 2003)
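An added example, not part of the original slides or of the quoted authors' work: the kind of exploitable bug the quotation warns about, in a small Python CGI-style handler that shells out to `ping`. `unsafe_ping_command` shows the classic pattern of pasting a query-string value into a shell command line; `safe_ping_argv` shows the fix (allow-list validation plus an argument list, so no shell ever sees the input). The parameter name `host`, the host-name pattern and the command are assumptions for the example, and the pattern is illustrative rather than a bug in any particular product.

```python
"""A CGI-style handler that shells out: the classic injection bug beside the fix.
The parameter name, the command and the host-name pattern are constructed for the example."""
import re
import subprocess
from urllib.parse import parse_qs

# Allow-list for the one parameter we accept: a DNS host name (labels of letters,
# digits and hyphens, separated by dots). Anything else, including ';', '|', '$(',
# backticks, spaces and newlines, simply fails to match.
HOST_RE = re.compile(r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
                     r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def unsafe_ping_command(host):
    """The bug: the query-string value is pasted into a shell command line.
    With host='example.com; cat /etc/passwd' a shell would run both commands as the
    web server's user. Shown for contrast only; never pass the result to os.system."""
    return f"ping -c 1 {host}"


def safe_ping_argv(host):
    """The fix: validate against an allow-list, then build an argv list so there is
    no shell to interpret metacharacters at all."""
    if not HOST_RE.match(host):
        raise ValueError("host must be a DNS name")
    return ["ping", "-c", "1", host]


def run_ping(host, timeout=10):
    """Execute the validated command without a shell; returns the exit status."""
    return subprocess.run(safe_ping_argv(host), capture_output=True, timeout=timeout).returncode


def handle_request(query_string):
    """What a CGI script would do with QUERY_STRING: returns (status, body) without
    running anything, so the example is safe to call offline."""
    params = parse_qs(query_string, keep_blank_values=True)
    host = params.get("host", [""])[0]
    try:
        argv = safe_ping_argv(host)
    except ValueError as err:
        return "400 Bad Request", str(err)
    return "200 OK", "would run: " + " ".join(argv)


if __name__ == "__main__":
    import os
    status, body = handle_request(os.environ.get("QUERY_STRING", "host=example.com"))
    # CGI response: headers, a blank line, then the body, all on standard output.
    print(f"Status: {status}\nContent-Type: text/plain\n\n{body}")
```

Note that the fix is two independent controls: the allow-list rejects the injection attempt outright, and the argv list means that even a value which slipped past validation could at worst become an odd `ping` argument, never a second command.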
Web Form Validation

Why we need to validate?
When working with web forms, often you will have the data being placed into a database of some form.
You want to ensure that the correct data is going into the fields set in the tables.
You don't want alphanumeric characters going into fields that require numeric characters only.
Anything the browser sends can be altered by the user, so checks done in client-side JavaScript are a convenience for honest users, not a control: the server must validate every field again, preferably against an allow-list of what is acceptable (type, length, range, character set), and should pass the values to the database only through parameterised queries so that a value can never be interpreted as part of the SQL statement.
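An added example, not part of the original slides: server-side validation of a form in front of a database, in Python with the standard `sqlite3` module. It also shows why the database itself cannot be relied on to enforce "numeric only": SQLite stores `'12abc'` in an INTEGER column as text instead of rejecting it. The `orders` table, its three fields, the field patterns and the submitted forms are all constructed for the example.

```python
"""Server-side form validation in front of a database. The schema, the field rules
and the form submissions are constructed for the example."""
import re
import sqlite3

SCHEMA = "CREATE TABLE orders (sku TEXT NOT NULL, qty INTEGER NOT NULL, email TEXT NOT NULL)"

# Allow-list per field: describe what a valid value looks like, not what a bad one looks like.
FIELD_RULES = {
    "sku":   re.compile(r"[A-Z]{3}-[0-9]{4}"),
    "qty":   re.compile(r"[1-9][0-9]{0,3}"),          # 1..9999, digits only, no sign, no spaces
    "email": re.compile(r"[^@\s]{1,64}@[^@\s]{1,255}"),
}


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def validate_form(form):
    """Return (clean, errors). Unknown fields are ignored; missing or malformed ones are errors."""
    clean, errors = {}, {}
    for name, rule in FIELD_RULES.items():
        value = form.get(name, "").strip()
        if rule.fullmatch(value) is None:
            errors[name] = f"invalid {name}"
        else:
            clean[name] = int(value) if name == "qty" else value   # convert only after validating
    return clean, errors


def sqlite_does_not_validate(conn):
    """Why the database is not the place to catch this: SQLite's INTEGER affinity stores
    '12abc' as text rather than rejecting it. Returns the storage class actually used."""
    conn.execute("INSERT INTO orders VALUES (?, ?, ?)", ("BAD-0000", "12abc", "x@example.com"))
    return conn.execute("SELECT typeof(qty) FROM orders WHERE sku = 'BAD-0000'").fetchone()[0]


def insert_order(conn, form):
    """Validate first, then insert through a parameterised query; returns the errors dict."""
    clean, errors = validate_form(form)
    if errors:
        return errors
    # Values travel separately from the SQL text, so a value can never change the statement.
    conn.execute("INSERT INTO orders (sku, qty, email) VALUES (:sku, :qty, :email)", clean)
    conn.commit()
    return {}


def count_orders(conn):
    return conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]


if __name__ == "__main__":
    db = new_db()
    print("storage class of '12abc' in an INTEGER column:", sqlite_does_not_validate(db))
    print(insert_order(db, {"sku": "ABC-1234", "qty": "3", "email": "a@example.com"}))
    print(insert_order(db, {"sku": "ABC-1234", "qty": "3 OR 1=1", "email": "a@example.com"}))
```

The value `3 OR 1=1` is rejected by the `qty` pattern long before it gets near SQL, and even if a pattern were too loose the parameterised insert would store it as a literal rather than execute it; `0042` is rejected too, because a leading zero is not what the allow-list describes, which is the kind of edge case that a blocklist of "bad characters" would miss.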
