Occasionally you will hear this statement:
“There is nothing to worry about, the website is behind a firewall”
The firewall is important, but over-reliance on a firewall is a poor idea. If there is no website, and therefore no ports open on the firewall, and the firewall or other device is correctly configured, then it is probably very secure against attacks via the internet. Unfortunately there is then not a lot for a user to see.
As soon as you deploy a website, with a myriad of different pages, different roles and an authentication mechanism, you have a problem. There is effectively a hole punched in the firewall that leads to a lot of different functionality.
Maybe we will also let users upload files into our website. Now we are allowing users to upload files past the firewall and storing them on the system. Perhaps they will upload a pdf with a script in it or who knows what else.
That is the first problem when relying on the firewall to take care of business – it has to have a huge hole in it for your website to work.
Even assuming the firewall could prevent all malicious attacks over the internet, what we are describing is called perimeter security. This approach relies on building a big wall and completely trusting everything and everybody behind the wall.
Using this approach we are trusting every contractor and employee who has access to the system. For instance, if we display on a screen a list of names, full credit card numbers and expiry dates – surely no call centre worker would take a photo of it. If we let a developer go for having a very poor attitude, surely they would not delete data or copy a database.
Secondly, what other data is uploaded into the system from third-party systems? Are these systems vulnerable to attack?
The above can be mitigated:
- Make sure your website is secure – secure is a relative term; what is considered secure for online banking is not the same as for a free online fantasy football league. This is a large area that will be covered in other posts.
- Only store data you need to store – in the example above, do you need to store the credit card number at all, or could you store just the last four digits? What is the data for?
- Restrict access to the data source – restrict access to the machines that hold the data, ideally to support staff only.
- Restrict the ability to view data through your application – have different roles able to perform different functions. Also, only display the data you need to. Does a call centre worker providing telephone support need to see the entire credit card number?
- Log and audit all access to data via applications
- Log and audit staff accessing the servers
- For larger systems with more sensitive data, consider splitting the data across different applications with minimal interfaces between them
- Whitelist all input from users and third-party systems
The above is often summarised as “trust no input”. The point to remember is that the input does not only come from the other side of the firewall.
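To make several of these points concrete, here is an added example (not code from the original post) of a small data-access layer that applies them inside the application rather than at the firewall: it stores only the last four digits of a card, shows each role only the fields it needs, audits every access attempt including rejected ones, and whitelists identifiers before they reach the data store. The role names, field names and sample customer record are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Whitelists: an identifier or card number must match the expected shape
# exactly, or it is rejected before it touches the store.
CUSTOMER_ID_RE = re.compile(r"[0-9]{8}")
CARD_RE = re.compile(r"[0-9]{13,19}")

# Hypothetical roles: each sees only the fields its job actually needs.
# No role can see a full card number, because it is never stored.
ROLE_FIELDS = {
    "call_centre": ("name", "card_last4", "card_expiry"),
    "billing": ("name", "email", "card_last4", "card_expiry"),
    "marketing": ("name", "email"),
}


@dataclass
class AuditLog:
    """In-memory audit trail; a real system would ship this off-box."""
    entries: list = field(default_factory=list)

    def record(self, actor, role, action, customer_id, allowed):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "role": role,
            "action": action,
            "customer_id": customer_id,
            "allowed": allowed,
        })


def validate_customer_id(raw):
    """Whitelist check: exactly eight digits, nothing else."""
    if not isinstance(raw, str) or CUSTOMER_ID_RE.fullmatch(raw) is None:
        raise ValueError("customer id rejected by whitelist")
    return raw


def card_on_file(pan):
    """Keep only what the business needs: the last four digits."""
    if not isinstance(pan, str) or CARD_RE.fullmatch(pan) is None:
        raise ValueError("card number rejected by whitelist")
    return pan[-4:]


def add_customer(store, customer_id, name, email, pan, expiry):
    cid = validate_customer_id(customer_id)
    store[cid] = {
        "name": name,
        "email": email,
        "card_last4": card_on_file(pan),  # full PAN is discarded here
        "card_expiry": expiry,
    }


def view_customer(store, audit, actor, role, customer_id):
    """Return the subset of a record the caller's role may see.

    Every attempt is audited, whether it succeeds, is denied by role,
    or is rejected because the identifier failed the whitelist.
    """
    try:
        cid = validate_customer_id(customer_id)
    except ValueError:
        audit.record(actor, role, "view", repr(customer_id)[:40], False)
        raise
    fields = ROLE_FIELDS.get(role)
    if fields is None:
        audit.record(actor, role, "view", cid, False)
        raise PermissionError(f"role {role!r} may not view customer records")
    audit.record(actor, role, "view", cid, True)
    record = store.get(cid)
    if record is None:
        return None
    return {key: record[key] for key in fields}


def build_sample_store():
    """Constructed sample data; the card number is a well-known test PAN."""
    store = {}
    add_customer(store, "00012345", "A. Example", "a@example.invalid",
                 "4111111111111111", "12/27")
    return store


if __name__ == "__main__":
    store = build_sample_store()
    audit = AuditLog()
    print(view_customer(store, audit, "alice", "call_centre", "00012345"))
    print(view_customer(store, audit, "bob", "marketing", "00012345"))
    for entry in audit.entries:
        print(entry)
```

The design choice worth noting is that the masking is not done at display time: because `card_on_file` throws the full number away before it is stored, there is no role, screenshot or database copy that can leak it, which is the "only store data you need" point applied literally.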