WebApp Sec mailing list archives

RE: how to secure a commercial web site


From: "Jason Gregson" <Jason.Gregson () easyi com>
Date: Wed, 12 May 2004 12:57:34 +0100

Firstly, let me apologise in advance if I have made this post to the wrong place. If so, tell me what I did wrong and it won't happen again ;o)

Bilur,
Applying an SSL server does not make your site secure. All it does is allow the data from the client to the server to be encrypted, i.e. it establishes a secure encrypted tunnel from you (IIS) to the client's browser. It does not, however, protect your server or infrastructure in any way. As already stated by Jeffrey, you will still need to do things like:

(Microsoft Web Server- IIS)
IIS lockdown
URL scan
Remove unnecessary services
Lock down the registry to deny anonymous access
Install a good stateful firewall
Pen test the site. There are many tools for this. Nessus is a good free (Linux) example. 

If the clients are internal you can happily use a cert you generate yourself. If the clients looking at your website are anon people, it's best to get a Verisign or Thawte http://www.thawte.com/cert. It's all about perception. The cert is the same whether you buy one or make one (provided you make the cert with the same amount of encryption).

I hope this helps

Regards

Jason

-----Original Message-----
From: info () biledge com [mailto:info () biledge com]
Sent: 12 May 2004 12:02
To: Levenglick, Jeff; webappsec () securityfocus com
Subject: RE: how to secure a commercial web site


Jeffrey, if I get what I pay for, I would do it... but this is the problem: they are not secure enough, I can see this with my half knowledge... it means even if I pay for a certificate, the reality will remain the same: the security depends on the user's computer's security. And even if every user has their own private key, it won't be a solution. Am I making a 'terrible' mistake in my thinking??
..
Alternative (and weak) thought: if I prepare my web page as https and if I put it into a secure server, and if I create my own certificate, will I have a 'secure' system?
 
thank you for your patience,
regards,
bilur

On 11 May 2004 at 9:51, Levenglick, Jeff wrote:

James,

I think he was only asking/looking at SSL. We would have a very long email if we were to talk about security. (Firewall, app level security, tokens, secure OS .... etc.)

It is very common and cheap for people to want to just set up a quick web server for business. (SSL) Secure? Not really, but what really is? Expensive? Yes.. you get what you pay for.

Jeffrey 

-----Original Message-----
From: Brown, James F. [mailto:James.F.Brown () fmr com]
Sent: Tuesday, May 11, 2004 09:26 AM
To: Levenglick, Jeff; info () biledge com; webappsec () securityfocus com
Subject: RE: how to secure a commercial web site


There is a LOT more to security than having a certificate on your
server. It's necessary, but not sufficient.

================================
James F. Brown, CISM
Sr. Director, Information Security
Fidelity Investments
james.f.brown AT fmr.com
http://www.fidelity.com


-----Original Message-----
From: Levenglick, Jeff [mailto:JLevenglick () fhlbatl com] 
Sent: Tuesday, May 11, 2004 8:58 AM
To: info () biledge com; webappsec () securityfocus com
Subject: RE: how to secure a commercial web site


Bilur,

You can buy your own cert server. (RSA Keon for example)
At that point, you can create your own certs. (expire them when you want, etc.)

Also..

You then have two options.

1) Pay a fee and have your cert server 'trusted' via Verisign or other CAs
or
2) Leave it 'private' and just provide your CA cert to the users so they will trust you. (If you don't, it will still work. They will just see a message about trusting your site.)


Jeffrey 
-----Original Message-----
From: info () biledge com [mailto:info () biledge com]
Sent: Tuesday, May 11, 2004 05:12 AM
To: webappsec () securityfocus com
Subject: how to secure a commercial web site


hi,
I am trying to secure -SSL certificated- a commercial web site without using Verisign, GlobalSign, etc. It seems there is a monopoly and I want to be out of it. Does anyone know a better way to secure the web site or do I have to pay money, (even) for security?
regards, bilur


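As an added example, not code from anyone in the thread: Jeff's "option 2" (a private CA whose cert you hand to your users) done with the openssl command line, plus the two verification checks that show why Jason says the cert is the same whether you buy or make it, and why a client without the CA cert installed gets the trust warning. The CA name, hostname and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a private CA that issues a server cert,
# the "option 2" route. CA name, hostname and file names are assumptions.
set -e
WORK="${WORK:-$(mktemp -d)}"

make_private_ca() {
  # Self-signed CA certificate: this is the one file you hand to your users.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

issue_server_cert() {
  # Server key and CSR, then a CA-signed cert with a SAN for the hostname.
  host="$1"
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/san.ext"
  openssl x509 -req -sha256 -days 90 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/san.ext" -out "$WORK/server.pem" 2>/dev/null
}

# Succeeds: a client that has installed ca.pem can build the chain.
verify_with_ca() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# Fails: with no trust anchor for this CA the chain cannot be built,
# which is the "message about trusting your site" that users would see.
verify_without_ca() {
  openssl verify -no-CApath -no-CAfile "$WORK/server.pem" >/dev/null 2>&1
}

make_private_ca
issue_server_cert "www.example.test"
verify_with_ca && echo "trusted once the CA cert is installed"
verify_without_ca || echo "untrusted without the CA cert"
```

The key material is written under a temporary directory; in a real deployment the CA key stays offline and only ca.pem is distributed.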

