Q

Guidelines for "complete" security

Are there guidelines I can follow to ensure complete security of our Web server and applications? Are there specific guidelines for servers, firewalls, etc.?


There are, indeed, guidelines you can follow to have good security.

However, you should realize that there is no such thing as complete security. Security is always a tradeoff and a spectrum, where more security means you can do less. At the "complete security" end, you've gotten complete security by unplugging your servers and disconnecting them from the network.

Having said that, I know that what you really mean is that you want as good security as possible. Nonetheless, there are also tradeoffs you need to think about. Do you want to allow outgoing traffic, but not incoming? Are there protocols you want to block completely (there probably are -- like NFS, Windows file sharing, print protocols)? Do you want to block streaming protocols? These are potential wastes of bandwidth, but do you want to stop it with the firewall or with a policy? No one can answer those questions but you.

There are a number of organizations that can help you with guidelines, and also provide other services. They include (in no particular order):
CERT/CC -- There is a lot of good security information here.
SecurityFocus -- Also a lot of information here on basics, Linux, Microsoft and Sun. Click on "The Basics" for a good starting point.
Computer Security Institute -- A good professional organization with a lot of good information.
SANS Institute -- Another good group with good information and classes.
Lance Spitzner's white papers -- There are a lot of good papers on armoring Solaris, Linux, NT and Checkpoint firewalls here.
The Honeynet Project -- A group working on various tricks and techniques of breaking systems. There are many good papers there, too.
The Shmoo Group -- The Shmoo Group is another group of security experts. (Full disclosure: I'm a member of the group.) There are quick news stories, commentary and resources there.


This was last published in March 2001
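The tradeoffs the answer raises (allow outgoing but not incoming, block NFS, Windows file sharing and print protocols outright, decide whether streaming is a firewall matter or a policy matter) can be made concrete as a first-match ruleset with a default deny. The following is an added illustration, not code from the expert or from TechTarget: the port numbers are the standard assignments for those services, while using RTSP on tcp/554 as the stand-in for "streaming protocols", and publishing only tcp/80 and tcp/443 inbound, are constructed choices for this example.

```python
# Added example (not from the original answer): a small first-match policy
# evaluator that encodes the firewall tradeoffs discussed above. Well-known
# ports are the standard assignments; RTSP on tcp/554 is a constructed
# stand-in for "streaming protocols".
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    direction: str  # "in" (toward the server) or "out" (from the server)
    proto: str      # "tcp" or "udp"
    port: int       # destination port


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    note: str                        # why the rule exists
    direction: Optional[str] = None  # None matches both directions
    proto: Optional[str] = None      # None matches both protocols
    port: Optional[int] = None       # None matches any port

    def matches(self, flow: Flow) -> bool:
        return ((self.direction is None or self.direction == flow.direction)
                and (self.proto is None or self.proto == flow.proto)
                and (self.port is None or self.port == flow.port))


# Services the answer suggests blocking completely, with their well-known ports.
BLOCKED_SERVICES = {
    "NFS": [("tcp", 2049), ("udp", 2049), ("tcp", 111), ("udp", 111)],
    "Windows file sharing": [("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138)],
    "Printing": [("tcp", 515), ("tcp", 631), ("tcp", 9100)],  # LPD, IPP, JetDirect
}

# Constructed stand-in for "streaming protocols": the RTSP control channel.
STREAMING = [("tcp", 554)]


def build_policy(block_streaming: bool = False,
                 inbound_services=(("tcp", 80), ("tcp", 443))) -> List[Rule]:
    """Default-deny inbound, allow outbound, with explicit blocks first.

    Order matters: the evaluator uses first match, so the protocol blocks
    sit before the broad 'allow outbound' rule and apply in both directions.
    Whether to block streaming is left as a switch, since the answer notes
    that is a policy decision only the site owner can make."""
    rules: List[Rule] = []
    for name, endpoints in BLOCKED_SERVICES.items():
        for proto, port in endpoints:
            rules.append(Rule("deny", f"{name} is blocked by policy", None, proto, port))
    if block_streaming:
        for proto, port in STREAMING:
            rules.append(Rule("deny", "streaming blocked to save bandwidth", None, proto, port))
    for proto, port in inbound_services:
        rules.append(Rule("allow", "published web service", "in", proto, port))
    rules.append(Rule("allow", "outbound traffic permitted", "out"))
    return rules


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (action, reason) from the first matching rule, else default deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.note
    return "deny", "no rule matched: default deny"


if __name__ == "__main__":
    policy = build_policy(block_streaming=True)
    # Constructed sample flows: a web hit, an inbound SSH attempt, an outbound
    # NFS mount, an outbound RTSP session and an outbound DNS lookup.
    for flow in [Flow("in", "tcp", 443), Flow("in", "tcp", 22),
                 Flow("out", "tcp", 2049), Flow("out", "tcp", 554),
                 Flow("out", "udp", 53)]:
        print(flow, "->", evaluate(policy, flow))
```

The point of the ordering is that "allow outgoing" is a broad rule: placing the NFS, file-sharing and print blocks ahead of it means a compromised or misconfigured server cannot reach those services on the outside either, which is the behaviour the answer's "block completely" implies.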
