Guidelines for "complete" security
Are there guidelines I can follow to ensure complete security of our Web server and applications? Are there specific guidelines for servers, firewalls, etc.?
There are, indeed guidelines you can follow to have good security.
However, you should realize that there is no such thing as complete security. Security is always a tradeoff and a spectrum, where more security means you can do less. At the "complete security" end, you've gotten complete security by unplugging your servers and disconnecting them from the network.
Having said that, I know that what you really mean is that you want as good security as possible. Nonetheless, there are also tradeoffs you need to think about. Do you want to allow outgoing traffic, but not incoming? Are there protocols you want to block completely (there probably are -- like NFS, Windows file sharing, print protocols)? Do you want to block streaming protocols? These are potential wastes of bandwidth, but do you want to stop it with the firewall or with a policy? No one can answer those questions but you.
There are a number of organizations that can help you with guidelines, and also provide other services. They include (in no particular order):
-- There is a lot of good security information here.
-- Also a lot of information here on basics, Linux, Microsoft and Sun. Click on "The Basics" for a good starting point.
Computer Security Institute
-- A good professional organization with a lot of good information.
-- Another good group with good information and classes.
Lance Spitzner's white papers
-- There are a lot of good papers on armoring Solaris, Linux, NT and Checkpoint firewalls here.
The Honeynet Project
-- A group working on various tricks and techniques of breaking systems. There are many good papers there, too.
The Shmoo Group
-- The Shmoo Group is another group of security experts. (Full disclosure: I'm a member of the group.) There are quick news stories, commentary and resources there.
This was first published in March 2001