> So far all of our applications have run from our
> intranet. I just made a little app that needs to
> be open on the internet. When I talked to the
> system engineer she said:
>
> "I will want to investigate security options such
> as certificates or https. Once we configure a hole
> in the firewall, we have exponentially raised the
> risk that the data or systems will be compromised,
> so I will want to take any appropriate preventative
> measures."
>
> I'm wondering what others have done in similar
> circumstances. Is there a set "good practices" way
> to do this? And how much time would a good solution
> take?
Generally, you might place publicly-accessible servers on a separate network from your internal servers; this separate network is often referred to as a "DMZ". Servers within that network are typically configured with more of an eye to security than servers on your internal network.

If you want to make it so that third parties can't see the traffic between clients and servers - for example, if that traffic contains sensitive information - you might use HTTPS. If you want to limit who can connect to your server, you might use client certificates.

As you can probably imagine, there are lots of "good practices" that you might adopt, but there isn't really a simple list of things to do - each individual case requires examination. For example, just using HTTPS doesn't necessarily increase security - it simply means that the traffic between client and server is encrypted. It may even decrease security, if it's used unnecessarily; your firewall won't be able to examine HTTPS traffic, so people can send malformed requests via HTTPS to attack your server.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
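The client-certificate option mentioned in the reply, shown as an added example that is not part of the original thread and not code from any project discussed in it. It is a self-contained Go program using only the standard library: it builds a throwaway private CA in memory, issues a server certificate and one client certificate from it, starts an HTTPS server that requires a client certificate chaining to that CA, and then connects three ways: with the CA-issued certificate, with no certificate, and with a self-signed certificate that carries the same name but was never issued by the CA. The names ("Example Private CA", "app.example.internal", "partner-1") and the loopback address are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

var serial int64 // constructed serial numbers; a real CA tracks these durably

// newCert issues an in-memory certificate for cn. With parent == nil it is
// self-signed (our private CA, and later a "rogue" cert the server must not
// trust); otherwise parent.Leaf signs it with parent.PrivateKey. It panics on
// failure, which for in-memory generation can only be a programming error.
func newCert(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // httptest binds to loopback
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, any(key)
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// startMTLSServer serves HTTPS and rejects, during the handshake, any client
// that does not present a certificate chaining to ca (RequireAndVerifyClientCert).
func startMTLSServer(ca, srv tls.Certificate) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	s := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName) // verified identity
	}))
	s.TLS = &tls.Config{Certificates: []tls.Certificate{srv}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	s.StartTLS()
	return s
}

// get fetches url trusting only ca for the server side and presenting
// clientCert when non-nil; a handshake the server rejects returns an error.
func get(url string, ca tls.Certificate, clientCert *tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	cfg := &tls.Config{RootCAs: pool}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo builds the CA, server and client certificates, runs the server and
// returns what a CA-issued client sees plus whether an anonymous client and a
// self-signed client (same name, wrong issuer) were refused.
func Demo() (body string, noCertRejected, rogueRejected bool, err error) {
	ca := newCert("Example Private CA", true, nil)
	srv := newCert("app.example.internal", false, &ca)
	partner := newCert("partner-1", false, &ca)
	rogue := newCert("partner-1", false, nil)
	s := startMTLSServer(ca, srv)
	defer s.Close()
	if body, err = get(s.URL, ca, &partner); err != nil {
		return "", false, false, err
	}
	_, err = get(s.URL, ca, nil)
	noCertRejected = err != nil
	_, err = get(s.URL, ca, &rogue)
	rogueRejected = err != nil
	return body, noCertRejected, rogueRejected, nil
}

func main() {
	fmt.Println(Demo()) // prints: hello partner-1 true true <nil>
}
```

The point to notice is where the rejection happens: the anonymous and rogue clients never get a response because the server refuses them in the TLS handshake, before any request reaches application code, so client certificates act as a connection-level access control rather than an application check. The HTTPS caveat in the reply still holds for this server: a firewall or proxy in front of it sees only ciphertext, so any inspection of request contents has to happen on the server itself or at a proxy that terminates TLS.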

