Re: IIS / Web Services Security threats
- From: "Magdelin" <magdelinsuja@xxxxxxxxxxxxxxxxx>
- Date: Thu, 7 Apr 2005 08:05:02 -0700
Hi Henk,
Thanks for your response. You will be surprised to know, due to a recent
virus attack on the perimeter network, the common ports have been closed too.
My company is pretty new to .NET or basically to web based applications. Only
Mainframe and desktop applications were developed in the past decade.
I also develop Java applications which runs on weblogic server. You will not
believe the weblogic designated ports are open in firewall. Since, the entire
world knows about port 80 and 443, I thought opening a specific port with IP
Sec configuration may make the network little secure. Although, I know you
can find out which ports are open by writing a small program.
Thanks once again,
Magdelin
"Henk Verhoeven" wrote:
> Magdelin,
>
> Are there any reasons why you do want to open alternate ports, usually this
> will freak out any security "expert".
>
> If you run it on the same ports that is open right now (I assume of course),
> like HTTP, HTTPS, FTP then you can use the same argument they use, that IIS
> is exposed and very bad people going to infiltrate.
>
> Use the existing ports, make sure your web services communication is secure,
> tokens, encryption or ssl and you should be fine.
>
> henk
>
>
> "Magdelin" <magdelinsuja@xxxxxxxxxxxxxxxxx> wrote in message
> news:CBAB91C3-58F6-490C-A080-98998478B626@xxxxxxxxxxxxxxxx
> > Hi,
> >
> > My security team thinks allowing communication between the two IIS
> > instances
> > leads to severe security risks. Basically, we want to put our presentation
> > tier on the perimeter network and the business tier inside the fire wall
> > or
> > internal network. The biz tier will be developed and deployed as web
> > services
> > on IIS.
> >
> > I know microsoft recommends this architecture but I am not able to
> > convince
> > my security team. They say IIS is vulnerable to viruses and worms even
> > though
> > the communication between the web and app servers are secure with a
> > firewall/SSL/IPSec. Even though we will open specific ports for accessing
> > the
> > web services, is it true that IIS is not a secure environment to access it
> > from the perimeter network.
> >
> > If my security team is true, I wonder what would be the alternative to
> > IIS.
> > If they are not, how should we protect our network while allowing web
> > service
> > to run on IIS.
> >
> > I have read all security related recommendations published by Micrososft
> > but
> > no luck with my security team yet. Esp. the entire document from patterns
> > &
> > pratices:
> > Improving Web Application Security - Threats and Countermeasures
> >
> > How are secure .NET enterprise applications developed and hosted in IIS?
> > Are
> > there any companies out there which uses this MS recommended architecture
> > and
> > yet have a secure network?
> >
> > Thanks,
> > Magdelin
>
>
>
.
- Follow-Ups:
- Re: IIS / Web Services Security threats
- From: Rafal Gwizdala
- Re: IIS / Web Services Security threats
- From: Henk Verhoeven
- Re: IIS / Web Services Security threats
- References:
- IIS / Web Services Security threats
- From: Magdelin
- Re: IIS / Web Services Security threats
- From: Henk Verhoeven
- IIS / Web Services Security threats
- Prev by Date: Re: IIS / Web Services Security threats
- Next by Date: Re: Debuggung Web Serives by Multiple Users
- Previous by thread: Re: IIS / Web Services Security threats
- Next by thread: Re: IIS / Web Services Security threats
- Index(es):
Relevant Pages
|
Loading
