[OWASP-LEADERS] Big welcome to Carric / Server Setup

David Raphael david.raphael at ceterum.net
Sat Nov 9 00:13:39 EST 2002


Allow me to clarify ;)

The aforementioned ports (80 & 443) should be fine for the Public Facing 
interface.

I am still working on my documents (I hope for them to be finished tonight).
I will include some of the Portal Architecture.

I will give a quick preview of what I have in mind:

There will be at least 2 IP interfaces on the Web Server(s).  One will be 
public facing.  The other will be traffic to the Middle Tier (Currently 
Tomcat).  This will be internal traffic.  Additionally this interface 
can face the DB/LDAP.  I assume that the AS will be Homed with the DB/LDAP
for now.  

But please don't read too far into this snippet.  Once I release the doc
let the carnage begin...

Regarding SSH:  Again, I am comfortable with a Terminal Server. This way,
we can log in and turn on SSH as needed (i.e. to transfer files).  And when
we don't need throughput, we will access the Terminal server to access the
Web Tier.

Alternatively,  maybe it is adequate to use ACLs for SSH.  I dunno.  

Cheers,
David Raphael

PS:  I am unfamiliar with IDS, but is there any we can implement?


> -----Original Message-----
> From: owasp-leaders-admin at lists.sourceforge.net
> [mailto:owasp-leaders-admin at lists.sourceforge.net]On Behalf Of Mark
> Curphey
> Sent: Friday, November 08, 2002 10:30 PM
> To: David Raphael
> Cc: ingo at ingostruck.de; owasp-leaders at lists.sourceforge.net
> Subject: RE: [OWASP-LEADERS] Big welcome to Carric / Server Setup
> 
> 
> I will get valid SSL certs for the portal so user auth at an absolute
> min and password changes etc are over SSL.
> 
> I was assuming we would have a three tier portal. Web Server (with
> coyote connector or similar), app server (Tomcat 4.x) and database
> (Hypersonic) / directory (LDAP). Is that right, David? I really don't
> want to collapse the app and web tiers on the same box for obvious
> security reasons.
> 
> If that's accurate I will need to find one more box. That should be
> pretty easy as it will only be static images, jsps and the
> connector...
> 
> Then we also need to figure out the packet filtering reqs. 
> 
> Carric, I guess maybe Sanswire can drop everything bar 80 and 443 to the
> web tier directly from the ingress router? If they can maybe we can
> set up SSH from static IPs such as David's, yours etc.?
> 
> 
> On Fri, 2002-11-08 at 20:08, David Raphael wrote:
> > Hello Everyone,
> > 
> > Welcome Carric! It's great to hear more people are interested in the
> > cause!
> > 
> > To business:
> > 
> > Are we comfortable with Apache 2 being the most secure?  I am not a
> > Linux security specialist, but I don't believe that Apache 2 has had
> > the same exposure as 1.3.xx ...What does everybody think?  
> > 
> > I like the idea of no Port other than 80 being open.  A terminal server
> > might be a good alternative for remote administration!  Maybe we could
> > get a hold of a little cyclades or something.  Please give your comments.
> > Use dial-in only access.  Or if it is on some kind of Private LAN with
> > alternative access.
> > 
> > What does anyone think about this?
> > 
> > -Dave
> > 
> > 
> > > -----Original Message-----
> > > From: owasp-leaders-admin at lists.sourceforge.net
> > > [mailto:owasp-leaders-admin at lists.sourceforge.net]On Behalf Of Ingo
> > > Struck
> > > Sent: Thursday, November 07, 2002 6:29 AM
> > > To: owasp-leaders at lists.sourceforge.net
> > > Cc: mark at curphey.com
> > > Subject: [OWASP-LEADERS] Big welcome to Carric / Server Setup
> > > 
> > > 
> > > Hi Carric,
> > > 
> > > I assume that Mark put you on this list, so welcome to the
> > > OWASP staff. It is really great that you volunteered for some admin work
> > > and that you could provide a hosting location for our production servers.
> > > Thanks a lot!
> > > 
> > > Some weeks ago I already sent a personal wishlist for the
> > > production server setup, so I simply repost it here:
> > > 
> > > === snip ===
> > > 
> > > Here you go with a detailed wishlist for the server configuration:
> > > (I am currently not sure whether the BSD or a Linux box will be
> > >  used for vulnxml - that makes no difference for me)
> > > 
> > > 1. The file system setup *must* provide separate partitions for
> > >     /var and /tmp
> > > 2. The file system setup *should* provide separate partitions for
> > >     /opt , /usr and /home
> > > 3. All apache stuff goes to /opt/apache, i.e.:
> > >    /opt/apache/httpd     httpd (preferably 2.0.43, 1.3.27 will do as well)
> > >    /opt/apache/tomcat    tomcat (4.1.12)
> > >    (I will provide the appropriate conf files for httpd 2.0 and for tomcat)
> > > 4. The vulnxml application goes to /opt/owasp/vulnxml
> > >     (I will provide this directory in a whole as tar.bz2)
> > > 5. absolutely no ftp, telnet, finger or other crap access
> > > 6. only port 80 open for remote access (best would be a packet filter
> > >    firewall), if *really* necessary port 22 for ssh
> > > 7. If it is somehow possible (i.e. you have got the servers near to you)
> > >    NO SSH ACCESS AT ALL
> > > 
> > > Due to our project goals I expect our apps to be attacked more than
> > > an average web app. That's why I want the servers as leakproof as
> > > possible.
> > > 
> > > === snap ===
> > > 
> > > Kind regards
> > > 
> > > Ingo
> > >     
> > > 
> > > 
> > > 
> > > 
> > > _______________________________________________
> > > Owasp-leaders mailing list
> > > Owasp-leaders at lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/owasp-leaders
> > > 
> > > 
> > 
> 
> 
> 
> 
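The ingress filtering this thread converges on (Mark's "drop everything bar 80 and 443 to the web tier directly from the ingress router", SSH only from a few static addresses, Ingo's request for a packet-filter firewall with nothing else open) modelled as a small default-deny policy. This is an added example, not code from the thread, from OWASP or from Sanswire; the interface name eth0, the addresses (RFC 5737 documentation ranges), and the Packet/Rule/decide/render_iptables names are assumptions made here.

```python
"""Default-deny ingress filter for the web tier, as discussed in the thread.

Added illustration only: not code from the thread, from OWASP or from the
hosting provider.  It models the policy the thread converges on (80 and 443
to the public interface from anywhere, SSH only from a short allowlist of
static addresses, everything else dropped) and renders the same policy as
iptables commands.  Interface names, addresses, the Rule/Packet types and
the helper names are assumptions made here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ACCEPT, DROP = "ACCEPT", "DROP"


@dataclass(frozen=True)
class Packet:
    in_iface: str  # interface the packet arrived on (assumed names below)
    src: str       # source IPv4 address
    dport: int     # destination TCP port


@dataclass(frozen=True)
class Rule:
    iface: str
    dports: frozenset  # destination ports this rule covers
    sources: tuple     # IPv4Network objects; an empty tuple means "any source"
    action: str

    def matches(self, pkt: Packet) -> bool:
        if pkt.in_iface != self.iface or pkt.dport not in self.dports:
            return False
        if not self.sources:
            return True
        addr = ip_address(pkt.src)
        return any(addr in net for net in self.sources)


# Constructed sample values (RFC 5737 documentation ranges), not real hosts.
PUBLIC_IFACE = "eth0"
ADMIN_STATIC_IPS = (ip_network("198.51.100.7/32"), ip_network("203.0.113.42/32"))

# First match wins; anything that matches no rule falls through to DROP.
POLICY = (
    Rule(PUBLIC_IFACE, frozenset({80, 443}), (), ACCEPT),           # public web traffic
    Rule(PUBLIC_IFACE, frozenset({22}), ADMIN_STATIC_IPS, ACCEPT),  # SSH from listed static IPs only
)
DEFAULT_ACTION = DROP


def decide(pkt: Packet, policy=POLICY) -> str:
    """Return ACCEPT or DROP for a packet under the first-match policy."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return DEFAULT_ACTION


def render_iptables(policy=POLICY) -> list:
    """Render the same policy as iptables commands (default policy first)."""
    lines = [f"iptables -P INPUT {DEFAULT_ACTION}"]
    for rule in policy:
        srcs = [str(n) for n in rule.sources] or [None]
        for src in srcs:
            src_part = f" -s {src}" if src else ""
            for port in sorted(rule.dports):
                lines.append(
                    f"iptables -A INPUT -i {rule.iface}{src_part} -p tcp --dport {port} -j {rule.action}"
                )
    return lines


if __name__ == "__main__":
    samples = [
        Packet("eth0", "192.0.2.10", 443),    # anonymous user -> HTTPS: accepted
        Packet("eth0", "192.0.2.10", 22),     # anonymous user -> SSH: dropped
        Packet("eth0", "198.51.100.7", 22),   # listed admin address -> SSH: accepted
        Packet("eth0", "192.0.2.10", 21),     # FTP ("no ftp, telnet, finger"): dropped
        Packet("eth1", "192.0.2.10", 80),     # internal interface has no public rules: dropped
    ]
    for p in samples:
        print(f"{p.in_iface} {p.src:>15} -> tcp/{p.dport:<4} {decide(p)}")
    print("\n".join(render_iptables()))
```

Running the module prints the decision for each constructed packet followed by the equivalent iptables lines. Two things worth noticing: the internal interface needs no rules of its own, because the split David describes (public interface versus middle-tier interface) falls out of a default-deny policy rather than from extra deny rules; and whether SSH is reachable is a property of the source allowlist at the filter, independent of whether sshd happens to be running on the box.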