
Techniques for Securing the Network

The network is the entry point to an application. Therefore, the network security mechanisms are the first line of defense against potential threats from the outside. Network security involves protecting the protocols and the communication channels, as well as devices, such as the router, the firewall, and the switch.

Consider implementing the following best practices to enhance your network security:

      

Use a firewall.

A firewall allows only legitimate access to the network.

      

Ensure that the firewall provides packet forwarding and filtering.

These firewall features introduce an additional layer of protection. Forwarding packets prevents the outside world from direct contact with the computers inside the protected network. Filtering can block some types of requests, or requests that come from some domains or IP addresses. These techniques help to reduce the number of illegitimate requests that can be passed to the internal network.

      

Limit the number of accessible ports.

      

Limit the traffic direction on some ports.

      

Limit some network protocols, such as ping.

Web Servers

Consider implementing the following security best practices for all types of Web servers:

      

Remove any unused virtual directories.

      

Grant read, write, and execute permissions explicitly for each Web site and virtual directory.

      

Create a root directory for the Web server.

For Apache, this is known as chrooting.

For IIS, you can assign the root Web site to a specific directory. The user who runs IIS can be given read and write permissions for this directory. All other user permissions can be removed.

      

Ensure that access permissions for the physical files are set up properly.

Only some users require read and write permissions for these files.

      

Remove unwanted default mappings, such as for applications with the .htr, .idc, .stm, .printer, and .htw file extensions.

      

Enable Secure Sockets Layer (SSL) on the Web server.

SSL is used to encrypt a user’s communication with the Web server. For more information, see the section about configuring the Web server in the Installation and Configuration Guide.

For Apache, also implement the following best practices:

      

Enable only the required modules.

      

Ensure that your Apache installation hides version information and other sensitive information.

      

Turn off directory browsing.

      

Configure the Web server to restrict access by IP address.

      

Ensure that error logging and access logging are enabled.

These types of logging are controlled by the ErrorLog and mod_log directives in the configuration file.
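
The following is an added example, not part of the original documentation: a small Python audit that checks an Apache configuration against the practices above (hidden version information, directory browsing, IP restriction, and logging). It assumes Apache 2.4 directive syntax (ServerTokens, ServerSignature, Options, Require ip, ErrorLog, CustomLog); both sample configurations and the function names are constructed for illustration.

```python
import re
# Constructed sample configurations (not from the original page).
WEAK = """
ServerTokens Full
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    Require all granted
</Directory>
ErrorLog "logs/error_log"
"""
HARDENED = """
ServerTokens Prod
ServerSignature Off
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    Require ip 192.0.2.0/24
</Directory>
ErrorLog "logs/error_log"
CustomLog "logs/access_log" combined
"""

def directives(conf):
    """Return (name, args) pairs, skipping comments and <Section> tags."""
    out = []
    for line in map(str.strip, conf.splitlines()):
        if line and not line.startswith(("#", "<")):
            m = re.match(r"(\S+)\s*(.*)", line)
            out.append((m.group(1).lower(), m.group(2)))
    return out

def audit(conf):
    """Return findings for the practices this example covers."""
    d = directives(conf)
    def has(name, pattern):
        return any(n == name and re.search(pattern, a, re.I) for n, a in d)
    checks = [  # (directive, argument pattern, must be present?, finding)
        ("servertokens", r"^prod", True, "version exposed: set ServerTokens Prod"),
        ("serversignature", r"^off$", True, "version exposed: set ServerSignature Off"),
        ("options", r"(^|\s)\+?(Indexes|All)\b", False,
         "directory browsing on: use Options -Indexes"),
        ("require", r"^(ip|host|local)\b", True, "no IP restriction: add Require ip"),
        ("errorlog", r"\S", True, "error logging off: add ErrorLog"),
        ("customlog", r"\S", True, "access logging off: add CustomLog"),
    ]
    return [msg for name, pat, want, msg in checks if has(name, pat) != want]
```

The audit reads a single file and does not follow Include directives or check which modules are loaded, so run it against the fully assembled configuration and review the module list separately.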

For IIS, also implement the following best practices:

      

Disable protocols, such as ftp, if they are not used.

      

Enable logging in the configuration tool.

      

Disable Remote Data Service if it is not required.

      

Remove sample applications, such as \IISSamples, \IISHelp, and \MSADC.

      

Set access permissions for the winreg registry key.

Only administrators require access to this key.