When you have a web site where money is changing hands, customer trust is of utmost importance. The moment you lose trust you lose your customers. You will need to invest in your security strategy in a multi-layered fashion. Here is a short list (not a comprehensive one) of items you should keep in mind:
· SSL certificate: You will need to have an SSL web site certificate from a well-trusted authority. As expected, the most important thing to look at is their assurances and operations. Asking for a web certificate with the highest key length is not enough; it is about what policies are in place. The questions you need to ask are: when your private key gets compromised, how fast is their CRL updated? What measures are taken to prevent compromise of their intermediate? What standards are they applying to their operations?
· Securing the environment: You definitely want to have a secure network and securely configured hosts and applications. There is plenty of documentation on how to secure your routers and firewalls and how to lock down your servers and IIS configuration. If you would like more information, please provide feedback and I will provide more information on this one. Get yourself ready for using IPv6. If you are planning a web site, or if you already have one running on an older system, consider moving to Windows Server 2008 R2.
· Secure Operations: Securing the environment is only the first half of the story. You need to keep it that way. This means you need to monitor your servers, keep them up to date and upgrade them when necessary. A fully secured web server with no recent updates is a sitting duck ready to be used by criminals.
· Secure your web application: Getting a security review for your web application is sometimes overlooked. No matter how good your developers are, you will need to get a security review from security experts. This is also true when updating your web applications.
· Intrusion prevention and detection: Even if you did everything to secure your environment, you will need to watch for activity on your web site. You need early warning signs if something unusual is happening. This needs delicate tuning, as these devices can create a lot of noise which can easily become overwhelming.
There are different standards that you need to adhere to, and you should check them out as well. For example, if you want to process credit cards you need to look at PCI DSS.
However, there is one more important part that needs your attention, which is DNS. The DNS protocol has been around for a long time. When it was first introduced, security was not a concern. However, as the Internet grew, attacks based on DNS have increased considerably. The worst part is that, as DNS is a distributed service, you need to trust other entities to provide security for the DNS service. When a client asks for a DNS name, the DNS server will ask several DNS servers before returning an answer to the client. If any one of these servers is compromised, the client is redirected to a different web server which may look just like the original web site but is actually designed to get your username and password or credit card numbers. The best way to solve this problem is a standard that has recently become popular, namely DNSSEC (DNS System Security Extensions).
DNSSEC is specified in RFCs 4033-4035. It adds new operations to the DNS server and client and 4 new DNS records (DNSKEY, RRSIG, NSEC and DS). DNSSEC digitally signs all records in a DNS zone. A client will obtain the public key and validate that the responses are authentic. So when a client asks a question to DNS servers, the answer is digitally signed. Each time you hop from DNS server to DNS server, you know that the answer is genuine as long as the signature is valid. DNSSEC is a feature of Windows Server 2008 R2 and Windows 7. If you want to learn more about DNSSEC on Windows you can find more information here. Even clients that do not understand DNSSEC can still use the DNS servers in question, albeit without reaping the benefits of validation.
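The hop from a parent zone to a child zone is anchored by the DS record: the parent publishes a digest of the child's DNSKEY, and a validator accepts the child's key only if the digest matches. The following is an added example, not part of the original post, that computes and checks that link using the key tag algorithm from RFC 4034 Appendix B and the SHA-256 digest type from RFC 4509; the function names are hypothetical and the key bytes are constructed, not a real zone key.

```python
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types (RFC 4034, RFC 4509)

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """DS fields the parent zone publishes for a child DNSKEY."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}

def ds_matches(ds, owner, rdata):
    """True only if the child's DNSKEY is the one the parent vouched for."""
    if ds["digest_type"] not in DIGESTS:
        return False  # unknown digest type: treat as no match
    return make_ds(owner, rdata, ds["digest_type"]) == ds

if __name__ == "__main__":
    # Constructed key material, not a real zone key.
    ksk = dnskey_rdata(257, 3, 8, bytes(range(64)))
    ds = make_ds("example.com.", ksk)
    print(ds)
    print("genuine key accepted:", ds_matches(ds, "example.com", ksk))
    forged = dnskey_rdata(257, 3, 8, bytes(range(1, 65)))
    print("substituted key accepted:", ds_matches(ds, "example.com", forged))
```

A substituted key fails the comparison even when its flags and algorithm are identical, which is why a compromised server between the parent and the client cannot swap in its own signing key unnoticed.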
One of the most important blockers for wide DNSSEC implementation was that top-level DNS zones were not signed. As of the time of this writing, most of the top-level zones have been digitally signed. One of the most important zones is .com, which is expected to be signed early next year. This will be a key milestone in making DNSSEC mainstream.
When you are planning your DNS infrastructure, you should keep in mind the following about DNSSEC:
· Dynamic update is not supported. You should use DNSSEC on your external DNS entries and not on your internal DNS where clients are using dynamic DNS.
· DNSSEC is not a lightweight protocol. You will need extra bandwidth and strong servers to handle DNSSEC traffic.
· Clients will need to understand DNSSEC messages, which will happen with new operating systems. Do not expect that all clients trying to access your web site are secured the moment you implement DNSSEC on your servers.
DNSSEC will help secure the Internet, but it will need effort from all implementing parties. It is necessary to start planning soon so as not to be left behind.
As always, feedback is welcome.
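To see how many of your clients actually understand DNSSEC, look at the queries they send: a DNSSEC-aware client adds an EDNS0 OPT record with the DO ("DNSSEC OK") bit set (RFC 3225, RFC 6891), and only then does the server include the larger signed answers. The following is an added example, not part of the original post, that classifies captured queries by that bit; the function names are hypothetical and the sample queries are constructed in the code.

```python
import struct

OPT = 41          # EDNS0 OPT pseudo-record type (RFC 6891)
DO_BIT = 0x8000   # "DNSSEC OK" flag in the OPT TTL field (RFC 3225)

def build_query(name, dnssec_ok=False, edns=True, udp_size=1232):
    """Build an A-record query; used here only to construct sample input."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.strip(".").split(".") if p) + b"\x00"
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, int(edns))
    msg += qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if edns:
        # OPT RR: root owner, TYPE=41, CLASS=UDP size, TTL carries flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT, udp_size,
                                     DO_BIT if dnssec_ok else 0, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past the domain name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + length

def requests_dnssec(msg):
    """True if the query has an OPT record with the DO bit set."""
    try:
        _id, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
        off = 12
        for _ in range(qd):
            off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
        for _ in range(an + ns + ar):
            off = skip_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            if rtype == OPT:
                return bool(ttl & DO_BIT)
            off += 10 + rdlen
    except (struct.error, IndexError):
        pass  # truncated or malformed packet
    return False

def dnssec_share(queries):
    """Fraction of queries whose sender asked for DNSSEC records."""
    return sum(map(requests_dnssec, queries)) / len(queries) if queries else 0.0
```

Running `dnssec_share` over the raw query payloads from a packet capture or a DNS tap gives a rough measure of how much of your audience benefits from signing today.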
The Internet uses a myriad of network protocols, the most important one being IP, or Internet Protocol. This is the layer in which the network decides how to send a packet to a given destination. Currently we are using IPv4, which has been with us for quite some time now and, as you can tell, is showing its age. There are a couple of pain points in IPv4 that can be solved by IPv6:
· Address Space: IPv4 was designed to have an address space of 4 billion addresses. Back in the 1980s this was a huge number, given that only a couple of addresses were being used. However, the number of public IP addresses in use has grown to the limit. In fact, Network Address Translation (NAT) and Classless Inter-Domain Routing (CIDR) were technologies used to alleviate the address depletion problem. The Number Resource Organization (NRO) has announced that almost 95% of addresses have been used. This means that the last IP address blocks will probably be distributed in one year. If you want to provide an application on the Internet, you will probably need to use an IPv6 endpoint. IPv6 has 128-bit addresses, which gives a much larger address space, and is currently being used in Asia. We may well abandon the use of NAT altogether when IPv6 is in use, which will greatly simplify network topologies and firewall configurations.
· Security: When IPv4 was first designed, no security technologies were needed. However, as the Internet grew, security became an issue and different protocols were created to solve the problems. IPSec was one of the security protocols that have been widely used. The good news is that IPv6 was designed with IPSec from the ground up. So as long as devices or servers support IPv6, a secure connection can be established easily between them.
· Configuration: IPv4 addresses need to be configured either manually or with a DHCP service running on the network. Using DHCP can be a problem if there is more than one DHCP service on the same network. IPv6 has address auto-configuration properties so that nodes can configure their own IP address and default gateway without DHCP.
· Flow Priority: Prioritized real-time delivery of data is a part of IPv4 but has some limitations, like the lack of packet prioritization with encrypted packets. IPv6 fully supports these capabilities and has enhanced handling of flow priority.
Now that we have some understanding of what IPv6 can bring to your organization, let's talk about how to get prepared for it. The Internet backbone is already in the process of upgrading to IPv6 and most of the work is done. The major part of the work needs to be done inside the organization. IPv4 has been used for so long that we expect every node (devices and applications) to work seamlessly. However, not every node will support the use of IPv6. You will first need to identify the parts of your network that are not capable of using IPv6. Then you will need to plan on replacing those nodes, taking into account your device and application lifecycles. Most network devices are already IPv6 ready. What I have been seeing is that applications are still in the process of upgrading to work with IPv6. If you want to learn more about developing applications that work with IPv6 you can attend Microsoft PDC10 October 28-29 online or find the event closest to your home! See the map here.
You do not need to wait until all of your devices are capable of supporting IPv6. There are transition technologies that will help you interoperate IPv4 with IPv6 technologies. When you first start you will probably have a small subnet working on IPv6 and use these technologies to communicate with the rest of your internal network and the Internet. Gradually you will expand your IPv6 networks up to your network edge firewall.
IPv6 is the future and there is clearly no escape from it. The more you postpone your planning, the more you will fall behind in adapting to the new networking capabilities of IPv6. I will urge all of the readers to think about what can be done to embrace IPv6 in their environment and create awareness for the upcoming changes.
I would love to hear feedback on what you are thinking of the blogs you have been reading so far. Please provide ratings and suggestions so that I can provide better and relevant information to you.
There is a lot of thinking going on around how the cloud will change our lives. Some of the things done by IT professionals today will be handled by the cloud in the coming years. So what can IT professionals do now so that they can be relevant to the business in the future? There are specific areas where local expertise will still matter. Here is a list:
· Business knowledge: Organizations moving to the cloud will have more time to focus on business-related issues. A successful IT pro will be more business oriented and less deeply technical in nature. For example, instead of focusing on how and when they will be moving mailboxes between sites, they will need to focus on compliance and policy-related issues regarding messaging. Once these are set, they will be able to map the required settings for the messaging system either on premises or in the cloud.
· Security: When organizations start moving some of their services to the cloud, there will be a period where some of the services will be provided by the cloud provider and some will be provided in house. It will be very important to provide secure communications between the services and clients. So edge security and network security will be a premium in skills requirements inside organizations. For example organizations would want different security measures accessing their own applications in the cloud versus any other parts of the World Wide Web. Compliance will mandate different security measures and network security will be a very important focus of IT departments.
· Identity Management: When organizations shift on the Infrastructure Optimization model (more information on this is here), identity lifecycle management will be more important. They will need to define more policies around how identities are managed and secured. IT professionals will need to map how identities will use different resources according to given policies and plan their authorization. For example, policy will mandate that a new hire needs to have an e-mail account. IT pros will need to plan which security groups the new hire should be a part of and what e-mail alias will be used for him/her. Then the actual provisioning can be done through on-premises identity management solutions such as Forefront Identity Manager or through cloud services.
Organizations will be keeping some of their services in house for various reasons, and those will still be areas where IT professionals are needed. These will vary among the different industries, but IT professionals will still be an important part of organizations for the foreseeable future.