Securing a server

[YeOldeOke]

I've been involved in the computing world since time immemorial but it was never really my main interest. So I know quite a lot about it but haven't kept up in the last couple of decades. Security was never really part of my field/s of expertise anyway.

I have developed an extremely valuable application which was originally intended only for my own and my daughter's use, but lately this idea has morphed into making it available to a low number - maybe 1000 - subscribers. They will use the application via an UI, it will not be directly accessible to them or be downloaded by them.

I am thinking of hosting this on either my own or a rented dedicated server from a high end service. The problem is I know next to nothing on how to secure it from being stolen. That I cannot have.

Admin access to the server will be limited to me and my daughter, so some of the hacking techniques of acquiring passwords etc by phishing via employees will not be a factor.

Is this a viable proposition at all? How secure can a server be made? I need some advice.

 

[Veroland]

If it is a Windows server the only way to really secure it is by unplugging it from the network

Anyway, why not look at something like Amazon AWS to host the server?

 

[Necropolis]

They will use the application via an UI

Are you talking a web base UI or a physical application that is installed on each client machine?

If it is just web based - put a HW firewall in front of the server - and limit access to the server on the port that the application is being served from.

Then make sure that all the software on the server is up-to-date and ensure that your application has been hardened as necessary.

 

[initroot]

Are you talking a web base UI or a physical application that is installed on each client machine?

If it is just web based - put a HW firewall in front of the server - and limit access to the server on the port that the application is being served from.

Then make sure that all the software on the server is up-to-date and ensure that your application has been hardened as necessary.

You can add some SSL to that as well.
How about your actual web app? Is that secure?

 

[Necropolis]

You can add some SSL to that as well.

Yes indeed - forgot about that

 

[Necuno]

 

[YeOldeOke]

Responses much appreciated.

If it is a Windows server the only way to really secure it is by unplugging it from the network

Anyway, why not look at something like Amazon AWS to host the server?

I have MS experience on servers, networks and workstations since MS's inception. Let's just be kind and say I'm no MS fan.

Thanks for the AWS pointer. Something to consider for sure, but I would want to add my own layers of security as well.

 

[YeOldeOke]

Are you talking a web base UI or a physical application that is installed on each client machine?

If it is just web based - put a HW firewall in front of the server - and limit access to the server on the port that the application is being served from.

Then make sure that all the software on the server is up-to-date and ensure that your application has been hardened as necessary.

My first impulse was a web-based UI with the app in the backend, or maybe the UI downloaded to the user's machine. Combining what little marketing I have to do with the engine on one website. But it may be better to divorce the marketing website from the app altogether, hosting it on another server and granting access via a VPN? The subscription base will be small and stable enough to manage manually with ease.

The app is currently scribbled out in C+. I need to rewrite it in something that may be more secure.

I say scribbled. I mean it's a mess in legacy issues after 15 years of development, not that it was done quickly.

 

[YeOldeOke]

You can add some SSL to that as well.
How about your actual web app? Is that secure?

I still have to mine for info on app security. I imagine that it is impossible to make the app totally secure, which is why I am paranoid about server security.

I have not yet made the decision to go this route. I need info on how viable it is security-wise before I start. There will be a steep learning curve if I go ahead.

 

[initroot]

I still have to mine for info on app security. I imagine that it is impossible to make the app totally secure, which is why I am paranoid about server security.

I have not yet made the decision to go this route. I need info on how viable it is security-wise before I start. There will be a steep learning curve if I go ahead.

Take a look at OWASP.
My 2c you can secure the server as much as you want, if your app has vulnerabilities its basically allowing a backdoor into your server either way.

 

[YeOldeOke]

Take a look at OWASP.
My 2c you can secure the server as much as you want, if your app has vulnerabilities its basically allowing a backdoor into your server either way.

Thanks I will. If the client has no direct interaction with the app, ie the UI communicates with the app (is that possible) is this still true?

 

[RoganDawes]

My suggestion is to limit access to a VPN, since as you say, the population of users is limited and stable. An alternative is to use SSL client certificates distributed to your clients. These can either be managed by you, using a private CA, or you can pay a real CA for them. SSL Client certificates make it easy to get through firewalls, etc. The idea is to limit who can even connect to your server in the first place. That eliminates an entire class of potential attackers (i.e. the rest of the internet).

Then, develop your front end as securely as possible. Use the OWASP ASVS, and Testing Guide to make sure that you have considered all the ways in which people commonly attack your servers.

Build Intrusion Detection into your app! i.e. make use of canary values that, if modified, result in the (temporary?) revocation of the user's SSL certificate. Input validation failures could have similar consequences. In this way, anyone who is futzing around gets disconnected, and has to "please explain" in order to get their access back, if you decide to allow it.

Get it tested, if it is that valuable. Employ a professional company to see if they can find any vulnerabilities in the app/environment, before you expose it. Disclaimer: I work for SensePost, a company that does exactly this sort of testing. There are others, too.

 

[YeOldeOke]

My suggestion is to limit access to a VPN, since as you say, the population of users is limited and stable. An alternative is to use SSL client certificates distributed to your clients. These can either be managed by you, using a private CA, or you can pay a real CA for them. SSL Client certificates make it easy to get through firewalls, etc. The idea is to limit who can even connect to your server in the first place. That eliminates an entire class of potential attackers (i.e. the rest of the internet).

Then, develop your front end as securely as possible. Use the OWASP ASVS, and Testing Guide to make sure that you have considered all the ways in which people commonly attack your servers.

Build Intrusion Detection into your app! i.e. make use of canary values that, if modified, result in the (temporary?) revocation of the user's SSL certificate. Input validation failures could have similar consequences. In this way, anyone who is futzing around gets disconnected, and has to "please explain" in order to get their access back, if you decide to allow it.

Get it tested, if it is that valuable. Employ a professional company to see if they can find any vulnerabilities in the app/environment, before you expose it. Disclaimer: I work for SensePost, a company that does exactly this sort of testing. There are others, too.

Thanks for your input. Yes, on both the app security and server security I will have to get advisers, though I will not let anyone work directly on either.

But it seems it will be possible to build enough security overall to reduce vulnerability to an acceptable level, if a low-profile web presence/marketing is taken into account. (?)

 

[RoganDawes]

Thanks for your input. Yes, on both the app security and server security I will have to get advisers, though I will not let anyone work directly on either.

But it seems it will be possible to build enough security overall to reduce vulnerability to an acceptable level, if a low-profile web presence/marketing is taken into account. (?)

Without being too nosy, depending on the architecture of the final solution, you may be able to get away with a "mocked" version of your secret sauce that can be tested in a QA environment, while you deploy your actual backend in your prod environment, after fixing any vulnerabilities found during testing.

e.g. Web Server accessing a backend using web services. Provide a mock version implementing the same interfaces as your secret sauce in QA.

 

[initroot]

Thanks I will. If the client has no direct interaction with the app, ie the UI communicates with the app (is that possible) is this still true?

Not sure I understand? The client must be entering some data via the UI? Your UI still has to communicate, it is in fact only an UI. The data will still be transferred vice versa towards your server for manipulation.
Hackers would manipulate the data depending on the vulnerabilities in your app and it's interface.