I speak from a position of total ignorance on VPNs. I've never used one. :o)

A friend of mine has a web application running on an Internet facing server - web front end, DB backend, username/password login, that sort of stuff. He's hoping (with justifiable optimism in my opinion) to build it into a high value service. Therefore he needs it to be secure, which at the moment it isn't - well, not beyond the basic username/password login screen.

I was considering his options. The obvious one is to build a decent firewall to put in front of it and to harden the server as much as possible. But then it occurred to me that since he's going to have only a handful (a few hundred, maybe) of well paying customers, perhaps there are alternatives. Maybe some sort of VPN is one? I'm sort of thinking of a system where a customer uses some sort of software to create a completely secure link to the application server. The idea being to prevent interceptable data flying about the Internet, and to prevent having an obvious "front door" which an attacker might start hammering on.

Um, does any of this make sense? Are there any alternatives I should be looking at for him? Or is this just a case of using good old secure HTTP and being done with it?
Hi,
> I was considering his options. The obvious one is to build a decent firewall to put in front of it and to harden the server as much as possible. But then

> Um, does any of this make sense? Are there any alternatives I should be looking at for him? Or is this just a case of using good old secure HTTP and being done with it?
If you use a VPN, you would create a LAN with private IPs behind a VPN gateway. The server is in this LAN - this setup makes sense only if you're not able to secure the machine. Disadvantages are the need for client software and all the trouble with supporting the clients; anyway, you have to secure the gateway. Performance/costs are worse compared to an https setup. I would suggest using a hardened server with only https running, and for more security the usage of an own CA, in combination with a configuration that checks client certificates. In such a setup you will need username, password and certificate to access the web service.

Ciao, Dieter
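As an added illustration of the setup Dieter describes (hardened host, only https exposed, own CA, client certificates checked before the login screen is even reached), here is an example reverse-proxy configuration. It is not from the thread; it assumes nginx as the HTTPS front end, the hypothetical hostname app.example.com, certificate paths under /etc/ssl/app/, and the web application listening only on localhost port 8080.

```nginx
server {
    listen 443 ssl;
    server_name app.example.com;            # hypothetical hostname

    # Server certificate presented to customers
    ssl_certificate     /etc/ssl/app/server.crt;
    ssl_certificate_key /etc/ssl/app/server.key;

    # Trust only the private CA that issued the customers' certificates;
    # a browser without a certificate from this CA fails the TLS handshake
    # and never sees the username/password page.
    ssl_client_certificate /etc/ssl/app/customer-ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 1;

    # Uncomment once the CA publishes a revocation list, so a lost or
    # cancelled customer certificate stops working.
    # ssl_crl /etc/ssl/app/customer-ca.crl;

    location / {
        # Application is bound to localhost only; nginx is the sole entry point.
        proxy_pass http://127.0.0.1:8080;

        # Hand the verified certificate identity to the application so the
        # username/password login can be tied to the certificate holder.
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Verify $ssl_client_verify;
    }
}

# Plain HTTP does nothing but redirect; no application content is served here.
server {
    listen 80;
    server_name app.example.com;
    return 301 https://$host$request_uri;
}
```

With this in place the application should also check that X-Client-Verify is SUCCESS on every request and match the DN against the account being logged into, so that the certificate, username and password are all required as Dieter proposes.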
participants (2)

- Derek Fountain
- Dieter Kirchner