Slashdot Mirror


Securing a Private Intranet?

crustythecrab asks: "My company wants to take a web-based data management system I wrote which runs on a closed network not connected to the internet and put it out on the net so everyone can access it remotely. The number one issue of course is security, and I've been asked to write a paper on how to make the system 'secure' in order to convince management that it will be safe to proceed. But the question runs through my mind: How secure is 'secure'? I'm running all UNIX, no Windows or anything on the server side, and I'll certainly recommend a VPN, but since nothing is 100% secure, I was wondering what the current state of the art in 'Intranet' security is. Are there any novel new concepts out there? Or do you just put up a VPN and hope for the best?"

2 of 41 comments

  1. It might be too late... by twoflower · · Score: 4, Insightful

    Unfortunately, security isn't something you can bolt on to an application after it's developed; it has to be part of the design process. For a great example of some of the things that you should already have done, read the file SECURITY included in the qmail distribution.

    --
    Twoflower
  2. Risk-based approaches by crmartin · · Score: 4, Insightful

    Here's what you do:

    (1) Figure out how valuable the data really is: what would it cost you if it were disclosed?

    (2) Figure out who you really want to have access to the data, and under what rules. (This is called a "security policy").

    (3) Figure out a way to enforce (2) without exceeding (1).