11th September 2012
jggimi
Quote:
Originally Posted by barti
But for a dedicated server with apache/nginx, even inside a jail, it is not such a big deal.
If by this you mean that you will not bother to limit what an attacker can do in the event your server is compromised, then you have misunderstood me.
Quote:
Originally Posted by barti
So, a firewall and jail do not really protect you from the internet jungle... You only feel protected.
No; you may get some protection. Limited protection. But not invulnerability.
  1. With server side applications you cannot eliminate all risk of compromise.
  2. The various isolation technologies we've discussed so far in this thread may be able to limit what an attacker can access or can do in the event of a compromise.
  3. Some of these isolation technologies might make it more difficult for an attacker to use the compromise as a vector to other services or other systems.
Along with a carefully constructed architecture and infrastructure, there are many best practices which can be deployed to further mitigate risk.

Software tools, such as:
  • Network monitors and intrusion detection systems
  • Application analysis and testing tools
Operational governance, such as:
  • Backups at a frequent cadence to removable media, enforcing an "air gap" from network-attached systems.
  • A tested and functional disaster recovery plan.