Quote:
Originally Posted by barti
But for a dedicated server with apache/nginx even inside a jail it is not such a big deal.
If by this you mean that you will not bother to limit what an attacker can do in the event your server is compromised, then you have misunderstood me.
Quote:
So, a firewall and jail do not really protect you from the internet jungle... You only feel protected.
No; you may get some protection. Limited protection. But not invulnerability.
- With server side applications you cannot eliminate all risk of compromise.
- The various isolation technologies we've discussed so far in this thread may be able to limit what an attacker can access or can do in the event of a compromise.
- Some of these isolation technologies might make it more difficult for an attacker to use the compromise as a vector to other services or other systems.
Along with a carefully constructed architecture and infrastructure, there are many best practices which can be deployed to further mitigate risk.
Software tools, such as:
- Network monitors and intrusion detection systems
- Application analysis and testing tools
Operational governance, such as:
- Backups at a frequent cadence to removable media, enforcing an "air gap" from network-attached systems.
- A tested and functional disaster recovery plan.