JavaRanch » Java Forums » Engineering » Security
Server Security

Peyton McCullough
Ranch Hand

Joined: Feb 07, 2004
Posts: 31
This isn't exactly a Java-specific question, but I was wondering about the security of servers. Say I have a server -- just a plain server that sends back to the client what it receives (a dummy server, so to speak, for example purposes). What measurements would I take to make it more secure? What are the most common measures implemented? What are the most important measures implemented? I have been wondering about this for a while, but have never really found an(y) answer(s).
Thanks,
Peyton
[ April 20, 2004: Message edited by: Peyton McCullough ]
Pradeep bhatt
Ranch Hand

Joined: Feb 27, 2002
Posts: 8919

Data must be secure (must not be tampered with) and must be confidential (a third party must not be able to read it).


Groovy
Nicholas Cheung
Ranch Hand

Joined: Nov 07, 2003
Posts: 4982
It depends on how important your data is, and whether your data can be public.
For example, if your system is simply a Web site that provides info to any users, you almost need not do anything, as all data is public. What you need to do is to make sure that the info from your website has not been changed by others during transmission. This can be achieved by data integrity. One way is to use SSL to send the data, and the other way is to make sure that your server is not being hacked.
If your system only provides data to registered users, in addition to integrity, you may also need authentication. You need to verify whether a user is logged in.
If your system provides different levels of data to registered users, say VIPs can get the real-time stock quote while others cannot, you need authorization. You need to check whether the user has the rights to view those data.
There are more cases, but the above are the most general cases.
Nick


SCJP 1.2, OCP 9i DBA, SCWCD 1.3, SCJP 1.4 (SAI), SCJD 1.4, SCWCD 1.4 (Beta), ICED (IBM 287, IBM 484, IBM 486), SCMAD 1.0 (Beta), SCBCD 1.3, ICSD (IBM 288), ICDBA (IBM 700, IBM 701), SCDJWS, ICSD (IBM 348), OCP 10g DBA (Beta), SCJP 5.0 (Beta), SCJA 1.0 (Beta), MCP(70-270), SCBCD 5.0 (Beta), SCJP 6.0, SCEA for JEE5 (in progress)
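The three tiers Nick lays out (public data needing only integrity, registered users needing authentication, VIP data needing authorization) can be seen as two distinct checks on every request. The following is an added example, written for this thread in Python rather than taken from any poster's code; the tier names, the resource table and the user records are constructed sample data, and PBKDF2 with a per-user salt is the password-storage choice made here, not one the thread prescribes.

```python
"""Added example: authentication (who is this?) followed by authorization
(may this tier read this resource?), with passwords stored as salted hashes."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Tiers from least to most restricted (constructed for this example).
TIER_RANK = {"public": 0, "registered": 1, "vip": 2}

# Resource -> minimum tier needed to read it (constructed sample table).
RESOURCES = {
    "/news": "public",
    "/portfolio": "registered",
    "/quote/realtime": "vip",
}

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 digest; the server stores only salt + digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(candidate, digest)


# Constructed user table: username -> (salt, digest, tier). Real systems load this from a DB.
USERS = {}
for _name, _pw, _tier in [("alice", "correct horse", "registered"), ("bob", "s3cret", "vip")]:
    _salt, _digest = hash_password(_pw)
    USERS[_name] = (_salt, _digest, _tier)


def authenticate(username: str, password: str) -> Optional[str]:
    """Step 1, authentication: return the user's tier, or None if credentials fail."""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return None
    salt, digest, tier = record
    return tier if verify_password(password, salt, digest) else None


def authorize(tier: Optional[str], path: str) -> bool:
    """Step 2, authorization: an anonymous caller counts as 'public'; unknown paths are denied."""
    required = RESOURCES.get(path)
    if required is None:
        return False
    effective = tier or "public"
    return TIER_RANK[effective] >= TIER_RANK[required]


def handle_request(path: str, username: Optional[str] = None, password: Optional[str] = None) -> str:
    """Return an HTTP-style status for the access decision on one request."""
    tier = None
    if username is not None:
        tier = authenticate(username, password or "")
        if tier is None:
            return "401 Unauthorized"
    return "200 OK" if authorize(tier, path) else "403 Forbidden"


if __name__ == "__main__":
    for args in [("/news",), ("/portfolio",), ("/portfolio", "alice", "correct horse"),
                 ("/quote/realtime", "alice", "correct horse"), ("/quote/realtime", "bob", "s3cret")]:
        print(args, "->", handle_request(*args))
```

Note that the authorization step runs even for anonymous callers, which is what lets the public resource work without an account while the registered-only and VIP-only resources fall through to 403; failing the password check is reported separately as 401 so the two decisions stay distinguishable in logs.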
Peyton McCullough
Ranch Hand

Joined: Feb 07, 2004
Posts: 31
Well, I've got the data part down. That's pretty straightforward. A project I am doing now features semi-public data (which is retrieved via the server from a database, but the user is required to create an account), but at the same time protects encrypted passwords and things. Though the database is protected via a username and password (and host access control), so I shouldn't be too concerned there.
What about things like floods? How could I protect against them?
Nicholas Cheung
Ranch Hand

Joined: Nov 07, 2003
Posts: 4982

What about things like floods? How could I protect against them?

For DOS and DDOS attacks, you may consider adding a firewall to block those abnormal requests. For DOS, you can set some rules such that within a period, say 1 min, if there are more than 20 requests on the same resource, you may regard it as a DOS attack.
However, DDOS is difficult to block because the requests come from different IPs. But at least you need to know your site is under attack; maybe you can notice this from the site loading in a certain period.
Nick
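Nick's rule (more than 20 requests on the same resource within one minute from one source) is a sliding-window counter, and his second point (distributed traffic cannot be blocked by IP, but the load should at least be noticed) is a second counter over the same window that only raises an alert. Below is an added example in Python, written for this thread and not taken from any poster; the 60-second window and the 20-request limit are Nick's figures, while the site-wide alert threshold of 500 and the client addresses are constructed for the example.

```python
"""Added example: per-client sliding-window blocking for a single-source flood,
plus a site-wide per-resource counter that alerts on a distributed flood."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

WINDOW_SECONDS = 60          # Nick's period: 1 minute
PER_CLIENT_LIMIT = 20        # Nick's figure: more than 20 hits on one resource is a DOS
SITE_ALERT_LIMIT = 500       # constructed: total hits on one resource that count as "under attack"


class RequestGuard:
    def __init__(self, per_client_limit: int = PER_CLIENT_LIMIT,
                 site_alert_limit: int = SITE_ALERT_LIMIT,
                 window: float = WINDOW_SECONDS) -> None:
        self.per_client_limit = per_client_limit
        self.site_alert_limit = site_alert_limit
        self.window = window
        # (client_ip, resource) -> timestamps of requests still inside the window
        self.client_hits: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        # resource -> timestamps from every client, for the distributed case
        self.resource_hits: Dict[str, Deque[float]] = defaultdict(deque)
        self.alerts: List[Tuple[float, str, int]] = []

    def _prune(self, timestamps: Deque[float], now: float) -> None:
        """Drop timestamps that have fallen out of the sliding window."""
        while timestamps and now - timestamps[0] >= self.window:
            timestamps.popleft()

    def check(self, client_ip: str, resource: str, now: float) -> str:
        """Return 'allow' or 'block' for one request arriving at time `now` (seconds)."""
        # Site-wide count first: blocked requests are still load worth noticing.
        site = self.resource_hits[resource]
        self._prune(site, now)
        site.append(now)
        if len(site) == self.site_alert_limit + 1:
            # Crossed the threshold once this window: record one alert, not one per request.
            self.alerts.append((now, resource, len(site)))

        client = self.client_hits[(client_ip, resource)]
        self._prune(client, now)
        if len(client) >= self.per_client_limit:
            # This would be the 21st request from one IP on one resource within the window.
            return "block"
        client.append(now)
        return "allow"


def single_source_flood(guard: RequestGuard, ip: str, resource: str, count: int) -> List[str]:
    """Send `count` requests one second apart from one IP; returns the decisions."""
    return [guard.check(ip, resource, float(t)) for t in range(count)]


def distributed_flood(guard: RequestGuard, resource: str, count: int) -> List[str]:
    """Send `count` requests from `count` distinct constructed IPs at the same instant."""
    return [guard.check(f"192.0.2.{i}", resource, 5.0) for i in range(count)]


if __name__ == "__main__":
    g = RequestGuard()
    decisions = single_source_flood(g, "10.0.0.1", "/quote", 25)
    print("single source, allowed:", decisions.count("allow"), "blocked:", decisions.count("block"))
    g2 = RequestGuard(site_alert_limit=50)
    distributed_flood(g2, "/quote", 60)
    print("distributed, alerts raised:", g2.alerts)
```

The two counters answer different questions: the per-client deque is what a firewall rule like Nick's would enforce, while the per-resource deque never blocks anything because, as he says, each IP in a distributed flood stays under the limit; it exists only so that the spike is visible in the alert list rather than discovered from slow page loads.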