Settings At The Server
We''ve covered switching protocols and closing ports on firewalls, but there''s still more to do at the server level:
- Make certain that your Merchant Server and any payment system processor are running on separate servers that are insulated from both the Internet and from other domains within your organization. Remove all unnecessary server software that''s not specifically for operational purposes. This may include language compilers, Perl libraries, administrative utilities, and factory-supplied log-ins and passwords.
- Firewalls should disallow FTP, telnet or requests on any open ports.
- Don''t operate software such as, FTP, telnet or e-mail systems on any merchant server or Web server hardware.
- When ever remote operations (telnet, xterm, etc.) are needed, make sure the Secured Socket Handler (SSH) and Secure Copy (SCP) are used.
- Make sure HTTPD and merchant server software is protected against hostile browsers.
Protect Yourself From Yourself
We''ve taken care of keeping intruders out from the Internet, but now what can we do to protect production systems from internal users attempting access using unauthorized means? Another firewall, of course! Add as many internal firewalls and ACLs to prevent such attacks from your intranet.
Now armed with this information, you should be able to see how many of the threats covered earlier are eliminated, or at least severely reduced. Is the design practical? Sure! Is the implementation expensive? You bet! A bigger question though, is can you afford to neglect it? You may only have one opportunity to get it right.
