(Nettalk) Webserver security?

[AtoB]

Hi all,

I'm running the latest and greatest Nettalk for an api server (not a webserver, so only json in and out). Site runs secure (port 443 only) and tests as safe in for example ssllabs.com. I've read the nettalk docs on security and apart from Denial of Service attacks I can't see any vulnerabilities. SQL injection is covered (all clarion statements).

Now network folks want to install a fysical firewall (fortigate) and software called MalwareBytes to filter out "bad requests" and limit the requests only to certain ip-addresses (which is max. 25 in this case, but some don't have guaranteed fixed addresses).

Personally I think they are introducing a lot of costs for the client (fortigate) and quite a lot of hassle to keep the ip-addresses up to date (I know that I'm the one getting the first support calls when an ip-number has changed and traffic blocks ...)

But I've no real good arguments against these features. Problem is they don't trust the unknown Nettalk server ...

Does anybody have any insights on this matter or some source of info I can delve into to get me in a more knowledgeable state with regard to webservers and security.

Will a fortigate firewall for example be able to counter DoS attacks (and so be a valuable addition)?

TIA

[seanh]

I know that in the past, Bruce said something about submitting the nettalk server some 3rd party testing mob.
Apparently Nettalk passes with flying colours.  But I can't remember much more than that.

Yes the physical box should help protect against DOS attacks.  Whether it's any better than what NT can do I have no idea.

[Matthew51]

To my knowledge no one has published a security report. It would only be of limited use as it doesn't prove that you didn't introduce vulnerabilities. The best option is to have an internet security firm test your server.

Their are also free services that will have a bot check your server, though these aren't as good. https://www.immuniweb.com/websec/ is one of the better ones.

You can also look over https://listings.pcisecuritystandards.org/documents/SAQ_D_v3_Merchant.pdf. It's a checklist created by the credit card industry for web servers handling highly sensitive information. If you can check all, or even most of those boxes you're in a very good position.

Matthew

[bshields]

Hi AtoB,

I use Fortigates to protect my infrastructure (which includes NetTalk servers).

They will protect against DOS and DDOS (assuming the network people know what they are doing and you pay for that part of the Fortinet).

They will also protect against a huge number of hack attempts (the vast majority a nettalk server is already protected against).

You must already have some sort of firewall, that is forwarding port 443 to your NetTalk (you cannot trust Windows!), if not, you need some type of firewall.

Assuming you have an existing firewall... these Network folks are wrong. They don't understand the stack that is NetTalk (nor would you expect them to). As long as you are only forwarding port 443 traffic to the NetTalk server you are safe.

The bigger Fortigates are also very very expensive.

Regards
Bill

[Bruce]

>> Now network folks want to install a physical firewall (fortigate) and software called MalwareBytes to filter out "bad requests"

Anyone who has watched their (public) web server for more than a few minutes will see that it's constantly being bombarded with requests that are clearly malicious. None of them do anything (because they're targeted at specific vulnerabilities in specific server software) but they happen all the time. If someone wants to filter those out, there's no harm in that.

>> and limit the requests only to certain ip-addresses (which is max. 25 in this case, but some don't have guaranteed fixed addresses).

This is a feature that sounds good on paper, but may end up being useless later on. But there's no real harm in turning it on, and then later deciding to turn it off if necessary.

>> Personally I think they are introducing a lot of costs for the client (fortigate)

That's the client's issue, not yours. The client has contracted with these Network folks, and can either take their advice or ignore it. It's not your money, so you don't need to worry. If the client asks you about it respond honestly. ("The server is secure, but there are no guarantees in life".)

>> and quite a lot of hassle to keep the ip-addresses up to date

presumably the Network folks will maintain this list, and they'll either decide it's too much hassle, or they won't.

>> (I know that I'm the one getting the first support calls when an ip-number has changed and traffic blocks ...)

Sure, and you just politely redirect the call to the network folks. If the client can't connect it's their problem anyway.

In my opinion you should stick to "your lane". The network folks are in charge of the network. Let them do their job. You want them onside. If they want your opinion, or the client wants your opinion, then they will ask you. If they want to know more about the server then there are ways to do that. But fighting network folk just means they aren't inclined to help you, and if something (anything, anywhere) breaks, suddenly it's your job to fix it.

So my advice; don't fight this - just smile.

Cheers
Bruce

[AtoB]

Hi all,

thanks for your input and insights.

Today I dived into the security stuff a little deeper and concluded that I really know next to nothing about this and I probably need to keep it this way :-)

My client asked me for advice because they know even less than I do and they think they will be spending too much (I feel the same). But I'd better stay out of this.

Apart from DOS/DDOS attacks, I think the nettalk server is "pretty" safe on it's own and told the client this, if they want to feel more secure they can add wathever hardware/software they want or investigate further.

Thanks again!