Design for e-commerce system security at Server level
Server level components to take into consideration when designing e-commerce system security
The best option for securing database servers is to run them on a completely different system. You can then use a different network protocol, such as IPX/SPX or even NetBEUI, to establish communication between the Web server and the database. This arrangement allows full connectivity with the Web server but no direct connectivity from the Internet.
Application servers and Java servlets can create security issues, mainly because they require extensive customization and because many are built from scratch. As your site implements middleware servers, take the time to learn about the workings of such servers so that you can change any defaults or address possible security problems on an individual basis.
The key to securing the Web server is to segment the operating system, the Web server program, and the server's files on their own hard drive or partition. If a breach occurs, such segmentation will help limit a hacker's activity to specific hard drives, or even parts of hard drives, that are not essential to the rest of the system.
Securing the file transfer protocol (FTP) server is similar to securing the Web server. The FTP server should be separated from the files it downloads by using partitions. Whenever possible, FTP user accounts and access options must be separated from those used to access the Web. The FTP server should not allow access to sensitive files.
FTP Server Security
In an e-commerce setting, focus on securing your server resources as shown in the Mouseover below.
Simple Mail Transfer Protocol (SMTP): The Internet standard protocol to transfer electronic mail messages from one computer to another. It specifies how two mail systems interact, as well as the format of control messages they exchange to transfer mail.
Servers often offer security features, such as reverse domain name system (DNS) lookup, to help ensure that the email sender is actually who he or she claims to be. Advanced SMTP servers can scan email transparently by placing the email messages in a temporary holding area. Advanced virus scanners can search email attachments for malicious code. Such programs and servers scan the files, and then forward the email as appropriate.
Whenever possible, use such authentication and access control measures.
In the next lesson, you will learn about application security.