--- Stephen Craton <webmaster@xxxxxxxxxxx> wrote:
> I'm in the process of hooking up my own personal web server for
> use by certain clients to view the progress on work I'm doing
> for them. However, I'm on a shared network that is behind a
> firewall and some computers on the network need to stay as secure
> as possible. I've heard that if you gain access to one computer,
> the whole thing is vulnerable.

That has some truth to it. My advice would be to establish a DMZ (demilitarized zone). One way to do this would require the use of an extra firewall. I assume that your current setup is a single firewall between you and the Internet.

When you relax your firewall rules to allow HTTP traffic, your entire local network becomes a DMZ. Some users on the local network might be running Windows with IIS and not even realize it, and relaxed firewall rules can expose this weakness. If you want to only open up additional ports for your server, you would place an additional firewall between it and the local network, so HTTP traffic can reach you, but the second firewall prevents it from reaching the local network.

> I'm going to be running Apache with PHP on my Windows box that
> has antivirus all set up and whatnot. My question comes in terms
> of port security. Since I'll be having the port open for Apache,
> I want to make sure nothing naughty gets through the port.

Apache should not be your concern. Windows is your security weakness, but your firewall can help protect you. If you only want to be serving HTTP (I'm assuming no SSL), only allow outside connections to be initiated on port 80 and nowhere else. With this setup, you are relying on the security of Apache for the most part (the OS does handle TCP/IP and such).

It is also very important that you do not actually use this computer for other purposes, such as browsing the Web (e.g., if it's your personal workstation). If you do, you are likely to get infected with something, and then the firewall doesn't help you.

> How should I configure Apache and PHP in order to keep it as
> secure as possible but still functional?

This reminds me of another concern, which is your code. Even in the theoretical case that your environment is 100% secure (a fiction that we can only strive to achieve), weaknesses in your applications can still exist.

> I have considered using Linux, but until I can get myself a
> separate computer box to dedicate to the server, I'm stuck with
> using my personal computer as the server as well and all my
> programs/games need Windows.

You cannot provide reasonable security with this approach, in my opinion.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
HTTP Developer's Handbook - Sams
Coming December 2004
http://httphandbook.org/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
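
The DMZ argument in the reply above, as an added example that is not part of the original message: a small Python model that compares what each host can connect to with one firewall versus with a second firewall between the web server and the local network. The host names (`client`, `web`, `pc`), the zone names and the probed ports are constructed assumptions.

```python
# Added illustration: zones are listed outside-in and one firewall sits on each
# boundary. Only connection *initiation* is modelled (replies are assumed to be
# allowed by a stateful firewall). All host names and ports are constructed.
PORTS = (80, 445, 3389)

def allowed(layout, src, dst, port):
    """True if a new connection src -> dst:port passes every firewall on its path."""
    zones, hosts = layout["zones"], layout["hosts"]
    i, j = zones.index(hosts[src]), zones.index(hosts[dst])
    step = 1 if j > i else -1
    for k in range(i, j, step):  # empty when both hosts share a zone: no firewall
        rules = layout["rules"].get((zones[k], zones[k + step]), [])
        if not any(h in (dst, "*") and p in (port, "*") for h, p in rules):
            return False  # default deny
    return True

def exposure(layout, src):
    """Every (host, port) that src can open a connection to."""
    return {(d, p) for d in layout["hosts"] if d != src
            for p in PORTS if allowed(layout, src, d, p)}

OUTBOUND = [("*", "*")]
# One firewall, port 80 forwarded to the web server that lives on the LAN.
SINGLE = {"zones": ["internet", "lan"],
          "hosts": {"client": "internet", "web": "lan", "pc": "lan"},
          "rules": {("internet", "lan"): [("web", 80)],
                    ("lan", "internet"): OUTBOUND}}
# Second firewall between the server and the LAN; it has no dmz -> lan rule.
DMZ = {"zones": ["internet", "dmz", "lan"],
       "hosts": {"client": "internet", "web": "dmz", "pc": "lan"},
       "rules": {("internet", "dmz"): [("web", 80)],
                 ("dmz", "internet"): OUTBOUND,
                 ("lan", "dmz"): OUTBOUND}}

if __name__ == "__main__":
    for name, layout in (("single firewall", SINGLE), ("DMZ", DMZ)):
        print(name, "- from internet:", sorted(exposure(layout, "client")))
        print(name, "- from web server:", sorted(exposure(layout, "web")))
```

From the Internet both layouts expose only `web` on port 80; the difference appears when the starting point is the web server itself, which in the single-firewall layout shares a zone with `pc` and crosses no firewall to reach it.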