A Web server opens up your business to the outside world, so how do you keep out those parts of the world you don't like?

Web servers "tend to be easy targets because of where they are located on the network," says Wayne Weisse, sales manager for advanced technology solutions at Network Associates, yet they are important to companies, not least for branding reasons. Denial of service attacks result in unavailability; common hacking tools can be used to deface the site; and Web servers can be used as launch pads for attacks on internal systems via privilege escalation.

"There's still a lot of complacency," says Chris Thomas, senior consultant at Computer Associates' data protection group. People don't think they'll be a target, he says, but the bad guys are looking at random for vulnerabilities: "On the Internet, you're just an IP address." And that's the good news. In this article, we'll take a look at how to make sure your Web server stays secure.

Architecture
"A lot of this comes down to how you design a Web application and the security management within your organisation," says Neil Campbell, head of Dimension Data Australia's security practice.

Worms generally succeed because of poor patch management; hackers generally succeed because of poor application and architecture design, he says. "It's probably not something you did today, it's something you did 9-12 months ago."

The typical three-tier architecture is a good start, he says, and a reverse proxy helps by obfuscating any flaws in the Web server. Campbell also recommends an "inventive" approach to the protection of sensitive data. For example, if it really is necessary to store customers' credit card details (and such information should never be stored on the Web server itself), consider storing parts of each number in different databases, with each database using different encryption. "You don't want a single compromise to lead to a complete breakdown in security," he says.

Segregation of functions is an important starting point, according to Bill Mania, systems director at Hostway, one of the world's five largest hosting companies.

Web servers should just be Web servers, he says, because running other applications on them opens up the possibility of "inappropriate exchange" where a vulnerability in one program can put another at risk.

Andrew Gordon, managed services architect at Trend Micro extends this idea to warn that any scripts shouldn't run on the server itself. Any scripting should be diverted to the back-end database, which in turn should never run on the same machine as the Web server.

The more routes or connection types there are on a server, the greater the risk of compromise. "Have one front door and one back door," Gordon says.

A Web server may use a variety of services running on other systems, so a full inventory should be prepared. Access to these services can then be controlled appropriately, says Lee Hickin, senior technical consultant, RSA Security.

Looking at the problem from a hosting provider's perspective, Patrick Cusack, CTO of Hothouse Interactive, says "Don't overlook securing the back of your servers from the client's internal network." It isn't unusual for Web servers to connect to other systems for data feeds or transaction processing. "Don't assume they have put a firewall at their end," he says, as worms and other nasties can enter through that route. "It's happened to us," he warns.

“Operating systems are all crook. We hear the most about Microsoft’s shortcomings, but it’s not fair—they are just the biggest target.” --Patrick Cusack, CTO, Hothouse Interactive

Which platform?
The relative merits of operating systems and Web servers was the most controversial issue we canvassed.

"They're all crook," says Cusack. Microsoft's popularity means we hear the most about its shortcomings, but "it's not fair--they are just the biggest target," he explains, "There are thousands of Linux patches" and it takes more hands-on effort to keep a Linux system secure, says Cusack. Optus--one of his clients--has rigorous guidelines for productions systems, "and it's a lot of work locking down a Linux system." Six hundred patches are needed to get Linux up to the Optus standard operating environment, so building a server from scratch would take four days, he says. Solaris is similar, but it is effectively more secure because most people working on that operating system are fully competent, which cannot be said for other platforms, he asserts. So his advice is "stick with the devil you know," whatever platform that happens to be.

Ian Gillott, innovation team manager at Santos, concedes that many Microsoft servers aren't set up by experts, but enterprise operations pay for expertise and their servers are well set up. Santos' technicians are of the same high skill level for Microsoft or Solaris, he says.

Unix and Linux are the most secure platforms, according to Gordon. They have fewer well-known vulnerabilities and can handle higher loads, while Windows is subject to frequent patches and exploits that attack those flaws. Not surprisingly, Gordon recommends the use of antivirus software on Windows servers, but says perimeter defences are more important.

IIS isn't intrinsically more vulnerable than other Web servers, says Robert Pregnell, Symantec's senior regional product manager, but it is supplied with an operating system and may be installed without the user's knowledge. This known configuration combined with known vulnerabilities makes it an easy target.

All operating systems and Web servers have weaknesses, says Mark Gardner, general manager, strategies and solutions at SecureNet, but "they're all credible platforms" and "your best bet is diversity". Good management is more important than the platform you choose.

Successful, secure implementations of IIS or Apache are possible, says Campbell, but that requires planning and security management. "It's about the people that are planning it," he says. Gordon notes that finding good staff is easier these days, as one result of the dot bomb was a shakeout of low-quality staff who returned to their previous occupations.

"There will always be holes in operating systems," says Ali Alfarafi, director of software, Hewlett Packard. Ben English, security and product marketing manager at Microsoft, expresses a similar sentiment in a slightly different way: "[Security] is a huge industry problem, it isn't [just] a Microsoft problem."

But "there's no quick fix because of the inertia...in the user community," says Richard Turner, vice president Asia-Pacific, RSA Security. "Organisations are reluctant to upgrade equipment while it is working" even though they want secure products rather than security products.

Configuration
"The biggest vulnerability is a poorly configured Web server," says Turner.

So the first step is to "secure the build"--follow the guidelines to lock down the operating system and secure the Web server, for example by installing all patches and removing all unnecessary facilities. "Be tight" advises Gardner, turn off all services that aren't required. "Load the operating system with an eye to published vulnerabilities," says Cusack.

Also ensure the server process is given the minimum required permissions, says Thomas, and then any subsequent compromises will be less of a problem.

"Security is a passion-killer," says Gardner, warning that failing to resist pressure to roll out services before they are ready can lead to breaches.

"The biggest vulnerability is a poorly configured Web server." --Richard Turner, Vice President Asia-Pacific, RSA Security

Correct configuration--including patching--is "one of the most fundamental and cheapest things to do," regardless of platform or server software, says Thomas.

The good news is that at least some vendors are trying to reduce the risk of misconfiguration.

"There's a lot of activity going on at Microsoft to make sure it is secure out of the box," says English.

The company's "secure by default" effort aims to reduce Windows' attack surface by turning off all services by default, and running them with minimal privileges. A wizard is provided to help set up their servers in a secure manner, and English claims Windows 2003 has one-half to one-quarter of its predecessor's attack surface, depending on the use to which it is put.

While he concedes it was historically true that Windows required competent configuration for security, now "we're locking everything down by default."

Patching
Whether you are using open source or commercial software, you need to keep current, says Mania.

Patch management is "by far the biggest concern for our customers," according to English. Microsoft is formalising the process for enterprise customers by publishing a patch management guide based on ITIL, and providing smaller organisations with tools such as Microsoft Baseline Security Analyzer to scan for misconfigurations and patch status. One analyst firm suggests 95 percent of incidents are preventable by keeping up with patches, English says.

Patching is important, agrees Allan Bell, Asia-Pacific marketing director at Network Associates, but it's very hard to stay current without interrupting business. There are also quality assurance issues to be addressed.

Patch management is difficult, says Campbell. "It takes a lot of discipline to keep up." Organisations need to identify, test, and deploy relevant patches--"It's a very big ask to expect rapid testing and implementation." You must either accept that patches may cause other problems, or look for an alternative to prompt patching. Campbell favours the former course of action, but that requires a plan for backing out patches that prove troublesome in your environment as well as a good disaster recovery plan. Disk imaging products run at 600-700MB per minute at best, he says, so restoring the previous image to multiple servers will take time. Clustering or a redundant site makes the job easier by reducing the time your Web site is completely offline. The danger is that you might not notice the ill effects of a patch for some time, so re-imaging might not be an option unless you are scrupulous in keeping data off of the system volumes.

Turner says public Web sites should be patched quickly rather than waiting for thorough pre-production testing. What would you do if the manufacturer told you that the lock on your front door could be opened by anyone? You'd change it straight away, without checking that every key worked properly, he suggests.

"The level of expertise and knowledge required is cumulative," Gardner says. Knowledge of various types of attack remains in the hacker community, and SecureNet sees perhaps five attacks a day that attempt to exploit two-year-old vulnerabilities, launched just in case something has been overlooked when a server is upgraded or rebuilt. "We still see loosely managed systems," he says.

Patching is "really hard for an amateur," says Cusack, citing one customer who spent three days and nights trying to bring up a server. He kept leaving out a critical patch, and each time the server was put online it was immediately brought down by an attack.

An ongoing task is to continually monitor security lists and vendors' patches. "That's got to be someone's job," Cusack asserts.

Firewalls, IDS, IPS
Infrastructure management for security purposes is "not very well understood in the industry," says Alfarafi, but it includes tools to detect firewall breaches, the alteration of logs, and unusual application use--as occurs in denial of service (DoS) attacks--with reporting to an operator or an automated system that can block the activity. "We use some of this within HP," he says. For example, transactions can be (at least partially) secured by rejecting any that originate from an incorrect port.

These steps mean you will be alerted even if inside information is used for an attack. "Link that to identity management and you have a very powerful tool," he says.

With Web services and interactive Web sites, redirection to another server is normal behaviour (eg, to a payment processing gateway), so protection mechanisms such as firewalls must understand protocols and applications to allow selectivity, says Scott Ferguson, regional director of Check Point. You need to look at traffic at network and application layers to distinguish attempted attacks from legitimate traffic, he says.

"Application filtering at layer 7 is probably one of the most important security features." --Eric Krieger, Regional Sales Manager, Secure Computing

For example, DoS attacks often hit unused ports. In case those ports haven't been disabled as part of the server configuration in every case, they can be disallowed by the firewall if it is application-aware, he says.

Gordon's advice is to lock down unused ports, regardless of platform. Ports 80 and 443 are usually all you need open, he says.

Microsoft's ISA (Internet Security and Acceleration) locks down ports and allows application-level filtering, says English. This allows it to inspect requests on port 80 for malformed addresses containing buffer overruns or other exploits. One of ISA's advantages is that integrates with Active Directory, so when users are deleted, they are automatically removed from all systems including ISA, blocking them completely.

This is one reason why Santos uses ISA to provide secure access to its intranet for travelling staff, especially when they are in Middle East or African countries where dialup access is unavailable for legal or infrastructure reasons and Internet cafes are the only option.

Active Directory was an important reason for the previously all-Unix company switching to Microsoft, says Gillott. "It's a complete package for us" that makes administration easier and reduces the risk of overlooking any particular configuration issue. The company made the switch following a third-party security screening process, he says.

"We knew port 80 was always going to be an issue," says Eric Krieger, regional sales manager at Secure Computing. The majority of traffic has moved to port 80, he says, adding that SSL encryption makes content invisible to most firewalls, and e-mail-borne attacks may pass stateful inspection.

The company's Sidewinder product is a proxy-based firewall that can support multiple servers. "From a security perspective, a Web server is about moving data into a firewall-evading tunnel," Krieger says. "Application filtering at layer 7 is probably one of the most important security features."

Sidewinder keeps port 80 open but checks content at the application level. Around 90 percent of Sidewinder sales are as an appliance on Dell hardware. An annual maintenance fee covers upgrades and updates, "but we've never, ever released a security patch," stresses Krieger.

"There is some disillusionment with intrusion detection systems," say Campbell, largely because of organisations' inability to deal with the data they collect, hence the move to intrusion protection systems which examine traffic for attack signatures and drop offending packets. "Signature-based approaches are quite mature," he says.

The use of a host-based intrusion prevention system (IPS) gives you "virtual patching", says Campbell. It can give immediate response to new vulnerabilities, stretching the time between patch cycles. "It gives you a better chance to patch and test," he says. However, Gordon warns that vigilance is still essential "[unless] you keep up to date, if you don't...patch [the server]."

A layered approach provides protection in depth, says Weisse. McAfee Entercept forms the last line of defence behind the firewall and other measures by creating a "shield" around the operating system kernel that can detect buffer overflows and doubtful system requests. Blaster and other attacks were blocked in this way without signature updates and even on servers that had not been patched, he claims, so this type of technology reduces the urgency of patching.

Since it runs at such a low level, Entercept protects the server from attacks concealed from other technologies by encryption, as it monitors their attempted actions. This approach provides protection from "day zero" attacks--occurring before the software vendor has released a patch for the vulnerability and before new signatures are available for other security technologies.

Entercept also has the ability to lock down critical files, registry keys and settings so they can't be altered, even with root privileges, although it also stops intruders from gaining those privileges in the first place, says Weisse.

The normal behaviour of a Web server is pretty simple, observes Bell, so it is quite easy to spot any exceptions. McAfee's IntruShield (and similar programs from other vendors) generates baselines for specific hosts, then accurately detects anomalies for every protocol and only allows legitimate packets through. "You need both lines of defence" (ie, at the network and system levels), he says.

Each layer reduces the load on the next. Firewalls keep out a lot of the noise, making life easier for the IPS. But that won't usually detect an encrypted attack, though the host-based defences will. Since much of the unnecessary activity has already been blocked, the host-based software won't impose as much of a load on the system as it would if it was the sole defence, explains Weisse.

Weisse suggests a three-phase implementation of these tools, starting with learning and detection mode to provide a baseline. The next step is to secure selected parts of the system, such as key operating system files. Finally, "vault mode" means even users with administration rights are unable to change files and configurations unless authorised by Entercept.

Firewalls and intrusion detection/prevention aren't "fit and forget" devices, warns Gardner; subscribing to signature updates is an important part of maintaining security.

"Security appliances offer significant advantages over a firewall" says Pregnell, as they incorporate IDS, content filtering, and other technologies. However, the appliance is still a perimeter device and the Web server itself must also be protected. He suggests subscribing to a service that will give early warning of vulnerabilities, keeping up to date with patches, and the installation of a host-based IDS that can stop or block rogue software (though that is less important with a well-configured appliance). Used in concert, these measures will make the server as secure as possible.

"Forensic monitoring is where it really gets serious, and proactive recognition of new security issues is nirvana," says Cusack. He uses the Huntsman security system (from Australian vendor Tier-3), which can collect, analyse, respond to, and report malicious attacks. "It's fantastic," he says, "but a bit over the top for anyone not trying to deliver banking or telco-grade security."

Many companies do not install forensic software because they think "it costs too much," he says, but it is important to relate the cost to the value of the business it is protecting. One healthcare fund does 10 percent of its business online, he says, which is more than its two biggest branches combined. "Maybe five percent of Web sites" can justify the expenditure, he suggests, but many of his clients are in that space.

Authentication and Authorisation

If parts of an intranet are to be made available on an extranet or via the Internet, authentication and authorisation are required, says Ferguson. But if any part of a site is public, it is unrealistic to rely on authentication, so protection at the application layer becomes essential, he says.

While a protocol and application-aware firewall helps secure the perimeter, there's also a need for internal security measures to protect against the possibility of attacks from within, with specific knowledge of the applications in use.

Strong authentication should be used when people need to modify data on a Web site, says Turner, or when they access important data. The more valuable the data gets, the need grows for more granular control and (for some users) stronger controls. For example, some parts of a Web site may be open to the public (so no authentication is needed); others may be restricted to registered press, analysts, or resellers (with access controlled by usernames and passwords); while some material may be only for employees' eyes only (with access controlled by some kind of token).

Without assured authentication, you can't be certain a person is who they claim to be, observes Hickin.

Risk and policies
The more visible the organisation, the more chance of a directed attack, says Mania. Smaller companies are more likely to be random targets, but they are less likely to have the in-house resources to adequately protect their servers. Either way, a hosting company has the staff, technologies, and expertise available to do the job, he says.

The Internet is a great productivity tool, but has risks that must be mitigated, says Ferguson. Security is an enabling technology that lets you deploy any kind of network and deploy services such as Web sites and Web Services.

Organisations must weigh the possible consequences of attacks against the cost of securing against them, says Ferguson. He notes that public companies must declare any incident that affects their ability to trade, and asks whether a serious attack on their Web servers would fall into that category.

"Security is no longer the deployment of a piece of technology," it's about corporate policies, he says. Organisations must identify what needs to be protected, then set priorities according to their importance and the budget. Maybe a firewall won't protect the elements considered most critical, so it might not be the most appropriate first step.

The changing value of data over time is an important consideration, according to Turner. For example, if the value decays quickly, you probably don't want to spend too much to protect it, in which case Web access control software can provide appropriate granularity with appropriate passwords.

He also points out the need for the enforceability of security policies from an employment perspective, so staff are in no doubt of their importance.

-Security is no longer the deployment of a piece of technology, it's about corporate policies." --Scott Ferguson, Regional Director, Check Point

Organisations need an overall security policy, says Ferguson. It should be an extension of existing policies, "applying the same level of business philosophy to the IT infrastructure." In the US, he says, the role of chief security officer is emerging to address all aspects of security (including IT) and reporting to the CEO. In Australia, there are "only a couple" of examples, a bank and an airline: "security is a core competency of those businesses," says Ferguson. "IT is now the biggest capital expenditure" (in the US, around 55 percent of capital expenditure goes to IT), so "it's appropriate to get the right level of management attention," he says.

"Australian companies understand risk quite well," says Campbell. The UK and Europe are the most advanced, he says, with Australia a close second. For example, "government in Australia is mandating compliance with international security standards for government departments." He draws a parallel with the privacy acts, which first required government departments to comply with privacy standards, and around a decade later brought the private sector into the net. "I don't think you'll see a ten-year gap" before companies and other non-government organisations meet similar standards, he suggests.

In some other regions, Dimension Data finds it's hard to get companies to see the value in security auditing, as there is less awareness of the need for holistic security management. Most failures are the result of an organisation's approach to security, not because it failed to install a particular technology.

Outsourcing
If you cannot devote adequate resources to your Web server (or you don't have adequate internal resources), you can contract out instead, suggests Mania. This also provides economies of scale, so redundancy, disaster recovery facilities, and so on may become affordable.

Campbell agrees, saying that even if smaller organisations can afford skilled staff, they are unlikely to be able to retain them.

"Security can be an active role, and must be acknowledged as an important part of connecting to the public network," whether the role is filled in-house or by a hosting provider, Mania says, but in the latter case you need to satisfy yourself that they know what they are doing. Such firms should be able to describe their policies and practices, and why they have been adopted. For example, exchanging information with a customer should never be via unencrypted e-mail, and sound policies should be in place for managing changes to the status or configuration of servers, or for creating user accounts and changing passwords. "Most of the compromises are of a social nature," he warns.

Outsourcing does not mean you avoid responsibility for security. "You must take the promises of bundled security and proactive network forensics from your ISP with a grain of salt," counsels Cusack, "you've really got to watch you own backyard."

Hosting companies may operate many sites on one server without partitioning, warns Gordon, in which case any bad code on one site could compromise other customers' sites.

However, managed security services are justified when you can't justify employing a good administrator. "It complements managed networking from any networking provider," says Cusack.

Some consultants including large accounting firms have security practices that can advise on the selection of an outsourcing provider, but it's important to check customer references, Mania advises. Campbell agrees, warning that due diligence is essential when looking for a security provider: you must satisfy yourself that the company will be able to do a good job for you, he says.

-You must take the promises of bundled security and proactive network forensics from your ISP with a grain of salt. You've really got to watch you own backyard." " --Patrick Cusack, CTO, Hothouse Interactive

When picking a security provider, organisations look first for strong brands and experience, and only then does cost come into the equation. Large companies are particularly attracted to firms they regard as having assured longevity.

Gardner says that while full service hosting is "an emerging trend," most large organisations are separating security from the rest of their outsourcing contracts. This is particularly true of banks and government departments, which are aware of the need to partition security and operations.

Audits
Third-party security audits are worthwhile whether you insource or outsource, says Campbell. When security duties are performed in-house, such an audit will keep the board and shareholders happy, or it will provide a check that the outsourcer is meeting your quality expectations. Gordon agrees, pointing out how easy it is for even an expert to miss a fine detail, even when a system of internal checks is in place. External audits show you made a best effort and were complying with best practice at the time of the audit, even if something does go wrong down the track.

Automated audits should be performed weekly, Campbell says, with two to four manual audits per year.

Products are available to perform automated audits as an alternative to outsourced services. For example, TruSecure's Risk Commander provides actionable insight into security effectiveness through measuring and visualising risk reduction and proving compliance with policies, standards and regulatory requirements, company officials claim.

Similarly, CA's eTrust Vulnerability Manager provides information to identify vulnerable machines, what to do to fix (or workaround), and what priority (need to balance that with the importance of the system). Companies don't have the resources to keep track of all this themselves, and some announcements are not fully validated, but CA checks all versions of software to see which are really affected, says Thomas.

The system is sold as an appliance that is updated online from CA's servers. An inventory service identifies exactly what software is running at the site in order to identify systems affected by new vulnerabilities.

While hosting may be seen as a way of avoiding security headaches, it does not remove the need for a rigorous approach to security, Campbell says, because in most cases here will still be a need for connections to corporate data stores and business logic. Again, due diligence and regular testing is necessary to ensure the hosting provider is doing the right thing, he says.

Alerting services "are really good," says Pregnell, especially when they are tailored to your particular combination of software.

Even a few hours notice of a threat may give you enough time to update the policy settings in the appliance (or IDS or content filter) to protect your systems until you can install the corresponding patch.

Managed security services, such as those offered by Symantec offer a range of monitoring and management services including the installation of patches, management of security devices and software, and disaster recovery. Since 20,000 devices around the world feed into Symantec's detection system, the company is able to quickly uncover and identify new exploits by correlating unusual activity with vulnerabilities, Pregnell says. Takeup of such services by Australian organisations

-Vigilance is the only thing that will save you in the long term." --Andrew Gordon, Managed Services Architect, Trend Micro

has grown in the last 12 to 18 months, he says.

His colleague, Gavin Lowth (manager, MSS operations, APAC) says customers range from SMEs to large organisations and state government departments. Attractions include round the clock monitoring and response, charges fixed for up to three years, and support for all major security vendors' products.

"Vigilance is the only thing that will save you in the long term," says Gordon.

Recovery
Attacks sometimes succeed despite attempts to secure a Web server, so you need a disaster recovery plan.

As mentioned above, volume-imaging tools are one way of restoring a compromised server. One example is PowerQuest's V2i Protector, which takes scheduled point-in-time images, storing them on server-attached, network-attached or Fibre Channel SAN devices. This allows recovery to a point in time before the attack occurred.

"Our software provides a valuable safety net for situations in which viruses or worms slip past the anti-virus software," says regional director Greg Wyman.

One satisfied user is Brent Issaia, IT manager at Superfine Printing. "Our Web Servers not only perform marketing duties for customers to see who we are and what we do, but they also interact with our internal MIS structure to provide immediate management and sales reports," he explains. "We create incremental backup images during the day on all systems with no impact on the day-to-day use."

According to Issaia, V2i saved the company hours, perhaps days of work after a major failure, and the server was running again within 10 minutes after the repair. "If it only saves you once then it pays for itself," he says.

Executive summary

• A good architecture helps to maintain security. Isolate different functions on different boxes.
• Use firewalls to protect your servers from the Internet and from your LAN/WAN.
• Configure servers with the minimum of services and privileges necessary for their purpose.
• Keep up to date with patches. Vulnerability notification services can help.
• It probably doesn't matter which of the major platforms you choose. Good configuration and management are more important.
• Intrusion prevention systems provide an additional (and final, in the case of host-based IPSes) line of defence.
• Authentication and authorisation systems will reduce the risk of illicit changes to your server and Web pages, without interfering with the work of authorised users.
• Beware of damage caused by infected machines being connected to your network. Antivirus software and appropriately configured firewalls will help.
• Security is about policies and business decisions, not technology. Senior executive involvement is needed.
• Outsourced security services can be appropriate for many organisations, but take due care in selecting a provider.
• Have a recovery plan in case your security measures fail.

	Web security easy as ABC The ABC has a very large Web site consisting of around one million static pages, plus plenty of streaming content. It attracts around 15 million visitors per week, and "is the third arm of the ABC's broadcasts," says Tony Silva, manager, information and support services. "It's a part of our core business," he adds. "We have to ensure our data is protected from any attack." The ABC uses two firewalls, plus another between the servers and its internal network. The primary Web servers are Apache on Linux; other systems such as forums and guest books run on Microsoft products. Security concerns were part of the product selection process. For support reasons, "we didn't want to have something that wasn't widely used," explains Silva. "We have a number of layers in place to protect us," he says, including maintenance contracts with software vendors (such as Microsoft Premium Support) to provide alerts of new vulnerabilities. "We don't apply every patch that comes out, we vet them in terms of our business risk," says Silva. According to the perceived risk, patches are either applied immediately or tested first. Patching usually begins with the gateway systems to help protect the overall network. So far the broadcaster has not had problems with patches, but it runs a test lab to see if there are any concerns before installing. The Sidewinder firewalls from Secure Computing provide stateful packet filtering and application layer filtering, and are set up to protect systems by providing mail relaying and other services. "We were really looking for an integrated solution, redundancy, and capacity for growth," says Silva. "The Sidewinders gave us that consolidation." Certain types of attachment are automatically stripped from e-mails, and antivirus updates are automatically applied. "Obviously we have internal security policies," he explains. If your brand or corporate image is important, get outside help, Silva advises. "We have regular audits of our security." Getting an outside perspective is important, he suggests, "some advice could save you a lot of money...and credibility." When the firewalls were purchased, part of the deal was the provision of an expert from the vendor's US head office to help with installation. However, the ABC is not considering the use of managed security or hosting services. Part of the problem is that Web site operators face a continuously changing and evolving environment. "You've got to keep monitoring and checking," he says, because there's always someone out there that you need to be protected from. "Once you've put something in, don't sit back."

Subscribe now to Australian Technology & Business magazine.

Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.
ZDNET is a registered service mark of CBS Interactive. ZDNET Logo is a service mark of CBS Interactive.