
Project Part 2 Task 1: Secure File Storage Server

File Storage Server Security:


First World Bank Savings and Loan needs a file storage server that is both secure
and accessible to the Web server during the transactions conducted by the Web
application. The server must also accept uploads from bank employees so that
customer information stays current. The proper way to do this is to place the file
storage server behind the DMZ on the internal LAN, reachable from the Web server only
through a proxied connection on a second Network Interface Card, separate from the
card the Web server uses to serve the Internet. Proper use of user and group account
controls lets bank employees upload newer versions of the statement .PDF files to the
server while customers, who only ever reach the files through the Web server, are
restricted to read-only access.
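Worked example (added here; not part of the original report): the group-based permission scheme described above, as shell functions. The names are assumptions for the example: the share /srv/statements, the staff group bankstaff, and the Web server account apache, which is neither the owner nor a group member and therefore only receives the read-only "other" bits. The functions take the directory and group as parameters so the scheme can be applied to, and checked on, any directory the caller owns.

```shell
#!/bin/sh
# Added example, not part of the original report. Assumed names: share
# /srv/statements, staff group "bankstaff", Web server account "apache".
# Staff get read/write through group membership; everyone else, including
# the Web server, gets the read-only "other" permission bits.

# Make DIR writable by members of GROUP and read-only for everyone else.
# The setgid bit (the leading 2) makes new uploads inherit GROUP rather than
# the uploader's primary group, so a colleague can replace the file later.
setup_statement_share() {
    dir=$1
    group=$2
    chgrp -R "$group" "$dir"
    find "$dir" -type d -exec chmod 2775 {} +   # drwxrwsr-x: staff rw, others r-x
    find "$dir" -type f -exec chmod 0664 {} +   # -rw-rw-r--: staff rw, others read-only
}

# Octal mode of PATH (GNU stat), used to verify the result.
share_mode() {
    stat -c '%a' "$1"
}

# Exit 0 if USER may write into DIR under this scheme (owner or group
# member), 1 otherwise. Membership comes from `id -Gn USER`; an account
# that does not exist on this host is treated as read-only.
can_write() {
    dir=$1
    user=$2
    owner=$(stat -c '%U' "$dir")
    group=$(stat -c '%G' "$dir")
    [ "$user" = "$owner" ] && return 0
    for g in $(id -Gn "$user" 2>/dev/null || true); do
        [ "$g" = "$group" ] && return 0
    done
    return 1
}

# One-time, root-only step per employee: add USER to GROUP so their SFTP
# uploads land with write access (takes effect at the next login).
add_staff_user() {
    usermod -aG "$2" "$1"
}

# Stand-alone usage, as root on the storage server:
#   setup_statement_share /srv/statements bankstaff
#   add_staff_user jsmith bankstaff
```

With this layout the Web server can read every statement but cannot create or modify one, and a new upload by one employee remains editable by the rest of the group because of the setgid bit. Where the storage host carries other local users, the acl package (setfacl) can replace the "other" read bit with an ACL entry for the apache account alone.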
File Storage Server Selection:
The type of file storage server I would recommend for First World Bank Savings
and Loan is an on-premise implementation of Red Hat Storage Server, which can run as
a virtualized server on the primary server in the LAN and uses logical volumes to
present a scalable storage pool that grows as the financial institution's needs grow.
Red Hat Storage Server is built on the open source distributed file system GlusterFS
and is highly compatible with the Fedora/RHEL install that will run as the primary
server's OS. By implementing a virtualized file server, First World Bank Savings and
Loan gets a file server solution that is secure, accessible, scalable, and cost
effective.

Project Part 2 Task 2: Secure Web and Database Servers
Web and Database Server Security:
First World Bank Savings and Loan will deploy Apache as its Web server and MySQL
as its back-end database server. To use these resources properly they must be
configured securely, or vulnerabilities could be exploited to expose confidential
financial information.
The Apache server should have all unnecessary modules disabled after install, run
under its own non-privileged account, restrict access to the filesystem root directory
in httpd.conf (a Directory block for / that denies all requests and allows no
overrides), use group ownership to restrict access to Apache's bin and conf
directories, disable directory browsing (remove Indexes from every Options line), and
stop advertising the Apache version number (ServerTokens Prod and ServerSignature
Off). Given the prevalence of SQL injection attacks on the Internet, it is only prudent
to secure the MySQL database server from installation onward. SQL injection itself is a
flaw in the Web application and is prevented there with parameterized queries; the
server hardening that follows limits what a successful injection can reach. Changing
the root password, running the mysql_secure_installation script, setting bind-address
to the loopback address to prevent network connections to MySQL (this assumes the
Web application runs on the same host as MySQL; if the database is a separate server,
bind it to the internal-LAN interface and firewall that port instead), ensuring all
accounts have passwords, and renaming the root account are just the tip of the
security iceberg.
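Worked example (added here; not code from the original report or from the Apache or MySQL projects): shell functions that apply the Apache and MySQL hardening steps above to configuration files passed in as arguments, so they can be tried on copies first. Assumptions for the example: Apache 2.4 directive syntax, the non-privileged account is named apache, the MySQL option file has a [mysqld] section, and a MySQL 5.x or MariaDB server (SET PASSWORD syntax; MySQL 8 uses ALTER USER instead). The two sample configuration files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original report. Assumed: Apache 2.4 syntax,
# account "apache", [mysqld] section present, MySQL 5.x/MariaDB SQL syntax.

# Rewrite FILE in place with SED_SCRIPT via a temp copy (no GNU `sed -i` needed).
_edit() {
    sed "$2" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sample httpd.conf showing the weak defaults being corrected.
make_sample_httpd_conf() {
    cat > "$1" <<'EOF'
ServerRoot "/etc/httpd"
Listen 443
LoadModule ssl_module modules/mod_ssl.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
User daemon
Group daemon
ServerTokens Full
ServerSignature On
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
EOF
}

# Modules the bank site does not need; their LoadModule lines get commented out.
UNNEEDED_MODULES="status_module info_module userdir_module autoindex_module cgi_module"

harden_httpd_conf() {
    conf=$1
    for m in $UNNEEDED_MODULES; do
        _edit "$conf" "s/^LoadModule $m /#&/"
    done
    # Run under the non-privileged account and stop advertising the version.
    _edit "$conf" 's/^User .*/User apache/; s/^Group .*/Group apache/'
    _edit "$conf" 's/^ServerTokens .*/ServerTokens Prod/; s/^ServerSignature .*/ServerSignature Off/'
    # Drop Indexes from every Options line (directory browsing off). Apache
    # rejects a mix of bare and +/- options, so the token is removed, not negated.
    awk '$1 == "Options" {
             out = ""
             for (i = 2; i <= NF; i++)
                 if ($i != "Indexes" && $i != "+Indexes") out = out " " $i
             if (out == "") out = " None"
             sub(/Options.*/, "Options" out)
         }
         { print }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    # Deny the filesystem root; only directories granted explicitly are served.
    cat >> "$conf" <<'EOF'

# Added by harden_httpd_conf: nothing outside explicit Directory blocks is served
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>
EOF
}

# Root-only: Apache's bin and conf directories readable by root and the apache
# group only (APACHE_ROOT is e.g. /usr/local/apache2 for a source install).
lock_apache_dirs() {
    chown -R root:apache "$1/bin" "$1/conf"
    chmod -R o-rwx "$1/bin" "$1/conf"
}

# Constructed sample my.cnf (no bind-address yet).
make_sample_my_cnf() {
    printf '[mysqld]\ndatadir=/var/lib/mysql\n[mysqld_safe]\nlog-error=/var/log/mysqld.log\n' > "$1"
}

# Bind MySQL to the loopback address only: replace an existing bind-address
# or add one right under [mysqld].
harden_my_cnf() {
    cnf=$1
    if grep -q '^bind-address' "$cnf"; then
        _edit "$cnf" 's/^bind-address.*/bind-address = 127.0.0.1/'
    else
        _edit "$cnf" '/^\[mysqld\]$/a\
bind-address = 127.0.0.1'
    fi
}

# Emit the SQL equivalent of mysql_secure_installation plus a root rename;
# pipe it into `mysql -u root -p`. Single quotes in the password are doubled.
mysql_hardening_sql() {
    pw=$(printf '%s' "$1" | sed "s/'/''/g")
    newroot=$2
    cat <<EOF
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('$pw');
DELETE FROM mysql.user WHERE User = '';
DELETE FROM mysql.user WHERE User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db = 'test' OR Db LIKE 'test\_%';
RENAME USER 'root'@'localhost' TO '$newroot'@'localhost';
FLUSH PRIVILEGES;
-- Accounts still without a password (5.x/MariaDB column name; authentication_string on 5.7+):
SELECT User, Host FROM mysql.user WHERE Password = '';
EOF
}
```

Run harden_httpd_conf on a copy and check it with apachectl configtest before restarting Apache; the final SELECT in the generated SQL should return no rows once every account has a password.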
Secure Remote Administrative Access:
As mentioned above, disabling network access to the MySQL server is a best practice
in hardening it, yet system administrators may still need remote access to change
settings on the server. To facilitate this, administrators should use Secure Shell
(SSH) to log in to the server itself and, from there, use sudo with only the privileges
required to administer the Apache Web server and the MySQL server. This protects the
Web and database servers from direct network connections making unauthorized
changes while still giving administrators remote access.

Project Part 2 Task 3: Provide Layered Security
Secure Remote Web Server Access
As mentioned previously when discussing administrators' remote access to the MySQL
server, administrators may need remote access to the Apache Web server from the
Internet when troubleshooting issues from home. To facilitate this without creating a
security issue, telnet and FTP should be disabled (better still, not installed at all)
and SSH should be the only method of remote server access, with root login and
password authentication turned off in sshd_config in favor of key-based
authentication.
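Worked example (added here; not code from the original report) covering both the administrative access section in Task 2 and the remote Web server access section above: harden sshd_config so that SSH is the only way in, and grant administrators only the sudo rights the Web and database servers need. Assumed names for the example: the administrator group webadmins, the staff group bankstaff (SFTP uploads only, no shell), and RHEL 7 paths for httpd and mysqld. The sample sshd_config is constructed; the functions take file paths so they can be run against a copy before touching /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the original report. Assumed: admin group
# "webadmins", staff group "bankstaff", RHEL 7 systemctl paths.

# Constructed sample sshd_config with the stock defaults to be tightened.
make_sample_sshd_config() {
    cat > "$1" <<'EOF'
#Port 22
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
}

# Set KEY to VALUE in FILE: rewrite an existing (possibly commented-out)
# line, or append one. sshd honours the first match, and Match blocks must
# stay last, so this runs before any Match block is appended.
set_sshd_directive() {
    file=$1; key=$2; value=$3
    if grep -q "^#\{0,1\}$key " "$file"; then
        sed "s/^#\{0,1\}$key .*/$key $value/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

harden_sshd_config() {
    file=$1
    set_sshd_directive "$file" Protocol 2                 # SSHv1 is broken; never accept it
    set_sshd_directive "$file" PermitRootLogin no          # log in as yourself, then sudo
    set_sshd_directive "$file" PasswordAuthentication no   # keys only: nothing to brute-force
    set_sshd_directive "$file" PubkeyAuthentication yes
    set_sshd_directive "$file" AllowGroups "webadmins bankstaff"
    cat >> "$file" <<'EOF'

# Staff accounts may transfer statement files but get no shell
Match Group bankstaff
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
EOF
}

# Sudoers fragment for /etc/sudoers.d/webadmins: service control and
# sudoedit of the two config files, nothing else (no shell, no full root).
webadmin_sudoers() {
    cat <<'EOF'
Cmnd_Alias WEB_SVC = /usr/bin/systemctl restart httpd, /usr/bin/systemctl reload httpd, /usr/bin/systemctl status httpd, /usr/sbin/apachectl configtest
Cmnd_Alias DB_SVC  = /usr/bin/systemctl restart mysqld, /usr/bin/systemctl status mysqld
Cmnd_Alias WEB_CFG = sudoedit /etc/httpd/conf/httpd.conf, sudoedit /etc/my.cnf
%webadmins ALL=(root) WEB_SVC, DB_SVC, WEB_CFG
Defaults:%webadmins log_output
EOF
}

# Root-only: install the fragment with the mode sudo insists on, syntax-check
# it, and remove the legacy services rather than merely disabling them.
install_remote_admin() {
    webadmin_sudoers > /etc/sudoers.d/webadmins
    chmod 0440 /etc/sudoers.d/webadmins
    visudo -cf /etc/sudoers.d/webadmins
    harden_sshd_config /etc/ssh/sshd_config
    sshd -t && systemctl reload sshd
    yum -y remove telnet-server vsftpd
}
```

Keep an existing SSH session open while reloading sshd, so a mistake in the new configuration can be undone; sshd -t catches syntax errors but not a lock-out caused by AllowGroups naming a group you are not in.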
TCP Wrappers and SELinux
TCP Wrappers, configured through the hosts.allow and hosts.deny files, are an easy and
reliable way to help ensure that unwanted access does not occur while still allowing
those who need access to get it. Two caveats apply. First, TCP Wrappers match on the
daemon name and the client address, not on a port number, so the rule is written as
sshd: 192.168.10.0/255.255.255.0, not as "port 22". Second, only programs built
against libwrap (sshd, and services started through xinetd) consult these files;
Apache does not. Forcing customers to use HTTPS by allowing port 443 but not port 80,
and keeping ports 21 and 23 closed so unencrypted FTP and telnet cannot be reached, is
therefore a job for the host firewall (iptables), with a default policy that drops
everything not explicitly allowed. For SSH the two layers complement each other: the
firewall admits port 22 only from the administrators' network, hosts.allow restricts
sshd to the same addresses, and hosts.deny ends with ALL: ALL so that any libwrap-aware
service not explicitly allowed is refused. SELinux has shipped with the Linux 2.6
kernel and later and provides mandatory access control, independent of user and
group permissions, by confining what installed software can and cannot do; it can be
switched between enforcing and permissive mode, and adds another layer of security to
the operating system.
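Worked example (added here; not code from the original report): the three layers above, each doing the job it is actually able to do. TCP Wrappers confine sshd to the administrators' network, the host firewall admits only port 443 from anywhere and port 22 from that network, and SELinux stays enforcing. Assumptions for the example: the administrators' network is 192.168.10.0/24 (written in netmask form for hosts.allow), and RHEL tooling (iptables with the iptables-services package, setenforce, setsebool). The file-writing and rule-generating functions take paths and parameters so they can be tested on copies; the root-only apply step is separate.

```shell
#!/bin/sh
# Added example, not from the original report. Assumed: admin network
# 192.168.10.0/24, RHEL tools (iptables-services, setenforce, setsebool).

# hosts.allow / hosts.deny: daemon name and client address, never a port.
# ADMIN_NET is in tcp_wrappers netmask form, e.g. 192.168.10.0/255.255.255.0.
write_tcp_wrappers() {
    allow=$1; deny=$2; admin_net=$3
    printf 'sshd: %s\n' "$admin_net" > "$allow"
    printf 'ALL: ALL\n' > "$deny"     # every libwrap-aware service not allowed above
}

# iptables-restore ruleset: default DROP, loopback and established traffic,
# HTTPS for everyone, SSH only from the admin network (CIDR form). Ports 80,
# 21 and 23 are simply absent, so HTTP, FTP and telnet cannot be reached.
firewall_rules() {
    admin_cidr=$1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -s $admin_cidr --dport 22 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Exit 0 if the generated ruleset opens PORT to the whole Internet, 1 if
# not; a cheap pre-deployment check (SSH must report "not open to all").
port_open_to_all() {
    firewall_rules "$1" | grep -q -- "-A INPUT -p tcp --dport $2 -j ACCEPT"
}

# Root-only: apply all three layers on the Web server.
apply_layers() {
    admin_cidr=$1
    admin_masked=$2
    write_tcp_wrappers /etc/hosts.allow /etc/hosts.deny "$admin_masked"
    firewall_rules "$admin_cidr" > /etc/sysconfig/iptables   # persistent with iptables-services
    iptables-restore < /etc/sysconfig/iptables
    setenforce 1                                             # enforcing now...
    sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config   # ...and after reboot (GNU sed)
    # Apache talking to MySQL on 127.0.0.1:3306 is a network connect to SELinux;
    # without this boolean the Web application's database calls are denied.
    setsebool -P httpd_can_network_connect_db on
}

# Example invocation (as root):
#   apply_layers 192.168.10.0/24 192.168.10.0/255.255.255.0
```

The tcpdmatch utility from the tcp_wrappers package (for example, tcpdmatch sshd 192.168.10.5) shows how hosts.allow and hosts.deny will treat a given client without opening a real connection, and ausearch -m avc will show any remaining SELinux denials once the Web application runs in enforcing mode.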

