Re: Maximum Online Transaction Amount....
From: Johannes Ullrich (jullrich@euclidian.com) Date: 08/28/02
- Previous message: Kevin McKinstry: "Re: Firewall DMZ"
- In reply to: James McGee: "Re: Maximum Online Transaction Amount...."
- Next in thread: Stephane Nasdrovisky: "Re: Maximum Online Transaction Amount...."
- Next in thread: Craig Humphrey: "RE: Maximum Online Transaction Amount...."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 27 Aug 2002 20:07:39 -0400
From: "Johannes Ullrich" <jullrich@euclidian.com>
To: "James McGee" <james__mcgee@hotmail.com>
> Site is not open to the general public, but varying levels of users.
> Although access is over the public Internet...
Well, if the number of users is limited (and you are not afraid of
doing some tech support to get them started), client certificates
are probably a good idea, in particular if the site is accessed
using a regular web browser. You can set up your own CA and cost is
minimal (use self-signed keys).
In addition, you may want to check into some of the one-time
password systems like cryptocard. You can use them to authenticate
individual transactions (unless they do a lot of small transactions;
it can be a pain if you have to do it a lot). Count on about $50
or so per user and year to get the tokens. If you have to save money
badly, you can use s/key and print transaction number lists and
hand them to people.
So the basic concept would be:
1) user visits secure web site, presents client certificate, and
hopefully verifies your server certificate. Site verifies that
client cert is valid.
2) user enters username/password.
user has now access to their account, can check up on
past transactions and such.
3) user enters a transaction and is presented with a cryptocard
'challenge'. User types this challenge into their token and
enters the token response.
....
Anyway... This system will probably cost you $5k-10k in hardware
and software. Some sweat to get it all plugged in and running.
Read up on how to build your own CA with Apache and openssl. Also
check with some vendors of one-time password generators (I know
Cryptocard, but there are others, e.g. RSA...)
Other steps you may want to consider:
- limit the users to given browsers, refuse access from older
browsers and such that may have security holes.
Of course, all of this only makes sense if you have the basics
covered: firewall, ids, patch schedule for the server, locked down
server configuration.... You don't want to build a super secure
web-app and keep wu-ftp installed, open and unpatched ;-).
There are too many little things to put it all into one email. Make
sure you are including everyone. Developers of the application,
network admins, users....
--
jullrich@euclidian.com
Collaborative Intrusion Detection: join http://www.dshield.org
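The "print transaction number lists" fallback and step 3 of the scheme above (one-time value per transaction) can be implemented with an S/KEY-style hash chain. The following is an added example, not code from the original mail or from any vendor product named in it; it assumes the MD5 variant of the one-time password hash with the 64-bit fold from RFC 2289, a constructed passphrase and seed, and made-up function and class names (otp_hash, build_chain, format_tan_list, TanVerifier, demo).

```python
"""One-time transaction numbers (TANs) as an S/KEY-style hash chain.

Added example in the style of RFC 1760 / RFC 2289 (MD5 variant). The
names below are made up for this illustration; the passphrase and seed
in demo() are constructed test data.
"""
import hashlib
import secrets
from typing import List


def otp_hash(block: bytes) -> bytes:
    """One step of the chain: MD5, folded to 64 bits by XORing the halves
    (the RFC 2289 fold for the MD5 variant)."""
    d = hashlib.md5(block).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def build_chain(passphrase: str, seed: str, length: int) -> List[bytes]:
    """Return p[0..length] with p[0] = H(seed || passphrase), p[i] = H(p[i-1]).

    The user gets p[length-1] down to p[0] on paper; the server stores only
    p[length]. Knowing p[length] does not let anyone compute earlier entries,
    so a leaked server database does not yield usable TANs.
    """
    chain = [otp_hash((seed.lower() + passphrase).encode())]  # seed is lowercased per RFC 2289
    for _ in range(length):
        chain.append(otp_hash(chain[-1]))
    return chain


def format_tan_list(chain: List[bytes]) -> List[str]:
    """Printable list in order of use: highest sequence number first.
    The last element of the chain is the server's anchor and is not printed."""
    return [f"{seq:3d}  {chain[seq].hex()}" for seq in range(len(chain) - 2, -1, -1)]


class TanVerifier:
    """Server side. Stores only the next expected hash and its sequence number,
    never the user's list, and moves the anchor back one step on each success."""

    def __init__(self, seq: int, anchor: bytes):
        self.seq = seq        # sequence number of the stored anchor, i.e. p[seq]
        self.anchor = anchor  # p[seq]

    def verify(self, presented_hex: str) -> bool:
        """Accept iff H(presented) == anchor. A replayed TAN fails because the
        anchor has moved; a TAN used out of order (skipping one) also fails."""
        try:
            presented = bytes.fromhex(presented_hex)
        except ValueError:
            return False
        if len(presented) != 8 or self.seq == 0:  # seq 0 means the list is exhausted
            return False
        if not secrets.compare_digest(otp_hash(presented), self.anchor):
            return False
        self.seq -= 1
        self.anchor = presented
        return True


def demo() -> List[bool]:
    """Constructed walk-through: issue a 5-entry list, then try use, replay,
    skip and the next valid entry. Returns the four verifier decisions."""
    chain = build_chain("correct horse battery", "ex1234", 5)
    for line in format_tan_list(chain):  # what the user would get on paper
        print(line)
    server = TanVerifier(5, chain[5])
    return [
        server.verify(chain[4].hex()),  # first TAN: accepted
        server.verify(chain[4].hex()),  # replay of the same TAN: rejected
        server.verify(chain[2].hex()),  # skipping ahead: rejected
        server.verify(chain[3].hex()),  # next TAN in order: accepted
    ]


if __name__ == "__main__":
    print(demo())
```

Two practical caveats the code makes visible: the list is consumed strictly in order, so a lost or skipped entry locks the user out until the list is reissued, and the passphrase never leaves the machine that printed the list, so the server holds nothing worth stealing beyond the current anchor.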