Security whitepaper for E-Synergy ASP project
Exact e-Synergy and security:
The Exact e-Synergy program is an Internet-based front-office
application which is installed on a web server (Internet Information Server 5/6,
alias IIS). Data is stored in a SQL Server 2000 database which resides on a separate
database server (MS SQL Server 2000). A number of strict security policies on various
levels should be adopted to protect both the application software and the data against
malicious acts. Total system security consists of several types of safety measures,
each with its own characteristics and maintenance demands. The necessary
security policies are not limited to the Exact e-Synergy application alone; the
integrity of every element of the entire system must be assured.
Data traffic is vulnerable along the entire
path between the source and the destination. This means that all traffic paths,
the data source, the data destination and the data storage have to be protected.
The Internet Service Provider (‘ISP’) which connects the Client to the Internet
is not required to make any modifications to enable use of the e-Synergy
The most basic and most important measure
is to prevent undesired traffic from reaching the intranet at all. This is
done with a firewall that separates the internal network from the potentially 'dangerous'
Internet. The firewall is configured to allow only the traffic that needs access to
the intranet, or better still to a Demilitarized Zone (DMZ). The DMZ is a part
of the network that belongs neither to the intranet nor to the Internet. For
e-Synergy only port 80 (HTTP) or 443 (HTTPS) needs to be opened on the firewall;
everything else remains closed.
Normally the unencrypted version of the protocol, HTTP, is used for data
traffic. To enhance security the encrypted version of this protocol, HTTPS,
is used instead. HTTPS ensures that all traffic
between the Client PC and the web server (IIS) is encrypted, so it cannot be read
or altered on the path between them. HTTPS uses the
Public Key Encryption method as provided by Verisign and other certified key
The Exact e-Synergy application that is
installed on the web server (IIS) contains no data. The actual data is stored in
and retrieved from the MS SQL Server via a direct SQL client connection (ODBC).
The web server therefore holds the credentials for that connection, which is one
reason it needs the extra hardening described below. When the network is configured
to use a DMZ, only the web server (IIS) is allowed to access this SQL server,
again enforced by a firewall.
Data source and data storage integrity:
The IIS server contains the Exact e-Synergy program as the
Internet-based application; only web access is permitted (HTTP(S), ports 80 and 443). Primary
access verification takes place using Microsoft NT domain security. This
domain contains the users that have been created within the Exact e-Synergy program,
so that correct access verification can take place. Anonymous web
site users can be restricted to specific information only by using the
Exact e-Synergy security level 'public' (security level 0).
Each individual database can only be
accessed by users who have been defined within that database.
The SQL server is protected against
unauthorized access by a firewall. Only direct access from the web server
(IIS) to the SQL database server using the SQL client protocol is allowed
(TCP/IP port 1433); the SQL server is never reachable from the Internet directly.
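To make the two firewall boundaries above concrete (Internet to DMZ: only 80/443 to the web server; DMZ to intranet: only 1433 from the web server to the SQL server), here is a small first-match packet-filter model that evaluates which new connections can be set up across the layout. It is an added illustration written for this page, not Exact's code or configuration, and the addresses (documentation ranges) and zone layout are assumptions; it also shows that anything not explicitly allowed, including a second DMZ host talking to SQL, is dropped by the default deny.

```python
"""Model of the two firewalls in the e-Synergy layout (added example, not Exact's code).
Addresses are constructed from the documentation ranges; the whitepaper gives none."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
DMZ = ip_network("192.0.2.0/24")          # assumed DMZ segment
INTRANET = ip_network("10.0.0.0/8")       # assumed internal network
DMZ_WEB = ip_network("192.0.2.10/32")     # the IIS host in the DMZ
SQL_SERVER = ip_network("10.0.0.5/32")    # the MS SQL host on the intranet


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    dport: int  # destination TCP port of the new connection


# Each list is one firewall; anything not matched by an explicit rule is dropped.
PERIMETER = [                        # between the Internet and the DMZ
    Rule(ANY, DMZ_WEB, 80),
    Rule(ANY, DMZ_WEB, 443),
]
INTERNAL = [                         # between the DMZ and the intranet
    Rule(DMZ_WEB, SQL_SERVER, 1433),
]

ZONES = ["internet", "dmz", "intranet"]
BOUNDARY = {("internet", "dmz"): PERIMETER, ("dmz", "intranet"): INTERNAL}


def zone(ip: IPv4Address) -> str:
    """Classify an address into one of the three zones of the layout."""
    if ip in DMZ:
        return "dmz"
    if ip in INTRANET:
        return "intranet"
    return "internet"


def passes(rules: list, src: IPv4Address, dst: IPv4Address, dport: int) -> bool:
    """First-match evaluation; no match means the implicit default deny applies."""
    return any(src in r.src and dst in r.dst and r.dport == dport for r in rules)


def connection_allowed(src: str, dst: str, dport: int) -> bool:
    """Can a new TCP connection src -> dst:dport be established?

    Every firewall on the path between the two zones must allow it. Traffic that
    stays inside one zone crosses no firewall and is outside this model.
    """
    s, d = ip_address(src), ip_address(dst)
    i, j = ZONES.index(zone(s)), ZONES.index(zone(d))
    lo, hi = sorted((i, j))
    crossed = [BOUNDARY[(ZONES[k], ZONES[k + 1])] for k in range(lo, hi)]
    return all(passes(rules, s, d, dport) for rules in crossed)


if __name__ == "__main__":
    # Constructed sample flows: a client on the Internet, the web server, a second DMZ host.
    flows = [
        ("203.0.113.7", "192.0.2.10", 443),   # client -> IIS over HTTPS
        ("203.0.113.7", "192.0.2.10", 1433),  # client -> IIS, SQL port
        ("203.0.113.7", "10.0.0.5", 1433),    # client -> SQL directly
        ("192.0.2.10", "10.0.0.5", 1433),     # IIS -> SQL, the only internal flow
        ("192.0.2.10", "10.0.0.5", 445),      # IIS -> SQL, SMB
        ("192.0.2.99", "10.0.0.5", 1433),     # other DMZ host -> SQL
    ]
    for src, dst, port in flows:
        verdict = "allow" if connection_allowed(src, dst, port) else "deny "
        print(f"{verdict}  {src:>14} -> {dst}:{port}")
```

Note that the internal firewall pins the source to the web server's address, not to the whole DMZ: a compromised second host in the DMZ should gain nothing towards the database.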
Since the web server is the only server that
can be accessed directly via the Internet, it is particularly vulnerable to malicious
attacks. Several measures should be taken to optimize its security:
Minimize the functionality activated on the web server.
IIS comes with several 'handy' features that increase its attack surface; only
install the minimum features necessary for running Exact e-Synergy;
Install the hot fixes and patches provided by Microsoft on a
regular basis.
Exact e-Synergy application security:
The information within the Exact
e-Synergy database is secured with an application security control system. Every
user is granted a security level in the Resource maintenance system of
e-Synergy. A user can only access information with a security level equal to
or lower than their own level; anonymous web users hold the lowest level, 'public' (0).
In addition to the security level, a user can
also be a member of one or more functional roles, which grant that user extra
rights in a specific part of the Exact e-Synergy program.
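The level rule and the role rule above are easy to get subtly wrong (an off-by-one on "equal to or lower", or a role that silently bypasses the level). The following model, written for this page and not taken from e-Synergy, shows the two checks composed the conservative way: a role adds rights within its part of the program, but never lets a user see information above their own level. The role names, the areas, the 'edit' right and the sample users and documents are all constructed assumptions.

```python
"""Model of e-Synergy security levels plus functional roles (added example, not Exact's code).
Roles, areas, rights and the sample data below are assumptions for illustration."""
from dataclasses import dataclass

PUBLIC = 0  # security level 'public': the level an anonymous web site user has


@dataclass(frozen=True)
class User:
    name: str
    level: int
    roles: frozenset = frozenset()


@dataclass(frozen=True)
class Document:
    title: str
    level: int
    area: str  # the part of the program the document belongs to (assumed attribute)


# Assumed role definitions: role name -> set of (area, right) pairs it grants.
ROLE_RIGHTS = {
    "hr_manager": frozenset({("hr", "edit")}),
    "support_agent": frozenset({("support", "edit")}),
}


def can_view(user: User, doc: Document) -> bool:
    """The level rule from the text: the document's level must be equal to or
    lower than the user's own level. Levels below 'public' are a data error."""
    if user.level < PUBLIC or doc.level < PUBLIC:
        raise ValueError("security levels are non-negative")
    return doc.level <= user.level


def has_right(user: User, area: str, right: str) -> bool:
    """Does any of the user's functional roles grant this right in this area?"""
    return any((area, right) in ROLE_RIGHTS.get(role, frozenset()) for role in user.roles)


def can_edit(user: User, doc: Document) -> bool:
    """Assumption made here: a role adds rights on top of the level rule and
    never bypasses it, so editing first requires being allowed to view."""
    return can_view(user, doc) and has_right(user, doc.area, "edit")


def visible_titles(user: User, docs: list) -> list:
    """What a user would get back from a document listing."""
    return [d.title for d in docs if can_view(user, d)]


# Constructed sample data.
DOCS = [
    Document("Opening hours", 0, "support"),
    Document("FAQ", 10, "support"),
    Document("Salary scales", 100, "hr"),
]
ANONYMOUS = User("anonymous", PUBLIC)
EMPLOYEE = User("jan", 10)
SUPPORT = User("tom", 10, frozenset({"support_agent"}))
HR_JUNIOR = User("mia", 50, frozenset({"hr_manager"}))
HR_SENIOR = User("eva", 100, frozenset({"hr_manager"}))

if __name__ == "__main__":
    for u in (ANONYMOUS, EMPLOYEE, SUPPORT, HR_JUNIOR, HR_SENIOR):
        editable = [d.title for d in DOCS if can_edit(u, d)]
        print(f"{u.name:>9}: sees {visible_titles(u, DOCS)}, edits {editable}")
```

The interesting case is HR_JUNIOR: the hr_manager role alone does not reveal "Salary scales", because the document's level (100) is above the user's level (50); raising the level is a separate decision from assigning the role.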
Main Category: Support Product Know How
Document Type: Online help main (On-line help files)
Security level: All - 0