
Security whitepaper for E-Synergy ASP project

Exact e-Synergy and security:

The Exact e-Synergy program is an Internet-based front-office application which is installed on a Web server (Internet Information Server 5/6, alias IIS). Data is stored in a SQL 2000 database which resides on a separate database server (MS SQL 2000). A number of strict security policies on various levels should be applied to protect both the application software and the data against malicious acts. Total system security includes various types of safety measures, each with its own characteristics and maintenance demands. The necessary security policies are not limited to the Exact e-Synergy application alone; the integrity of all elements of the entire system must be assured.


Data traffic is vulnerable along the entire path between the source and the destination. This means that all traffic paths, the data source, the data destination and the data storage have to be protected. The Internet Service Provider (‘ISP’) which connects the Client to the Internet is not required to make any modifications to enable use of the e-Synergy program.

 

Network level:

The most basic and most important measure is to prevent undesired traffic from reaching the intranet. This can be done by using a firewall that separates the internal network from the potentially ‘dangerous’ Internet. The firewall is configured to allow only the traffic that needs access to the intranet, or even better to the Demilitarized Zone (DMZ). The DMZ is a part of the network that is neither part of the intranet nor of the Internet. For e-Synergy, port 80 (HTTP) or 443 (HTTPS) needs to be opened on the firewall.

 

Data traffic:

Normally an unencrypted protocol, HTTP, is used for data traffic. To enhance security, the encrypted version of this protocol, HTTPS, is used. HTTPS ensures that all traffic between the Client PC and the Web server (IIS) is encrypted. HTTPS uses public key encryption, with certificates provided by Verisign and other certified key issuers.

The Exact e-Synergy application that is installed on the Web server (IIS) contains no data. The actual data is stored to and retrieved from the MS SQL Server via a direct SQL client connection (ODBC). When the network is configured to use a DMZ, only the Web server (IIS) is allowed to access this SQL server, again by the use of a firewall.

 

Data source and data storage integrity:

The IIS server contains the Exact e-Synergy program as the Internet-based application; only web access is permitted (HTTP(S), ports 80 and 443). Primary access verification takes place using Microsoft NT domain security. This domain contains the users which have been created within the Exact e-Synergy program, so that correct access verification can take place. Anonymous web site users can be restricted to specific information by using the Exact e-Synergy security level ‘public’ (security level 0).

Each individual database can only be accessed by users who have been specified within that database.

The SQL server is protected against unauthorized access by a firewall. Only direct access from the Web server (IIS) to the SQL database server using the SQL client protocol is allowed (TCP/IP port 1433).
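The two firewall rules described above (Internet to the DMZ web server on 80/443 only, and the DMZ web server to the SQL server on TCP 1433 only, everything else denied) can be modelled and checked against sample connection attempts. The following is an added example written for this page, not Exact's own configuration or firewall product; the host names, zone names and connection attempts are constructed for illustration, and the `https_only` switch shows the difference between opening port 80 and opening only port 443.

```python
"""Model of the allow-list firewall policy described in the whitepaper.
Added illustration; host names, zones and attempts are constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_zone: str   # zone the connection originates from
    dst_host: str   # host the connection targets
    dst_port: int
    proto: str = "tcp"


# Constructed hosts and the network zone each one sits in.
ZONE_OF = {
    "client-pc": "internet",   # a Client somewhere on the Internet
    "web-iis": "dmz",          # the IIS server running e-Synergy
    "sql-2000": "intranet",    # the MS SQL 2000 database server
    "fileserver": "intranet",  # some other internal host, never reachable from outside
}


def build_policy(https_only: bool) -> list[Rule]:
    """Allow-list as the whitepaper describes it: web ports to IIS, 1433 from IIS to SQL."""
    web_ports = [443] if https_only else [80, 443]
    rules = [Rule("internet", "web-iis", port) for port in web_ports]
    rules.append(Rule("dmz", "sql-2000", 1433))
    return rules


def is_allowed(policy: list[Rule], src_host: str, dst_host: str,
               dst_port: int, proto: str = "tcp") -> bool:
    """Default deny: the connection passes only if a rule matches zone, host, port and protocol."""
    src_zone = ZONE_OF.get(src_host)  # unknown sources have no zone and match nothing
    return any(r.src_zone == src_zone and r.dst_host == dst_host
               and r.dst_port == dst_port and r.proto == proto
               for r in policy)


def evaluate(policy: list[Rule], attempts: list[tuple[str, str, int]]) -> dict[tuple[str, str, int], bool]:
    """Decide every (src, dst, port) attempt under the policy; useful for auditing a rule set."""
    return {a: is_allowed(policy, *a) for a in attempts}


# Constructed connection attempts a defender would expect to see decided correctly.
ATTEMPTS = [
    ("client-pc", "web-iis", 443),    # browser to e-Synergy over HTTPS
    ("client-pc", "web-iis", 80),     # browser to e-Synergy over plain HTTP
    ("client-pc", "sql-2000", 1433),  # Internet host trying to reach SQL directly
    ("client-pc", "fileserver", 445), # Internet host trying to reach the intranet
    ("web-iis", "sql-2000", 1433),    # the only path the web server needs
    ("web-iis", "fileserver", 445),   # a compromised web server probing the intranet
]

if __name__ == "__main__":
    for https_only in (False, True):
        print(f"https_only={https_only}")
        for attempt, allowed in evaluate(build_policy(https_only), ATTEMPTS).items():
            print("  ", attempt, "ALLOW" if allowed else "DENY")
```

With `https_only=True` the plain-HTTP attempt is the only additional denial; every attempt that bypasses the DMZ web server, including a web server that has itself been compromised reaching for hosts other than the SQL server, is denied by the default-deny rule rather than by any explicit block.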

 

Server maintenance:

Since the Web server is the only server that can be accessed directly via the Internet, this server is especially vulnerable to malicious attacks. Several measures should be taken to optimize security:

  • Minimize the functionality activated on the Web server. IIS comes with several ‘handy’ features that increase vulnerability; install only the minimum features necessary for running Exact e-Synergy;
  • Install hot fixes and patches provided by Microsoft on a regular basis.

 

Exact e-Synergy application security:

The information within the Exact e-Synergy database is secured with an application security control system. All users are granted a security level in the Resource maintenance system of e-Synergy. Each user can only access information with a security level equal to or lower than their own level.

In addition to the security level, any user can also be a member of one or more functional roles, which grant this user extra rights in a specific part of the Exact e-Synergy program.
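The two layers just described (a security level that gates what a user may see, with anonymous web visitors treated as level 0 ‘public’, and functional roles that add rights within a specific part of the program) combine into a single access decision. The following is an added example written for this page, not e-Synergy's own code; the role names, program areas, users and documents are constructed for illustration.

```python
"""Model of e-Synergy's two-layer application security as the whitepaper describes it.
Added illustration; users, items, areas and role rights are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

PUBLIC = 0  # security level 'public', the level an anonymous web user acts at


@dataclass
class User:
    name: str
    level: int
    # functional roles, modelled as: program area -> set of extra rights in that area
    roles: dict[str, set[str]] = field(default_factory=dict)


@dataclass
class Item:
    title: str
    level: int   # security level required to see this information
    area: str    # part of the program the item belongs to


ANONYMOUS = User("anonymous", PUBLIC)


def effective_user(user: User | None) -> User:
    """A missing user is an anonymous web visitor and gets the 'public' level."""
    return user if user is not None else ANONYMOUS


def can_read(user: User | None, item: Item) -> bool:
    """Level check: the item's level must be equal to or lower than the user's own level."""
    return effective_user(user).level >= item.level


def can_perform(user: User | None, item: Item, right: str) -> bool:
    """Reading is governed by level alone; any other right must come from a role
    in the item's area, and never from a high security level by itself."""
    if not can_read(user, item):
        return False
    if right == "read":
        return True
    return right in effective_user(user).roles.get(item.area, set())


def visible_titles(user: User | None, items: list[Item]) -> list[str]:
    """What a listing page would show this user."""
    return [i.title for i in items if can_read(user, i)]


# Constructed sample data.
ITEMS = [
    Item("Price list", PUBLIC, "sales"),       # public information
    Item("Internal memo", 50, "hr"),
    Item("Board minutes", 100, "management"),
]
ALICE = User("alice", 50, roles={"sales": {"edit"}})   # editor in the sales area
BOB = User("bob", 100)                                   # high level, no roles

if __name__ == "__main__":
    for who in (None, ALICE, BOB):
        print(effective_user(who).name, "sees", visible_titles(who, ITEMS))
    print("alice may edit the price list:", can_perform(ALICE, ITEMS[0], "edit"))
    print("bob may edit the price list:", can_perform(BOB, ITEMS[0], "edit"))
```

The point the split makes: Bob's level of 100 lets him see everything, but without a role in the sales area he cannot edit even a public item, while Alice can edit the price list only because her role grants that right in that area and she is allowed to see the item in the first place.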

Main Category: Support Product Know How
Document Type: Online help main
Category: On-line help files
Security level: All - 0
Sub category: General
Document ID: 00.034.900
Date: 19-05-2018
Attachment: ASP Security Whitepaper.doc (449.5 KB)