PHP - Security: what is the best way?
What is the best way to protect an intranet website developed using PHP from external attacks?
That's a stunningly thought-provoking question, and I'm surprised that you haven't received better answers.
Everything you would do for an external-facing application, and then some.
If I'm understanding you correctly, then you are asking a question which very few developers are asking themselves. Most companies have poor defence in depth, and once an attacker is in, he's in. Clearly you want to take it up a level.
So, what kind of attack are we thinking about?
If I'm the attacker and I'm attacking your intranet application, then I must have got access to your network somehow. This may not be as difficult as it sounds - I might try spearphishing (targeting email to individuals in your organisation, containing either malware attachments or links to sites which install malware) to get a trojan installed on an internal machine.
Once I've done this (and got control of an internal PC), I'll try all the same attacks I would try against any internet application.
However, that's not the end of the story. I've got more options: if I've got one of your users' PCs, then I might well be able to use a keylogger to gather usernames and passwords, as well as watching all your email for names and phone numbers.
Armed with these, I may be able to log into your application directly. I may even learn an admin username/password. Even if I don't, a list of names and phone numbers along with a feel for company lingo gives me a decent shot at socially engineering my way into wider access within your company.
The common answers to securing a web app:
If it is on an internal network, why is it even possible to get to the app from the outside? Firewall rules should be in place at the very least.
The best way? Disable direct external access!
If employees need to use it (like an extranet-style site), you should make them VPN in. Through VPN you have a lot more authentication options and most of them are a great deal more secure than leaving your intranet server accessible from the internet.
Another option, and this only works if the data is public-safe, is scheduling your intranet server to push the data to another server that is externally accessible. I say push because you really don't want this server to have access to your network. Let your network server do the work.
The best way to secure it? Don't connect it to a network. Make your users physically enter a guarded room with a single console, running Mosaic.
Oh, you want it to be easy to use?
If you forget these simple rules, you could find your application starring on the front pages of newspapers everywhere, just like Yahoo mail.
I would echo @Oli and favour the VPN method if possible. However, if for any reason you need more arbitrary access than this, you should use SSL to secure any authentication. And in addition to password authentication / IP address authentication it would be well worth looking at using SSL with client side certificates.
You could only allow access from internal IPs from the PHP app itself. Also don't ignore the usual security and best practices: input validation and output encoding (whitelisting only), user accounts with hashed passwords etc.
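As an added example that is not part of any answer in this thread, here is a PHP sketch of the points in the last answer: an internal-IP check done in the app on REMOTE_ADDR, whitelist input validation, and HTML output encoding. It assumes PHP talks to clients directly (no reverse proxy rewriting REMOTE_ADDR), IPv4 clients only, and that the RFC 1918 ranges plus loopback count as "internal"; the names `INTERNAL_RANGES`, `ipInRanges`, `requireInternalClient`, `validUsername` and `h` are mine.

```php
<?php
// Added example, not code from the thread. Assumes PHP talks to clients directly
// (no reverse proxy), so REMOTE_ADDR is the real peer; X-Forwarded-For is
// client-controlled and is deliberately ignored for this check.
declare(strict_types=1);
// RFC 1918 private networks plus loopback, assumed to be "internal" here.
const INTERNAL_RANGES = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8'];
// True when the IPv4 literal $ip lies inside one of the CIDR blocks in $ranges.
function ipInRanges(string $ip, array $ranges): bool
{
    $addr = ip2long($ip);
    if ($addr === false) {
        return false; // not a valid IPv4 literal (e.g. IPv6): deny by default
    }
    foreach ($ranges as $cidr) {
        [$net, $bits] = explode('/', $cidr, 2);
        $bits = (int) $bits;
        $mask = $bits === 0 ? 0 : ((~0 << (32 - $bits)) & 0xFFFFFFFF);
        if (($addr & $mask) === (ip2long($net) & $mask)) {
            return true;
        }
    }
    return false;
}
// Refuse the request unless the peer address is on an internal range.
function requireInternalClient(array $server): void
{
    if (!ipInRanges($server['REMOTE_ADDR'] ?? '', INTERNAL_RANGES)) {
        http_response_code(403);
        exit('Forbidden');
    }
}
// Whitelist validation: accept only what a username may look like.
function validUsername(string $u): bool
{
    return preg_match('/^[a-z0-9_]{3,32}$/', $u) === 1;
}
// HTML output encoding; apply to every untrusted value at output time.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
requireInternalClient($_SERVER);
$user = $_POST['user'] ?? '';
if (!validUsername($user)) {
    http_response_code(400);
    exit('Bad username');
}
echo '<p>Welcome, ' . h($user) . '</p>';
```

Passwords in such an app would be stored with `password_hash($plain, PASSWORD_DEFAULT)` and checked with `password_verify()`, never compared as plaintext; if the server also listens on IPv6, the check above denies those peers and would need extending.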