Hi List,
I am deploying a vulnerable web application for students (about 100) in a university, that they can test online and am collecting all the traffic for research purposes.
I am deploying this machine on an ESX hosting other machines, and am concerned about the security issues involved.
Any recommendations/links/tips available will be great.
Thanks
Ihab
Hi,
If you deploy in production/DMZ it could cause the host to be compromised depending on the vulnerabilities it exposes.
If it's for the university students, why does it need to be public? It can be an intranet application; you can still analyze the traffic.
If it's behind the corporate firewall and proxy and has no access to production university data, though there's a risk, I guess it should be fine. (The firewall and proxy would defend against major attacks and the app can still be tested for web application vulnerabilities.)
Thanks
Subin
On Mar 19, 2012, at 9:40 AM, Ihab Samara ihab24@hotmail.com wrote:
Hi List,
I am deploying a vulnerable web application for students (about 100) in a university, that they can test online and am collecting all the traffic for research purposes.
I am deploying this machine on an ESX hosting other machines, and am concerned about the security issues involved.
Any recommendations/links/tips available will be great.
Thanks
Ihab
The Web Security Mailing List
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
VMware have a hardening guide; make sure to apply that to the ESXi.
You also want to separate the machine from other machines using a firewall.
Checkpoint have fantastic virtual firewalls.
Rules should seek to:
Lastly, you should capture all the logs from the machine onto an external
machine using syslog, thus ensuring that you can detect attacks without
having to log onto the actual machine.