Exploring F.A.I.R. – Setting the Stage – The System

by kriggins on February 23, 2009

in Uncategorized

In the last post of the series we took a look at the organization we are helping out with our assessment. We also were given their Loss Magnitude Table. That table gives us a good idea of their risk tolerance.

Today we are going to look at the architecture of the system that hosts Oblivia's tax code and tax rate tables.

As indicated before, Oblivia is does not have a very mature technology infrastructure. However, they have been given some good advice about the need for firewalls and to only allow needed ports and such. Below is a diagram of their public facing web infrastructure.

Oblivia Internet Facing Network Architecture

The system configurations are as follows:

Web Server:

  • Operating System: A Very Fine OS (fully patched)
  • HTTPD Software: A Very Fine Web Server (fully patched)
  • CMS: An internally developed application. A penetration test was recently performed and several XSS issues were uncovered along with one SQL injection problem  (import bits of information for later.)

Database Server:

  • Operating System: A Very Fine OS (fully patched)
  • Database Server: A Very Fine DB Server (fully patched)

As you can see, keeping systems appropriately patched has been another good bit of advice given and taken to heart. We will definitely be visiting some of the traffic allowed as we progress. 🙂

On final note, there is no remote access solution in place, but those responsible for the systems sometimes need to be able to work on them from remote locations, i.e. home. You can probable tell how they are doing from the ports allowed through the firewalls.

In our next post, we will again look at assets again. As always, fell free to chime in on the comments if you have something to say or I goofed again 🙂

-Kevin

PS - For those interested, the diagram above was created with Gliffy. It is a really nifty free on-line diagramming tool.

{ 0 comments… add one now }

Leave a Comment

Previous post:

Next post: