Understanding the client-server structure is required to fully understand an IT system.
Figure 1. Client-Server Structure
We generally use desktops, laptops and mobile devices to access the web.
In IT terms, the desktops, laptops and mobile devices used to access the web are called "clients." The service providers are called "servers": they store web content such as websites and the back ends of mobile applications, and serve it when clients connect. (Not every server in an IT system is a web server, but we take web servers as the example since we are discussing web security here.) Simply put, the web is the network that connects clients and web servers.
From a security point of view, client security is generally about the safety of an individual's system, whereas server security is about the safety of an enterprise's systems.
Of course, companies also have internal security concerns, but here we want to talk about server security, which is the core of web security in enterprises.
To understand the structure of an enterprise server system, let's take a look at the structure of an IT system.
Figure 2. IT System Structure
An IT system consists of a network layer, a system layer, and an application layer. There are more detailed layered models, such as the OSI seven-layer model and the TCP/IP model, but these three layers (network, system and application) are the common denominator that both models can be mapped onto, as the figure above shows. The three layers interact with one another to make the IT system work.
Each layer has its own basic function. The network layer sends and receives data. The system layer is the platform that applications run on, i.e. the operating system, such as Windows or Linux. On top of the system layer, the application layer provides protocols (HTTP, FTP, etc.) and application services.
The structure of a server follows this layering as well. Therefore, only when all three layers, network, system and application, are secured can we say that the server is secured; a weakness in any one layer is a weakness of the whole server.
In an IT system, network and system security are actually implemented as follows.
Basic knowledge of network security
To secure the network, access from unsafe IP addresses or to unneeded ports must be blocked, and the traffic that arrives through allowed IPs and ports must be inspected for harmful content. For this reason most companies install firewalls and intrusion detection/prevention systems (IDS/IPS). However, a firewall decides on addresses and ports only, so it cannot block an attack that arrives through an allowed IP and port (a web server must accept port 80 and 443 from the whole Internet). The detection an IDS/IPS performs at the network layer also has limits: it matches patterns in the bytes on the wire but does not understand the application or how the application will interpret those bytes, so a known payload can be caught while an encoded or reworded variant of the same attack passes through. Therefore network-layer devices cannot reliably defend against attacks that target application vulnerabilities.
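To make the limits described above concrete, here is an added example (illustration code written for this page, not code from the original article or any product). It simulates the three decisions a request passes through: a firewall that looks only at source address and destination port, a signature IDS that matches raw bytes, and an application-layer check that parses the HTTP request the way the web application would. The allow-list, the signature, the parameter name `id` and the three sample requests are all constructed for the example.

```python
"""Firewall, signature IDS and application-layer check on the same HTTP request.

Added illustration for this page; the rules, the signature and the requests
are constructed, not taken from any real deployment.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed network-layer allow-list, as a firewall would hold it:
# (source network, destination port).  The web ports are open to everyone.
ALLOW_RULES = [
    ("0.0.0.0/0", 80),
    ("0.0.0.0/0", 443),
    ("10.0.0.0/8", 22),   # SSH only from the internal network
]

# Constructed IDS signature: the raw bytes of a classic SQL injection probe.
IDS_SIGNATURES = [b"' OR 1=1", b"' or 1=1"]

# Constructed requests to a hypothetical shop.  Same path, three parameter values.
LEGIT_REQUEST = b"GET /item?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
NAIVE_SQLI_REQUEST = b"GET /item?id=1' OR 1=1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
ENCODED_SQLI_REQUEST = b"GET /item?id=1%27%20OR%201%3D1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"


def firewall_allows(src_ip: str, dst_port: int) -> bool:
    """Network-layer decision: address and port only, the payload is never read."""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(net) and dst_port == port
               for net, port in ALLOW_RULES)


def ids_matches(payload: bytes) -> bool:
    """Signature IDS: substring match on the bytes as they appear on the wire."""
    return any(sig in payload for sig in IDS_SIGNATURES)


def app_request_suspicious(raw_http: bytes) -> bool:
    """Application-layer check: parse the request line, URL-decode the query string
    exactly as the web application will, and validate the assumed 'id' parameter
    against what the application expects (a decimal integer)."""
    request_line = raw_http.split(b"\r\n", 1)[0].decode("ascii", "replace")
    _method, rest = request_line.split(" ", 1)
    target, _version = rest.rsplit(" ", 1)          # tolerate spaces inside the target
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)  # decodes %27, %20, +
    return any(not value.isdigit() for value in query.get("id", []))


def evaluate(src_ip: str, dst_port: int, raw_http: bytes) -> dict:
    """Run one request through all three layers and report each verdict."""
    return {
        "firewall": firewall_allows(src_ip, dst_port),   # True = passed through
        "ids": ids_matches(raw_http),                    # True = alert raised
        "app": app_request_suspicious(raw_http),         # True = rejected by the app
    }


if __name__ == "__main__":
    print("SSH from the Internet blocked by firewall:",
          not firewall_allows("198.51.100.7", 22))
    for name, req in [("legit", LEGIT_REQUEST),
                      ("naive injection", NAIVE_SQLI_REQUEST),
                      ("url-encoded injection", ENCODED_SQLI_REQUEST)]:
        print(name, evaluate("203.0.113.5", 80, req))
```

The firewall does its job for the SSH probe from the Internet, but it passes all three web requests because port 80 is allowed for everyone. The IDS raises an alert on the naive payload and stays silent on the URL-encoded one, since `%27%20OR%201%3D1` does not contain the bytes `' OR 1=1`; only the check that decodes the request as the application does sees both injections. That is the gap the text describes: the decision has to be made at the layer that understands the data.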
System security is mostly about the operating system. The vendors who develop and supply operating systems such as Windows, Linux and Unix address known vulnerabilities through security updates and patches. Enterprise security managers have to maintain system security continuously, not only by applying those updates and patches promptly but also by periodically scanning the system for malicious code. For this purpose companies usually install anti-virus solutions.
You might be wondering why there is no explanation of application security.
From the description of network and system security, you can see that most companies understand those two layers and make an effort to secure them. When it comes to application security, however, the situation is different. Compared to the network or system layer, the application layer is far more diverse: there are many different types of applications, each with its own behaviour, so most security managers have difficulty securing them. The same is true when building web security.
Ironically, application security is the most important part of web security.