Websites can be dangerous. Even legitimate websites like garrison.com can be hacked by criminals or other malicious parties and used to host malware which could compromise your machine. This policy describes at a high level the measures we have used to reduce the risk of this.
Higher security approaches exist. We have chosen this approach based on a balance of security, convenience and cost.
- We use an Apache web server with PHP, hosted on an Ubuntu operating system
- The Ubuntu operating system is set to auto-update
- Logins to the Ubuntu operating system are protected by passwords and two-factor authentication
- The web server is running on two load-balanced Amazon EC2 instances
- The EC2 security policy is set to allow HTTP access only (TCP port 80) to the instances from the EC2 load balancer, together with SSH access from a single administrative IP address
- The EC2 load balancer is located behind an AWS Web Application Firewall using the WAF policy described at: http://docs.aws.amazon.com/solutions/latest/aws-waf-security-automations/template.html
- The AWS administrative accounts are protected by passwords and two-factor authentication