Net Classroom and Faculty Access for Web Security

Technical Paper NetClassroom and Faculty Access for the Web™ Security ™ NetClassroom™ and Faculty Access for the Web™ Security Contents Are Web Applications Secure? .........1 Technical Overview...........................1 In Conclusion ...................................2 Are Web Applications Secure? Yes, as long as they reside on Web servers configured with security in mind. Even in a school filled with computer-savvy students and faculty, Web applications can be made secure using a combination of hidden URLs, multiple firewalls, SSL, Windows® authentication, and software authentication. If you’re not familiar with some of these concepts, we recommend engaging a reputable technical consultant to assist in implementing a secure Web site for your school. Still not sure what you’re getting into? Just ask Chris Cruz and Matt Montagne of the University School of Milwaukee, who implemented many of these security measures for their Faculty Access for the Web and NetClassroom Web sites. They use SSL, firewalls, blind URLs, and constant monitoring of their Web servers to ensure secure Web solutions for their teachers and students. The school’s faculty is “very happy with the secure access to the system,” and the Web sites have increased grade-entry efficiency and allowed parents a fast, convenient way to check their children’s grades online. Technical Overview This overview succinctly describes a Web site configuration that can protect Faculty Access for the Web, NetClassroom, and any other Web application containing sensitive information. If you place a Web server hosting a Web application in a DMZ (demilitarized zone), it is separated from the outside world and the internal network by two firewalls. This configuration creates a buffer zone between the internal network and the World Wide Web. Internet / Web App Users Firewall #1 Web Server In DMZ Database Server Firewall #2 Firewall #1, separating the Internet and the Web server, only allows traffic on TCP/IP port 80 or 443 to pass, depending on whether or not SSL (Secure Socket Layer) encryption is enabled on the Web server (SSL/HTTPS traffic uses port 443; HTTP traffic uses port 80). When a Web application user types in the address of the Web application (for example, https://www.Websitename. abc/faWeb), the external firewall allows traffic on port 443 to reach the Web server. If there is 1 not a link to this URL anywhere on the Web site, this URL will only be known to the users of Web application, which means that unauthorized users will not be able to access the login page. When users reach the Web application URL on the Web server, the server can then ask them for their network user names and passwords. When users successfully enter their network credentials, only then will they reach the Web application’s login screen where another user name and password must be entered. Once this information is entered successfully, the Web application communicates with the database server on the other side of Firewall #2. This firewall only allows traffic to pass through the port that the database is using, which can be specified by your IT department or database administrator. about Blackbaud Blackbaud is the leading global provider of software and related services designed specifically for nonprofit organizations. More than 12,500 organizations use Blackbaud products and consulting services for fundraising, financial management, business intelligence and school administration. Blackbaud solutions include The Raiser’s Edge , The ® In this scenario, multiple security measures combine to create a secure Web application — two authentication checkpoints, two firewalls, and encrypted SSL communication keep unauthorized users from accessing your network and Web application. In addition, other security measures not unique to Web applications can increase security as well. In regards to the two passwords noted above, you can enhance the passwords’ effectiveness by having users change their passwords every forty-five days and by using Microsoft’s password guidelines. An alternative, but potentially less secure method, is to have one firewall as in the diagram below: Financial Edge™, The Education Edge™, The Information Edge™, The Patron Edge™, WealthPoint and ProspectPoint , as well ™ ™ Internet / Web App Users Firewall #1 Web Server as a wide range of consulting and educational services. Founded in 1981, Blackbaud is headquartered in Charleston, South Carolina, and has operations in Toronto, Ontario; Glasgow, Scotland; and Sydney, Australia. Database Server For more information about Blackbaud solutions, contact a Blackbaud account representative. In the United States and Canada call toll-free 800.443.9441. In Europe call +44 (0) 141 575 0000. Visit us on the web at www.blackbaud.com. In Conclusion The security methods listed in this document can be used to create a secure environment for Faculty Access for the Web™ and NetClassroom™. Even in a school environment, these procedures can keep prying eyes away from confidential information. The University School of Milwaukee is just one of many schools that have employed such measures, and your organization can, too. For more information regarding network and Web site security, refer to the Microsoft® Web site and other sites on the Web; just use Google™ or Yahoo® to search for “network security best practices” or “Web site security,” and you will find a wealth of helpful information. For more information on setup and installation, see Blackbaud’s Administration Guide for Faculty Access for the Web and NetClassroom from your account representative. © October 2004, Blackbaud, Inc. This white paper is for informational purposes only. Blackbaud makes no warranties, expressed or implied, in this summary. The information contained in this document represents the current view of Blackbaud, Inc. on the items discussed as of the date of this publication. Blackbaud provides these guidelines for network security as a convenience for its customers. We do not configure security settings due to the number of variables that are unique to each school. We recommend that a qualified network administrator or consultant implement these security measures. 2