The CERT Guide to System and Network Security Practices

  • Your Price: $31.99
  • List Price: $39.99

Features

  • Copyright 2001
  • Dimensions: 7-3/8x9-1/4
  • Pages: 480
  • Edition: 1st
  • Book
  • ISBN-10: 0-201-73723-X
  • ISBN-13: 978-0-201-73723-3

As the Internet and other information infrastructures have become larger, more complex, and more interdependent, unauthorized intrusions into computer systems and networks have become more frequent and more severe. It is increasingly critical that an organization secure the systems it connects to public networks. The CERT Coordination Center®, the first computer security response group, was established to help systems administrators meet these challenges by publishing advisories and developing key security practices, implementations, and tech tips on a timely basis. The CERT® Guide to System and Network Security Practices makes these practices and implementations available for the first time in book form.

With a practical, stepwise approach, the book shows administrators how to protect systems and networks against malicious and inadvertent compromise. If you are installing, configuring, operating, or maintaining systems or networks--or managing any of those functions--you will find here easy-to-implement guidance to protect your information infrastructure. The practices are platform- and operating-system independent; however, several procedural and tool-based implementations are provided to illustrate the technology-specific guidance that is freely available from the CERT Web site (www.cert.org).

The book is divided into two main parts, the first dealing with hardening and securing your system--preventing problems in the first place. The second part covers intrusion detection and response, recognizing that even the most secure networks and systems cannot protect against every conceivable threat. The practices selected for the book are based on CERT's extensive data on security breaches and vulnerabilities, providing an authoritative view of the most common problems system and network administrators confront.

See how to:

  • Secure general-purpose network servers and user workstations
  • Configure public Web servers to operate securely including the use of authentication and encryption technologies
  • Configure, test, and deploy firewall systems
  • Detect, respond to, and recover from intrusions
  • Implement selected practices on systems running a Solaris 2.x operating system
  • Identify practice-related topics to address in your security policies

By implementing the security practices described in this book, you will be incorporating protection mechanisms for up to 80 percent of the security incidents reported to CERT.


Online Sample Chapter: Detecting Signs of Intrusion

Downloadable Sample Chapters related to this title: allench1.pdf, allench6.pdf

Table of Contents

Preface.

1. The Handbook of System and Network Security Practices.

I. SECURING COMPUTERS.

2. Securing Network Servers and User Workstations.

3. Securing Public Web Servers.

4. Deploying Firewalls.

II. INTRUSION DETECTION AND RESPONSE.

5. Setting Up Intrusion Detection and Response Practices.

6. Detecting Signs of Intrusion.

7. Responding to Intrusions.

Appendix A. Security Implementations.

Appendix B. Practice-Level Policy Considerations.

Index.

Preface

As the Internet and other international and national information infrastructures become larger, more complex, and more interdependent, the frequency and severity of unauthorized intrusions into systems connected to these networks are increasing. Therefore, to the extent possible and practical, it is critical to secure the networked systems of an organization that are connected to public networks.

The CERT® Guide to System and Network Security Practices is a practical, stepwise approach to protecting systems and networks against malicious and inadvertent compromise. The practices are primarily written for mid-level system and network administrators--the people whose day-to-day activities include installation, configuration, operation, and maintenance of systems and networks. The practices offer easy-to-implement guidance that enables administrators to protect and securely operate the systems, networks, hardware, software, and data that make up their information technology infrastructure. Managers of administrators are intended as a secondary audience; many practices cannot be implemented without active management involvement and sponsorship.

CERT security practices address critical and pervasive security problems. Practice topic selection is based on CERT's extensive data on security breaches (21,756 in 2000) and vulnerabilities (774 in 2000), which provide a field of vision not available to other security groups. Our practices fill the gap left by the usual point solutions (typically operating-system-specific) and by general advice that lacks "how to" details. With CERT security practices, an administrator can act now to improve the security of networked systems.

By implementing these security practices, an administrator will incorporate solutions and protection mechanisms for 75-80 percent of the security incidents reported to CERT. Each practice is written as a series of technology-neutral "how to" instructions, so they can be applied to many operating systems and platforms. However, an administrator can only implement a solution on a specific host operating system. Therefore, we have included examples of technology-specific implementation details in a separate appendix, as these tend to become outdated much sooner than the technology-neutral practices.

Throughout the book, emphasis is placed on planning as a precursor to implementing, wherever possible. Ideally, the following risk analysis activities need to occur before deciding what actions to take to improve security:

  • Identify and assign value to information and computing assets
  • Prioritize assets
  • Determine asset vulnerability to threats and the potential for damage
  • Prioritize the impact of threats
  • Select cost-effective safeguards including security measures

In our observation, and as reflected in this book, system and network security is an ongoing, cyclical, iterative process of planning, hardening, preparing, detecting, responding, and improving, requiring diligence on the part of responsible administrators. Configuring and operating systems securely at one point in time does not necessarily mean that these same systems will be secure in the future. No level of security can ensure 100% protection other than disconnecting from public networks, and even then the threat of attack from insiders still exists.

To get the most out of this book, you should already know how to install and administer popular operating systems and applications, and be familiar with fundamental system security concepts such as establishing secure configurations, system and network monitoring, authentication, access control, and integrity checking.

The book is organized into two parts and two appendices:

Part I: Hardening and Securing the System. Preventing security problems in the first place is preferable to dealing with them after the fact. This part of the book covers the practices and policies that should be in place to secure a system's configuration. Guidelines for securing general-purpose network servers and workstations are contained in Chapter 2, followed by chapters containing additional guidance on securing public web servers and deploying firewalls.
Part II: Intrusion Detection and Response. Even the most secure network perimeter and system configurations cannot protect against every conceivable security threat. Administrators must be able to anticipate, detect, respond to, and recover from intrusions, and understand how to improve security by implementing lessons learned from previous attacks. This part of the book covers the practices required to do so.
Appendix A: Security Implementations. This appendix contains examples of several procedural and tool-based implementations that provide technology-specific guidance for one or more practices (the applicable implementations are referenced in the practices they support). The implementations chosen for this book are specifically geared to Sun Solaris (UNIX) operating environments, given CERT's experience. These implementation examples are intended to be illustrative in nature and do not necessarily reflect the most up-to-date operating system versions. The most current versions of over seventy UNIX and Windows NT implementations and tech tips are available on the CERT web site.
Appendix B: Policy Considerations. This appendix collects all of the security policy considerations and guidance presented throughout the book. Having this material in one location may aid you in reviewing and selecting policy topics and generating policy language. You can also treat this appendix, along with the checklists appearing at the end of each chapter, as an overall summary of the entire book.

The most effective way to use this book is as a reference. We do not intend that you read it from cover to cover, but rather that you review the introductory sections of each part and chapter and then refer to those chapters and practices that are of most interest.

The web site addresses (URLs) used in this book are accurate as of the publication date. In addition, we have created a CERT web site that contains all URLs referenced in the book. We plan to keep these URLs up to date, provide book errata, and add new references after book publication. At this book site (http://www.cert.org/security-improvement/practicesbk.html), you will find links to all references, information sources, tools, publications, articles, and reports for which a URL exists and is mentioned in the book. We also regularly refer to CERT advisories, incident notes, vulnerability notes, technical tips, and reports, all of which can be found at the CERT web site, http://www.cert.org. We sometimes use the phrase "the CERT web site" to refer to this URL.

The content in The CERT® Guide to System and Network Security Practices derives from Carnegie Mellon University's Software Engineering Institute (SEI) and CERT Coordination Center. CERT/CC, established in 1988, is the oldest computer security response group in existence. The Center provides technical assistance and advice to sites on the Internet that have experienced a security compromise, and develops tools and techniques that enable typical users and administrators to effectively protect systems from damage caused by intruders. The Software Engineering Institute is a federally funded research and development center with a broad charter to improve the practice of software engineering.

The material that serves as the primary content for this Guide has been posted and updated on the CERT web site over a period of 5 years. It has been reviewed and used by external security experts in commercial, federal government, and university-level academic organizations and by SEI staff members. All materials are periodically reviewed (and tested, where appropriate) for accuracy and currency.


Index

Acceptable use policy
elements of, 72-73
importance of, 72
policy considerations regarding, 404-405
user education in, 73
Access
controlling, 51, 55-58, 115
enforcement of privileges, 31
policy considerations regarding, 58-59
restricting, 146-147
Access controls, 90, 402, 406
levels of, 90-91
policy considerations regarding, 93
software, 92-93
Access log, 94
Accounts
managing, 52
types of, 51
ActiveX, 49
Address-based authentication, 107
adm/lastlog file (Solaris), 337
adm/log/asppp.log (Solaris), 336
adm/messages file (Solaris), 338
adm/sulog file (Solaris), 337
adm/utmp file (Solaris), 337
adm/utmpx file (Solaris), 337
adm/wtmp file (Solaris), 337
adm/wtmpx file (Solaris), 337
Administrator accounts, 51
Advisories, 15
subscription to, 17
Agent log, 95
Alerts, 159-160, 206
configuration of mechanism of, 263, 410
reviewing, 239
Snort, 393-394
types of, 159
Anomalies
disposal of, 264
documentation of, 262
investigation of, 262
policy considerations regarding, 264
response to, 263-264
Anomaly detection, 206
Anti-spoofing rules, 152-153
Anti-virus tools, 65
updating of, 66
Application proxies, 125, 126, 129-130
Architectural trade-off analysis, 136-137
Archiving
of distribution media, 222
of log files, 220
of operating systems, 222
of security-related patches, 222-223
of test results, 224
ARP (address resolution protocol), 242
ARPWATCH, 256
Asset information, protection of, 211
Assets, defined, 13
Attack, defined, 14
Attack signature detection, 205
Auditing, as part of intrusion detection and response, 212
AUSCERT, 16
Authentication, 105
address-based, 107
alternative systems of, 54-55
basic, 108
plan, 30-31
policy considerations regarding, 113, 406
reauthentication, 53
technologies for, 107-110
types of, 30
user, 51-55, 106, 115, 401-402
using hardware-based access controls, 51
Authentication servers, 24
Automatic replication mechanisms, 60
Availability of services, 24, 25
assuring, 136-137

Back doors, 277, 290, 295
Backups, 403
encryption in, 60
importance of, 147, 295
after intrusion, 274, 288
plan for, 59-61
policy considerations regarding, 62
procedures for, 31-32, 223-224
storage of files, 60
tools for, 61
types of, 32
before updating software, 41
utility of, 223
of Web content, 32, 114, 407
Banners
importance of, 36
setting up, 238-239
Basic authentication, 108
features of, 110
Basic border firewall, 132-133
with untrustworthy host, 133
Bibliography, 423-429
Biometric devices, as authentication tool, 30, 54
Boot disks, archiving, 222
Breach. See Intrusion
Buffer overflows, 101
Bugtraq, 16

CERIAS, 17, 181
CERT
publications of, 14-16
statistics on intrusions, xix, xx
CERT/CC, 17
Certificate authorities (CAs), 108
CGI (Common Gateway Interface) scripts, 85-86
security issues in, 97-98
CGI-BIN directory, 103
Chain of custody, 284
Character input, standardizing, 101-102
Characterization
components of, 207-209
development and maintenance of, 211-212
iterative nature of, 206
policy considerations regarding, 211, 414
of systems, 198-199
trust assumptions for, 207
updating, 263-264
CIAC, 17
CLF (Common Log Format), 95
COAST, 181
Cold backups, 32
Combined Log Format, 95-96
Common Vulnerabilities and Exposures, 17
Communication
information dissemination procedures, 279
after intrusion, 278-279, 297, 418-419
with other affected sites, 280-281
policy considerations regarding, 281-282
security of, 225-226, 280
Computer crime
incidence of, 1
perpetrators of, 2-3
Computer deployment plan, 28-36
policy considerations regarding, 35-36
security issues addressed in, 399-400
updating of, 35
Computer Incident Advisory Capability, 17
Computer security
checklist for, 74-78
and computer deployment plan, 28-36
configuration and, 27
importance of, 2-4
information sources regarding, 14-18
maintenance of, 27
and physical access, 70-71, 404
planning for, 27
policy considerations regarding, 35-36, 71
and servers, 36-39
table of practices for, 27
user awareness of, 27
Computer Security Institute, 17
Computers
configuration of, 21
identifying purpose of, 28
location of, 71
network connection of, 34
physical access to, 70-71
securing of, 19-20, 26-27
Confidentiality, 23
Configuration
files, 291
integrity of files, 348
for local hosts, 345-346
for log files, 345
for loghost, 346-347
for logsurfer, 353-354
testing, 347-348
Connection time-outs, 91
Connectivity
new, 172
replacement, 172
Containment
aspects of, 285
and backup systems, 288
decisionmaking regarding, 285-286
monitoring, 288
objectives of, 286
policy considerations regarding, 288-289, 420
quarantine procedures, 287-288
system shutdown, 286-287
crack, 53
Credit card information, security of, 112
cron/log file (Solaris), 340
Cryptographic checksumming, 46, 48, 63
advantages of, 59
in secure remote administration, 69
CSI, 17
CSIRT (computer security incident response team), 192
CVE, 17

Daemon dialers, 210
Data collection
identifying data for, 204-206
iterative nature of, 206
management of, 216-221, 414
policy considerations regarding, 221
prioritization of, 200
protection of, 220
table of practices for, 201-204
updating configurations, 264
Data storage, locations for, 343-347
Data traces, storage of, 262
Database services, 86
Databases
difficulty of monitoring of, 254
restoration of, 295
Default gateway, changing, 175
Denial-of-service (DoS) attacks, 3, 91
effects on log files, 348
mitigating the effects of, 91-92
types of, 348
DFNCERT, 17
DHCP (Dynamic Host Configuration Protocol), 173, 174
DHCP/BOOTP (dynamic host configuration protocol/boot protocol), 242
Digest authentication, 113
Digital watermarking, 113-114
Digital signatures, 109, 113
Directories
characterization of, 208-209
policy considerations regarding, 254
protection of, 93
unexpected changes in, 251-252, 253-254, 416
verification of, 252
Directory services, 86
Distribution media
archiving, 222
DMZ network, 133-134
DNS (Domain Name Service), 318
DNS spoofing, 107
Documentation of unusual behavior, 262
Drivers, device, 42
Dual firewall, 134-135
Dynamic packet filtering, 130-131
Dynamic rules, in logsurfer, 356-357

E-mail services, 85
ELF (Extended Log Format), 95-96
Encryption, 54, 105
of backup files, 60
of files, 58
importance of, 106
of log files, 220
policy considerations regarding, 113, 406
technologies for, 107-110
Error log, 95
analysis of, 97
Escape characters, 101
Ethernet, 34
Evidence
chain of custody of, 284
protection of, 195-196, 235, 283-284
External programs. See Plug-ins, Scripts

File directory listings, protecting, 93
File systems
characterization of, 208-209
compromised, 287
encryption of, 58
policy considerations regarding, 254
unexpected changes in, 251-252, 253-254, 416-417
verification of, 252
Filtering, as part of intrusion detection and response, 212
Firewall systems
architecture of, 124-125
checklist for, 178-181
designing, 124-127, 407
documenting environment for, 127
enabling private traffic in, 174-178
evolution of, 131-132
implementation of, 173-177
inside and outside, 149-150
installation of, 171-172, 408, 411
policy considerations regarding, 138, 178
preparing for use, 170-171
testing of, 160-171, 410-411
transition to, 173-174, 411
Firewalls, 83-84
architectural considerations of, 136-137
defined, 121
deployment of, 123
dual, 134-135
functions of, 127-132
hardware requirements for, 139-140
improvement after intrusion, 292
indications for use of, 138
installing and configuring, 144-147
logging and alert mechanisms, 410
need for, 122-123
ongoing monitoring of, 171
online resources regarding, 181
operating system for, 145-146
policy considerations regarding, 147
procurement for, 141-142
security of, 138
site of application of, 124
software requirements for, 140
table of practices for, 123
testing components for, 141
topology of, 132-135
training for use of, 142-254
vendor support for, 143-144
FIRST (Forum of Incident Response and Security Teams), 17, 224-225
FTP (File Transfer Protocol), 29
disabling of, 45

German Computer Emergency Response Team, 17
Group identities, establishing, 90
Guest accounts, 51

Handshake protocol, 108

Hardening, 9-10
Hardware
auditing of, 255
for firewall, 139-140
inventorying, 210-211
policy considerations regarding, 256
security of offline, 35
unauthorized, 70, 255-256, 417
Host machine, 42, 400
configuration files for, 345-346
cryptographic checksumming of, 46
functions of, 43-44
limiting access to, 44
and network security, 43
policy considerations regarding, 46
remote services, 45
software for, 45-46
Hot backups, 32
HTTP (HyperText Transfer Protocol), 29

ICMP (Internet Control Message Protocol), 84, 153-154
ICSA, 17
IETF, 17
Implementations, 16
Improvement actions, 12
Incident, defined, 14
Incident notes, 16
Incident report
components of, 260
evaluation of, 260
investigation of, 260-261
policy considerations regarding, 261
sources of, 258-259
triage of, 259
Information dissemination, 279
policy considerations regarding, 281-282
Information security policy
characteristics of, 398
topics covered by, 399
Information security risk analysis and assessment, defined, 13-14
Inside firewall systems, 149-150
Inspecting, as part of intrusion detection and response, 212
Installation
of firewall, 144-147
of firewall system, 171-172
of operating system, 32-33
of software, 145-146
Integrity checking, 42
of configuration files, 348
as part of intrusion detection and response, 212
using Tripwire, 312-313
Integrity of information, 24, 25
Internet, threats from, 412
Internet Engineering Task Force (IETF), 17
Intrusion
CERT statistics on, xix, xx
communication after, 278-279
consequences of, 232, 278
containment of, 285-289
curtailment of, 286, 420-421
damage assessment, 277
dangers of, 271
defense against, 289-293
defined, 14
via hardware, 255-256
identification of, 276-277
investigation of, 260-261
lessons of, 296-298
plan for dealing with, 65-66
preventing recurrence after, 285-298, 421
reviewing reports of, 258-261, 417-418
sniffers, 248-249
sources from network, 241-242
sources within system, 246-248
unauthorized access to physical resources, 257-258
Intrusion detection, 11-12, 163, 186
action after, 261-264
analysis approaches to, 205-206
approach to, 187-188
checklist for, 265-268
data collection for, 198-204
documentation of procedures for, 192-194
improvement of, 292-293
keeping current, 197-198
logging and, 157
monitoring in, 189, 415-416
need for, 186-187, 232
policies and procedures for, 188-198, 411-414
real-time, 205
roles and responsibilities for, 195
scale of, 233
security of software used for, 234-237
strategies for, 31
table of practices for, 188, 233-234
threat assessment, 190-191
tools for, 212-216
user training for, 196-197
Intrusion response
approach to, 187-188, 271-272
authority for, 191-192, 413
checklist for, 228-230, 298-301
collecting and protecting information during, 282-285, 419-420
communication in, 225-226, 278-282, 418-419
contact information for, 224-225
containment, 285-289, 420
documentation of, 283
documentation of procedures for, 194-195
elimination of intruder access, 289-293, 420-421
information needed for, 273-274, 418
initiation of, 263
law enforcement and, 284-285
legal review of procedures, 195-196
logs and, 275-276
need for, 186-187, 271
policies and procedures for, 188-198, 411-414
policy considerations regarding, 227, 278, 285, 293
postmortem review of, 297-298
resource kit for, 226
resources for, 192, 414
roles and responsibilities for, 195
sequence of actions for, 191, 413
system quarantine, 275
table of practices for, 188, 270
test systems for, 226
tools for, 221-227, 415
user training for, 196-197
IP forwarding, disabling, 86
IP routing
addresses for, 148
configuration for, 148-150, 408
policy considerations regarding, 149
IP spoofing, 45, 86
IPSEC, 34
Isolated subnets
policy considerations regarding, 88-89, 405
server on, 83
supporting services on, 85-86

Java, 49

Kerberos, 54
Keys, 70
as authentication tool, 30

l0phtCrack, 53
LANs (local area networks), 34
LDAP (Lightweight Directory Access Protocol), 86
Legal considerations
chain of custody, 284
protection of evidence, 195-196, 235, 283-284
log/sysidconfig.log (Solaris), 339
Log files
analysis of, 97
archive and backup of, 220
configuration of, 345
difficulty of monitoring of, 254
disk space required by, 348-349
encryption and disposal of, 220
examination after intrusion, 275-276
format of, 95-96
management of, 219
permissions of, 344
protection of, 217-218, 342-343, 345
remote access to, 69
rotation of, 219, 345, 365
Snort, 394-395
storage locations of, 344
types of, 94-96
under Solaris, 336-341
Log messages, 343-344
analyzing, 349-366
identification of, 349
in logsurfer, 355-356, 357-358
logger(1), 347, 349
Logging
configuration of, 157, 264, 410
designing environment for, 158
enabling, 96-97, 217
information for, 94-96
for intrusion detection, 198-200, 204-205
management of, 216-221, 414
options for, 158-159
policy considerations regarding, 160, 221
reasons for, 157
support tools for, 160
testing of, 169-170
user notification of, 238-239
Loghost
configuration file for, 346-347
hostname for, 345
Login, 54
logsurfer, 304
actions in, 355
compared to swatch, 350
configuring, 352
configuration file structure of, 353-354
contexts in, 355-356
downloading and verifying, 351
effort estimates for installation of, 350
e-mail addresses used by, 362-363
initial configuration of, 358
installation of, 351-352
limitations of, 353
log message handling in, 357-358
prerequisites for, 350
quotes in, 354
restarting after rotation of log files, 365
rules syntax in, 356-357
sample rules for, 358-362
setup of, 362-366
startup file for, 363-365
Tripwire configuration for, 365-366
user IDs in, 362
Love Letter Worm, 3

Malicious code, 102
Mark messages, 347
MD5 algorithm, 113
Meta characters, 101
Model configuration
case-by-case changes to, 63
checksumming for, 63
creation and testing of, 62
replication of, 63
Modems
documentation of, 34
network connection with, 34
unauthorized, 255
Monitoring
of data streams, 189, 205-206
of firewall, 171
after intrusion, 288
in intrusion detection and response, 212
of network activities, 237-243, 415-416
policy considerations regarding, 242-243
of process activity, 246-247
of system activities, 243-251, 416
of user behavior, 247-248
Multiple-layer architecture, 124-125, 126, 167

Network clients
functions of, 48-49
security issues with, 49-50
policy considerations regarding, 50
software updates for, 50
Network error reports, 239-240
Network interface, 34
promiscuous vs. nonpromiscuous, 249
Network mapping and scanning, 250
Network performance
reviewing, 240
Network services
clients for, 401
identifying, 29
software for, 29
Network Time Protocol (NTP), 126, 219
Network traffic
characterization of, 207
monitoring and inspection of, 163, 237-243, 415-416
reviewing of, 241-242
Network traffic generators, 163
Network traffic logs, 256
Nonpromiscuous mode, 249
Notification, as part of intrusion detection and response, 206, 212
npasswd, 53

One-time passwords, 54
Operating system
archiving of, 222
installation of, 32-33
object, device, and file access controls for, 56-59, 402
requirements for using firewalls, 145-146
restoration of, 223, 290
updating of, 39-41, 400
OSPF (Open Shortest Path First), 173, 174
Outside firewall systems, 149

Packet filtering, 125, 126, 127-128
configuration of, 150
dynamic, 131
policy considerations regarding, 408-410
Packet filtering rules, 150-151
design of, 151-154
documentation of, 154-155
installation of, 155
logging options for, 158-159
policy considerations in, 155-157
Packet forwarding, disabling of, 147
Password security, 204
Passwords, 30
one-time, 54
policies regarding, 52-53, 55
security of, 290
writing policy regarding, 402
Patches
archiving of, 222-223
authentication of, 40
vulnerability, 251
PGP (Pretty Good Privacy), 211
described, 113
Physical resources
audit of, 258
tampering of, 258
policy considerations regarding, 258
unauthorized access to, 257-258, 417
Plug-ins
security issues with, 98
use with Web server, 100-105
Port 53, 84
Port 80, 84
Port 443, 84
Portscanners, 163
Preparation, 10-11
Privileges
documentation of, 30
enforcement of, 31
Probing, as part of intrusion detection and response, 212
Process accounting, 369
Process activity, monitoring, 246-247
Processes, characterization of, 208
Production environment, 168
testing in, 166-169
Promiscuous mode, 249
Protocol violations, 241
Proxy servers, 129-130, 131
Public key cryptography, 108
Public servers, 24

Quotes, use in logsurfer, 354

R-commands, 33
Reauthentication, 53
Reconnaissance, detection of, 241
Record protocol, 108
Recovery
procedures for, 31-32
strategy for, 162
testing of, 61
Redundancy, importance of, 136, 191, 412
Referrer log, 95
Regression-testing, 170
Reinstallation
of system, 290
tools for, 223
Reliability, importance of, 136
Remnant files, 227, 280
Remote administration, 67
authentication and credentialing of administrators, 67-68
cryptographic checksums in, 69
log files and, 69
policy considerations regarding, 69, 403-404
security of confidential information, 68
transferring information for, 68-69
Remote services, insecurity of, 45
Responding, 12
Restoration
of application files, 291
of availability of services, 295
of operating system, 290
policy considerations regarding, 296
of system to normal operation, 293-296
of user data, 295-296
Restricted information
access requirements for, 106
encryption of, 58
protection of, 92
RIP (Routing Information Protocol), 173, 174
Risk analysis and assessment, defined, 13-14
Rootkit tool set, 235
Routers, 127-128
Routing table, updating, 176-177

SANS Institute, 17
Scanning, as part of intrusion detection and response, 212
Script
defined, 98
use with Web server, 100-105
Securing Web servers
authentication and encryption, 105-114, 115-116
backup of site content, 32, 114, 407
checklist for, 117-120
cost-benefit tradeoffs in, 98
importance of, 79, 81-82
isolation, 83-89, 405
logging, 94-97
object, device, and file access controls, 89-94, 406
protection levels, 90-91
restricting information access, 92
restricting user access, 114
software access controls, 92-93
table of practices for, 82
Security, 137, 138
of communication, 225-226
day-to-day administration and, 34-35
login issues, 54
password, 204
sites for fixes and patches, 17
Security Focus, 16
Security policies, 5-6
adoption of, 7
enforcement of, 6
Security Portal, 17
Sensitive information
access requirements for, 106
encryption of, 58
protection of, 92
Separation of duties, 43, 68
Servers
applications of, 21
backup procedures for, 60
functionality requirements, 36, 37-38
host machine of, 42-46, 400
importance of security of, 21-23, 400
operating costs of, 38-39
policy considerations regarding selection of, 39
product features of, 38
security requirements, 37
selection of, 400
up-to-date software on, 41-42
vulnerability of, 25
Web, 79-120, 405
Service-level agreement, 144
Servlets, defined, 98
SET (Secure Electronic Transaction), 105
benefits of, 112
capabilities of, 109
features of, 110
use of, 110
S/HTTP (Secure Hypertext Transport Protocol), 105
features of, 109, 110
Single-layer architecture, 124, 125, 166
Smart hubs, 88
SMTP (Simple Mail Transfer Protocol), 85
Sniffers, 248-249
SSH to combat, 318-319
Snort, 305
alerts in, 393-395
building of, 388
described, 386
downloading and verification of, 387-388
effort estimates for installation of, 386
installation of, 389
integration with other tools, 395
log file directory of, 389
prerequisites for, 387
rules in, 390
sample rules for, 390-391, 392-393
testing correct operation of, 389
testing of, 389
Tripwire configuration of, 396
writing of rules for, 391-392
Software
drivers, 42
for firewall, 140
functionality of, 99
installation of, 145-146
integrity checking of, 105
patches for, 146
policy considerations regarding, 100, 105
problems with, 101-102
regulating access on Web server, 103-104, 406
scanning of, 101
security of, 234-237
security implications of, 97-100, 406
sources of, 99
sterile technique for, 236-237, 415
testing of, 101
updating of, 39-41
use with Web server, 100-105
Solaris servers, special procedures regarding, 33
Source routing, disabling, 86
spar, 304
automated use of, 371
building of, 368
configuration of, 369
described, 366
downloading and verification of, 367
effort estimates for installation of, 366
installation of, 368-369
integration with other tools, 371
prerequisites for, 366-367
testing correct operation of, 368
testing of, 369
Tripwire configuration for, 371-372
use of, 370-371
SQL (Structured Query Language), 86
SSH (secure shell), 304
building of, 321-322
configuration of, 326-330
configuration settings for, 321-322
downloading of, 320
effort estimates for installation of, 319
host keys for, 323-324
information resources about, 335
installation of, 322-325
password authentication for, 333
prerequisites for, 319-320
sshd daemon for, 324-325, 325-326
Tripwire configuration for, 334-335
unpacking of, 321
user access to remote hosts, 332-333, 334
user accounts for, 330-333
user keys for, 330-332
uses of, 318-319
verification of download, 320-321
ssh_config file, 327
options for, 327-329
sshd daemon
starting, 324, 325
stopping, 325, 326
using telnet to connect to, 326
sshd_config file, 327
options for, 329-330
SSL (Secure Socket Layer), 105
certification and, 111-112
composition of, 108
future of, 109
supporting use of, 111-112
Stateful inspection, 130
Strings, 354
Summaries, 16
swatch, 349, 358
compared to logsurfer, 350
syslog files (Solaris), 339
syslogd
actions associated with, 342
caveats regarding, 349
facilities of, 341
function of, 341
priorities of, 342
and UDP network service, 348
System administrators, 4-5
accounts for, 51
System behavior, characterization of, 207
System configuration files, 291
System error reports, 245
System files, write protection of, 237
System hardware, inventory of, 210-211
System information, recording of, 274
System monitoring, 243
baseline values for, 244
error reports and, 245
performance statistics and, 245
policy considerations regarding, 250-251, 416
system alerts and, 244-245
user notification for, 244
System performance
characterization of, 207-208
maximizing, 138
reviewing statistics of, 245

Tampering, detection of, 257
TCP connections, 84
security concerns regarding, 45
tcpdump, 304-305
building of, 374
configuration of, 375
described, 372
downloading and verification of, 373
effort estimates for installation of, 372
examples of use of, 383-384, 384-385
installation of, 375
integration with other tools, 385
options in, 376-387
prerequisites for, 373
primitives in, 379-383
qualifiers in, 379
recommended use of, 376-383
testing correct operation of, 374-375
testing of, 375
Tripwire configuration of, 385
use of, 376-385
Tech tips, 16
Testing of firewall
aspects of, 161
of log files, 169-170
monitoring and, 171
planning for, 161-162
policy considerations regarding, 171
in production environment, 166-169
regression, 170
steps in, 160
in test environment, 164-165
tools for, 163-164
vulnerability scanning, 170
Threat, defined, 13
Time stamps, 347
Tokens, as authentication tool, 30, 54
Transaction auditing, 254
Transfer log, 94
analysis of, 97
Transparent proxies, 131
Trespassing, detection of, 257
Triage, 259
Tripwire, 41, 208-209, 304
configuration files of, 310
contents of database, 305
described, 305-306
downloading and verification of, 306, 307
effort estimates for installation of, 306
generation of database, 311-312
history of, 317-318
installation of, 308, 310
integrity checking using, 312-313
for Linux, 318
open source versions of, 318
paths for files, 309
preparation for, 311
prerequisites for, 307
sample reports of, 313-318
system settings of, 308
testing of, 310-311
unpacking of, 308
verbose mode of, 313
Trojan horses, 274, 277, 287, 290
coping with, 64-65
defined, 64
TruSecure, 17

UDP (User Datagram Protocol), 84, 135
security concerns regarding, 45
and syslogd, 348
Updates
archiving of, 41-42
automated, 41
evaluation of, 40
importance of, 39
installation of, 40
of network service software, 50
policy considerations regarding, 42
problems caused by, 40-41
USENIX Advanced Computing Systems Association, 17
Users
authentication of, 51-55, 106, 115, 401-402
characterization of, 208
education of, 52, 65-66, 106, 398
fostering trust with, 107
identification of, 29-30, 90
identity of, 24
monitoring of, 247-248
notification of monitoring, 174
privileges of, 30
restrictions on, 114
/usr/adm link (Solaris), 336

/var/adm directory (Solaris), 336
/var/cron directory (Solaris), 340
/var/log directory (Solaris), 338
/var system directory (Solaris), 336
Viruses, 64, 287
modus operandi of, 235
policies regarding, 403
tools to prevent/cure, 65, 66
user education about, 65-66
VPN (virtual private network), 88
Vulnerabilities
correcting, 292
identifying, 100
Vulnerability detection, 163, 170
for systems, 250
Vulnerability notes, 16

Warm backups, 32
Watermarking, digital, 113-114
Web content
storage on secure host, 32, 114, 407
policy considerations regarding, 116
transfer of, 116
Web servers, 24
alternative architectures for, 88
compromised, 79, 81
configuration of, 84-85, 87
external software on, 103-105
improper operation of, 81
information stored on, 89
isolation of, 83-89, 405
securing of, 79-120
server side include functionality of, 103
use rules for, 90-91
user and group identities for, 90
Whois, 225
Workstations, 400
acceptable use policy for, 72-73, 404-405
backup procedures for, 60
cryptographic checksumming of, 48
functions of, 46, 47-48
importance of security of, 25
on network, 46-47
policy considerations regarding, 48, 66
software on, 48
