In this book you'll learn all the fundamental techniques and technologies needed to develop a secure connection to the Internet. Before selecting a firewall, VPN, or intrusion detection system, you must define exactly what your information assets are, who needs to get to them, and what the external and internal threats to those assets are. Internet Site Security walks you through the process of assessing your Internet environment and developing the procedural and technical policies required to protect your critical information and network resources.
After helping you develop an information security program, this book details the technologies required to implement network and server security measures. You will learn about the real-world details (and "gotchas") of firewalls, virtual private networks, authentication, and intrusion detection. You'll then put the pieces together using several architectures suitable for the enterprise and for small business networks. Finally, the book examines the common mistakes that custom Internet application developers often make and provides solutions that all software developers should know to ensure that their code can weather the harsh environment of the Internet.
In Internet Site Security you will
1. Core Concepts: Risks, Threats, and Vulnerabilities.
Defining Your Assets.
Proprietary Information and Intellectual Property.
Company Reputation or Image.
The Motivation for Security.
What Constitutes Security?
The Security Process.
Assessment and Policy.
Operational Policies and Procedures Development.
Implementing the Security Policy.
Monitoring and Detection.
Log File Review.
Response and Recovery.
Understanding and Connecting to the Internet.
Internet Service Providers.
What Does an ISP Provide?
Security Implications of Choosing an ISP.
Overview of TCP/IP.
The Domain Name Service.
Management of the Internet.
Domain Name Registries.
What Makes the Internet (In)Secure?
Inherent Insecurity of the Technology.
Lack of Authentication.
Lack of Privacy.
Lack of Centralized Security Management and Logging.
Day-to-Day Security Is Hard!
Why Is the Internet Attractive to Businesses?
Media and Data Delivery.
Introduction: The Importance of Knowing the Details.
A Brief History of Networking and Protocols.
The Commercialization of the Internet.
The OSI Model and Relevance to TCP/IP.
Data-Link Layers: Moving Data Across a Single Link.
Network Layers: Moving Data Across a Series of Links with IP.
The Domain Name System (DNS).
Revisiting the Data Link Layer: Ethernet and IP.
Configuring a Host to Work on an IP Network.
Transport Layers: Moving Data Reliably with TCP (and Not So Reliably with UDP).
Multiplexing with UDP.
Adding Reliability with TCP.
Controlling TCP Connections.
Common Well-Known Ports.
Common Application-Layer Protocols.
Common Internet Applications.
UNIX Remote Procedure Calls.
Microsoft Networking Protocols and TCP/IP.
A Brief History of IBM and Microsoft Networks.
NetBIOS over TCP (NBT).
SMB and File Sharing.
The Network Neighborhood and the Browser Protocol.
Microsoft Remote Procedure Calls.
General Configuration Tips for Home Networks.
Summary of Microsoft Networking Protocols.
A Brief Overview of Other Networking Protocols.
Implementing Secure Protocols.
Virtual Private Network Protocols and Encapsulation.
Point-to-Point Tunneling Protocol (PPTP).
Layer 2 Forwarding.
Layer 2 Tunneling Protocol (L2TP).
Secure Socket Layer (SSL).
Wired Equivalent Privacy (WEP).
Secure Shell (SSH).
SSH Server Authentication.
Tunneling with SSH.
Bringing It All Together.
The Enterprise Network.
A Typical Enterprise Network.
Securing External Links.
Internal Links and Threats.
Small Office/Home Office (SOHO).
Outsourced Web Hosting.
Content Delivery Sites.
Windows NT and 2000 Security Concepts.
Authentication, Access Tokens, and Security Identifiers.
Object Access Control Lists.
Remote Procedure Calls (RPC) and the Component Object Model (COM).
Security Mechanisms for RPC/COM.
Tightening Windows User Rights.
Auditing Security Events.
Linux Security Concepts.
Overview of the Linux Kernel.
Overview of Linux User Space.
Linux File System Permissions.
Linux Authentication Mechanisms.
How PAM Works.
The Structure of /etc/pam.conf.
UNIX Network Services and How to Secure Them.
Remote Access/File Transfers.
Graphical User Interfaces.
Application Software Security.
Starting with a Secure OS.
Web Server Security.
Mail Server Security.
Name Server Security.
One Shot, One Kill DoS Attacks.
System Resource-Exhaustion DoS Attacks.
Distributed Denial-of-Service Attacks.
Gathering Network Information.
Network Probes and Detection-Evasion Techniques.
Network Routing Information.
Gathering Information About Individual Systems.
Vulnerability Determination and Choosing Targets.
Compromising a System.
Using Targeted Viruses and Trojans.
Extending the Reach.
Sniffing the Wire.
Exploiting Trust Relationships.
What Is a Firewall Supposed to Do?
Firewall Ancillary Functions.
The Basic Firewall Types.
Application Proxy Firewalls.
Secondary Firewall Features.
Utilization with VLANs.
DoS Prevention Features.
Implementation Issues and Tips.
Complex Rule Sets.
Logging, Monitoring, and Auditing.
What Is IDS?
How Internet Sites Utilize IDS.
The Different Types of IDS.
NetBIOS over TCP/IP (NBT).
Other Networking Protocols.
Ethernet and Other Data-LinkLayer Headers.
Volume, Volume, Volume.
IP Fragmentation and TCP Segmenting.
Evasion via Application-Layer Encoding.
Other IDS Avoidance Techniques.
DoSÕing an IDS.
Practical IDS Implementation Issues.
Tuning Your IDS Sensors.
Incident Response and Recovery.
Severity of IDS Events.
Tier 1 Response.
Responding to Real Incidents.
Hacking Back: Just Say No!
Do It Yourself or Outsource?
What Constitutes Incident Response?
Preparing for an Incident.
Maintaining Log Files.
Maintaining User Accounts.
Real-Time Incident Response.
Organizational Roles and Responsibilities.
What Constitutes an Electronic Crime?
Admissibility of Digital Evidence.
Chain of Custody and Documentation.
Importance of Licensed Software.
Liability and Right to Privacy Issues.
Securing the Crime Scene.
Shutting Down Equipment.
Copying Hard Drives and Floppies.
Searching Hard Drives.
Conducting a System Audit.
Tracking the Intruder.
Web Site Hack.
The Unstable IT Employee.
Employee Misuse of Company Resources.
A Few Words on Anonymous Postings.
Working with Law Enforcement.
Common Sources of Programming Mistakes.
Danger of Metacharacters.
Working Safely with Metacharacters.
Exploiting Executable Code.
An Example: String Functions in C.
How Buffer Overflows Are Utilized by Hackers.
Format String Bugs.
A Final Word on Executable Code Exploits.
Source IP Addresses.
Effective Session Management.
Replay Attacks and Session Security.
Credential Checks Within the Application.
Example: Access Control for a Trouble-Ticketing System.
Coding Standards and Code Reviews.
Before September 11, we probably would have started out this introduction talking about how nothing has made more of an impact in recent years than the growth of the Internet. In light of the events of that day, though, such a statement seems both ludicrous and disrespectful. What we can do is point out that networks of all kinds have always been media of change and instruments of progress, good or bad.
Networks don't have to be created from routers and cable. Networks can weld together individuals of similar purpose and allow them to pool their efforts to accomplish an end. Such ends, unfortunately, are not always principled. Every day we read and hear about terrorist networks and webs of terror. The newspapers report about organized crime networks and law enforcement's efforts to break them. Unfriendly governments run networks of spies and saboteurs. Such images cast the network as an instrument of malevolence, an infrastructure for evil. But networks are not always used to promote discord. There are networks of giving that collect funds for the needy. There are networks of caring that concern themselves with the welfare of the sick. In the business world, people network to improve their company's growth opportunities, while others network to find a mate.
The Internet, like any network, provides the same opportunities to individuals who would use it for the common good as it does to those who would abuse it. The intent of this book is to provide security professionals with a guide to the real-world implications of security, to allow them to build their networks and systems in ways that least expose them to risk. Many security books take an encyclopedic approach to security, dutifully going through the details of every protocol and operating system configuration parameter. Although this book does cover the technical details of many operating systems, networking components, applications, and protocols, and although the intended reader of this book is an in-the-trenches practitioner, you will not find it filled with the usual collection of dry explanations and theoretical vulnerabilities. Our intent in creating this book was to encapsulate the experiences that we have garnered during years of system development, cryptographic design, secure networking, and security consulting for scores of large and small clients in a book that takes the reader from security policy to security reality. To that end, you will find that we have included many examples of how security principles have been applied in real networks by real companies. You'll also see a few examples of what can happen when sound security principles are not followed.
Most books make the choice of either talking to an audience at the policy and principle level or neglecting these aspects of security and delving immediately into the technical details of such components as firewalls, operating systems, and applications. We believe that it is an injustice to talk about security without talking about the process of security as well. Like it or not, for security to be effective, the steps that an administrator takes to lock down a network have to be an extension of an overarching security policy. Security practitioners who do nothing but implement point solutions such as firewalls and VPNs without thinking about how they fit into an overall program and policy are doing themselves, their employers, and their budgets a disservice. A company that does not protect its critical assets, whether they are information, business processes, or services, will not be in business for long.
To protect an asset, you need to first identify it. To protect it adequately, you need to determine what threatens it. To protect it in an efficient manner, you need to weigh the cost and effort to protect it against its value. All of these factors come together in the development of a security policy and program. In the end, the IT department still gets to deploy its firewalls andintrusion-detection systems, but only through a thoughtful process can these systems be selected and put in place in ways that offer the best protection to the most critical assets. This mode of thinking has led us to include two chapters that deal exclusively with risk and policy. These are not the usual dry calls to develop a security policy by picking the appropriate statements from a book of templates. We believe that a meaningful policy must be developed to protect the specific aspects of the organization and that the security practitioner can and should be a valuable contributor in putting together a policy that works.
After all this talk about policy, we really need to speak to what the bulk of this book is about, and that's down-and-dirty security. In each chapter, we have attempted to cover aspects of security that build upon each other and ultimately lead to the creation of a "secure" infrastructure. We have taken great efforts to make certain that we talk not just about "ivory tower" security, but that we bring that discussion down to the real-world implementation level as well. For example, many technologists talk about how digital certificates are the silver bullet that can provide a ubiquitous basis for authenticating users on the Internet. They forget to tell you that of the 500 million users who are estimated to be citizens of the Net, about 99.99% of them still rely on a username and password to log on to their systems. Knowing about PKI is good, but knowing how to utilize the username/password in an effective and secure manner is practical.
The same holds true in discussions of system vulnerabilities. The classic man-in-the-middle attack, in which a nefarious character intercepts the communications between two network entities and then masquerades as one of the entities, is interesting from a technical standpoint but hardly ever possible from a practical standpoint. This doesn't mean that such an attack can't happen--it just means that, in our experience, it hardly ever does. The security practitioner will utilize his time better by keeping Web servers patched to prevent a 13-year-old hacker from crashing them than by implementing encryption among all the servers to block man-in-the-middle attacks. That's just reality, and that's what we think is one of the main differentiators of this book--and a good reason for you to read it.
In the end, security requires constant learning and adaptation, much like life itself. This book presents a philosophy of security, an explanation of the techniques and processes used to engineer and maintain a secure network, and examples of how others have used these principles to protect themselves without closing the door on productivity and utility. It is our sincere desire that this book will help to raise the general level of security awareness as well as arm security practitioners with the specific knowledge that they require to go about, as Elvis used to say, taking care of business.