
The CERT Guide to System and Network Security Practices



  • Sorry, this book is no longer in print.




  • Copyright 2001
  • Dimensions: 7-3/8" x 9-1/4"
  • Pages: 480
  • Edition: 1st
  • Book
  • ISBN-10: 0-201-73723-X
  • ISBN-13: 978-0-201-73723-3

Now, the world's leading information security response organization has written the ultimate guide to system and network security for working administrators. SEI's Computer Emergency Response Team (CERT) offers a practical, start-to-finish approach to developing secure networks, covering every stage of the process: planning, implementation, maintenance, intrusion detection, response, recovery, and beyond. Reflecting CERT's role as the world's #1 computer security response team, this book presents up-to-the-minute information on new attacks, viruses, and other IT security threats. Coverage includes: establishing effective security practices and policies, deploying firewalls, securing network servers and public web servers, securing desktop workstations, intrusion detection, response, and recovery. This book not only shows how to enhance computer security today; it shows how to learn from experience to build even more secure systems tomorrow. For all system and network professionals, and other IT professionals concerned with security.

Sample Content

Online Sample Chapter

Detecting Signs of Intrusion



Table of Contents

1. The Handbook of System and Network Security Practices.

Part I. Hardening and Securing the System.
2. Securing Network Servers and User Workstations.
3. Securing Public Web Servers.
4. Deploying Firewalls.

Part II. Intrusion Detection and Response.
5. Setting Up Intrusion Detection and Response Practices.
6. Detecting Signs of Intrusion.
7. Responding to Intrusions.
Appendix A. Security Implementations.
Appendix B. Practice-Level Policy Considerations.


As the Internet and other international and national information infrastructures become larger, more complex, and more interdependent, the frequency and severity of unauthorized intrusions into systems connected to these networks are increasing. Therefore, to the extent possible and practical, it is critical to secure the networked systems of an organization that are connected to public networks.

The CERT® Guide to System and Network Security Practices is a practical, stepwise approach to protecting systems and networks against malicious and inadvertent compromise. The practices are primarily written for mid-level system and network administrators--the people whose day-to-day activities include installation, configuration, operation, and maintenance of systems and networks. The practices offer easy-to-implement guidance that enables administrators to protect and securely operate the systems, networks, hardware, software, and data that comprise their information technology infrastructure. Managers of administrators are intended as a secondary audience; many practices cannot be implemented without active management involvement and sponsorship.

CERT security practices address critical and pervasive security problems. Practice topic selection is based on CERT's extensive data on security breaches (21,756 in 2000) and vulnerabilities (774 in 2000), which provide a field of vision not available to other security groups. Our practices fill the gap left by the usual point solutions (typically operating-system-specific) or general advice that lacks "how to" details. With CERT security practices, an administrator can act now to improve the security of networked systems.

By implementing these security practices, an administrator will incorporate solutions and protection mechanisms for 75-80 percent of the security incidents reported to CERT. Each practice is written as a series of technology-neutral "how to" instructions, so that the practices can be applied to many operating systems and platforms. However, an administrator can only implement a solution using a specific host operating system. Therefore, we have included examples of technology-specific implementation details in a separate appendix, as these tend to become outdated much sooner than the technology-neutral practices.

Throughout the book, emphasis is placed on planning as a precursor to implementing, wherever possible. Ideally, the following risk analysis activities need to occur before deciding what actions to take to improve security:

  • Identify and assign value to information and computing assets
  • Prioritize assets
  • Determine asset vulnerability to threats and the potential for damage
  • Prioritize the impact of threats
  • Select cost-effective safeguards including security measures

In our observation, and as reflected in this book, system and network security is an ongoing, cyclical, iterative process of planning, hardening, preparing, detecting, responding, and improving, requiring diligence on the part of responsible administrators. Configuring and operating systems securely at one point in time does not necessarily mean that these same systems will be secure in the future. And no level of security can ensure 100% protection other than disconnecting from public networks; even then, the threat of attack from insiders still exists.

To get the most out of this book, you should already know how to install and administer popular operating systems and applications, and be familiar with fundamental system security concepts such as establishing secure configurations, system and network monitoring, authentication, access control, and integrity checking.

The book is organized into two parts and two appendices:

Part I: Hardening and Securing the System. Preventing security problems in the first place is preferable to dealing with them after the fact. This part of the book covers the practices and policies that should be in place to secure a system's configuration. Guidelines for securing general purpose network servers and workstations are contained in Chapter 2, followed by chapters containing additional guidance on securing public web servers and deploying firewalls.
Part II: Intrusion Detection and Response. Even the most secure network perimeter and system configurations cannot protect against every conceivable security threat. Administrators must be able to anticipate, detect, respond to, and recover from intrusions, and understand how to improve security by implementing lessons learned from previous attacks. This part of the book covers practices required to do so.
Appendix A: Security Implementations. The Appendix contains examples of several procedural and tool-based implementations that provide technology-specific guidance for one or more practices (the applicable implementations are referenced in the practices they support). The implementations chosen for this book are specifically geared for Sun Solaris (UNIX) operating environments, given CERT's experience. These implementation examples are intended to be illustrative in nature and do not necessarily reflect the most up-to-date operating system versions. The most current versions of over seventy UNIX and Windows NT implementations and tech tips are available on the CERT web site.
Appendix B: Policy Considerations. This Appendix contains all of the security policy considerations and guidance that are presented throughout the book. Having this material in one location may aid you in reviewing and selecting policy topics and generating policy language. You can also treat this Appendix, along with the checklists appearing at the end of each Chapter, as an overall summary of the entire book.

The most effective way to use this book is as a reference. We do not intend that you read it from cover to cover, but rather that you review the introductory sections of each Part and Chapter and then refer to those Chapters and practices that are of most interest.

The web site addresses (URLs) used in this book are accurate as of the publication date. In addition, we have created a CERT web site that contains all URLs referenced in the book. We plan to keep these URLs up to date, provide book errata, and add new references after book publication. At this book site (http://www.cert.org/security-improvement/practicesbk.html), you will find links to all references, information sources, tools, publications, articles, and reports for which a URL exists and is mentioned in the book. We also regularly refer to CERT advisories, incident notes, vulnerability notes, technical tips, and reports, all of which can be found at the CERT web site, http://www.cert.org. We sometimes use the phrase "the CERT web site" to refer to this URL.

The content in The CERT® Guide to System and Network Security Practices derives from Carnegie Mellon University's Software Engineering Institute (SEI) and CERT Coordination Center. CERT/CC, established in 1988, is the oldest computer security response group in existence. The Center provides technical assistance and advice to sites on the Internet that have experienced a security compromise and establishes tools and techniques that enable typical users and administrators to effectively protect systems from damage caused by intruders. The Software Engineering Institute is a federally funded research and development center with a broad charter to improve the practice of software engineering.

The material that serves as the primary content for this Guide has been posted and updated on the CERT web site over a period of 5 years. It has been reviewed and used by external security experts in commercial, federal government, and university-level academic organizations and by SEI staff members. All materials are periodically reviewed (and tested, where appropriate) for accuracy and currency.



Index

Acceptable use policy
elements of, 72-73
importance of, 72
policy considerations regarding, 404-405
user education in, 73
controlling, 51, 55-58, 115
enforcement of privileges, 31
policy considerations regarding, 58-59
restricting, 146-147
Access controls, 90, 402, 406
levels of, 90-91
policy considerations regarding, 93
software, 92-93
Access log, 94
managing, 52
types of, 51
ActiveX, 49
Address-based authentication, 107
adm/lastlog file (Solaris), 337
adm/log/asppp.log (Solaris), 336
adm/messages file (Solaris), 338
adm/sulog file (Solaris), 337
adm/utmp file (Solaris), 337
adm/utmpx file (Solaris), 337
adm/wtmp file (Solaris), 337
adm/wtmpx file (Solaris), 337
Administrator accounts, 51
Advisories, 15
subscription to, 17
Agent log, 95
Alerts, 159-160, 206
configuration of mechanism of, 263, 410
reviewing, 239
Snort, 393-394
types of, 159
disposal of, 264
documentation of, 262
investigation of, 262
policy considerations regarding, 264
response to, 263-264
Anomaly detection, 206
Anti-spoofing rules, 152-153
Anti-virus tools, 65
updating of, 66
Application proxies, 125, 126, 129-130
Architectural trade-off analysis, 136-137
of distribution media, 222
of log files, 220
of operating systems, 222
of security-related patches, 222-223
of test results, 224
ARP (address resolution protocol), 242
Asset information, protection of, 211
Assets, defined, 13
Attack, defined, 14
Attack signature detection, 205
Auditing, as part of intrusion detection and response, 212
Authentication, 105
address-based, 107
alternative systems of, 54-55
basic, 108
plan, 30-31
policy considerations regarding, 113, 406
reauthentication, 53
technologies for, 107-110
types of, 30
user, 51-55, 106, 115, 401-402
using hardware-based access controls, 51
Authentication servers, 24
Automatic replication mechanisms, 60
Availability of services, 24, 25
assuring, 136-137

Back doors, 277, 290, 295
Backups, 403
encryption in, 60
importance of, 147, 295
after intrusion, 274, 288
plan for, 59-61
policy considerations regarding, 62
procedures for, 31-32, 223-224
storage of files, 60
tools for, 61
types of, 32
before updating software, 41
utility of, 223
of Web content, 32, 114, 407
importance of, 36
setting up, 238-239
Basic authentication, 108
features of, 110
Basic border firewall, 132-133
with untrustworthy host, 133
Bibliography, 423-429
Biometric devices, as authentication tool, 30, 54
Boot disks, archiving, 222
Breach. See Intrusion
Buffer overflows, 101
Bugtraq, 16

CERIAS, 17, 181
publications of, 14-16
statistics on intrusions, xix, xx
Certificate authorities (CAs), 108
CGI (Common Gateway Interface) scripts, 85-86
security issues in, 97-98
CGI-BIN directory, 103
Chain of custody, 284
Character input, standardizing, 101-102
components of, 207-209
development and maintenance of, 211-212
iterative nature of, 206
policy considerations regarding, 211, 414
of systems, 198-199
trust assumptions for, 207
updating, 263-264
CIAC, 17
CLF (Common Log Format), 95
COAST, 181
Cold backups, 32
Combined Log Format, 95-96
Common Vulnerabilities and Exposures, 17
information dissemination procedures, 279
after intrusion, 278-279, 297, 418-419
with other affected sites, 280-281
policy considerations regarding, 281-282
security of, 225-226, 280
Computer crime
incidence of, 1
perpetrators of, 2-3
Computer deployment plan, 28-36
policy considerations regarding, 35-36
security issues addressed in, 399-400
updating of, 35
Computer Incident Advisory Capability, 17
Computer security
checklist for, 74-78
and computer deployment plan, 28-36
configuration and, 27
importance of, 2-4
information sources regarding, 14-18
maintenance of, 27
and physical access, 70-71, 404
planning for, 27
policy considerations regarding, 35-36, 71
and servers, 36-39
table of practices for, 27
user awareness of, 27
Computer Security Institute, 17
configuration of, 21
identifying purpose of, 28
location of, 71
network connection of, 34
physical access to, 70-71
securing of, 19-20, 26-27
Confidentiality, 23
files, 291
integrity of files, 348
for local hosts, 345-346
for log files, 345
for loghost, 346-347
for logsurfer, 353-354
testing, 347-348
Connection time-outs, 91
new, 172
replacement, 172
aspects of, 285
and backup systems, 288
decisionmaking regarding, 285-286
monitoring, 288
objectives of, 286
policy considerations regarding, 288-289, 420
quarantine procedures, 287-288
system shutdown, 286-287
crack, 53
Credit card information, security of, 112
cron/log file (Solaris), 340
Cryptographic checksumming, 46, 48, 63
advantages of, 59
in secure remote administration, 69
CSI, 17
CSIRT (computer security incident response team), 192
CVE, 17

Daemon dialers, 210
Data collection
identifying data for, 204-206
iterative nature of, 206
management of, 216-221, 414
policy considerations regarding, 221
prioritization of, 200
protection of, 220
table of practices for, 201-204
updating configurations, 264
Data storage, locations for, 343-347
Data traces, storage of, 262
Database services, 86
difficulty of monitoring of, 254
restoration of, 295
Default gateway, changing, 175
Denial-of-service (DoS) attacks, 3, 91
effects on log files, 348
mitigating the effects of, 91-92
types of, 348
DHCP (Dynamic Host Configuration Protocol), 173, 174
DHCP/BOOTP (dynamic host configuration protocol/boot protocol), 242
Digest authentication, 113
Digital watermarking, 113-114
Digital signatures, 109, 113
characterization of, 208-209
policy considerations regarding, 254
protection of, 93
unexpected changes in, 251-252, 253-254, 416
verification of, 252
Directory services, 86
Distribution media
archiving, 222
DMZ network, 133-134
DNS (Domain Name Service), 318
DNS spoofing, 107
Documentation of unusual behavior, 262
Drivers, device, 42
Dual firewall, 134-135
Dynamic packet filtering, 130-131
Dynamic rules, in logsurfer, 356-357

E-mail services, 85
ELF (Extended Log Format), 95-96
Encryption, 54, 105
of backup files, 60
of files, 58
importance of, 106
of log files, 220
policy considerations regarding, 113, 406
technologies for, 107-110
Error log, 95
analysis of, 97
Escape characters, 101
Ethernet, 34
chain of custody of, 284
protection of, 195-196, 235, 283-284
External programs. See Plug-ins, Scripts

File directory listings, protecting, 93
File systems
characterization of, 208-209
compromised, 287
encryption of, 58
policy considerations regarding, 254
unexpected changes in, 251-252, 253-254, 416-417
verification of, 252
Filtering, as part of intrusion detection and response, 212
Firewall systems
architecture of, 124-125
checklist for, 178-181
designing, 124-127, 407
documenting environment for, 127
enabling private traffic in, 174-178
evolution of, 131-132
implementation of, 173-177
inside and outside, 149-150
installation of, 171-172, 408, 411
policy considerations regarding, 138, 178
preparing for use, 170-171
testing of, 160-171, 410-411
transition to, 173-174, 411
Firewalls, 83-84
architectural considerations of, 136-137
defined, 121
deployment of, 123
dual, 134-135
functions of, 127-132
hardware requirements for, 139-140
improvement after intrusion, 292
indications for use of, 138
installing and configuring, 144-147
logging and alert mechanisms, 410
need for, 122-123
ongoing monitoring of, 171
online resources regarding, 181
operating system for, 145-146
policy considerations regarding, 147
procurement for, 141-142
security of, 138
site of application of, 124
software requirements for, 140
table of practices for, 123
testing components for, 141
topology of, 132-135
training for use of, 142-254
vendor support for, 143-144
FIRST (Forum of Incident Response and Security Teams), 17, 224-225
FTP (File Transfer Protocol), 29
disabling of, 45

German Computer Emergency Response Team, 17
Group identities, establishing, 90
Guest accounts, 51

Handshake protocol, 108

Hardening, 9-10
auditing of, 255
for firewall, 139-140
inventorying, 210-211
policy considerations regarding, 256
security of offline, 35
unauthorized, 70, 255-256, 417
Host machine, 42, 400
configuration files for, 345-346
cryptographic checksumming of, 46
functions of, 43-44
limiting access to, 44
and network security, 43
policy considerations regarding, 46
remote services, 45
software for, 45-46
Hot backups, 32
HTTP (HyperText Transfer Protocol), 29

ICMP (Internet Control Message Protocol), 84, 153-154
ICSA, 17
IETF, 17
Implementations, 16
Improvement actions, 12
Incident, defined, 14
Incident notes, 16
Incident report
components of, 260
evaluation of, 260
investigation of, 260-261
policy considerations regarding, 261
sources of, 258-259
triage of, 259
Information dissemination, 279
policy considerations regarding, 281-282
Information security policy
characteristics of, 398
topics covered by, 399
Information security risk analysis and assessment, defined, 13-14
Inside firewall systems, 149-150
Inspecting, as part of intrusion detection and response, 212
of firewall, 144-147
of firewall system, 171-172
of operating system, 32-33
of software, 145-146
Integrity checking, 42
of configuration files, 348
as part of intrusion detection and response, 212
using Tripwire, 312-313
Integrity of information, 24, 25
Internet, threats from, 412
Internet Engineering Task Force (IETF), 17
CERT statistics on, xix, xx
communication after, 278-279
consequences of, 232, 278
containment of, 285-289
curtailment of, 286, 420-421
damage assessment, 277
dangers of, 271
defense against, 289-293
defined, 14
via hardware, 255-256
identification of, 276-277
investigation of, 260-261
lessons of, 296-298
plan for dealing with, 65-66
preventing recurrence after, 285-298, 421
reviewing reports of, 258-261, 417-418
sniffers, 248-249
sources from network, 241-242
sources within system, 246-248
unauthorized access to physical resources, 257-258
Intrusion detection, 11-12, 163, 186
action after, 261-264
analysis approaches to, 205-206
approach to, 187-188
checklist for, 265-268
data collection for, 198-204
documentation of procedures for, 192-194
improvement of, 292-293
keeping current, 197-198
logging and, 157
monitoring in, 189, 415-416
need for, 186-187, 232
policies and procedures for, 188-198, 411-414
real-time, 205
roles and responsibilities for, 195
scale of, 233
security of software used for, 234-237
strategies for, 31
table of practices for, 188, 233-234
threat assessment, 190-191
tools for, 212-216
user training for, 196-197
Intrusion response
approach to, 187-188, 271-272
authority for, 191-192, 413
checklist for, 228-230, 298-301
collecting and protecting information during, 282-285, 419-420
communication in, 225-226, 278-282, 418-419
contact information for, 224-225
containment, 285-289, 420
documentation of, 283
documentation of procedures for, 194-195
elimination of intruder access, 289-293, 420-421
information needed for, 273-274, 418
initiation of, 263
law enforcement and, 284-285
legal review of procedures, 195-196
logs and, 275-276
need for, 186-187, 271
policies and procedures for, 188-198, 411-414
policy considerations regarding, 227, 278, 285, 293
postmortem review of, 297-298
resource kit for, 226
resources for, 192, 414
roles and responsibilities for, 195
sequence of actions for, 191, 413
system quarantine, 275
table of practices for, 188, 270
test systems for, 226
tools for, 221-227, 415
user training for, 196-197
IP forwarding, disabling, 86
IP routing
addresses for, 148
configuration for, 148-150, 408
policy considerations regarding, 149
IP spoofing, 45, 86
Isolated subnets
policy considerations regarding, 88-89, 405
server on, 83
supporting services on, 85-86

Java, 49

Kerberos, 54
Keys, 70
as authentication tool, 30

l0phtCrack, 53
LANs (local area networks), 34
LDAP (Lightweight Directory Access Protocol), 86
Legal considerations
chain of custody, 284
protection of evidence, 195-196, 235, 283-284
log/sysidconfig.log (Solaris), 339
Log files
analysis of, 97
archive and backup of, 220
configuration of, 345
difficulty of monitoring of, 254
disk space required by, 348-349
encryption and disposal of, 220
examination after intrusion, 275-276
format of, 95-96
management of, 219
permissions of, 344
protection of, 217-218, 342-343, 345
remote access to, 69
rotation of, 219, 345, 365
Snort, 394-395
storage locations of, 344
types of, 94-96
under Solaris, 336-341
Log messages, 343-344
analyzing, 349-366
identification of, 349
in logsurfer, 355-356, 357-358
logger(1), 347, 349
configuration of, 157, 264, 410
designing environment for, 158
enabling, 96-97, 217
information for, 94-96
for intrusion detection, 198-200, 204-205
management of, 216-221, 414
options for, 158-159
policy considerations regarding, 160, 221
reasons for, 157
support tools for, 160
testing of, 169-170
user notification of, 238-239
configuration file for, 346-347
hostname for, 345
Login, 54
logsurfer, 304
actions in, 355
compared to swatch, 350
configuring, 352
configuration file structure of, 353-354
contexts in, 355-356
downloading and verifying, 351
effort estimates for installation of, 350
e-mail addresses used by, 362-363
initial configuration of, 358
installation of, 351-352
limitations of, 353
log message handling in, 357-358
prerequisites for, 350
quotes in, 354
restarting after rotation of log files, 365
rules syntax in, 356-357
sample rules for, 358-362
setup of, 362-366
startup file for, 363-365
Tripwire configuration for, 365-366
user IDs in, 362
Love Letter Worm, 3

Malicious code, 102
Mark messages, 347
MD5 algorithm, 113
Meta characters, 101
Model configuration
case-by-case changes to, 63
checksumming for, 63
creation and testing of, 62
replication of, 63
documentation of, 34
network connection with, 34
unauthorized, 255
of data streams, 189, 205-206
of firewall, 171
after intrusion, 288
in intrusion detection and response, 212
of network activities, 237-243, 415-416
policy considerations regarding, 242-243
of process activity, 246-247
of system activities, 243-251, 416
of user behavior, 247-248
Multiple-layer architecture, 124-125, 126, 167

Network clients
functions of, 48-49
security issues with, 49-50
policy considerations regarding, 50
software updates for, 50
Network error reports, 239-240
Network interface, 34
promiscuous vs. nonpromiscuous, 249
Network mapping and scanning, 250
Network performance
reviewing, 240
Network services
clients for, 401
identifying, 29
software for, 29
Network Time Protocol (NTP), 126, 219
Network traffic
characterization of, 207
monitoring and inspection of, 163, 237-243, 415-416
reviewing of, 241-242
Network traffic generators, 163
Network traffic logs, 256
Nonpromiscuous mode, 249
Notification, as part of intrusion detection and response, 206, 212
npasswd, 53

One-time passwords, 54
Operating system
archiving of, 222
installation of, 32-33
object, device, and file access controls for, 56-59, 402
requirements for using firewalls, 145-146
restoration of, 223, 290
updating of, 39-41, 400
OSPF (Open Shortest Path First), 173, 174
Outside firewall systems, 149

Packet filtering, 125, 126, 127-128
configuration of, 150
dynamic, 131
policy considerations regarding, 408-410
Packet filtering rules, 150-151
design of, 151-154
documentation of, 154-155
installation of, 155
logging options for, 158-159
policy considerations in, 155-157
Packet forwarding, disabling of, 147
Password security, 204
Passwords, 30
one-time, 54
policies regarding, 52-53, 55
security of, 290
writing policy regarding, 402
archiving of, 222-223
authentication of, 40
vulnerability, 251
PGP (Pretty Good Privacy), 211
described, 113
Physical resources
audit of, 258
tampering of, 258
policy considerations regarding, 258
unauthorized access to, 257-258, 417
security issues with, 98
use with Web server, 100-105
Port 53, 84
Port 80, 84
Port 443, 84
Portscanners, 163
Preparation, 10-11
documentation of, 30
enforcement of, 31
Probing, as part of intrusion detection and response, 212
Process accounting, 369
Process activity, monitoring, 246-247
Processes, characterization of, 208
Production environment, 168
testing in, 166-169
Promiscuous mode, 249
Protocol violations, 241
Proxy servers, 129-130, 131
Public key cryptography, 108
Public servers, 24

Quotes, use in logsurfer, 354

R-commands, 33
Reauthentication, 53
Reconnaissance, detection of, 241
Record protocol, 108
procedures for, 31-32
strategy for, 162
testing of, 61
Redundancy, importance of, 136, 191, 412
Referrer log, 95
Regression-testing, 170
of system, 290
tools for, 223
Reliability, importance of, 136
Remnant files, 227, 280
Remote administration, 67
authentication and credentialing of administrators, 67-68
cryptographic checksums in, 69
log files and, 69
policy considerations regarding, 69, 403-404
security of confidential information, 68
transferring information for, 68-69
Remote services, insecurity of, 45
Responding, 12
of application files, 291
of availability of services, 295
of operating system, 290
policy considerations regarding, 296
of system to normal operation, 293-296
of user data, 295-296
Restricted information
access requirements for, 106
encryption of, 58
protection of, 92
RIP (Routing Information Protocol), 173, 174
Risk analysis and assessment, defined, 13-14
Rootkit tool set, 235
Routers, 127-128
Routing table, updating, 176-177

SANS Institute, 17
Scanning, as part of intrusion detection and response, 212
defined, 98
use with Web server, 100-105
Securing Web servers
authentication and encryption, 105-114, 115-116
backup of site content, 32, 114, 407
checklist for, 117-120
cost-benefit tradeoffs in, 98
importance of, 79, 81-82
isolation, 83-89, 405
logging, 94-97
object, device, and file access controls, 89-94, 406
protection levels, 90-91
restricting information access, 92
restricting user access, 114
software access controls, 92-93
table of practices for, 82
Security, 137, 138
of communication, 225-226
day-to-day administration and, 34-35
login issues, 54
password, 204
sites for fixes and patches, 17
Security Focus, 16
Security policies, 5-6
adoption of, 7
enforcement of, 6
Security Portal, 17
Sensitive information
access requirements for, 106
encryption of, 58
protection of, 92
Separation of duties, 43, 68
applications of, 21
backup procedures for, 60
functionality requirements, 36, 37-38
host machine of, 42-46, 400
importance of security of, 21-23, 400
operating costs of, 38-39
policy considerations regarding selection of, 39
product features of, 38
security requirements, 37
selection of, 400
up-to-date software on, 41-42
vulnerability of, 25
Web, 79-120, 405
Service-level agreement, 144
Servlets, defined, 98
SET (Secure Electronic Transaction), 105
benefits of, 112
capabilities of, 109
features of, 110
use of, 110
S/HTTP (Secure Hypertext Transport Protocol), 105
features of, 109, 110
Single-layer architecture, 124, 125, 166
Smart hubs, 88
SMTP (Simple Mail Transfer Protocol), 85
Sniffers, 248-249
SSH to combat, 318-319
Snort, 305
alerts in, 393-395
building of, 388
described, 386
downloading and verification of, 387-388
effort estimates for installation of, 386
installation of, 389
integration with other tools, 395
log file directory of, 389
prerequisites for, 387
rules in, 390
sample rules for, 390-391, 392-393
testing correct operation of, 389
testing of, 389
Tripwire configuration of, 396
writing of rules for, 391-392
drivers, 42
for firewall, 140
functionality of, 99
installation of, 145-146
integrity checking of, 105
patches for, 146
policy considerations regarding, 100, 105
problems with, 101-102
regulating access on Web server, 103-104, 406
scanning of, 101
security of, 234-237
security implications of, 97-100, 406
sources of, 99
sterile technique for, 236-237, 415
testing of, 101
updating of, 39-41
use with Web server, 100-105
Solaris servers, special procedures regarding, 33
Source routing, disabling, 86
spar, 304
automated use of, 371
building of, 368
configuration of, 369
described, 366
downloading and verification of, 367
effort estimates for installation of, 366
installation of, 368-369
integration with other tools, 371
prerequisites for, 366-367
testing correct operation of, 368
testing of, 369
Tripwire configuration for, 371-372
use of, 370-371
SQL (Structured Query Language), 86
SSH (secure shell), 304
building of, 321-322
configuration of, 326-330
configuration settings for, 321-322
downloading of, 320
effort estimates for installation of, 319
host keys for, 323-324
information resources about, 335
installation of, 322-325
password authentication for, 333
prerequisites for, 319-320
sshd daemon for, 324-325, 325-326
Tripwire configuration for, 334-335
unpacking of, 321
user access to remote hosts, 332-333, 334
user accounts for, 330-333
user keys for, 330-332
uses of, 318-319
verification of download, 320-321
ssh_config file, 327
options for, 327-329
sshd daemon
starting, 324, 325
stopping, 325, 326
using telnet to connect to, 326
sshd_config file, 327
options for, 329-330
SSL (Secure Socket Layer), 105
certification and, 111-112
composition of, 108
future of, 109
supporting use of, 111-112
Stateful inspection, 130
Strings, 354
Summaries, 16
swatch, 349, 358
compared to logsurfer, 350
syslog files (Solaris), 339
actions associated with, 342
caveats regarding, 349
facilities of, 341
function of, 341
priorities of, 342
and UDP network service, 348
System administrators, 4-5
accounts for, 51
System behavior, characterization of, 207
System configuration files, 291
System error reports, 245
System files, write protection of, 237
System hardware, inventory of, 210-211
System information, recording of, 274
System monitoring, 243
baseline values for, 244
error reports and, 245
performance statistics and, 245
policy considerations regarding, 250-251, 416
system alerts and, 244-245
user notification for, 244
System performance
characterization of, 207-208
maximizing, 138
reviewing statistics of, 245

Tampering, detection of, 257
TCP connections, 84
security concerns regarding, 45
tcpdump, 304-305
building of, 374
configuration of, 375
described, 372
downloading and verification of, 373
effort estimates for installation of, 372
examples of use of, 383-384, 384-385
installation of, 375
integration with other tools, 385
options in, 376-387
prerequisites for, 373
primitives in, 379-383
qualifiers in, 379
recommended use of, 376-383
testing correct operation of, 374-375
testing of, 375
Tripwire configuration of, 385
use of, 376-385
Tech tips, 16
Testing of firewall
aspects of, 161
of log files, 169-170
monitoring and, 171
planning for, 161-162
policy considerations regarding, 171
in production environment, 166-169
regression, 170
steps in, 160
in test environment, 164-165
tools for, 163-164
vulnerability scanning, 170
Threat, defined, 13
Time stamps, 347
Tokens, as authentication tool, 30, 54
Transaction auditing, 254
Transfer log, 94
analysis of, 97
Transparent proxies, 131
Trespassing, detection of, 257
Triage, 259
Tripwire, 41, 208-209, 304
configuration files of, 310
contents of database, 305
described, 305-306
downloading and verification of, 306, 307
effort estimates for installation of, 306
generation of database, 311-312
history of, 317-318
installation of, 308, 310
integrity checking using, 312-313
for Linux, 318
open source versions of, 318
paths for files, 309
preparation for, 311
prerequisites for, 307
sample reports of, 313-318
system settings of, 308
testing of, 310-311
unpacking of, 308
verbose mode of, 313
Trojan horses, 274, 277, 287, 290
coping with, 64-65
defined, 64
TruSecure, 17

UDP (User Datagram Protocol), 84, 135
security concerns regarding, 45
and syslogd, 348
archiving of, 41-42
automated, 41
evaluation of, 40
importance of, 39
installation of, 40
of network service software, 50
policy considerations regarding, 42
problems caused by, 40-41
USENIX Advanced Computing Systems Association, 17
authentication of, 51-55, 106, 115, 401-402
characterization of, 208
education of, 52, 65-66, 106, 398
fostering trust with, 107
identification of, 29-30, 90
identity of, 24
monitoring of, 247-248
notification of monitoring, 174
privileges of, 30
restrictions on, 114
/usr/adm link (Solaris), 336

/var/adm directory (Solaris), 336
/var/cron directory (Solaris), 340
/var/log directory (Solaris), 338
/var system directory (Solaris), 336
Viruses, 64, 287
modus operandi of, 235
policies regarding, 403
tools to prevent/cure, 65, 66
user education about, 65-66
VPN (virtual private network), 88
correcting, 292
identifying, 100
Vulnerability detection, 163, 170
for systems, 250
Vulnerability notes, 16

Warm backups, 32
Watermarking, digital, 113-114
Web content
storage on secure host, 32, 114, 407
policy considerations regarding, 116
transfer of, 116
Web servers, 24
alternative architectures for, 88
compromised, 79, 81
configuration of, 84-85, 87
external software on, 103-105
improper operation of, 81
information stored on, 89
isolation of, 83-89, 405
securing of, 79-120
server side include functionality of, 103
use rules for, 90-91
user and group identities for, 90
Whois, 225
Workstations, 400
acceptable use policy for, 72-73, 404-405
backup procedures for, 60
cryptographic checksumming of, 48
functions of, 46, 47-48
importance of security of, 25
on network, 46-47
policy considerations regarding, 48, 66
software on, 48

