Hands-on techniques for securing Windows® servers, browsers, and network communications
While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for a successful public web site is to encourage access while eliminating undesirable or malicious traffic, and to provide sufficient security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Web Security Field Guide provides you with hands-on, proven solutions to help patch the most common vulnerabilities of Windows® web servers and browsers within the context of an end-to-end network security architecture. Rather than discussing the underlying technologies conceptually, the book spends little time on how each application works; using plain language and lots of step-by-step examples, it focuses instead on helping you secure your web servers and prevent the majority of network attacks. Divided into five parts, the book opens with an overview of essential background information and helps you establish working network security rules and policies. Parts II through IV teach you the techniques for hardening the operating system, the web server, and the browser. Part V addresses overall network security, focusing on preventing and controlling access. Topics such as becoming a Certification Authority, the Cisco PIX® Firewall, the Cisco IOS® Firewall, access lists, ongoing security maintenance, and testing are all examined in depth, providing an overall network security plan that can drastically reduce the risk to your business systems and data.
Full of diagrams, screen captures, and step-by-step instructions for performing simple tasks that can radically improve the security of your Internet business solutions, Web Security Field Guide is a practical tool that can help ensure the integrity and security of your business-critical applications.
Read an interview with Steve Kalman, courtesy of Help Net Security. Help Net Security's site receives more than 430,000 page views per month.
Steve Kalman participated in a live forum January 22, 2003 to discuss Web security. Visit the Ask the Expert Forum on InfoWorld.com.
Download - 225 KB -- Chapter 2: Security Policies
(NOTE: Each chapter concludes with a Summary.)
I. THE FUNDAMENTALS OF WEB SECURITY
1. Essential Information for Web Security Administrators
Two Internetworking Models. OSI Reference Model. TCP/IP Model. Headers. Data Link Headers. Network Layer Headers. Transport Layer Headers. Shims. Above the Transport Layer. Telnet. HTTP. SSL, TLS, and HTTPS. DNS. DHCP. NAT.
2. Security Policies
Justifying Security. Security Defined. Kinds of Security Risks. Knowing the Enemy. The C-I-A Triad. Approaches to Risk Analysis. Solving Security with Technology. Security Policies. Contents of a Security Policy. Sample Password Policy. Example Security Policies. Creating Your Own Security Policy. Key Topics for Security Policies. Effectively Implementing Your Security Policy. Avoiding Failure.

II. HARDENING THE SERVER
3. Windows System Security
NT 4 Security. NT 4 File System Security. Securing the NT 4 File System. NT 4 Operating System Security. Securing the NT 4 Web Server. Windows 2000/XP Security. 2K/XP File System Security Templates. 2K/XP Operating System Security. Modifying Security Templates for Web Servers. One Final Task.

III. INSTALLING AND PROTECTING IIS
4. IIS Installation
Installing IIS4. Installing the NT-4 Option Pack. Installing IIS4 on NT-4. Installing IIS5. Windows 2000 Installation. Windows XP Installation.
5. Enhancing Web Server Security
Web Servers Versus Development Servers. Locating Document Root. Logging. Limiting Access to Your Web Server. Enabling Basic Authentication. Setting Secure Authentication. Restricting Access Based on IP Address. Miscellaneous Security Enhancements. Moving the Metabase. Managing Web Server Access Permissions. Managing IIS5 Execute Permissions. Managing Application Isolation. Setting Advanced Security Configuration Options. Assigning Web Server Operators. Hosting Multiple Web Servers.
6. Enhancing the FTP Server
Inner Workings of FTP. Network Diagram for FTP Examples. PORT Mode FTP. PASV Mode FTP. Secure FTP. RFC Status. Example of Secure FTP Product. Secure Server Installation. Secure Client Installation. Secure FTP in Action.

IV. PROTECTING THE USER
7. Browser Security
Acquiring IEAK6. Licensing the IEAK. Downloading the IEAK. Installing the IEAK. Configuring the IEAK. Gathering Setup Information. Specifying Setup Parameters. Customizing Your Setup Choices. Customizing the Browser. Specifying Additional Components. Finishing the Wizard. Building a Desktop. IEAK Profile Manager. Running the PM. Managing Multiple INS Files.

V. PROTECTING THE NETWORK
9. Becoming a Certification Authority (CA)
Encryption Schemes. Symmetric Encryption. Asymmetric Encryption. CA Responsibilities. Types of Certificates. Verification of Identity. Contents of a Certificate. Maintaining a Certificate Revocation List (CRL). CA Chaining. Establishing Your Own CA. Installing Microsoft's Certificate Server. Requesting a Server Certificate. IIS4 Certificate Request Technique. IIS5 Certificate Request Technique. Issuing the Server Certificate. Installing a Certificate on Your Web Server. IIS4 Certificate Installation Technique. IIS5 Certificate Installation Technique. Trusting Your Own CA. Browser Certificates. Requesting a Browser Certificate. Installing a Browser Certificate in IE. Requiring a Browser Certificate.
10. Firewalls
Firewall-Protected Network Components. External Network. Packet Filtering Router. DMZ. Bastion Host / Firewall. Internal Network. Firewall Design. Classic Firewall. Chapman. Belt and Braces. Separate Services Subnet. Access Lists. Generic Access List Rules. Editing Access Lists. Standard Access Lists. Extended Access Lists. Using Access Lists. First Level Filtering. Sanity Checking. Protecting the Control Plane. Firewall Feature Set. Dynamic Access Lists. Context Based Access Control. TCP SYN Flood Protection. Cisco PIX Firewall. Comparing the IOS Firewall to the Cisco PIX Firewall. Overview of Cisco PIX Firewall Architecture. Configuring the Cisco PIX Firewall.
11. Maintaining Ongoing Security
Patches and Fixes. Finding Available Patches and Service Packs. Deciding When to Apply the Fix. Automating the Decision Process: HFNetChk. Applying a Service Pack. Miscellaneous Risks. Public Access Ports. Wireless Security Risks. Unauthorized User Modification of Web Forms. Antivirus. Personal Firewalls. Installing ZoneAlarm. ZoneAlarm in Action. The Weakest Link. Why Worry?
12. What You Can Do
Make Security Important to Your Staff. Physical Security. Password Security. Procedural Security. Telephone Security. User Awareness and Education. Closing Remarks.

VI. APPENDIXES
Appendix A. Customizing Internet Explorer Error Messages
Customizing Messages. Generating an Error. Creating a Custom Error Message. Installing the Custom Message in Internet Explorer. Testing Your Work.
Appendix B. Decoding Base64
Capturing the Data. Translating from Base64.
Appendix C. Contents of the WSFG Web Site
Home Page. Referenced Pages. Normal Page Contents. Basic. IPADDR. SSL.
Download - 254 KB -- Index