Protecting Your Website with Firewalls
Subject: Internet Security
ISBN: 0136282075
Author: Marcus Goncalves
Publisher: Prentice Hall PTR
Publish Date: April 1997
Price: $49.00
Summary

The complete Webmaster's guide to Website security.

Whether you have a Website, an intranet, or both, Protecting Your Website with Firewalls is your end-to-end resource for maximizing security. This highly readable, hands-on book covers all the security choices associated with virtually every Internet resource, including:

  • WWW/HTTP.
  • Conferencing.
  • E-mail.
  • FTP.
  • News gateways/NNTP.
  • Telnet.

Learn how firewalls, packet filtering, and proxy servers work—and how you can use them to protect your site with minimum cost, disruption, and complexity. Explore the leading HTTP security protocols, Secure-HTTP, and Secure Sockets Layer (SSL), as well as today's advanced authentication and encryption solutions.

Then, walk step-by-step through planning, implementing, and maintaining your firewall and related security technologies. Protecting Your Website with Firewalls includes detailed checklists, step-by-step instructions, and case studies to help you identify common security gaps at your site—and systematically close them.

Learn how to decide which resources are worth protecting—and which may not be worth the trouble. Finally, if you do have a break-in, the book shows you what to do next—both to improve security and to pursue the intruder.

The accompanying CD-ROM includes the comprehensive TIS security toolkit for Windows NT servers.

Protecting Your Website with Firewalls also contains comprehensive, up-to-date resource listings for:

  • Tools that can identify weaknesses and improve authentication and passwords.
  • Firewall products, resellers, and consultants.
  • Software patches to enhance security.

Your Internet connection places your most critical business secrets at risk. With this conversational, thorough guide, you can dramatically reduce those risks now —and for years to come.

Table of Contents
Foreword.
Preface.
Acknowledgements.
List of Figures.

I. PLANNING FOR WEB SECURITY.

1. Why Protect Your Web Site?
What to Protect and Why. Protecting Information and Resources. Protecting Your Clients and Users. Preserving Privacy. Forms of Threat. Spoofing. E-mail Fraud and Risks. Web Client Threats. Web Server Threats. Transaction Security between Client and Server. Authentication. Confidentiality. Integrity. Errors and Omissions. Fraud and Theft. Discontented Employees. Industrial Espionage. Malicious Code. Breach of Confidentiality. Protecting Your Web Site. Alternatives. Basic Protection of Documents at Your Web Site. Authentication. The Role of Firewalls. Proxies.

2. Web Security Requirements.
Web Requirements. Confidentiality. You Are Responsible! Integrity. Transactions between Client and Web Servers. Data Security. Integration. Firewall and Proxy Support. Gateways Support. Traffic. Monitoring Requests. Estimating Number of Hits. Transmission. Freshness of Transmission. Providing a Quality Service.

3. Financial Issues.
Preventing Break-in Expenses. Protecting Financial Transactions. The SSL Protocol. The F-SSH Protocol. Preserving the User/Client Financial Information. Secure Electronic Transactions (SET). Offering Access to "Digital Money". First Virtual. DigiCash. Cybercash. Securing Your Site: Going to the Core.

4. Strategies for Protecting Your Web Site.
Blocking Everything? When Is It Too Much? Recognizing the Weaknesses of Your Site. Choosing a Web Server Software. Highlights of the Main Windows NT-Based Products. Highlights of the Main UNIX-Based Product. Highlights of the Main Novell-Based Products. Windows NT Servers. Netscape Communications Server, Netscape Communications. WebSite, O'Reilly & Associates. Purveyor, Process Software Corp. Internet Information Server, Microsoft Corp. UNIX Servers. NCSA http. Apache Server. CERN httpd. Apache httpd. Netscape Server. IBM Internet Connection Secure Server for AIX. WN Server. Macintosh Servers. WebStar. MacHTTP. Security Options. Keeping It Simple. The Risk of Applets (Java Included!).

II. IMPLEMENTING WEB SERVICES.
5. Conferencing.
About Server. WebBoard. Agora. Internet Phone. DigiPhone. WebTalk. Pretty Good Privacy Phone. The Multicast Backbone (MBONE). Configuration Checklist. Security Checklist.

6. Electronic Mail.
A CGI Script-Cgimail. An ANSI C Script-Simple CGI Email Handler. A Perl Script-Web Mailto Gateway. HTML Form Processing Modules (HFPM). TCL Scripts. CGI-Uniform. Security Issues. Configuration Checklist. Security Checklist. Cgimail Security Concerns. Forms of E-mail Threat-Spoofed E-mail. Forms of E-mail Threats-E-mail Bombing. Protecting Your E-mail Messages.

7. File Transfer Protocols.
File Transfer Protocol (FTP). Taking Control of the FTP Server and User Access. Configuration Checklist. Is Your FTP Server Running Correctly? Is Your FTP Server Configured Right? Is Your Anonymous FTP Configuration Safe? Reviewing Your Anonymous FTP Configuration. Security Checklist. Avoiding Mr. Hacker!

8. The Network News Transfer Protocol (NNTP).
News Gateways. News-WWW Gateway. The Usenet-Web Archiver. Configuration Checklist. Security Checklist. Setting It Up in a Firewall Environment.

9. The Web and HTTP Protocol.
Web Security Issues. HTTP Security Consideration. Secure HyperText Transfer Protocol (S-HTTP). Secure Sockets Layer (SSL). Caching: Security Considerations. Configuration Checklist. Security Checklist. Security Hole with Novell's HTTP. Most Typical UNIX-based Web Server Security Problems.

III. ADMINISTRATION: SECURING YOUR WEB SITE WITH FIREWALLS.
10. Firewall Design and Implementation.
The Concept of a Firewall. The Role of Firewalls. Using Firewalls to Enhance Web Security. The Most Common Types of Firewall. Network-Level Firewalls. Application-Level Firewalls. Few Suggested Firewall Types for Web Sites. Dynamic Firewalling and Web Security. HTTP and Firewalls, Proxy Servers and SOCKS. Proxy Servers. Advanced Proxy Configuration-A Practical Example. The Network Setup. The Proxy Setup. FTP and TELNET. Security Checklist.

11. When Things Don't Go Well: The System Perspective.
Dealing with an Incident. Network Information Service as a Cracking Tool. Remote Login/Shell Service as a Cracking Tool. Network File System as a Cracking Tool. File Transfer Protocol Service as a Cracking Tool. A To-Do List in Case of an Incident. Assessing the Situation. Cutting Off the Link. Analyze the Problem. Take Action. Catching an Intruder. Reviewing Security.

12. Pursuing Intruders: The Legal Perspective.
What the Legal System Has to Say. The Current Regulatory Environment. Protecting Your Web Site. Preventing Break-ins at Your Web Site. Final Considerations.

IV. APPENDIXES.
Appendix A: Firewall-Related Resources, Resellers, and Firewall Tools.
AlterNet. Atlantic Computing Technology Corporation. ARTICON Information Systems GmbH. Cisco Routers. Cohesive Systems. Collage Communications, Inc. Conjungi Corporation. Cypress Systems Corporation (Raptor Reseller). Data General Corp. (Gauntlet Reseller). Decision-Science Applications, Inc. E92 PLUS, LTD. Enterprise System Solutions, Inc. (BorderWare Reseller). E.S.N. - Serviço e Comércio de Informática Ltda. FSA Corporation. IConNet. Ingress Consulting Group, Ltd. INTERNET GmbH. Jeff Flynn & Associates. Media Communications eur ab (Gauntlet Reseller). Mergent International, Inc. (Gauntlet Reseller). Momentum Pty., Ltd. NetPartners (Phil Trubey) (JANUS Reseller). Network Translation Services, Inc. OpenSystems, Inc. PDC. PENTA. PRC. Racal Airtech, Ltd. (Eagle Reseller). RealTech Systems. Sea Change Corporation (JANUS Reseller). Security Dynamics Technologies. Softway Pty., Ltd. (Gauntlet Reseller). Spanning Tree Technologies Network Security Analysis Tool. Stalker by Haystack Labs, Inc. Stonesoft Corporation. TeleCommerce. Trident Data Systems (SunScreen provider). Tripcom Systems, Inc. Trusted Network Solutions (Pty.), Ltd. UNIXPAC AUSTRALIA. X + Open Systems Pty., Ltd. (Internet Consultants). Zeuros Limited. Firewall Tools. Drawbridge. Freestone by SOS Corporation. fwtk-TIS Firewall Toolkit. ISS. SOCKS.

Appendix B: Firewall Products.
Actane Controller. Black Hole. BorderWare Firewall Server. Brimstone SOS Corporation. CENTRISecure Internet Gateway. CONNECT: Firewall Sterling Software. Cyberguard-Harris Computer Systems Firewall. Cypress Labyrinth by Cypress Consulting, Inc. Digital Firewall Service. Eagle from Raptor Systems. ExFilter V1.1.2 for SunOS 4.1.x. FireWall-1 (by CheckPoint Software Technologies). FireWall/Plus by Network-1. Gauntlet by TIS. GEMINI Trusted Security Firewall. GFX-94 Internet Firewall. Guardian Firewall by LanOptics, Ltd. HSC GateKeeper by Herve Schauer Consultants. ICE BLOCK. Integralis. Interceptor by Technologic. Inter-Ceptor by Network Security International. ANS InterLock Service from ANS CO+RE Systems, Inc. Internet Secure Router (ISR) by Atlantic Systems Group. IRX Router-Livingston Firewall Router. IWare-Internetware. iWay-One. KarlBridge/KarlBrouter. Mazama. MIDnet's Securit Firewall. NetCS. NetGate. NetPartners (Hardware and Software). Netra Server by Sun (SMCC). NetSeer and NetSeer Light from Telos. NetSP-IBM. Network Systems ATM Firewall. The Security Router, BorderGuard, ATM Firewall. Novix by FireFox (Novell only). Orion by Zebu Systems. PIX Private Internet Exchange. PrivateNet by NEC Technologies. PORTUS by LSLI (Livermore SW Labs). Quiotix. SecurityGate by DEC. SecureConnect by Morning Star Technologies. Sidewinder by Secure Computing. Site Patrol by BBN Planet Corp. SmartWall by V-ONE. SunScreen SPF-100 by Sun MicroSystems.

Appendix C: Web Server Products.
Amiga Web Servers. AWS. NCSA. Macintosh Web Servers. Common Lisp Hypermedia Server (CL-HTTP). Enhanced Mosaic. http4mac. InterServer Publisher. Mac Common Lisp Server. MacHTTP. NetPresenz or FTPd. WebSTAR. MSDOS and NetWare Web Servers. GLACI-HTTPD. KA9Q. NetWare Web Server. Purveyor WebServer for NetWare. The Major BBS. WonLoo Telenologies NLM. UNIX Web Servers. Apache httpd. Boa. Common Lisp Hypermedia Server (CL-HTTP). EIT httpd. GN Gopher/HTTP server. Internet Office Web Server. Navisoft Server. NCSA httpd. Netscape Commerce and Communications Server. Phttpd. Plexus. Spinner. Spyglass httpd. Thttpd. w3 httpd. WebServer. WN Server. XS-HTTPD. VM/CMS Web Servers. VM:Webserver. Webshare. VMS/OpenVMS Web Servers. CERN HTTP for VMS. Purveyor for OpenVMS. Region 6 Threaded HTTP Server. IBM OS/2 Web Servers. Apache for OS/2. oserve for OS/2. Internet Connection Server for OS/2. OS2HTTPD. OS2WWW. W3 HTTPD with Proxy Support. MS Windows NT and Windows 95 Web Servers. Alibaba. Commerce Builder. Common Lisp Hypermedia Server (CL-HTTP). Cyber Presence. FolkWeb Web Server. HTTPS. Internet Information Server. Navisoft Server. Netsite Servers. Purveyor Webserver for Windows NT and Windows 95. SerWeb for Windows NT. SIAC HTTPD. SuperWeb Server. Web Commander. WebQuest for Windows 95 and Windows NT. WebSite. MS Windows 3.1 and Compatible Web Servers. Alibaba. Chameleon Web Personal Server. SerWeb. WEB4HAM. WebServer. Windows httpd. ZBServer.

Appendix D: Internal Vulnerability Scanning Tools.
CheckXusers. Chkacct v1.1. COPS (Computer Oracle and Password System). crashme. Doc (Domain Obscenity Control). ISS (Internet Security Scanner). Perl Cops. Secure_Sun. SPI (Security Profile Inspector). Test Hosts for Well-Known NFS Problems/Bugs. Tiger. trojan.pl.

Appendix E: Patches and Replacements.
bsd-tftp. fingerd. Fix Kits for sendmail, WU-ftpd, TCP Wrappers. gated. Mountd for Solaris 2.3. msystem.tar.Z. osh. Patches for SGI machines. Patches for Sun machines. PortMap_3. Rpcbind. securelib. sendmail. sfingerd. SRA (Secure RPC Authentication for TELNET and FTP). tftpd. ftpd Washington University. xinetd.

Appendix F: Advanced Authentication and Password Enhancing Tools.
anlpasswd. chalace. cracklib. npasswd. obvious. passwd+. passwdd. pwdiff. shadow. Yppapasswd.

Appendix G: Auditing and Intrusion Detection Tools.
Auditing and Logging Tools. Authd (Authentication Server Daemon). dump_lastlog. logdaemon. Logging fingerd in Perl. loginlog.c.Z. Netlog. Spar. surrogate-syslog. Logging Utilities. chklastlog. chkwtmp. trimlog. L5. traceroute. Intrusion Detection Tools. ASAX (Advanced Security Audit Trail Analysis on UNIX). Argus. ARP Monitor. ARPWATCH 1.3. Gabriel. Hobgoblin. md5check. NETMAN. nfswatch. NID (Network Intrusion Detector). NOCOL (Network Operations Center On-Line). noshell. Raudit. RIACS Intelligent Auditing and Categorizing System. Swatch. swIPe. TAMU Check Integrity Script. Tripwire. Watcher. X Connection Monitor. System Status Reporting Tools. Cpm (Check Promiscuous Mode). Dig. Fremont. Icmpinfo. host. ident. Ifstatus. lsof. STROBE. TCP Port Probing Program. tcpwho. Mail Security Tools. Alphanumeric Pager via E-mail. PGP. RPEM (Rabin Privacy Enhanced Mail).

Appendix H: Password Breaking Tools.
scannt.exe. cbw.tar.Z. Crack. Password Checking Routine. UFC-crypt.

Appendix I: Access Control Tools.
deslogin. Drawbridge. kerberos. md5. Permissions. skey. Snefru 2.5.

Appendix J: Glossary of World Wide Web Terms.
Bibliography.
Index.
Excerpt
Preface


Protecting Your Web Site with Firewalls


This book was designed to be a sort of "night-table" book for Webmasters, Web site administrators, and systems administrators involved with Web site security. It is a practical guide to protecting a Web site utilizing firewalls. It is not a high-level technical book, although it will be very useful for veterans as it serves as a practical guide, being objective, yet very broad.


This book was written for all sorts of Information Systems and Technology (IS&T) professionals who are becoming more and more involved with Cyberspace, either by opinion, or . . . by condition! I know that many systems and Local-Area Network (LAN) administrators, as well as systems managers, generally involved with LAN administration and networks, are now inheriting all aspects of Web site setup and administration, as well as security. This book is for those who do not have enough time to dig into the more technical aspects of Web security but need reliable alternatives for Web site protection. It offers quality information, with lots of practical examples and illustrations, step-by-step instructions, and most important, in a conversational and comprehensive way.


Protecting Your Web Site with Firewalls will help you to design and implement security using firewalls and proxy servers as an alternative. Of course, a firewall alone will not guarantee this protection, even for Web sites. Even though Web security can be a complex task, with a realistic security policy and planning you can have a fairly secure site.


Of course, there is no way you can have a 100 percent secure site. Still, just as in a symphony, a lot will depend on the instruments (or hardware) that will play (or interact) together, the concert (or operating system) you will be playing, and the arrangement (or networking) you are presenting at your site. Also, what you want your audience (or users) to be able to do, and not do, will make a lot of difference.


If you have ever attended a concert, you know they can vary in size and shape. This book provides you with enough case studies, rules, examples, do's and don'ts, as well as lots of resources for you to understand how this "symphony" is supposed to work, select the best model, and be able to maintain it.


Before we go any further you need to understand what a firewall is and how it can help you protect your Web assets and the interests of your users. Basically, a firewall allows you to restrict unauthorized access between the Internet and your internal network. It exists to work as a blockage to keep unauthorized connections and outside attackers from penetrating your internal network as well as prevent inside connections from reaching the Internet without any authorization. By monitoring inside users, firewalls can prevent them from sending dangerous information, such as unencrypted passwords or sensitive corporate data, to the "wild Internet."


According to the American National Security Agency (NSA), attacks to systems connected to the Internet are becoming more and more complex, thus much more dangerous. For instance, hackers today have the ability to penetrate computer systems using "logic bombs," which are coded devices that can be remotely detonated, electromagnetic pulses, and "high emission radio frequency guns," which blow a devastating electronic "wind" through a computer system.


In order to protect your Web site and keep such attacks from threatening your systems, you must rely on effective security systems, which are not limited to password encryption or proxies but extend beyond them, combining firewalling hardware and software, as well as a designed security policy adoption and implementation.


Before implementing firewalls at your site, it is important to establish a security policy that takes into consideration services to be blocked and allowed. It should also consider implementation of authentication and encryption devices and the level of risk you are willing to undertake in order to be connected to the Internet.


This book will discuss all of these topics and the issues involved when dealing with Web site security and administration. It will go over all the services, such as TELNET, FTP, e-mail, and news: services you can (and cannot) offer through the Web and the security implications and limitations of each one of them.


This book is divided into four parts and ten appendixes. Part I, "Planning for Web Security," is composed of four chapters discussing the need for setting up a security plan for your Web site and what it involves. It addresses the threats and risks a Web site incurs once connected to the Internet and the basic requirements demanded by a Web site. It also covers the financial issues associated with the lack of security, as well as its implementation and some of the strategies for protecting your site. You will have the opportunity to review case studies addressing these issues.


Chapter 1, "Why Protect Your Web Site?," addresses what you should be protecting (e.g., information, your clients and users, transactions, privacy) and why. It also addresses some forms of threats you should be aware of, such as spoofing, e-mail fraud, and breaking of confidentiality. Finally, it presents case studies and some of the alternatives in protecting your Web site and the role of firewalls in doing so.


Chapter 2, "Web Security Requirements," outlines the basic requirements for having a safe Web site. It addresses requisites, such as confidentiality being your responsibility, the need for transactions, and data integrity. It explains the importance of integrating security through proxies, gateways, and firewalls, the advantages of monitoring traffic and number of hits as a security aid, and the importance of having a quality transmission service.


Chapter 3, "Financial Issues," explores the financial implications associated with security. It looks at the potential costs associated with a break-in into your site, the protection of financial transactions, and other financial issues related to the preservation of customers.


Chapter 4, "Strategies for Protecting a Web Site," explores basic security strategies. It describes how to recognize weaknesses in your site and presents defense options and ways to keep it simple.


Part II, "Implementing Web Services," describes how to implement Internet services on the Web in light of security. It lists some of the most common implemented services and discusses the risks associated with each one of them.


Chapter 5, "Conferencing," discusses some of the conferencing technologies available and provides a configuration checklist for implementing them as well as a security checklist to check against.


Chapter 6, "Electronic Mail," reviews some of the industry's standard protocols, their characteristics, and how they interact with the Web. It also provides a configuration checklist, with loopholes to watch for, and a security checklist for your review.


Chapter 7, "File Transfer Protocols," describes the file transfer protocols available and their applicability to the Web, as well as security holes to be aware of.


Chapter 8, "News Gateways," describes how news gateways work and interact with the Web. It looks closely at the Network News Transfer Protocol (NNTP) and its security issues and provides a list of recommendations, with do's and don'ts, when implementing it.


Chapter 9, "The Web and HTTP Protocol," based on the Web security requirements discussed in Chapter 2, shows how to build a security policy using Hypertext Transmission Protocol (HTTP). It discusses the proxying characteristics of HTTP and its security concerns. It explores Secure HTTP (S-HTTP) as well as the use of the Secure Sockets Layer (SSL) for enhanced security.


Part III, "Administration: Securing Your Web Site with Firewalls," discusses how to set a firewall through authentication systems and encryption. It outlines preventive and curative planning and explains routine maintenance and how to keep track of it as well as ways of recycling your firewall. It also prepares you to deal with a break-in, providing a to-do list of actions that should be taken, including trying to catch an intruder and the revision of security. This section explores what the legal system has to say about pursuing the intruder, and what laws are available, in terms of "cyberlaw," to protect your interests.


Chapter 10, "Firewall Design and Implementation," describes in detail what a firewall is and how packet filtering works. It discusses proxy servers and socks implementation and presents the TIS toolkit and a sample configuration for basic protection of a site using these tools and firewalling schemes. Lastly it introduces the concept of a bastion host, its design, and implementation, as well as management.


Chapter 11, "When Things Don't Go Well: The System Perspective," describes how to deal with an incident and how to prepare a to-do list in case one happens. It also explores what can be done when trying to catch an intruder and the importance of reviewing security afterwards.


Chapter 12, "Pursuing Intruders: The Legal Perspective," describes what the legal system has to say by introducing a new term: cyberlaw. It looks at ways to protect your Web site from the legal perspective and what can be done today to prosecute a hacker.


Part IV, "Appendixes," consists of ten appendixes.


Appendix A, "Resellers and Firewall-Related Resources," contains a list of major resellers you can contact for information and help with Web security. Appendix B, "Firewall Products," lists a number of the firewall products available and where to get them. Appendix C, "Web Server Products," contains a list of the main Web server products available on the market, makes a comparison between them, and says where to get them. Appendix D, "Internal Vulnerability Scanning Tools," provides a list of tools designed to check for internal vulnerabilities such as easy passwords, configuration problems, and misbehaving domains. Appendix E, "Patches and Replacements," discusses patches designed to increase security and robustness of servers. Appendix F, "Advanced Authentication and Password Enhancing Tools," describes tools to enhance security such as applications that check for bad passwords. Appendix G, "Auditing and Intrusion Detection Tools," provides a list of tools to aid auditing and intrusion detection. Appendix H, "Password Breaking Tools," provides a list of most of the password breaking tools available. It is intended for reference only! It is a good idea to be aware of these tools and how they work. Appendix I, "Access Control Tools," describes tools to enhance access control. Appendix J, "Glossary of World Wide Web Terms," provides a collection of terms, acronyms, and specifications generally used on the Internet and Web.


Audience


This book is aimed primarily at those involved with the management and security of Web sites. However, it is a useful book for everyone concerned with Web security.


Platforms


For the most part, this book focuses on Windows NT and Windows 95-based servers. However, it does mention and briefly discuss Novell and UNIX-based Web servers as well as Macintosh. Some of the tools listed in the appendixes are intended for UNIX-based servers as well. Nevertheless, much of the information provided in this book is applicable to any platform.


Still, most of the examples and screenshots are oriented to either Windows NT or Windows 95 as there is clearly an increasing demand for them, as more and more Web sites are being powered by software developed for these platforms. We must acknowledge that most of the tools and resources are UNIX oriented, as presently the freely available tools are still part of the UNIX world. Also, I must say, my own experience with Web technologies is mainly in the Windows NT/95 world.


Comments and Questions


Comments and questions should be addressed to Marcus Goncalves at goncalves@process.com.

