Internet Site Security

Erik Schetina, CISSP, is the CTO for TrustWave Corporation (http://www.trustwave.com). He spent 14 years with the U.S. Department of Defense (DoD) developing information security systems and public key cryptosystems. He has worked with national and international firms to develop managed security and intrusion detection systems. He is a member of the Information Security Consortium and a Certified Information Systems Security Professional (CISSP). Ken Green is a senior security engineer for TrustWave Corporation where he works extensively on intrusion detection systems, firewalls, and virtual private network initiatives. A former technical director and senior electronic engineer for the DoD, Ken is a recognized expert in the areas of telecommunications and data network analysis and protocols, including TCP/IP, IPsec, VPNs, Microsoft Networking, ATM, SONET/SDH, Frame Relay, and SS7. Jacob Carlson is a senior security engineer for TrustWave Corporation. His primary role is leading the penetration testing and vulnerability assessment team. In his copious free time he likes breaking things and writing code. 0672323060AB03282002

Introduction.


1. Core Concepts: Risks, Threats, and Vulnerabilities.


First Steps.



Defining Your Assets.



Proprietary Information and Intellectual Property.



Company Reputation or Image.



Business Processes.



Threats Agents.



Insider Threats.



Outsider Threats.



Determining Risk.



Summary.



2. Developing a Trusted Internet Infrastructure.


The Motivation for Security.



What Constitutes Security?



The Security Process.



Assessment and Policy.



IA Programs.



Organizational Assessment.



Policy Development.



Operational Policies and Procedures Development.



Technical Assessments.



Asset Protection.



Implementing the Security Policy.



Protective Devices.



Monitoring and Detection.



Log File Review.



Intrusion-Detection Systems.



Data Fusion.



Response and Recovery.



Summary.



3. Infrastructure Components: A 10,000-Foot View.


Understanding and Connecting to the Internet.



Internet Service Providers.



What Does an ISP Provide?



Security Implications of Choosing an ISP.



Transporting Information.



Addressing.



Networks.



Routing.



Overview of TCP/IP.



The Domain Name Service.



Management of the Internet.



The ICANN.



Domain Name Registries.



whois Databases.



What Makes the Internet (In)Secure?



Inherent Insecurity of the Technology.



Implicit Trust.



Lack of Authentication.



Anonymity.



Lack of Privacy.



Lack of Centralized Security Management and Logging.



Day-to-Day Security Is Hard!



Why Is the Internet Attractive to Businesses?



Application Services.



Media and Data Delivery.



Information Services.



Financial Services.



Products.



Summary.



4. Network and Application Protocols: TCP/IP.


Introduction: The Importance of Knowing the Details.



A Brief History of Networking and Protocols.



The ARPANET.



NSFnet.



The Commercialization of the Internet.



The OSI Model and Relevance to TCP/IP.



Data-Link Layers: Moving Data Across a Single Link.



Network Layers: Moving Data Across a Series of Links with IP.



Routing Protocols.



ICMP.



The Domain Name System (DNS).



Revisiting the Data Link Layer: Ethernet and IP.



Configuring a Host to Work on an IP Network.



Transport Layers: Moving Data Reliably with TCP (and Not So Reliably with UDP).



Multiplexing with UDP.



Adding Reliability with TCP.



Controlling TCP Connections.



Common Well-Known Ports.



Common Application-Layer Protocols.



Common Internet Applications.



UNIX Remote Procedure Calls.



SNMP.



Microsoft Networking Protocols and TCP/IP.



A Brief History of IBM and Microsoft Networks.



NetBIOS Names.



NetBIOS over TCP (NBT).



SMB and File Sharing.



The Network Neighborhood and the Browser Protocol.



Microsoft Remote Procedure Calls.



General Configuration Tips for Home Networks.



Summary of Microsoft Networking Protocols.



A Brief Overview of Other Networking Protocols.



Summary.



5. In-Depth with Protocols and Building Blocks.


Secure Protocols.



Implementing Secure Protocols.



Network-Layer Implementations.



Virtual Private Network Protocols and Encapsulation.



IPSec.



Point-to-Point Tunneling Protocol (PPTP).



Layer 2 Forwarding.



Layer 2 Tunneling Protocol (L2TP).



Secure Socket Layer (SSL).



Wired Equivalent Privacy (WEP).



Secure Shell (SSH).



SSH Authentication.



SSH Server Authentication.



Tunneling with SSH.



Authentication Systems.



Passwords.



Challenge/Response Mechanisms.



Biometric Mechanisms.



Digital Certificates.



Summary.



6. Example Network Architectures and Case Studies.


Bringing It All Together.



The Enterprise Network.



A Typical Enterprise Network.



External Threats.



Securing External Links.



Internal Links and Threats.



Small Office/Home Office (SOHO).



Web Sites.



Outsourced Web Hosting.



Content Delivery Sites.



E-Commerce Sites.



Summary.



7. Operating System and Server Software Issues.


Windows NT and 2000 Security Concepts.



Authentication, Access Tokens, and Security Identifiers.



Object Access Control Lists.



Remote Procedure Calls (RPC) and the Component Object Model (COM).



Security Mechanisms for RPC/COM.



Hardening Windows.



Tightening Windows User Rights.



Auditing Security Events.



Linux Security Concepts.



Overview of the Linux Kernel.



Overview of Linux User Space.



Linux File System Permissions.



Linux Authentication Mechanisms.



How PAM Works.



The Structure of /etc/pam.conf.



PAM Examples.



UNIX Network Services and How to Secure Them.



Remote Access/File Transfers.



Graphical User Interfaces.



RPC.



NFS.



Application Software Security.



Starting with a Secure OS.



Web Server Security.



Mail Server Security.



Name Server Security.



FTP Security.



Summary.



8. Attack Scenarios.


Denial-of-Service Attacks.



One Shot, One Kill DoS Attacks.



System Resource-Exhaustion DoS Attacks.



Network Abuse.



Amplification Attacks.



Fragmentation Attacks.



Distributed Denial-of-Service Attacks.



System-Penetration Techniques.



Reconnaissance.



Gathering Network Information.



Network Probes and Detection-Evasion Techniques.



Network Sweeps.



Network Routing Information.



Gathering Information About Individual Systems.



Vulnerability Determination and Choosing Targets.



Compromising a System.



./0wnit.



Password Guessing.



Using Targeted Viruses and Trojans.



Extending the Reach.



Sniffing the Wire.



Exploiting Trust Relationships.



Summary.



9. Protecting Your Infrastructure.


What Is a Firewall Supposed to Do?



Firewall Functions.



Firewall Ancillary Functions.



The Basic Firewall Types.



Packet-Filtering Firewall.



Stateful-Inspection Firewall.



Application Proxy Firewalls.



Hybrid.



Air Gap.



Secondary Firewall Features.



Address Translation.



Antispoofing.



Utilization with VLANs.



VPN Capabilities.



Management Capabilities.



Authentication.



High Availability.



Firewall Platforms.



Third-Party Integration.



DoS Prevention Features.



Performance.



Implementation Issues and Tips.



Firewall Architecture.



Intrusion Detection.



Translation Issues.



Complex Rule Sets.



Logging, Monitoring, and Auditing.



Firewall Vulnerabilities.



Covert Channels.



Firewall Bugs.



Summary.



10. Watching the Wire: Intrusion-Detection Systems.


What Is IDS?



How Internet Sites Utilize IDS.



The Different Types of IDS.



IDS Capabilities.



TCP/IP Tests.



NetBIOS over TCP/IP (NBT).



Other Networking Protocols.



Ethernet and Other Data-LinkLayer Headers.



Application-Layer Protocols.



Application Data.



File Integrity.



Log Processing.



Counter-IDS Techniques.



Volume, Volume, Volume.



IP Fragmentation and TCP Segmenting.



Evasion via Application-Layer Encoding.



Other IDS Avoidance Techniques.



DoSÕing an IDS.



Practical IDS Implementation Issues.



Switched Networks.



Encryption.



Tuning Your IDS Sensors.



IDS Management.



Security Responsibility.



Staffing.



Privacy Issues.



Incident Response and Recovery.



Severity of IDS Events.



Automated Response.



Tier 1 Response.



Responding to Real Incidents.



Hacking Back: Just Say No!



Do It Yourself or Outsource?



Summary.



11. Incident Response and Forensics.


What Constitutes Incident Response?



Preparing for an Incident.



Maintaining Log Files.



Maintaining User Accounts.



Timestamping.



Creating Banners.



Creating Checksums.



Real-Time Incident Response.



Response Policy.



Response Procedures.



Organizational Roles and Responsibilities.



Training.



Remediation.



What Constitutes an Electronic Crime?



Admissibility of Digital Evidence.



Chain of Custody and Documentation.



Importance of Licensed Software.



Investigator Credentials.



Liability and Right to Privacy Issues.



Investigation Techniques.



Securing the Crime Scene.



Shutting Down Equipment.



Copying Hard Drives and Floppies.



Searching Hard Drives.



Conducting a System Audit.



Tracking the Intruder.



Case Studies.



Web Site Hack.



The Unstable IT Employee.



Employee Misuse of Company Resources.



A Few Words on Anonymous Postings.



Working with Law Enforcement.



Summary.



References.



12. Developing Secure Internet Applications.


Common Sources of Programming Mistakes.



Metacharacters.



Danger of Metacharacters.



Working Safely with Metacharacters.



Exploiting Executable Code.



Buffer Overruns.



An Example: String Functions in C.



How Buffer Overflows Are Utilized by Hackers.



Format String Bugs.



A Final Word on Executable Code Exploits.



Application-Level Security.



Cookies.



Source IP Addresses.



Effective Session Management.



Replay Attacks and Session Security.



Credential Checks Within the Application.



Example: Access Control for a Trouble-Ticketing System.



Coding Standards and Code Reviews.



Summary.



Index. 0672323060T03282002