Internet Site Security
About the authors
Erik Schetina, CISSP, is the CTO for TrustWave Corporation. He spent 14 years with the U.S. Department of Defense developing information security systems and public key cryptosystems. Jacob Carlson is a senior security engineer for TrustWave Corporation. His primary role is leading the penetration testing and vulnerability assessment team. In his copious free time he likes breaking things and writing code. Ken Green is a senior security engineer for TrustWave Corporation where he works extensively on intrusion detection systems, firewalls, and virtual private network initiatives.
When you read biographies like the ones above you can be somehow reassured that the content of the book is good. All of the authors come from TrustWave Corporation and the fact that they work together has influenced the writing of this book, in a very good way.
The basics
At the very beginning of the book the authors show us that the starting point of building a secure environment is not the implementation of a solution but rather the definition of the assets we want to protect. You have to know what threatens your assets in order to choose the best security solution.
The authors successfully illustrate how different things such as system administration, policy and audits fit into an overall security plan. Throughout the book, the authors educate the reader by making sure he sees "the big picture." The bottom line is that "the transition from a techie to a security professional consists in recognizing the importance of all the components of security." In the second chapter some great material is covered: a description of the security process, assessment and policy, asset protection, monitoring and detection.
Which one is better?
When describing the way things can be done, the authors always give you the pros and the cons. For example, at one point they describe the difference between using commercial scanners in penetration testing and using a team of people who will do it by hand. They provide good pros and cons for both approaches, and that's one of the great things about this book: you always get to look at the other side of the coin.
The insecurities
What we all know is that the Internet is inherently insecure -- that's why this book was published in the first place. The authors explain why it's insecure, who administers it and how it works. Some of the topics presented here are: an overview of TCP/IP, the Domain Name Service (DNS), Whois databases, anonymity, and much more.
History is also present in this book. Chapter 4 begins with a brief overview of the history of the Internet and the TCP/IP protocol suite. Also mentioned is the Morris Worm (November 1998). As we move on, the DNS is explained in greater detail (with some security issues addressed specifically), and we are slowly presented with an abundance of technical details that stretches over several chapters. Some of the things that are explained in the book include: secure protocols, virtual private network protocols and encapsulation, the secure shell (SSH) and authentication systems.
As an inevitable part of a book of this kind, there's a part dedicated to passwords (and good rules for their generation), and another on digital certificates. The authors present the shortcomings of certificates as well as their best uses. Although neither of these is explained in great detail, you'll get a good overview of the topics presented.
Moving on, we get a plethora of information covering: firewalls, DMZs, VPNs, external and internal threats, the security of wireless networks, workstation management issues, intrusion detection systems and log processing, etc.
Operating systems
The book also gives some good information when it comes to operating systems and server software. Some of the covered topics include:
- Windows NT and 2000 - authentication, access tokens, security identifiers, object access control lists, tightening Windows user rights, etc.
- Linux - overview of the Linux Kernel, file system permissions, authentication mechanisms, how PAM works, etc.
- Server security: web, mail, FTP, etc.
If you want information about attacks, denial of service attacks are covered in great detail, along with many other attack scenarios. Since you also want to protect yourself from all of these attacks, there's naturally much material dedicated to firewalls: their functions, implementation issues and vulnerabilities. Now that's not enough, is it? Now you want more. There's a whole chapter dedicated to intrusion detection systems and one dedicated to incident response and forensics. The chapter on incident response and forensics will be of particular interest to all of you who want more knowledge of legal and privacy issues.
Secure Code
To complete the book, there's a chapter dedicated to developers, which discusses the development of secure Internet applications. Here you'll read about common sources of programming mistakes, exploiting executable code, application-level security, coding standards, and more.
The verdict
This book manages to shed new light on the problems of security implementation by explaining the position of the system administrator and the position of the IT manager, in order to make them both understand their role in the overall process of security in the company. It's a good idea to give it to both your IT manager and your system administrator; they will both learn from it and in the process start to understand each other on a new level. With this book, you basically learn to think on a larger scale.
There are not many downsides. There are basically only two things that I didn't like about this book: the lack of resources and, in parts, the writing style. There are not enough resources listed, and I always like to be pointed to more information. As regards the writing style, it's obvious that this book was not meant to entertain in any way, but it sometimes seems a bit too serious. I always believed that learning should be fun. That's just me :)
Overall, this is an excellent book, two thumbs up!
If you're interested in hearing what one of the authors of the book has to say, you can check out an interview with him here. You can purchase Internet Site Security from bn.com.
Well, here was me thinking that the morris worm was in 1988, not 1998.
-- Hulver's site
I don't want to wade through 1500 pages of crap if the text can be condensed into 50 pages. I always got pissed off at those certain Linux books that had 100 pages of introductory material written by the author and 1400 pages of reprinted HOWTOs and man pages. That just plain sucks.
K&R book was OK. Anything beyond 500 pages is way too much, unless you're aiming at "The World Explained for Really Dumb People: From Physics to Philosophy"
Most of those huge books contain several hundred pages of pure reference in the back - for example, a large number of appendices. An html book I have here contains quick tag listings, number-->symbol conversions, etc. Sometimes they're more useful than the rest of the book's content.
I alternate between posting +5 and -1 Comments. Karma: +53 -47 = 6
at the end of the review. If you decide to buy this book consider using the /. clickthrough link. It generates revenue for the /. crew, and is a convenient way to shop. This is a new feature outside of the OSDN advertising. So support Rob and the crew directly and click on that link.
If we don't fight for ourselves no one will.
Looks like you can pick it up for about US$35.99 (I have no connection to this vendor).
When you have nothing left to burn you must set yourself on fire
Contrary to popular belief, it isn't impossible to run IIS and not get hacked. ;)
We ran about 30 of them, and if you are clever about it, you can do all kinds of things to keep the bugs out.
Step 1. Remove all mappings apart from asp.dll
Step 2. Keep web content on a different drive to the system (thus negating ../../../cmd.exe stuff)
Step 3. Disable, and never use, the default website.
With those 3 things, you don't get affected by about 60% of the bugs.
Add things like making all the static content read-only, and only allowing a certain secured, firewalled server to update the DBs, and you're almost there. Disallow any net connections originated by the webservers (with exceptions of course) and you rule out strange shells making connections to IRC servers, etc.
The only other thing is then to STAY PATCHED.
Having said what I've said, I wouldn't like to do it again. Keeping those things secure took up so much of my time. Should it be a full time job to keep webservers running securely?
rpm --freshen -vah apache*.rpm anyone?
Now I have lots more time to do more interesting things
Get your own free personal location tracker
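The rationale behind step 2 in the post above (a ../../../cmd.exe request can only reach what lives on the same drive as the web content) is easier to see next to a webroot containment check, the control that is supposed to stop such a request in the first place. The following is an added example written for this page; it is not code from the Slashdot poster or from the book. The webroot, the function names and the sample requests are constructed for illustration, and the check goes a little beyond the post by also handling percent-encoded and backslash forms of the same traversal.

```python
# Added example, not from the Slashdot post or the book reviewed above.
# Webroot containment check: decide whether a requested URL path stays inside
# the web content directory. Webroot, function names and sample requests are
# constructed for illustration.
import posixpath
from urllib.parse import unquote

# Constructed webroot; must be an absolute directory other than "/" (on the
# poster's IIS boxes this was a separate drive, e.g. D:\wwwroot).
WEBROOT = "/srv/www"

# Constructed sample requests: two ordinary ones and three traversal attempts
# of the kind the post calls "../../../cmd.exe stuff" (plain, percent-encoded
# and backslash-separated).
SAMPLE_REQUESTS = [
    "/index.html",
    "/images/../docs/guide.html",
    "/scripts/../../../winnt/system32/cmd.exe",
    "/scripts/..%2f..%2f..%2fwinnt/system32/cmd.exe",
    "/scripts/..\\..\\..\\winnt/system32/cmd.exe",
]


def decode_path(raw, max_rounds=3):
    """Percent-decode until the string stops changing, so an encoded '..'
    cannot hide from normalisation. Refuse paths that never settle."""
    current = raw
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            return decoded
        current = decoded
    raise ValueError("path still changing after %d decoding rounds" % max_rounds)


def resolve_under_root(webroot, request_path):
    """Map request_path onto the filesystem. Return the resolved path if it
    lies inside webroot, or None if it escapes or is malformed."""
    try:
        decoded = decode_path(request_path)
    except ValueError:
        return None
    if "\x00" in decoded:                  # a NUL would truncate the path in a C runtime
        return None
    decoded = decoded.replace("\\", "/")   # Windows servers treat both as separators
    root = webroot.rstrip("/")
    resolved = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Containment: the result must be the webroot itself or strictly below it.
    if resolved != root and not resolved.startswith(root + "/"):
        return None
    return resolved


def triage(webroot, requests):
    """Return {request: 'serve <path>' or 'reject'} for a batch of requests."""
    verdicts = {}
    for req in requests:
        path = resolve_under_root(webroot, req)
        verdicts[req] = "reject" if path is None else "serve " + path
    return verdicts


if __name__ == "__main__":
    for req, verdict in triage(WEBROOT, SAMPLE_REQUESTS).items():
        print("%-50s %s" % (req, verdict))
```

The check canonicalises the request (decode, unify separators, normalise) before comparing it with the webroot, and rejects anything that lands outside. The poster's drive separation is the second layer: a request that slips past a buggy version of this check still finds no cmd.exe on the content drive.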
Did anyone notice that there is a newer book available on amazon.com than the book mentioned in the text above? The publisher is now Addison Wesley Professional and it is also a little bit cheaper. It has the same number of pages and seems to be the same edition.
.sigh
I like to take the initials of a sentence. For example,
"I like to take the initials of a sentence" -> "iltttioas"
You can do things like alternate case and add symbols before/after.
Prescriptive grammar:linguistics
Tons of papers on site security
www.cgisecurity.com/lib
Some people buy cars with the turning radius of an oil tanker, books with 10 pages of useful content and 1000 pages of bug-ridden listings, and big plastic boxes with a couple of silicon chips in them, so maybe this is a cultural thing. I leave admiring the bigger is better idea to personal attributes (Jouko Ahola/Lola Ferrari/Filip Smirnov for example) or possibly monumental architecture rather than consumer items.
Why would you post such a high price? You can get it much cheaper... $23.95.
BTW, the $ symbol tells everyone it is US currency, hence the US is redundant in your price post.
If you're interested in writing secure applications for Linux/Unix systems, take a look at my free book, Secure Programming for Linux and Unix HOWTO, available at http://www.dwheeler.com/secure-programs.
- David A. Wheeler (see my Secure Programming HOWTO)
Just use a Mac. Not one exploit ever for mac webservers according to huge BugTraq database.
You cannot use the Unix OS X Mac OS, it has already had over 30 remote exploit weaknesses that had to be patched.
I am talking about using a commercial webserver program on Mac OS 8.x or 9.x
9.2.2 is the latest Mac OS, yet NO Mac OS from 8.x through 9.2.2 has ever had one remote weakness that did not involve specific user interaction to cause a problem, the defaults are very secure.
In fact so secure not one mac server has ever been compromised, though at one point a 3rd party addon cgi tool was found to be buggy and could cause a problem back in 1995 I believe. I forgot its name.
I do not care for a reply to this. Therefore by definition, it is not a troll. I am sick of linux fans moderating "0" posts to -1 because they cannot handle the fact that NOT ONE REMOTE EXPLOIT FOR MAC OS exists and has ever been published or used.
And, yes, Macs are fast, and cached static pages are the same speed on almost any OS, and WebStar 4.0 is fully featured.
This 1400 page book should mention that a mac would give you 7 years of hassle free no-exploit web serving.
Macs have no filename extensions, nor heavy usage of C strings (null terminated), nor root account, nor shell, nor dangerous way to pass return addresses, and avoid Intel, making hacking a little more difficult; also Macs require files to have a second invisible file associated with them called a "resource fork" to execute, and network tools typically will not create these resource forks. There are countless reasons Macs have not been exploited remotely.
I find it both sad and amusing that people try to publish books about topics without first addressing the fact that there are more secure platforms for webserving. Most of these short-sighted me-too security bandwagons concentrate on the porous Unix/Linux offerings, or MS weaknesses,
It is a concrete fact that no MacOS based webserver has ever been hacked into in the history of the internet.
The MacOS running WebStar and other webservers has never been exploited or defaced, and is unbreakable based on historical evidence.
In fact in the entire SecurityFocus (BugTraq) database history there has never been a Mac exploited over the internet remotely.
That is why the US Army gave up on MS IIS and got a Mac for a web server.
I am not talking about FreeBSD derived MacOS X (which already had more than 30 exploits and potential exploits). I am talking about current Mac OS 9.x and earlier.
Why is it hack proof? These reasons:
1> No command shell. No shell means no way to hook or intercept the flow of control with many various shell oriented tricks found in Unix or NT. Apple uses an object model for process to process communication that is heavily typed and "pipe-less"
2> No Root user. All Mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stuff where you pass Gary Davidian's birthday into certain registers and make a special call). By always being root there is no false sense of security, and programming is done carefully.
3> Pascal strings. ANSI C strings are the number one way people exploit Linux and Wintel boxes. The Mac avoids C strings historically in most, if not all, of its OS. In fact even its ROMs originally used Pascal strings. As you know Pascal strings (length prefixed) are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is fewer buffer exploits. Individual 3rd party products may use C strings and bind to ANSI libraries, but many do not. In case you are not aware of what a "Pascal string" is, it usually has no null byte terminator.
4> Macs running Webstar have ability to only run CGI placed in correct directory location and correctly file "typed" (not mere file name extension). File types on Macs are not easily settable by users, especially remotely. Apache as you know has had many problems in earlier years preventing wayward execution.
5> Macs never run code ever merely based on how a file is named. ".exe" suffixes mean nothing! For example the file type is 4 characters of user-invisible attributes, along with many other invisible attributes, but these 4 bytes cannot be set by most tool oriented utilities that work with data files. For example file copy utilities preserve launchable file-types, but JPEG MPEG HTML TXT etc oriented tools are physically incapable by design of creating an executable file. The file type is not set to executable for the hacker's needs. In fact it's even more secure than that. A Mac cannot run a program unless it has TWO files. The second file is an invisible file associated with the data fork file and is called a resource fork. EVERY Mac program has a resource fork file containing launch information. It needs to be present. Typically JPEG, HTML, MPEG, TXT, ZIP, C, etc are merely data files and lack resource fork files, and even if they had them they would lack launch information. But the best part is that Mac web programs and server tools do not create files with resource forks usually. TOTAL security.
6> Stack return address positioned in safer location than some Intel OSes. Buffer exploits take advantage of loser programmers' lack of string length checking and clobber the return address to run their exploit code instead. The Mac compilers usually place the return address in front or out of context of where the buffer would overrun. Much safer.
7> There are fewer Macs, though there are huge cash prizes for cracking into a MacOS based WebStar server (typically over $10,000 US). Fewer Macs means less hacker interest, but there are MILLIONS of Macs sold, and some of the most skilled programmers are well versed in systems level Mac engineering and know of the cash prizes, so it's a moot point, but perhaps Macs are never kracked because there appear to be fewer of them. (Many Macs pretend they are Unix and give false headers to requests to keep up the illusion: ftp, http, finger, etc.) But some huge high performance sites use load-balancing WebStar. Regardless, no Mac has ever been rooted in the history of the internet, except with a strange 3rd party tool in 1995.
8> MacOS source not available traditionally, except within apple, similar to Microsoft source only available to its summer interns and engineers, source is rare to MacOS. This makes it hard to look for programming mistakes, but I feel the restricted source access is not the main reasons the MacOS has never been remotely broken into and exploited.
Sure a fool can install freeware and shareware server tools and unsecure 3rd party addon tools for e-commerce, but a mac (MacOS 9) running WebStar is the most secure web server possible and webstar offers many services as is.
One 3rd party tool created the only known exploit backdoor in Mac history and that was back in 1995 and is not, nor was, a widely used tool. I do not even know its name. From 1995 to 2002 not one Macintosh web server on the internet has been broken into or defaced EVER. Other than that event or a rogue 3rd party CGI tool ages ago in 1995, no Mac web server has ever been rooted, defaced, owned, scanned, exploited, etc. The few mistaken defacements recently attributed to Mac OS are actually Mac OS X (Unix) events.
I think it's quite amusing that there are over 200 or 300 known remote exploit vulnerabilities in RedHat over the years and not one MacOS 9.x or older remote exploit hack. There were even vulnerabilities a month ago in OpenBSD! Each month vulnerabilities in XP arise.
Not one remote exploit. And that includes Webstar and other web servers on the Mac.
A rare set of documentation tutorials and exercises on rewriting all buffer LINUX exploits from INTEL to PowerPC was published less than a year ago. The priceless hacker tutorials were by a linux fanatic : Christopher A Shepherd, 3036 Foxhill Circle #102, Apopka, FL 32703 and he wrote the tutorials in a context against BSD-Mach Mac OSX. but all of his unix methods will find little to exploit on a traditional MacOS server.
BTW this is NOT an ad for WebStar.. the recent versions of WebStar sold over the last year are insecure and cannot run on Mac OS 9.x or 8.x, and only run on the repeatedly exploited MacOS X.
--- too bad the linux community is so stubborn that they refuse to understand that the Mac has always been the most secure OS for servers.
BugTraq concurs! As does the WWW consortium. So you do not need a book to teach you how to pathetically try to secure a website, just use a Mac, as many colleges and large media sites do, and most commercial airlines for their in-house security.