Home > Store > Network Technology > General Networking > Web Security Field Guide

Web Security Field Guide

View Larger Image

Published: Nov 8, 2002
Copyright 2003
Dimensions: 7-3/8" x 9-1/8"
Pages: 608
Edition: 1st

Book
ISBN-10: 1-58705-092-7
ISBN-13: 978-1-58705-092-3

More Information

Description Extras Reviews Sample Content

Product Description

Hands-on techniques for securing Windows(r) servers, browsers, and network communications

Create effective security policies and establish rules for operating in and maintaining a security- conscious environment
Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations
Improve security at the end user's workstation, including web browsers, desktops, and laptops
Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority
Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists
Discover ways to test the current state of security and keep it up to date
Learn to engage end users as part of the overall network security solution

While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.

Web Security Field Guide provides you with hands-on, proven solutions to help patch the most common vulnerabilities of Windows(r) web servers and browsers within the context of an end-to-end network security architecture. Avoiding conceptual discussions of underlying technologies, the book spends little time discussing how each application works. Using plain language and lots of step-by-step examples, the book instead focuses on helping you secure your web servers and prevent the majority of network attacks. Divided into five parts, the book opens with an overview of essential background information and helps you establish working network security rules and policies. Parts II through IV teach you the techniques for hardening the operating system, the web server, and the browser. Part V of the book addresses overall network security, focusing on preventing and controlling access. Topics such as becoming a Certification Authority, Cisco PIX(r) Firewall, Cisco IOS(r) Firewall, access lists, ongoing security maintenance, and testing are all examined in-depth, providing an overall network security plan that can drastically reduce the risk to your business systems and data.

Full of diagrams, screen captures, and step-by-step instructions for performing simple tasks that can radically improve the security of your Internet business solutions, Web Security Field Guide is a practical tool that can help ensure the integrity and security of your business-critical applications.

Links

Read an interview with Steve Kalman, courtesy of Help Net Security. Help Net Security's site receives more than 430,000 page views per month.

Steve Kalman participated in a live forum January 22, 2003 to discuss Web security. Visit the Ask the Expert Forum on InfoWorld.com.

Customer Reviews

6 of 7 people found the following review helpful

Great Practical book with Tried and True Advice, November 26, 2002

Thomas Jerry Scott (Dauphin Island, AL USA) - See all my reviews

This review is from: Web Security Field Guide (Paperback)

To really understand Web security, you need to know how TCP/IP networks function, thoroughly understand the concept of network layering, and then fully grasp or as Heinlein would say "groc" the important details such as port numbers, etc., found in the IP and TCP headers.

Kalman shows his understanding of these areas by starting off with a concise discussion of these valuable items. This form the basis for the later Chapters.

To achieve computer security, you need a security policy. Kalman moves to this indespensible area next, covering the basics of this easy to understand, but difficult to implement, concept.

Achieving Web Security means securing your WEB browsers, hardening your operating systems on your Web Servers, hardening your WEB servers, securing the dataflow between browser and server, and finally, taking care of the entire Web environment.

Most writers seem to think that Web security is only about items such as hardening a WEB server, using something... Read more

Help other customers find the most helpful reviews

Was this review helpful to you?

Report abuse | Permalink

Comment

Share your thoughts with other customers:

› See the customer review...

Index

Download - 254 KB -- Index

(NOTE: Each chapter concludes with a Summary.)

Introduction.

I. THE FUNDAMENTALS OF WEB SECURITY.

1. Essential Information for Web Security Administrators.

Two Internetworking Models. OSI Reference Model. TCP/IP Model. Headers. Data Link Headers. Network Layer Headers. Transport Layer Headers. Shims. Above the Transport Layer. Telnet. HTTP. SSL, TLS, and HTTPS. DNS. DHCP. NAT.

2. Security Policies.

Justifying Security. Security Defined. Kinds of Security Risks. Knowing the Enemy. The C-I-A Triad. Approaches to Risk Analysis. Solving Security with Technology. Security Policies. Contents of a Security Policy. Sample Password Policy. Example Security Policies. Creating Your Own Security Policy. Key Topics for Security Policies. Effectively Implementing Your Security Policy. Avoiding Failure.

II. HARDENING THE SERVER.

3. Windows System Security.

NT 4 Security. NT 4 File System Security. Securing the NT 4 File System. NT 4 Operating System Security. Securing the NT 4 Web Server. Windows 2000/XP Security. 2K/XP File System Security Templates. 2K/XP Operating System Security. Modifying Security Templates for Web Servers. One Final Task.

III. INSTALLING AND PROTECTING IIS.

4. IIS Installation.

Installing IIS4. Installing the NT-4 Option Pack. Installing IIS4 on NT-4. Installing IIS5. Windows 2000 Installation. Windows XP Installation.

5. Enhancing Web Server Security.

Web Servers Versus Development Servers. Locating Document Root. Logging. Limiting Access to Your Web Server. Enabling Basic Authentication. Setting Secure Authentication. Restricting Access Based on IP Address. Miscellaneous Security Enhancements. Moving the Metabase. Managing Web Server Access Permissions. Managing IIS5 Execute Permissions. Managing Application Isolation. Setting Advanced Security Configuration Options. Assigning Web Server Operators. Hosting Multiple Web Servers.

6. Enhancing the FTP Server.

Inner Workings of FTP. Network Diagram for FTP Examples. PORT Mode FTP. PASV Mode FTP. Secure FTP. RFC Status. Example of Secure FTP Product. Secure Server Installation. Secure Client Installation. Secure FTP in Action.

IV. PROTECTING THE USER.

7. Browser Security.

Dangerous Content. Java. JavaScript. VBScript. ActiveX. Four Zones. Setting Your PC for Zone Detection. Setting Security for the Internet Zone. Setting the Local Intranet Zone. Keeping Your Settings Intact. Cookies. How Cookies Are Used. How Cookies Are Abused. Managing Cookies.

8. Desktop/Laptop Security.

Acquiring IEAK6. Licensing the IEAK. Downloading the IEAK. Installing the IEAK. Configuring the IEAK. Gathering Setup Information. Specifying Setup Parameters. Customizing Your Setup Choices. Customizing the Browser. Specifying Additional Components. Finishing the Wizard. Building a Desktop. IEAK Profile Manager. Running the PM. Managing Multiple INS Files.

V. PROTECTING THE NETWORK.

9. Becoming a Certification Authority (CA).

Encryption Schemes. Symmetric Encryption. Asymmetric Encryption. CA Responsibilities. Types of Certificates. Verification of Identity. Contents of a Certificate. Maintaining a Certificate Revocation List (CRL). CA Chaining. Establishing Your Own CA. Installing Microsofts Certificate Server. Requesting a Server Certificate. IIS4 Certificate Request Technique. IIS5 Certificate Request Technique. Issuing the Server Certificate. Installing a Certificate on Your Web Server. IIS4 Certificate Installation Technique. IIS5 Certificate Installation Technique. Trusting Your Own CA. Browser Certificates. Requesting a Browser Certificate. Installing a Browser Certificate in IE. Requiring a Browser Certificate.

10. Firewalls.

Firewall-Protected Network Components. External Network. Packet Filtering Router. DMZ. Bastion Host / Firewall. Internal Network. Firewall Design. Classic Firewall. Chapman. Belt and Braces. Separate Services Subnet. Access Lists. Generic Access List Rules. Editing Access Lists. Standard Access Lists. Extended Access Lists. Using Access Lists. First Level Filtering. Sanity Checking. Protecting the Control Plane. Firewall Feature Set. Dynamic Access Lists. Context Based Access Control. TCP Syn Flood Protection. Cisco PIX Firewall. Comparing the IOS Firewall to the Cisco PIX Firewall. Overview of Cisco PIX Firewall Architecture. Configuring the Cisco PIX Firewall.

11. Maintaining Ongoing Security.

Patches and Fixes. Finding Available Patches and Service Packs. Deciding When to Apply the Fix. Automating the Decision Process: HFNetChk. Applying a Service Pack. Miscellaneous Risks. Public Access Ports. Wireless Security Risks. Unauthorized User Modification of Web Forms. Antivirus. Personal Firewalls. Installing ZoneAlarm. ZoneAlarm in Action. The Weakest Link. Why Worry?

12. What You Can Do.

Make Security Important to Your Staff. Physical Security. Password Security. Procedural Security. Telephone Security. User Awareness and Education. Closing Remarks.

VI. APPENDIXES.

Appendix A. Customizing Internet Explorer Error Messages.

Customizing Messages. Generating an Error. Creating a Custom Error Message. Installing the Custom Message in Internet Explorer. Testing Your Work.

Appendix B. Decoding Base64.

Capturing the Data. Translating from Base64.

Appendix C. Contents of the WSFG Web Site.

Home Page. Referenced Pages. Normal Page Contents. Basic. IPADDR. SSL.

Downloadable Sample Chapter

Download - 225 KB -- Chapter 2: Security Policies

Book

This product currently is not for sale.

By completing any purchase on Cisco Press, you become eligible for an unlimited access one-month subscription to Safari Books Online.

Get access to thousands of books and training videos about technology, professional development and digital media from more than 40 leading publishers, including Addison-Wesley, Prentice Hall, Cisco Press, IBM Press, O'Reilly Media, Wrox, Apress, and many more. If you continue your subscription after your 30-day trial, you can receive 30% off a monthly subscription to the Safari Library for up to 12 months. That's a total savings of $199.