Protecting your Web site with firewalls

62820-6 The complete Webmaster's guide to Website security. Whether you have a Website, an intranet, or both, Protecting Your Website with Firewalls is your end-to-end resource for maximizing security. This highly readable, hands-on book covers all the security choices associated with virtually every Internet resource, including: *WWW/HTTP. *Conferencing. *E-mail. *FTP. *News gateways/NNTP. *Telnet. Learn how firewalls, packet filtering, and proxy servers work-and how you can use them to protect your site with minimum cost, disruption, and complexity. Explore the leading HTTP security protocols, Secure-HTTP, and Secure Sockets Layer (SSL), as well as today's advanced authentication and encryption solutions. Then, walk step-by-step through planning, implementing, and maintaining your firewall and related security technologies. Protecting Your Website with Firewalls includes detailed checklists, step-by-step instructions, and case studies to help you identify common security gaps at your site-and systematically close them. Learn how to decide which resources are worth protecting-and which may not be worth the trouble.Finally, if you do have a break-in, the book shows you what to do next-both to improve security and to pursue the intruder. The accompanying CD-ROM includes the comprehensive TIS security toolkit for Windows NT servers. Protecting Your Website with Firewalls also contains comprehensive, up-to-date resource listings for: *Tools that can identify weaknesses and improve authentication and passwords. *Firewall products, resellers, and consultants. *Software patches to enhance security. Your Internet connection places your most critical business secrets at risk. With this conversational, thorough guide, you can dramatically reduce those risks now -and for years to come.

Foreword. Preface. Acknowledgements. List of Figures. I. PLANNING FOR WEB SECURITY. 1. Why Protect Your Web Site? What to Protect and Why. Protecting Information and Resources. Protecting Your Clients and Users. Preserving Privacy. Forms of Threat. Spoofing. E-mail Fraud and Risks. Web Client Threats. Web Server Threats. Transaction Security between Client and Server. Authentication. Confidentiality. Integrity. Errors and Omissions. Fraud and Theft. Discontented Employees. Industrial Espionage. Malicious Code. Breach of Confidentiality. Protecting Your Web Site. Alternatives. Basic Protection of Documents at Your Web Site. Authentication. The Role of Firewalls. Proxies. 2. Web Security Requirements. Web Requirements. Confidentiality. You Are Responsible! Integrity. Transactions between Client and Web Servers. Data Security. Integration. Firewall and Proxy Support. Gateways Support. Traffic. Monitoring Requests. Estimating Number of Hits. Transmission. Freshness of Transmission. Providing a Quality Service. 3. Financial Issues. Preventing Break-in Expenses. Protecting Financial Transactions. The SSL Protocol. The F-SSH Protocol. Preserving the User/Client Financial Information. Secure Electronic Transactions (SET). Offering Access to "Digital Money". First Virtual. DigiCash. Cybercash. Securing Your Site: Going to the Core. 4. Strategies for Protecting Your Web Site. Blocking Everything? When Is It Too Much? Recognizing the Weaknesses of Your Site. Choosing a Web Server Software. Highlights of the Main Windows NT-Based Products. Highlights of the Main UNIX-Based Product. Highlights of the Main Novell-Based Products. Windows NT Servers. Netscape Communications Server, Netscape Communications. WebSite, O'Reilly & Associates. Purveyor, Process Software Corp. Internet Information Server, Microsoft Corp. UNIX Servers. NCSA http. Apache Server. CERN httpd. Apache httpd. Netscape Server. IBM Internet Connection Secure Server for AIX. WN Server. Macintosh Servers. WebStar. MacHTTP. Security Options. Keeping It Simple. The Risk of Applets (Java Included!). II. IMPLEMENTING WEB SERVICES. 5. Conferencing. About Server. WebBoard. Agora. Internet Phone. DigiPhone. WebTalk. Pretty Good Privacy Phone. The Multicast Backbone (MBONE). Configuration Checklist. Security Checklist. 6. Electronic Mail. A CGI Script-Cgimail. An ANSI C Script-Simple CGI Email Handler. A Perl Script-Web Mailto Gateway. HTML Form Processing Modules (HFPM). TCL Scripts. CGI-Uniform. Security Issues. Configuration Checklist. Security Checklist. Cgimail Security Concerns. Forms of E-mail Threat-Spoofed E-mail. Forms of E-mail Threats-E-mail Bombing. Protecting Your E-mail Messages. 7. File Transfer Protocols. File Transfer Protocol (FTP). Taking Control of the FTP Server and User Access. Configuration Checklist. Is Your FTP Server Running Correctly? Is Your FTP Server Configured Right? Is Your Anonymous FTP Configuration Safe? Reviewing Your Anonymous FTP Configuration. Security Checklist. Avoiding Mr. Hacker! 8. The Network News Transfer Protocol (NNTP). News Gateways. News-WWW Gateway. The Usenet-Web Archiver. Configuration Checklist. Security Checklist. Setting It Up in a Firewall Environment. 9. The Web and HTTP Protocol. Web Security Issues. HTTP Security Consideration. Secure HyperText Transfer Protocol (S-HTTP). Secure Sockets Layer (SSL). Caching: Security Considerations. Configuration Checklist. Security Checklist. Security Hole with Novell's HTTP. Most Typical UNIX-based Web Server Security Problems. III. ADMINISTRATION: SECURING YOUR WEB SITE WITH FIREWALLS. 10. Firewall Design and Implementation. The Concept of a Firewall. The Role of Firewalls. Using Firewalls to Enhance Web Security. The Most Common Types of Firewall. Network-Level Firewalls. Application-Level Firewalls. Few Suggested Firewall Types for Web Sites. Dynamic Firewalling and Web Security. HTTP and Firewalls, Proxy Servers and SOCKS. Proxy Servers. Advanced Proxy Configuration-A Practical Example. The Network Setup. The Proxy Setup. FTP and TELNET. Security Checklist. 11. When Things Don't Go Well: The System Perspective. Dealing with an Incident. Network Information Service as a Cracking Tool. Remote Login/Shell Service as a Cracking Tool. Network File System as a Cracking Tool. File Transfer Protocol Service as a Cracking Tool. A To-Do List in Case of an Incident. Assessing the Situation. Cutting Off the Link. Analyze the Problem. Take Action. Catching an Intruder. Reviewing Security. 12. Pursuing Intruders: The Legal Perspective. What the Legal System Has to Say. The Current Regulatory Environment. Protecting Your Web Site. Preventing Break-ins at Your Web Site. Final Considerations. IV. APPENDIXES. Appendix A: Firewall-Related Resources, Resellers, and Firewall Tools. AlterNet. Atlantic Computing Technology Corporation. ARTICON Information Systems GmbH. Cisco Routers. Cohesive Systems. Collage Communications, Inc. Conjungi Corporation. Cypress Systems Corporation (Raptor Reseller). Data General Corp. (Gauntlet Reseller). Decision-Science Applications, Inc. E92 PLUS, LTD. Enterprise System Solutions, Inc. (BorderWare Reseller). E.S.N.-ServiTHo e Comrcio de Inform<186>tica Ltda. FSA Corporation. IConNet. Ingress Consulting Group, Ltd. INTERNET GmbH. Jeff Flynn & Associates. Media Communications eur ab (Gauntlet Reseller). Mergent International, Inc. (Gauntlet Reseller). Momentum Pty., Ltd. NetPartners (Phil Trubey) (JANUS Reseller). Network Translation Services, Inc. OpenSystems, Inc. PDC. PENTA. PRC. Racal Airtech, Ltd. (Eagle Reseller). RealTech Systems. Sea Change Corporation (JANUS Reseller). Security Dynamics Technologies. Softway Pty., Ltd. (Gauntlet Reseller). Spanning Tree Technologies Network Security Analysis Tool. Stalker by Haystack Labs, Inc. Stonesoft Corporation. TeleCommerce. Trident Data Systems (SunScreen provider). Tripcom Systems, Inc. Trusted Network Solutions (Pty.), Ltd. UNIXPAC AUSTRALIA. X + Open Systems Pty., Ltd. (Internet Consultants). Zeuros Limited. Firewall Tools. Drawbridge. Freestone by SOS Corporation. fwtk-TIS Firewall Toolkit. ISS. SOCKS. Appendix B: Firewall Products. Actane Controller. Black Hole. BorderWare Firewall Server. Brimstone SOS Corporation. CENTRISecure Internet Gateway. CONNECT: Firewall Sterling Software. Cyberguard-Harris Computer Systems Firewall. Cypress Labyrinth by Cypress Consulting, Inc. Digital Firewall Service. Eagle from Raptor Systems. ExFilter V1.1.2 for SunOS 4.1.x. FireWall-1 (by CheckPoint Software Technologies). FireWall/Plus by Network-1. Gauntlet by TIS. GEMINI Trusted Security Firewall. GFX-94 Internet Firewall. Guardian Firewall by LanOptics, Ltd. HSC GateKeeper by Herve Schauer Consultants. ICE BLOCK. Integralis. Interceptor by Technologic. Inter-Ceptor by Network Security International. ANS InterLock Service from ANS CO+RE Systems, Inc. Internet Secure Router (ISR) by Atlantic Systems Group. IRX Router-Livingston Firewall Router. IWare-Internetware. iWay-One. KarlBridge/KarlBrouter. Mazama. MIDnet's Securit Firewall. NetCS. NetGate. NetPartners (Hardware and Software). Netra Server by Sun (SMCC). NetSeer and NetSeer Light from Telos. NetSP-IBM. Network Systems ATM Firewall. The Security Router, BorderGuard, ATM Firewall. Novix by FireFox (Novell only). Orion by Zebu Systems. PIX Private Internet Exchange. PrivateNet by NEC Technologies. PORTUS by LSLI (Livermore SW Labs). Quiotix. SecurityGate by DEC. SecureConnect by Morning Star Technologies. Sidewinder by Secure Computing. Site Patrol by BBN Planet Corp. SmartWall by V-ONE. SunScreen SPF-100 by Sun MicroSystems. Appendix C: Web Server Products. Amiga Web Servers. AWS. NCSA. Macintosh Web Servers. Common Lisp Hypermedia Server (CL-HTTP). Enhanced Mosaic. http4mac. InterServer Publisher. Mac Common Lisp Server. MacHTTP. NetPresenz or FTPd. WebSTAR. MSDOS and NetWare Web Servers. GLACI-HTTPD. KA9Q. NetWare Web Server. Purveyor WebServer for NetWare. The Major BBS. WonLoo Telenologies NLM. UNIX Web Servers. Apache httpd. Boa. Common Lisp Hypermedia Server (CL-HTTP). EIT httpd. GN Gopher/HTTP server. Internet Office Web Server. Navisoft Server. NCSA httpd. Netscape Commerce and Communications Server. Phttpd. Plexus. Spinner. Spyglass httpd. Thttpd. w3 httpd. WebServer. WN Server. XS-HTTPD. VM/CMS Web Servers. VM:Webserver. Webshare. VMS/OpenVMS Web Servers. CERN HTTP for VMS. Purveyor for OpenVMS. Region 6 Threaded HTTP Server. IBM OS/2 Web Servers. Apache for OS/2. oserve for OS/2. Internet Connection Server for OS/2. OS2HTTPD. OS2WWW. W3 HTTPD with Proxy Support. MS Windows NT and Windows 95 Web Servers. Alibaba. Commerce Builder. Common Lisp Hypermedia Server (CL-HTTP). Cyber Presence. FolkWeb Web Server. HTTPS. Internet Information Server. Navisoft Server. Netsite Servers. Purveyor Webserver for Windows NT and Windows 95. SerWeb for Windows NT. SIAC HTTPD. SuperWeb Server. Web Commander. WebQuest for Windows 95 and Windows NT. WebSite. MS Windows 3.1 and Compatible Web Servers. Alibaba. Chameleon Web Personal Server. SerWeb. WEB4HAM. WebServer. Windows httpd. ZBServer. Appendix D: Internal Vulnerability Scanning Tools. CheckXusers. Chkacct v1.1. COPS (Computer Oracle and Password System). crashme. Doc (Domain Obscenity Control). ISS (Internet Security Scanner). Perl Cops. Secure_Sun. SPI (Security Profile Inspector). Test Hosts for Well-Known NFS Problems/Bugs. Tiger. trojan.pl. Appendix E: Patches and Replacements. bsd-tftp. fingerd. Fix Kits for sendmail, WU-ftpd, TCP Wrappers. gated. Mountd for Solaris 2.3. msystem.tar.Z. osh. Patches for SGI machines. Patches for Sun machines. PortMap_3. Rpcbind. securelib. sendmail. sfingerd. SRA (Secure RPC Authentication for TELNET and FTP). tftpd. ftpd Washington University. xinetd. Appendix F: Advanced Authentication and Password Enhancing Tools. anlpasswd. chalace. cracklib. npasswd. obvious. passwd+. passwdd. pwdiff. shadow. Yppapasswd. Appendix G: Auditing and Intrusion Detection Tools. Auditing and Logging Tools. Authd (Authentication Server Daemon). dump_lastlog. logdaemon. Logging fingerd in Perl. loginlog.c.Z. Netlog. Spar. surrogate-syslog. Logging Utilities. chklastlog. chkwtmp. trimlog. L5. traceroute. Intrusion Detection Tools. ASAX (Advanced Security Audit Trail Analysis on UNIX). Argus. ARP Monitor. ARPWATCH 1.3. Gabriel. Hobgoblin. md5check. NETMAN. nfswatch. NID (Network Intrusion Detector). NOCOL (Network Operations Center On-Line). noshell. Raudit. RIACS Intelligent Auditing and Categorizing System. Swatch. swIPe. TAMU Check Integrity Script. Tripwire. Watcher. X Connection Monitor. System Status Reporting Tools. Cpm (Check Promiscuous Mode). Dig. Fremont. Icmpinfo. host. ident. Ifstatus. lsof. STROBE. TCP Port Probing Program. tcpwho. Mail Security Tools. Alphanumeric Pager via E-mail. PGP. RPEM (Rabin Privacy Enhanced Mail). Appendix H: Password Breaking Tools. scannt.exe. cbw.tar.Z. Crack. Password Checking Routine. UFC-crypt. Appendix I: Access Control Tools. deslogin. Drawbridge. kerberos. md5. Permissions. skey. Snefru 2.5. Appendix J: Glossary of World Wide Web Terms. Bibliography. Index.