
By Josh Sokol

# whoami
- Josh Sokol
- B.S. in Computer Science
- Cisco Certified Network Associate (CCNA)
- SANS GIAC in Web Application Security (GWAS)
- Web Systems Engineer for National Instruments
- Own the Web Systems “Security Practice”

What We’re Talking About
- Most OWASP presentations focus on securing the web application by scanning for vulnerabilities or fixing the code
- The key to a secure web application is building it on top of a secure foundation
- All part of a Defense-in-Depth approach to web application security
- Focus on the network and server level protections
- Throw in what PCI has to say about things where applicable

How We’ll Accomplish It
- Start with a clean slate
- Create a secure network
- Add some secure servers
- Throw in a secure web application

Clean Slate

Think Before You Act
- Too many organizations just start building without taking the time to think about what they’re trying to accomplish in the long term
- Leads to many issues down the road
  - Performance
  - Scalability
  - Security
- Ends up costing more time, money, and resources than if you just took some time in the beginning to plan it right

Establish an Internet Connection
(Diagram: INTERNET connected to INTRANET, showing intended and unintended traffic)
- ISP
- Public IP Addresses
- Edge router
- Switch

Establish an Internet Connection  Router and Switch Configurations  Most recent software release/patches  No local user accounts (use TACACS+ for user authentication)  Enable password should be in a secure encrypted form  Enable password should be changed from default  Use corporate standardized SNMP community strings  Disable SNMP system shutdown (“no snmp-server system-shutdown”)  Log to a centralized log server  Use Network Address Translation (NAT)  Don’t use telnet to manage  Set up with NTP for clock synchronization  Disallow  IP directed broadcasts  Incoming packets sourced with invalid addresses  TCP small services (“no service tcp-small-servers”)  UDP small services (“no service upd-small-servers”)  All source routing  All web services running on router

Separate Users From Servers
- Benefits of NAT
- Using NAT to Protect Our Users

Add a Firewall
(Diagram: firewall placed between INTERNET and INTRANET)
- Firewall Configurations
  - Many of the same configurations as routers/switches for firmware, SNMP, passwords, etc.
  - Deny all inbound traffic unless explicitly authorized
  - All deny rules are logged

Some Definitions
- N-tier/Multi-tier Architecture
  - A client-server architecture in which the presentation, the application processing, and the data management are logically separate processes.
- Presentation Tier
  - The topmost level of the application, which displays information related to such services as browsing merchandise, purchasing, and shopping cart contents. It communicates with the other tiers by outputting results to the browser/client tier and all other tiers in the network.
- Application/Business Logic/Logic Tier
  - The logic tier is pulled out from the presentation tier and, as its own layer, it controls an application’s functionality by performing detailed processing.
- Data Tier
  - Consists of database servers where information is stored and retrieved. This tier keeps data neutral and independent from application servers or business logic.

Our n-tier Architecture (In Theory)
(Diagram: Internet, Firewall, Presentation Tier, Application Tier, Data Tier, External NAT Router, Internal NAT Router, Users)

Major Benefit of n-tier
- Reliability
  - An attribute of any system that consistently produces the same results, preferably meeting or exceeding its specifications.
- Availability
  - The degree to which a system suffers degradation or interruption in its service to the customer as a consequence of failures of one or more of its parts.
- Serviceability
  - The ease with which corrective maintenance or preventative maintenance can be performed on a system.

Our n-tier Architecture (In Practice)
(Diagram: Internet, Firewall, External NAT Router, Internal NAT Router, Users, Switch, Application Tier, Data Tier, Presentation Tier)

Definition
- Demilitarized Zone (DMZ)
  - aka Data Management Zone, Demarcation Zone, or Perimeter Network
  - A physical or logical subnetwork that contains and exposes an organization’s external services to a larger, untrusted network, usually the Internet.
  - Adds an additional layer of security to an organization’s LAN; an external attacker only has access to equipment in the DMZ, rather than the whole of the network.

What PCI Has to Say About the Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  - Firewall at each Internet connection and between any DMZ and the internal network zone.
  - Implement a DMZ to limit inbound and outbound traffic to only protocols that are necessary for the cardholder data environment.
  - Limit inbound Internet traffic to IP addresses within the DMZ.
  - Place the database in an internal network zone, segregated from the DMZ.

N-tier with DMZ (old skool)
(Diagram: Internet, Firewall, Presentation Tier, Application Tier, Data Tier, External NAT Router, Users, Internal NAT Router, Firewall)

N-tier with DMZ (new skool)
(Diagram: Internet, Firewall, Presentation Tier, Application Tier, Data Tier, Core Router, Users, Internal NAT Router)

Other Benefits of n-tier
- Scalability
  - How well a solution to some problem will work when the size of the problem increases.
- Security
  - Protection against unauthorized access to, or alteration of, information and system resources including CPUs, storage devices, and programs.

What PCI Has to Say About the Servers
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  - 2.1 Always change vendor-supplied defaults before installing a system on the network
    - Implement only one primary function per server.
    - Disable all unnecessary and insecure services and protocols.
    - Remove all unnecessary functionality such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.
  - 2.3 Encrypt all non-console administrative access.

Assume a Fresh OS Install
- Update and patch software
- Change default passwords
- File change monitoring (tripwire)
- Client Firewall (iptables)
  - Stateless/stateful packet filtering
- Disable unused/unnecessary services (telnet, any “r” service such as rsh, rcp, etc.)
- Log to a centralized log server
- Use SSH/SSL to manage the box
- Check file ownership and permissions
- Check all unlocked user accounts for necessity
- TCP Hardening in /etc/sysctl.conf
  - Ignore broadcasts
  - IP Spoofing Protection
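The two firewall rules from the “Add a Firewall” slide (deny all inbound unless explicitly authorized, log every deny) apply just as well to the host firewall on this checklist, so the following added example (not from the talk) combines them with the sysctl and unlocked-account items: a POSIX shell script that generates an iptables-restore ruleset and a sysctl fragment for review, and audits an /etc/shadow-format file for accounts that can still log in. The allowed ports (22 and 443), the output directory, and the sample shadow lines are constructed assumptions; the iptables and sysctl keys are real, but applying them (`iptables-restore`, `sysctl --system`) needs root and is left to the operator.

```shell
#!/bin/sh
# Added example, not from the talk: generate and check host hardening artifacts
# for a freshly installed Linux server. Ports, directory names and the sample
# /etc/shadow content are constructed for illustration.

# host_ruleset PORT... prints an iptables-restore file. Inbound traffic is
# dropped unless explicitly allowed (policy DROP plus a final explicit DROP),
# replies to connections this host opened are allowed back in (stateful), and
# every drop is logged, rate-limited so a flood cannot fill the disk.
host_ruleset() {
  printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  for port in "$@"; do
    printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
  printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DENY: " --log-level 4'
  printf '%s\n' '-A INPUT -j DROP' 'COMMIT'
}

# sysctl_fragment prints the TCP/IP hardening settings from the checklist:
# ignore broadcast pings and reject spoofed source addresses.
sysctl_fragment() {
  cat <<'EOF'
# ignore ICMP echo requests sent to broadcast addresses
net.ipv4.icmp_echo_ignore_broadcasts = 1
# IP spoofing protection: drop packets whose source is not routable back out the ingress interface
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# log packets with impossible source addresses
net.ipv4.conf.all.log_martians = 1
# refuse source-routed packets, matching the router policy
net.ipv4.conf.all.accept_source_route = 0
# SYN flood resilience
net.ipv4.tcp_syncookies = 1
EOF
}

# unlocked_accounts reads /etc/shadow format on stdin and prints each account
# whose password field is neither locked ("!" prefix) nor disabled ("*").
# An empty field means passwordless login, so it is reported too.
unlocked_accounts() {
  awk -F: '$2 !~ /^[!*]/ { print $1 }'
}

# unlocked_count prints the number of accounts unlocked_accounts reports.
unlocked_count() {
  unlocked_accounts | awk 'END { print NR }'
}

# Constructed sample shadow file; the hashes are placeholders, not real.
SAMPLE_SHADOW='root:$6$constructed$placeholder:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
webapp:!$6$constructed$placeholder:19000:0:99999:7:::
deploy:$6$constructed$placeholder2:19000:0:99999:7:::
oldadmin:!!:19000:0:99999:7:::
guest::19000:0:99999:7:::'

# write_outputs DIR writes both files so they can be reviewed before applying
# with: iptables-restore < DIR/iptables.rules ; cp DIR/99-hardening.conf /etc/sysctl.d/ ; sysctl --system
write_outputs() {
  mkdir -p "$1"
  host_ruleset 22 443 > "$1/iptables.rules"
  sysctl_fragment > "$1/99-hardening.conf"
}

# Stand-alone run: show the generated ruleset and the account audit.
host_ruleset 22 443
printf '%s\n' "$SAMPLE_SHADOW" | unlocked_accounts
```

On a real host, `unlocked_accounts < /etc/shadow` lists the accounts to justify or lock (`usermod -L`), and the `IPT-DENY:` prefix gives the centralized log server a single string to match when collecting the host’s denies alongside the perimeter firewall’s.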

What PCI Has to Say About the Apps
- Pretty much every other requirement not previously mentioned talks about how to secure your application.
- 6.5 Develop all web applications (internal and external) based on secure coding guidelines such as the Open Web Application Security Project Guide.

The OWASP Guide
- Policy Frameworks
- Secure Coding Principles
- Threat Risk Modeling
- Handling E-Commerce Payments
- Phishing
- Web Services
- Authentication
- Authorization
- Session Management
- Data Validation
- Interpreter Injection
- Canonicalization, Locale, and Unicode
- Error Handling, Auditing, and Logging
- …
- The list goes on…and on…and on

Defense-in-Depth
- Defend a system against any particular attack using several, varying methods.
- Layering tactic, conceived by the NSA as a comprehensive approach to information and electronic security.

Add-ons
- Network
  - IDS/IPS
  - WAF
  - NAC
  - Load Balancer
- Server
  - Host-based Intrusion Prevention System
- Auditing
  - Network Vulnerability Scanning
  - Application Vulnerability Scanning

The Picture Gets Complicated
(Diagram: Internet, Firewall, Presentation Tier, Application Tier, Data Tier, Core Router, WAF, IDS or IPS, NAC, Load Balancer)

I warned you…

Question 1: Name one of the three issues I mentioned at the beginning when you act without taking the time to think about what you’re trying to accomplish?

Question 2: What are the three tiers that I presented as part of my n-tier architecture?

Question 3: Name two different things that you can do to secure a network device?

Question 4: Name two different things that you can do to secure a newly-built server?

Question 5: What term is used to describe a layering tactic, conceived by the NSA, that is used to defend a system against any particular attack using several varying methods?

Additional Resources
- Networks
  - Router Security
  - Firewall Security
- Servers
  - RedHat Linux Server Security (securitychecklist.php)
- Applications
  - OWASP Project Guide