1 Infrastructure Hardening

2 Objectives
- Why is hardening infrastructure important?
- Hardening operating systems, networks and applications

3 Security Baselines
- The process of baselining involves both the configuration of the IT environment and the disabling of non-essential services.
- The baselining process involves hardening the key components: operating systems, networks and applications.

4 Operating System Hardening
- The system is configured to limit the possibility of either internal or external attack.
- While the methods for hardening vary from one operating system to another, the concepts involved are largely similar regardless of whether Windows, UNIX, Linux, Mac OS X or any other system is being baselined.

5 Operating System Hardening Techniques
- Disable non-essential services. For example, unless a host is functioning as a web or mail server there is no need to have HTTP or SMTP services running on it.
- Apply vendor-supplied patches and fixes (security updates).
- Password management: strong passwords, enforced regular password changes, and disabling of user accounts after repeated failed login attempts.
- Remove unnecessary accounts: guest, unused and unnecessary user accounts, and the accounts of employees who have left the organization.

6 Operating System Hardening Techniques
- File and directory protection, through the use of access control lists (ACLs) and file permissions.
- File and file system encryption: all disk partitions are formatted with a file system type that has encryption features (NTFS in the case of Windows).
- Enable logging: the operating system is configured to log all activity, errors and warnings.
- File sharing: disable any unnecessary file sharing.
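
The two slides above describe a baseline as a checklist; the following is an added example (not code from the presentation) of turning that checklist into an automated audit. All host data is constructed inline to stand in for what a scan would collect: listening daemons, a `/etc/login.defs` excerpt, a `pam_faillock` excerpt, an account table and a file-permission sweep. The policy thresholds (`MAX_PASS_DAYS`, `MIN_PASS_LEN`, `MAX_FAILED_LOGINS`, `STALE_DAYS`) and the "web server" role are assumptions.

```python
"""Hardening-baseline audit over constructed host data (added example)."""
import re

# --- Constructed sample data standing in for what a scan would collect ---

# Listening daemons on the host (name, TCP port). The host's role is "web server".
LISTENING = [("sshd", 22), ("httpd", 80), ("httpd", 443), ("smtpd", 25), ("telnetd", 23)]
NEEDED_PORTS = {22, 80, 443}  # assumed: what the web server role legitimately exposes

# Excerpt in /etc/login.defs syntax (constructed, deliberately weak values).
LOGIN_DEFS = """\
# password aging controls
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
"""

# Excerpt in pam_faillock(8) faillock.conf syntax (constructed): deny = 0 disables lockout.
FAILLOCK_CONF = "deny = 0\nunlock_time = 600\n"

# Account table: (login, uid, shell, days since last login).
ACCOUNTS = [
    ("root", 0, "/bin/bash", 1),
    ("guest", 1001, "/bin/bash", 412),
    ("alice", 1002, "/bin/bash", 2),
    ("jsmith", 1003, "/bin/bash", 180),
    ("www-data", 33, "/usr/sbin/nologin", 999),
]

# File-permission sweep: (path, mode bits).
FILES = [("/etc/shadow", 0o640), ("/var/www/upload", 0o777), ("/etc/passwd", 0o644)]

# Assumed policy thresholds.
MAX_PASS_DAYS, MIN_PASS_LEN, MAX_FAILED_LOGINS, STALE_DAYS = 90, 12, 5, 90


def _kv(text, key):
    """Return the value of `key` from a whitespace- or '='-separated config excerpt."""
    m = re.search(rf"^\s*{re.escape(key)}\s*=?\s*(\S+)", text, re.M)
    return m.group(1) if m else None


def audit_services(listening, needed_ports):
    """Flag every listening daemon whose port the host's role does not need."""
    return [f"disable {name} (port {port} not required by host role)"
            for name, port in listening if port not in needed_ports]


def audit_password_policy(login_defs):
    """Check password ageing and minimum length against the assumed policy."""
    findings = []
    max_days = int(_kv(login_defs, "PASS_MAX_DAYS") or 99999)
    min_len = int(_kv(login_defs, "PASS_MIN_LEN") or 0)
    if max_days > MAX_PASS_DAYS:
        findings.append(f"PASS_MAX_DAYS {max_days} > {MAX_PASS_DAYS}: enforce regular password change")
    if min_len < MIN_PASS_LEN:
        findings.append(f"PASS_MIN_LEN {min_len} < {MIN_PASS_LEN}: require stronger passwords")
    return findings


def audit_lockout(faillock_conf):
    """Lockout must be enabled (deny > 0) and trip within the assumed number of failures."""
    deny = int(_kv(faillock_conf, "deny") or 0)
    if 0 < deny <= MAX_FAILED_LOGINS:
        return []
    return [f"faillock deny={deny}: lock accounts after repeated failed logins"]


def audit_accounts(accounts, stale_days=STALE_DAYS):
    """Guest accounts go; interactive accounts idle longer than stale_days get disabled."""
    findings = []
    for login, uid, shell, idle in accounts:
        if login == "guest":
            findings.append("remove the guest account")
        elif uid >= 1000 and shell.endswith("sh") and idle > stale_days:
            findings.append(f"disable {login}: no login for {idle} days")
    return findings


def audit_files(files):
    """World-writable paths undermine ACL and permission protection."""
    return [f"{path}: world-writable ({mode:#o}); tighten permissions"
            for path, mode in files if mode & 0o002]


def run_baseline():
    """Run every check over the sample data and return the combined findings."""
    return (audit_services(LISTENING, NEEDED_PORTS)
            + audit_password_policy(LOGIN_DEFS)
            + audit_lockout(FAILLOCK_CONF)
            + audit_accounts(ACCOUNTS)
            + audit_files(FILES))


if __name__ == "__main__":
    for finding in run_baseline():
        print("FINDING:", finding)
```

Each check is a pure function over data, so the same code can be pointed at output collected from a real host (for example `ss -ltnp`, the real `login.defs`, `lastlog`) without changing the policy logic, and the findings list is what a baseline report or ticket would be generated from.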

7 Network Hardening
- Updating software and hardware is an ongoing process: all networking software, together with the firmware in routers, is updated with the latest vendor-supplied patches and fixes.
- Password protection: routers and wireless access points should be protected with strong passwords.
- Disable and remove unnecessary protocols and services. For example, in a pure TCP/IP network environment it makes no sense to have AppleTalk protocols enabled.

8 Network Hardening
- Ports: unneeded ports are blocked by a firewall and the associated services are disabled on any hosts within the network. For example, a network in which none of the hosts acts as a web server does not need to allow traffic for port 80 to pass through the firewall.
- Wireless security: wireless networks must be configured to the highest available security level. For older access points, WEP security should be configured with 128-bit keys. Newer routers should implement WPA security measures.

9 Network Hardening
- Restricted network access: there should be a firewall between the network and the Internet. Other options include the use of Network Address Translation (NAT) and access control lists (ACLs).
- Authorized remote access should be enabled through the use of secure tunnels and virtual private networks (VPNs).
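
The port rule on slide 8 (only needed ports pass the firewall) and the restricted-access rule on slide 9 are easier to audit than to eyeball once a ruleset grows. The following is an added example, not code from the presentation, of a small first-match packet-filter model plus an audit of its allow rules against a list of the services the network actually needs and who may reach each one. It generalises the slide's "no web server, so no port 80" case: here the network does serve HTTPS, still has a stray port 80 rule, and also exposes DNS zone transfers more widely than its one named secondary (the DNS slide's "limit access to one or more specified external systems" point). The ruleset, the `NEEDED` table and the addresses (documentation-only ranges) are constructed.

```python
"""First-match firewall model and ruleset audit over constructed rules (added example)."""
import ipaddress
from typing import Optional


class Rule:
    """One inbound rule: action, source network, destination port (None = any), protocol."""

    def __init__(self, action: str, src: str, dst_port: Optional[int], proto: str = "tcp"):
        self.action = action                  # "allow" or "deny"
        self.src = ipaddress.ip_network(src)  # who the rule applies to
        self.dst_port = dst_port              # None means every port
        self.proto = proto

    def matches(self, src_ip: str, dst_port: int, proto: str) -> bool:
        return (self.proto == proto
                and ipaddress.ip_address(src_ip) in self.src
                and (self.dst_port is None or self.dst_port == dst_port))


def decide(rules, src_ip, dst_port, proto="tcp", default="deny"):
    """Simulate the filter: the first matching rule decides, otherwise the default policy applies."""
    for rule in rules:
        if rule.matches(src_ip, dst_port, proto):
            return rule.action
    return default


# Constructed inbound ruleset for a small perimeter (documentation address ranges).
RULES = [
    Rule("allow", "0.0.0.0/0", 443),               # public HTTPS: needed
    Rule("allow", "0.0.0.0/0", 80),                # plain HTTP: no host serves it
    Rule("allow", "198.51.100.10/32", 53, "tcp"),  # zone transfers to the named secondary only
    Rule("allow", "0.0.0.0/0", 53, "tcp"),         # DNS over TCP from anywhere: transfers open to all
    Rule("allow", "203.0.113.0/24", None),         # partner range, any port: too broad
]

# Assumed: the services this network needs, and the widest source allowed to reach each one.
NEEDED = {
    443: ipaddress.ip_network("0.0.0.0/0"),
    53: ipaddress.ip_network("198.51.100.10/32"),
}


def audit_ruleset(rules, needed, default="deny"):
    """Return findings for allow rules that go beyond the needed services or sources."""
    findings = []
    if default != "deny":
        findings.append(f"default policy is {default}; unmatched traffic should be denied")
    for rule in rules:
        if rule.action != "allow":
            continue
        if rule.dst_port is None:
            findings.append(f"any port allowed from {rule.src}; restrict to specific services")
        elif rule.dst_port not in needed:
            findings.append(f"port {rule.dst_port} allowed from {rule.src} but no host needs it")
        elif not rule.src.subnet_of(needed[rule.dst_port]):
            findings.append(f"port {rule.dst_port} allowed from {rule.src}, "
                            f"wider than {needed[rule.dst_port]}")
    return findings


if __name__ == "__main__":
    for finding in audit_ruleset(RULES, NEEDED):
        print("FINDING:", finding)
    print("unmatched traffic ->", decide(RULES, "192.0.2.7", 22))
```

The simulation half is there because an audit of individual rules misses ordering problems: a broad "any port" rule placed early shadows everything after it, and `decide()` shows exactly which packets it lets through. The slide's other point, disabling the service on the host as well as blocking the port, is the job of the host baseline check, not the firewall audit.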

10 Application Hardening
- All applications and services installed on network-based host systems must be included in the security hardening process, to ensure that they do not provide a weak link in the security defenses.
- A number of common operating system based services are installed by default and need to be reviewed.

11 Web Servers
- For non-public sites, authentication methods should be put in place; for sites that are only to be accessible by internal users, an intranet approach should be used so that external access is prevented by a firewall.
- Secure web-based transactions with SSL communication.
- Web server logs should be reviewed routinely for suspicious activity. Attempts to access unusual URLs on the web server typically indicate an attempt to exploit problems in outdated or unpatched web servers.
- Apply the latest vendor-supplied patches.
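
"Review the logs for unusual URLs" is the kind of instruction that only becomes routine once it is scripted. The following is an added example, not code from the presentation, of that review over access-log lines in Apache combined format. The log lines are constructed (client addresses from documentation-only ranges), `KNOWN_ROUTES` is an assumed list of the paths this static site actually serves, and the probe patterns are an assumed starting set; anything matching a pattern, or any path the site does not serve, counts as an unusual URL and is tallied per client along with that client's 404s.

```python
"""Per-client review of web server access logs for unusual URLs (added example)."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache "combined" format: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Probe patterns applied to the decoded path, with the reason reported for each (assumed set).
PROBE_PATTERNS = [
    (re.compile(r"(^|/)\.\.(/|$)"), "directory traversal sequence"),
    (re.compile(r"/\.(git|env|svn|htaccess)\b"), "hidden repository or config file"),
    (re.compile(r"/(admin|manager|phpmyadmin|console)(/|$)", re.I), "administrative console path"),
    (re.compile(r"\.(php|asp|aspx|jsp)$", re.I), "server-side script extension this site does not use"),
]

# Assumed: every path the site legitimately serves.
KNOWN_ROUTES = {"/", "/index.html", "/about.html", "/css/site.css"}

# Constructed sample log: one normal visitor and one client walking through probe URLs.
SAMPLE_LOG = """\
198.51.100.20 - - [12/Mar/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2024:10:01:03 +0000] "GET /css/site.css HTTP/1.1" 200 880 "http://www.example.com/" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2024:10:02:10 +0000] "GET /index.php HTTP/1.1" 404 210 "-" "curl/8.4.0"
203.0.113.9 - - [12/Mar/2024:10:02:11 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "curl/8.4.0"
203.0.113.9 - - [12/Mar/2024:10:02:12 +0000] "GET /..%2f..%2fetc/passwd HTTP/1.1" 400 150 "-" "curl/8.4.0"
203.0.113.9 - - [12/Mar/2024:10:02:13 +0000] "GET /.env HTTP/1.1" 403 190 "-" "curl/8.4.0"
198.51.100.20 - - [12/Mar/2024:10:03:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "http://www.example.com/" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2024:10:02:14 +0000] "GET /manager/html HTTP/1.1" 404 210 "-" "curl/8.4.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_unusual(path, known_routes):
    """Return why a request path is unusual, or None if it is a normal request."""
    # Drop the query string and decode percent-encoding once before inspecting.
    decoded = unquote(path.split("?", 1)[0])
    for pattern, reason in PROBE_PATTERNS:
        if pattern.search(decoded):
            return reason
    return None if decoded in known_routes else "path not served by this site"


def review(log_text, known_routes):
    """Per-client summary: count of unusual URLs and 404s, with the paths that triggered them."""
    report = defaultdict(lambda: {"unusual": 0, "not_found": 0, "examples": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than abort the whole review
        entry = report[rec["ip"]]
        if rec["status"] == 404:
            entry["not_found"] += 1
        reason = is_unusual(rec["path"], known_routes)
        if reason:
            entry["unusual"] += 1
            entry["examples"].append(f"{rec['path']} ({reason})")
    return dict(report)


def suspicious_clients(report, threshold=3):
    """Clients worth a closer look: at least `threshold` unusual URLs or 404s."""
    return sorted(ip for ip, entry in report.items()
                  if entry["unusual"] >= threshold or entry["not_found"] >= threshold)


if __name__ == "__main__":
    summary = review(SAMPLE_LOG, KNOWN_ROUTES)
    for ip in suspicious_clients(summary):
        print(ip, summary[ip])
```

The known-routes allowlist is what makes the review useful on a hardened server: once unneeded pages are removed, the set of legitimate paths is small, and everything outside it is worth a look regardless of whether a probe pattern names it. The 404 count is the cheap second signal, since a patched, minimal server answers most probes with 404 or 403 and those responses cluster by client.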

12 Mail Servers
- Unneeded configuration options of the mail server software are disabled.
- All the latest vendor-supplied updates are applied.
- Relay prevention options should be activated.
- Authentication must be used to ensure that only authorized users are able to send and receive messages.

13 FTP Servers
- The purpose of the File Transfer Protocol (FTP) is to allow files to be downloaded from and uploaded to remote servers.
- Access can be in the form of anonymous FTP or authenticated FTP.
- Anonymous FTP accounts should be used with caution and monitored regularly.
- In the case of authenticated FTP it is essential that secure FTP be used, so that login and password credentials are encrypted rather than transmitted in plain text.

14 DNS Servers
- Domain Name Servers (DNS) provide the translation of human-friendly names for network destinations (such as a web site URL) to the IP addresses understood by routers and other network devices.
- Steps should be taken to ensure DNS software is updated regularly and that all access to servers is authenticated, to prevent unauthorized zone transfers.
- Access to the server may be prevented by blocking port 53, or restricted by limiting access to the DNS server to one or more specified external systems.

15 Am I Vulnerable?
- Have you performed the proper security hardening across the entire application stack?
- Do you have a process for keeping all your software up to date? This includes the OS, web/app server, DBMS, applications, and all code libraries.
- Is everything unnecessary disabled, removed, or not installed (e.g. ports, services, pages, accounts, privileges)?
- Are default account passwords changed or disabled?
- Is your error handling set up to prevent stack traces and other overly informative error messages from leaking?
- Are the security settings in your development frameworks (e.g., Struts, Spring, ASP.NET) and libraries understood and configured properly?
A concerted, repeatable process is required to develop and maintain a proper application security configuration.

16 Example Attack Scenarios
- Scenario #1: Your application relies on a powerful framework like Struts or Spring. XSS flaws are found in the framework components you rely on. An update is released to fix these flaws, but you don't update your libraries. Until you do, attackers can easily find and exploit these flaws in your app.
- Scenario #2: The app server admin console is automatically installed and not removed. Default accounts aren't changed. An attacker discovers the standard admin pages are on your server, logs in with default passwords, and takes over.

17 Example Attack Scenarios
- Scenario #3: Directory listing is not disabled on your server. An attacker discovers they can simply list directories to find any file. The attacker finds and downloads all your compiled Java classes, which they reverse to get all your custom code. They then find a serious access control flaw in your application.
- Scenario #4: The app server configuration allows stack traces to be returned to users, potentially exposing underlying flaws. Attackers love the extra information error messages provide.
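
Scenario #4 above, and the "error handling" question on slide 15, come down to one configuration choice: where the traceback goes. The following is an added example, not code from the presentation, showing the same request handler twice: once echoing the traceback to the client the way a framework in debug mode does, and once returning a generic message while the full detail is written to the server log under an incident reference. The order lookup, the `ORDERS` table and the in-memory log sink are constructed stand-ins for an application and its server log; `response_leaks_details()` is the kind of check a deployment test can run against every error page.

```python
"""Leaking versus hardened error handling for one request handler (added example)."""
import logging
import traceback
import uuid

# Constructed application state.
ORDERS = {1001: "shipped", 1002: "processing"}

# Constructed server-side log sink, so the example can show what stays private.
SERVER_LOG = []


class _ListHandler(logging.Handler):
    def emit(self, record):
        SERVER_LOG.append(self.format(record))


log = logging.getLogger("orders")
log.addHandler(_ListHandler())
log.setLevel(logging.ERROR)
log.propagate = False


def lookup_order(order_id):
    """Raises ValueError on non-numeric input and KeyError on an unknown order."""
    return ORDERS[int(order_id)]


def handle_debug(order_id):
    """Misconfigured server: the traceback (file paths, code, exception text) goes to the client."""
    try:
        return 200, f"order status: {lookup_order(order_id)}"
    except Exception:
        return 500, "<pre>" + traceback.format_exc() + "</pre>"


def handle_hardened(order_id):
    """Generic message to the client; full detail under an incident id in the server log only."""
    try:
        return 200, f"order status: {lookup_order(order_id)}"
    except Exception:
        incident = uuid.uuid4().hex[:12]
        log.error("incident %s: error handling order_id=%r\n%s",
                  incident, order_id, traceback.format_exc())
        return 500, f"An internal error occurred. Reference: {incident}"


# Markers that a Python traceback reached the client (assumed, extend per framework).
LEAK_MARKERS = ("Traceback (most recent call last)", 'File "', '.py"')


def response_leaks_details(body):
    """True if an error page carries traceback markers; usable as a deployment test."""
    return any(marker in body for marker in LEAK_MARKERS)


def incident_reference(body):
    """Pull the incident id out of a hardened error page so support can find the log entry."""
    return body.rsplit("Reference: ", 1)[1] if "Reference: " in body else None


if __name__ == "__main__":
    print(handle_debug("abc")[1][:80], "...")
    status, body = handle_hardened("abc")
    print(status, body)
    print("server log has detail:", any("ValueError" in e for e in SERVER_LOG))
```

The incident reference is what keeps the hardened version usable: the client gets nothing about the code, but support can still match a user's report to the exact log entry. The same split applies to framework settings (debug mode off, custom error pages on) and to the web server's own error documents.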

18 How Do I Prevent This?


23 Questions

24 Security Training
Presentation prepared by Nishi Kumar, Systems Architect, Processing Professional Services, FIS; OWASP CBT Project Lead; OWASP Global Education Committee.