[thelist] Hardening a webserver More Exact

Ken Schaefer Ken at adOpenStatic.com
Mon Jan 17 20:14:56 CST 2005



: -----Original Message-----
: From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Chris Johnston
: Subject: Re: [thelist] Hardening a webserver More Exact
: 
: On Sun, 16 Jan 2005 22:06:57 +1100, Ken Schaefer <Ken at adopenstatic.com>
: wrote:
: > A book on what?
: >
: > "Real" security is not for dilettantes. I certainly won't claim to be a font
: > of knowledge, but I've talked to enough security pros to know that I don't
: > know enough (I'm consciously incompetent, which is a step beyond
: > unconsciously incompetent). If you need "real security", get some good
: > consultants in for you. There are plenty of well known and reputable security
: > firms that can do this for you, for a fee.
: >
: 
: So are you trying to say that security cannot be learned from a book?
: The only way to ensure that your computers are secure is to hire a
: consultant?
: 
: I can understand the fact that each situation is different and that
: the security that needs to be put in place is highly dependent on the
: situation, however, I think there is a certain amount of knowledge
: that can be learned from reading web articles and books. Even if I
: were to hire a consultant, as you so strenuously argue, I would still
: want to acquire a fairly good grounding in computer security.

OP wants to build an "extremely secure" solution. Since we are talking about
an enormous array of stuff here: all the way from the physical layer through
to the application layer (and everything in between), you'd need to have a
fair amount of knowledge to even cover stuff (and then, not in depth). Just
to have a good understanding of PKI requires reading a number of books and
documents, and that's just to have a good understanding of how it works, with
no real practical knowledge of its pitfalls and how to protect yourself
against them.

So, I agree that you can teach yourself TCP/IP, IPSEC, firewalls, PKI,
SSL/TLS, HTTP, OS hardening, secure coding practices, SQL injection, cookie
theft, session hijacking, cross-site scripting and so on from books *BUT*
unless you have a lot of time on your hands, and you have some practical
experience, you're not going to learn it quickly and you won't know any of
the real-life issues that one has to deal with.

I'm not "strenuously" suggesting getting in a consultant, but given that this
probably needs to be implemented sometime soonish, it would probably be best
to get someone who has a good understanding of infrastructure and application
security to at least give you a thorough checklist of issues that need to be
dealt with, and some options on how to go about doing them.

As for books: Secrets and Lies: Digital Security in a Networked World (Bruce
Schneier) is a great primer on security concepts IMHO.
Windows Server 2003 PKI and Certificate Security (MS Press) has some good
info on how certificates work (and it's relatively readable, which is a
bonus).
The OWASP Web Application Guide is a good, platform-agnostic guide to
examining common application security threats.
I don't have any recommendations on threat modelling etc., unfortunately.

Cheers
Ken


: This way
: I work intelligently with the consultant and I am not taken for a
: ride. If a consultant can learn this stuff, then so can other people.
: 
: This ain't rocket science.
: 
: In addition, although some of the suggestions have been simplistic,
: there are some tips that can be employed to raise the level of
: security. Even if the person employing those tips does not fully
: understand all the reasons behind them.
: 
: 
: --
: chris johnston
: 
: www.fuzzylizard.com
: 
: "For millions of years, mankind lived just like the animals and
: something happened which unleashed the power of our imagination, we
: learned to talk."
: Pink Floyd
: --