InformationTechnology:Security:Resources

About this page

We apologize for the little information we provide, this page is still under construction. Please stay tuned.


Tools of the trade

This is far from an exhaustive list of resources for security operations; it aims instead at giving a few useful examples. Let's start with a few generic resources:
  • Turns any low-end x86 system (Pentium II and above) into a security powerhouse for network traffic analysis, intrusion detection, network packet generation, wireless network monitoring, and network/host scanning


Tools for penetration and vulnerability testing



File-System encryption

  • Encryption of confidential data
    • Password Plus, for encryption of confidential information [2]
    • KeyPass password and bookmark manager [3]


Encryption of Linux file systems

  • Linux Encryption HOWTO [4]
  • Kurt Seifried's Linux Encryption pages [5] [6]
  • Peter van der Linden's Linux Encryption tutorial [7]
  • PGP on-the-fly encryption [8]
  • AES Crypt - AES File Encryption/Decryption tool for Linux [9]


Encryption of Windows file systems

  • EFS - Encrypting File System for NTFS5 [10]
  • Windows Server Hacks: Finding All Encrypted Files on a volume [11]
  • Addison-Wesley Getting the Most from Microsoft EFS [12]
  • Encrypting File System Primer: Basics and Best Practices [13]
  • Mark Russinovich's Inside Encrypting File System, part 1 [14] and part 2 [15]
  • AES Crypt - AES File Encryption/Decryption tool for Windows [16]
  • TrueCrypt - open-source disk encryption software for Windows Vista/XP, Mac OS X, and Linux (development ended in 2014; the VeraCrypt fork is the maintained successor)


Password robustness checking - Epasswd

  • Epasswd - Solving the heterogenous passwd program problem [17]
  • Epasswd home page [18]


Log auditing and analysis

  • EMC-RSA Envision suite [19], able to correlate and analyze raw events recorded in access logs
  • IBM Tivoli Security Operations Manager [20] (formerly Netcool/NeuSecure) automates log aggregation, correlation and analysis.
  • Sawmill log-file analyzer [21] supporting over 700 log formats
  • NetForensics Security Management suite [22] [23], supports all major vendors' log formats and allows development of custom agents for other formats.
  • AWStats real-time logfile analyzer [24]
  • LogReport's Lire [25] supporting many formats for firewall and web-server logs
  • Simple Event Correlator (SEC) - an open source, platform independent rule-based event correlation tool based on event matching conditions
  • "How to detect hackers on your web server" - a GFI whitepaper on using the GFI LANguard S.E.L.M.
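The list above mentions rule-based event correlation (SEC) without showing what a correlation rule actually does. The following is an added example (not code from the original page and not from the SEC project) that implements two SEC-style rules over constructed sshd log lines: a sliding-window threshold rule for repeated failed logins from one source, and a paired-event rule that fires when a source with recent failures finally gets an accepted login, which is the event an analyst most wants surfaced. The threshold, window size and the assumed year for the syslog timestamps are illustrative choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd lines in syslog format (not real data).
SAMPLE_LOG = """\
Mar 12 10:00:01 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar 12 10:00:03 host1 sshd[2202]: Failed password for root from 203.0.113.7 port 40123 ssh2
Mar 12 10:00:04 host1 sshd[2203]: Accepted password for alice from 198.51.100.4 port 51000 ssh2
Mar 12 10:00:06 host1 sshd[2204]: Failed password for invalid user admin from 203.0.113.7 port 40124 ssh2
Mar 12 10:00:09 host1 sshd[2205]: Failed password for root from 203.0.113.7 port 40125 ssh2
Mar 12 10:00:10 host1 sshd[2206]: Failed password for root from 203.0.113.7 port 40126 ssh2
Mar 12 10:00:12 host1 sshd[2207]: Accepted password for root from 203.0.113.7 port 40127 ssh2
Mar 12 10:02:30 host1 sshd[2208]: Failed password for bob from 192.0.2.9 port 42000 ssh2
Mar 12 10:05:31 host1 sshd[2209]: Failed password for bob from 192.0.2.9 port 42001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+ ssh2$"
)

def parse_line(line):
    """Return an event dict for an sshd auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # syslog timestamps carry no year; a fixed one is assumed here for the arithmetic
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2024)
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"]}

def correlate(lines, threshold=5, window=timedelta(seconds=60)):
    """Two SEC-style rules evaluated in one pass over the lines:
       1. BRUTE_FORCE: `threshold` failures from one source inside `window`
       2. SUCCESS_AFTER_FAILURES: an accepted login from a source that still
          has failures inside `window`
    """
    recent_failures = defaultdict(deque)   # src -> timestamps of failures in the window
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:   # expire old failures (sliding window)
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) == threshold:   # fire when the count reaches the threshold, not on every later failure
                alerts.append(("BRUTE_FORCE", ev["src"], ev["ts"]))
        else:
            if q:
                alerts.append(("SUCCESS_AFTER_FAILURES", ev["src"], ev["ts"]))
            q.clear()   # a success resets the counter for that source
    return alerts

if __name__ == "__main__":
    for kind, src, ts in correlate(SAMPLE_LOG.splitlines()):
        print(f"{ts:%H:%M:%S} {kind} from {src}")
```

On the sample data the two failures from 192.0.2.9 are three minutes apart, so the window expires the first one and no alert fires; the burst from 203.0.113.7 trips the threshold on its fifth failure and the subsequent accepted login is reported separately.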


Host-based Intrusion Protection Systems (HIPS)

Intrusion prevention systems (IPS) can be deployed on the network (network-based intrusion prevention, NIPS) or on the host (host-based intrusion prevention, HIPS). A NIPS is typically an inline appliance sitting in the traffic path, while a HIPS is a software agent running on the protected host. (A plain firewall is not an IPS: it filters on addresses and ports rather than on attack content.)
Gartner has identified three levels and nine distinct protection styles of host-based intrusion prevention.
Several vendors offer HIPS solutions:

SNORT Intrusion Detection Systems

The open-source Snort IDS is a rule-based engine that inspects network traffic at wire speed up to the application layer, looking for patterns of intrusion. Higher Snort throughput on standard hardware can be obtained with Phil Wood's mmap-ed libpcap. Snort also has an "inline" mode in which it acts as an intrusion prevention system (IPS): instead of only watching a copy of the traffic, it receives packets from iptables through the kernel's packet-queueing interface and can drop the ones that match a rule. The Snort-based Sourcefire 3D9800 appliance supports up to 10 Gbps of packet-inspection throughput by using specialized network-interface hardware. Other 10 Gbps-capable Snort-based IDS implementations are available from Endace (Ninja Probe, based on the DAG chipset) and from Tilera (based on the TILE64 CPU array).
Detection data from multiple Snort sensors can be post-processed by the Barnyard log spooler and centralized on a Sguil Network Security Monitoring (NSM) console.
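To make "rule-based engine" concrete, here is an added example (not Snort's code, and not from the original page) of a toy matcher for a small subset of Snort rule syntax: the header (action, protocol, source/destination address and port, with CIDR networks but no `$HOME_NET`-style variables) and the `msg`, `content` (including `|hex|` byte notation), `nocase` and `sid` options. It is run against constructed packets rather than a capture. Real Snort matches on reassembled streams and normalized HTTP, so a per-packet substring match like this one would miss payloads split across segments or encoded; that is what the preprocessors exist for.

```python
import ipaddress
import re

# Header: action proto src sport -> dst dport ( options )
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|drop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)

def content_to_bytes(spec):
    """Convert Snort content syntax ('GET |2F 2E 2E 2F|') to raw bytes:
    text outside pipes is literal, text inside pipes is hex."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)

def parse_rule(text):
    """Parse the subset of options used here: msg, content, nocase, sid.
    Assumption: no ';' inside quoted strings."""
    m = HEADER_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unparseable rule header: {text!r}")
    rule = {k: m[k] for k in ("action", "proto", "src", "sport", "dst", "dport")}
    rule.update(msg="", sid=None, contents=[])      # contents: list of [bytes, nocase]
    for opt in (o.strip() for o in m["opts"].split(";")):
        if not opt:
            continue
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "msg":
            rule["msg"] = val
        elif key == "content":
            rule["contents"].append([content_to_bytes(val), False])
        elif key == "nocase" and rule["contents"]:
            rule["contents"][-1][1] = True           # modifier applies to the preceding content
        elif key == "sid":
            rule["sid"] = int(val)
    return rule

def addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def rule_matches(rule, pkt):
    if rule["proto"] != pkt["proto"]:
        return False
    if not (addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"])):
        return False
    if not (port_matches(rule["sport"], pkt["sport"]) and port_matches(rule["dport"], pkt["dport"])):
        return False
    for pattern, nocase in rule["contents"]:          # every content must be present (AND)
        hay, needle = (pkt["payload"].lower(), pattern.lower()) if nocase else (pkt["payload"], pattern)
        if needle not in hay:
            return False
    return True

def scan(rules, packets):
    """Return (sid, msg, packet index) for every rule hit, in packet order."""
    return [(r["sid"], r["msg"], i) for i, p in enumerate(packets) for r in rules if rule_matches(r, p)]

# Constructed rules for the example (sids in the local 1000000+ range).
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> 192.0.2.0/24 80 (msg:"WEB-MISC directory traversal"; '
    'content:"GET "; content:"|2F 2E 2E 2F|"; sid:1000001; rev:1;)',
    'alert tcp any any -> any 80 (msg:"WEB-MISC cmd.exe access"; content:"cmd.exe"; nocase; sid:1000002; rev:1;)',
)]

# Constructed packets (decoded 5-tuple plus TCP payload), not captured traffic.
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.7", "sport": 40000, "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"},
    {"proto": "tcp", "src": "203.0.113.7", "sport": 40001, "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET /scripts/CMD.EXE?/c+dir HTTP/1.0\r\n\r\n"},
    {"proto": "tcp", "src": "198.51.100.4", "sport": 50000, "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET /index.html HTTP/1.0\r\n\r\n"},
    {"proto": "tcp", "src": "203.0.113.7", "sport": 40002, "dst": "198.51.100.9", "dport": 80,
     "payload": b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"},   # destination outside the first rule's network
]

if __name__ == "__main__":
    for sid, msg, idx in scan(RULES, PACKETS):
        print(f"[{sid}] {msg}: packet {idx} from {PACKETS[idx]['src']}")
```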

Configuration auditing and control

One of the greatest challenges in security operations is to detect and prevent unauthorized changes to the environment. Different approaches exist, from strict access control to tools that detect such changes as they happen. One of the best toolsets in this class is Tripwire [26], available in Enterprise and Open Source flavors. The Enterprise version supports a large variety of IS/IT components and operating systems. The Open Source version [27] works as a host-based intrusion detection system: at each integrity check it computes cryptographic hashes (and other attributes) of file-system objects and compares them with the reference values archived in its database, reporting any object that was added, removed or modified. Beyond intrusion detection, Tripwire can help enforce policies for integrity assurance, change management and access-rights compliance. A very interesting product that enforces application usage at the desktop is Bit9 Parity. According to a Windows IT Pro article the tool simplifies desktop administration. Bit9 deploys agents on each desktop that validate any application launched against a "gray list" maintained on a server and against predefined policies.


The Public Key Infrastructure (PKI)

A public key infrastructure (PKI) is a foundation on which applications, systems, and network security components can rely to provide security services such as confidentiality, integrity, authentication, and non-repudiation. The PKI architecture relies on public-key cryptography (certificates binding public keys to identities, issued and revoked by certification authorities) to support the security requirements of emerging online business models.

PKI resources:
  • Public Key Infrastructure Overview [28]
  • Introduction to Public Key Infrastructure [29]
  • Understanding Public Key Infrastructure (PKI) [30]
  • DoD Public Key Infrastructure - Deploying the PKI Token [31]
  • Building an Open Source Public Key Infrastructure using OpenXPKI [32]
  • Trust Management in the Public-Key Infrastructure [33]
  • The Internet public key infrastructure [34]
  • VeriSign Managed Public Key Infrastructure [35]
  • Entrust Authority Security Manager PKI commercial solution


Firewall security practice

The ShieldsUp service from Gibson Research Corporation [www.grc.com] probes a host from the Internet side and reports which ports its firewall leaves open.

The iptables firewall mechanism in Linux allows configuring fine-grained, stateful firewall policies. It is the user-space front end to the Netfilter [36] kernel packet-filtering framework.

Configuring iptables by hand is not trivial, and tools exist to simplify it:
  • FireHOL, the iptables stateful packet filtering firewall builder [37]
  • Guarddog, a firewall configuration utility for Linux systems [38]


A lot of literature exists on firewall theory:

Firewall Log Analysis

The firewall log analysis is of great importance in operational computer security. A good overview on firewall logging & monitoring is available online [41]

The INSPECT scripting language [42] supported by Check Point firewalls allows configuring the behavior of the firewall engine and even defining policies without using the OpenLook [43] GUI.

Tools for analyzing Check Point firewall logs are mainly available from third-party vendors and use the OPSEC (Open Platform for Security) APIs, whose documentation also covers the log format [44].

An introduction to log analysis practice [45] is available from NISCC. A variety of commercial and free tools exist for simplifying the log analysis process:
  • FW1-Loggrabber, a command-line tool to fetch log files remotely from Check Point FW-1 using Check Point's LEA (Log Export API), one part of the OPSEC API [46]
  • Firegen, a family of firewall log-analysis products [47]. It does not support however analysis of the Checkpoint FW1 and NG firewalls.
  • Balazs Barany's shell script to parse and summarize firewall logfiles [48]
  • Fwlogsum, a tool used to summarise FW1 logs [49]
  • Fwlogwatch, a packet filter/firewall/IDS log analyzer [50] [51]
  • Wflogs: a firewall log analyzer (netfilter,ipchains,ipfilter,PIX or snort log formats) [52]
  • Splunk, a commercial log search engine
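Several of the tools listed above do little more than parse firewall log lines and summarize them, which is easy to do by hand when none of them fits. The following is an added example (not from the original page and not from any of the listed tools) that parses constructed netfilter `LOG`-target lines of the form written by `iptables -j LOG --log-prefix`, counts events per source, per destination port and per log prefix, and flags sources that touched at least N distinct ports, a crude but useful port-scan indicator. The sample lines, the prefixes `FW-DROP:`/`FW-ACCEPT:` and the threshold are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed netfilter LOG lines (not real data); one unrelated sshd line is included to show it is skipped.
LOG = """\
Mar 12 10:01:00 fw kernel: [1200.100] FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=40000 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 12 10:01:01 fw kernel: [1201.100] FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 12 10:01:02 fw kernel: [1202.100] FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 12 10:01:03 fw kernel: [1203.100] FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=40003 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 12 10:01:04 fw kernel: [1204.100] FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=40004 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 12 10:01:05 fw kernel: [1205.100] FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=40005 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 12 10:01:07 fw kernel: [1207.300] FW-DROP: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TTL=57 ID=0 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 12 10:01:08 fw kernel: [1208.300] FW-DROP: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TTL=57 ID=0 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 12 10:01:09 fw kernel: [1209.000] FW-ACCEPT: IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.10 LEN=84 TTL=64 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=100 SEQ=1
Mar 12 10:01:10 fw sshd[900]: Accepted publickey for ops from 192.0.2.99 port 45000 ssh2
"""

# Everything between "kernel: [uptime]" and the first "IN=" is the --log-prefix text.
PREFIX_RE = re.compile(r"kernel: (?:\[\s*[\d.]+\] )?(?P<prefix>.*?)IN=")
KV_RE = re.compile(r"(\w+)=(\S*)")   # KEY=value tokens; bare flags like DF or SYN are ignored

def parse_netfilter_line(line):
    """Return the KEY=value fields of a netfilter LOG line (plus PREFIX), or None."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    fields = dict(KV_RE.findall(line[m.start():]))
    fields["PREFIX"] = m["prefix"].strip()
    return fields

def summarize(lines, scan_threshold=5):
    """Counts per source, per (proto, dport) and per log prefix, plus sources that
    touched at least scan_threshold distinct ports."""
    by_src, by_dport, by_prefix = Counter(), Counter(), Counter()
    ports_per_src = defaultdict(set)
    for line in lines:
        f = parse_netfilter_line(line)
        if f is None:
            continue
        src = f.get("SRC", "?")
        by_src[src] += 1
        by_prefix[f["PREFIX"]] += 1
        if f.get("PROTO") in ("TCP", "UDP") and "DPT" in f:   # ICMP lines carry no ports
            dpt = int(f["DPT"])
            by_dport[(f["PROTO"], dpt)] += 1
            ports_per_src[src].add(dpt)
    scanners = sorted(s for s, ports in ports_per_src.items() if len(ports) >= scan_threshold)
    return {"by_src": by_src, "by_dport": by_dport, "by_prefix": by_prefix, "scanners": scanners}

if __name__ == "__main__":
    report = summarize(LOG.splitlines())
    print("top sources:", report["by_src"].most_common(3))
    print("top ports:  ", report["by_dport"].most_common(3))
    print("by prefix:  ", dict(report["by_prefix"]))
    print("scanners:   ", report["scanners"])
```

Using distinct `--log-prefix` strings per rule is what makes the per-prefix breakdown meaningful; without them every line looks the same and you cannot tell a drop from an accept in the summary.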


Web-application IDS and firewalls

Web-application firewalls (WAF) are application-layer firewalls that inspect HTTP traffic and detect and/or block web-borne attacks (injection, cross-site scripting, path traversal and the like) against web applications and their users. OWASP published a set of WAF evaluation criteria, and security expert Jeremiah Grossman explains in more detail here what a WAF is. More recently, WAF functionality has also been bundled into Unified Threat Management (UTM) and Extensible Threat Management (XTM) appliances alongside other network-security functions.
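To show what the inspection step of a WAF looks like, here is an added example (not from the original page, from OWASP or from any WAF product) that normalizes the path, query string and form body of a request and runs a handful of constructed signatures over each field. The point it makes beyond the paragraph is the normalization: a signature engine that matches raw bytes is trivially bypassed by URL-encoding (or double-encoding) the payload, so decoding has to happen before matching, with a bound on the number of rounds. The signatures, request samples and field names are illustrative.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed signatures for illustration; real rule sets (e.g. OWASP CRS) are far larger.
SIGNATURES = [
    ("sqli-union",     re.compile(r"\bunion\b[\s/*]+\bselect\b", re.I)),
    ("sqli-tautology", re.compile(r"(?:'|\")\s*or\s+\d+\s*=\s*\d+", re.I)),
    ("xss-script",     re.compile(r"<\s*script\b", re.I)),
    ("traversal",      re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")),
]

def normalize(value, max_rounds=3):
    """Undo URL encoding until the value stops changing (bounded), so that
    double-encoded payloads such as %253C are seen as '<' by the signatures."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(method, target, body=""):
    """Inspect path, query parameters and form body; return allow/block plus the hits."""
    parts = urlsplit(target)
    fields = [("path", normalize(parts.path))]
    fields += [(f"query:{k}", normalize(v)) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    if body:   # assumes application/x-www-form-urlencoded
        fields += [(f"body:{k}", normalize(v)) for k, v in parse_qsl(body, keep_blank_values=True)]
    hits = [(name, where) for where, value in fields for name, pattern in SIGNATURES if pattern.search(value)]
    return {"method": method, "action": "block" if hits else "allow", "hits": hits}

# Constructed requests, not captured traffic.
REQUESTS = [
    ("GET", "/products?id=42", ""),
    ("GET", "/products?id=42%27%20or%201%3D1--", ""),
    ("GET", "/search?q=%253Cscript%253Ealert(1)%253C/script%253E", ""),   # double-encoded
    ("GET", "/static/..%2F..%2Fetc/passwd", ""),
    ("POST", "/login", "user=admin&pass=x%27+UNION%2F%2A%2A%2FSELECT+1"),
]

if __name__ == "__main__":
    for method, target, body in REQUESTS:
        r = inspect_request(method, target, body)
        print(f"{r['action']:5} {method} {target} {r['hits']}")
```

Even with normalization, signature-based filtering is a compensating control rather than a fix: comment tricks, alternative encodings and character-set games routinely get past such lists, so the application behind the WAF still has to validate its own input.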

Other firewall-related resources



ISO 17799 resources

  • Excellent resources for security practices and ISO 17799 compliance [58]
  • Excellent ISO 17799 resources and the annotated standard online [59]
  • ISO 17799:2005 [60]
  • ISO 17799 compliance criteria [61]


SAS-70 and outsourcing security compliance

CICA 5970 is the Canadian counterpart of SAS 70 (background here and here). A SAS 70 engagement on an outsourcer produces one of two report types:
  • Type 1 report: describes the controls in place at a point in time; no testing of their operating effectiveness
  • Type 2 report: additionally tests the controls' operating effectiveness over a period (commonly at least six months)
However, according to security experts, a SAS-70 certification is extremely costly (>US$300K) and not very meaningful. Here are some "security secrets of outsourcing": what an outsourcer must comply with. For instance, the link between logging and SAS-70 is that reviewing the logs is evidence that controls are in place and operating.

Other compliance topics

  • HIPAA compliance issues [62]
  • Sarbanes-Oxley compliance [63]
  • Basel-II compliance [64]


Other resources