SwTech.com - Network and Server Security

Internet Communications : Network and Server Security


See Also:
^Internet Communications
>Servers


* Consensus' Security Info Page
Contains links to several sources of information on SSL (Secure Sockets Layer) and encrypted communications.
* The World Wide Web Security FAQ
Maintained by Lincoln D. Stein. Attempts to answer some of the most frequently asked questions relating to the security implications of running a Web server. There is also a short section on Web security from the browser's perspective.
* Netsurfer Focus - Digest on Computer and Network Security - vol 1
The first (1995) volume of Netsurfer Focus' Digest on Computer and Network Security.
Provides a very detailed coverage of the areas of network security, and what can be done to improve it.
* Improving the Security of Your Site by Breaking Into it
A paper giving the rationale for the SATAN network security testing tool.
* Pointers to Authentication Info
* Electronic Commerce and Security
A detailed discussion of the security aspects to be considered when developing an electronic commerce system.
* The DoD Orange Book
An on-line text version of the "Orange Book" - the U.S. DOD Trusted Computer System Evaluation Criteria. This is THE bible when it comes to the definition of secure operating systems, and is where the term "B1 security" originates.
Warning: Very big file (271KB!)
* CERT Coordination Center
Home page for CERT.
* CERT Advisories
A CERT advisory is a document that provides information on how to obtain a patch or details of a workaround for a known computer security problem. The 01-README file provides a short summary of each advisory.
* CERT Summaries
A CERT Summary calls attention to the types of attacks currently being reported to the CERT Coordination Center. The 01-README file provides an index.
* S/Key One Time Passwords
Information about the S/Key challenge/response one time password scheme.
* BellCore
The BellCore S/Key distribution and One-Time Password (OTP) archive.
* jotp: The Java OTP Calculator
A One-Time Password (OTP) calculator written in Java for the S/Key system. Includes full source code, so you can check what the applet is doing before using it, and compile everything yourself locally for extra security.
* S/KEY introduction
An introduction and technical description of the S/Key one-time password system.
* Securing Windows NT Installation
This white paper talks about various security issues with respect to configuring all Windows NT version 4.0 operating system products for a highly secure computing environment. Direct access, or try the TOC
* E-Commerce Sites Top Hacker's Hit Lists
A news article outlining the results of a survey by NetSolve into the type and frequency of attacks on Internet sites - particularly e-commerce sites.
* The Unix Secure Programming FAQ
Tips on security design principles, programming methods, and testing. A quick guide of must-do secure programming techniques along with advice on methods to avoid.
* Designing secure software
A methodology for avoiding the security holes that drive you mad in other people's software [;-^]
* Opera Browser
Opera Software produces the Opera browser - a very small and extremely fast web browser. However, its other main claim to fame is support for full 128-bit encryption for anyone living outside the U.S. but requiring guaranteed online purchase security and privacy.
* Headline: Navy's Open Source Security Project Shines
The U.S. Navy's SHADOW (Secondary Heuristic Analysis System for Defensive Online Warfare) intrusion-detection program has succeeded in pinpointing attackers who were probing military computers in ways that had previously gone unnoticed.
SHADOW is different from the growing number of intrusion-detection tools on the market at the moment, in that it is freely distributed online as an open source program.
* NOT the Orange Book
A Guide to the Definition, Specification, Tasking, and Documentation for the Development of Secure Computer Systems. (Including condensations of the National Computer Security Center's Rainbow Series and related documents.)
A guide to computer security standards that is somewhat easier to read than the full DOD Orange Book spec!
* Intruder Detection Checklist
This CERT document outlines suggested steps for determining if your system has been compromised. System administrators can use this information to look for several types of break-ins.
* Steps for Recovering from a UNIX Root Compromise
This CERT document sets out the suggested steps for responding to a UNIX root compromise.
* UNIX Configuration Guidelines
This CERT document describes common UNIX system configuration problems that have been exploited by intruders and recommends practices that can be used to help deter several types of break-ins.
* List of Security Tools
This CERT document describes tools that can be used to help secure a system and deter break-ins.
* Tripwire
Tripwire checks file and directory integrity; it is a utility that compares a designated set of files and directories to information stored in a previously generated database. Any differences are flagged and logged, including added or deleted entries. When run against system files on a regular basis, Tripwire enables you to spot changes in critical system files and to immediately take appropriate damage control measures.
* Getting started with SSH
This document by Kimmo Suominen is a basic guide on how to setup a user new to ssh with the appropriate files necessary for accessing remote hosts in a secure manner.
* TTSSH: An SSH Extension to Teraterm
TTSSH is a free SSH client for Windows. It is implemented as an extension DLL for Teraterm Pro. Teraterm Pro is a superb free terminal emulator/telnet client for Windows, and its source is available. TTSSH adds SSH capabilities to Teraterm Pro without sacrificing any of Teraterm's existing functionality. TTSSH is also free and its source is available too. Furthermore, TTSSH has been developed entirely in Australia, and can be exported from here to anywhere in the world (apart from places where people aren't allowed to own cryptographic software at all :-( ).
* The Stanford SRP Authentication Project
The Secure Remote Password protocol is the core technology behind the Stanford SRP Authentication Project. The Project is an Open Source initiative that integrates secure password authentication into existing networked applications.
The Project's primary purpose is to improve network security from the ground up - by integrating strong password authentication into widely-used protocols instead of adding security as an afterthought. SRP makes these objectives possible because it offers a unique combination of password security and user convenience, and because it is compatible with Open Source Software licensing.
This site serves as the semi-official home of the SRP distribution, which contains secure versions of Telnet and FTP. In addition, it contains links to a number of SRP-related projects, products (both commercial and non-commercial), and research on the Web.
* Simple Authentication and Security Layer (SASL)
The Simple Authentication and Security Layer (SASL), described in RFC 2222, is a means of adding authentication support to connection-based protocols. It is used with popular Internet protocols such as POP3, IMAP, SMTP and LDAP.
The Cryptix SASL Library includes an implementation of the Java language bindings for the core SASL features plus a number of additional SASL Mechanisms such as SRP.
* Book: Applied Cryptography: Protocols, Algorithms, and Source Code in C
Bruce Schneier's Applied Cryptography: Protocols, Algorithms, and Source Code in C offers an authoritative introduction to the field of cryptography, suitable for both the specialist and the general reader. The book adopts an encyclopedic approach to cryptographic systems throughout history, from ciphers to public key cryptography. Schneier also outlines cryptographic protocols -- the steps required for secure encryption -- with the precision of a chess master. Readable, instructive, and truly exhaustive, this text is a must for anyone wanting a solid introduction to the field in a single volume. Applied Cryptography presents the source code for most algorithms and other procedures in C rather than using pure math. The book also includes source code for the Data Encryption Standard (DES) and other algorithms, but readers don't need to know programming to benefit from this text. With a truly comprehensive bibliography of over 1,600 entries, Applied Cryptography provides the reader with plenty of sources for more information. Cryptographic techniques have applications far beyond the obvious uses of encoding and decoding information. For Internet developers who need to know about capabilities, such as digital signatures, that depend on cryptographic techniques, there's no better overview than Applied Cryptography, the definitive book on the subject. Bruce Schneier covers general classes of cryptographic protocols and then specific techniques, detailing the inner workings of real-world cryptographic algorithms including the Data Encryption Standard and RSA public-key cryptosystems. The book includes source-code listings and extensive advice on the practical aspects of cryptography implementation, such as the importance of generating truly random numbers and of keeping keys secure.
* Book: Internet Cryptography
For all the talk about the Internet's very real security weaknesses, information safety is not all that difficult to achieve. Yes, most Internet technology does a better job of making information accessible than it does of protecting privacy. Still, modern cryptographic products and techniques have made more than adequate security available to just about anyone who needs it. In Internet Cryptography, network security consultant Richard Smith explains the basics of online security. He avoids getting technical with too much cryptographic theory or the mathematics behind the magic. Instead he focuses on providing just enough information to enable information systems managers and administrators to make wise decisions. In fact, Smith pays close attention to matters of system configuration and operation, showing how even the best encryption methods can be ruined by careless operation. From there, Smith explains how today's techniques can protect information from being forged, altered, or stolen. Smith devotes most of his discussion of various cryptographic options to products that are presently on the market. Therefore, the techniques he describes are generally within the reach of most businesses and organizations. He progresses from the simplest to most complex approach, examining the strengths and weaknesses of each. As a result, readers wind up with a solid understanding of cryptographic security as well as a good feel for the level of security they require.
* Book: Secrets and Lies : Digital Security in a Networked World
Whom can you trust? Try Bruce Schneier, whose rare gift for common sense makes his book Secrets and Lies: Digital Security in a Networked World both enlightening and practical. He's worked in cryptography and electronic security for years, and has reached the depressing conclusion that even the loveliest code and toughest hardware still will yield to attackers who exploit human weaknesses in the users. The book is neatly divided into three parts, covering the turn-of-the-century landscape of systems and threats, the technologies used to protect and intercept data, and strategies for proper implementation of security systems. Moving away from blind faith in prevention, Schneier advocates swift detection and response to an attack, while maintaining firewalls and other gateways to keep out the amateurs. Newcomers to the world of Schneier will be surprised at how funny he can be, especially given a subject commonly perceived as quiet and dull. Whether he's analyzing the security issues of the rebels and the Death Star in Star Wars or poking fun at the giant software and e-commerce companies that consistently sacrifice security for sexier features, he's one of the few tech writers who can provoke laughter consistently. While moderately pessimistic on the future of systems vulnerability, he goes on to relieve the reader's tension by comparing our electronic world to the equally insecure paper world we've endured for centuries--a little smart-card fraud doesn't seem so bad after all. Despite his unfortunate (but brief) shill for his consulting company in the book's afterword, you can trust Schneier to dish the dirt in Secrets and Lies.
* Gibson Research Corporation
Some great security checking tools, including the "Shields Up!" port scanner to quickly test the security of your internet connected PC.
* PuTTY: A Free Win32 Telnet/SSH Client
PuTTY is a free implementation of Telnet and SSH for Win32 platforms, along with an xterm terminal emulator. It is written and maintained primarily by Simon Tatham.
* Grid Security Infrastructure (GSI)
The Globus Toolkit uses the Grid Security Infrastructure (GSI) for enabling secure authentication and communication over an open network. GSI provides a number of useful services for Grids, including mutual authentication and single sign-on. Software developed by the Globus Project is available for use, free of charge. The Globus Toolkit Public License governs its use.
* Open Web Application Security (OWASP) Project
Home page for OWASP, the "Open Web Application Security Project". The project aims to help everyone build more secure web applications and web services. The Web Application Security Testing Framework is setting out to produce an industry standard blueprint for how to methodically test the security of all web applications and web services.
* Risks of the Passport Single Signon Protocol
An analysis from researchers at AT&T Labs of the security problems with the Passport system.
* Response to Kormann & Rubin Document
Kormann and Rubin from AT&T Labs Research wrote a paper entitled "Risks of the Passport Single Sign-on Protocol" in March of 2000. Unfortunately, the authors were working only from white papers and observing client behavior, not from conducting an in-depth analysis of the system or installing and using the publicly available software development kit. Nonetheless, the misinformation associated with the paper and the impact of its findings continues to circulate, so Microsoft has prepared the following Q&A to address each risk identified by Kormann and Rubin, and discuss the steps that Microsoft has taken to resolve the issues.
* Non-repudiation Simple to understand, Difficult to implement
An important piece of information security in the digital economy is providing a mechanism for the non-repudiation function. The information security professional must help provide that mechanism by collecting and protecting the irrefutable evidence needed, as defined within the transactional envelope. This article looks at what constitutes non-repudiation, and what conditions need to be present for non-repudiation to occur.
Copyright © 1996-2006 Software Technologies Ltd. All rights reserved. All trademarks acknowledged. E & O E.
http://www.SwTech.com/net/security/