What is the Best Firewall?

The answer is it depends, but if you are willing to invest an hour or two reading the references below, we have the information security knowledge to help you engineer the security architecture that is right for you. SANS constantly runs surveys to find out what tools you use. Currently, the three most popular firewalls used by the SANS community are:

• Checkpoint Firewall 1: (1) (2)
• Cisco Pix: (1)
• NetScreen: (1)

Perhaps you are in the market for a firewall and are in the comparison shopping phase, be sure to read paper "Comparison Shopping for Scalable Firewalls" by Laura Keadle.

The best book on firewalls by far is Inside Perimeter Security by Northcutt, Zeltser, Winters, Frederick and Ritchey.

At SANS, we have been very impressed with the free Unix/Linux/BSD firewall options described in the paper "IPFilter: A Unix Host-Based Firewall".

The latest buzz in firewalls is airgaps and SANS has a number of papers on this approach to perimeter security. "Disconnect from the Internet - Whale's e-Gap In-Depth" by Kevin Gennuso and others found in GCFW Gold certifications from GIAC as well as the Reading Room's Firewall section.

Explain Hacking

Computer Hacking is a bit broad for class of resources, but we have a number of great information security educational papers on hacking. If you are looking for the deeply technical stuff go straight to the last reference.

"Hacking: The Basics" by Zachary Wilson gets you started with the basics.

"The Brazilian Connection: Brazilian Defacement Groups Stake their Claim" by Mike Poor discusses one of the more skilled hacker groups.

Your education about hacking is incomplete until you read about hacktivism in "Ethics of Hacktivism" by Julie L.C. Thomas will get you up to speed.

"What Should I Tell My Kids About Hacking?" by Lee Biard on how we educate kids about hacking.

Related to the paper above, the FTC "Stay Safe Online" program for security awareness and government/citizen partnership is worth reading.

Explain the DMZ

DMZ - In information security, DMZ has multiple meanings. Classically it refers to the part of the perimeter between your service provider's point of demarcation and where you assume control. It can also mean any protected network, usually one at least partially accessible via the Internet. SANS has a number of papers shown below to help you learn about DMZ design and testing and also offers information security training in firewalls, DMZs and VPNs.

"Designing a DMZ" by Scott Young on DMZ design.

"Three Tired DMZs" by Chris Mahn on three tiered or complex DMZs, if this sounds like overkill to you, it is worth noting the Visa Security Commandments for credit card merchants specify a separate DMZ for credit card activity.

"Securing Extranet Connections" by Jeff Pipping on extranets, a special type of DMZ.

What is Netcat?

Netcat is the Swiss Army Knife of network and networked application testing.

RR paper by Tom Armstrong covers the basic commands and features of netcat and is in the Reading Room.

"Penetration Studues - A Technical Overview" by Timothy Layton is primarily focused on penetration testing, but includes a section on netcat. If you are interested primarily in penetration testing, Tim recommends Jessica Lowery's "Penetration Testing: The Third Party Hacker" on penetration testing at http://rr.sans.org/penetration/third_party.php. Jessica's paper did a great job of outlining and defining what penetration tests are and how an organization should view and use them.

How does a Reverse Proxy Work?

Reverse Proxy, this is a hot topic in information security training as the recent rash of Apache and IIS vulnerabilities have security engineers thinking they need something between their web servers and the Internet. SANS offers one day courses in securing IIS and also Apache and has a number of free papers listed below in our reading room.

"A Reverse Proxy is A Proxy By Any Other Name" by Art Stricek covers the fundamentals of reverse proxy.

"Perimeter Defense-in-Depth: Using Reverse Proxies and other tools to protect our internal assets" by Lynda L. Morrison shows an example reverse proxy with Apache and SSL.

"A Secure Implementation of HP OpenView Web Transaction Observer" reverse proxy architecture implemented with HP OpenView Web Transaction Observer by Matthew Patterson

Scanning Port 137

There has been an increase in security education regarding scanning for port 137. This has two sources, an increase in awareness among script kiddies of the ability to discover information about a target host using NBTSTAT and the spread of an internet worm known as network.vbs.

Following is a Port 137 document on Intrusion Detection located as a question in the Intrusion Detection FAQ.

Please also see the document and detailed chart on "Using IDS to Evaluate Outbound Port Usage for Security and Reduction of IDS Alerts: A Case Study" written by Kenneth Underwood.

What are TCP Wrappers?

TCP Wrappers acts much like a soldier at a checkpoint, verifying a host's clearance prior to entry. Simply put TCP Wrappers capitalizes on the client/server relationship necessary for most TCP/IP applications. TCP Wrappers inserts itself into the middle of the relationship and acts as the server until the client/host is authenticated. TCP Wrappers utilizes its access control feature to authenticate hosts. TCP Wrappers does all of this with no overhead to the system.

Detailed training information on TCP Wrappers in the paper "Configuring Secure Shell with TCP Wrappers on Solaris 2.8" by Jane Micheller is located at

You can get TCP Wrappers for free from porcupine.org.

Explain IP Spoofing

IP spoofing involves fooling a target system into thinking that the packets that it is receiving have been sent from a system other than the attacker's system. In its simplest form, IP spoofing is achieved by faking the source IP address in the packets that are sent by the attacker.

It is important to keep educated on spoofing since it can take on many forms in the computer world, all of which involve some type of fraudulent representation of information. There are a variety of methods and types of spoofing.

For an introduction to IP spoofing see "Introduction to IP Spoofing" by Victor Velasco.

For full information on the many forms of IP spoofing check out "Spoofing: An Overview of Some of the Current Spoofing Threats" on the SANS website.

What is a Security Policy?

All security and technical training classes talk about the necessity of basing procedures on a good security policy. We need to understand what is meant by policy.

For an expansive repository of sample security policies view: "The SANS Security Policy Project".

Safeguarding information is challenging when records are created and stored on a computer. Research projects are often excellent resources for security policies. A good sample of one is "Global Incident Analysis Center".

To learn how to define a sample security policy see the document "GIAC ISO Practical Assignment, VPN/Extranet Service Provider Security Policy and Procedure" by Jonathan Espenschied.

Explain fport

Fport identifies programs listening at ports even when a suspicious port is identified. For best practices of Fport view "Vulnerability Identification and Remediation Through Best Security Practices", by BJ Bellamy Jr.

To develop defense-in-depth computer security, an understanding of various vulnerabilities must be realized before a protection strategy is developed. The following document will help you identify those vulnerabilities, "Using Fport on Windows NT to Map Applications to Open Ports" by Teena J. Henson.

Fport is from www.foundstone.com.

What does Subseven mean?

SubSeven is a Trojan for the Windows platform. It comes at least in two parts a client and a server. The hacker to connect to the victim's machine uses the client. Once the server.exe is installed on the victim's machine the hacker has full access to the victim's machine. For details of subseven see the FAQ, "Intrusion Detection FAQ SubSeven Trojan v1.1"

Additional information on subseven can be found at "Deconstructing SubSeven, the Trojan Horse of Choice" by Jamie Crapanzano.

Also see "SubSeven 2.2: New Flavor of an Old Favorite" by Aaron Greenlee.

For more technical information on SubSeven including a Tcpdump of SubSeven Scans review the document by David Thibault.

What is a War Dialer?

By using a war dialer, hackers can set their computer to automatically dial thousands of number until finding a modem. All too frequently, such modems will be enabled to answer incoming calls, and the computer they are connected to also happens to be connected to, and trusted by, the corporate internet.

• "PhoneSweep: The Corporate War Dialer", by Greg Hodes
• "War Dialing", by Michael Gunn
• "Securing The Wile Modem: A Case Study on the Use of Policies, War Dialers, and Firewalls for Phone Lines" by Archie Woodworth

What is OS Fingerprinting?

The practice of determine what operating system a remote system is running.

What is snort?

Snort is a simple yet powerful packet sniffer and logger that can be used as a lightweight network intrusion detection system (NIDS). It is an important part of an overall approach to maintaining a secure network. For an excellent review of this tool as well as a large amount of more specific information, see Mark D. Tollison's paper; "An Analysis of theSnort Network Intrusion Detection System".

Intrusion Detection: It is possible to set up an effective intrusion detection system using open source tools at little to no cost. If you build such a system, snort is likely to be an important part of your solution. For an intelligent and readable explanation of how to do this, check out "Using Snort For a Distributed Intrusion Detection System" by Michael P. Brennan or take a look at the Hands on Intrusion Detection FAQ.

What is SnortSnarf? In an effective NIDS system, detection of an attack is a must. But how is detection possible if the data is buried deep within the IDS log files? SnortSnarf provides a solution. It is a Perl script that uses the snort log files and processes them into a web viewable format. Information on SnortSnarf as well as Spade, Nmap2HTML and SISR is in the article "Using Snort v1.8 with SnortSnarf on a RedHat Linux system".

Miscellaneous technical information: For a snort command line summary and other technical information read "An Analysis of theSnort Network Intrusion Detection System".

Snort can be used in a dynamically assigned IP address environment, "A tool for running Snort in dynamic IP address assignment environment" describs this.

Snort and Specific Operating Systems: To use snort as a network intrusions detection system (NIDS) and network monitor under Linux, see the work by James Kipp or William Metcalf, "Building and maintaining a NIDS cluster using FreeBSD and Snort" describes how to install and run snort on FreeBSD.

Snort and Windows Operating Systems: Snort can also be used under the various versions of Windows. The instructions, however, can be arcane. They leave out important details, and do not explain exactly why certain things are being installed or configured a specific way. If you are working in Win2000/XP, even if you have limited technical experience, and would like to install a network intrusion detection system, check out Christina Neal's "Snort Install on Win2000/XP with Acid, and MySQL for Dummies"

A similar set up is discussed in "Configuring Snort, MySQL, and ACID on Windows NT" If you want a tutorial on the use of Snort in a Windows environment that also examines Intrusion Detection systems and the growing need for them, Kenneth Rode's paper "Snort - Free Graphical IDS for the Windows Environment" may be useful.

What is dsniff?

If it's your job to manage or secure a network, you already know the importance of sniffing, that is, listening to the traffic on your network. Sniffing on a LAN is simple-just put a network card in promiscuous mode and grab everything. On a switched network though, every entity on your network is connected to its own port on the switch. Only packets destined for a given MAC address are sent down the segment that machine is connected to. A sniffing machine would only hear its own traffic. So how can you monitor traffic on a switched network? Simple: dsniff. Dsniff is a suite of utilities that allows a computer to intercept particular types of switched information in a variety of ways.

For an excellent introduction to dsniff as well as brief information on installation, use, detection, and countermeasures, read Lora Danielle's "Introduction to dsniff."

Packet sniffing on a switched network: To learn more about packet sniffing in a switched environment, take a look at Tom King's paper "Packet Sniffing In a Switched Environment" which discusses sniffing using dsniff as well as Cain and ScoopLMi or Douglas Hewes' "I Can See You Behind Layer 2: Overcoming the Difficulties of Packet Capturing on a Switched Network".

Detection and countermeasures: Dsniff is a powerful tool to help you know what's happening in your network. The downside is that it's an equally powerful tool for anyone else to know what's happening in your network. For information on detecting sniffing in your network and what you can do about it:

• "Finding dsniff on your network"
• "Address Resolution Protocol Spoofing and Man-in-the-Middle Attacks"
• "Packet Sniffing In a Switched Environment"

Layer II vulnerabilities: Many people consider switches to be innately secure, because they operate at a low level of the TCP/IP protocol stack. This couldn't be further from the truth. If you would like a better understanding of this often misunderstood topic, and how dsniff is an important part of it, take a look at the following.

• "Securing Network Infrastructure and Switched Networks"
• "Protecting Network Infrastructure at the Protocol Level"
• "Security in an Ethernet LAN Environment"
• "Security from Scratch ~ How to Achieve It"
• "Why your switched network isn't secure"
• "Penetration testing with dsniff"

dsniff and your network security: If you want to build a more secure network, the Reading Room's Tools section provides pointers to information on dsniff and other network security related tools

• "SSL Man-in-the-Middle Attacks"
• "Encrypted Tunnels using SSH and MindTerm"
• "An Introduction to SSH Secure Shell"
• "Security Applications of Bootable Linux CD-ROMs"

What is Bluetooth?

There has been a lot of buzz lately about the Bluetooth protocol, with strong opinions expressed both for and against. Proponents describe it as a wireless networking panacea. Critics question its level of security, while the more extreme call it completely insecure. Is it brilliant or a belly-flop?

For an objective and fairly technical overview of Bluetooth security, check out either Nikhil Anand's "An Overview of Bluetooth Security" or the more recent "Bluetooth: The Global Technology?" by Howard Johnson. Both papers give background information on Bluetooth security as well as in-depth technical specifications, potential risks and possible responses.

he bigger picture: The extreme opinions about Bluetooth security are mirrored by the attitudes on wireless networking in general, with strong ideas being tossed out in favor and opposed. For more information, see Evan Uwakwe's "Wireless Computing- A Technological Breakthrough Laden with Risk?" or "Wireless Networks: Panacea or the Next Hacker's Playground?" by Lee Elmendorf.

Wireless networking: For an overview of the wireless situation and how Bluetooth fits in, try one of the following:

• "The Wireless Confusion" by Craig Harrison
• "Wireless Security" by Mike McMurry
• "Wireless Communications Technologies: An Analysis Of Security Issues" by Jeffrey Posluns
• "The Limits on Wireless Security: 802.11 in early 2002" by James Voorhees
• "Threats and Countermeasures in Wireless Networking" by Sean Wang

Bluetooth and PANs: Personal area networks that connect you to your printer, PDA, and etc. make sense, right? But are they a security risk? "Personal Area Networks - How Personal are They?" by Virgil L. Hovar proposes Bluetooth as one solution to this potentially hairy problem.

Less technical: If your interests lean more toward the business and legal aspects of wireless network security than to the technical, you might take a look at "How to Avoid Ethical and Legal Issues In Wireless Network Discovery" by Erik Montcalm.

What is Password Cracking?

Password Cracking is one area of computer hacking that still quite often provides access to a system or application. If you are interested in the underlying concepts of password cracking, take a look at Patrick Boismenu's paper on password cracking; if your focus is on risk mitigation, focus on the papers of David Beverstock, Sam Wilson and David H. Sherrod. Should you need some more "war stories" to illustrate to decision makers the risks associated with the status quo, take a look at the papers of Kimberly Rallo, Leonard Hermens and William Geimer.

"Password cracking with L0phtCrack 3.0" by Patrick Boismenu on password cracking uses L0phtCrack to illustrate how most password crackers operate, emphasizing the importance of password security for all authentication/based protected systems.

"Passwords are DEAD! (Long live passwords?)" by David Beverstock on three properties of passwords that render them risky or unsuitable for use, suggested risk mitigation for these properties, current attacks on passwords, and future trends in computing that will obsolete password use. The paper also includes a short description of a risk analysis as applied to authentication, as well as pointers to alternative forms of authentication.

"Combating the Lazy User: An Examination of Various Password Policies and Guidelines" by Sam Wilson on combating the lazy user via password policies and guidelines. The paper compares a variety of password policies and guidelines that are publicly available on the Internet, demonstrating that many of them allow for the creation of weak passwords by lazy or inexperienced users, vulnerable to dictionary attacks and readily available password cracking tools.

"Securing Access: Making Passwords a Legitimate Corporate Defense" by David H. Sherrod on making passwords a legitimate corporate defense, ensuring system and application passwords are secure from internal and external attacks. The paper outlines four easy steps to secure access to systems using strong passwords: Have a password policy and standards, and supporting procedures; Educate your users; Utilize your help desk personnel; Perform audits.

"Clear Text Password Risk Assessment Documentation" by Kimberly Rallo on the security implications of sending clear text passwords across an enterprise network, and documenting the implications in a risk assessment.

"Inadequate Password Policies Can Lead To Problems" by Leonard Hermens on various problems resulting from inadequate password policies.

"Is Your Personal Financial Information Safe? Practical Lessons in Quicken Password Vulnerabilities" by William Geimer on password encryption and authentication techniques applied to the file-level protection of personal documents and databases, exemplified by protection schemes used by Intuit Corporation's Quicken software, which fail to provide the level of security that might be expected.

Jason Mortensen: "Password Protection: Is This the Best We Can Do?"

What is Bastion Host?

Bastion Host - a host computer / server which has been hardened in anticipation of vulnerabilities that have not been discovered yet to make penetration as difficult as possible. This is always a good idea for systems in the DMZ, as well as for firewalls, intrusion detection systems (IDSs) and intrusion prevention systems (IPSs), and can also be beneficial for production systems as a measure of risk mitigation. Jenkins' paper provides a general introduction to the topic; papers by Luz-Romero, Orebaugh and d'Albis provide an OS- and application-specific angle; and Vinciguerra and Foote in their respective papers discuss bastion hosts as a vital part of a Defense-in-Depth strategy.

"Hardening Bastion Hosts" by Tod Jenkins on installing a hardened bastion host, including a checklist by Zwicky/Cooper/Chapman: "The basic hardening process is as follows:

1. Secure the machine.
2. Disable all non-required services.
3. Install or modify the services you want to provide.
4. Reconfigure the machine from a configuration suitable for development into its final running state.
5. Run a security audit to establish a baseline.
6. Connect the machine to the network it will be used on."

"Secure OS Environments for Linux" by Pedro A. Luz-Romero, discussing secure OS environments for Linux, reviews the main set of tools and resources available for Linux system administrators willing to build an operating system with enhanced security features that allow applications to run securely in a network accessible from the Internet.

"Securing Solaris" by Angela Orebaugh, providing a brief introduction to securing Solaris.

"Securing the Symantec LiveUpdate Administrative Utility on Windows 2000" by Cedric d'Albis describing in detail the steps required to implement and harden a Symantec LiveUpdate server on a Microsoft Windows 2000 platform. In addition to being a cookbook to build a LiveUpdate FTP server, this paper describes methods and concepts that can be used to secure any vendor application on the Windows 2000 platform.

"A Layer-7 Secure Security Posture" by Paul Vinciguerra, covering a Layer-7 strong security stance based on defense-in-depth, including Apache modules for ATG Dynamo, BEA Weblogic, IBM WebSphere, and Apache Tomcat. Also included, a discussion on protecting Exchange Server, running Outlook Web Access (OWA).

"Improving Defense in Depth for NASA.s Mission Network" by Mary Foote, describing Defense-in-Depth improvements for NASA's Mission Network.

What is CIDR? (Classless Internet Domain Routing)

CIDR Table - Classless Internet Domain Routing (CIDR) is a technique that breaks the traditional barriers of class based addressing and allocates blocks of any power of two. With CIDR, IP addresses and their subnet masks are written as 4 octets, separated by periods, followed by a forward slash and a number that represents the subnet mask. The CIDR table helps you to determine your network's Base IP Address and Broadcast IP Address, so that you do not accidentally go beyond your network's boundaries while penetration testing, or conducting similar activities. CIDR notation is also frequently used as shorthand in the definition of firewall, IDS and IPS filtering rules.

The complete CIDR Table.

"IPFilter: A Unix Host-Based Firewall" by Dana Price on IPfilter, a UNIX host-based firewall, touches on CIDR shorthand for writing filters.

"Securing Solaris Servers Using Host-based Firewalls" by William Kirt Karl on securing Solaris servers using host-based firewalls, similarly touches on CIDR notation as a viable alternative in rule-writing.

"Is The Border Gateway Protocol Safe?" by Sargon Elias investigates whether or not the Border Gateway Protocol (BGP) is safe. In this context, the infamous AS7007 case is presented as an example of what can happen if incorrect BGP routes are advertised. A small ISP jointed their network to Sprint; due to a misconfiguration, IGP converted CIDR routes into classful nodes; misinformation spread through Sprint's network to ANS, MCI, UUNet and other NSPs, crashing routers through the suddenly doubled size of their routing tables.

What is the Federal Bureau of Investigation (FBI) and what do they have to do with information security?

FBI - Depending on the industry you are working in, you might be required to bring in the Federal Bureau of Investigation (FBI) upon detection of certain types of incidents; in other cases it might still be a good idea, depending on the severity or consequences of certain adverse activities you have been victimized by.

The SANS Top Twenty Internet Security Vulnerabilities list consists of the ten most commonly exploited vulnerable services in Windows and the ten most commonly exploited elements in UNIX and Linux environments. A living document, the list is updated as more critical threats and more current or convenient methods of protection are identified. This expert consensus is the successor to the Ten Most Critical Internet Security Vulnerabilities document released by the SANS Institute and the National Infrastructure Protection Center (NIPC) at the FBI.

"Twists in Security for Law Enforcement" by Conrad Larkin deals with the additional computer security precautions that need to be addressed when it is a law enforcement agency that is being secured. In addition to an overview of basic computer security measures, the paper, using the Federal Bureau of Investigation (FBI) and its National Crime Information Center (NCIC) as its focus, examines various points of concern relating to security, the current ways of addressing these concerns as well as other possible means of meeting these needs.

"Federal Computer Crime Laws" by Maxim May, shedding light on Federal computer crime laws, including the Computer Fraud and Abuse Act (CFAA), the Electronic Communications Privacy Act (ECPA), the Communications Assistance for Law Enforcement Act (CALEA), the Cyber Security Enhancement Act (CSEA, passed together with the Homeland Security Act), the Digital Millennium Copyright Act (DMCA), and other laws used to prosecute computer crimes, such as the Economic Espionage Act (EEA).

"Echelon: The Danger of Communication in the 21st Century" by Chad Yancey discusses the danger of communication in the 21st century, exemplified by ECHELON as an example of capturing and deciphering international communications, as well as tools used by the FBI for what the author considers domestic spying.

"Information Warfare: An Analysis of the Threat of Cyberterrorism Towards the US Critical Infrastructure" by Shannon M. Lawson on information warfare, analyzes the threat of cyber-terrorism towards the U.S. critical infrastructure. The paper focuses on the information warfare capabilities of various terrorist groups, such as Hammas or al-Qaeda as well as analyzing the current U.S. posture towards cyber warfare and terrorism, concluding that the U.S. "cyber" infrastructure is vulnerable to cyber attacks.

"An Uneven Playing Field: The Advantages of the Cyber Criminal vs. Law Enforcement.and Some Practical Suggestions" by Torri Piper reviews the uneven playing field between cyber criminals and law enforcement. The paper provides observations of disparities between the criminals manipulating digital data and law enforcement seeking to capture them as well as suggestions as to how to give law enforcement a more level playing field.

"What is the Federal Government Doing to Improve the State of Information Security?" by Jason Hiney asks what the Federal government is doing to improve the state of information security. The paper, which maintains that the government is taking decisive action to improve the state of information security in the U.S., covers a variety of major themes including government-industry partnerships, co-operation with law enforcement abroad, government sponsored research and protecting the right privacy.

"The 2001 Patriot Act and Its Implications for the IT Security Professional" by Oscar W. Peterson III discusses the 2001 USA PATRIOT Act and its implications for the IT Security Professional (ITSP) and his/her work environment. The paper concludes that the USA PATRIOT Act and the government's emphasis on IT security will have a wide ranging impact on ITSPs, including their being expected to be more diligent in accurate record keeping, so as to be able to provide the government with information when necessary, and increased work load.

What is Gateway Architecture?

Gateway Architecture - A network point that acts as an entrance to another network should be architected in a way that minimizes risk. Both Swab and Heinrichs cover UNIX-based mail gateways utilizing AMaViS (A Mail Virus Scanner), Maarten Hartsuijker elaborates on securing a mail gateway, Karwisch takes an in-depth look at the auditing of corporate e-mail gateways, whereas Schario focuses on spam filtering at the gateway, and finally, on related topics, Mordijck discusses secure gateway router configuration, whereas Charlene Keltz explores split horizon DNS.

"SMTP Gateway Virus Filtering with Sendmail and AMaViS" by Keven Swab, describing SMTP gateway virus filtering with Sendmail and AMaViS, an open-source product acting as an interface between supported MTAs (Mail Transfer Agents), such as Sendmail, and one or more supported (command-line) virus scanning utilities.

"Stopping Viruses at a Unix Mail Gateway" by Thomas A. Heinrichs covers virus filtering at an UNIX mail gateway, using open source Sendmail on Linux as an example. Heinrichs discusses open source versus commercial options, and provides guidance on finding and choosing a UNIX-based virus scanner.

"Information Security Management System (7799) for an Internet Gateway" by Amarottam Shrestha develop an Information Security Management System (ISMS) to provide assurance that the Internet gateway meets the required security level to protect the Information resources of an organization's internal network. Shrestha uses a case study to demonstrate the Plan Do Check Act (PDCA) process based on AS/NZS 7799:2:2003 Information Security Management.

"Securing UNIX" by Maarten Hartsuijkeron securing UNIX for operating a secure mail gateway. After presentation of a description of the system, Hartsuijker performs a risk analysis, provides step-by-step guidance on the system, firewall and Postfix setup, discusses issues of ongoing maintenance and delineates various configuration checks.

"Auditing a Corporate E-mail Gateway Running Postfix on Linux: an Administrator's Perspective" by William Karwisch, on auditing a corporate e-mail gateway, based on a system running Postfix on Linux. This report of the audit of a corporate e-mail relay from an administrator's viewpoint divides the audit process into four sections. The first section describes the system, analyzes its risks, develops the high-level objectives of the audit, and researches current practice; the second section is the audit checklist. The third section documents the actual audit and analyzes the results; the fourth section is a summary of audit findings and the risks they pose, a description of system changes, results of retesting the system, and a justification of the final state of the system.

"Implementing a SPAM Filtering Gateway with Apache James" by Kraig P. Schario on implementing a spam filtering gateway with James, the Java Apache Mail Enterprise Server, developed by The Apache Software Foundation. In addition to covering RedHat Linux 9.0 and Windows 2000/XP installations, Schario explores performance and security considerations. Spam is quickly identified for end-user management, utilizing blacklists, whitelists, reverse DNS lookups, and a Bayesian filter.

"Disabling Unneeded Features and Services on Cisco Internet Gateway Routers" by Toon Mordijck describes the disabling of unneeded features and services on Cisco Internet gateway routers. Mordijck, in addition to providing a one-stop approach, strives to resolve contradictions between Cisco's "Improving Security on Cisco Routers" and their IOS Basic System Management Commands command reference.

"Sidewinder 5.1 Split DNS Architecture" by Charlene Keltz, featuring Sidewinder as an example for a split horizon DNS architecture.

Where can I find information on HIPAA Security Policies?

HIPAA Security Policies - The Security Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) stipulates certain precautions covered entities must take to protect the protected health information (PHI). There are 18 information security standards in three areas that must be met to ensure compliance with the HIPAA Security Rule. The three areas are:

• Administrative Safeguards: documented policies and procedures for day-to-day operations; managing the conduct of employees with electronic protected health information (EPHI); and managing the selection, development, and use of security controls.
• Physical Safeguards: security measures meant to protect an organization's electronic information systems, as well as related buildings and equipment, from natural hazards, environmental hazards, and unauthorized intrusion.
• Technical Safeguards: security measures that specify how to use technology to protect EPHI, particularly controlling access to it.

"Understanding HIPAA Security Implications Of a Wireless LAN Subsystem Using the ISO/IEC 17799 ISMS Standard" by Frederick Hawkes details the planning and implementation of an Information Security Management System (ISMS) using Wireless LANs in an assisted living / extended care facility under the framework of ISO 17799. The paper explores possible security issues pertaining to privacy concerns and regulatory affairs such as the Health Insurance Portability and Accountability Act (HIPAA) that might arise as a result of the use of Wireless LANs in a healthcare environment.

"Disaster Recovery in Healthcare Organizations: The Impact of HIPAA Security" by James C. Murphy on the impact of HIPAA Security standards on disaster recovery planning notes a healthcare organization may still be in violation of HIPAA if its disaster recovery plan does not protect patient information in the event of a major disaster. Under the HIPAA Security standards, healthcare organizations must provide adequate backup of information and a properly conducted disaster recovery plan after a major disaster. The paper discusses ways to define, organize and place in proper sequence events specific to a distributed computing environment in order to facilitate an adequate disaster recovery plan .

"The HIPAA Final Security Standards and ISO/IEC 17799" by Sheldon Borkin compares two security standards, the U.S. HIPAA Security Final Standards and ISO/IEC 17799, an international information security standard. The paper concludes that while there are many comparable parts between the two standards, each has some requirements the other doesn't. However, noting that both standards require controls be based on risk assessment, Borkin details a strategy that would satisfy both security standards.

"HIPAA Compliance: Cost-Effective Solutions for the Technical Security Regulations" by Tautra Romig discusses cost-effective solutions to satisfy the Technical Security measures required by HIPAA, including using one solution to satisfy more than one requirement and the utilization of existing Windows NT and UNIX built-in mechanisms, which if enabled, will assist in achieving HIPAA compliance in Technical Security measures.

"Impact of HIPAA Security Rules on Healthcare Organizations" by Tim Ferrel examines the impact of HIPAA Security Rules in healthcare organizations, which were designed to protect and secure protected patient health information that is stored or transmitted electronically. The discussion includes topics such as certification, security configuration management, termination procedures and security awareness training.

Help me understand Security Threats & Vulnerabilities?

Security Threats & Vulnerabilities - The growing number of security threats and vulnerabilities makes a thorough risk assessment and implementation of best practices for mitigation indispensable in today's environment.

The SANS Top Twenty Internet Security Vulnerabilities list consists of the ten most commonly exploited vulnerable services in Windows and the ten most commonly exploited elements in UNIX and Linux environments. A living document, the list is updated as more critical threats and more current or convenient methods of protection are identified.

"802.11i (How we got here and where are we headed)" by Elio Perez focuses on the current IEEE 802.11i standard and its components concluding that the implementation of the standard will be slow due to the high cost of hardware replacements and the low technology spending cycle of organizations. The paper also discusses the significant steps IEEE has taken to restore the faith in the security of the 802.11 standard, following publication of threats to and vulnerabilities in earlier 802.11 standards and their respective implementations.

"Corporate Wireless LAN: Know the Risks and Best Practices to Mitigate them" by Danny Neoh offers corporate network administrators guidance on securing their wireless LAN (WLAN) in order to safeguard protected sensitive data. The paper focuses on the risks of wireless networks as well as methods to mitigate these risks. After a discussion of WLAN technology and its pros and cons, the various types of attacks on WLAN and the exploitable vulnerabilities in the 802.11 wireless security standards, the paper goes on to recommend a defensible in-depth method for securing a WLAN; such a method would include providing security measures and various layers, providing a proper wireless network security policy and auditing the network regularly.

"Maintaining a secure network" by Robert Droppleman analyzes the use of Network Intrusion Detection Systems (NIDS) in small businesses environments. After a discussion of the need for small businesses to keep business information and internal networks secure, the paper examines the usefulness, effectiveness and cost effectiveness of using NIDS in such an environment as a means of mitigating risks posed by security threats and vulnerabilities, concluding that while the NIDS does provide some network security protection, it does it imperfectly and at great costs, making its use unlikely in small businesses.

"Email Security Threats" by Pam Cocca on e-mail security focuses on what threats exist and proceeds to discuss various ways to help combat the problem. The paper considers the threat viruses, spam and phishing have on e-mail security and recommend various methods to assist in maintaining e-mail security including email security products and outsourcing e-mail security to an outsourced security provider.

What is a VLAN? - Virtual LAN (Local Area Network)

VLAN - Virtual LAN (Local Area Network), a logical, not physical, group of devices, defined by software, allowing the re-segment networks without physically rearranging the devices or network connections.

"Virtual LAN Security: weaknesses and countermeasures" by Steve A. Rouiller examines weaknesses in Virtual LAN (VLAN) security and discusses countermeasures to improve security in these areas. The paper is based heavily on the possibility of sending packets across different zones, which would render VLANs useless. A variety of possible attacks, exploiting the VLAN Trunking Protocol, Spanning Tree, Basic Hopping and Address Resolution Protocol, are discussed and tested, with suggestions on how to avoid such attacks.

"Implementing a Secure Internal Network" by Ken Creekmore provides how-to advice on designing and securing an internal network. The paper analysis the threats and risks involved in the configuration of several design scenarios and demonstrates how the design can be changed to eliminate or minimize the problems. In addition, comments are provided for each revised design.

"Building a secure Internet Data Center Network Infrastructure" by Chang Boon Lee provides best practice information on designing and implementing a secure network in an Internet Data Center, focusing primarily on telcos which provide Internet web hosting infrastructure to corporate customers. After an overview of the architecture, the paper gives details of specific modules, such as the ISP Conductivity Module, that make up the network design.

"Information Systems Security Architecture: A Novel Approach to Layered Protection: A Case Study" by George Farah demonstrate how to develop an information systems architecture in a complex environment with few security measures in place, establishing VLANs connecting all local and remote offices nationwide.

"Designing a Secure Local Area Network" by Daniel Oxenhandler examines several strategies for designing a secure LAN from the view point of the network architecture. The paper focuses on three main areas; the network topology, both physical and logical, securing the routers and switches and emerging and advanced techniques in network security such as Network Intrusion Detection Systems (NIDS).

"SAN Security - beyond segmentation" by Etienne De Burgh outlines various security issues that may occur when implementing a storage area network (SAN). The paper focuses on the current methods used to secure SANs, explaining problems that may occur when using these current approaches and investigating emerging technologies vendors are beginning to market that seek to address the concerns with earlier attempts at SAN security.

What is MPLS - (Multi-Protocol Label Switching)

MPLS - Multi-Protocol Label Switching is an IETF-defined protocol, used in IP traffic management, that integrates Layer 2 information about network links (bandwidth, latency, utilization) into Layer 3 (IP) in order to simplify and improve IP -packet exchange. This way, routers can pass on routing priorities to each other by means of a label and without a need to examine the packet and its header, saving the time required for the receiving device to look up the address for the next node. MPLS can also facilitate Quality of Service (QoS).

"What is a MPLS VPN anyway?" by Kelly DeGeest, discussing MPLS VPN technology as a alternative to Frame Relay and ATM networks, as well as dedicated telco lines, providing a good introduction and explaining its relationship to the Border Gateway Protocol (BGP).

"MPLS - VPN Services and Security" by Ravi Sinha takes a quick look at traditional IP routing and ATM in service provider networks, followed by a discussion of various aspects of MPLS, as well as the operation of VPNs in a MPLS environment. The author concludes that MPLS provides benefits that service providers need urgently in their networks, such as predictability, scalability and manageability, and considers a MPLS infrastructure an excellent choice for providing VPN services.

"Comparing BGP/MPLS and IPSec VPNs" by Gary Alterson compares BGP/MPLS and IPSec VPNs, assessing the security provided by both solutions and suggesting guidelines for network managers to assist in evaluating these two options. The following aspects should be considered: data confidentiality, data integrity, data availability, remote access, Internet access, and scalability. Alterson concludes that BGP/MPLS VPNs are more scaleable and provide better availability; IPSec VPNs provide for better data confidentiality and integrity; both types of VPN are difficult to configure, and poor implementation is a concern for either solution.

"Multiprotocol Label Switching Virtual Private Networks and the enterprise - Do they fit in the security model?" by Michael A. Stoos assesses whether MPLS VPN technology is the latest marketing ploy of the service providers or if it is a valid option for the enterprise within its security framework. Stoos determines what security is provided or not; looks at potential flaws as a VPN, as well as ways in which enterprise customers can take advantage of this technology.

"HOW-TO securely use SNMP on a BGP/MPLS VPN network" by Guillaume Tamboise, providing hands-on guidance on how to securely use SNMP on a BGP/MPLS VPN network. Service providers manage their MPLS network and possibly the Customer Edge (CE) routers via their Operations and Business Support System (OSS/BSS) devices, hosted behind some of their own CE routers, as well as value-added on-demand services hosted behind these CE routers on managed servers. All these components can be managed using SNMP; Tamboise explains how to make the components interact safely.