Network Security CISSP-Discussion

[CISSP-D] REVIEW: "Apache Security", Ivan Ristic

Subject: [CISSP-D] REVIEW: "Apache Security", Ivan Ristic
Date: Mon, 22 Jan 2007 11:10:23 -0800
BKAPASEC.RVW   20061119

"Apache Security", Ivan Ristic, 2005, 0-596-00724-8, U$34.95/C$48.95
%A   Ivan Ristic www.apachesecurity.net
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2005
%G   0-596-00724-8
%I   O'Reilly & Associates, Inc.
%O   U$34.95/C$48.95 707-829-0515 fax: 707-829-0104 nuts@ora.com
%O  http://www.amazon.com/exec/obidos/ASIN/0596007248/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0596007248/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596007248/robsladesin03-20
%O   Audience a+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   396 p.
%T   "Apache Security"

In the preface, the author states (along with remarks about the value
of books with which I heartily concur) that this work is intended to
provide system administrators, (Web application) programmers, system
architects, and Web security professionals "all the information one
needs to secure an Apache-based system."  It's a tall order.  In
addition to the details of Apache, "[s]ecurity concepts relevant for
discussion are introduced and described whenever necessary."  (The
specifics of Apache are given for the 1.x and 2.0.x branches of the
project.  Operating system examples use Linux.)

Chapter one sets out a brief but useful background to security, albeit
with some minor idiosyncrasies in vocabulary.  (Threats are not listed
in the basic terms, and what is otherwise known as risk assessment is
described under the phrase "threat modelling."  Risk is not completely
ignored: a short section is entitled "Calculating Risk.") 
Installation and configuration, in chapter two, outlines a number of
measures to make the Web server more secure, and lists helpful
information such as those modules which are not strictly necessary and
may become a point of attack.  (The reasons for the extensive
discussion of the concept of "jail" or "chroot" may not be immediately
obvious to those not using Linux, but the details of the deliberation
should make the issues clearer.)  General instructions for
installation of PHP, the popular language for scripting Web
activities, are covered in chapter three, along with configuration
options and modification for more secure operations.  There are also
cross-references to other chapters for instructions on protection
against specific attacks.  Chapter four looks at SSL (Secure Sockets
Layer), starting with a basic but handy background in cryptography,
installation and configuration of OpenSSL, and finishing off with a
section on certificates and the necessary parts of a public key
infrastructure for running your own certificate authority.  Denial of
service (DoS) attacks are reviewed in chapter five, which examines the
possibilities for network attacks.  (No protection is suggested, since
these attacks are not strictly related to Apache.)  There is an
interesting mention of the ways you can create problems for yourself,
with a list of problems specific to Apache itself (there are controls
suggested for these latter two topics).

Chapter six notes the problems with sharing servers among multiple
users.  Noting that there is no single answer for these issues,
various options are analyzed.  The details on most of the alternatives
are left to the reader to explore, a reasonable position given the
complexity of the problem.  Fundamental concepts of access control are
described in chapter seven, along with standard Apache authentication
tools and single sign-on (SSO) choices.  Types of logs, custom
options, strategies for storing and monitoring audit information, and
external log and review tools are all part of chapter eight.  The
avoidance of network attacks in chapter five is somewhat inconsistent
in view of the fact that chapter nine surveys the infrastructure,
including system and network hardening.  Chapter ten lists various
general difficulties and attacks that are generically part of Web
applications, but does not address safeguards for most of them
(although it does reference many Web resources dealing with specific
topics and exploits).  Instructions and resources for performing a
penetration test or security review on yourself are contained in
chapter eleven.  Chapter twelve discusses some factors in intrusion
detection, has a bit of confusing editorial comment, but mostly
describes the author's mod_security application firewall.

Ristic basically fulfills his promise.  The minor faults with the book
do not detract from the fact that any Apache administrator or
developer will benefit, in terms of increased security, from the
information provided in this book.

copyright Robert M. Slade, 2006   BKAPASEC.RVW   20061119


======================  (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
The test of a first-rate intelligence is the ability to hold two
opposed ideas in mind at the same time and still retain the
ability to function.                        - F. Scott Fitzgerald
             http://www.wileytoons.com/comics/1999/november/1127.jpg
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm
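The review notes that chapter two lists Apache modules which are not strictly necessary and may become a point of attack. The check below is an added example, not code from the reviewed book, from Ristic, or from the list post: it parses the output of `httpd -M` / `apachectl -M` (the Apache 2.2+ "Loaded Modules:" listing) and reports any module outside an allowlist. Both the sample output and the baseline set are constructed here for an offline run; a real baseline has to be derived from what the site actually needs.

```python
"""Flag Apache modules loaded outside a minimal baseline.

Added example; not code from the reviewed book or the original post.
Input format assumed: `apachectl -M` / `httpd -M` output, i.e. a
"Loaded Modules:" header followed by one " name_module (static|shared)"
line per module.  The sample below is constructed by hand.
"""

import re
from typing import Dict, List, Set

# Constructed sample of `apachectl -M` output, not captured from a real host.
SAMPLE_OUTPUT = """\
Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_prefork_module (static)
 authz_core_module (shared)
 dir_module (shared)
 mime_module (shared)
 log_config_module (shared)
 status_module (shared)
 info_module (shared)
 userdir_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
"""

# Assumed baseline for a static-content host.  Anything not listed here is
# attack surface the site did not ask for (status/info in particular leak
# server internals); adjust to the real site's requirements.
BASELINE: Set[str] = {
    "core_module", "so_module", "http_module", "mpm_prefork_module",
    "authz_core_module", "dir_module", "mime_module", "log_config_module",
}

# One module per line, indented, followed by its linkage in parentheses.
MODULE_LINE = re.compile(r"^\s+(\w+_module)\s+\((static|shared)\)\s*$")


def parse_loaded_modules(text: str) -> Dict[str, str]:
    """Return {module_name: 'static' | 'shared'} from `apachectl -M` output."""
    modules: Dict[str, str] = {}
    for line in text.splitlines():
        m = MODULE_LINE.match(line)
        if m:
            modules[m.group(1)] = m.group(2)
    return modules


def extra_modules(text: str, baseline: Set[str] = BASELINE) -> List[str]:
    """Modules that are loaded but absent from the baseline, sorted by name."""
    return sorted(set(parse_loaded_modules(text)) - baseline)


def report(text: str, baseline: Set[str] = BASELINE) -> str:
    """Human-readable summary for a hardening review or a cron check."""
    extras = extra_modules(text, baseline)
    if not extras:
        return "no modules outside baseline"
    return "outside baseline: " + ", ".join(extras)


if __name__ == "__main__":
    print(report(SAMPLE_OUTPUT))
```

Run against a live host with `apachectl -M 2>/dev/null | python3 check_modules.py` after changing `SAMPLE_OUTPUT` to `sys.stdin.read()`; the `2>/dev/null` matters because some builds print "Syntax OK" on stderr, which the parser would otherwise see mixed into the listing.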


 
