Preventing server attacks can be a difficult job when you start from scratch, because you need to secure not only the operating system but also the applications that run on top of it and the network that surrounds the server. Locking down server operating systems (OS), applications, and networks can be a long process of trial and error; however, some excellent guides and websites can make your job easier. Table 13-4 lists links to websites and PDF documents to assist in securing networks, Linux, Solaris, and Windows systems.

Table 13-4. Security Guides

System | Link
---|---
NSA: The 60 Minute Network Security Guide | http://www.nsa.gov/snac/support/sixty_minutes.pdf
NSA Security Recommendation Guides: Cisco Router Guides | http://acs1.conxion.com/cisco/
Windows Server 2003 Security Guide | http://www.microsoft.com/technet/security/prodtech/windowsserver2003/W2003HG/SGCH00.mspx
NSA Guide to Securing Windows XP | http://nsa2.www.conxion.com/winxp/
NSA Security Recommendation Guides: Windows 2000 | http://nsa2.www.conxion.com/win2k/
NSA Guide to Secure Configuration of Solaris 8 | http://nsa2.www.conxion.com/support/guides/sd-12.pdf
Linux Security HOWTO | http://www.tldp.org/HOWTO/Security-HOWTO/
Securing Linux Production Systems | http://www.puschitz.com/SecuringLinux.shtml
FOCUS on Linux: Securing Linux Part One | http://www.securityfocus.com/infocus/1419
By searching the web, you can find literally hundreds of sites with tips and tricks on securing your system, so by no means treat Table 13-4 as a single one-stop shop for protecting your systems. Table 13-5 displays a general list of known attacks and recommendations to protect your environment. These recommendations work hand in hand with the official documents in Table 13-4.

Table 13-5. Basic Prevention Recommendations

Attack Type | Recommendation
---|---
Password guessing | Implement strict password policies.
Worms and viruses | Install anti-virus software and keep it up to date.
Application flaws (buffer overflows) | Install and maintain the most current service packs and hot fixes.
External network attacks | Always install firewalls at the perimeter, then make sure the firewall is blocking the traffic it needs to block.
Internal network attacks | Install a local firewall on the server to minimize access to it.
Internal/external network attacks | Install and manage a network-based IDS to monitor all traffic to and from the servers.
Ping (ICMP) sweeps | Disable ICMP on the servers to help hide them on your network.
Logging | Enable local application logging wherever you can, such as logging server logins and disk access. Monitor the logs on a regular basis. Finally, save the log files to another server and/or media such as tape for long-term analysis if it is ever required.
Server file system | Install file system integrity-checking programs such as Tripwire. This enables you to monitor unexpected changes to files and folders on the system. (See http://www.tripwire.com.)
Physical access to the server room | Secure the server room and record entry and exit. Consider implementing cameras that monitor activity within the server room. Some companies use biometric or smart card technology for server room access, so keep these in mind.
Monitoring several servers at once | By using an enterprise product such as GFI or Microsoft Operations Manager (MOM), you can easily monitor dozens of server event logs and help resolve problems.
Backups | Keep your backups secure and log access to tapes.
Now that you have secured your systems using these extensive checklists, it is time to apply even more security, if possible. You can accomplish this by adding anti-virus programs to the server to help detect and eliminate malicious software. Table 13-6 lists some of the biggest-name brands on the market today.

Table 13-6. Anti-virus Software

Anti-Virus Software | Link
---|---
PC-Cillin | http://uk.trendmicro-europe.com
BitDefender | http://www.bitdefender.com
AVG Anti-Virus Pro | http://www.grisoft.com/doc/1
McAfee VirusScan | http://www.macafee.com
F-Secure | http://www.f-secure.com
Norton AntiVirus | http://www.symantec.com
F-Prot Antivirus | http://www.f-prot.com
eTrust EZ AntiVirus | http://www.etrust.com
Eset NOD32 | http://www.nod32.com
Panda | http://www.pandasoftware.com
Sophos | http://www.sophos.com
Adding a personal firewall can also help to prevent external users, and even internal LAN users, from having free access to your server. Several firewall vendors are on the market, and even Microsoft has gotten into the game by adding a firewall to XP and Server 2003. Table 13-7 lists some possible firewall solutions with links to their home pages.

Table 13-7. Firewall Software

Firewall Software | Link
---|---
ZoneAlarm Pro | http://www.zonelabs.com
Outpost Firewall Pro | http://www.outpost.uk.com
Norton Personal Firewall | http://www.symantec.com
Norman Personal Firewall | http://www.norman.com
SurfSecret Personal Firewall | http://www.surfsecret.com
BlackICE Protection | http://www.iss.net
The last topic to mention when it comes to protecting computers is Cisco Security Agent (CSA). CSA protects client and server machines in a way that most other applications do not. CSA goes beyond the standard set by most security software and provides detection and protection on a behavior-based system that helps to prevent zero-day attacks. Following are some of the basic features that CSA has to offer:

- Host intrusion prevention
- Spyware/adware protection
- Protection against buffer overflow attacks
- Distributed firewall capabilities
- Malicious mobile code protection
- Operating-system integrity assurance
- Application inventory
- Audit log consolidation

One interesting note that sets CSA apart from most anti-virus and firewall software solutions is that CSA relies on behavior-based rather than signature-based detection. In other words, it does not need to be updated on a regular basis, because when abnormal behavior is observed on the host computer, such as a virus attacking your computer, CSA helps prevent a successful attack. For more information on CSA, please see http://www.cisco.com/en/US/products/sw/secursw/ps5057/index.html.

After you have created this locked-down, baseline environment, your job is only just beginning. Now it is time to start monitoring and testing. You cannot totally prevent hacking attempts, but now that you are security focused and have put the appropriate monitoring into action, you can at least detect most attempts. For example, even if you implement strong password policies on your servers, hackers can still attempt to log in. However, monitoring the Event Log for both failed and successful logons ensures that you remain alert to the risk. It is important to keep a handle on your entry points and on when and by whom they are being exercised.
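As an added example (not from the book or from any of the products listed above), the following Python script shows the kind of Event Log monitoring described in the last paragraph: it scans constructed Windows Security log records for a burst of failed logons against one account from one source, the pattern left by password guessing, and notes whether a successful logon followed the burst, which is the case that deserves the fastest response. The event IDs 4625 (failed logon) and 4624 (successful logon), the threshold, and the sample records are assumptions of this example.

```python
# Added example, not from the book: detect password-guessing bursts in
# Windows Security Event Log records exported as simple tuples.
# Assumes the modern Security log IDs 4625 (failed logon) and 4624 (success).
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESS_LOGON = 4625, 4624

# Constructed sample records: (timestamp, event_id, account, source_ip).
# Five failures in eleven seconds followed by a success from the same source,
# plus one ordinary user typo that should not raise an alert.
SAMPLE_EVENTS = [
    ("2024-03-01 02:14:01", 4625, "administrator", "10.0.0.77"),
    ("2024-03-01 02:14:03", 4625, "administrator", "10.0.0.77"),
    ("2024-03-01 02:14:05", 4625, "administrator", "10.0.0.77"),
    ("2024-03-01 02:14:08", 4625, "administrator", "10.0.0.77"),
    ("2024-03-01 02:14:10", 4625, "administrator", "10.0.0.77"),
    ("2024-03-01 02:14:12", 4624, "administrator", "10.0.0.77"),
    ("2024-03-01 09:00:00", 4625, "jsmith", "10.0.0.12"),
    ("2024-03-01 09:00:30", 4624, "jsmith", "10.0.0.12"),
]

def find_guessing_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per (account, source) that logged at least
    `threshold` failed logons inside `window`; each alert records whether
    a successful logon from that source came after the burst."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, event_id, account, source in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        key = (account.lower(), source)
        if event_id == FAILED_LOGON:
            failures[key].append(t)
        elif event_id == SUCCESS_LOGON:
            successes[key].append(t)
    alerts = []
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted failures
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = times[end]
                followed = any(s >= burst_end for s in successes.get(key, []))
                alerts.append({"account": key[0], "source": key[1],
                               "failures": end - start + 1,
                               "success_after_burst": followed})
                break  # one alert per (account, source) is enough
    return alerts

if __name__ == "__main__":
    for alert in find_guessing_bursts(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

In practice the tuples would come from an export of the Security log (for example via Windows event forwarding or a log-collection agent), and the success-after-burst flag is the one to page on.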