3. Application examples policy

Password policy: They are one of the most important policies, because usually the passwords are the first and perhaps only way authentication, and therefore the only line of defense against attacks. They establish who the assigned password, what length should have, what format should follow, how to be communicated, and so on.

Access Control Policy: Specifies how users access the system, from where and how to authenticate. Examples:

All users must access the system using a program that allows a secure and encrypted communication.

Proper Use Policy: Specify what is considered appropriate or inappropriate use of the system by users as well as what is allowed and what is prohibited within the computer system.

It is strictly forbidden programs that attempt to guess passwords housed in the tables of users local machines or remote

Backs Policy: Specifies what information should be supported, with what frequency, what means of support used, how the information should be restored, where the backups should be stored, etc.. Examples:

The system administrator is responsible for making regular backups of information Every thirty days must be made a full backup of the system and each day should be supported all the files that were modified or created

The information should be stored backed into a safe place away from the work site

E-mail policy: Provides both appropriate and inappropriate use of email service, the rights and obligations you must fulfill and enforce the matter. Examples:

The user is the only person authorized to read your own post, unless he expressly authorized another person to do so, or that your account is involved in a computer security incident.

Physical Access Control

It is one of the main controls to restrict access to physical devices (servers and workstations) Components are often found:

Ensure the building .- Ensure all doors not essential for access from the outside requires a key or a card.

A security camera security camera system that allows monitoring of the entrances to the building can be an effective barrier and the recorded evidence of someone who crosses illegally.

Security guards Security guards .- to validate the input of all employees and visitors.

Padlocks .- Using computer hardware specialist restrict access to keyboards, monitors, mice and drivers.

Access Control Internal:

Basic Authentication based on Usernames and Passwords

Global Access Control.

What is it? The GACF can be used to establish access policies in a comprehensive way to Web servers using the configuration file in NCSA httpd servers and derivatives of it as the apache server, it is called access. configuration file located in the subdirectory configuration server.

You can also use the GACF to segregate public and private areas in line with the web server some criteria, and request a user name and password for access to private areas.

How is this done?

An example:

# Anyone in the group staff can reach the highest level of personal tree.

AuthType Basic

Only staff AuthName

AuthUserFile / usr / local / etc / httpd / userpw (full path of the password file)

AuthGroupFile / usr / local / etc / httpd / ourgroup

Require group staff

Local Access Control.

What is it? The LACF allows different access controls for directory or subdirectory of the tree, the file is usually called. Htaccess.

One can deny the use of potentially hazardous SSI which cause the server to execute commands from outside each time a page is accessed that contains, in the pages of the user.

You can prevent potential security problems caused by symbolic links.

How is this done?

An example:

An example: A file named. Htaccess in the subdirectory personal / executive.

AuthType Basic

AuthName Only Ana

AuthUserFile / usr / local / etc / httpd / userpw (full path of the password file)

AuthGroupFile / usr / local / etc / httpd / ourgroup

Requires user ana

This limits access to a single Executive Subdirectory user.

The problem is that basic authentication information exchanged between the browser and the server is not encrypted in any way. This figure not only encodes the authentication session. Anyone who can intercept and decode your session may use the information to access their material. To solve this problem the method Autentication Digest. has been introduced.

Advanced Authentication:

IP addresses

What it is: In the context of programming in cgi-bin, each request for a document by a browser or other application for the intranet contains the IP address of the computer that made the request, which it could be used by any another person for purposes harmful to the institution.

How is this done?

order deny, allow

deny from all

allow from personal.mycompany.com

allow from 132.1.250

The problem here is that some offenders in the network can configure their computers to pretend to be someone you know.

For additional security is necessary to enable compile-DMAXIMUM_DNS while the server software. (HostnameLookups in Apache 1.1 does the same). the server makes a reverse lookup on the client IP address for your name, the name after it is received, the server asks the DNS for your IP address, if different access is denied.

Combined authentication

How is this done?

AuthType Basic

Only staff AuthName

AuthUserFile / usr / local / etc / httpd / userpw (full path of the password file)

AuthGroupFile / usr / local / etc / httpd / ourgroup

order deny, allow

deny from all

allow from personal.mycompany.com

allow from 132.1.250

Require group staff

Other methods of authentication:

Hash Functions

What is it?

Using the password you typed, the browser creates a string using the password and other information including AuthRealm (authentication domain) and passes through the MD5 function. This string is then passed through the network to the server, which takes the information stored in the archive. Htpasswd to create the same chain and pass through the MD5 function and then compare the results, so it is not possible get the password because the password is not being sent.

Under MD5 requires information stored in the archive. Htpasswd and you can not use the crypt () on it. While using the MD5 function on the password before storing, if the code is stored, and a little knowledge, you can create a program to use instead of the password and work.

The solution is to file permissions

How is this done?

Syntax.

AuthDigestFile / u / web / .htdigest stantdar

AuthTypeDigest

AuthDigestFile The new guideline is one that takes two arguments, the full path of the file in which data from the Digest authentication feature are stored and the file format is usually standard.

To indicate that a directory is protected with MD5, it specifies a type of Digest Authentication.

External Access Control.

Firewalls

What is their purpose?

They are a very effective form of security in networks. Try to prevent attacks from external users to the internal network. Have multiple purposes:

1. Restrict entry to users.

2. Prevent attacks.

3. Restrict user permissions to points well controlled.

The firewall determines which network services can be accessed within it by those outside, ie, who can use network resources belonging to the organization. For a firewall to be effective, all traffic information via the Internet must pass through it where the information may be inspected. The firewall may only permit the passage of traffic, and the same may be immune to penetration, unfortunately, this system could not offer any protection once the offender is transferred or remain in this environment.

A firewall is vulnerable, it does not protect the people who are within the internal network, it works best if complemented with an internal defense.

5. Security of dial-up modems.

The first line of defense is to keep the phone out of reach of unauthorized persons, ie not publish it, not listed in the systems, etc..

You can also add a valid password modem that is separate and distinct from the login system to keep away anyone who does not know, with the command dpasswd in / etc / d_passwd, this can be done .

Modems with BACK: Do not immediately establish a connection when receiving a call, request login information. Then cut the modem connection, and if the information is correct again call the authorized user to a number stored in the system.

There are modems for encrypting the information sent and received.

There are modems quiet, which did not send the signal characteristic of "connection established" until they have completed the login, this will help prevent those engaged in the search for sequences of numbers of computers.

Secure Transactions

When using encryption, information sent by clients (usernames, passwords, confidential information.) Through a form can be transmitted safely to and from the web server.

There are two main ways to make transactions safer

Supports S-http:

Encryption to ensure privacy.

Authentication for the clients and servers

Digital signatures for verification and non-repudiation.

Your can control access and privacy to better allocate appropriate security for each transaction between the server and clients. Possible improvements may include:

Signature

Encryption

The improvement to be applied depends on the amount of security required. Can be applied to security improvements in the following ways:

When you specify attributes in the S-http hyperlinks

Insurance client browsers need to know when encrypting or signing a document, so that the presence of shttp protocol: / / alert to a client for all requests using this link should conform security enhancements included in the league. The following mechanism is used to specify security attributes in hyperlinks.

Cryptographic Options: CRIPTOPTS specify the security enhancements that a customer can or must apply for an injunction, and tells the client which encryption algorithms the server supports.

Distinguished Name: A DN identifies a public key server. The client uses a distinguished name of the server to select the appropriate key to encrypt messages it sends to the server.

When you specify commands in the region configuration file.

Are used to control the server responses to customer requirements. Commands:

Require shttp: This command may specify one or more of the following improvements: Encrypt, signatures and authentication.

Require Encryption: This is used so that all requirements are encrypted under either S-HTTP, SSL or PCT. Use this command when you wish to receive any requests under the protocol.

Enhance shttp: This command can implement any of the following improvements: Sign, Encrypt, Authenticate.

SSL

To establish a secure communications using SSL will have to follow a few steps. First you must make an application for security. After you have done, there should be parameters to be used for SSL. This part is known as

SSL Handshake:

During the hanshake met several purposes. It's authentication server and optionally the client, it is determined that encryption algorithms will be used and generates a secret key for use during the subsequent exchange of messages over SSL communication.

Data exchange:

Now that it has established a secure SSL channel, it is possible to exchange data. When the server or the client wishes to send a message to another, generate a digest (hash algorithm using a one-way agreed during the handshake), and the encrypted message digest and sends each message is verified using the digest.

Completion of an SSL session:

When the customer leaves an SSL session, usually the application displays a message warning that the communication is not secure and confirms that the customer actually wants to leave the SSL session.

Virus

Sources of risk from viruses.

Viruses can be entered into the system by an external device (diskettes) or through the network (e-mails) without direct intervention of the attacker.

They have different purposes, only infect, alter data, deleting data, showing only some messages, but the sole purpose is to propagate.

Main modules can be distinguished from a computer virus:

Playback Module

Attack Module

Defense Module

How do I protect them?

Users should be aware that symptoms can be observed on a computer that is suspected of being infected:

Slower processing operations

Programs take longer to load

The programs begin at times to have access to the drive or hard disk

Decrease the available space on the hard disk and RAM on constant or sudden.

Emergence of memory-resident programs strangers.

The first preventive measure is to have an antivirus system and use it correctly. The only way that a blockade is effective for a virus to be used with certain rules and procedures, which should verify the following:

A system disk, write-protected and virus-free.

Or at least an updated antivirus program.

A source of information about specific viruses.

A support program of critical areas

List of places to go.

A protection system or resident.

Have backups.

and review all new disks before using them.

or review all the disks that have been provided.

Review or any programs that are obtained via network.

Regularly review or computer.

or procedure to review or disinfect your computer

or procedure to disinfect the boot sector

or procedure to restore the backups.

or procedures for formatting hard drives if they are infected.

Report any authority or infection.

By combining these methods as appropriate, provides the best and most complete security.

Amount of security to implement.