Chapter 18: Host and Application Security
Endpoint protection
Antivirus
Anti-malware
EDR: Endpoint detection and response
DLP: Data Loss Prevention
Cloud
USB
Next-generation firewall (NGFW)
Host-based firewall
IDS / IPS
Signature-based
Heuristic
Anomaly
Inline vs. Passive
In-band vs. Out-of-band
Detection and notification vs. detection and prevention
Snort
Host-based intrusion prevention system (HIPS)
Host-based intrusion detection system (HIDS)
Network-based vs host-based
False positive
False negative
Boot integrity
Boot security
Unified Extensible Firmware Interface (UEFI)
Measured boot
Boot attestation
Database
Tokenization
Salting
Hashing
Application security
Input validations
Secure cookies
Hypertext Transfer Protocol (HTTP) headers
Code signing
Allow list
Block list/deny list
Secure coding practices
Static code analysis
Manual code review
Dynamic code analysis
Fuzzing
Hardening
Open ports and services
Registry
Disk encryption
OS
Patch management
Third-party updates
Auto-update
–> See “Hardening Servers” below for individual services.
Self-encrypting drive (SED)/full-disk encryption (FDE)
Opal
Hardware root of trust
Trusted Platform Module (TPM)
Sandboxing
Hardening Servers and Services
You are personally responsible for staying current with vulnerabilities. Subscribe to security bulletins such as those from Shavlik Technologies.
- Tightly configure ACLs.
- Delete sample files.
- Delete sample scripts!
- Delete unused or obsolete scripts and software.
- Use IPSec, SSL (port 22, TCP and UDP) or HTTPS to encrypt sensitive traffic.
Web Servers
Web servers (HTTP, port 80, TCP and UDP) should provide only this service.
Web servers should live in a DMZ, not inside a network’s main firewall.
Use HTTPS or Secure HTTP (port 443 TCP) to encrypt sensitive traffic.
Email Servers
E-mail servers should live in a DMZ, not inside a network’s main firewall.
E-mail servers (POP, port 110, SMTP, port 25) should provide only this service.
E-mail system administrators must know what an “open relay” is, and must make sure their server is not an open relay.
Visit http://www.abuse.net/relay.html, enter the name of your email server, and click “Test for relay” for independent verification.
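The open-relay check above can be understood as one decision the mail server makes at the `RCPT TO` step. As an added example (not part of this study guide, and not the code of any real MTA), the following Python model shows that decision for an open relay beside a hardened policy; the `RelayPolicy` class, the `example.com` domain, the TEST-NET addresses and the probe inputs are all constructed for illustration.

```python
"""Model of a mail server's RCPT TO relay decision (constructed example).

A server is an "open relay" when it delivers mail from any client to any
destination.  A hardened server accepts a recipient only when the domain is
one it hosts, the client has authenticated, or the client sits in an
explicitly trusted network.
"""
import ipaddress
from dataclasses import dataclass

# Reply strings modelled on the SMTP codes real servers return.
OK = "250 2.1.5 Recipient OK"
RELAY_DENIED = "554 5.7.1 Relay access denied"


@dataclass
class RelayPolicy:
    """Hypothetical relay policy: who this server delivers mail for."""
    local_domains: frozenset      # domains delivered locally (inbound mail)
    trusted_networks: tuple       # ip_network objects allowed to relay outward
    relay_for_anyone: bool = False  # the open-relay misconfiguration

    def rcpt_decision(self, client_ip: str, authenticated: bool, rcpt: str) -> str:
        """Return the SMTP reply for a RCPT TO command."""
        domain = rcpt.rpartition("@")[2].lower()
        if domain in self.local_domains:
            return OK                       # mail addressed to us is never "relaying"
        if self.relay_for_anyone:
            return OK                       # open relay: every outside destination accepted
        if authenticated:
            return OK                       # our own users submitting outbound mail
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.trusted_networks):
            return OK                       # e.g. hosts on the internal network
        return RELAY_DENIED


# Constructed policies: same domains and networks, one weak flag apart.
LOCAL = frozenset({"example.com"})
INTERNAL = (ipaddress.ip_network("192.0.2.0/24"),)
OPEN_RELAY = RelayPolicy(LOCAL, INTERNAL, relay_for_anyone=True)
HARDENED = RelayPolicy(LOCAL, INTERNAL)

# An external relay test works like this probe: an unknown Internet host
# (203.0.113.9, documentation range) asks us to deliver to a foreign domain.
PROBE_IP = "203.0.113.9"
PROBE_RCPT = "someone@example.net"


def is_open_relay(policy: RelayPolicy) -> bool:
    """True if an unauthenticated, untrusted client can relay to an outside domain."""
    return policy.rcpt_decision(PROBE_IP, False, PROBE_RCPT) == OK


def audit(policy: RelayPolicy) -> list:
    """Replay a few constructed RCPT TO scenarios and return (label, reply) pairs."""
    scenarios = [
        ("external client -> external domain", PROBE_IP, False, PROBE_RCPT),
        ("external client -> our own domain", PROBE_IP, False, "alice@example.com"),
        ("internal host -> external domain", "192.0.2.10", False, PROBE_RCPT),
        ("authenticated user -> external domain", PROBE_IP, True, PROBE_RCPT),
    ]
    return [(label, policy.rcpt_decision(ip, auth, rcpt))
            for label, ip, auth, rcpt in scenarios]


if __name__ == "__main__":
    for name, policy in (("open relay", OPEN_RELAY), ("hardened", HARDENED)):
        print(f"{name}: open relay = {is_open_relay(policy)}")
        for label, reply in audit(policy):
            print(f"  {label:40s} {reply}")
```

Only the first scenario distinguishes the two policies: inbound mail for the hosted domain, internal hosts and authenticated users are accepted by both, which is why an external test must send from an untrusted address to a foreign domain.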
FTP Servers
Old-fashioned FTP is highly vulnerable because it passes login names and passwords as unencrypted traffic.
Use Passive FTP rather than the older Active FTP, because Active FTP forces the client to act like a server!
https://stackoverflow.com/questions/1699145/what-is-the-difference-between-active-and-passive-ftp
Turn off Anonymous Login unless it is critical to provide it.
Set the ACL to read-only whenever possible.
Limit the number of login attempts.
Limit the number of sessions.
DNS Servers
DNS servers are the most potentially toxic servers on the Internet.
DNS servers update each other through Zone Transfers, which is a major vulnerability.
DNS servers can be attacked by cache poisoning.
- Prevent this by closing port 53 (used for zone transfers), or
- Rejecting inbound connections on port 53, or
- Explicitly designating which servers are trusted to receive zone transfers, or
- Using DNSSEC for trusted, verified zone transfers.
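"Explicitly designating which servers are trusted to receive zone transfers" is, in BIND, the `allow-transfer` directive. As an added example (not from this study guide or from BIND itself), the following Python check scans a `named.conf`-style text for that directive and flags the weak setting beside a hardened one; the two configuration fragments, the server addresses and the zone names are constructed for illustration.

```python
"""Audit allow-transfer ACLs in a BIND-style configuration (constructed example).

BIND's allow-transfer directive lists the clients permitted to request a zone
transfer (AXFR/IXFR).  "any" hands the whole zone to anyone who asks; a list of
secondary server addresses, or "none", restricts it.
"""
import re

# Constructed named.conf fragment with the weak setting.
WEAK_CONF = """
options {
    directory "/var/named";
    allow-transfer { any; };
};
zone "example.com" { type master; file "example.com.zone"; };
"""

# Constructed hardened fragment: transfers only to the named secondaries,
# and an internal zone that is never transferred at all.
HARDENED_CONF = """
options {
    directory "/var/named";
    allow-transfer { 192.0.2.53; 198.51.100.53; };
};
zone "example.com" { type master; file "example.com.zone"; };
zone "internal.example" {
    type master; file "internal.zone";
    allow-transfer { none; };
};
"""

# Matches `allow-transfer { a; b; };` and captures the entries between the braces.
ALLOW_TRANSFER = re.compile(r"allow-transfer\s*\{([^}]*)\}", re.S)


def transfer_acls(conf: str) -> list:
    """Return every allow-transfer ACL in the text, as a list of entry lists."""
    return [[tok.strip() for tok in m.group(1).split(";") if tok.strip()]
            for m in ALLOW_TRANSFER.finditer(conf)]


def findings(conf: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    acls = transfer_acls(conf)
    issues = []
    if not acls:
        # Assumption stated plainly: without a directive the server falls back to
        # its version's default, so the omission itself deserves a look.
        issues.append("no allow-transfer directive: zone transfers are left to the server default")
    for acl in acls:
        if "any" in acl:
            issues.append("allow-transfer { any; } permits zone transfers to every client")
    return issues


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: ACLs = {transfer_acls(conf)}")
        for issue in findings(conf) or ["no findings"]:
            print(f"  {issue}")
```

A zone-level `allow-transfer` overrides the one in `options`, so a tight global list with a loose per-zone entry is still a finding, which is why the check reports every occurrence rather than only the first.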
File and Print Servers
Require authentication for access.
Let users pause or cancel only their own print jobs.
Give users ACL permissions to their own folders and files, but no others.
Whenever possible, allow only read-only access to public folders.
Give read and write access only for group folders.
Be very cautious with execute permissions for folders:
- In Windows, denying execute will prevent software execution
- In Linux, denying execute will prevent browsing and listing
DHCP Servers
Disable this service unless you specifically need it.
Keep DHCP servers patched.
Enable DHCP Snooping to exclude unauthorized DHCP servers.