11. What is taint?
Answers
1. Microsoft Internet Information Services and Apache serve over 90 percent of the public Internet.
2. The bugs in the operating system or web server software are the most threatening security problems for public web servers.
3. Closed source and open source operating systems are about equally secure.
4. Apache is both theoretically and operationally more secure than IIS.
5. Websites should only be deployed on dedicated web servers, because general purpose servers are more likely to be exploited, and you could lose valuable information stored by other services if you run public websites on them.
6. Bugs are most likely found in sections of programs that implement rarely used or esoteric features.
7. SSL encrypts web data flowing between the browser and the server.
8. You can secure intranet servers by placing them inside a VPN and not making them public.
9. The universal encrypted authentication mechanism is using SSL to secure basic authentication.
10. Configure Apache by editing the /etc/httpd/conf/httpd.conf file.
11. In Perl, taint is a marker that indicates that data has been typed in by a user and should not be trusted.
Terms to Know
• bugs
• lockdown programs
• reverse proxy
• taint
• Top Level Domain Names (TLDs)
• virtual directory
• virtual host
• web enabled
Chapter 14: E-mail Security
Overview
All modern businesses require Internet e-mail of one form or another. E-mail is the first truly new method of communication to come along since the invention of the telephone, and its effect on business efficiency has been just as dramatic as that of its vocal predecessor.
electronic mail (e-mail)
A queued message delivery system that allows users to transmit relatively short text messages to other users over the Internet. The messages wait in a mail queue until they are downloaded and read by the ultimate recipient.
As with all public services, running an SMTP service entails the risk that the service itself could be exploited to run arbitrary code on the mail server. In fact, this has occurred with every major e-mail server system, including Sendmail, Exchange, and Lotus Notes. The only solution to this problem is to keep e-mail servers in your DMZ or outside your firewall so that if they’re exploited, they don’t allow further access to the interior of your network. E-mail servers must stay up-to-date on server software and security patches to prevent exploits related to bugs.
Simple Mail Transfer Protocol (SMTP)
The Internet protocol that controls the transmission of e-mail between servers. SMTP is also used to transmit e-mail from clients to servers but usually not to receive it, because SMTP requires recipient machines to be online at all times.
Sendmail
The most popular e-mail service. Sendmail is open source and was originally part of BSD. Many commercial e-mail services are based on Sendmail.
Exchange
Microsoft’s e-mail and messaging server. Exchange was originally designed for private interoffice messaging, with Internet functionality provided as an add-on. It uses the proprietary Microsoft MAPI protocol for exchanging mail between Exchange servers and clients, uses SMTP for transmitting e-mail on the public Internet, and can be configured to allow POP3, IMAP, and WebMail access as well.
E-mail Encryption and Authentication
The only way to make e-mail truly secure is to encrypt it. Encryption protects against sniffing, accidental misdirection, loss of attached document security, and even forgery.
Warning E-mail encryption foils all attempts to strip attachments or scan for viruses, because the e-mail server cannot decrypt the mail to check it. Be certain that you only receive encrypted mail from trusted sources.
All e-mail encryption methods use public key encryption to secure messages. To establish secure e-mail, your e-mail encryption package will create a private key for you and a public key that you can send to those who need to receive secure e-mail from you.
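The following is an added illustration, not code from the book, of the two points above: the key pair an encryption package creates for each user, and why a relaying mail server cannot scan what it carries. It is written in Go using only the standard library; the names Mailbox, Seal, Open and RelayCanSee are invented for this example, and RSA-OAEP plus an RSA-PSS signature stand in for the hybrid scheme a real e-mail encryption package would use.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Mailbox models one user's e-mail encryption package: it holds the private key and hands out the public key.
type Mailbox struct{ priv *rsa.PrivateKey }
func NewMailbox() (*Mailbox, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Mailbox{priv: k}, nil
}

// PublicKey is what the user sends to correspondents who need to send them secure mail.
func (m *Mailbox) PublicKey() *rsa.PublicKey { return &m.priv.PublicKey }
// Seal encrypts to the recipient's public key (RSA-OAEP) and signs the ciphertext (RSA-PSS) against forgery.
func (m *Mailbox) Seal(to *rsa.PublicKey, msg string) (ct, sig []byte, err error) {
	if ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, to, []byte(msg), nil); err != nil {
		return nil, nil, err
	}
	h := sha256.Sum256(ct)
	sig, err = rsa.SignPSS(rand.Reader, m.priv, crypto.SHA256, h[:], nil)
	return ct, sig, err
}

// Open verifies the sender's signature first, then decrypts with the recipient's private key.
func (m *Mailbox) Open(from *rsa.PublicKey, ct, sig []byte) (string, error) {
	h := sha256.Sum256(ct)
	if err := rsa.VerifyPSS(from, crypto.SHA256, h[:], sig, nil); err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, m.priv, ct, nil)
	return string(pt), err
}

// RelayCanSee models a mail server's scanner: it only sees the relayed bytes, so encrypted mail never matches.
func RelayCanSee(ct []byte, pattern string) bool { return strings.Contains(string(ct), pattern) }

func main() { // demo only: errors are ignored here, never in real code
	alice, _ := NewMailbox()
	bob, _ := NewMailbox()
	ct, sig, _ := alice.Seal(bob.PublicKey(), "payroll.xls attached") // constructed sample message
	fmt.Println("relay sees 'payroll':", RelayCanSee(ct, "payroll"))  // false
	fmt.Println(bob.Open(alice.PublicKey(), ct, sig))                  // payroll.xls attached <nil>
}
```

Only Bob's private key opens the message, and any change to the ciphertext in transit fails Alice's signature check before decryption is attempted.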
Note This chapter discusses public e-mail security methods. Numerous methods exist to secure private e-mail services within a single organization, but these proprietary systems cannot be effectively used on the public Internet because they only work with e-mail servers of the exact same type. Private mail system security is rarely important since purely private e-mail systems cannot be attacked from the Internet, so server-to-server encryption systems have little real value.