Ngày nay vấn đề bảo mật đã trở thành những chủ đề nóng nhất trên Internet. Với tốc độ phát triển cực nhanh của mạng toàn cầu đã đem lại những lợi ích về mặt kinh tế và xã hội không thể phủ nhận. Chính những lợi thế đó đã là nơi lý tưởng để tội phạm, hacker sử dụng khai thác với nhiều mục đích khác nhau.
Để giúp các bạn có thêm thông tin và kiến thức Quản Trị Mạng xin trân trọng giới thiệu các giải pháp, hướng dẫn bảo mật của Trung tâm bảo mật và cứu hộ toàn cầu - Cert.org. Bài viết gồm rất nhiều nội dung do đó chúng tôi không thể tiến hành biên dịch ra tiếng Việt được mong các bạn thông cảm.
CERT® Security Improvement Modules
Each CERT Security Improvement module addresses an important but narrowly defined problem in network security. It provides guidance to help organizations improve the security of their networked computer systems.
The CERT security practices have been compiled in The CERT® Guide to System and Network Security Practices, published by Addison-Wesley and available at walk-in and online bookstores. Using a practical, phased approach, the book shows administrators how to protect systems and networks against malicious and inadvertent compromise based on security incidents reported to the CERT/CC.
Each module page links to a series of practices and implementations. Practices describe the choices and issues that must be addressed to solve a network security problem. Implementations describe tasks that implement recommendations described in the practices. Please note that these implementations should be considered examples; they have not been updated to reflect current versions of operating systems or current vulnerabilities. For more information about modules, read the section about module structure.
Modules
- Outsourcing Managed Security Services
- Securing Desktop Workstations
- Responding to Intrusions
- Securing Network Servers
- Deploying Firewalls
- Securing Public Web Servers
- Detecting Signs of Intrusion
Bạn tải toàn bộ tài liệu trên tại đây.
HTML versions of the modules are available from the CERT web site. PDF and Postscript versions of the modules are available from the SEI web site. For the PDF and Postscript versions, click on the icons next to the module names. The currently available modules are:
Practices
- Harden and secure your systems by establishing secure configurations
- Considerations for Vulnerability Assessment as a Managed Security Service
- Prepare for intrusions by getting ready for detection and response
- Detect intrusions quickly
- Respond to intrusions to minimize damage
- Improve your security to help protect against future attacks
We also have practices relating to outsourcing managed security services. They are listed under the heading
Practices related to outsourcing managed security services
Practices about hardening and securing systems
- Develop a computer deployment plan that includes security issues
- Include explicit security requirements when selecting servers
- Keep operating systems and applications software up to date
- Offer only essential network services and operating system services on the server host machine
- Configure computers for user authentication
- Configure computer operating systems with appropriate object, device, and file access controls
- Configure computers for file backups
- Protect computers from viruses and similar programmed threats
- Configure computers for secure remote administration
- Allow only appropriate physical access to computers
- Configure network service clients to enhance security
- Configure multiple computers using a tested model configuration and a secure replication procedure
- Develop and promulgate an acceptable use policy for workstations
- Configure computers to provide only selected network services
- Isolate the Web server from public networks and your organization's internal networks
- Configure the Web server with appropriate object, device and file access controls
- Identify and enable Web-server-specific logging mechanisms
- Consider security implications before selecting programs, scripts, and plug-ins for your web server
- Configure the web server to minimize the functionality of programs, scripts, and plug-ins
- Configure the Web server to use authentication and encryption technologies, where required
- Maintain the authoritative copy of your Web site content on a secure host
- Protect your Web server against common attacks
- Design the firewall system
- Acquire firewall hardware and software
- Acquire firewall documentation, training, and support
- Install firewall hardware and software
- Configure IP routing
- Configure firewall packet filtering
- Configure firewall logging and alert mechanisms
- Test the firewall system
- Install the firewall system
- Phase the firewall system into operation
Practices about preparing to detect and respond to intrusions
Establish a policy and procedures that prepare your organization to detect signs of intrusion
Identify data that characterize systems and aid in detecting signs of suspicious behavior
Manage logging and other data collection mechanisms
Establish policies and procedures for responding to intrusions
Prepare to respond to intrusions
Practices about detecting intrusions
Ensure that the software used to examine systems has not been compromised
Monitor and inspect network activities for unexpected behavior
Monitor and inspect system activities for unexpected behavior
Inspect files and directories for unexpected changes
Investigate unauthorized hardware attached to your organization's network
Inspect physical resources for signs of unauthorized access
Review reports by users and external contacts about suspicious and unexpected behavior
Take appropriate actions upon discovering unauthorized, unexpected, or suspicious activity
Practices about responding to intrusions
Analyze all available information to characterize an intrusion
Communicate with all parties that need to be made aware of an intrusion and its progress
Collect and protect information associated with an intrusion
Apply short-term solutions to contain an intrusion
Eliminate all means of intruder access
Return systems to normal operation
Identify and implement security lessons learned
Practices about improving system security
Take appropriate actions upon discovering unauthorized, unexpected, or suspicious activity
Identify and implement security lessons learned
Practices related to outsourcing managed security services
Content Guidance for an MSS Request for Proposal
Guidance for Evaluating an MSS Proposal
Content Guidance for an MSS Service Level Agreement
Transitioning to MSS
Managing an Ongoing MSS Provider Relationship
Terminating an MSS Provider Relationship
Considerations for Network Boundary Protection as Managed Security Services
The practices are grouped into five general steps, listed below. They are illustrated in the diagram "Security Knowledge in Practice." Please note that the implementations referenced in these practices should be considered examples; they have not been updated to reflect current versions of operating systems or current vulnerabilities.
Implementations (archive)
We developed these implementations to provide details for how users could complete steps discussed in CERT security practices for specific operating systems. However, these implementations should be considered examples; they have not been updated to reflect current versions of operating systems or current vulnerabilities. We recommend that you visit vendor web sites for current information and guidance about securing your operating system.
General
Process analysis checklist
Examples of contract language for terms and conditions or statements of work
Maintaining currency by periodically reviewing public and vendor information sources
Identifying tools that aid in detecting signs of intrusion
Establishing and maintaining a physical inventory of your computing equipment
UNIX
Using MD5 to verify the integrity of file contents
Using Tripwire to verify the integrity of directories and files on systems running Solaris 2.x
Inspecting your Solaris system and network logs for evidence of intrusions
Inspecting the logs produced by the TCP wrapper program on a Solaris 2.x system
Using the ps program to examine processes for signs of intrusive activity
Configuring Sun Solaris as a Web server
Configuring NCSA httpd and Web-server content directories on a Sun Solaris 2.5.1 host
Enabling process accounting on systems running Solaris 2.x
Installing, configuring, and using tcp wrapper to log unauthorized connection attempts on systems running Solaris 2.x
Configuring and using syslogd to collect logging messages on systems running Solaris 2.x
Using newsyslog to rotate files containing logging messages on systems running Solaris 2.x
Installing, configuring, and using logdaemon to log unauthorized login attempts on systems running Solaris 2.x
Installing, configuring, and using logdaemon to log unauthorized connection attempts to rshd and rlogind on systems running Solaris 2.x
Understanding system log files on a Solaris 2.x operating system
Installing, configuring, and using swatch to analyze log messages on systems running Solaris 2.x
Installing, configuring, and using logsurfer on systems running Solaris 2.x
Configuring and installing lsof 4.50 on systems running Solaris 2.x
Configuring and installing top 3.5 on systems running Solaris 2.x
Installing, Configuring, and using npasswd to improve password quality on systems running Solaris 2.x
Installing and configuring sps to examine processes on systems running Solaris 2.x
Installing and securing Solaris 2.6 servers
Installing, configuring, and operating the secure shell (SSH) on systems running Solaris 2.x
Characterizing files and directories with native tools on Solaris 2.X
Detecting changes in files and directories with native tools on Solaris 2.X
Installing and operating lastcomm on systems running Solaris 2.x
Installing, configuring, and using spar 1.3 on systems running Solaris 2.x
Installing and operating tcpdump 3.5.x on systems running Solaris 2.x
Installing, configuring, and using argus to monitor systems running Solaris 2.x
Using newarguslog to rotate log files on systems running Solaris 2.x
Installing libpcap to support network packet tools on systems sunning Solaris 2.x
Writing rules and understanding alerts for Snort, a network intrusion detection system
Disabling network services on systems running Solaris 2.x
Installing noshell to support the detection of access to disabled accounts on systems running Solaris 2.x.
Disabling user accounts on systems running Solaris 2.x
Installing OpenSSL to ensure availability of cryptographic libraries on systems running Solaris 2.x.
Installing and Operating ssldump 0.9 Beta 1 on systems running Solaris 2.x.
Installing The Coroner's Toolkit and using the mactime utility.
Using The Coroner's Toolkit: Harvesting information with grave-robber.
Using The Coroner's Toolkit: Rescuing files with lazarus.
NT
Using RDISK /S to create an Emergency Repair Disk for Windows NT 4.0
Using SYSKEY to protect the password data for Windows NT 4.0
Selecting audit events for directories and files on Windows NT 4.0 systems
Selecting audit events for Windows NT 4.0 registry keys
Restricting access to the %SYSTEMROOT%\repair directory for Windows NT 4.0
Setting up a logon banner on Windows NT 4.0
Configuring a Windows NT 4.0 system to shut down automatically when writing to an event log fails
Enabling auditing of Windows NT 4.0 printer events
Selecting Windows NT 4.0 event log settings
Selecting Audit Policy Settings on Windows NT 4.0 Workstations
Selecting Audit Policy Settings on Windows NT 4.0 Servers
Basic Windows NT 4.0 Security Implementations
Preparing for the initial installation of Windows NT 4.0 systems
Securing Windows NT 4.0 workstation during initial installation
Securing a stand-alone Windows NT 4.0 Server during initial installation
Securing a Windows NT 4.0 Server as Primary Domain Controller during initial installation
Securing a Windows NT 4.0 Server as Backup Domain Controller during initial installation
Other technologies
Inspecting the logs produced by the Apache Web server
Inspecting the logs produced by the NCSA Web server
Intended audience
The modules are written for system and network administrators. These are the people whose day-to-day activities include installation, configuration, and maintenance of the computers and networks.
Module structure
Each module has three kinds of components:
The executive summary describes the problem and outlines a general approach to its solution.
CERT security practices present the problem solution in detail. Each practice includes a brief description (what to do), the specific security problem or vulnerability that the practice addresses (why do it), and one or more methods (steps) for executing the practice (where, when, and how to do it). Each executive summary contains links to all the relevant practices.
Implementation details provide additional information on how to perform a practice for a specific technology; for example, Sun, Solaris, UNIX, Windows, and NT. In most cases, practices are independent of particular technologies and are applicable to all organizations. How an organization adopts and implements the practices, however, often depends on the specific networking and computing technologies it uses. The practices contain links to available technology-specific implementation details. Please note that these implementations should be considered examples; they have not been updated to reflect current versions of operating systems or current vulnerabilities.
Formats
Modules are published in three formats:
Title: World Wide Web (HTML), suitable for online reading with a Web browser
Portable Document Format (PDF), suitable for printing or online viewing with an appropriate viewer or Web browser plug-in
PostScript, suitable for printing
The PDF and PostScript icons will appear after the module title in the list above when these formats become available.