Learning Objectives:
- Secure Web servers, communications and browsers
- Protect your Web client to minimize risks from applets, scripts and viruses
- Exploit the features of your Web server and operating system to tighten security
- Encrypt Web traffic using Secure Sockets Layer (SSL)
- Issue and manage certificates for browser and server authentication
- Deploy proxy servers as part of a firewall to protect your Web servers and users
Pre-Requisite:
This course benefits those involved in securing Web sites, including
Web developers, Webmasters, and security administrators. Experience with
Web servers, plus UNIX or Windows familiarity, is useful.
Hands-On-Training:
Throughout this course, extensive hands-on exercises provide you with
practical experience securing a Web site. Exercises include:
- Installing and configuring Microsoft IIS or Apache
- Securing your Web browser
- Auditing and hardening server OS
- Configuring user authentication
- Using SSL to encrypt Web traffic
- Creating a certificate authority (CA)
- Implementing a client certificate
- Configuring your Web server to require client certificates
- Protecting browsers and servers with a proxy-based firewall
- Flows
COURSE CONTENTS
INTRODUCTION TO WEB SECURITY
Web technologies
- The Web client/server architecture
- What does the Web server do?
- Transferring hypertext documents with HTTP
- Dynamic content technologies
Basic information assurance issues
- Availability
- Authentication
- Privacy
- Integrity
SECURING THE WEB CLIENT
Threats and vulnerabilities
- Client information leakage
- How cookies work
- Assessing the threats from Java, JavaScript, VBScript and ActiveX
- Hostile applets and viruses
Protecting your Web browser
- Disabling Java applets
- Turning off cookies
- Using an online virus checker
- Obtaining browser certificates
- Enabling and disabling signing authorities
CONFIGURING OPERATING SYSTEM AND NETWORK SECURITY
Operating system security features
- Authenticating users
- File permissions and document roots
- Operating privileges for the server
- Audit tools
Network security
- Preventing IP address spoofing
- Securing DNS servers
- Minimizing denial-of-service threats
ENHANCING WEB SERVER SECURITY
Controlling access
- Configuring user authentication on IIS and Apache
- Restricting access based on hostname/IP address
- Enabling and configuring logging
- Dynamic configuration files
Extended site functionality
- Securing CGI script invocations
- Guidelines for secure Web programming
- Securing Web communications with SSL
- Public key and private key encryption
- Storing and distributing keys
- Ensuring data integrity with message digests
- Digitally signing data and documents
- Enabling the Secure Sockets Layer (SSL)
- Obtaining and installing server certificates
ISSUING AND MANAGING CERTIFICATES
Why certificates are used
- Preventing eavesdropping with public key encryption
- Authenticating clients and servers
- Utilizing the X.509 v3 Certificate format
Certificate authorities (CAs)
- Using a public certificate authority
- Non-authoritative certificates
- Chaining certificate authorities
- Classes of certificates
Trusting CAs in servers and browsers
- Importing CA certificates
- Running your own certificate server
- Choosing which CAs to trust
- Checking certificate revocation lists
PROTECTING DATA WITH FIREWALLS
Firewall technologies
- Components of a firewall
- What firewalls can and cannot do
- Using application proxies
Selecting firewall topology
- Providing "defense in depth"
- Siting the Web server
SECURITY MANAGEMENT
- Responding to security violations
- Keeping up to date on new threats