Implementing Web Security

Course Code : 101

Workshop : Training

Duration : 4 Days

COURSE OUTLINE

The rapidly growing use of Web technologies for corporate intranets and Internet sites has escalated the information assurance risks to corporate data. It is imperative that Web professionals are trained in techniques to protect their sites effectively from internal and external threats. After completing this course, you will be able to:

· Secure Web servers, communications and browsers

· Protect your Web client to minimize risks from applets, scripts and viruses

· Exploit the features of your Web server and operating system to tighten security

· Encrypt Web traffic using Secure Sockets Layer (SSL)

· Issue and manage certificates for browser and server authentication

· Deploy proxy servers as part of a firewall to protect your Web servers and users

COURSE OBJECTIVES

In this course, you gain extensive hands-on experience securing Web communications and Web sites. You learn the common vulnerabilities of Web sites, as well as how to carry out secure communications across unsecured networks.

TARGET AUDIENCE

This course is beneficial for professionals involved in securing Web sites, including Web developers, Webmasters, and security administrators. Experience with Web servers, plus UNIX or Windows familiarity, is useful.

COURSE CONTENTS

INTRODUCTION TO WEB SECURITY

Web technologies

· The Web client/server architecture

· What does the Web server do?

· Transferring hypertext documents with HTTP

· Dynamic content technologies

Basic information assurance issues

· Availability

· Authentication

· Privacy

· Integrity

SECURING THE WEB CLIENT

Threats and vulnerabilities

· Client information leakage

· How cookies work

· Assessing the threats from Java, JavaScript, VBScript and ActiveX

· Hostile applets and viruses

Protecting your Web browser

· Disabling Java applets

· Turning off cookies

· Using an online virus checker

· Obtaining browser certificates

· Enabling and disabling signing authorities

CONFIGURING OPERATING SYSTEM AND NETWORK SECURITY

Operating system security features

· Authenticating users

· File permissions and document roots

· Operating privileges for the server

· Audit tools

Network security

· Preventing IP address spoofing

· Securing DNS servers

· Minimizing denial-of-service threats

ENHANCING WEB SERVER SECURITY

Controlling access

· Configuring user authentication on IIS and Apache

· Restricting access based on hostname/IP address

· Enabling and configuring logging

· Dynamic configuration files

Extended site functionality

· Securing CGI script invocations

· Guidelines for secure Web programming

Securing Web communications with SSL

· Public key and private key encryption

· Storing and distributing keys

· Ensuring data integrity with message digests

· Digitally signing data and documents

· Enabling the Secure Sockets Layer (SSL)

· Obtaining and installing server certificates

ISSUING AND MANAGING CERTIFICATES

Why certificates are used

· Preventing eavesdropping with public key encryption

· Authenticating clients and servers

· Utilizing the X.509 v3 Certificate format

Certificate authorities (CAs)

· Using a public certificate authority

· Non-authoritative certificates

· Chaining certificate authorities

· Classes of certificates

Trusting CAs in servers and browsers

· Importing CA certificates

· Running your own certificate server

· Choosing which CAs to trust

· Checking certificate revocation lists

PROTECTING DATA WITH FIREWALLS

Firewall technologies

· Components of a firewall

· What firewalls can and cannot do

· Using application proxies

Selecting firewall topology

· Providing "defense in depth"

· Siting the Web server

SECURITY MANAGEMENT

Responding to security violations

Keeping up to date on new threats