Web security : a step-by-step reference guide /
Lincoln D. Stein.
imprint
Reading, Mass. : Addison-Wesley, c1998.
description
x, 436 p. : ill. ; 24 cm.
ISBN
0201634899 (alk. paper)
format(s)
Book
catalogue key
1929458
 
Includes bibliographical references (p. 421-422) and index.
A Look Inside
Excerpts
Introduction or Preface

This is the "how not to shoot yourself in the foot" book about Web security. Enough theory to be interesting, but not so much that it gets dry and academic. Enough war stories to be fun, but not so many that they overwhelm the rest. No political agenda. No favoritism. You'll find here nothing but practical, commonsense advice for sidestepping the horde of little gotchas that currently plague the Web, plus you'll find a framework for deciding for yourself how to handle all the gotchas that are yet to be.

Who is this book for? The first third of the book deals with problems that are relevant to anyone who uses the Web: privacy threats, the potential of the Web to spread viruses and other malicious software, the practice and pitfalls of electronic commerce. The remainder gives advice directed to Webmasters, system administrators, system security officers, and others who worry that their organizations' Web sites might be broken into or that their local area network can be compromised by nasty stuff brought in by their employees' Web surfing. If you already run a Web site, you'll want to read this book through. If you're a casual Web surfer, read the first part now and save the rest for later. If current trends continue, everyone will have a Web site and will have to worry about keeping it safe.

Web Security: A Step-by-Step Reference Guide began life about two years ago as the World Wide Web Security FAQ. I was concerned that new Web sites were going up at an amazing rate, with little appreciation for the security implications. I was dismayed that much of the advice being dispensed was incomplete or simply misinformed. So I put together 30 or so frequently asked questions (with answers) to advise Webmasters on how to keep their sites safe from attack by unwanted intruders, and I posted it on my Web site. Over a period of months, the FAQ grew considerably as readers mailed in requests for more information, suggestions, and in some cases contributed their own questions and answers. To the original sections on server-side security, I added sections dealing with client-side (browser) security, privacy issues, sections on cryptography and digital money, and an ever-growing list of security holes in specific pieces of software. In 1996, the first of an epidemic of Web site break-ins shook the Web; in its aftermath, the number of "hits" on the FAQ grew tremendously. The FAQ is now mirrored on five continents and has been translated into Russian, Italian, and Chinese.

When my editor initially suggested I turn the FAQ into a book, I was skeptical. First of all, the information was already on line. Second, the Web is changing so rapidly that any book on security issues is out of date by the time it hits the shelves. Finally, the whole FAQ was less than 50 typeset pages and I was dubious that it could be bulked up into a full-length book. To the first two objections, my editor responded that printed books and the Web are complementary. Printed books provide depth and comprehensiveness. The Web provides vast breadth and information that is always (we hope) up to date. As for my last objection, the weighty answer to that is in your hands.

Acknowledgments

I am grateful to everyone who helped during the conception, research, writing, and production of this book. Bob Bagwill, Jim Carroll, Tom Christiansen, Ian Redfern, Laura Pearlman, Bob Denny, and countless others contributed substantially to the WWW Security FAQ. Their insight and understanding have enriched the FAQ and this book, as well. Many thanks to Lewis Geer at Microsoft Corporation, who helped me sort out the ins and outs of Internet Explorer and active content, and to Brian Kendig at Netscape Corporation, who performed a similar role with Java and JavaScript. My warmest thanks also to my technical reviewers Mike Stok, Tom Markham, and Fred Douglis, each of whom came through with many helpful corrections and suggestions, in record time.

At the MIT Genome Center, many thanks to Lois Bennett and Susan Alderman, two tirelessly cheerful system administrators who never seemed to mind my turning the Web site and LAN into a laboratory bench for every new scheme I wanted to try out. I gravely promise to them that I will never again rip out all the server software and replace it with "new and improved" code at the start of a four-day weekend.

At Addison Wesley Longman, I am indebted to Carol Long, my first editor and the one who convinced me to launch this project, to Karen Gettman, who took over the project when Carol's career took her elsewhere, and to Mary Harrington, who kept everything from unraveling during the transition. Thanks also to Marilyn Rash, who coordinated the production effort.

Last, many thanks to Jean Siao, who blinked not an eye as her Macintosh was slowly swallowed by tangled mats of network cabling and spare parts. Yes, you can play SimCity now without fear of electrocution.

Nanjing
August 1997

Reviews
This item was reviewed in:
SciTech Book News, June 1998
Summaries
Main Description
Web Security approaches the topic from three different points of view: protecting the end user's confidentiality and the integrity of his machine, protecting the Web site from intrusion and sabotage, and protecting both from third-party eavesdropping and tampering. In the book you will learn about monitoring and log tools; controlling access with passwords, client certificates, and advanced login protocols; remote authoring; and firewalls. In addition, the author offers practical advice on configuring operating systems securely and eliminating unnecessary features that increase vulnerability. He also shows you how to avoid denial-of-service attacks and prevent LAN break-ins through the Web server. Lincoln Stein, keeper of the official Web Security FAQ, helps you analyze and evaluate the risks that threaten your site and the privacy of your clients, and provides concrete, step-by-step solutions, checklists of do's and don'ts, on-line and off-line resources, and hardware and software tools that guard your site against security breaches.
Bowker Data Service Summary
Stein presents a practical reference which includes checklists to help evaluate the security level of a Web site. Appendices include complete resource listings of security vendors and tools, firewall solutions and resellers.
Back Cover Copy
Written for Web site administrators, developers, and end users, this book is a readable, real-world guide to securing your Web site with the latest in security technology, techniques, and tools. Lincoln D. Stein, keeper of the official Web Security FAQ, addresses your most pressing concerns and tells you exactly what you need to know to make your site more secure. He offers concise explanations of essential theory; helps you analyze and evaluate the risks that threaten your site and the privacy of your clients; and provides concrete, step-by-step solutions, checklists of do's and don'ts, on-line and off-line resources, and hardware and software tools that guard your site against security breaches.

Web Security approaches the topic from three different points of view: protecting the end user's confidentiality and the integrity of his or her machine, protecting the Web site from intrusion and sabotage, and protecting both from third-party eavesdropping and tampering.

You will learn about:
securing credit card transactions with the SET protocol
document encryption with the SSL protocol
how to guard end users against the dangers of active content and cookies
monitoring and log tools
controlling access with passwords, client certificates, and advanced login protocols
remote authoring
firewalls

In addition, the book offers practical advice on configuring the operating system securely and eliminating unnecessary features that increase vulnerability. CGI scripts introduce many of the security problems that plague the Web, and this book shows how to avoid these breaches with safe CGI-scripting techniques. You will also learn how to avoid denial-of-service attacks and prevent LAN break-ins through the Web server.

After reading this book, you will have the practical knowledge you need to ensure that your Web site, and your clients' interests, are safe from attack.
Long Description
Web Security eschews lengthy discussions of security theory in favor of a practical step-by-step approach. Each section is built around a "checklist" of items that readers can use to evaluate the security of their existing Web site and take action to improve it. In addition to protecting against intruders, readers will learn how to protect a Web site from other hostile Web sites. Readers will learn which resources require protection, and how they may currently be at risk. Stein explains basic strategies for protecting an existing Web site with as little cost and disruption as possible. Also covered are the risks and security solutions associated with implementing Internet services on a Web site - including http, conferencing, email, ftp, and news gateways.
Table of Contents
Preface
What Is Web Security?
The Three Parts of Web Security
Risks
The Layout of This Book
Document Confidentiality
Basic Cryptography
How Cryptography Works
Symmetric Cryptography
Public Key Cryptography
Online Resources
Printed Resources
SSL, SET, and Digital Payment Systems
Secure Sockets Layer
SET and Other Digital Payment Systems
Checklist
Online Resources
SET and Other Digital Money Systems
Client-Side Security
Using SSL
SSL at Work
Personal Certificates
Checklist
Online Resources
Printed Resources
Active Content
Bad by Design or Bad by Accident?
Traditional Threats
Helper Applications and Plug-Ins
Java
ActiveX
JavaScript and VBScript
The Browser as a Security Hole
Exotic Technologies
What Can You Do?
Changing Active Content Settings
Checklist
Resources
Web Privacy
What Web Surfing Reveals
Server Logs
Cookies
PICS
Advice for Users
Advice for Webmasters
Policy Initiatives
Checklist
Resources
Server-Side Security
Server Security
Why Are Websites Vulnerable?
Frequently Asked Questions about Web Server Security
Overview: Steps to Securing a Website
Online Resources
UNIX Web Servers
Hardening a UNIX Web Server
Configuring the Web Server
Monitoring Logs
Monitor the Integrity of System Files and Binaries
Back Up Your System
Checklist
Online Resources
Printed Resources
Windows NT Web Servers
NT Security Concepts
Windows NT Security Risks
Securing a Windows NT Web Server
Configuring the Web Server
Checklist
Online Resources
Printed Resources
Access Control
Types of Access Control
Access Control Based on IP Address or Host Name
Access Control Based on User Name and Password
Other Types of Access Control
Access Control and CGI Scripts
Checklist
Online Resources
Encryption and Certificate-Based Access Control
SSL-Enabled Web Servers
Using Client Certificates for Access Control
Using Client Certificates for Web Server Access Control
Becoming Your Own Certifying Authority
Final Words
Checklist
Online Resources
Printed Resources
Safe CGI Scripting
Introduction to CGI Scripts and Server Modules
Common Failure Modes
Other Advice
Safe Scripting in Perl
CGI Wrappers
Checklist
Online Resources
Printed Resources
Remote Authoring and Administration
Degrees of Trust
Controlling Access to the Web Server Host
Remote Authoring Via FTP
Microsoft FrontPage
The HTTP PUT Protocol
An Upload Staging Area
Administering the Web Server Remotely
Access to the Server for Web Developers
Checklist
Online Resources
Printed Resources
Table of Contents provided by Publisher. All Rights Reserved.