Show 56 – Securing An Internet-Facing App – Part 1 – Host Hardening

An all-US cast gathers around the virtual whiteboard for a security discussion in Packet Pushers podcast show #56, recorded on August 1, 2011. Sysadmin, virtualization heavy, and blogger Bob Plankers joins Network Security Princess Mrs. Y, security industry veteran Daniel Powell, show regular and CCIE Tom Hollingsworth, and this week’s host Ethan Banks to discuss host hardening in this first of a series on securing Internet-facing applications.

First, The News:

Then, The Discussion:

  • Ancient attacks often still work.
  • Each OS has a unique hardening strategy.
  • Shutting down unneeded services is a best practice, but can impact other services.
  • Host-based firewalls – boon or bane?
  • Using a GUI to configure firewall services on a *NIX box is okay. We won’t tell if you don’t use vi.
  • Can we distinguish a host-based firewall from a network firewall appliance?
  • So…should we use both host-based firewalls and appliance firewalls at the same time?
  • Separating system privileges by user and process.
  • Security is no longer about one guy working by himself – that’s a dead idea.
  • How can you help an HTTP engine defend itself?
  • Is it possible to break out of a chrooted jailcell?
  • What impact to overall performance can host security add-ons cause?
  • Moats, walls, and guns are great…unless you leave the back door open.
  • Assuming our app will be broken into, what can we do ahead of time to keep damage to a minimum?
  • Patching: protecting against potential harm.
  • Detecting changes to hosts or applications using signatures and fingerprints.
  • How do you handle the flood of logging events that’s normal on any network?
  • Centralized syslogging: there must be only one.
  • How do you get back to normality once you’ve been pwned?
  • Does it make sense to restore to a normal state via a VMware snapshot?

