levselector.com New York
home > Security Email

On this site:
main sites
routers, firewalls, proxy
java security
user management

Main Sites home - top of the page - email

For big companies issues of security is very important.
They use specialists in things like SSL, Certificates, Public/Private keys, encryption

www.rsa.com - one of the best sites on security. Start with www.rsa.com/about/ , then read FAQ
www.w3.org/Security/Faq/ - The World Wide Web Security FAQ by Lincoln D. Stein
http://astalavista.box.sk/ - search engine for security-related topics
www.verisign.com/ - Verisign
www.infosecuritymag.com - Information Security Magazine
www.securityspace.com/sspace - Security Space site

Practical Unix & Internet Security by Simson Garfinkel and Gene Spafford (O'Reilly, 2nd ed., 1996)
Web security & Commerce by Simson Garfinkel and Gene Spafford (O'Reilly, 1997)
Web Security: A Step-by-Step Reference Guide by Lincoln D. Stein (1998)
SSL and TLS Essentials: Securing the Web by Stephen A. Thomas
Web Proxy Servers (Web Infrastructure Series) by Ari Luotonen
Building Internet Firewalls (O'Reilly) by Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman, Deborah Russell

Java Security by Scott Oaks (O'Reilly), 1998
Securing Java: Getting Down to Business with Mobile Code, by Gary McGraw, Edward W. Felten, 2nd Ed., 1999
Inside Java 2 Platform Security: Architecture, API Design, and Implementation, by Li Gong (1999)

SSL, TLS, https,  home - top of the page - email

SSL is an implementation of Netscape's Secure Socket Layer that allow secure connections over insecure networks, e.g. to transmit credit card numbers to web based forms.
home.netscape.com/eng/ssl3/ - current version of SSL
home.netscape.com/eng/ssl3/ssl-toc.html - html docs

TLS is the Transport Layer Security protocol. It is effectively SSL 3.1.

HTTPS (Secure Hypertext Transfer Protocol) is really just the use of SSL as a sublayer under its regular HTTP application layering.  HTTPS uses port 443 instead of HTTP port 80 in its interactions with the lower layer, TCP/IP.  SSL uses a 40-bit key size for the RC4 stream encryption algorithm, which is considered an adequate degree of encryption for commercial exchange.

When browser sends request to https://something - this request (and response) will be encrypted.

www.openssl.org/ OpenSSL Project is a collaborative effort to develop an Open Source toolkit implementing the SSL and TLS protocols as well as a full-strength general purpose cryptography library.  Project is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson.

www.ssl.com - some good info

Routers, Firewalls, Proxy home - top of the page - email

To get a minimum understanding of routers and firewalls, check out these 2 sites:


Proxy Servers:
A Proxy Server is usually an extensible firewall and content cache server, providing Internet security while improving network response time and efficiency.
A Proxy Server includes Firewall and Proxy Cashing.
serverwatch.internet.com/proxyservers.html - Review of more than 25 Proxy Servers on Serverwatch.

docs.iplanet.com/docs/manuals/proxy.html - iPlanet (Netscape) proxy server docs
docs.iplanet.com/docs/manuals/proxy.html - iPlanet (Netscape) proxy server docs in HTML
www.aplawrence.com/Reviews/proxyserv.shtml - Tony Lawrence review of Netscape Proxy Server

www.squid-cache.org/ - "Squid Web Proxy Cache"
www.aplawrence.com/Reviews/squid.shtml - Tony Lawrence review of Squid (caching proxy server)

www.microsoft.com/directaccess/products/proxy/ - MS Proxy Server
www.microsoft.com/technet/Proxy/tools/prx2rel.asp - MS Proxy Server

Java security home - top of the page - email

www.oreilly.com/catalog/javasec/chapter/ch01.html - first chapter from Java Security by Scott Oaks
java.sun.com/security/ - JavaTM Security API
www.infosyssec.org/infosyssec/java1.htm - java security portal
www.eli.sdsu.edu/courses/spring99/cs696/notes/security/security.html - Java Security model:
SecurityManager, Permissions (Default, Socket, File), Property Expansion in Policy Files, CodeBase, Determining Permissions, Privileged Blocks, Encryption, Signing Java jar files, signedBy, Policy File
http://www.zope.org/Members/jim/ZopeSecurity/JavaSecurityModel - - summary of Java Security model:
Java's security model is based on classes, Permissions, Policies, and programmer-performed run-time permission checks.

Permissions - abstract objects. They are defined by a permission class and 0 or more string parameters.
    java.io.FilePermission("myfile", "read,write")
Permissions can imply other permissions.

Policies - define which classes have which permissions. Policies do not express what permissions are needed to use a class. Policies seem to be global settings. There doesn't seem to be any notion of server apps that provide different policies for different human users.  Policies are assigned to classes based either on class location or on the class provider (owner) as expressed through a cryptographic signature, where the signature is contained in a .jar file.

Defining what permissions are needed to perform actions. This is done through explicit checks in Java code. When a bit of code wants to perform some action that should be protected, the code makes an explicit call to check whether the calling classes have the necessary permission:

      SecurityManager security = System.getSecurityManager();
      if (security != null) {
          FilePermission perm = new FilePermission("path/file", "read");
www.roaster.com/news/topics/225.html - Java Security model - articles
www.javaworld.com/javaworld/jw-11-1997/jw-11-hood.html - javaworld article "Java security: How to install the security manager and customize your security policy".
http://www.szptt.net.cn/9810dnwl/new/jdk1.2/ch03/ch03.htm - The Extended Java Security Model (from Java 1.2 Unleashed)
http://www.artima.com/underthehood/overviewsecurity.html - Java's Security Architecture, An overview of the JVM's security model and a look at its built-in safety features by Bill Venners
http://www.infosys.tuwien.ac.at/Teaching/Finished/MastersTheses/JSEF/node7.html - Dimploma "A flexible and extensible
security framework for Java code" by Clemens Kerer

User Management home - top of the page - email


www.netegrity.com/ - Netegrity - secure portal solution
     www.netegrity.com/products/siteminder.html -  SiteMinder® by Netegrity - SiteMinder is an e-commerce infrastructure solution that provides secure portal management capabilities.
     www.netegrity.com/products/dms.html - Delegated Management Services - How do global enterprises, e-marketplaces and application service providers securely manage millions of distributed users?
     www.netegrity.com/products/affiliates.html - security management to include multiple partners or suppliers (extends single sign-on and personalization to provide a seamless connection between main portals and affiliate sites).

misc home - top of the page - email

www.ciac.org/   -  DOE (US Dept. Of Energy) security advisory site
www.ssh.com/  -  ssh - encripted substitute for telnet, rcp, rlogin, etc.
www.vandyke.com/ - secure telnet (SecureCRT) and secure FTP (SecureFX), and secure VShell server for MS Windows.