New Secure and Low-Cost Design for Defense in Depth Implementation Using Open Source Software
Seyed Dawood Sajjadi Torshizi
Computer & Communication
Systems Engineering Dept.,
Universiti Putra Malaysia, 43300
UPM Serdang, Selangor.
Email: s.d.sajjadi@gmail.com
Samad Rostampour
Computer Engineering Dept.,
Islamic Azad University,
Ahvaz Branch,
Ahvaz, Iran
Email: samadahwaz@yahoo.com
Maryam Tanha
Computer and Communication
Systems Engineering Dept.,
Universiti Putra Malaysia, 43300
UPM Serdang, Selangor.
Email: mary.tanha@gmail.com
Abstract - In this paper, we propose a design that combines a high level of security with low implementation cost and that can be adapted to different network topologies. Achieving both at the same time is a challenging task for network engineers, especially when a defense in depth strategy has to be applied across the various components of a network. The proposed design was implemented for one of the most visited web sites of an Iranian organization, which served more than 15,000 concurrent web users reliably and without interruption. Defense in depth was used to provide a sufficient level of security in every component of the project, and all the security solutions applied were based on open source [1] tools, which saved a tangible amount of money compared with purchasing commercial options. This paper describes the overall architecture of the project, its main components and their functions, and the results obtained.
Keywords- Open Source; Firewall; IDS; DMZ; Linux; Cisco
I. INTRODUCTION
Today, most organizations and vendors try to present their services on the web with the best possible quality and reliability, using a multitude of software products and platforms to satisfy their visitors. At the same time, they have to consider all the security requirements of their web sites and provide proper security solutions to prevent intrusion and data manipulation. Although commercial security solutions provide a relatively secure environment, they carry extra costs for devices, licenses and updates. These costs are a serious barrier for companies that want to build a reliable platform for their web customers and visitors. The open source world offers capable and efficient solutions with no software or license cost, both to such companies and to anyone who wants to run a dependable, heavily visited web site.
The project was commissioned by a governmental organization, and its final goal was to gather economic information on more than 17,000,000 families [2]. The design and implementation of the project as a whole was a large undertaking; in this paper we focus only on its security provisioning, which was carried out according to a defense in depth strategy. There are various commercial total solutions for following this strategy, but because of considerable license costs, restrictions on purchasing some of these products and the fear of espionage, it was decided to design and implement the security architecture with open source software. A two-tier application architecture [3] was used, with application code developed for the web/application tier and the database tier. Because of the huge volume of user requests, a load balancer distributed those requests among the web/application and database servers. Due to the sensitivity of the project and the weight the chosen strategy puts on availability, redundancy was built into every section of the project.
Only a limited amount of related work exists on implementing defense in depth with open source tools and on the security concerns of using open source software in enterprise solutions [4,5]. These works are limited to a few well known open source tools and say nothing about the wider range of open source security software. In this paper, we point out various open source tools and techniques that can be applied to create a secure environment for offering reliable services.
Our contributions in this paper are as follows:
• Identifying the technical problems in designing a defense in depth strategy based on open source software.
• Introducing current open source tools and products that resolve these implementation issues, together with design guidelines and a road map.
In the following sections, we first describe the selected strategy and then discuss how the various sections of the project were secured with suitable open source tools.
II. MATERIALS AND METHODS
A. Defense in Depth Strategy
The defense in depth strategy was developed by the National Security Agency (NSA) [6] to provide multiple layers of security mechanisms, focusing on people, technology and operations (including physical security), in order to achieve robust information assurance. In practice it is the layering of defenses to provide additional protection against perceived threats. This practice creates multiple barriers between an attacker and critical information resources, restricts direct access to such systems and prevents easy reconnaissance of the network [7].
An important principle of defense in depth is that achieving information assurance requires a focus on people, technology and operations. The first item has the key role: achieving information assurance always begins with a senior management commitment that defines effective information assurance policies and processes. Assignment of responsibilities, commitment of resources and training of critical personnel are the main parts of this item.
2011 IEEE Student Conference on Research and Development
978-1-4673-0102-2/11/$26.00 ©2011 IEEE
Figure 1. Components of defense in depth strategy
Figure 2. Defense in Depth strategy (General Overview)
This item also includes the establishment of personnel security measures to control and monitor access to facilities and to critical elements of the information technology environment [8]. A wide range of technologies, the second primary item of the strategy, is available today to provide information assurance services and to detect malicious activity. To ensure that relevant and appropriate technologies are deployed, each organization should establish effective policies and processes for selecting and applying them.
Fig. 1 shows these three parts of the defense in depth strategy. This paper concentrates only on the second part, that is, choosing the right technologies for the design and implementation of the different security aspects of the project [9]. Fig. 2 shows a simple flow of the defense in depth strategy as presented by Cisco [10], from the application layer down to policies and procedures. In the next sections we discuss the techniques and open source tools that were applied to implement the key parts of this strategy.
B. Security Provisioning
According to the selected strategy and to achieve a
comprehensive plan for security architecture of the project, we
divided this section into four separated parts: Network
Security, Host Security, Application Security and Security
Monitoring. Fig. 3 represents different main components of the
project. In the following subsections, we will talk about each
part with more details.
Figure 3. Big picture of the project
1) Network Security
At the first layer of defense, the security of the network edge has to be taken into account, and a network firewall at this layer is unavoidable. Before that step, the edge router should be hardened carefully by disabling unnecessary router services and defining proper Access Control Lists (ACLs). A stateful firewall [11] must then inspect all incoming and outgoing traffic at this layer. Preferably, the same device also acts as a Network Intrusion Detection System (NIDS) with rule update capability.
As shown in Fig. 3, we used two Linux machines running iptables [12] and Snort [13] to meet these requirements. Iptables, the standard Linux firewall, is widely used as the filtering engine inside commercial software and hardware firewalls. It is a stateful firewall that can also inspect packet payloads: with "String Match Support" enabled in the Linux kernel, iptables can check packet contents for a specific string, such as entries from a banned word list or signatures of malicious files [14]. Note that this match is applied to each packet on its own, so a string that is split across two segments is not detected; Snort, which reassembles TCP streams, covers that gap. Alongside iptables, Snort, the most widely deployed open source Intrusion Detection System (IDS) [15], developed by Sourcefire, is the complementary component at this layer. Here Snort works as a NIDS that monitors and inspects all incoming and outgoing connections. Its combination of signature, protocol and anomaly based inspection, together with nearly 400,000 registered users, has made Snort the de facto standard for IDS technology [16]. To keep the Snort detection engine up to date, it is necessary to subscribe to the Sourcefire Vulnerability Research Team (VRT) [17] rule set; in this way the latest VRT certified rules can be used to monitor and inspect all network activity.
Together, iptables and Snort form a robust security gateway at the edge of the proposed architecture. To turn these detection elements into a prevention system, fwsnort [18] was used. fwsnort is a separate tool, not a component of Snort itself, that parses Snort rules and builds an equivalent iptables rule set so that matching traffic is dropped rather than merely logged. As Fig. 3 shows, the same security gateway also carries all connections in the core layer, which makes its role even more critical. To provide more reliability at this layer, two machines work together in Active/Standby mode: if the main Firewall/NIDS fails, the second one takes over. The availability mechanism was implemented with the Virtual Router Redundancy Protocol (VRRP) [19] and a Linux BASH script [20] that verifies the availability and correct functioning of both gateways. Under VRRP, both devices share a virtual IP address through which the edge router communicates with them. There are therefore separate links from the border router to each Linux Firewall/NIDS, and the two Linux machines have a dedicated link to each other for VRRP traffic and the data exchanged by the BASH script.
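The paper does not show the health check behind the Active/Standby pair. The script below is an added example, not the authors' script: it assumes keepalived as the VRRP implementation (the paper names only VRRP), and it checks that every function of the gateway is alive before the node is allowed to keep the virtual IP. Process names, interface names, the VIP and the priorities are assumptions.

```bash
#!/usr/bin/env bash
# Added example: health check for the Active/Standby gateway pair.
# Assumes keepalived (not named in the paper) as the VRRP implementation;
# process names, interfaces, VIP and priorities are assumptions.
set -u

# Overridable so the check can be exercised without the real daemons.
PGREP=${PGREP:-pgrep}
IPTABLES=${IPTABLES:-iptables}

# A gateway is healthy only when every function is present: a node whose
# Snort has died but that still holds the VIP would pass traffic uninspected,
# which is worse than failing over to the standby.
gateway_health() {
    local failed=0 proc
    for proc in snort haproxy; do
        if ! "$PGREP" -x "$proc" >/dev/null 2>&1; then
            echo "health: $proc not running" >&2
            failed=1
        fi
    done
    # A flushed or default-ACCEPT filter table is a failure too.
    if ! "$IPTABLES" -S INPUT 2>/dev/null | grep -q '^-P INPUT DROP'; then
        echo "health: INPUT policy is not DROP" >&2
        failed=1
    fi
    return "$failed"
}

# keepalived.conf fragment: two consecutive failures of the check lower this
# node's priority below the standby's, so the VIP moves to the other gateway.
keepalived_config() {
    cat <<'EOF'
vrrp_script chk_gateway {
    script "/usr/local/sbin/gateway-health.sh check"
    interval 2
    fall 2
    rise 2
    weight -20
}

vrrp_instance GW {
    state MASTER            # BACKUP on the standby node
    interface eth2          # dedicated link between the two gateways
    virtual_router_id 51
    priority 110            # 100 on the standby node
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass changeme
    }
    virtual_ipaddress {
        192.0.2.1/24 dev eth0   # VIP the border router points at
    }
    track_script {
        chk_gateway
    }
}
EOF
}

case "${1:-}" in
    check)  gateway_health ;;
    config) keepalived_config ;;
    "")     ;;
    *) echo "usage: $0 check|config" >&2; exit 1 ;;
esac
```

The check deliberately fails closed: a gateway that is reachable but has lost its IDS or its filter policy is treated as down, because the point of the pair is to keep an inspecting gateway in the path, not merely a forwarding one.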
The final function delegated to the edge security components was the distribution of user requests. Because of the huge volume of incoming web requests for the project web site, a load balancing mechanism was needed to direct requests to the proper web servers according to specified priorities. Besides distributing incoming requests among the available web servers, a load balancer at this layer can mitigate a newer generation of web attacks such as low rate HTTP Denial of Service (DoS) attacks [21]. The main purpose of this attack type is to consume web server resources by sending many incomplete web requests, e.g. partial GET requests (Slowloris) [22]. Network firewalls and NIDSs often treat this traffic as valid because it consists of nothing more than incomplete HTTP requests, yet the requests tie up the web server and prevent it from serving legitimate users. One of the best protections is to place a load balancer in front of the web servers: it holds each pending connection in an event driven process at very low cost, enforces a time limit within which the request header must be completed, and only opens a connection to a web server once a complete request has arrived. HAProxy [23], an open source TCP/HTTP load balancer, was chosen for this purpose and was configured as a standalone daemon on the Linux firewall systems.
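As an added example (not the project's own configuration), the script below writes an HAProxy front end of the kind described above and includes a probe that behaves like a Slowloris client, so the effect of the time-out can be checked. Addresses, server names and time-out values are assumptions; HAProxy 1.4 or later is assumed for "timeout http-request".

```bash
#!/usr/bin/env bash
# Added example: HAProxy front end on the Linux gateway that absorbs slow,
# incomplete HTTP requests before they reach Apache. Not the project's
# configuration; addresses, server names and time-outs are assumptions.
# Needs HAProxy 1.4+ for "timeout http-request"; the probe needs bash.
set -eu

# The two directives that matter against Slowloris-style requests are
# "timeout http-request" (the complete request header must arrive within this
# window, otherwise HAProxy answers 408 and closes the client socket; no
# backend connection is opened before the header is complete) and "maxconn"
# on each server line (Apache never sees more connections than it can serve).
haproxy_config() {
    cat <<'EOF'
global
    daemon
    maxconn 20000
    user haproxy
    group haproxy

defaults
    mode http
    option httplog
    option dontlognull
    timeout http-request 10s
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend www
    bind 0.0.0.0:80
    default_backend web_pool

backend web_pool
    balance roundrobin
    option httpchk GET /
    server web1 10.10.0.11:80 check maxconn 3000
    server web2 10.10.0.12:80 check maxconn 3000
EOF
}

# Send a request header and never finish it, then report how long the peer
# keeps the half-open request alive. Behind the front end above it should be
# answered or closed after about 10 s; an unprotected Apache 2.2 holds it for
# its whole Timeout (300 s by default).
slow_request_probe() {
    local host=$1 port=$2 limit=${3:-20} start rc line
    exec 3<>"/dev/tcp/$host/$port" || return 2
    printf 'GET / HTTP/1.1\r\nHost: %s\r\nX-Slow: ' "$host" >&3   # header never terminated
    start=$(date +%s)
    while [ $(( $(date +%s) - start )) -lt "$limit" ]; do
        if read -r -t 1 -u 3 line; then rc=0; else rc=$?; fi
        # 0: the server replied (e.g. "HTTP/1.0 408 Request Time-out");
        # 1: EOF, the server closed; >128: nothing yet, keep waiting.
        if [ "$rc" -le 1 ]; then
            exec 3>&-
            echo "answered or closed after $(( $(date +%s) - start ))s"
            return 0
        fi
    done
    exec 3>&-
    echo "still open after ${limit}s"
    return 1
}

case "${1:-}" in
    config) haproxy_config ;;
    probe)  slow_request_probe "${2:?host}" "${3:?port}" "${4:-20}" ;;
    "")     ;;
    *) echo "usage: $0 config | probe <host> <port> [seconds]" >&2; exit 1 ;;
esac
```

Run "probe" once against the HAProxy address and once against a web server directly to see the difference the front end makes; the probe leaves the connection half-open only for the number of seconds given, so it is safe to run against your own systems.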
The Linux distribution used on the Firewall/NIDS machines was based on SuSE Linux [24], and all of the open source tools mentioned were installed and configured on this operating system. The three major functions of the Linux security gateways, layer 4 firewall, network IDS and load balancer, are shown in Fig. 3.
After the installation of the network security gateways, the security and availability of the other network elements must be taken into account. Two Cisco Catalyst 3750-E switches [25] were dedicated to packet switching in the core and access layers. Different traffic types were separated by defining three Virtual LANs (VLANs) [26] on these switches, each forming an isolated network security zone. For instance, web servers were placed in the Demilitarized Zone (DMZ) and are reachable by all Internet users, whereas database servers were placed in the High Security Zone (HSZ), which is reachable only from the web servers in the DMZ and from the Management zone.
Two switches were used for availability in the core/access layer. Redundancy between them was obtained with the Spanning Tree Protocol (STP) [27], which, as well as keeping the network loop free, activates backup paths automatically when an active link fails. As Fig. 3 shows, a dedicated link between the two switches carries the STP exchange, just as a dedicated link connects the two firewalls.
A mesh topology between the Linux firewalls and the switches further increases network reliability. If a firewall or a switch fails, the redundant path takes over and user sessions stay connected through the remaining devices. In Fig. 3, the main paths are drawn in blue and the redundant ones in red. Each path consists of three lines, one per dedicated VLAN for a specific zone (Web/Application Zone, Database Zone and Management Zone).
To extend availability and reliability to the servers in the access layer, each server should have at least two separate network adapters, each connected to a different switch. This was achieved by loading the Linux bonding module [28] into the kernel and creating a bonded virtual interface on each server, through which both adapters are reachable under a single IP address. Note also that, under the proposed design and the defined zones, whenever a server in one zone connects to a server in another zone, both the request and the returning traffic pass through and are processed by the Linux firewall.
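The paper describes the zone policy (Internet to HAProxy on the gateway, DMZ to HSZ on the database port only, management access over SSH) and the iptables string match in prose but gives no rules. The script below is an added example, not the project's rule set: interface names, subnets, ports and the matched string are assumptions, and the gateway is assumed to terminate web traffic in HAProxy as described above, so Internet traffic to port 80 is an INPUT rule rather than a FORWARD rule. Run with "show" to print the rules, or as root with "apply" to load them.

```bash
#!/usr/bin/env bash
# Added example: stateful iptables policy for the edge Firewall/NIDS gateway
# with the three security zones. Interfaces, subnets, ports and the matched
# string are assumptions (the paper gives none).
# Usage: ./gateway-fw.sh show      print the rules
#        ./gateway-fw.sh apply     load them (root)
set -eu

# Assumed topology: eth0 faces the border router; the three VLANs arrive as
# tagged sub-interfaces on the link to the core switches.
WAN=eth0
DMZ_IF=eth1.10;  DMZ_NET=10.10.0.0/24      # web/application zone
HSZ_IF=eth1.20;  HSZ_NET=10.20.0.0/24      # database zone (high security)
MGT_IF=eth1.30;  MGT_NET=10.30.0.0/24      # management zone
DB_PORT=3306
SSH_PORT=22

# ipt: print the command in show mode, execute it in apply mode.
MODE=show
ipt() {
    if [ "$MODE" = apply ]; then iptables "$@"; else echo "iptables $*"; fi
}

base_policy() {
    # Default deny for traffic to and through the gateway; replies to
    # connections already accepted are allowed once, by state.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT            # HAProxy opens backend connections from here
    for chain in INPUT FORWARD; do
        ipt -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        ipt -A "$chain" -m conntrack --ctstate INVALID -j DROP
    done
    ipt -A INPUT -i lo -j ACCEPT
    # Only the management zone may reach the gateway itself, and only over SSH.
    ipt -A INPUT -i "$MGT_IF" -s "$MGT_NET" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
}

string_match_policy() {
    # The kernel string match the paper mentions: drop web requests whose
    # payload carries a banned token. Must precede the ACCEPT for port 80 or
    # it is never evaluated. Per packet only; the pattern is illustrative.
    ipt -A INPUT -i "$WAN" -p tcp --dport 80 -m string --string "../../../etc/passwd" --algo bm -j DROP
}

zone_policy() {
    # Internet -> HAProxy on this gateway: the only ports published to the
    # world. Web servers in the DMZ are never reachable from eth0 directly.
    ipt -A INPUT -i "$WAN" -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
    # DMZ -> HSZ: web servers may open the database port, nothing else.
    ipt -A FORWARD -i "$DMZ_IF" -s "$DMZ_NET" -o "$HSZ_IF" -d "$HSZ_NET" -p tcp --dport "$DB_PORT" -m conntrack --ctstate NEW -j ACCEPT
    # Management -> DMZ and HSZ: SSH only.
    for zone_if in "$DMZ_IF" "$HSZ_IF"; do
        ipt -A FORWARD -i "$MGT_IF" -s "$MGT_NET" -o "$zone_if" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Anything from the Internet towards the high security zone is logged
    # before it falls through to the DROP policy.
    ipt -A FORWARD -i "$WAN" -o "$HSZ_IF" -j LOG --log-prefix "FW-HSZ-DENY: "
}

load_all() { base_policy; string_match_policy; zone_policy; }

case "${1:-}" in
    apply) MODE=apply; load_all ;;
    show)  MODE=show;  load_all ;;
    "")    ;;   # no verb: only define the functions
    *)     echo "usage: $0 show|apply" >&2; exit 1 ;;
esac
```

Two points worth checking on any such policy: the ordering of the payload match relative to the ACCEPT rule (an appended DROP behind an ACCEPT is dead), and the absence of any ACCEPT from the WAN interface towards the HSZ interface, which is what makes the database zone "high security" rather than merely a separate VLAN.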
To increase security at this layer, we also applied port security [29] and Dynamic ARP Inspection (DAI) [30] on the network switches to limit what a compromised host in one of the defined zones could do. These features protect switches and servers from several layer 2 attacks, such as MAC and ARP spoofing, attacks involving rogue DHCP servers (countered by DHCP snooping, on whose binding table DAI also relies) and CAM table overflow [31]. Finally, hardening of the network switches themselves was the last step of this phase.
2) Host Security
The last layer of defense in the end to end security model is the systems that serve user requests. After deploying all the elements needed for network security, we must consider security in the host layer, which includes the operating system, the services it runs and the application. Application security is discussed in the next subsection. The National Security Agency (NSA) has published comprehensive hardening guides for various operating systems, especially the UNIX family. Since all web/application and database servers in this project ran Red Hat Enterprise Linux (RHEL) [32], the NSA guidance for Linux was applied. One of the most important recommendations in that guidance is a centralized authentication and authorization system that controls user access to all servers. We implemented this with a Lightweight Directory Access Protocol (LDAP) [33] server in the management zone (zone 3). Through this component and the configuration of Pluggable Authentication Modules (PAM) [34] on the Linux hosts, granting and managing access for each user can be done centrally on the LDAP server. phpLDAPadmin [35] was used as a web interface for managing system users and the LDAP server.
Another important NSA recommendation for host hardening is a local stateful firewall on every server, and iptables was used for this part of the project too. By configuring the filter table on each server and closing all ports and source addresses that are not needed, the security level of all servers was raised. The host iptables firewalls work as a complement to the Linux Firewall/NIDS at the edge: in an emergency that requires the Linux Firewalls/NIDSs to be bypassed, the host firewalls still protect the servers in the DMZ and HSZ from unauthorized access. The local firewalls also inspect the traffic that crosses between the defined security zones (DMZ, HSZ and Management), in addition to the inspection done by the Linux Firewalls/NIDSs.
One notable feature in this part was the synchronization of rules between the Linux edge firewalls and the local iptables firewalls by means of BASH scripting. A scheduled BASH script finds the most recently committed iptables rules on the edge Firewall/NIDS and transfers the extracted rules to update the local firewalls. The transfer takes place over Secure Shell (SSH) [36] connections between the edge firewalls and the other servers. The idea behind integrating the network and local firewalls is to maintain a sufficient level of network security in emergencies and unexpected situations. Suppose, for instance, that physical damage or a critical operating system upgrade makes it necessary to bypass the Linux edge Firewalls/NIDSs and connect the router directly to the network switches. Until the edge firewalls are back in service, there is no barrier left to drop traffic from suspicious IP addresses. Synchronizing the iptables rule sets of the edge and local firewalls, using a customized BASH script that extracts, transfers and applies the new rules on the other servers, provides a suitable shield in situations of this kind. Fig. 4 gives a simplified view of the synchronization procedure.
Whenever a malicious user sends invalid traffic to the Linux security gateways, the defined iptables rules and the Snort detection engine detect the activity and block the sender's IP address on the edge firewall. The scheduled script then extracts the newly added rules and transfers them to the web/application servers, where they are committed to the local iptables firewalls.
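The authors' synchronization script is not reproduced in the paper. The script below is an added example of the procedure just described, not their code. It assumes that the edge firewall keeps its per-address blocks as "-s <cidr> -j DROP" rules in a dedicated chain (BLOCKLIST here), that the edge firewall has key-based root SSH access to each server, and the server names in SERVERS. "sync" is meant to run from cron on the edge firewall; "demo" runs the extraction on a constructed iptables-save sample embedded in the script.

```bash
#!/usr/bin/env bash
# Added example of the edge-to-host rule synchronization described in the
# paper; not the authors' script. Assumptions: blocks live in a dedicated
# chain (BLOCK_CHAIN) as "-s <cidr> -j DROP" rules, root SSH with keys from
# the edge firewall to every server, server names in SERVERS.
set -eu

BLOCK_CHAIN=${BLOCK_CHAIN:-BLOCKLIST}
SERVERS=${SERVERS:-"web1 web2 db1 db2"}

# Constructed sample of iptables-save output (not a capture), for the demo.
SAMPLE_SAVE='# Generated by iptables-save (constructed sample, not a capture)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BLOCKLIST - [0:0]
-A INPUT -j BLOCKLIST
-A FORWARD -j BLOCKLIST
-A BLOCKLIST -s 203.0.113.7/32 -j DROP
-A BLOCKLIST -s 198.51.100.0/24 -j DROP
-A BLOCKLIST -s 203.0.113.7/32 -j DROP
-A BLOCKLIST -s 192.0.2.99/32 -j LOG --log-prefix "BL: "
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Read iptables-save text on stdin; print the source of every DROP rule in the
# block chain, once each, in rule order. LOG-only rules are not blocks.
extract_blocked_sources() {
    awk -v chain="$BLOCK_CHAIN" '
        $1 == "-A" && $2 == chain && /-j DROP/ {
            for (i = 3; i < NF; i++) if ($i == "-s") { print $(i + 1); break }
        }' | awk '!seen[$0]++'
}

# Accept only an IPv4 address with an optional /prefix. The sync channel runs
# root commands on every server, so nothing unvalidated may reach it.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Turn the CIDR list on stdin into commands for a server: insert the block at
# the top of INPUT only if an identical rule is not already present, so the
# script can run every few minutes without growing the rule set.
render_local_rules() {
    local cidr
    while IFS= read -r cidr; do
        if valid_cidr "$cidr"; then
            printf 'iptables -C INPUT -s %s -j DROP 2>/dev/null || iptables -I INPUT 1 -s %s -j DROP\n' "$cidr" "$cidr"
        else
            echo "skipping malformed entry: $cidr" >&2
        fi
    done
}

# Ship the rendered commands over SSH and run them on one server.
push_rules() {
    ssh -o BatchMode=yes -o ConnectTimeout=10 "root@$1" 'sh -s' < "$2"
}

sync_blocklist() {
    local tmp
    tmp=$(mktemp)
    iptables-save | extract_blocked_sources | render_local_rules > "$tmp"
    for srv in $SERVERS; do
        push_rules "$srv" "$tmp" || echo "sync to $srv failed" >&2
    done
    rm -f "$tmp"
}

case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_SAVE" | extract_blocked_sources | render_local_rules ;;
    sync) sync_blocklist ;;
    "")   ;;
    *) echo "usage: $0 demo|sync" >&2; exit 1 ;;
esac
```

Two practical points follow from the design rather than from the script. First, the push direction means the edge firewall holds root credentials for every server, so the gateway's SSH key deserves the same protection as the servers themselves (a forced command in authorized_keys that only runs the rule loader is one way to narrow it). Second, rules are only ever added; entries the edge firewall later removes stay on the hosts until they are cleaned up separately, which is acceptable for a blocklist but should be understood before the same mechanism is used for anything else.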
As the final instrument of host security, we used a well known open source Host based Intrusion Detection System (HIDS), OSSEC [37]. It was deployed on every operating system in the project to perform file integrity checking, rootkit detection and log monitoring and to report abnormal system activity. In any suspicious case the OSSEC agent sends an email report with the relevant details to the security administrator. All OSSEC agents were managed by a central OSSEC server and monitored through the open source OSSEC Web User Interface (OSSEC-WUI) [38] on that server. The OSSEC HIDS on every server thus complements the network IDS running on the Linux security gateways.
Figure 4. Firewall synchronizing through written BASH script
3) Application Security
Today, most of the effort of hackers and intruders is concentrated on breaching the application layer. In many cases, penetrating or disrupting an application is much easier than flooding a network or breaking into security devices. Hence all critical aspects of the various applications and their source code, especially those directly exposed to web users, deserve attention in every project of this kind. Some well known IT security companies have therefore published guidance for this work; for example, EC-Council offers the Certified Secure Programmer (ECSP) [39] material, which helps developers review their source code and harden it against different kinds of threats.
The web/application code in this project was developed in Java, and the whole code base was reviewed with experienced developers according to the EC-Council guidance to verify its resistance to common web attack types such as XSS, SQL injection and buffer overflow [40]. One of the most vital parts of this process was the review of the communication between the web/application servers and the database servers, since this is where data leakage through SQL injection has to be prevented.
After reviewing the application code, web server security is the next necessary element. The Apache HTTP Server, the most popular open source web server, was used on all web/application servers of the project. According to the Netcraft report of June 2011 [41], more than 60% of web servers on the Internet run Apache. As mentioned in the network security section, there are newer types of web attack that target web server weaknesses and properties. Some of these threats are mitigated by the Snort NIDS at the edge, but it is not effective against the newer group, e.g. HTTP GET/POST Denial of Service (DoS) attacks [42], also known as low rate denial of service attacks. These attacks are harder to detect than other malicious web activity because they consist only of many incomplete HTTP requests that aim to exhaust the web server. Various web application firewalls and security products have been offered to detect and prevent them. ModSecurity [43], an open source web application firewall, was chosen here as a complementary part of the Apache web server. ModSecurity provides request filtering and security features for the Apache HTTP Server, inspecting incoming requests against the rules defined in its configuration files. By writing comprehensive rules for it and integrating it with Apache, many of the threats related to GET/POST DoS attacks were addressed and the web server's resistance to these attacks was increased.
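The paper does not reproduce its ModSecurity rules. The fragment below is an added example of the kind of Apache-side configuration that addresses slow GET/POST requests, not the project's rule set. It goes slightly beyond the text in pairing the ModSecurity per-client rate limit with Apache's own mod_reqtimeout, which is what actually closes a connection whose header or body stops arriving. Apache 2.2 with mod_reqtimeout (2.2.15 or later) and ModSecurity 2.5 or later are assumed; thresholds, paths and rule ids are assumptions.

```bash
#!/usr/bin/env bash
# Added example: Apache/ModSecurity configuration against slow GET/POST DoS.
# Not the project's rule set. Assumes Apache 2.2.15+ (mod_reqtimeout) and
# ModSecurity 2.5+; thresholds, paths and rule ids are assumptions.
set -eu

modsecurity_config() {
    cat <<'EOF'
# --- Apache side: the request header and body must keep arriving. ---------
# The header must be complete within 10 s (extended to at most 20 s while
# data keeps arriving at 500 bytes/s or more); the body gets the same rule.
# This is what cuts Slowloris and slow-POST connections; the ModSecurity
# rules below add a per-client request budget on top.
<IfModule mod_reqtimeout.c>
    RequestReadTimeout header=10-20,MinRate=500 body=20,MinRate=500
</IfModule>

<IfModule security2_module>
    SecRuleEngine On
    SecRequestBodyAccess On
    SecRequestBodyLimit 1048576
    # Persistent per-client collections; the directory must exist and be
    # writable by the Apache user.
    SecDataDir /var/cache/modsecurity

    # Open (or reload) the collection keyed by client address.
    SecAction "phase:1,id:1001,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

    # Clients already flagged are refused outright for the block period.
    SecRule IP:BLOCKED "@eq 1" \
        "phase:1,id:1002,deny,status:403,log,msg:'Client blocked for request flooding'"

    # Count GET/POST requests per client in a sliding 60 s window.
    SecRule REQUEST_METHOD "^(?:GET|POST)$" \
        "phase:1,id:1003,nolog,pass,setvar:ip.req_count=+1,expirevar:ip.req_count=60"

    # More than 120 requests in 60 s from one address: flag it for 300 s.
    # Tune against real traffic; the paper reports that thresholds of this
    # kind had to be adjusted to reduce false positives.
    SecRule IP:REQ_COUNT "@gt 120" \
        "phase:1,id:1004,deny,status:403,log,msg:'Request rate exceeded',setvar:ip.blocked=1,expirevar:ip.blocked=300"
</IfModule>
EOF
}

case "${1:-}" in
    config) modsecurity_config ;;
    "")     ;;
    *) echo "usage: $0 config" >&2; exit 1 ;;
esac
```

One caveat applies whenever HAProxy sits in front of Apache as in this design: REMOTE_ADDR is then the load balancer's address, so a per-client counter keyed on it would block everyone at once. The counter has to be keyed on the client address HAProxy forwards (for example in an X-Forwarded-For header that Apache is configured to trust), or the rate limit has to be applied on the load balancer instead.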
4) Security Monitoring
Once the proposed security architecture is in place, it is time to correlate and monitor all the security events generated by the various project components, so that a proper response can be made in each situation. Most vendors of commercial security products offer their customers additional tools for analyzing security events and generating comprehensive security reports.
Figure 5. Different components of OSSIM
Since we used diverse open source security software in the different layers of the project, we first had to aggregate and analyze the events generated by all of them and then archive these events in a database for later reference. One of the best open source products for this task is OSSIM [44], a powerful open source platform for security information management. Its goal is to provide a comprehensive set of elements that give a detailed view of the security state of every network component and host. Fig. 5 shows the main ingredients of OSSIM.
As Fig. 5 shows, OSSIM is composed of four major elements. The first is the management server, which centralizes all events received from the various agents; its principal task is collecting, normalizing and analyzing the events generated by the other project elements. The second is the set of sensors (agents) deployed in the network to monitor activity and send suspicious events to the management server. Syslog and syslog-ng [45] were used on the server hosts as sensors, and Snort sensors were used to collect security events and alerts.
After processing, the collected information is stored in the OSSIM database, the third major component. This SQL database holds all events and the supporting information needed to administer and maintain the security monitoring system. In the event of an attack, or for forensic investigation, the stored information can be very useful in resolving the problem.
The last part of OSSIM is its frontend, a web console for monitoring and managing the various sensors and system components. Through this web interface the security administrator can monitor all system activity centrally and make informed decisions in unexpected situations. The interface is also used to search the OSSIM database for a specific string or piece of information and to generate various reports. Note that the role of OSSIM in this project was limited to the correlation and monitoring of security events; for monitoring the functioning of the other elements and services of the project, a separate dedicated monitoring server was placed in the management zone, as shown in Fig. 3.
Figure 6. Traffic graph of incoming bandwidth
III. RESULTS
As shown in Fig. 6, over a period of 3 weeks we observed more than 30 Mbps of incoming traffic from the Internet to the web/application servers. The graph shows the incoming traffic on the active Linux Firewall/NIDS machine. As mentioned above, at peak hours more than 15,000 concurrent users were connected through it to the web servers. The functioning of the Linux Firewall/NIDS, as the major security component, was monitored during the project; apart from a few false positive detections, it handled all incoming traffic smoothly and denied a huge number of malicious requests at the edge. The daily security reports generated by OSSIM showed that the different security elements were working properly and providing a safe environment for the project. In some cases, threshold values in certain ModSecurity and Snort rules had to be reviewed and adjusted to reduce the number of false positive events in threat detection.
To increase the analysis speed of the OSSIM engine and reduce the size of its database, it is also necessary to filter incoming events so that logs at the informational and debug levels are ignored.
Over the duration of the project, more than 22,000,000 web sessions were created on the web/application servers to collect web users' information, and around 10,800,000 records were updated on the database servers. Fig. 7 shows the cumulative numbers of created sessions and inserted database records on the last day of the project.
Gathering this amount of information without any disruption in serving user requests and without data leakage indicates the effectiveness of the applied security strategy and techniques. For security reasons, we are not permitted to publish the security reports produced by the OSSIM server during the project.
IV. CONCLUSION AND FUTURE WORKS
We have described the main security elements of the project that contributed to its success. As shown, almost all of them are well known open source software that can be used in place of many proprietary and commercial tools. No software cost, freely available updates, source code availability, comprehensive documentation and many other features make a strong case for entering the open source world and making use of its practical software.
In future projects, we will try to use encrypted connections between the different servers to reduce the risk of interception. The use of 802.1X [46] authentication, open source patch management servers and anti-virus software on production servers, together with measurement of their effectiveness, will also be considered for similar projects.
Figure 7. Created sessions and inserted records in databases
REFERENCES
[1] The Open Source Definition (Annotated) Version 1.9. (n.d.). Retrieved
08/10, 2011, from http://www.opensource.org/osd.html
[2] Latest national statistics of Iran population. (2007-05-15). Retrieved
08/10, 2011, from http://www.aftabnews.ir/vdcc0xqe.2bqsi8laa2.htm.
[3] Multitier architecture. (2011-03-18). Retrieved 08/10, 2011, from
http://en.wikipedia.org/wiki/Multitier_architecture.
[4] J. Wolfe, "Defense in Depth: Company B's Open-Source Network Security Strategy", SANS Institute, GSEC Practical version 1.4b, April 2003.
[5] S. R. Vadalasetty, “Security Concerns in Using Open Source Software
for Enterprise Requirements”, SANS Institute, GSEC Practical version
1.4b, October 2003.
[6] National Security Agency, Central Security Service. (2009-01-15).
Retrieved 08/10, 2011, from http://www.nsa.gov/about.
[7] Defense in depth white paper, NetIQ Corporation, April 2002.
[8] B. Jones, “Overview of DoD Defense in Depth Strategy”, SANS
Institute, January 2005.
[9] “Defense in Depth, a practical strategy for achieving Information
Assurance in today’s highly networked environments”, Retrieved 08/10,
2011, from http://www.nsa.gov/ia/_files/support/defenseindepth.pdf.
[10] “Securing Unified CCE”, Cisco Unified Contact Center Enterprise 7.0,
7.1 and 7.2 SRND, OL-8669-16, Cisco systems, August 2009.
[11] Stateful Firewall. (2011-03-01). Retrieved 08/10, 2011, from
http://en.wikipedia.org/wiki/Stateful_firewall.
[12] The netfilter.org project. (1999). Retrieved 08/10, 2011, from
http://www.netfilter.org.
[13] About Snort, (2010). Sourcefire, Inc. Retrieved 08/10, 2011, from
http://www.snort.org/snort.
[14] A. Chuvakin, “IPTables Linux firewall with packet string-matching
support”. (2010-11-03), Retrieved 08/10, 2011, from
http://www.symantec.com/connect/articles/iptables-linux-firewall-
packet-string-matching-support.
[15] Intrusion Detection System. (2011-08-03). Retrieved 08/10, 2011, from
http://en.wikipedia.org/wiki/Intrusion_detection_system.
[16] What is Snort, (2010). Sourcefire, Inc. Retrieved 08/10, 2011, from
http://www.snort.org.
[17] Sourcefire Vulnerability Research Team (VRT). (2011-08-02).
Retrieved 08/10, 2011, from http://www.sourcefire.com/security-
technologies/snort/vulnerability-research-team.
[18] “FWSnort: Application Layer IDS/IPS with iptables”. (2010), Retrieved
08/10, 2011, from http://www.cipherdyne.org/fwsnort.
[19] S. Nadas, Ed., "Virtual Router Redundancy Protocol (VRRP) Version 3 for IPv4 and IPv6", IETF RFC 5798, March 2010.
[20] Bash (UNIX Shell). (2011-08-10). Retrieved 08/10, 2011, from
http://en.wikipedia.org/wiki/Bash_%28Unix_shell%29.
[21] Maciá-Fernández, G., Díaz-Verdejo, J.E., García-Teodoro, P., De Toro-
Negro, F. “LoRDAS: A low-rate DoS attack against application
servers”, Lecture Notes in Computer Science, vol. 5141 LNCS, 2008,
Pages 197-209.
[22] R. Hansen, Slowloris HTTP DoS. (2010). Retrieved 08/10, 2011, from
http://ha.ckers.org/slowloris.
[23] Willy Tarreau, (2008-05-25). HAProxy Architecture Guide, version
1.2.18. Retrieved 08/10, 2011, from
http://haproxy.1wt.eu/download/1.2/doc/architecture.txt
[24] Linux OS, SuSE Linux Enterprise. (2011). Novell corp., Retrieved
08/10, 2011, http://www.suse.com.
[25] Cisco Catalyst 3750-E Series Switches. (2011). Cisco Systems,
Retrieved 08/10, 2011,
http://www.cisco.com/en/US/products/ps7077/index.html.
[26] Virtual LAN, (2011-08-09), Retrieved 08/10, 2011, from
http://en.wikipedia.org/wiki/Virtual_LAN.
[27] Spanning Tree Protocol, (2011-07-29), Retrieved 08/10, 2011, from
http://en.wikipedia.org/wiki/Spanning_Tree_Protocol
[28] Linux bonding, (2009-11-19), The Linux Foundation, Retrieved 08/10,
2011, from
http://www.linuxfoundation.org/collaborate/workgroups/networking/bon
ding.
[29] “Configuring Port Security”, Cisco IOS Software Configuration Guide,
Release 12.2SX, OL-13013-06, Cisco Systems.
[30] “Configuring Dynamic ARP Inspection”, Cisco IOS Software
Configuration Guide, Release 12.2SX, OL-13013-06, Cisco Systems.
[31] I. Dubrawsky, “SAFE Layer 2 Security In-depth version 2 white paper”,
Cisco systems, 2004.
[32] Red Hat Enterprise Linux for Servers. (2011), Retrieved 08/10, 2011,
from http://www.redhat.com/rhel/server.
[33] K. Zeilenga, Ed. “Lightweight Directory Access Protocol (LDAP):
Technical Specification Road Map”, IETF RFC 4510, June 2006.
[34] Pluggable Authentication Module, (2011-08-03). Retrieved 08/10, 2011,
http://en.wikipedia.org/wiki/Pluggable_authentication_module.
[35] About phpLDAPadmin, (2011-04-30). Retrieved 08/10, 2011,
http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page.
[36] T. Ylonen, C. Lonvick, Ed., “The Secure Shell (SSH) Protocol
Architecture”, IETF RFC 4251, January 2006.
[37] About OSSEC. (2008). Retrieved 02/18, 2011, from
http://www.ossec.net/main/about.
[38] OSSEC Web User Interface (wui), (2010). Retrieved 02/18, 2011, from
http://www.ossec.net/wiki/OSSECWUI.
[39] EC-Council Certified Secure Programmer, (2010). Retrieved 02/18,
2011, from http://www.eccouncil.org/certification/ec-
council_certified_secure_programmer.aspx.
[40] OWASP Top 10 Most Critical Web Application Security
Vulnerabilities. (2007). Retrieved 08/10, 2011, from
http://www.owasp.org/images/1/14/OWASP_Top_10_090708.ppt.
[41] June 2011 Web Server Survey, (2011-06-07), Retrieved 02/18, 2011,
from http://news.netcraft.com/archives/2011/06/07/june-2011-web-
server-survey.html.
[42] W. O. Chee, T. Brennan. OWASP AppSec DC 2010. (2010-11-11),
Retrieved 02/18, 2011, from
https://www.owasp.org/images/4/43/Layer_7_DDOS.pdf.
[43] ModSecurity: Open Source Web Application Firewall, (2011), Retrieved
02/18, 2011, from http://www.modsecurity.org.
[44] OSSIM the Open Source Security Information Management, (2011),
Retrieved 02/18, 2011, from http://www.ossim.net.
[45] Open Source Syslog Server , (2011), Retrieved 02/18, 2011, from
http://www.balabit.com/network-security/syslog-ng/opensource-
logging-system.
[46] P. Congdon, B. Aboba, A. Smith, G. Zorn, J. Roese, "IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines", IETF RFC 3580, September 2003.