Thursday, 19 April 2018

Firewall and its types

A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.
Firewalls have been a first line of defense in network security for over 25 years. They establish a barrier between secured and controlled internal networks that can be trusted and untrusted outside networks, such as the Internet. 
A firewall can be hardware, software, or both.

Types of firewalls

Proxy firewall

An early type of firewall device, a proxy firewall serves as the gateway from one network to another for a specific application. Proxy servers can provide additional functionality such as content caching and security by preventing direct connections from outside the network. However, this also may impact throughput capabilities and the applications they can support.

Stateful inspection firewall

Now thought of as a “traditional” firewall, a stateful inspection firewall allows or blocks traffic based on state, port, and protocol. It monitors all activity from the opening of a connection until it is closed. Filtering decisions are made based on both administrator-defined rules as well as context, which refers to using information from previous connections and packets belonging to the same connection.
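As an added example (not from the original post), the following Python model shows what the "context" described above buys you: the rule set is consulted only when a new connection is opened, and every later packet of that flow, including the replies arriving from the untrusted side, is allowed because of the entry in the connection table rather than because of a rule. The addresses, rule set and packet sequence are constructed; the code is a simulation of the idea, not a description of any vendor's implementation.

```python
"""Toy stateful packet filter: administrator rules plus a connection table.
Added example, not part of the original post. The rule set, addresses and
packets below are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str            # "tcp" or "udp"
    direction: str        # "in" = from the untrusted side, "out" = from the trusted side
    syn: bool = False     # TCP SYN: a request to open a new connection
    fin: bool = False     # TCP FIN: the connection is being closed


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    dst_port: Optional[int]   # None matches any destination port
    action: str               # "allow" or "deny"


class StatefulFirewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.connections: Set[Tuple] = set()   # flows that were allowed when opened

    @staticmethod
    def flow_key(p: Packet) -> Tuple:
        # Both directions of one flow must map to the same key, so order the endpoints
        ends = sorted([(p.src_ip, p.src_port), (p.dst_ip, p.dst_port)])
        return (p.proto, ends[0], ends[1])

    def filter(self, p: Packet) -> str:
        key = self.flow_key(p)
        if key in self.connections:
            # Context: this packet belongs to a connection already accepted,
            # so the reply direction is allowed without consulting a rule.
            if p.fin:
                self.connections.discard(key)
            return "allow"
        if p.proto == "tcp" and not p.syn:
            # A non-SYN TCP segment with no connection state is a stray or a probe
            return "deny"
        for r in self.rules:          # first matching rule wins
            if (r.direction == p.direction and r.proto == p.proto
                    and r.dst_port in (None, p.dst_port)):
                if r.action == "allow":
                    self.connections.add(key)
                return r.action
        return "deny"                 # implicit default deny


def demo() -> List[str]:
    """Run a constructed packet sequence through the filter and return the decisions."""
    fw = StatefulFirewall([
        Rule("out", "tcp", None, "allow"),   # trusted hosts may open any outbound TCP connection
        Rule("in", "tcp", 80, "allow"),      # the internal web server on port 80 is reachable
    ])
    pkts = [
        Packet("10.0.0.5", 51000, "93.184.216.34", 443, "tcp", "out", syn=True),  # client opens HTTPS
        Packet("93.184.216.34", 443, "10.0.0.5", 51000, "tcp", "in"),            # server's reply
        Packet("203.0.113.9", 4444, "10.0.0.5", 22, "tcp", "in", syn=True),       # unsolicited SSH
        Packet("203.0.113.9", 5555, "10.0.0.7", 80, "tcp", "in", syn=True),       # visitor to web server
        Packet("203.0.113.9", 6666, "10.0.0.5", 3389, "tcp", "in"),              # stray ACK, no state
        Packet("93.184.216.34", 443, "10.0.0.5", 51000, "tcp", "in", fin=True),  # HTTPS closes
        Packet("93.184.216.34", 443, "10.0.0.5", 51000, "tcp", "in"),            # late packet after close
    ]
    return [fw.filter(p) for p in pkts]
```

Note the decisions a stateless packet filter cannot make: the unsolicited inbound connection to port 22 and the stray ACK to port 3389 are dropped because no connection state exists for them, and the late packet after the FIN is dropped because its state has already been removed.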

Unified threat management (UTM) firewall

A UTM device typically combines, in a loosely coupled way, the functions of a stateful inspection firewall with intrusion prevention and antivirus. It may also include additional services and often cloud management. UTMs focus on simplicity and ease of use.

Next-generation firewall (NGFW)

Firewalls have evolved beyond simple packet filtering and stateful inspection. Most companies are deploying next-generation firewalls to block modern threats such as advanced malware and application-layer attacks.
According to Gartner, Inc.’s definition, a next-generation firewall must include:
  • Standard firewall capabilities like stateful inspection
  • Integrated intrusion prevention
  • Application awareness and control to see and block risky apps
  • Upgrade paths to include future information feeds
  • Techniques to address evolving security threats
While these capabilities are increasingly becoming the standard for most companies, NGFWs can do more.

Threat-focused NGFW

These firewalls include all the capabilities of a traditional NGFW and also provide advanced threat detection and remediation. With a threat-focused NGFW you can:
  • Know which assets are most at risk with complete context awareness
  • Quickly react to attacks with intelligent security automation that sets policies and hardens your defenses dynamically
  • Better detect evasive or suspicious activity with network and endpoint event correlation
  • Greatly decrease the time from detection to cleanup with retrospective security that continuously monitors for suspicious activity and behavior even after initial inspection
  • Ease administration and reduce complexity with unified policies that protect across the entire attack continuum

Thursday, 12 April 2018

Web server configuration

What is a Web Server?

A web server is software that listens for requests and returns data (usually a file). When you type “www.mysite.com”, the request is forwarded to a machine running web server software which returns a file back to your browser, e.g. the contents of index.html. The browser might then make further requests based on the HTML content, e.g. CSS, JavaScript, and graphic files.
Since the web server sits between your browser and the requested file, it can perform processing that is not possible by opening an HTML file directly. For example, it can parse PHP code which connects to a database and returns data.
You can use your host's web server for testing, but uploading will become tiresome and changes could go live before they have been fully tested. What you need is a local web server installation.

Why Apache?

In general, I would recommend using the web server software that your web host uses. Unless you are creating ASP.NET applications on Microsoft IIS, your host is likely to use Apache: the most widespread and fully-featured web server available. It is an open-source project, so it costs nothing to download or install.
The following instructions describe how to install Apache on Windows. Mac OSX comes with Apache and PHP, although you might need to enable them. Most Linux users will have Apache pre-installed or available in the base repositories.

All-in-One packages

There are some excellent all-in-one Windows distributions that contain Apache, PHP, MySQL and other applications in a single installation file, e.g. XAMPP (including a Mac version), WampServer and Web.Developer. There is nothing wrong with using these packages, although manually installing Apache will help you learn more about the system and its configuration options.

The Apache Installation Wizard

An excellent official .msi installation wizard is available from the Apache download page. This option is certainly recommended for novice users or perhaps those installing Apache for the first time.

Manual Installation

Manual installation offers several benefits:
  • backing up, reinstalling, or moving the web server can be achieved in seconds
  • you have more control over how and when Apache starts
  • you can install Apache anywhere, such as a portable USB drive (useful for client demonstrations).

Step 1: disable IIS and free port 80

If you have a Professional or Server version of Windows, you may already have IIS installed. If you would prefer Apache, either remove IIS as a Windows component or disable its services.
Apache listens for requests on TCP port 80. The default installation of Skype (at the time of writing) also listens on this port and will cause conflicts. Before installing, check what is already bound to the port from a command prompt with "netstat -ano | findstr :80"; the last column is the PID of the process holding it.

Step 2: download the files

We are going to use the unofficial Windows binary from Apache Lounge. This version has performance and stability improvements over the official Apache distribution, although I have yet to notice a significant difference. It is provided as a manually installable ZIP file from www.apachelounge.com/download/
You should also download and install the Windows C++ runtime from Microsoft.com. You may have this installed already, but there is no harm in installing it again.
As always, virus scan all downloads, and compare any checksum the download page publishes against the file you received before unpacking it.

Step 3: extract the files

We will install Apache in C:\Apache2, so extract the ZIP file to the root of the C: drive.
Apache can be installed anywhere on your system, but you will need to change the configuration file paths accordingly.

Step 4: configure Apache

Apache is configured with the text file conf\httpd.conf contained in the Apache folder. Open it with your favourite text editor.
Note that all file path settings use a '/' forward-slash rather than the Windows backslash. If you installed Apache anywhere other than C:\Apache2, now is a good time to search and replace all references to "c:/Apache2".
There are several lines you should change for your local development environment (the line numbers below refer to the httpd.conf shipped with this build):
Line 46, listen for requests on port 80. "*:80" accepts connections on every network interface, so anything on your LAN can reach the test server; if it only needs to serve your own browser, use 127.0.0.1:80 instead:
Listen *:80
Line 116, enable mod-rewrite by removing the # (optional, but useful):
LoadModule rewrite_module modules/mod_rewrite.so
Line 172, specify the server domain name:
ServerName localhost:80
Line 224, allow .htaccess overrides. This lets any .htaccess file under the web root change server configuration and makes Apache look for one in every directory along each request path, so only enable it if you actually use .htaccess files (for example to test mod_rewrite rules):
AllowOverride All

Step 5: change the web page root (optional)

By default, Apache returns files found in its htdocs folder. I would recommend using a folder on another drive or partition to make backups and re-installation easier. For the purposes of this example, we will create a folder called D:\WebPages and change httpd.conf accordingly:
Line 179, set the root:
DocumentRoot "D:/WebPages"
and line 204:
<Directory "D:/WebPages">

Step 6: test your installation

Your Apache configuration can now be tested. Open a command box (Start > Run > cmd) and enter:

cd \Apache2\bin
httpd -t
Correct any httpd.conf configuration errors and retest until "Syntax OK" is reported.

Step 7: install Apache as a Windows service

The easiest way to start Apache is to add it as a Windows service. From a command prompt (run as Administrator), enter:

cd \Apache2\bin
httpd -k install
Open the Control Panel, Administrative Tools, then Services and double-click Apache2.2. Set the Startup type to "Automatic" to ensure Apache starts every time you boot your PC.
Alternatively, set the Startup type to "Manual" and launch Apache whenever you choose using the command "net start Apache2.2".

Step 8: test the web server

Create a file named index.html in Apache's web page root (either htdocs or D:\WebPages) and add a little HTML code:

<!DOCTYPE html>
<html>
<head><title>testing Apache</title></head>
<body><p>Apache is working!</p></body>
</html>
Ensure Apache has started successfully, open a web browser and enter the address http://localhost/. If all goes well, your test page should appear.
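Two of the httpd.conf settings made above deserve a second look before the machine leaves your desk: Listen *:80 (the server answers on every interface, not only to your own browser) and AllowOverride All (any .htaccess under the web root, including one dropped there by a file upload, becomes live configuration). The following Python script is an added example rather than anything from the original post: it parses a constructed httpd.conf excerpt carrying those directives and reports both, and HARDENED_CONF shows the same excerpt with Listen bound to 127.0.0.1 and overrides disabled, which the audit passes. It understands only the directive and container syntax needed for this check, not the whole httpd.conf grammar.

```python
"""Audit an httpd.conf for settings that are convenient on a laptop but
risky on a shared network. Added example, not part of the original post.
SAMPLE_CONF is a constructed excerpt carrying the directives the post edits;
HARDENED_CONF is the same excerpt with the two settings tightened."""
import re
from typing import Iterator, List, Tuple

SAMPLE_CONF = """\
# constructed excerpt with the values the post sets on httpd.conf lines 46, 172, 179, 204 and 224
Listen *:80
LoadModule rewrite_module modules/mod_rewrite.so
ServerName localhost:80
DocumentRoot "D:/WebPages"
<Directory "D:/WebPages">
    AllowOverride All
</Directory>
"""

HARDENED_CONF = (SAMPLE_CONF.replace("Listen *:80", "Listen 127.0.0.1:80")
                            .replace("AllowOverride All", "AllowOverride None"))


def directives(conf: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (context, name, arguments) for each directive; context is the
    argument of the innermost enclosing container such as <Directory ...>,
    or '' at top level. Comments and blank lines are skipped."""
    stack: List[str] = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):                     # closing container tag
            if stack:
                stack.pop()
            continue
        opening = re.match(r"<\w+\s*(.*?)>$", line)   # opening container tag
        if opening:
            stack.append(opening.group(1).strip('"'))
            continue
        parts = line.split(None, 1)
        yield (stack[-1] if stack else "", parts[0], parts[1].strip() if len(parts) > 1 else "")


def audit(conf: str) -> List[str]:
    """Return one finding per risky directive, or an empty list."""
    findings = []
    for ctx, name, args in directives(conf):
        if name == "Listen":
            # "Listen 80", "Listen *:80" and "Listen 0.0.0.0:80" all bind every interface
            host = args.rsplit(":", 1)[0] if ":" in args else "*"
            if host in ("*", "0.0.0.0", "[::]"):
                findings.append(f"Listen {args}: answers on every network interface; "
                                "use 127.0.0.1:80 if only your own browser needs it")
        elif name == "AllowOverride" and args.lower() != "none":
            findings.append(f"AllowOverride {args} in <Directory {ctx}>: any .htaccess "
                            "under this directory can change server configuration")
    return findings
```

Run audit() against your own conf\httpd.conf after editing it; an empty list means both settings are at their safer values, and each finding names the directive and the <Directory> it sits in.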

How to install and configure IIS on Windows Server 2012 R2

Step one: install the Web Server (IIS) role

Open the Server Manager and click Add Roles and Features. Go on until you reach the Server Roles tab and select Web Server (IIS); when prompted, click Add Features. Ignore the Features tab and go on, clicking Next through the following pages. The default configuration will be fine; click Next, then click Install. Installation completed!

Step two: configure IIS

Go back to the Server Manager and select Internet Information Services (IIS) Manager from the Tools menu. Click Add Website, specify at least the site name and path, and click OK.
Your first site is ready to be accessed.

Tuesday, 10 April 2018

Multipurpose Internet Mail Extensions (MIME) type

The Multipurpose Internet Mail Extensions (MIME) type is a standardized way to indicate the nature and format of a document. It is defined and standardized in IETF RFC 6838. The Internet Assigned Numbers Authority (IANA) is the official body responsible for keeping track of all official MIME types, and you can find the most up-to-date and complete list at the Media Types page.
Browsers often use the MIME type (and not the file extension) to determine how it will process a document; it is therefore important that servers are set up correctly to attach the correct MIME type to the header of the response object.

Syntax

General structure

type/subtype
The structure of a MIME type is very simple; it consists of a type and a subtype, two strings, separated by a '/'. No space is allowed. The type represents the category and can be a discrete or a multipart type. The subtype is specific to each type.
A MIME type is case-insensitive but traditionally is written all in lower case.

Discrete types

text/plain
text/html
image/jpeg
image/png
audio/mpeg
audio/ogg
audio/*
video/mp4
application/*
application/json
application/javascript
application/ecmascript
application/octet-stream
…
Discrete types indicate the category of the document. It is one of the following:
  text         Any document that contains text and is in principle human-readable.
               Typical subtypes: text/plain, text/html, text/css, text/javascript
  image        Any kind of image. Videos are not included, though animated images (such as animated GIF) are described with an image type.
               Typical subtypes: image/gif, image/png, image/jpeg, image/bmp, image/webp
  audio        Any kind of audio file.
               Typical subtypes: audio/midi, audio/mpeg, audio/webm, audio/ogg, audio/wav
  video        Any kind of video file.
               Typical subtypes: video/webm, video/ogg
  application  Any kind of binary data.
               Typical subtypes: application/octet-stream, application/pkcs12, application/vnd.mspowerpoint, application/xhtml+xml, application/xml, application/pdf
For text documents without a specific subtype, text/plain should be used. Similarly, for binary documents without a specific or known subtype, application/octet-stream should be used.

Multipart types

multipart/form-data
multipart/byteranges
Multipart types indicate a category of document that is broken into distinct parts, often with different MIME types; they are a way to represent a composite document. HTTP handles only two of them specially: multipart/form-data, used when an HTML form is submitted with the POST method, and multipart/byteranges, used with the 206 Partial Content status to send only a subset of a whole document. Any other multipart document is simply passed to the browser, which will likely propose a Save As dialog, not knowing how to display the document inline.

Important MIME types for Web developers

application/octet-stream

This is the default value for a binary file. As it really means "unknown binary file", browsers usually don't execute it automatically, or even ask whether it should be executed. They treat it as if the Content-Disposition header were set to attachment and propose a 'Save As' dialog.

text/plain

This is the default value for textual files. Even though it really means "unknown textual file", browsers assume they can display it.
Note that text/plain does not mean "any kind of textual data". If a browser expects a specific kind of textual data, it will not consider text/plain a match. Specifically, if it downloads a text/plain file from a <link> element declaring a stylesheet, it will not recognize it as a valid CSS file. The CSS MIME type text/css must be used.

text/css

Any CSS file that has to be interpreted as such in a Web page must be served as text/css. Servers often do not recognize files with the .css suffix as CSS files and instead send them with the text/plain or application/octet-stream MIME type: in these cases they won't be recognized as CSS by most browsers and will be silently ignored. Special attention has to be paid to serving CSS files with the correct type.

text/html

All HTML content should be served with this type. Alternative MIME types for XHTML (like application/xhtml+xml) are mostly useless nowadays (HTML5 unified these formats).

Images types

Only a handful of image types are widely recognized and considered Web safe, ready for use in a Web page:
  image/gif      GIF images (lossless compression, superseded by PNG)
  image/jpeg     JPEG images
  image/png      PNG images
  image/svg+xml  SVG images (vector images)
There is a discussion to add WebP (image/webp) to this list, but as each new image type will increase the size of a codebase, this may introduce new security problems, so browser vendors are cautious in accepting it.
Other kinds of images can be found in Web documents. For example, many browsers support icon image types for favicons or similar. In particular, ICO images are supported in this context with the image/x-icon MIME type.

Audio and video types

Like images, HTML doesn't define a set of supported types to use with the <audio> and <video> elements, so only a relatively small group of them can be used on the Web. The guide to media formats supported by the HTML audio and video elements explains both the codecs and container formats which can be used.
The MIME type of such files mostly represents the container format, and the most common ones in a Web context are:
  audio/wave, audio/wav, audio/x-wav, audio/x-pn-wav
                   An audio file in the WAVE container format. The PCM audio codec (WAVE codec "1") is often supported, but other codecs have more limited support (if any).
  audio/webm       An audio file in the WebM container format. Vorbis and Opus are the most common audio codecs.
  video/webm       A video file, possibly with audio, in the WebM container format. VP8 and VP9 are the most common video codecs used within it; Vorbis and Opus the most common audio codecs.
  audio/ogg        An audio file in the Ogg container format. Vorbis is the most common audio codec used in such a container.
  video/ogg        A video file, possibly with audio, in the Ogg container format. Theora is the usual video codec used within it; Vorbis is the usual audio codec.
  application/ogg  An audio or video file using the Ogg container format. Theora is the usual video codec used within it; Vorbis is the usual audio codec.

multipart/form-data

The multipart/form-data type can be used when sending the content of a completed HTML form from the browser to the server. As a multipart document format, it consists of different parts delimited by a boundary (a string starting with a double dash '--'). Each part is an entity in itself, with its own HTTP headers: Content-Disposition, and Content-Type for file-upload fields. Content-Length is ignored, as the boundary line is used as the delimiter.
Content-Type: multipart/form-data; boundary=aBoundaryString
(other headers associated with the multipart document as a whole)

--aBoundaryString
Content-Disposition: form-data; name="myFile"; filename="img.jpg"
Content-Type: image/jpeg

(data)
--aBoundaryString
Content-Disposition: form-data; name="myField"

(data)
--aBoundaryString
(more subparts)
--aBoundaryString--

The following form:
<form action="http://localhost:8000/" method="post" enctype="multipart/form-data">
  <input type="text" name="myTextField">
  <label><input type="checkbox" name="myCheckBox"> Check</label>
  <input type="file" name="myFile">
  <button>Send the file</button>
</form>
will send this message:
POST / HTTP/1.1
Host: localhost:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------8721656041911415653955004498
Content-Length: 465

-----------------------------8721656041911415653955004498
Content-Disposition: form-data; name="myTextField"

Test
-----------------------------8721656041911415653955004498
Content-Disposition: form-data; name="myCheckBox"

on
-----------------------------8721656041911415653955004498
Content-Disposition: form-data; name="myFile"; filename="test.txt"
Content-Type: text/plain

Simple file.
-----------------------------8721656041911415653955004498--

multipart/byteranges

The multipart/byteranges MIME type is used in the context of sending partial responses back to the browser. When the 206 Partial Content status code is sent, this MIME type is used to indicate that the document is composed of several parts, one for each of the requested range. Like other multipart types, the Content-Type uses the boundary directive to define the boundary string. Each of the different parts have a Content-Type header with the actual type of the document and a Content-Range with the range they represent.
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Type: multipart/byteranges; boundary=3d6b6a416f9b5
Content-Length: 385

--3d6b6a416f9b5
Content-Type: text/html
Content-Range: bytes 100-200/1270

eta http-equiv="Content-type" content="text/html; charset=utf-8" />
    <meta name="vieport" content
--3d6b6a416f9b5
Content-Type: text/html
Content-Range: bytes 300-400/1270

-color: #f0f0f2;
        margin: 0;
        padding: 0;
        font-family: "Open Sans", "Helvetica
--3d6b6a416f9b5--
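To make both formats concrete, here is an added Python example (not MDN's or the post's code) with one multipart splitter serving both the multipart/form-data POST above and a multipart/byteranges 206 response. FORM_BODY is the POST shown earlier with its filename replaced by "../.htaccess", the kind of value a hostile client can put in Content-Disposition (with the AllowOverride All setting from the Apache post above, a file stored under that name in the web root would become live configuration); RANGE_BODY is a constructed 206 body whose Content-Range headers are consistent with the bytes carried, since the MDN excerpt above is truncated. The "uploads" directory is an assumption. What the explanation alone does not show are the checks a receiver should make: the client-supplied filename is reduced to a safe base name before it is used on disk, and a byteranges part is rejected if its Content-Range is out of bounds or disagrees with the number of bytes it actually carries.

```python
"""One multipart splitter serving both formats HTTP handles specially:
a multipart/form-data upload and a multipart/byteranges partial response.
Added example, not the post's or MDN's code. FORM_BODY is the POST shown
above with its filename replaced by one a hostile client could send;
RANGE_BODY is a constructed 206 body; the "uploads" directory is an assumption."""
import re
from pathlib import PurePosixPath, PureWindowsPath

FORM_BOUNDARY = "---------------------------8721656041911415653955004498"
_FD = b"--" + FORM_BOUNDARY.encode()            # delimiter line = "--" + boundary
FORM_BODY = (
    _FD + b'\r\nContent-Disposition: form-data; name="myTextField"\r\n\r\nTest\r\n'
    + _FD + b'\r\nContent-Disposition: form-data; name="myCheckBox"\r\n\r\non\r\n'
    + _FD + b'\r\nContent-Disposition: form-data; name="myFile"; filename="../.htaccess"\r\n'
            b"Content-Type: text/plain\r\n\r\nSimple file.\r\n"
    + _FD + b"--\r\n"                              # closing delimiter
)
RANGE_BOUNDARY = "3d6b6a416f9b5"
_RD = b"--" + RANGE_BOUNDARY.encode()
RANGE_BODY = (   # constructed: two 10-byte ranges of a 40-byte document
    _RD + b"\r\nContent-Type: text/html\r\nContent-Range: bytes 0-9/40\r\n\r\n<!DOCTYPE \r\n"
    + _RD + b"\r\nContent-Type: text/html\r\nContent-Range: bytes 20-29/40\r\n\r\n<body>ok</\r\n"
    + _RD + b"--\r\n"
)


def split_params(value):
    """'form-data; name="x"; filename="y"' -> ('form-data', {'name': 'x', 'filename': 'y'}).
    Minimal: does not handle quoted ';' or RFC 2231 encoded parameters."""
    main, *params = [p.strip() for p in value.split(";")]
    kv = {}
    for p in params:
        k, _, v = p.partition("=")
        kv[k.strip().lower()] = v.strip().strip('"')
    return main.lower(), kv


def parse_headers(block):
    headers = {}
    for line in block.decode("latin-1").split("\r\n"):
        if line:
            k, _, v = line.partition(":")
            headers[k.strip().lower()] = v.strip()
    return headers


def parse_multipart(body, boundary):
    """Return [(headers, data), ...]; the CRLF before each '--boundary' belongs to the delimiter."""
    parts = []
    for chunk in body.split(b"--" + boundary.encode())[1:]:   # [0] is the preamble
        if chunk.startswith(b"--"):
            break                                            # reached '--boundary--'
        chunk = chunk[2:] if chunk.startswith(b"\r\n") else chunk
        chunk = chunk[:-2] if chunk.endswith(b"\r\n") else chunk
        head, _, data = chunk.partition(b"\r\n\r\n")
        parts.append((parse_headers(head), data))
    return parts


def safe_filename(client_name):
    """filename= is chosen by the client: keep only the last path component (either
    separator), replace odd characters and drop leading dots, so "../.htaccess" is harmless."""
    base = PureWindowsPath(PurePosixPath(client_name).name).name
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    return base or "upload"


def parse_form_data(body, boundary, upload_dir="uploads"):
    """Return ({field: value}, {field: file info}) for a multipart/form-data body."""
    fields, files = {}, {}
    for headers, data in parse_multipart(body, boundary):
        _, disp = split_params(headers.get("content-disposition", ""))
        name = disp.get("name", "")
        if "filename" not in disp:
            fields[name] = data.decode("utf-8")
            continue
        files[name] = {"client_filename": disp["filename"],
                       "stored_as": f"{upload_dir}/{safe_filename(disp['filename'])}",
                       "content_type": headers.get("content-type", "application/octet-stream"),
                       "data": data}
    return fields, files


def parse_byteranges(body, boundary):
    """Return [(first, last, content_type, data), ...], refusing a part whose
    Content-Range is out of bounds or disagrees with the bytes it carries."""
    ranges = []
    for headers, data in parse_multipart(body, boundary):
        m = re.fullmatch(r"bytes (\d+)-(\d+)/(\d+|\*)", headers.get("content-range", ""))
        if not m:
            raise ValueError("byteranges part without a valid Content-Range")
        first, last = int(m.group(1)), int(m.group(2))
        total = None if m.group(3) == "*" else int(m.group(3))
        if last < first or (total is not None and last >= total):
            raise ValueError(f"Content-Range {m.group(0)} is out of bounds")
        if len(data) != last - first + 1:
            raise ValueError(f"part claims {last - first + 1} bytes but carries {len(data)}")
        ranges.append((first, last, headers.get("content-type", ""), data))
    return ranges


def byteranges_ok(body, boundary):
    try:
        parse_byteranges(body, boundary)
        return True
    except ValueError:
        return False
```

The boundary comes from the Content-Type header of the message, not from the body, so a receiver must parse that header first; split_params does that for both Content-Type and Content-Disposition values.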

Importance of setting the correct MIME type

Most web servers send unknown-type resources using the default application/octet-stream MIME type. For security reasons, most browsers do not allow setting a custom default action for such resources, forcing the user to store it to disk to use it. Some commonly seen incorrect server configurations happen with the following file types:
  • RAR-compressed files. In this case, the ideal would be to set the true type of the compressed files; this is often not possible (it may not be known to the server, and these archives may contain several resources of different types). Configure the server to send the application/x-rar-compressed MIME type instead, so that users can define a useful default action for them.
  • Audio and video files. Only resources with the correct MIME Type will be recognized and played in <video> or <audio> elements. Be sure to use the correct type for audio and video.
  • Proprietary file types. Pay particular attention when serving a proprietary file type. Avoid using application/octet-stream as special handling will not be possible: most browsers do not allow defining a default behavior (like "Opening in Word") for this generic MIME type.

Sunday, 8 April 2018

Advantages and Disadvantages of Email

Knowing the advantages and disadvantages of email will help you analyse the time you spend using it.
Learn the pros and cons to decide when and how to use email effectively.

10 Advantages of Email

1. It's free!
Once you’re online, there is no further expense.
2. Easy to reference
Sent and received messages and attachments can be stored safely, logically and reliably.  It's a lot easier to organize emails than paper.
3. Easy to use
Once you’re set up, sending and receiving messages is simple. That goes for a host of other email functions. Data storage and contacts can be accessed quickly and easily.
4. Easy to prioritize
Incoming messages have subject lines that mean you can delete without opening. How much time does that save compared to ‘snail mail?’
5. Speed
Message to send? Done, under a second! Email is as fast a form of written communication as any.
6. Global
Web based email means you can access your messages anywhere online. Going overseas? Before you go, mail yourself a copy of your passport number, travel insurance details or your accommodation details.
7. Good for the planet
Actually the advantages and disadvantages of email are clear here. Computers themselves aren’t 'green', but email offsets some of the damage by reducing the environmental cost of contact.
8. Info at your fingertips
Storing data online means less large, space taking file cabinets, folders and shelves. You can access information far quicker if you learn how to use email this way.
9. Leverage
Send the same message to any number of people. Adaptations are simple, too. If you have a product or service to sell, email is an effective medium to get your message out.
10. Send reminders to yourself
Do you use more than one account? Email yourself messages from work to home or vice versa. Does the idea of two or more accounts seem complicated? It's not if you know how to manage multiple accounts.
Used well, email really is a superb communication and productivity tool.
But you clicked to learn the advantages and disadvantages of email.
Here's the flip side...

10 Disadvantages of Email

1. Emotional responses 
Some emails cause upset or anger. A reply in the heat of the moment can’t be easily retracted, but it can cause lasting damage.
2. Information overload
Too many people send too much information. They cover their backs citing ‘need to know’ as the justification. Learn how to use email effectively and you’ll reduce time wasted on this.
3. Lacking the Personal Touch 
Some things are best left untyped. Email will never beat a hand written card or letter when it comes to relationships.
4. Misunderstandings
Emails from people who don’t take the time to read what they write before clicking ‘send’. Time is wasted, either to clarify or, worse, acting on a misinterpretation of the message.
5. No Respite 
Your email inbox is like a garden; it needs to be constantly maintained. Leave it and it will continue to grow. Ignore it at your peril!
6. Pressure to Reply
Once it's in your inbox, you feel an ever-increasing obligation to act on it. Procrastinating doesn't make it go away. Do it, dump it or delegate it.
7. Spam
Having to deal with spam and spoofs is one of the worst avoidable time wasters online.  Use some anti spam software.
8. Sucks up Your Time
Over-checking messages is common, but it is time wasted on a low-value, passive activity. Better to check once or twice a day.
9. Too Long
How long is too long? It’s hard to say exactly, but the longer it goes on, the harder it is to take in. Email is suited to brevity - keep it short and sweet.
10. Viruses
Malware arriving as an email attachment or link could seriously affect your computer. If you want to know how to use email effectively, it's worth learning how to deal with these.