CIT 470: Advanced Network and System Administration
Security
Slide #1

Topics
1. Risk Management
2. Security Policies
3. OS Hardening
4. Authentication
5. PAM
6. Passwords
7. Incident Response

Risk Management
Risk is the relationship between your assets, the vulnerabilities characteristic of those assets, and the threats (attackers) who wish to access or modify those assets.

Assets
1. Login account.
2. Network bandwidth.
3. Disk space.
4. Data.
5. Reputation.

Security Goals
Data confidentiality
– Customer account data (credit cards, identity)
– Trade secrets
– Administrative data (passwords, configuration)
Data integrity
– Administrative data
– Software downloads (patches, free tools)
– Web pages

Security Goals
System integrity
– System binaries
– Kernel
System/network availability
– Network bandwidth
– Network services (auth, file, mail, print)
– Disk space

Threats
Financial motives
– Identity theft
– Phishing
– Spam
– Extortion
– Botnets
Political motives
– Danish sites hacked after Mohammed cartoons.
Personal motives
– Just for fun.
– Insider revenge.

Vulnerabilities
1. Bad/default passwords.
2. Unused services with open ports.
3. Unpatched software vulnerabilities.
4. Transmitting confidential data in cleartext.
5. Open modems or wireless networks.
6. Physical access to critical systems.
7. Uneducated users.

Attack Trees
Defense Types
Perimeter Security
– Firewall off network to prevent intrusions.
– What about wireless?
– What about mobile computing?
Defense in Depth
– Secure systems at all levels:
• Network perimeter (firewall)
• Intrusion detection
• System hardening
Defenses
Vulnerability mitigation
– Use secure authentication systems.
– Deploy software in a secure configuration.
– Patch security flaws quickly.
Attack mitigation
– Firewalls to prevent network attacks.
– IDS to detect attacks.
– Virus/spyware scanners.

Security Policies
User Level Policies (users must sign these before receiving resources):
1. Acceptable Use Policy
2. Monitoring and Privacy Policy
3. Remote Access Policy
Business Level Policies:
1. Network Connectivity Policy
2. Log Retention Policy

OS Hardening
1. Secure the physical system.
2. Install only necessary software.
3. Keep security patches up to date.
4. Delete or disable unnecessary user accounts.
5. Use secure passwords.
6. Disable remote access except where necessary.
7. Use sudo instead of su.
8. Run publicly accessible services in a jail.
9. Check logs regularly.
10. Configure a firewall on each host.
11. Run a security scanner to check security.
12. Document the security configuration.

Secure the physical system
1. Place servers in a physically secure location.
2. Physically secure the case.
3. Place ID tags on all hardware.
4. Password protect the BIOS.
5. Disable booting from removable media.

Install only Necessary Software
Put different services on different hosts.
– A compromise in ftp shouldn't compromise mail.
– Improves reliability and maintainability too.
Common unnecessary packages on servers:
– X Window System (X11)
– Software development tools (gcc, gdb, etc.)

Security Patches
Subscribe to the vendor's security patch list.
– Or know the vendor's update schedule.
– MS Windows updates on the 2nd Tuesday of the month.
Update a test host first: yum update
– Patches can sometimes break services.
Update the other hosts after that.
– May need to schedule downtime if a reboot is required.

Jails
Complete isolation: virtual machines.
Partial isolation: chroot
chroot /var/httpd httpd
– Runs httpd with /var/httpd as its root directory, so the process cannot name files outside it.
– A chroot is not a security boundary for a process running as root: the service must drop privileges inside the jail.
chroot filesystem needs:
/var/httpd/etc: limited /etc/{passwd,shadow,group}
/var/httpd/usr/lib: shared libraries
/var/httpd/bin: extra binaries
/var/httpd/var/log: log space
/var/httpd/tmp: temporary space

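The directory layout above, as a script that populates it. This is an added example, not from the slides: it copies one service binary into JAIL/bin and the shared libraries ldd reports into the matching paths under JAIL, creates the etc, usr/lib, var/log and tmp directories from the list, and writes a two-line passwd/group instead of copying the host's files. The jail path and binary are the caller's choice; it assumes a Linux host with coreutils and ldd, and it does not itself run chroot or drop privileges.

```shell
#!/bin/sh
# Added example (not from the slides): populate a minimal chroot for one
# service binary by copying it plus the shared libraries ldd reports.
# Assumes a Linux host with coreutils and ldd.

# List the shared libraries a dynamically linked binary needs.
# Caveat: some ldd implementations run the binary to discover its
# dependencies, so only point this at binaries you already trust.
jail_libs() {
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\//   { print $3 }   # libc.so.6 => /lib/... (0x...)
        $1 ~ /^\// && $2 ~ /^\(0x/ { print $1 }   # /lib64/ld-linux-x86-64.so.2 (0x...)
    '
}

# populate_chroot JAIL BINARY
# Creates the directory skeleton from the slide, copies BINARY into
# JAIL/bin and every library it needs into the matching path under JAIL.
populate_chroot() {
    jail=$1 bin=$2
    for d in etc bin usr/lib var/log tmp; do
        mkdir -p "$jail/$d"
    done
    chmod 1777 "$jail/tmp"                    # sticky /tmp, like the real one
    cp "$bin" "$jail/bin/"
    chmod 0755 "$jail/bin/$(basename "$bin")"
    jail_libs "$bin" | while read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        cp "$lib" "$jail$lib"
    done
    # A minimal passwd/group so the service can resolve its own uid/gid.
    # Never copy the host's /etc/shadow into a jail.
    printf 'root:x:0:0:root:/:/bin/false\nnobody:x:65534:65534:nobody:/:/bin/false\n' > "$jail/etc/passwd"
    printf 'root:x:0:\nnogroup:x:65534:\n' > "$jail/etc/group"
}

# Demo: build a throwaway jail for /bin/sh and list what went into it.
if [ "${1:-}" = "demo" ]; then
    j=$(mktemp -d)
    populate_chroot "$j" /bin/sh
    find "$j" -type f | sed "s|^$j||"
    rm -rf "$j"
fi
```

Run it as `sh jail.sh demo` to see the files a shell alone drags in; a real service also needs its config and any NSS or locale files it opens at run time, which strace will show you.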
Check Logs
Review logs every morning.
Better yet, have a program scan them:
– logwatch
– swatch
Send logs to a central server for
– security: an attacker can't hide their tracks by deleting the local logs
– ease of use: you can read all logs in one place

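What a logwatch or swatch rule actually does, as an added example (not part of the slides): a few awk filters over constructed sshd and sudo syslog lines that count failed password attempts per source address, flag addresses over a threshold, list root logins accepted over the network and summarise sudo use. The log lines are made up for the example; the formats follow OpenSSH's and sudo's standard syslog messages.

```shell
#!/bin/sh
# Added example (not from the slides): the kind of check logwatch/swatch
# automate, as a small scanner over sshd/sudo syslog lines.

# Constructed sample of /var/log/secure (RHEL) or /var/log/auth.log (Debian).
sample_auth_log() {
    cat <<'EOF'
Mar  3 02:14:07 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 02:14:09 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 02:14:12 web1 sshd[2235]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 02:15:01 web1 sshd[2240]: Accepted publickey for alice from 198.51.100.20 port 40110 ssh2
Mar  3 02:16:44 web1 sshd[2250]: Failed password for bob from 198.51.100.20 port 40120 ssh2
Mar  3 02:17:02 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart httpd
Mar  3 02:18:30 web1 sshd[2260]: Accepted password for root from 203.0.113.7 port 51044 ssh2
EOF
}

# Count failed SSH password attempts per source IP, most active first.
# Output: "<count> <ip>" per line.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
         }
         END { for (ip in fails) print fails[ip], ip }' | sort -k1,1nr -k2,2
}

# Print IPs whose failure count reaches THRESHOLD (a brute-force indicator).
brute_force_sources() {
    failed_logins_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Root logins over the network are what PermitRootLogin=no should prevent;
# any "Accepted ... for root" line is worth an alert on its own.
root_logins() {
    awk '/sshd\[[0-9]+\]: Accepted [a-z]+ for root from/ {
             for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
         }'
}

# Summarise sudo use: who ran what as root.
sudo_commands() {
    awk '/ sudo: / { user = $6; sub(/.*COMMAND=/, ""); print user, $0 }'
}

if [ "${1:-}" = "demo" ]; then
    echo "failed logins by source:";  sample_auth_log | failed_logins_by_ip
    echo "brute-force sources (>=3):"; sample_auth_log | brute_force_sources 3
    echo "root logins accepted:";     sample_auth_log | root_logins
    echo "sudo commands:";            sample_auth_log | sudo_commands
fi
```

In production the functions read the real file (`failed_logins_by_ip < /var/log/secure`) or, better, the central syslog server's copy, so that an attacker who wipes the local log does not also wipe the evidence.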
Security Scanning
Scan host security
– Run bastille on the host.
Scan network security
– Scan for open ports with nmap.
– Scan for vulnerabilities with nessus.

Intrusion Detection
Host-based intrusion detection
– Check if system files are modified.
– Check for config / process modifications.
– Tools: tripwire, osiris, samhain
Network-based intrusion detection
– NIDS = Sniffer + traffic analysis + alert system.
– Check for suspicious activities: port scans, etc.
– Check for attack signatures: worms, etc.
– Tools: snort (AirSnort, despite the name, is a WEP key-recovery tool, not a NIDS)

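The file-modification check at the heart of tripwire, osiris and samhain, as an added example that is not from the slides or from any of those tools: a baseline of SHA-256 hashes is taken once, then compared against the live tree to report modified, missing and newly added files. It assumes GNU coreutils (sha256sum, find) and skips paths containing whitespace.

```shell
#!/bin/sh
# Added example (not from the slides): baseline-and-compare file integrity
# monitoring, the core of a host-based IDS. Assumes GNU coreutils; paths
# containing whitespace are not handled.

# fim_baseline DIR MANIFEST  - record the sha256 of every file under DIR.
# Store MANIFEST off-host or on read-only media: an attacker who can
# rewrite the baseline can hide any change.
fim_baseline() {
    find "$1" -type f -exec sha256sum {} + | sort -k2 > "$2"
}

# fim_check MANIFEST DIR - report MODIFIED, MISSING and NEW files.
# Returns 0 when the tree matches the baseline, 1 otherwise.
fim_check() {
    manifest=$1 dir=$2
    findings=$(
        # Re-hash every recorded file; absent or changed ones are findings.
        while read -r hash path; do
            if [ ! -f "$path" ]; then
                echo "MISSING $path"
            elif [ "$(sha256sum "$path" | awk '{ print $1 }')" != "$hash" ]; then
                echo "MODIFIED $path"
            fi
        done < "$manifest"
        # Anything on disk the baseline never saw (a dropped binary, a new
        # .rhosts, an extra cron job) is a finding too.
        find "$dir" -type f | while read -r f; do
            awk -v f="$f" '$2 == f { found = 1 } END { exit !found }' "$manifest" \
                || echo "NEW $f"
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Demo: baseline a scratch tree, tamper with it, and check.
if [ "${1:-}" = "demo" ]; then
    root=$(mktemp -d); mf=$(mktemp)
    mkdir -p "$root/etc" "$root/bin"
    printf 'root:x:0:0::/root:/bin/sh\n' > "$root/etc/passwd"
    printf 'legit\n' > "$root/bin/ls"
    fim_baseline "$root" "$mf"
    printf 'eve:x:0:0::/tmp:/bin/sh\n' >> "$root/etc/passwd"   # second uid-0 account
    printf 'evil\n' > "$root/bin/.hidden"                      # dropped file
    rm "$root/bin/ls"                                          # removed file
    fim_check "$mf" "$root" || echo "integrity check FAILED"
    rm -rf "$root" "$mf"
fi
```

Real tools add what this omits: ownership, mode and mtime in the baseline, a signed manifest, and an exclusion list for files that legitimately change (logs, spool directories), which is where most false positives come from.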
Security Auditing
Internal and External Audits
– Internal: by a group within the organization.
– External: by a group external to the organization.
Audit areas
– Check compliance with security policy.
– Check physical security of building, data center.
– Check that machines have up to date patches.
– Scan networks to verify hosts + services.
– Penetration testing.

Authentication
Binding of an identity to a subject
Based on:
1. What the entity knows (e.g., passwords)
2. What the entity has (e.g., access card)
3. What the entity is (e.g., fingerprints)
4. Where the entity is (e.g., local terminal)
Two-factor authentication: requiring two of these from different categories (e.g., a password and a token).

Purpose of Authentication
Access Control
– Most systems base access rights on identity of
principal executing the process.
Accountability
– Logging and auditing functions.
– Need to track identity across account/role
changes (e.g., su, sudo).
Access Control Matrix
Groups (rows) and resources (columns). Cells are given as extracted; the column alignment of the partially filled rows was lost in transcription.

Group                  | Dev RE Fin Res HR Ops Inf Sec
Developers             | W R R
Release Engineers      | R W R
Finance                | W
Human Resources        | R R
Operations             | R W R W
System Administration  | A A A A A A A
Security               | A A A A A A A A

Dev = developer, RE = release engineering, Fin = finance, Res = corporate resource (intranet), HR = human resources, Ops = operations, Inf = infrastructure (mail/auth servers, etc.), Sec = security (firewalls, IDS)
A = administrative access, R = read, W = write

Single-sign on
Login once to access all computing resources
– UNIX
– Windows
– Web Applications
– Databases
– Remote access
Difficult to achieve in practice.
Kerberos (Active Directory)

PAM
Problem:
– Many programs require authentication.
  Ex: ftp, rlogin, ssh, etc.
– New auth schemes require rewrites.
  Ex: longer passwords, keys, one-time passwords
Solution:
– Separate authentication from programs.
– Use Pluggable Authentication Modules for auth.
– Programs choose PAMs to use at runtime by reading config files.

PAM Configuration
Configured under /etc/pam.d
– Each PAM-aware service has a file there.
Format: <module interface> <control flag> <module name> <module arguments>
– Module interface: one of 4 module types.
– Control flag: how the module will react to failure or success (multiple successes may be required.)
– Module name: PAM shared library.
– Module args: Files to use, other options.

Module Interfaces
auth — Authenticates use of service. For
example, it may request and verify a
password.
account — Verifies that access is permitted,
e.g. check for expired accounts or
location/time.
password — Sets and verifies passwords.
session — Configures and manages user
sessions, e.g. mounting user home directories
or mailboxes.
Module Stacking Example
rlogin PAM requirements:
– The file /etc/nologin must not be present.
– Root may not log in over the network (securetty).
– Environment variables may be loaded.
– A ~/.rhosts entry allows login without a password.
– Otherwise perform a standard password login.
PAM config file (/etc/pam.d/rlogin):
auth       required     pam_nologin.so
auth       required     pam_securetty.so
auth       required     pam_env.so
auth       sufficient   pam_rhosts_auth.so
auth       required     pam_stack.so service=system-auth
pam_stack.so is the legacy Red Hat way of pulling in the shared system-auth stack; current Linux-PAM uses "auth include system-auth" instead. Trusting ~/.rhosts means trusting the remote host name or IP address, so treat this stack as a historical example rather than a recommendation.

Control Flags
required — Module result must be successful for
authentication to continue. User is not notified on failure
until results on all modules referencing that interface are
available.
requisite — Module result must be successful for
authentication to continue. User is notified immediately
with a message reflecting the first failed required or
requisite module.
sufficient — Module result ignored if it fails. If a sufficient
flagged module result is successful and no required flagged
modules above it have failed, then no other results are
required and the user is authenticated to the service.
optional — Module result is ignored. Only necessary for
successful authentication when no other modules reference
the interface.
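The control-flag rules above are easy to misread, so here is an added example (not from the slides) that simulates them: a small awk program takes a module stack with an assumed outcome per module and reports the verdict Linux-PAM would reach. The three wrapper functions replay the rlogin stack from the Module Stacking slide under different conditions; the per-module outcomes are chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the slides): a simulator for PAM control-flag
# semantics. Input is one line per stacked module, "<flag> <module> <ok|fail>",
# in stack order; the module outcomes are whatever you choose to simulate.

pam_eval() {
    awk '
        /^#/ || NF < 3 { next }
        done           { next }   # verdict already fixed: remaining modules are skipped
        {
            flag = $1; mod = $2; res = $3
            if (flag == "optional") { opt_seen = 1; opt_last = res; next }
            nonopt++
            if (flag == "requisite" && res == "fail") {
                # requisite: stop at once and tell the user
                verdict = "FAIL: requisite " mod " failed"; done = 1; next
            }
            if (flag == "required" && res == "fail") {
                # required: remember the failure but keep running the stack,
                # so the user cannot tell which module rejected them
                if (!req_failed) first_fail = mod
                req_failed = 1; next
            }
            if (flag == "sufficient" && res == "ok" && !req_failed) {
                # sufficient: success ends the stack, unless a required
                # module above it has already failed
                verdict = "PASS: sufficient " mod " succeeded"; done = 1; next
            }
            # sufficient+fail, required+ok, requisite+ok: fall through
        }
        END {
            if (!done) {
                if (req_failed)
                    verdict = "FAIL: required " first_fail " failed"
                else if (nonopt == 0 && opt_seen)
                    verdict = (opt_last == "ok") ? "PASS" : "FAIL: optional module failed"
                else
                    verdict = "PASS"
            }
            print verdict
        }'
}

# The rlogin stack from the slide with /etc/nologin present: the first
# required module fails, the later sufficient pam_rhosts_auth success is
# ignored, and the user is only told at the end.
rlogin_with_nologin() {
    pam_eval <<'EOF'
required   pam_nologin.so     fail
required   pam_securetty.so   ok
required   pam_env.so         ok
sufficient pam_rhosts_auth.so ok
required   pam_stack.so       ok
EOF
}

# Same stack, no nologin file, a matching ~/.rhosts entry: pam_rhosts_auth
# is sufficient, so pam_stack (the password prompt) never runs.
rlogin_with_rhosts() {
    pam_eval <<'EOF'
required   pam_nologin.so     ok
required   pam_securetty.so   ok
required   pam_env.so         ok
sufficient pam_rhosts_auth.so ok
required   pam_stack.so       ok
EOF
}

# No .rhosts entry and a wrong password: every module ran, the required
# password check failed.
rlogin_bad_password() {
    pam_eval <<'EOF'
required   pam_nologin.so     ok
required   pam_securetty.so   ok
required   pam_env.so         ok
sufficient pam_rhosts_auth.so fail
required   pam_stack.so       fail
EOF
}

if [ "${1:-}" = "demo" ]; then
    rlogin_with_nologin; rlogin_with_rhosts; rlogin_bad_password
fi
```

The second scenario is the one to notice when reviewing a stack: a `sufficient` module that succeeds short-circuits everything below it, so a module placed after it (a lockout counter, a second factor) will silently never run.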
PAM Files
/etc/pam.d: PAM configuration files.
/lib/libpam.so: Main PAM library.
– Reads configuration files.
– Loads other PAM modules.
/lib/security: Pluggable modules (/lib64/security or /usr/lib/<arch>/security on newer distributions).
/usr/share/doc/*pam*: Documentation.

Use Secure Passwords
Attacks against Passwords
– Password sniffing
– Password guessing via login
– Password cracking
Defences
– Do not transfer passwords over the network.
– Secure /etc/{passwd,shadow}
– Configure password quality/aging rules.
– Test your passwords by cracking them.

Password Quality
Use pam_cracklib.so in system-auth (newer Red Hat releases ship pam_pwquality.so, which accepts the same options).
Options
retry=#: Maximum # of retries before passwd gives up.
minlen=#: Minimum password score: length plus any credits.
lcredit=#: Credit for lower case letters. A value N >= 0 adds up to N points to the score; a negative value -N instead requires at least N lower case letters and adds nothing.
ucredit=#: Same for upper case letters.
dcredit=#: Same for digits.
ocredit=#: Same for other characters.
To require at least one digit write dcredit=-1; dcredit=1 only grants a credit and does not require a digit at all.

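The credit arithmetic, as an added example (not from the slides or from pam_cracklib itself): a shell function that scores a candidate password the way minlen and the four *credit options do, so you can predict whether a given policy line will accept it. It models only the length/credit rule, not the dictionary, palindrome and similarity checks pam_cracklib also runs, and assumes ASCII passwords.

```shell
#!/bin/sh
# Added example (not from the slides): the scoring rule behind pam_cracklib's
# minlen and *credit options. Only the length/credit rule is modelled; the
# dictionary and similarity checks are not. Assumes ASCII passwords.

# Number of characters of PASSWORD ($1) that fall in the tr class CLASS ($2).
count_class() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# pw_check PASSWORD MINLEN LCREDIT UCREDIT DCREDIT OCREDIT
# A credit N >= 0 adds up to N points to the length for that character
# class; N < 0 instead *requires* at least -N characters of the class and
# adds nothing. The password passes when length + credits >= MINLEN.
# Prints "ok" or the reason for rejection; returns 1 on rejection.
pw_check() {
    pw=$1 minlen=$2
    len=${#pw}
    lower=$(count_class "$pw" 'a-z')
    upper=$(count_class "$pw" 'A-Z')
    digit=$(count_class "$pw" '0-9')
    other=$((len - lower - upper - digit))
    score=$len
    for spec in "lower:$lower:$3" "upper:$upper:$4" "digit:$digit:$5" "other:$other:$6"; do
        name=${spec%%:*}; rest=${spec#*:}
        have=${rest%%:*}; credit=${rest#*:}
        if [ "$credit" -lt 0 ]; then
            [ "$have" -ge $(( -credit )) ] || { echo "need at least $(( -credit )) $name"; return 1; }
        elif [ "$have" -lt "$credit" ]; then
            score=$(( score + have ))
        else
            score=$(( score + credit ))
        fi
    done
    [ "$score" -ge "$minlen" ] || { echo "too short: score $score < minlen $minlen"; return 1; }
    echo ok
}

if [ "${1:-}" = "demo" ]; then
    # minlen=12 with the default credit of 1 per class: 9 mixed characters pass
    pw_check Tr0ub4dor 12 1 1 1 1
    # same password, credits disabled: the real length must reach 12
    pw_check Tr0ub4dor 12 0 0 0 0
    # negative credits as requirements: no upper case letter, rejected
    pw_check correcthorse 12 -1 -1 0 0
fi
```

The first demo line is the classic surprise: with the default credits a 9-character password satisfies minlen=12, which is why policies that mean "12 characters" set the credits to 0 or negative.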
Password Aging
Configure /etc/login.defs before creating accounts (it only affects accounts created afterwards; use chage -M/-m/-W for existing ones).
PASS_MAX_DAYS: Max # of days before the password expires.
PASS_MIN_DAYS: Min # of days before the user can change the password.
PASS_WARN_AGE: # of days of notice before a password change is required.
Also configure /etc/default/useradd
INACTIVE: # of days after password expiration that the account is disabled.
EXPIRE: Account expiration date in format YYYY-MM-DD.
Remember old passwords with pam_unix.so
– Prevents users from changing the password back to an old value.
– Modify /etc/pam.d/system-auth: set the pam_unix.so option remember=26 on the password line.
– Create /etc/security/opasswd (mode 0600, owned by root) to store the old password hashes.

One-Time Passwords
A password that's invalidated once used.
– Challenge: number of the auth attempt
– Response: one-time password
Problems
– Generation of one-time passwords
  • Use a hash or cryptographic function
– Synchronization of the user and the system
  • Number or timestamp passwords

Biometrics
Identify by physical characteristics
– Fingerprint
– Iris scan
Unique identifiers, but:
– Not secrets.
– Can't be changed at will.
A tradeoff always exists between false acceptances and false rejections.
Possible outcomes:
1. Correct person accepted
2. Imposter rejected
3. Correct person rejected (False Rejection)
4. Imposter accepted (False Acceptance)

Disable Unnecessary Accounts
/etc/passwd contains application accounts.
Delete unnecessary application accounts.
– Common examples: uucp, games, gdm, xfs, rpcuser, rpc
All remaining application accounts should have locked passwords (a hash field starting with ! or *).
– Set the shell to /sbin/nologin, /bin/noshell or /bin/false.
Disable user accounts immediately on termination of employment.

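A check for accounts that were supposed to be disabled, as an added example (not from the slides): it reads copies of passwd and shadow and reports system accounts (UID 1..999, i.e. below the usual UID_MIN of 1000) that still have an interactive shell, an unlocked hash, or an empty password field. The sample files are constructed; run it on real copies by passing their paths.

```shell
#!/bin/sh
# Added example (not from the slides): find application/system accounts that
# are still usable for login. Assumes the usual 7-field passwd and 9-field
# shadow layouts and that UIDs below 1000 are system accounts (UID_MIN).

# account_audit PASSWD SHADOW - one line per finding; returns 1 if any.
account_audit() {
    awk -F: '
        # First file (shadow): remember each account'"'"'s password hash field.
        NR == FNR { hash[$1] = $2; next }
        # Second file (passwd): system accounts other than root (UID 1..999).
        $3 > 0 && $3 < 1000 {
            name = $1; shell = $7; h = hash[name]
            if (shell !~ /(nologin|false|noshell)$/) {
                print name ": system account with login shell " shell; n++
            }
            # An empty hash (or no shadow entry at all) means no password is asked for.
            if (h == "") {
                print name ": empty password field (no password required)"; n++
            } else if (h !~ /^[!*]/) {
                print name ": password is not locked"; n++
            }
        }
        END { exit n > 0 }
    ' "$2" "$1"
}

# Constructed sample files (not from a real host).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
games:x:12:100:games:/usr/games:/bin/bash
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
}

sample_shadow() {
    cat <<'EOF'
root:$6$salt$hashofroot:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
uucp::19000:0:99999:7:::
games:$1$old$hashofgames:19000:0:99999:7:::
rpcuser:!!:19000:0:99999:7:::
alice:$6$salt$hashofalice:19000:0:99999:7:::
EOF
}

if [ "${1:-}" = "demo" ]; then
    p=$(mktemp); s=$(mktemp)
    sample_passwd > "$p"; sample_shadow > "$s"
    account_audit "$p" "$s" || echo "(fix with: usermod -L -s /sbin/nologin <name>, or userdel)"
    rm -f "$p" "$s"
fi
```

On the sample, bin and rpcuser are correctly locked and shell-less, uucp has an empty password field (the worst case: login with no password at all), and games is both unlocked and has a shell.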
Disabling Remote Access
Disable cleartext protocols
– telnet, ftp, rsh, rlogin
Disable root access via ssh.
– Set PermitRootLogin to "no" in sshd_config
Remove root non-terminal consoles
– Set in /etc/securetty
Disable password access via ssh
– Set PasswordAuthentication to "no" in sshd_config; use keys instead.

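A checker for the sshd_config settings this slide asks for, as an added example (not from the slides or from OpenSSH): it reads a config file, applies sshd's first-occurrence-wins rule, and reports PermitRootLogin and PasswordAuthentication not set to no, plus SSH-1 if a Protocol line enables it. Match blocks are ignored; the weak and hardened sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the slides): audit an sshd_config for the settings
# this slide asks for. Only the main (pre-Match) section is considered; sshd
# honours the first occurrence of a keyword, which is mirrored here.

# sshd_audit FILE - print one WEAK line per finding; return 1 if any.
sshd_audit() {
    awk '
        function check(key, want, name) {
            if (!(key in seen)) { print "WEAK " name " not set (OpenSSH default applies)"; return 1 }
            if (seen[key] != want) { print "WEAK " name " " seen[key]; return 1 }
            return 0
        }
        /^[[:space:]]*#/ || NF < 2 { next }       # comments and blank lines
        tolower($1) == "match"     { exit }       # stop at the first Match block (END still runs)
        {
            key = tolower($1)
            if (!(key in seen)) seen[key] = tolower($2)   # first occurrence wins
        }
        END {
            n  = check("permitrootlogin",        "no", "PermitRootLogin")
            n += check("passwordauthentication", "no", "PasswordAuthentication")
            if (("protocol" in seen) && seen["protocol"] ~ /1/) {
                print "WEAK Protocol " seen["protocol"] " (SSH-1 enabled)"; n++
            }
            exit n > 0
        }' "$1"
}

# Constructed "before" config: root logins and passwords allowed.
weak_config() {
    printf 'Port 22\nProtocol 2\nPermitRootLogin yes\nPasswordAuthentication yes\n'
}

# Constructed "after" config: keys only, no root over the network.
hardened_config() {
    printf 'Port 22\nProtocol 2\nPermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n'
}

if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    weak_config > "$f";     sshd_audit "$f" || echo "(needs hardening)"
    hardened_config > "$f"; sshd_audit "$f" && echo "(hardened config: no findings)"
    rm -f "$f"
fi
```

Before disabling PasswordAuthentication on a remote host, confirm from a second session that key login works; `sshd -T` prints the effective configuration sshd will actually use, including defaults, and is the authoritative source for an audit.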
sudo
Log in as root only for single-user mode.
Use sudo instead of su.
– sudo <command>
– Grant rights in /etc/sudoers, editing it only with visudo (which checks the syntax before saving).
Advantages:
– Uses the user's own password instead of root's password.
– Logs who executed what commands as root.
– Can delegate limited powers to some users.

What is an Incident?
Violation of security policy:
– Unauthorized access of information
– Unauthorized access to machines
– Embezzlement
– Virus or worm attack
– Denial of service attacks
– Email spam or harassment

Incident Response Goals
1. Determine if a security breach occurred.
2. Contain the intrusion to prevent further damage.
3. Recover systems and data.
4. Prevent future intrusions of the same kind.
5. Investigate and/or prosecute the intrusion.
6. Prevent public knowledge of the incident.

Incident Response
Phases to restore the system to satisfy the site security policy:
1. Preparation for attack (before attack detected)
2. Identification of attack
3. Containment of attack (confinement)
4. Damage assessment
5. Preserve evidence (if necessary)
6. Eradication of attack (stop attack)
7. Recovery from attack (restore system to secure state)
8. Follow-up to attack (analysis and other actions)
