Template Coporate CS Internet - Asian Institute of Technology
Download
Report
Transcript Template Coporate CS Internet - Asian Institute of Technology
AIT ITServ & Lab Supervisors Meeting
Practical How-To for
System and Network Security
ITServ Plans on Policies and
Services
Alain Fauconnet <[email protected]> #5083
Security Specialist / CISO
March 31st, 2003 Meeting
V 20030331
1
AIT ITServ
Presentation Roadmap
1. Introduction
1.1. Attacks are not only for others
1.2. Potential damage
2. Basic security how-to
2.1.
2.2.
2.3.
2.4.
2
General recommendations
Rule #1: Install and configure carefully
Rule #2: Keep software up-to-date
Rule #3: Servers are not workstations
AIT ITServ
Presentation Roadmap
2.5. Rule #4: Monitor your servers and network
2.6. Rule #5: Do network filtering
3. Useful links and resources
4. ITServ plans
4.1.
4.2.
4.3.
4.4.
Local resources
Support and consulting
Services
Policies
Questions and answers
3
AIT ITServ
1. Introduction
1.1. Attacks are not only for others
• Frequent lack of real concern about security
–
–
–
–
“I have no confidential data”
“I have a so small network, I’m not concerned”
“Hackers/abusers inside. So what? Still works…”
too often: “I have no clue” :-)
• Too many misconceptions
–
–
–
–
4
“Hackers only target (large) (US) businesses”
“I’ve switched to Unix (Linux), so I’m safe”
“I’m protected by AIT global filtering”
“Security is expensive and requires experts”
AIT ITServ
1. Introduction
1.1. Attacks are not only for others
• The facts
– All AIT networks are being scanned by hackers
several times a day, known vulnerabilities are
actively searched
– Your network has been scanned already today!
– Academic networks especially targeted
– Filtering at AIT border can not protect you from all
kind of attacks (there will be more Nimda &
SQLslammer-like)
– Attacks from inside AIT likely (more and more to
come)
– Not only servers open to the Internet exposed
5
AIT ITServ
1. Introduction
1.1. Attacks are not only for others
• The facts (cont.)
– Basic system and network security:
• is simple:
– install and configure properly
– update
– be consistent
• requires just serious, consistent people with fair
IT experience
• blocks 80% (at least) of attacks
• can save you a lot of time, efforts and money
– You will learn 5 recipes today: use them!
6
AIT ITServ
1. Introduction
1.1. Attacks are not only for others
• The facts (cont.)
– An unpatched, unsecured Red Hat Linux server is
at least as vulnerable as Windows
– Windows 2000 (even with SP3) is not safe
– A misconfigured firewall can make your security
worse than no firewall at all
• gives wrong feeling of safety
• protect servers first, then set up a firewall if
you wish and if you can
7
AIT ITServ
1. Introduction
1.2. Potential damage
• Hackers use the network bandwidth we all
share and servers resources that you have
paid for
• Damage to the services you provide
–
–
–
–
Downtime for legitimate users
Defaced web site (reputation, confidence, image)
Loss or alteration of data
Wasted time and efforts to repair damage
• Leaking of confidential data
– From LAN sniffing also (data from other servers)
8
AIT ITServ
1. Introduction
1.2. Potential damage
• Damage to the services we all use
– Slow network connections
– Slow servers
– Part or all of AIT networks / domains banned from
major sites
• Loss of connectivity
• Cannot send e-mail
• Legal liability
– Attacks on other sites / networks from your
network
– Offensive or illegal material on your servers
9
AIT ITServ
2. Basic Security How-To
2.1. General recommendations
• This simple how-to can avoid at least 80% of
the break-ins currently seen
• Do it for all servers (new and old)
• This is an ongoing task: never finished
• Assign someone to handle security (can be
part-time): must have authority to control
that the following rules are applied
• Don’t trust people saying that buying extra
software will do it for you
10
AIT ITServ
2. Basic Security How-To
2.2. Rule #1: Install and configure carefully
• Do not do full or default installations of
operating system
– Lots of useless and dangerous software packages
installed
– Alternative: do a full or default install, then
uninstall packages that you don’t use immediately
• Red Hat Linux installation
– Consider alternative Linux distributions e.g.:
E-smith at http://www.e-smith.org/
Trustix at http://www.trustix.net/
– Consider FreeBSD instead of Linux
11
AIT ITServ
2. Basic Security How-To
2.2. Rule #1: Install and configure carefully
• Windows 2000
– unless specific need, do not install any of
Networking Services, Other Network File and Print Services,
Remote Installation Services, Remote Storage, Terminal
Services, Windows Media Services...
12
AIT ITServ
2. Basic Security How-To
2.2. Rule #1: Install and configure carefully
• Windows 2000 (cont.)
– do not install unused parts of IIS: SMTP, NNTP…
• Note: SMTP needed by Active Directory Replication
• Configure to use RPC transport instead
• Internet server should not handle this anyway
13
AIT ITServ
2. Basic Security How-To
2.2. Rule #1: Install and configure carefully
• Windows 2000 (cont.)
– Disable the features of IIS you don’t need using
the Microsoft IIS Lockdown Tool
http://www.microsoft.com/technet/security/tools/locktool.asp
– Defaults suggested by tool are generally OK
14
AIT ITServ
2. Basic Security How-To
2.2. Rule #1: Install and configure carefully
• Windows 2000 (cont.)
– Install a virus scanner on Windows servers
• AVG is a very decent free virus scanner with
automatic update
• Download it from: http://www.grisoft.com
• Registration needed, use a “disposable” e-mail
address just in case, but no report of
spamming yet
• Free version could well disappear due to the
current IT business context: enjoy while it lasts
• Commercial virus scanner: Sophos highly
recommended: http://www.sophos.com
– much less problems than with McAfee, Norton
– free updates
15
AIT ITServ
2. Basic Security How-To
2.2. Rule #1: Install and configure carefully
• Windows 2000 (cont.)
– Remove Outlook Express in any case
There is no good reason to have it on a server
– Install an alternate web browser
Mozilla a good choice:
http://www.mozilla.org
– IE is quite difficult to remove completely
• make it a policy not to use it
• better: use Windows ACLs to prevent usage
(details upon request)
16
AIT ITServ
2. Basic Security How-To
2.2. Rule #1: Install and configure carefully
• Red Hat Linux installation
– Use an up-to-date distribution: Red Hat Linux 7.2
at least, never 7.0 or earlier
•
•
•
•
•
•
not a file server: do not install: nfs*, samba, portmap
not a name server: do not install: bind*
not a mail server: do not install: imap, sendmail
not a web server: do not install: apache*
not a DB server: do not install: MySQL*, postgresql*
unless specific need, do not install: dhcpd, finger.server,
anonftp, bootparamsd …
– Uninstalling a Linux RPM package:
# rpm -e --nodeps packagename ...
17
AIT ITServ
2. Basic Security How-To
2.2. Rule #1: Install and configure carefully
• Unix configuration: Disable all services not
needed
– Services started by connection: file /etc/inetd.conf
finger stream tcp
nowait nobody /usr/sbin/tcpd in.fingerd
comment out unwanted services by adding ‘#’:
#finger stream tcp
nowait nobody /usr/sbin/tcpd in.fingerd
Should be commented out unless specific need:
ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2,
pop-3, finger, auth, gopher, time, linuxconf (Linuxspecific) … almost all lines
• Red Hat 7.1+ uses xinetd.conf, can be
managed by chkconfig (see next slide)
18
AIT ITServ
2. Basic Security How-To
2.2. Rule #1: Install and configure carefully
• Disable all services not needed
– Services started at boot time: start-up scripts
• Details vary a lot from Unix to Unix
• Red Hat Linux start-up scripts are controlled using
chkconfig command:
# chkconfig --list
list all services
# chkconfig service off
disable a service
# chkconfig service on
enable a service
– Unless needed, you should disable: sendmail (if not
mail server), portmap, nfs, nfslock, netfs, all r*d
(rusersd …), all yp* (ypbind…), lpd, samba, identd,
named (if not name server), httpd (if not web
server), snmpd, xfs, amd
19
AIT ITServ
2. Basic Security How-To
2.2. Rule #1: Install and configure carefully
– Unix start-up scripts (cont.)
• Most other Unix (and Linux too): rename files in rcN.d (N
= 2, 3…) directories. Solaris has /etc/rcN.d. E.g.:
# cd /etc/r2c.d
# mv S73nfs.client _S73nfs.client
– E.g. for Solaris, you should disable: S73nfs.client,
S74autofs, S80lp, S88sendmail (if not mail server),
S15nfs.server, S76snmpx, S77dmi
• Other kind of Unix: use administration tools
–
–
–
–
20
FreeBSD: /stand/sysinstall “Do post-install configuration”
HP-UX: sam
AIX: smit
Refer to documentation, but target should be to disable
NFS, RPC, remote printing, SNMP, SMTP server...
AIT ITServ
2. Basic Security How-To
2.2. Rule #1: Install and configure carefully
• Enforce a strict login/password policy
– one person = one login account, do not use
shared accounts (“operator”, project account…)
– minimise root/administrator account usage: only
when needed, not for daily work
– require correct passwords
•
•
•
•
•
•
21
no password = login name
no default password (especially empty!)
no password = name of department
no password = nickname
no single words found in a dictionary
etc…
Everyone knows this already!
AIT ITServ
2. Basic Security How-To
2.2. Rule #1: Install and configure carefully
• Have a strict policy on remote administration
– Only when really needed and from a very little
number of client workstations (see “filtering”)
– On Unix, do not allow direct remote login to root:
log in as normal user and use su or better sudo
– Use only standard tools and well-known ones
– Avoid home-made web-based admin tools
– Good Unix web-based administration tool: Webmin
http://www.webmin.com/
• Do not use telnet and FTP !
22
AIT ITServ
2. Basic Security How-To
2.2. Rule #1: Install and configure carefully
• Remote administration (cont.)
– Require strong encryption and authentication
• Unix: install and use SSH (“encrypted telnet”), not
standard telnet
– ssh server part of Linux and FreeBSD
– for other Unix: download from http://www.openssh.org/
– ready-to-install binaries for Solaris at:
http://www.sunfreeware.com/
– freeware Windows SSH client (terminal emulator):
TeraTerm Pro with SSH extension
http://hp.vector.co.jp/authors/VA002416/teraterm.html
http://www.zip.com.au/~roca/ttssh.html
– SSH can do file upload/download too: use freeware
WinSCP client for Windows (http://winscp.vse.cz/eng/)
23
AIT ITServ
2. Basic Security How-To
2.2. Rule #1: Install and configure carefully
• Remote administration (cont.)
– Require strong encryption and authentication
• Windows: use recent version of PC Anywhere with
encryption set at least to “PCAnywhere”
• Windows Remote Desktop has encryption always on
• Avoid VNC (freeware PCAnywhere-like) except over an
encrypted tunnel
24
AIT ITServ
2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
• Fact: off the CD un-patched installation of
Red Hat Linux or Windows + IIS put on the
Internet usually hacked within 3 weeks
• All standard O/S distributions have many
serious security holes: apply critical patches
• Check vendor web site once a week for new
vulnerabilities or subscribe to alert mailing
lists: CERT, Securityfocus, SANS...
• Information in next slides to be outdated very
soon...
25
AIT ITServ
2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
• Windows (W2K) servers
– CodeRed and Nimda exploit bugs in IIS that have
been known since May 2001
“There’s no patch for negligence and laziness”
– Microsoft reference page for Nimda:
http://www.microsoft.com/technet/security/topics/Nimda.asp
– SQLslammer exploits bug in MS-SQL that has been
known since July 2002
– Microsoft reference page for SQLslammer:
http://www.microsoft.com/security/slammer.asp
– Microsoft starting point page for security:
http://www.microsoft.com/technet/security/
26
AIT ITServ
2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
• Windows (W2K) servers (cont.)
– Bringing up a (reasonably) safe (to external
attacks at least) Windows 2000 server is simple:
• 1) Install Windows and IIS (correctly,
see rule #1)
• 2) Install Service Pack 3
http://www.microsoft.com/windows2000/downloads/servicepacks/
• 3) Install Hotfixes MS02-052, MS02-065,
MS03-001
http://www.microsoft.com/technet/security/bulletin/MSxx-xxx.asp
27
AIT ITServ
2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
• Windows (W2K) servers (cont.)
• 4) If your server has MS-SQL, install MS-SQL
SP3 (note: if unsure, install it anyway)
http://www.microsoft.com/sql/downloads/2000/sp3.asp
• 5) Don’t forget to patch Internet Explorer too!
Upgrade to IE6 SP1 and patch it
http://www.microsoft.com/windows/ie/downloads/critical/ie6sp1/
http://www.microsoft.com/technet/security/bulletin/MS03-004.asp
• 6) Reminder: remove Outlook Express!
There is no good reason to have it on a server.
28
AIT ITServ
2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
• Windows (W2K) servers (cont.)
– If infected:
• Backup data, format, reinstall and patch!
If you don’t patch, you will get infected again
• Do not rely on “cleaners”: they cannot handle
100% of infection variants
• Restore your data
• Check all your HTML and Javascript files: delete
all added links to *.EML files
• Delete any README.EML or *.EXE file in your
data
29
AIT ITServ
2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
• Windows (W2K)servers (cont.)
– Use automated tools to check against latest
security patches
– Windows automatic update (installed with SP3), in
the Control Panel
• + already installed
• + easy to use
• - gives little control over what is installed
30
AIT ITServ
2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
– Microsoft Hot Fix Checker (new version)
http://www.microsoft.com/technet/security/tools/hfnetchk.asp
• + can scan your network from a single point
• + on-line checking: always up-to-date (well, nearly)
• + just tells you what you should install, doesn’t install
anything
• + can run on both NT4/IIS4, W2K/IIS5, XP/IIS6
• - command-line console application
31
AIT ITServ
2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
– Microsoft “Hot Fix Checker” (cont.)
1) Download and install
Can install anywhere, suggested:
C:\Program Files\Hotfix Checker
32
AIT ITServ
2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
– Microsoft “Hot Fix Checker” (cont.)
2) Open “Command
Prompt” window
Do not run from Explorer
33
AIT ITServ
2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
– Microsoft “Hot Fix Checker” (cont.)
3) Change directory where installed:
cd “\Program Files\Hotfix Checker”
4) Run program
hfnetchk -v -z -s 1 -nosum
34
AIT ITServ
2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
– Microsoft “Hot Fix Checker” (cont.)
5) Check results: look for “Patch not found MSXXYY”
35
AIT ITServ
2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
– Microsoft “Hot Fix Checker” (cont.)
6) Search returned missing patches MSXX-YY on
Microsoft Technet security site
http://www.microsoft.com/technet/security/
7) Install them !
Options described in detail at:
http://support.microsoft.com/support/kb/articles/q303/2/15.asp
36
AIT ITServ
2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
– Shavlik ’s HFNetChkPro
• improved version of Microsoft’s tool with GUI,
much easier to use
• not free, but free “Lite” version for networks up
to 50 nodes
http://www.shavlik.com/pHFNetChkLT.aspx
37
AIT ITServ
2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
• Linux servers: Red Hat covered in this
presentation, other distributions similar
– Check:
http://www.redhat.com/apps/support/errata/
– Review all Security Errata (=bugs!)
– At least, install all update RPMs mentioning
“remote root” or “remote compromise” in the
description, and all related to:
kernel, ftpd, wu-ftpd, lpd, lprng, rpc, portmap,
sendmail, pop, imap, linuxconf, [open]ssh, apache
38
AIT ITServ
2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
• Linux servers (cont.)
– How to install an updated RPM on Red Hat Linux:
1) download RPM e.g. wu-ftpd-2.6.0-14.6x.i386.rpm
2) type:
# rpm -Uvh name-of-RPM
e.g.:
# rpm -Uvh wu-ftpd-2.6.0-14.6x.i386.rpm
Other useful commands:
• rpm -q -a
lists installed RPMs
• rpm -ivh name-of-RPM
installs a RPM
• rpm -e --nodeps name-of-RPM
uninstalls a RPM
• rpm -V name-of-RPM
checks an installed RPM
39
AIT ITServ
2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
– Most critical vulnerabilities in Red Hat Linux 7.x:
• OpenSSH (ssh server and client)
http://rhn.redhat.com/errata/RHSA-2002-043.htm
• OpenSSL (used by Apache)
https://rhn.redhat.com/errata/RHSA-2002-155.html
• Kernel
http://rhn.redhat.com/errata/RHSA-2001-130.html
http://rhn.redhat.com/errata/RHSA-2003-098.html
• BIND (DNS server)
http://rhn.redhat.com/errata/RHSA-2001-007.html
• LprNG (print server)
http://rhn.redhat.com/errata/RHSA-2000-065.html
40
AIT ITServ
2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
– Most critical vulnerabilities in Red Hat Linux 7.x
(cont.):
• xntp3 (time daemon)
http://rhn.redhat.com/errata/RHSA-2001-045.html
• telnetd (telnet server)
http://rhn.redhat.com/errata/RHSA-2001-099.html
• ucd-snmp-utils (SNMP server)
http://rhn.redhat.com/errata/RHSA-2001-163.html
• sendmail (SMTP server)
http://rhn.redhat.com/errata/RHSA-2003-073.html
Some may only apply to 7.0, 7.1 or 7.2, check the
web pages
41
AIT ITServ
2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
– Most critical vulnerabilities in Red Hat Linux 8.0:
• Kernel
http://rhn.redhat.com/errata/RHSA-2003-098.html
• sendmail (SMTP server)
http://rhn.redhat.com/errata/RHSA-2003-073.html
• Apache, mod_ssl, PHP
http://rhn.redhat.com/errata/RHSA-2002-222.html
42
AIT ITServ
2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
– Use automatic update
• register to Red Hat Network (needed):
# up2date --register
• configure the update agent to your
preferences:
# up2date --configure
• run full update:
# up2date -u
• use option --nox for non-GUI (text)
• Full documentation at:
http://rhn.redhat.com/help/basic/index.html
43
AIT ITServ
2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
• Sun Solaris (on Sun hardware or PC)
– Check:
http://sunsolve.sun.com
Click on “Security Bulletin Archive”
– Install Recommended Patch Bundles
Click on “Recommended & Security Patches”
according to platform (SPARC or x86) and version
• 2.6 = 5.6
• 2.7 = 5.7 = 7
• 2.8 = 5.8 = 8
Sun likes confusing version
numbering...
– Free download: no need for a support contract
44
AIT ITServ
2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
• Sun Solaris (cont.)
– How to install patch bundle (e.g. for Solaris 7):
1) download zip file
2) unzip it in a temporary directory (100Mb++)
# unzip 7_Recommended.zip
3) start the automatic installation script (as root)
# cd 7_Recommended
# ./install_cluster
4) wait for a long time
5) reboot
45
AIT ITServ
2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
• Special care for name servers
– All versions of BIND (standard Unix DNS name
server) prior to 8.2.3 final released version have
severe security bugs allowing remote root
compromise
– Updates for Red Hat Linux and recommended
patch bundles for Sun Solaris take care of this
or:
– Compile and install BIND version 8.2.4 at least
(9.1 OK but requires migration work) from:
http://www.isc.org/
46
AIT ITServ
2. Basic Security How-To
2.4. Rule #3: Servers are not workstations
• Buy new machines for servers, or do full reformat, re-install if you recycle h/w
• Do not use workstations to bring up network
services (file server, web server…)
• Convince your staff not to use servers as
workstations
– No web browsing except trusted sites, and not using IE
except when browsing Microsoft’s sites
– On Windows, no e-mail activity, especially not using Outlook
– No installation of any program not directly related to server
operation and administration
– Avoid program development on server whenever possible
47
AIT ITServ
2. Basic Security How-To
2.5. Rule #4: Monitor your servers and network
• Any sudden change in load is suspicious
• Monitor the traffic on your link to the Internet
– If you have manageable switches (support SNMP),
bring up MRTG to show per-port traffic
Real case: huge rise of the outgoing traffic =
scans being launched from a compromised server
48
AIT ITServ
2. Basic Security How-To
2.5. Rule #4: Monitor your servers and network
• Monitor CPU load on your servers
– Task Manager on Windows (Ctrl-Alt-Del, click on
“Task Manager” button)
– The top command on Unix
• Look for unusual processes running
– Become familiar with the names of the processes
running on your server during normal operations
– Check for any new process running
– If so, find what it is
49
AIT ITServ
2. Basic Security How-To
2.5. Rule #4: Monitor your servers and network
• Look for unusual processes (cont.)
– Windows: use Processes list of Task Manager
50
AIT ITServ
2. Basic Security How-To
2.5. Rule #4: Monitor your servers and network
• Look for unusual processes (cont.)
– Unix: use ps command
• Linux, FreeBSD:
• Solaris, HP-UX, AIX:
ps -auxww
ps -ef
# ps -auxww
USER
root
root
root
root
root
51
PID
1
2
3
4
5
%CPU %MEM
0.0 0.0 344
0.0 0.0
0
0.0 0.0
0
0.0 0.0
0
0.0 0.0
0
VSZ RSS TTY
80 ?
S
0?
SW
0?
SW
0?
SW
0?
SW
STAT START TIME COMMAND
Jan17 2:20 init [3]
Jan17 0:03 [kflushd]
Jan17 6:53 [kupdate]
Jan17 0:00 [kpiod]
Jan17 0:04 [kswapd]
AIT ITServ
2. Basic Security How-To
2.5. Rule #4: Monitor your servers and network
• Look for automatically started programs
– Linux (Red Hat): check for new or modified scripts
in /etc/rc.d and below
– Windows: use REGEDIT to look at keys:
\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
or run MSCONFIG and look at the “Startup” tab
• Look for new user names
– Windows: check with the User Manager
– Unix: check /etc/passwd file
52
AIT ITServ
2. Basic Security How-To
2.6. Rule #5: Do network filtering
• Filtering is:
– Letting only the network traffic that you need pass
through, blocking all the rest
E.g.: SMTP, POP, IMAP to a mail server
and/or
– Blocking all the traffic that you know you don’t
need, letting all the rest pass through
E.g.: Windows file sharing
53
AIT ITServ
2. Basic Security How-To
2.6. Rule #5: Do network filtering
• Simple guidelines for minimal filtering
– Implement multiple-level filtering
– On router, block all LAN-only traffic: file sharing,
printer sharing, database access
Mail server
NFS
Internet
POP
Router
Web server
= block
54
AIT ITServ
2. Basic Security How-To
2.6. Rule #5: Do network filtering
• Guidelines (cont.)
– On server, allow only legitimate traffic to pass
• SMTP, POP, IMAP on a mail server
• HTTP, HTTPS on a web server
• Domain on a name server
Mail server
NFS
Internet
POP
Router
Web server
= block
55
AIT ITServ
2. Basic Security How-To
2.6. Rule #5: Do network filtering
• Filtering on router
– Block dangerous protocols
– Let the rest pass through
– More refined filtering can be done
• Filter on source and destination
• Filter on direction of connection
– Done globally by ITServ
• On border interfaces (Internet & others)
• Between AIT networks (schools, labs, entities)
• Details upon request
56
AIT ITServ
2. Basic Security How-To
2.6. Rule #5: Do network filtering
• How to implement filtering on server ?
– Use TCP Wrappers by Wietse Wenema
• Standard for Linux and FreeBSD
• Download, compile and install for other Unix
– ftp://ftp.porcupine.org/pub/security/index.html#software
– http://www.sunfreeware.com has pre-compiled binaries for
Sun Solaris
– install into /etc/inetd.conf (more help upon request)
– TCP Wrappers configuration in two files
• hosts.allow (in /etc or /usr/local/etc)
– which service (port number) is allowed
– from which IP address / network
57
AIT ITServ
2. Basic Security How-To
2.6. Rule #5: Do network filtering
• How to implement filtering on server ?
– TCP Wrappers configuration (cont.)
• hosts.allow (cont.)
– Format is:
daemon_name : IP address[netmask] …
– Examples:
FTP only from a given address:
ftpd : 203.159.12.34
SSH only from AIT networks:
sshd : 203.159.0.0/255.255.0.0 192.41.70.0/255.255.255.0
POP from anywhere
popper : ALL
58
AIT ITServ
2. Basic Security How-To
2.6. Rule #5: Do network filtering
• How to implement filtering on server ?
– TCP Wrappers configuration (cont.)
• hosts.deny (in /etc or /usr/local/etc)
– What is not allowed
– Must have a single line:
ALL: ALL
– Do not leave empty (=> allow everything!)
– FreeBSD TCP wrappers have a single configuration
file (hosts.allow)
• adds “: allow” or “: deny” at end of line
59
AIT ITServ
3. Useful links and resources
• Security alert news
–
–
–
–
–
http://www.cert.org
http://www.sans.org
http://xforce.iss.net
http://www.securityfocus.com
http://www.linuxsecurity.com/advisories
• Information and checklists
– SANS “Top 20 Most Critical Internet Security
Vulnerabilities”
http://www.sans.org/top20.htm
• Free automated network scanner available !
60
AIT ITServ
3. Useful links and resources
• Information and checklists (cont.)
– NSA “The 60 Minute Network Security Guide”
http://nsa2.www.conxion.com/support/guides/sd-7.pdf
• Linux
– Securing and Optimizing Linux Red Hat Edition A Hands on Guide
http://www.linuxdoc.org/guides.html#securing_linux
– Securing Linux Servers for Service Providers (IBM
document)
http://www.ibm.com/linux/Securing_Linux_Servers_xSP_hilf
_external.pdf
61
AIT ITServ
3. Useful links and resources
• Linux (cont.)
– Linux security checklists
http://www.uga.edu/ucns/wsg/security/linuxchecklist.html
http://www.wfu.edu/~rbhm/linux.html
– TrinityOS Guide to Configuring Linux
http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS/
mHTML/TrinityOS-m.html
Parts 8.7 to 8.10 especially explain Linux security configuration in
great detail
• Windows
– Microsoft’s Security Site
http://www.microsoft.com/technet/security/
62
AIT ITServ
3. Useful links and resources
• Windows sites (cont.)
– NT4 / IIS4 Security Checklist
http://www.microsoft.com/technet/security/iischk.asp
– W2K / IIS5 Security Checklist
http://www.microsoft.com/technet/security/iis5chk.asp
• Sun Solaris
– Solaris Network Hardening
http://ist.uwaterloo.ca/security/howto/2000-09-19/
Includes a tool to automate configuration
– YASSP (Yet Another Solaris Security Package)
http://www.yassp.org/
63
AIT ITServ
3. Useful links and resources
• Free Security tools (mostly Unix)
– Nessus Security Scanner
http://www.nessus.org
– Web-based simple port scanner
http://www.ntsecurity.com/scan.asp
– Snort Intrusion Detection System (IDS)
http://www.snort.org
• Runs on Windows too
– SANS “Top 20” vulnerability scanner
http://www.cisecurity.org/scanning_tool.html
• Runs on Unix only
• Can scan vulnerabilities of Unix and Windows servers
64
AIT ITServ
3. Useful links and resources
• Free Security tools (Windows)
– SwatIt Windows trojan remover
http://lockdowncorp.com/bots/downloadswatit.htm
– Foundstone ’s Windows forensics toolbox
http://www.foundstone.com/knowledge/free_tools.html
– PrcView process viewer
Gives much info about DLLs used, how process
has been started
http://www.teamcti.com/pview/prcview.htm
65
AIT ITServ
3. Useful links and resources
• Miscellaneous
– Lance Spitzner's white papers
http://www.enteract.com/~lspitz/papers.html
– The Center for Internet Security
http://www.cisecurity.com
66
AIT ITServ
4. ITServ plans
• What we know by now:
– Filtering at the border of the AIT network is only a
part of the solution (can’t address all threats)
– Maintaining security easily becomes an almost fulltime job for all but the smallest networks inside
AIT
– Not all labs/schools/entities have the right people
with enough free time to do it
– All that is a lot of duplicated efforts, duplicated
investments and duplicated downloads
67
AIT ITServ
4. ITServ plans
• Our goals:
– Establish a global standard of security for all AIT
• standardisation of environments
• validation of servers
• fully enforced configuration and update policies
– Rely more on standards and policies observed by
all entities inside AIT and less on tight global
filtering and on corrective blocking of IP addresses
inside AIT
– Provide extensive local resources and consulting
68
AIT ITServ
4. ITServ plans
• Our goals (cont.):
– Provide centralised services than entities inside
AIT can use without loosing control over their
servers and/or contents
•
•
•
•
•
proper configuration
real dedicated firewall, possibly intrusion detection
24-hour monitoring, regular auditing
software updates
clearly defined, dependable
– The most efficient way: an Internet Data Centre at
ITServ for co-location and hosting
69
AIT ITServ
4. ITServ plans
• What we need:
– Clearly identified people in charge of IT security in
all AIT entities, willing to co-operate
– A honest acceptance and support of the common
goals and the means to reach them:
•
•
•
•
standardise vs. “I like Linux DebDrakeHatGNUXYZ only”
commitment to dedicate enough resources (time)
actual usage of local resources vs. “magic tools”
willingness to “outsource” what can not be managed
locally due to lack of resources vs. “I absolutely want this
server in my office”
• accept servers and services being audited and validated
70
AIT ITServ
4. ITServ plans
4.1. Local resources
For a limited number of supported operating
systems and environments:
• Local cache of all critical patches
– much faster downloads
– save Internet bandwidth
• Local “CERT-like” web site to announce
vulnerabilities
– summarised and targeted at supported
environments: much easier to read
– links to local downloads
• Local alert mailing lists
71
AIT ITServ
4. ITServ plans
4.1. Local resources
• Campus license for selected critical security
software, with local downloads
• Windows anti-virus software a priority
– local download and possibly
transparent/automated installation
– local and automatic updates
– very cost-effective
72
AIT ITServ
4. ITServ plans
4.2. Support and consulting
• Provide installation manuals with
configuration guidelines tuned to AIT
environment for supported O.S.
• Provide security check-lists (more usable than
Microsoft’s) with verification tools
• On-demand security auditing
– network scanning, possibly real-time (from AIT
Intranet web)
– on-site auditing with written report upon request
73
AIT ITServ
4. ITServ plans
4.2. Support and consulting
• Emergency assistance in case of intrusion
– evaluate damage
– save important information to track down source
(computer forensics)
– help cleaning or re-install machine while
preserving data
– final written report with probable causes of
intrusion, to avoid the same mistakes being done
again
74
AIT ITServ
4. ITServ plans
4.3. Services
• AIT Internet Data Centre in ITServ building
– co-location of Internet/Intranet servers
– shared hosting of Internet servers (mostly web)
– provides reliable operation of your servers:
• power, air conditioning
• 24-hr operator staff to watch servers, reboot,
restart service
• network-based disk back-up facility
• web-based real-time monitoring of service
availability (e.g. HTTP server up/down)
75
AIT ITServ
4. ITServ plans
4.3. Services
• AIT Internet Data Centre (cont.)
– provides secure environment:
• full-featured firewall (not simple port filtering)
• O/S installation & hardening service available
• software updates installation service
• web-based detailed network traffic statistics
and real-time monitoring, alert generation in
case of abnormally high traffic
• preventive regular auditing (scanning) to detect
anomalies
• possibly: IDS, content-based filtering
76
AIT ITServ
4. ITServ plans
4.3. Services
• AIT Internet Data Centre (cont.)
– preserves full control over your equipment
• remote administration (SSH, PC Anywhere,
remote desktop…)
• physical access whenever needed
• personalised per-server policy on the firewall,
agreed upon and modifiable via on-line
requests
77
AIT ITServ
4. ITServ plans
4.4. Policies
• Standardisation of server environment to a
set of supported O.S./server software and
versions
–
–
–
–
installed based used as a start (fill questionnaire!)
reduced to a smaller set (negotiation)
open-source O.S. and software preferred
extensive assistance for migration if needed
• Mandatory anti-virus software on all Windows
servers and desktops
– campus-wide license
– transparent and automatic installation and update
78
AIT ITServ
4. ITServ plans
4.4. Policies
• Validation and continuous auditing of servers
– audit before opening service to the Internet
– exclude usage as a workstation
– committed delay to do audit
• LAN network services really LAN-only
– phase-out cross-network Windows file sharing
– provide safer alternatives
– help labs to migrate
79
AIT ITServ
4. ITServ plans
4.4. Policies
• Formal but fast and efficient communication
for all security-related issues
– web-based “ticket processing” system with 2-way
interactivity
– full information on what is being done and why
– formal incident reporting and archival
• Regular meetings with designated IT Security
Managers in all entities
– attendance required
– the place where policies will be elaborated
80
AIT ITServ
AIT ITServ & Lab Supervisors Meeting
• Thank you very much for your attention
• Now let’s talk!
81
AIT ITServ