Infrastructure Hardening

Objectives
Why is hardening infrastructure important?
Hardening operating systems, networks and applications

Security Baselines
The process of baselining involves both the:
  Configuration of the IT environment
  Disabling of non-essential services
The baselining process involves hardening the key components:
  Operating systems
  Network
  Applications

Operating System Hardening
The system is configured to limit the possibility of either internal or external attack.
While the methods for hardening vary from one operating system to another, the concepts involved are largely similar regardless of whether Windows, UNIX, Linux, Mac OS X or any other system is being baselined.

Operating Systems
Hardening techniques
Disable non-essential services - for example, unless a host is functioning as a web or mail server there is no need to have HTTP or SMTP services running on the system.
Apply vendor-supplied patches and fixes (security updates)
Password management
  Strong passwords
  Enforcing the regular changing of passwords
  Disabling of user accounts after repeated failed login attempts
Remove unnecessary accounts
  Guest, unused and unnecessary user accounts
  When employees leave an organization

Operating Systems
Hardening techniques
File and directory protection - through the use of Access Control Lists (ACLs) and file permissions.
File and file system encryption - all disk partitions are formatted with a file system type that has encryption features (NTFS in the case of Windows).
Enable logging - the operating system is configured to log all activity, errors and warnings.
File sharing - disable any unnecessary file sharing.

Network Hardening
Updating software and hardware
  An ongoing process
  All networking software, together with the firmware in routers, is updated with the latest vendor-supplied patches and fixes
Password protection
  Routers and wireless access points should be protected with strong passwords
Disable and remove unnecessary protocols and services
  For example, in a pure TCP/IP network environment it makes no sense to have AppleTalk protocols enabled

Network Hardening
Ports
  Unneeded ports are blocked by a firewall and the associated services are disabled on any hosts within the network
  For example, a network in which none of the hosts acts as a web server does not need to allow traffic for port 80 to pass through the firewall
Wireless security
  Wireless networks must be configured to the highest available security level.
  For older access points WEP security should be configured with 128-bit keys.
  Newer routers should implement WPA security measures.
  (WEP has since been shown to be breakable regardless of key length, so where the hardware allows it WPA2 or later is the practical minimum today.)

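The "disable non-essential services" item on the operating-system slide and the "ports" item above are the same check seen from two sides: what a host actually listens on versus what its role needs. The script below is an added example, not from the original presentation; it parses a constructed `ss -tlnp` listing against an assumed per-role port baseline (ROLE_BASELINE, SERVICE_NAMES and the sample output are all invented here) and reports every listener outside that baseline.

```python
import re

# Ports each host role is expected to listen on (assumed baseline for this
# example; an organisation would substitute its own documented baseline).
ROLE_BASELINE = {
    "web": {22, 80, 443},
    "mail": {22, 25, 587, 993},
}
SERVICE_NAMES = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 443: "https",
                 587: "submission", 993: "imaps", 3306: "mysql"}

# Constructed sample in the shape of `ss -tlnp` output; not from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("nginx",pid=1204,fd=6))
LISTEN  0       100     0.0.0.0:25          0.0.0.0:*          users:(("master",pid=990,fd=13))
LISTEN  0       5       0.0.0.0:21          0.0.0.0:*          users:(("vsftpd",pid=1301,fd=3))
LISTEN  0       128     127.0.0.1:3306      0.0.0.0:*          users:(("mysqld",pid=1450,fd=21))
"""

# State, the two queue columns, local addr:port, peer, then the first process
# name inside users:((...)).
LISTEN_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')

def parse_listeners(ss_output):
    """Return [(local_address, port, process_name)] for every LISTEN row."""
    found = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.append((m.group(1), int(m.group(2)), m.group(3)))
    return found

def unexpected_services(ss_output, role):
    """Listeners outside the role's baseline, sorted by port.

    Loopback-only listeners are reported too: they are not reachable from the
    network, but they are still running code that must be patched or removed.
    """
    allowed = ROLE_BASELINE[role]
    return sorted((port, SERVICE_NAMES.get(port, "unknown"), proc, addr)
                  for addr, port, proc in parse_listeners(ss_output)
                  if port not in allowed)

if __name__ == "__main__":
    for port, svc, proc, addr in unexpected_services(SAMPLE_SS_OUTPUT, "web"):
        print(f"port {port} ({svc}) owned by {proc}, bound to {addr}: not in the web baseline")
```
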
Network Hardening
Restricted network access
  There should be a firewall between the network and the internet.
  Other options include the use of Network Address Translation (NAT) and access control lists (ACLs).
  Authorized remote access should be enabled through the use of secure tunnels and virtual private networks.

Application Hardening
All applications and services installed on network-based host systems must be included in the security hardening process to ensure that they do not provide a weak link in the security defenses.
A number of common operating system based services are installed by default and need to be reviewed.

Web Servers
For non-public sites, authentication methods should be put in place; for sites that are only to be accessible by internal users, an intranet approach should be used so that external access is prevented by a firewall.
Secure web-based transactions - SSL communication
Web server logs should be reviewed routinely for suspicious activity. Any attempts to access unusual URLs on the web server typically indicate an attempt to exploit problems in outdated or unpatched web servers.
Apply the latest vendor-supplied patches

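The log-review item above is routine work that is easy to script. The following is an added example, not part of the original presentation: it parses Apache/nginx combined-format lines (an assumed layout), treats a request as unusual when its path is outside an assumed site map (KNOWN_PREFIXES) or the server answered 404, and reports clients that repeat such requests. The log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log layout (assumed by this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The paths this site really serves (assumed site map for the example).
KNOWN_PREFIXES = ("/index.html", "/static/", "/products/", "/contact")

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /static/app.css HTTP/1.1" 200 871
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /products/42?ref=home HTTP/1.1" 200 5123
198.51.100.9 - - [10/Oct/2023:14:02:10 +0000] "GET /admin/console HTTP/1.1" 404 196
198.51.100.9 - - [10/Oct/2023:14:02:11 +0000] "GET /manager/html HTTP/1.1" 404 196
198.51.100.9 - - [10/Oct/2023:14:02:12 +0000] "GET /setup.php HTTP/1.1" 404 196
198.51.100.9 - - [10/Oct/2023:14:02:13 +0000] "POST /cgi-bin/test.cgi HTTP/1.1" 404 196
203.0.113.7 - - [10/Oct/2023:14:05:00 +0000] "GET /contact HTTP/1.1" 200 1402
this line is not in combined format and must not break the review
"""

def is_known_path(path):
    """True if the path (query string ignored) is part of the site map."""
    path = path.split("?", 1)[0]
    if path == "/":
        return True
    return any(path == p or (p.endswith("/") and path.startswith(p))
               for p in KNOWN_PREFIXES)

def review_log(log_text, threshold=3):
    """Map client IP -> unusual request paths, for clients at or above threshold.

    A request is unusual if its path lies outside the site map or the server
    answered 404; repeated hits of that kind from one client are what the slide
    calls attempts to access unusual URLs. A single stray 404 stays below threshold.
    """
    unusual = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # malformed or truncated line: skip it rather than abort the review
        if m["status"] == "404" or not is_known_path(m["path"]):
            unusual[m["ip"]].append(m["path"])
    return {ip: paths for ip, paths in unusual.items() if len(paths) >= threshold}

if __name__ == "__main__":
    for ip, paths in review_log(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} unusual requests, e.g. {paths[:3]}")
```
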
Email Servers
Unneeded configuration options of the mail server software are disabled
All the latest vendor-supplied updates are applied
Relay prevention options should be activated
Authentication must be used to ensure that only authorized users are able to send and receive email messages

FTP Servers
The purpose of the File Transfer Protocol (FTP) is to allow files to be downloaded from and uploaded to remote servers.
Access can be in the form of:
  Anonymous FTP
  Authenticated FTP
Anonymous FTP accounts should be used with caution and monitored regularly.
In the case of authenticated FTP it is essential that Secure FTP be used so that login and password credentials are encrypted, rather than transmitted in plain text.

DNS Servers
Domain Name Servers (DNS) provide the translation of human-friendly names for network destinations (such as a web site URL) to the IP addresses understood by routers and other network devices.
Steps should be taken to ensure DNS software is updated regularly and that all access to servers is authenticated to prevent unauthorized zone transfers.
Access to the server may be prevented by blocking port 53, or restricted by limiting access to the DNS server to one or more specified external systems.

Am I Vulnerable?
Have you performed the proper security hardening across the entire application stack?
  Do you have a process for keeping all your software up to date? This includes the OS, web/app server, DBMS, applications, and all code libraries.
  Is everything unnecessary disabled, removed, or not installed (e.g. ports, services, pages, accounts, privileges)?
  Are default account passwords changed or disabled?
  Is your error handling set up to prevent stack traces and other overly informative error messages from leaking?
  Are the security settings in your development frameworks (e.g., Struts, Spring, ASP.NET) and libraries understood and configured properly?
A concerted, repeatable process is required to develop and maintain a proper application security configuration.

Example Attack Scenarios
Scenario #1: Your application relies on a powerful framework like Struts or Spring. XSS flaws are found in these framework components you rely on. An update is released to fix these flaws but you don't update your libraries. Until you do, attackers can easily find and exploit these flaws in your app.
Scenario #2: The app server admin console is automatically installed and not removed. Default accounts aren't changed. An attacker discovers the standard admin pages are on your server, logs in with default passwords, and takes over.

Example Attack Scenarios
Scenario #3: Directory listing is not disabled on your server. An attacker discovers they can simply list directories to find any file. The attacker finds and downloads all your compiled Java classes, which they reverse to get all your custom code. They then find a serious access control flaw in your application.
Scenario #4: App server configuration allows stack traces to be returned to users, potentially exposing underlying flaws. Attackers love the extra information error messages provide.

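Scenario #4 is the one that can be fixed in configuration or a thin wrapper without touching application logic: log the crash in full on the server and give the client only an opaque reference ID. The two wrappers below are an added example (plain WSGI, standard library only, not from the original presentation): leaky_wrapper shows the weak setting, hardened_wrapper the corrected one; buggy_app and call are constructed stand-ins for the application and the server.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app.errors")

def buggy_app(environ, start_response):
    """Constructed stand-in for an application that fails on one input."""
    if environ.get("PATH_INFO") == "/crash":
        raise KeyError("customer_id")  # simulated unhandled bug in app code
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]

def leaky_wrapper(app):
    """Weak setting: the full traceback is returned to the client."""
    def wrapped(environ, start_response):
        try:
            return app(environ, start_response)
        except Exception:
            start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
            return [traceback.format_exc().encode()]
    return wrapped

def hardened_wrapper(app):
    """Corrected: the traceback goes to the server log under a reference ID;
    the client gets a generic message carrying only that ID for support lookups."""
    def wrapped(environ, start_response):
        try:
            return app(environ, start_response)
        except Exception:
            ref = uuid.uuid4().hex[:12]
            log.error("unhandled error ref=%s path=%s\n%s", ref,
                      environ.get("PATH_INFO"), traceback.format_exc())
            start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
            return [f"Internal error. Reference: {ref}\n".encode()]
    return wrapped

def call(app, path):
    """Minimal WSGI driver so the example runs without a server: (status, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"] = status
    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], body.decode()

if __name__ == "__main__":
    print(call(leaky_wrapper(buggy_app), "/crash")[1])     # traceback reaches the client
    print(call(hardened_wrapper(buggy_app), "/crash")[1])  # only a reference ID does
```
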
How Do I Prevent This?

Questions

Security Training
Presentation prepared by
Nishi Kumar
Systems Architect
Processing Professional Services
FIS
OWASP CBT Project Lead
OWASP Global Education Committee