Transcript Slide 1
Implementing Secure
Edge Devices using
Open Source Software
Introduction to OpenBSD
James Duncan, LMS Technologist
Sheridan Institute of Technology and Advanced Learning
What is an ‘Edge Device’?
Edge of the network
Exposed devices: routers, NIDS, firewalls
[Figure: example network. Internet, NIDS, router, firewall and load balancer at the edge; a switch serving the ‘public’ servers Mail, www1, www2 and www3; internal networks MacNet and Mobile]
Introduction to OpenBSD
“UNIX-like” Operating System
Forked from NetBSD (itself descended from 4.4BSD) by Theo de Raadt in 1995; first release in 1996
Differs from Linux in source base and in licensing (BSD licence rather than GPL)
‘Free, Functional, Secure’
Based in Calgary
6 month release cycle; CVS access to the current source base
Currently in pre-release of version 3.4
http://www.openbsd.org
Supported Architectures
Currently supported: alpha, hp300, hppa, i386, mac68k, macppc, mvme68k, sparc, sparc64, vax
Ports in progress: mvme88k, amd64, hppa64, romp, sgi, amiga, sun3
Features of OpenBSD
Bug Management
“Secure by Default”
Proactive source code auditing
W^X page protection / ProPolice Stack Protection
Privilege separated daemons
Secure Communications & Services
IPSec using ISAKMPd
Support for NIDS (Snort)
Secure Network Services
PF+AltQ
Firewall/Routing/Queuing using PF+AltQ
Bug Management
Bug Prevention
Secure by Default
Source code auditing
Bug Mitigation
W^X
ProPolice
Privilege Separation
“Secure by Default”
Definition
Strictly configured by default
Only ssh (port 22) is reachable in a default install; everything else is off
Turn off as many services as possible
Daemons configured securely, with extraneous features turned off
“One remote hole in the default install, in more than 7 years”
Source Code Audits
Between 6 and 12 developers devoted to this
Looking for basic software bugs
If a new class of bug is found, entire tree is
re-audited
Proactive
Bug-finding ‘Arms Race’
Reduction in setuid and setgid binaries
What is a Stack? (Basic)
Section of contiguous memory used for function calls
Each call pushes a frame holding the function’s local data (buffers, variables) together with control data: the saved frame pointer and the address to return to when the function finishes
[Figure: stack diagram, a column of addresses 1382:0100 to 1382:0140 labelled Stack]
Instructions execute in sequence; when the function returns, the CPU takes its next instruction address from the return address saved on the stack, so whoever controls that saved value controls where execution goes next
Buffer Overflows
Write past the end of a fixed-size buffer
i.e., cram more data into a box than it was designed to hold
The lack of bounds checking in the code is the flaw; the data overflowing from the buffer overwrites whatever sits next to it on the stack
The classic exploit places attacker-supplied machine code in memory (typically in the overflowing buffer itself) and overwrites the saved return address so that it points at this code; when the function returns, the attacker’s code runs with the program’s privileges
W^X Page Protection
‘Write xor Execute’
A page can be either writable or executable, but never both at the same time
Injected code therefore cannot run: anywhere an attacker can write (the stack, the heap, a data buffer) is not executable, and the executable pages cannot be written to
Supported on sparc, sparc64, alpha, hppa, i386 and powerpc
Natively supported (the MMU has a per-page execute bit) on sparc, sparc64, alpha, x86-64
i386 and powerpc lack a per-page execute bit and required ugly hacks (on i386 the code segment limit is used to separate executable from non-executable memory)
Similar in goal to PaX, but implemented differently
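An added example, written for this page and not taken from OpenBSD or the slides, of what W^X means for a program that creates code at run time (a JIT, for instance): the page is mapped writable, filled, and only then switched to executable, so it is never both. wx_policy_allows, os_grants_wx_mapping, wx_install_code and run_wx_demo are names chosen here; the ‘return 42’ machine code for x86-64 and arm64 is constructed for the demo, and on a kernel that refuses executable mappings run_wx_demo reports -1 rather than running anything.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* MAP_ANONYMOUS on glibc under strict -std */
#endif
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* The W^X rule itself: a protection is acceptable unless it is writable
 * and executable at the same time. Returns 1 if allowed, 0 if not. */
int wx_policy_allows(int prot)
{
    return !((prot & PROT_WRITE) && (prot & PROT_EXEC));
}

/* Report whether this kernel hands out a W+X mapping. A W^X-enforcing
 * system refuses it; many others grant it. Returns 1 if granted, 0 if
 * refused. Informational only: nothing is written to or run from it. */
int os_grants_wx_mapping(void)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, pagesz, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 0;
    munmap(p, pagesz);
    return 1;
}

/* Map a page writable, copy the code in, then flip it to read+execute.
 * Returns the executable address, or NULL on failure. */
void *wx_install_code(const unsigned char *code, size_t len)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    void *p;

    if (len == 0 || len > pagesz)
        return NULL;
    p = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,        /* W, not X */
             MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    memcpy(p, code, len);
    if (mprotect(p, pagesz, PROT_READ | PROT_EXEC) != 0) { /* X, not W */
        munmap(p, pagesz);
        return NULL;
    }
    __builtin___clear_cache((char *)p, (char *)p + len);  /* i-cache sync, needed on arm64 */
    return p;
}

/* Constructed machine code for "return 42" on the two targets this example knows. */
static const unsigned char *demo_code(size_t *len)
{
#if defined(__x86_64__)
    static const unsigned char c[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 }; /* mov eax,42; ret */
    *len = sizeof c;
    return c;
#elif defined(__aarch64__)
    static const unsigned char c[] = { 0x40, 0x05, 0x80, 0x52,   /* mov w0,#42 */
                                       0xc0, 0x03, 0x5f, 0xd6 }; /* ret */
    *len = sizeof c;
    return c;
#else
    *len = 0;
    return NULL;
#endif
}

/* Install and run the demo routine through the W -> X transition.
 * Returns 42 on success, -1 if the kernel refused the mapping or the
 * transition, -2 on a CPU this example has no code for. */
int run_wx_demo(void)
{
    size_t len;
    const unsigned char *code = demo_code(&len);
    int (*fn)(void);
    void *p;
    int r;

    if (code == NULL)
        return -2;
    p = wx_install_code(code, len);
    if (p == NULL)
        return -1;
    memcpy(&fn, &p, sizeof fn);   /* data-to-function pointer without a cast warning */
    r = fn();
    munmap(p, (size_t)sysconf(_SC_PAGESIZE));
    return r;
}

int main(void)
{
    printf("W+X mapping granted by this kernel: %s\n",
           os_grants_wx_mapping() ? "yes (no W^X enforcement)" : "no");
    printf("code run via W -> X transition returned %d\n", run_wx_demo());
    return 0;
}
```

On a W^X-enforcing kernel os_grants_wx_mapping reports 0 because the combined mapping is refused outright; on most Linux kernels it is granted, which is the difference the slide is pointing at. Either way the wx_install_code sequence is the one to write: under W^X the write-then-flip discipline is the only way generated code can ever run.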
ProPolice Stack Protection
Extension to GCC (GNU C Compiler)
Available on Linux, FreeBSD, OpenBSD, others…
Software compiled with GCC+ProPolice has stack
protection built in to it
Makes it harder to exploit bugs such as buffer
overflows by modifying the way program data is
stored on the stack
How does this work?
ProPolice (continued)
Inserts protective code into the application at compile time
Buffer overflow detection (concept from StackGuard): a random guard value, the ‘canary’, is placed between the local variables and the saved frame pointer/return address and checked just before the function returns; if it has changed, the program aborts instead of returning through a corrupted address
Variable reordering: character arrays are placed at the top of the frame, directly below the guard, with pointers and other scalars further down, so an overflow runs into the guard rather than into a pointer or counter the attacker could abuse
http://www.research.ibm.com/trl/projects/security/ssp/
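A worked example, added here and not code from the slides, OpenBSD or the ProPolice project, covering both the buffer-overflow slide above and the two ProPolice mechanisms. struct frame is a model of a stack frame (buffer directly below the saved return address), SAFE_RET is a constructed return address, copy_unchecked reproduces strcpy’s unbounded behaviour, copy_bounded applies strlcpy(3) semantics, and guarded_copy adds a ProPolice-style guard plus variable reordering; the canary value is passed in rather than drawn at random so the run is repeatable. All names and values are this example’s own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of one stack frame on a downward-growing stack: the local buffer
 * sits just below the saved return address, so bytes copied past the end
 * of buf land on saved_ret. SAFE_RET is a constructed stand-in for the
 * legitimate return address. */
#define SAFE_RET ((uintptr_t)0x1000)
#define BUFSZ 16

struct frame {
    char buf[BUFSZ];
    uintptr_t saved_ret;
};

/* Vulnerable: behaves like strcpy(f->buf, input), no bounds check.
 * The copy goes through a pointer to the whole frame so the overrun is
 * deterministic and stops at the frame's end (a real strcpy keeps going).
 * Returns saved_ret after the copy; anything but SAFE_RET means the
 * return address was hijacked. */
uintptr_t copy_unchecked(struct frame *f, const char *input)
{
    size_t off = offsetof(struct frame, buf);
    size_t n = strlen(input) + 1;            /* includes the terminating NUL */

    f->saved_ret = SAFE_RET;
    if (n > sizeof *f - off)
        n = sizeof *f - off;
    memcpy((char *)f + off, input, n);
    return f->saved_ret;
}

/* Fixed: strlcpy(3) semantics (OpenBSD's bounded copy): at most BUFSZ-1
 * bytes plus a NUL, never a byte past buf. */
uintptr_t copy_bounded(struct frame *f, const char *input)
{
    size_t n = strlen(input);

    f->saved_ret = SAFE_RET;
    if (n >= sizeof f->buf)
        n = sizeof f->buf - 1;
    memcpy(f->buf, input, n);
    f->buf[n] = '\0';
    return f->saved_ret;
}

/* ProPolice-style frame: a guard value (canary) sits between the buffer
 * and the control data, and locals are reordered so pointers and scalars
 * lie below the character array, out of an overflow's path. */
struct guarded_frame {
    const char *ptr_local;   /* reordered below the buffer */
    char buf[BUFSZ];
    uintptr_t canary;        /* checked in the epilogue */
    uintptr_t saved_ret;
};

/* The same unchecked copy inside a guarded frame. canary_value plays the
 * role of the per-process random guard ProPolice sets up at start-up.
 * Returns 0 if the epilogue check passes, 1 if the guard was smashed
 * (where the real epilogue aborts instead of returning), 2 if the pointer
 * local was damaged, which the reordering is meant to make impossible. */
int guarded_copy(const char *input, uintptr_t canary_value)
{
    struct guarded_frame g;
    const char *marker = "intact";
    size_t off = offsetof(struct guarded_frame, buf);
    size_t n = strlen(input) + 1;

    g.ptr_local = marker;
    g.canary = canary_value;
    g.saved_ret = SAFE_RET;
    if (n > sizeof g - off)
        n = sizeof g - off;
    memcpy((char *)&g + off, input, n);

    if (g.ptr_local != marker)
        return 2;
    return g.canary != canary_value;   /* the overflow hits the guard before saved_ret */
}

int main(void)
{
    struct frame f;
    /* constructed attack string: 16 bytes of filler, then bytes for saved_ret */
    const char *attack = "AAAAAAAA" "AAAAAAAA" "BBBBBBBB" "BBBB";

    printf("unchecked: saved_ret = 0x%lx\n", (unsigned long)copy_unchecked(&f, attack));
    printf("bounded:   saved_ret = 0x%lx, buf = \"%s\"\n",
           (unsigned long)copy_bounded(&f, attack), f.buf);
    printf("guarded:   canary smashed = %d\n", guarded_copy(attack, (uintptr_t)0x0123abcdu));
    return 0;
}
```

With the attack pattern from the slide (filler up to the end of the buffer, then the bytes meant for the return address) copy_unchecked hands back a saved_ret made of 0x42 bytes, copy_bounded leaves it untouched and truncates the input to 15 characters, and guarded_copy reports the smashed guard before the frame is ever ‘returned’ through. The guard only helps if it is checked before the return address is used, which is why the real check lives in the function epilogue.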
Privilege Separation
Concept of Least Privilege
Split a network daemon into two processes
One process running as root, doing only what genuinely requires that privilege
A child running as an unprivileged user (sshd also chroots it) that parses network input and does everything else
A bug in the exposed child then yields an unprivileged process, not root: this minimises the damage caused by remote attacks
E.g., sshd, syslogd
Privilege Separation (cont.)
UID        PID  PPID  C STIME TTY      TIME     CMD
root     28740 14036  0 17:35 ?        00:00:00 sshd: duncajam [priv]
duncajam 28743 28740  0 17:35 ?        00:00:00 sshd: duncajam@pts/4
duncajam 28744 28743  0 17:35 ?        00:00:00 -tcsh
The listening sshd (PID 14036 above) forks a child running as root, the [priv] monitor, for each incoming connection
The monitor forks the unprivileged process that handles the rest of the protocol: during authentication it runs as a dedicated low-privilege user in an empty chroot; once duncajam has authenticated, the monitor forks a fresh child as that user for the session (sshd: duncajam@pts/4), which starts the login shell (-tcsh)
The root process never touches network data directly; it performs only the privileged operations the child asks for (reading the host key, checking the password, opening the pty)
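An added example, not sshd’s or OpenBSD’s code, of the monitor/child split described above in a single C program. The ‘monitor’ (parent) holds a constructed secret standing in for the host key, answers a two-entry request vocabulary (REQ_SIGN, REQ_RUN_SHELL) over a socketpair and refuses anything else; the child drops to uid/gid 65534 (assumed here to be nobody) when started as root, then asks for a signature and for a shell. The request format, the ‘signature’ (a stamp carrying the key’s tag, not real cryptography) and the return codes are this example’s own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* setgroups() prototype on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

enum req_type { REQ_SIGN = 1, REQ_RUN_SHELL = 2 };
struct req  { int type; char arg[32]; };
struct resp { int ok;   char data[32]; };

/* Constructed stand-in for a host key; it never crosses the socket. */
static const char MONITOR_SECRET[] = "hostkey-0xdeadbeef";

/* Drop to uid/gid permanently. Only does anything when running as root,
 * as the real daemon does; in an unprivileged run it is a no-op. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return 0;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0)          /* the drop must not be reversible */
        return -1;
    return 0;
}

/* Monitor loop: one request per message until the child closes its end.
 * Everything not on the allow-list is refused. Returns the refusal count. */
int monitor_serve(int fd)
{
    struct req q;
    struct resp r;
    int refused = 0;

    while (read(fd, &q, sizeof q) == (ssize_t)sizeof q) {
        memset(&r, 0, sizeof r);
        q.arg[sizeof q.arg - 1] = '\0';          /* child data is untrusted */
        if (q.type == REQ_SIGN) {
            r.ok = 1;                            /* stamp with the key's tag only */
            snprintf(r.data, sizeof r.data, "sig(%.4s,%s)", MONITOR_SECRET, q.arg);
        } else {
            r.ok = 0;
            refused++;
            snprintf(r.data, sizeof r.data, "denied request %d", q.type);
        }
        if (write(fd, &r, sizeof r) != (ssize_t)sizeof r)
            break;
    }
    return refused;
}

/* Child side: send one request, wait for the reply. Returns r->ok or -1. */
static int ask(int fd, int type, const char *arg, struct resp *r)
{
    struct req q;

    memset(&q, 0, sizeof q);
    q.type = type;
    snprintf(q.arg, sizeof q.arg, "%s", arg);
    if (write(fd, &q, sizeof q) != (ssize_t)sizeof q)
        return -1;
    if (read(fd, r, sizeof *r) != (ssize_t)sizeof *r)
        return -1;
    return r->ok;
}

/* Run the exchange. Returns the monitor's refusal count (1 here: the shell
 * request), -1 on a setup failure, -2 if the child saw unexpected replies,
 * -3 if the uid switch failed (e.g. root in a container whose user
 * namespace does not map uid 65534). */
int privsep_demo(void)
{
    int sv[2], status, refused;
    pid_t pid;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                       /* unprivileged child */
        struct resp r1, r2;
        int a, b;
        close(sv[0]);
        if (drop_privileges(65534, 65534) != 0)
            _exit(3);
        a = ask(sv[1], REQ_SIGN, "session-id", &r1);
        b = ask(sv[1], REQ_RUN_SHELL, "/bin/sh", &r2);
        close(sv[1]);
        _exit(a == 1 && strcmp(r1.data, "sig(host,session-id)") == 0 && b == 0 ? 0 : 2);
    }
    close(sv[1]);                         /* privileged monitor */
    refused = monitor_serve(sv[0]);
    close(sv[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 3)
        return -3;
    if (WEXITSTATUS(status) != 0)
        return -2;
    return refused;
}

int main(void)
{
    printf("privsep demo: %d request(s) refused by the monitor\n", privsep_demo());
    return 0;
}
```

Run as an ordinary user the uid switch is skipped and privsep_demo returns 1 (one refused request); run as root it really drops privileges and verifies that setuid(0) no longer works. That verification matters: a daemon that merely calls seteuid can be undone by a compromised child. The design’s point is visible in monitor_serve: whatever the child is tricked into sending, the only privileged operations reachable are the ones the monitor chose to implement.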
Secure Communications
‘Snoop the Line’ – Network Intrusion Detection Systems
IPSecurity – Secured Network Protocol
Secured Network Daemons
Intrusion Detection Systems
Full support for Snort NIDS (Network Intrusion
Detection System)
Topic covered in another presentation, moving
right along…
IPSec using ISAKMPd
IP Security: encryption and authentication at the IP layer
AH – Authentication Header (integrity and origin authentication)
ESP – Encapsulating Security Payload (confidentiality, optionally integrity)
isakmpd negotiates keys and security associations with the peer using IKE
Interoperates with other IPsec implementations, such as those available for Linux and Windows
Exposed Web Services
Ports
Packages
Apache, Sendmail, Bind, etc.
Chroot (e.g. Apache)
PrivSep (e.g. SSH, Syslog)
Audits
Modern Firewalling
What is a Firewall?
What is a Router?
What is Rate Limiting (Queuing)?
All three are done in OpenBSD by the PF+ALTQ subsystem
Configured in /etc/pf.conf
Loaded, inspected and flushed with the pfctl command (as root), e.g. pfctl -f /etc/pf.conf to load the ruleset and pfctl -s rules to list it
Packet Filter Features
Stateful filtering, including “modulate state” (PF generates strong random initial sequence numbers on behalf of hosts with weak ones)
Pass / Block (with a return or drop policy for blocked packets)
Match on address, source / destination ports, packet flags
Easy syntax, with tables, lists, and highly configurable options
Scrub – packet normalisation
Packet logging in tcpdump format (the pflog interface)
Block spoofed packets (antispoof)
Block packets with IP options set
Passive OS fingerprinting (match on the sender’s operating system; new in 3.4)
Anchors and sub rule sets
spamd, the spam-deferral daemon that works with PF redirection
PF Ruleset Example
# OpenBSD 3.4-era syntax. Later releases changed it (scrub became a per-rule option
# in 4.6, nat/rdr became match ... nat-to/rdr-to in 4.7, keep state is now implicit).
# Macros. priv_nets and icmp_types were not defined on the slide; the values below
# are those of the OpenBSD PF FAQ example this ruleset follows.
int_if = "fxp0"
ext_if = "ep0"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
icmp_types = "echoreq"
# Options: answer blocked connections with RST/ICMP unreachable rather than
# silently dropping; count packets on the external interface for pfctl -s info
set block-policy return
set loginterface $ext_if
# Normalise (defragment, sanity-check) every incoming packet
scrub in all
# Default deny. The last matching rule wins, except for "quick" rules, which
# stop evaluation immediately.
block all
pass quick on lo0 all
# Private and loopback addresses never belong on the external interface
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
# Allow ping, let the internal network out, and keep state on what we send
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
Routing Features
Basic Routing
Traffic redirection
NAT (Network Address Translation)
Round-robin load balancing
Routing Example
# NAT the internal network out through whatever address $ext_if currently has
nat on $ext_if from $int_if:network to any -> ($ext_if)
# Redirect outbound FTP from the inside to a local ftp-proxy listening on 8021
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
# Alternative to the first nat rule (only one of the two would be used):
# translate to a pool, choosing the address by a hash of the source address
nat on $ext_if inet from any to any -> { 192.0.2.5, 192.0.2.10 } source-hash
# Round-robin load balancing of inbound web traffic across three servers
rdr on $ext_if proto tcp from any to any port 80 -> \
    { 10.0.0.10, 10.0.0.11, 10.0.0.13 } round-robin
Queuing Features
Bandwidth management system
Applies to outbound traffic only (queuing happens on the sending side of an interface)
i.e., limiting use of some protocols or giving priority to others
Schedulers: CBQ (class based queuing) and PRIQ (priority queuing); an interface without ALTQ is plain FIFO
Based on ALTQ, integrated into PF since OpenBSD 3.3
Matches functionality found in commercial products such as Packeteer.
Queuing Example
# PRIQ on the outbound side of fxp0: 610 Kb/s split into four priority queues
altq on fxp0 priq bandwidth 610Kb queue { std_out, ssh_im_out, dns_out, tcp_ack_out }
queue std_out priq(default)            # everything not assigned elsewhere
queue ssh_im_out priority 4 priq(red)  # interactive traffic, with RED to tame bursts
queue dns_out priority 5
queue tcp_ack_out priority 6           # highest priority: empty ACKs keep downloads flowing
# With two queues named, packets marked TOS lowdelay and TCP ACKs carrying no
# payload go to the second (tcp_ack_out); the rest of the state's packets use std_out
pass out on fxp0 inet proto tcp from (fxp0) to any flags S/SA \
    keep state queue(std_out, tcp_ack_out)
Summary
Benefits
Free, secure OS
Enterprise-ready features
Available on many platforms
Cons
Not performance tuned
No SMP support yet
Emphasis on security over ‘bleeding-edge’ software
http://www.openbsd.org
Q&A