Open Source Solutions for Securing information systems


NATIONAL AGENCY FOR COMPUTER SECURITY
-Tunisia-
Open Source Solutions
for
Securing information systems
Haythem elmir
[email protected]
COPYRIGHT © 2005, NACS. All rights reserved
Outline
Introduction
Firewall
Proxy
Authentication
IDS
Host IDS
Anti-spam
Antivirus
Management tool
Vulnerability scanner
Log management tool
Honeypot
Communication encryption
NACS-Tunisia
What makes open source attractive
• Source code available -> auditable
• Free use
• Adaptable and evolving
• Durable
+ Conformance to the main standards (IETF).
+ Documentation and community assistance provided and
available on the Net.
+ Mature deployments on sound, secure platforms (Unix).
Source code available
No security without CONFIDENCE in the tools used
(they do what they claim to do)
Open source:
We can verify everything the tool does and how it does it
(usually without difficulty)
Durability proven for the "must-have" tools
Evolving / Adaptable
No security without autonomy of means
(export restrictions on encryption functions)
We can adapt and extend the tool (without great difficulty):
what it does and how it does it
IF
a research and development activity exists,
ready to ensure:
- Adaptation / simplification of use (GUIs)
- Enrichment and distribution
Free use
Security is complete or it is not
-> Enormous budgetary needs (licenses, ...)
As a complement to commercial solutions,
to provide the required quantitative and qualitative
complementarity
IF
competences exist, ready to ensure
- Deployment / training
- Maintenance / assistance
Categories of the requested open source products
Firewall     25.00%
IDS          22.92%
Audit        22.92%
Encryption   18.75%
PKI          12.50%
(Training wishes: extract from the results of a survey of 70 strategic
companies on IS security, carried out by the security unit of the
Ministry of Communication Technologies)
Open source software for security
Firewall:
Netfilter, IP-Filter
Intrusion detection:
Snort, Prelude, Ntop, Shadow
Encryption:
OpenSSL, OpenSSH, FreeS/WAN, PGP, (ssltunnel)
Vulnerability scanners:
Nessus, Dsniff, Nmap, Sara, Whisker, Nikto, THC-Amap, Hping2, ...
Strong authentication:
OpenLDAP, FreeRadius, S/Key
PKI:
Open_PKI, EuPKI
Antivirus:
Amavis, ClamAV
Honeypots:
Honeyd, HoneyNet, Deception Toolkit, Specter
Anti-spam:
SpamAssassin (server-side solution), SamSpade (client-side solution)
Sniffer detectors:
Neped, Sentinel, Cpm
NetFilter
Presentation:

• Packet filter for Linux kernel 2.4, successor of ipchains (Linux 2.2)
• "Stateful inspection" firewall (and stateless packet filtering for IPv6)
• NAT and PAT for sharing Internet access
• Supports transparent proxies
• Allows setting up sophisticated QoS
NetFilter

Standard IP filtering functionality
• Filtering parameters
- Network interface: input or output
- IP addresses (source and destination): host or subnetwork
- IP header fields (fragmentation, TOS and TTL)
- Layer 4 protocols: TCP, UDP and ICMP (source and destination ports
  for TCP and UDP, flags for TCP, types and codes for ICMP)
• Actions
- Allow (ACCEPT)
- Deny (DROP: the packet is silently discarded)
- Reject (REJECT: an ICMP error message or a TCP segment with the RST flag
  is returned)
NetFilter

Stateful inspection filtering
• Concept
- Dynamic filtering that keeps a state for every current connection
- Only packets related to existing states are allowed
• Protocols
- TCP: segments belonging to a current TCP connection
- UDP: datagrams answering a previously sent UDP datagram
- ICMP: ICMP messages answering a previously sent ICMP message, and ICMP
  error messages related to a tracked connection
• Options to compare traffic with the connection state (-m state --state ...)
- NEW: packet creating a new state
- ESTABLISHED: packet belonging to an established connection
- RELATED: packet related to a current connection
  • ICMP error message
  • traffic related to an application protocol (e.g. the FTP data channel)
- INVALID: packet that cannot be associated with any known connection
• Strategy
- Create a state at the beginning of every connection with NEW, only in the
  directions you want to allow
- Accept all packets belonging to a current connection:
  • ESTABLISHED
  • RELATED
NetFilter

Address and port translation
• Address translation
- One-way (outbound): private addresses to public address(es), with the
  possibility of changing the source port (SNAT / masquerading)
- Bidirectional: one public address mapped to one private address, and back
• Port redirection
- Redirection of one port to another, with or without modifying the
  destination address
Netfilter chains
• Filtering rules are placed in chains
- Chains: subroutines
- Filtering rules: instructions
• Every packet necessarily crosses one of the following 3 standard chains:
- INPUT: packets destined to the local machine
- OUTPUT: packets sent by the local machine
- FORWARD: packets routed through the local machine
NetFilter

A script sample
#!/bin/sh
IFACE=eth0
MYLAN=192.168.1.0/24
MYWKS=192.168.1.1
MYDNS=192.168.1.2
MYADDR=192.168.1.3
# Flush all rules from the standard chains
iptables -F
# Block all traffic by default
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# With a DROP policy, loopback traffic must be allowed explicitly
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Stateful inspection: accept packets belonging to known connections
# (no space after the comma in the state list; -o for outgoing, -i for incoming)
iptables -A OUTPUT -o $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH administration, from the administration workstation only
iptables -A INPUT -i $IFACE -p tcp -s $MYWKS --sport 1024:65535 -d $MYADDR --dport 22 \
  -m state --state NEW -j ACCEPT
# DNS resolution towards the local DNS server
iptables -A OUTPUT -o $IFACE -p udp -s $MYADDR --sport 1024:65535 -d $MYDNS --dport 53 \
  -m state --state NEW -j ACCEPT
# Outbound ping(1) towards the local network (replies come back as ESTABLISHED)
iptables -A OUTPUT -o $IFACE -p icmp -s $MYADDR --icmp-type echo-request -d $MYLAN \
  -m state --state NEW -j ACCEPT
NetFilter

Script generator tools
FwBuilder: www.fwbuilder.org/
PHP Firewall Generator: http://phpfwgen.sourceforge.net
Easyfwgen: easyfwgen.morizot.net/gen/ (on-line)
GIPTables Firewall: www.giptables.org
SQUID

Presentation:
• SQUID is a proxy server that allows sharing Internet access
  between many users through one connection.
• SQUID also provides a cache mechanism, which makes it possible to
  serve data from local resources instead of the Web, reducing
  access times and the consumed bandwidth.
• SQUID caches HTTP, FTP, gopher, etc. It also supports SSL, access
  controls and DNS caching, and provides a complete log of all requests.
SQUID

Access control
Squid can restrict access to particular time ranges, serve information
from the cache, authorize access only to a restricted list of sites or
groups of sites, etc. Squid has two components for these controls:
ACL elements (Access Control List) and access lists. An access list
allows or denies access to a service.
Some of the most important ACL elements:
- src: the client's source IP address
- dst: the destination server's IP address
- srcdomain: the client's domain name (source)
- dstdomain: the server's domain name (destination)
- time: hour of the day and day of the week
- url_regex: regular expression describing a category of URLs
- urlpath_regex: regular expression matching the URL path only (without
  the protocol or the host name)
- proxy_auth: user authenticated through an external authentication process
- maxconn: maximum number of connections per client IP address
A number of tools can be associated with Squid (filtering, statistics,
supervision...). One of the most essential is SquidGuard, a redirector
using the Berkeley DB database from Sleepycat.
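As an added example (not from the slides and not taken from the Squid project's own documentation), the following squid.conf fragment puts the ACL elements listed above to work. The network range, the blocked domains, the authentication helper path and the password file are assumptions chosen for the illustration; the syntax is that of Squid 2.x, which is what this 2005 deck describes.

```conf
# Added example squid.conf fragment; addresses, domains and paths are assumptions.
# Squid 2.x form ("acl all src 0.0.0.0/0.0.0.0", ncsa_auth); Squid 3 ships
# "acl all src all" and basic_ncsa_auth instead.
acl all           src 0.0.0.0/0.0.0.0
acl localnet      src 192.168.1.0/24
acl Safe_ports    port 80 443 21
acl SSL_ports     port 443
acl CONNECT       method CONNECT
acl office_hours  time MTWHF 08:00-18:00
acl blocked_sites dstdomain .ads.example .casino.example
acl ip_urls       url_regex -i ^https?://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
acl heavy         maxconn 20
# auth_param must precede any proxy_auth ACL that uses it
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Proxy
acl authenticated proxy_auth REQUIRED

# Access list. Lines are evaluated in order and all ACLs on one line must
# match (AND); the first matching line decides. If no line matches, Squid
# applies the OPPOSITE of the last line, hence the explicit final deny.
http_access deny  !Safe_ports
http_access deny  CONNECT !SSL_ports
http_access deny  blocked_sites
http_access deny  ip_urls
http_access deny  heavy
http_access allow localnet office_hours authenticated
http_access deny  all
```

Check the file with `squid -k parse` before loading it with `squid -k reconfigure`. The `ip_urls` rule reproduces, in plain Squid, the "deny the use of IP addresses in URLs" feature SquidGuard offers, and the `heavy` line shows `maxconn` used as a per-client abuse limit.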
SquidGuard

Characteristics:
• It can distinguish requests according to:
- Client machine address
- User identity
- URL (obviously)
- Time of the request
- Redirection class (for example an advertisement class, an adult
  class, etc.)
SquidGuard allows you to:
- Limit the access of a set of users to a list of Web servers or
  accepted URLs (known in advance)
- Block access to a list of Web servers or URLs: blacklist
- Block access to URLs matching a list of regular expressions or a
  list of keywords
- Enforce the use of domain names / deny the use of IP addresses in URLs
- Redirect blocked addresses to a CGI-based information page
- Redirect unregistered users to a registration form
- Redirect frequent downloads to local copies
- Apply rules based on time, date, ...
- Assign rules to user groups
[Network diagram: Internet link, OpenLDAP server]
OpenLDAP
• OpenLDAP is a free directory server; it can be installed on many
  platforms, including Windows, Unix and obviously Linux. All Linux
  distributions make it possible to install it.
• Its source code is available and the directory server can be
  extended. For example, there are extensions to integrate OpenLDAP
  with Kerberos, RADIUS and any other authentication mechanism.
• Finally, OpenLDAP is completely integrated into Linux. The majority
  of Linux distributions adopted OpenLDAP as their reference directory
  and offer a compiled, ready-to-use version.
• OpenLDAP can be used to manage operating system users and to share
  the same user base with the applications installed and delivered
  with the system, like Samba, NIS, etc.
OpenLDAP

OpenLDAP services
- Standard directory functions conforming to LDAP v3. It supports the
  LDAPv3 protocol over IPv4 as well as IPv6.
- Also supports SASL (Simple Authentication and Security Layer) for
  authentication and security.
- Supports TLS (Transport Layer Security), which provides encryption
  and integrity of the data exchanged with the directory.
- Authorization management, allowing access control to entries and
  attributes according to the profile of the user connected to the
  directory.
- OpenLDAP supports multi-master and master-slave replication, ensuring
  better availability of the directory and load distribution across
  several directory instances, located on one or more machines.

[Network diagram: Internet link, Apache, OpenLDAP, port mirroring]
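To illustrate the authorization-management point, here is an added slapd.conf access-control fragment; it is not from the slides or from the OpenLDAP project, and the suffix dc=example,dc=com and the administrator DN are assumptions.

```conf
# Added example slapd.conf access control; suffix and DNs are assumptions.
# Clauses are scanned in order: the first "access to" whose target matches
# the entry/attribute is used, and within it the first matching "by" wins.
# Anything that matches no clause is denied, so order from most specific
# (userPassword) to least specific (*). The rootdn bypasses all of this.

# Passwords: the owner may change it, anonymous clients may only use it to
# bind (auth), the admin may reset it, nobody else can even read it.
access to attrs=userPassword
        by self write
        by anonymous auth
        by dn.exact="cn=admin,dc=example,dc=com" write
        by * none

# Account entries: users edit their own entry, authenticated users read
# the others, anonymous clients get nothing.
access to dn.subtree="ou=people,dc=example,dc=com"
        by self write
        by dn.exact="cn=admin,dc=example,dc=com" write
        by users read
        by * none

# Everything else: admin writes, authenticated users read.
access to *
        by dn.exact="cn=admin,dc=example,dc=com" write
        by users read
        by * none
```

Validate the file with `slaptest -f slapd.conf` before restarting slapd. Note that `by self write` on a whole entry lets a user rewrite any attribute of their own record, including ones such as uidNumber or mail if the schema carries them; where those attributes matter, narrow the clause with an `attrs=` list as done for userPassword.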
Snort

Presentation:
• Network intrusion detection system (NIDS)
• Portable to several types of platforms
• Easy installation and configuration
• Strong, real-time detection
Functionality:
• Detection at the protocol layers: IP, TCP, UDP, ICMP
• Detection of abnormal activities:
- Stealth scans and OS fingerprinting
- Invalid ICMP codes
- HTTP preprocessor (CGI attacks)
- Small fragment detection
- Denial of service detection
- Buffer overflow detection
Snort

Writing rules:
• Simple, easy-to-use description language
• A rule must be written on a single line
• Rules can be combined
• Variable substitution is allowed
• It is possible to refer to separate rule files
• Rule sample:
alert tcp any any -> 192.16.1.0/24 any (flags:SF; msg:"Possible SYN FIN scan";)
Log saving:
• Alert file (alert mode, -A)
• A specific file per rule (logto option)
• A specific directory (-l), /var/log/snort by default
• Syslog (-s)
• Application-layer data included in the logs (-d)
• Inside the log directory, packets are saved in subdirectories named
  after the source/destination IP address
Snort

Log (continued)
• Visualizing log files
• Rule:
alert tcp any any -> $MY_NET any (msg:"NMAP TCP ping!"; flags:A; ack:0;)
[Figure: a logged packet annotated with its fields: date, time, source IP
address and port, destination IP address and port, protocol, TTL, type of
service, packet identification number, TCP flags, sequence number and
acknowledgement number]
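The following Python script is an added example, not Snort's own code and not part of the slides: it parses the two rules shown above (the SYN/FIN scan rule and the NMAP TCP ping rule, with $MY_NET defined as the same 192.16.1.0/24 network) and evaluates them against a few constructed packet records, so the matching semantics of the header, `flags` and `ack` keywords can be exercised offline. The packets are made up for the illustration.

```python
"""Minimal matcher for the two Snort rules shown on these slides.

Added example, not part of the slides or of Snort: it parses the rule
header and the flags/ack/msg options, then evaluates the rules against
constructed packet records so the alert logic can be run offline.
"""
import ipaddress
import re

RULE_RE = re.compile(
    r'^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)'
    r'\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)

# Snort flag letters -> bits in the TCP flags byte
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def parse_rule(text, variables=None):
    """Parse one single-line rule; $VAR references are substituted from `variables`."""
    variables = variables or {}
    text = re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], text)
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparsable rule: %r" % text)
    opts = {}
    for item in m.group("opts").split(";"):
        if ":" in item:
            k, v = item.split(":", 1)
            opts[k.strip()] = v.strip().strip('"')
    rule = m.groupdict()
    rule["opts"] = opts
    return rule


def _addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    return spec == "any" or int(spec) == port


def _flags_match(spec, flags):
    """'flags:SF' with no modifier means exactly SYN+FIN set, as on the slide."""
    wanted = 0
    for ch in spec:
        wanted |= FLAG_BITS[ch]
    return flags == wanted


def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport, flags (int), ack (int)."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not (_addr_match(rule["src"], pkt["src"]) and _addr_match(rule["dst"], pkt["dst"])):
        return False
    if not (_port_match(rule["sport"], pkt["sport"]) and _port_match(rule["dport"], pkt["dport"])):
        return False
    opts = rule["opts"]
    if "flags" in opts and not _flags_match(opts["flags"], pkt["flags"]):
        return False
    if "ack" in opts and pkt["ack"] != int(opts["ack"]):
        return False
    return True


def run(rules, packets):
    """Return the list of (msg, packet) alerts, in packet order."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule_matches(rule, pkt):
                alerts.append((rule["opts"].get("msg", ""), pkt))
    return alerts


# The two rules from the slides; $MY_NET is assumed to be the same network.
SLIDE_RULES = [
    parse_rule('alert tcp any any -> 192.16.1.0/24 any (flags:SF; msg:"Possible SYN FIN scan";)'),
    parse_rule('alert tcp any any -> $MY_NET any (msg:"NMAP TCP ping!"; flags:A; ack:0;)',
               {"MY_NET": "192.16.1.0/24"}),
]

# Constructed packets, not captured traffic.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "192.16.1.20", "dport": 22,
     "flags": FLAG_BITS["S"] | FLAG_BITS["F"], "ack": 0},        # SYN+FIN probe
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40001, "dst": "192.16.1.20", "dport": 80,
     "flags": FLAG_BITS["A"], "ack": 0},                          # nmap-style TCP ping
    {"proto": "tcp", "src": "192.16.1.20", "sport": 80, "dst": "10.0.0.5", "dport": 40001,
     "flags": FLAG_BITS["A"], "ack": 0},                          # leaves the network: no match
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40002, "dst": "192.16.1.20", "dport": 80,
     "flags": FLAG_BITS["A"], "ack": 123456},                     # ordinary ACK: no match
]

if __name__ == "__main__":
    for msg, pkt in run(SLIDE_RULES, SAMPLE_PACKETS):
        print("[**] %s [**] %s:%d -> %s:%d" % (msg, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
```

Two things the run makes visible: a bare `flags:A` only fires on a segment whose flag byte is exactly ACK (a PSH+ACK data segment does not match), and `ack:0` is what separates the nmap probe from legitimate ACKs, whose acknowledgement number is practically never zero.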
Snort
Modules (plug-ins) can be added to Snort:
- Flexresp (can be integrated): resets a connection with a TCP RST
- Snort-Inline: a modified Snort version working in active (inline)
  mode (real-time intrusion response)
- Guardian: writes blocking rules into the iptables firewall
- SnortSnarf: log manager for Snort, allows visualizing the detected
  signatures (per host) and the offending packets through a web-based
  interface
A.I.D.E (HIDS)

- AIDE is a HIDS: Host-based Intrusion Detection System.
- It is an improved clone of Tripwire.
- AIDE builds a signature database (using cryptographic hash
  algorithms) of the files we wish to monitor, then periodically (or on
  demand) recomputes these hashes and compares them with the original
  database.
- If the hashes or the attributes differ (file contents, dates, access
  rights, inode, ...), AIDE reports the modification of the file.
- AIDE is very useful after an intrusion to identify all modified
  objects (altered logs, added files, trojaned binaries such as netstat,
  lsof, who, sshd, configuration files, web pages, etc.).
- The baseline database, and the AIDE binary itself, must be kept on
  read-only media or off the host: an intruder with root access can
  otherwise simply regenerate the database after his changes.
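The script below is an added example of the mechanism just described; it is not AIDE's own code or configuration. It records a SHA-256 hash plus the attributes the slide mentions (size, modification time, permissions, inode) for every file under a directory, stores that baseline as a file, then reports added, removed and changed files on a later check. It builds its own scenario in a temporary directory, with a trojaned `netstat` that keeps the original file size, so it runs offline.

```python
"""File-integrity baseline and check in the style of AIDE.

Added example, not AIDE's own code: records a hash plus the metadata the
slides mention for every file under a directory, then reports added,
removed and changed files on a later run. Runs on a temporary directory
it creates itself.
"""
import hashlib
import json
import os
import stat
import tempfile


def fingerprint(path):
    """Hash the content and capture the attributes AIDE compares."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.lstat(path)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mtime": int(st.st_mtime),   # can be reset with touch(1); the hash cannot
        "mode": stat.S_IMODE(st.st_mode),
        "inode": st.st_ino,
    }


def build_baseline(root):
    """Walk `root` and return {relative_path: fingerprint} (the AIDE database)."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = fingerprint(full)
    return db


def check(root, baseline):
    """Compare the live tree with the baseline; return added/removed/changed."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(current) & set(baseline)):
        diffs = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: take a baseline, then simulate an intruder's changes."""
    root = tempfile.mkdtemp(prefix="aide-demo-")
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "netstat"), "wb") as f:
        f.write(b"#!/bin/sh\necho legit netstat\n")
    with open(os.path.join(root, "sshd_config"), "wb") as f:
        f.write(b"PermitRootLogin no\n")
    baseline = build_baseline(root)
    # Persist the database outside the monitored tree, as AIDE does.
    db_path = os.path.join(tempfile.mkdtemp(prefix="aide-db-"), "aide.db.json")
    with open(db_path, "w") as f:
        json.dump(baseline, f)

    # Intruder: trojans netstat keeping the same size, edits sshd_config,
    # and drops a new binary.
    with open(os.path.join(root, "bin", "netstat"), "wb") as f:
        f.write(b"#!/bin/sh\necho evil  netstat\n")
    with open(os.path.join(root, "sshd_config"), "ab") as f:
        f.write(b"PermitRootLogin yes\n")
    with open(os.path.join(root, "bin", "lsof"), "wb") as f:
        f.write(b"backdoor\n")

    with open(db_path) as f:
        stored = json.load(f)
    return check(root, stored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report lists `bin/netstat` as changed on its hash alone: size is unchanged and, if the rewrite lands within the same second, so is mtime. That is the case for comparing content hashes rather than trusting timestamps and sizes.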
[Network diagram: Internet link, Sendmail, Apache, SpamAssassin, OpenLDAP, port mirroring]
SpamAssassin

- "Assassinates" spam in electronic mail; at least it identifies the
  undesirable messages and lets the mail reader deal with them.
- SpamAssassin carries out many tests on the analyzed mail. Some tests
  apply only to HTML mail. They determine whether the mail contains
  frequently used sentences, whether it claims not to be spam under
  certain laws and regulations, whether it contains an unusual number
  of exclamation or question marks, whether it talks about "Million
  Dollars", and so on.
- Each mail receives points for every test that fires; the user can
  set how many points each test is worth in an ASCII configuration
  file. If the sum of all the points exceeds a certain threshold (also
  configurable), SpamAssassin judges the mail to be spam.
- Once this decision is taken, SpamAssassin inserts headers giving the
  results of the tests. If desired, spam can be forced into "text/plain"
  format, which makes the results easier to consult.
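As an added example of the scoring model described above (not SpamAssassin's code, and not its real rule set or scores), the Python script below runs a handful of constructed tests against a message, sums their points, compares the total with a threshold, and prepends X-Spam-Status / X-Spam-Level headers the way SpamAssassin does. The rule names, their scores and the two sample messages are invented for the illustration; the 5.0 threshold matches SpamAssassin's default required_score.

```python
"""Score-based spam tagging in the style of SpamAssassin.

Added example, not SpamAssassin's code or rule set: constructed rules with
per-rule scores, a configurable threshold, user score overrides, and the
insertion of X-Spam-* headers into the message.
"""
import email
import re
from email import policy

# Constructed rules: (name, default score, regex or None, target).
RULES = [
    ("MILLION_DOLLARS", 2.5, re.compile(r"million\s+dollars", re.I), "body"),
    ("MANY_EXCLAM", 1.0, re.compile(r"(!\s*){3,}"), "body"),
    ("CLAIMS_NOT_SPAM", 1.5, re.compile(r"this (is not|isn't) spam", re.I), "body"),
    ("HTML_ONLY", 0.5, None, "html_only"),   # structural test, not a regex
    ("SUBJ_ALL_CAPS", 1.0, re.compile(r"^[A-Z0-9 !$]{12,}$"), "subject"),
]
REQUIRED_SCORE = 5.0   # SpamAssassin's default required_score


def _parts(msg):
    """Return (subject, text with HTML tags stripped, has_text_part, has_html_part)."""
    subject = msg["Subject"] or ""
    plain, has_text, has_html = [], False, False
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            has_text = True
            plain.append(part.get_content())
        elif part.get_content_type() == "text/html":
            has_html = True
            plain.append(re.sub(r"<[^>]+>", " ", part.get_content()))
    return subject, "\n".join(plain), has_text, has_html


def score_message(raw, rules=RULES, scores=None):
    """Run every rule; return (total, [(rule, points), ...]) like SA's test report."""
    scores = scores or {}   # user overrides, like "score RULE n" lines in local.cf
    msg = email.message_from_string(raw, policy=policy.default)
    subject, body, has_text, has_html = _parts(msg)
    hits = []
    for name, default, regex, target in rules:
        points = scores.get(name, default)
        if target == "html_only":
            fired = has_html and not has_text
        else:
            fired = regex.search(subject if target == "subject" else body) is not None
        if fired:
            hits.append((name, points))
    return sum(p for _, p in hits), hits


def tag(raw, threshold=REQUIRED_SCORE, scores=None):
    """Return the message with SA-style X-Spam-* headers prepended."""
    total, hits = score_message(raw, scores=scores)
    is_spam = total >= threshold
    status = "%s, score=%.1f required=%.1f tests=%s" % (
        "Yes" if is_spam else "No", total, threshold,
        ",".join(n for n, _ in hits) or "none")
    headers = "X-Spam-Status: %s\nX-Spam-Level: %s\n" % (status, "*" * int(total))
    if is_spam:
        headers += "X-Spam-Flag: YES\n"
    return headers + raw


# Constructed sample messages, not real mail.
SPAMMY = (
    "From: promo@example.test\nTo: you@example.test\nSubject: YOU WON A PRIZE!!!\n"
    "MIME-Version: 1.0\nContent-Type: text/html\n\n"
    "<html><body><b>Claim your MILLION DOLLARS now!!! </b>"
    "<p>This is not spam, see section 301.</p></body></html>\n"
)
LEGIT = (
    "From: colleague@example.test\nTo: you@example.test\nSubject: Meeting notes\n"
    "MIME-Version: 1.0\nContent-Type: text/plain\n\n"
    "Attached are the notes from today. Thanks!\n"
)

if __name__ == "__main__":
    for raw in (SPAMMY, LEGIT):
        print(tag(raw).split("\n\n")[0], "\n")
```

The `scores` argument plays the role of the ASCII configuration file the slide mentions: zeroing three of the five rules drops the spammy message below the threshold, which is exactly how a site tunes false positives without touching the tests themselves.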
[Network diagram: Internet link, Sendmail, Apache, SpamAssassin, Amavis, OpenLDAP, port mirroring]
Amavis

• Comes in 2 versions (formerly amavis-perl): amavisd and amavisd-new
- amavisd: a daemon, launched once and kept resident.
- amavisd-new: an evolution of the original amavis (which consumed
  resources because a Perl program had to be started for each message
  to process), offering rich functionality (for instance coupling an
  anti-spam tool with the antivirus).
- Can cooperate with other tools such as ClamAV.
[Network diagram: Internet link, Sendmail, Apache, SpamAssassin, Amavis, Webmin management console, OpenLDAP, port mirroring]
Webmin

- Webmin is a web-based administration interface designed for Unix
  hosting servers.
- This interface allows interaction with all the programs installed on
  the server (Snort, Netfilter, Apache, Squid, Sendmail, ...).
- Webmin has many functions such as DNS management, remote machine
  restart and scheduled tasks (cron).
- Its structure makes it possible to add extra modules to extend its
  functionality.
- Since Webmin runs with root privileges, its listening port should be
  reachable only from the administration workstation and served over
  SSL.
[Network diagram: Internet link, Sendmail, Apache, SpamAssassin, Amavis, Webmin management console, Swatch log watcher, OpenLDAP, port mirroring]
Swatch

- Provides real-time supervision of logs and starts preset actions
  (alarm, ...) when a specific event (trigger) occurs.
- Swatch (Simple WATCHer) is a tool that supervises and manages logs.
  It was designed to reduce the heavy task of managing enormous
  quantities of logs.
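The Python script below is an added example of the watch-and-trigger idea, not Swatch's code and not its swatchrc syntax: each watch entry pairs a regular expression with a throttle window, so that a brute-force burst raises one alarm per source instead of one per line, which is the part of log watching that decides whether anyone still reads the alarms. The syslog lines it runs over are constructed, not taken from a real host.

```python
"""Log watcher in the style of Swatch: patterns, actions and throttling.

Added example, not Swatch's code or its configuration format. Each watch
pairs a regex with a throttle (seconds); repeats of the same event for
the same source inside the window are counted but not re-alarmed.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

WATCHES = [
    # (name, regex applied to the message part, throttle in seconds)
    ("ssh_failed_login",
     re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"), 60),
    ("root_login", re.compile(r"Accepted \S+ for root from (?P<ip>\S+)"), 0),
    ("disk_full", re.compile(r"No space left on device"), 300),
]


def _seconds(ts):
    """Seconds since the start of the month: enough to order one month of syslog."""
    _mon, day, clock = ts.split()
    h, m, s = (int(x) for x in clock.split(":"))
    return ((int(day) * 24 + h) * 60 + m) * 60 + s


def watch(lines, watches=WATCHES):
    """Return (fired, suppressed): alarms as (name, key, line), and repeat counts."""
    last_fired = {}                # (name, key) -> time of the last alarm
    suppressed = defaultdict(int)  # (name, key) -> repeats swallowed by the throttle
    fired = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        now = _seconds(m.group("ts"))
        for name, rx, throttle in watches:
            hit = rx.search(m.group("msg"))
            if not hit:
                continue
            key = hit.groupdict().get("ip", "")   # throttle per source when one exists
            k = (name, key)
            if k in last_fired and now - last_fired[k] < throttle:
                suppressed[k] += 1
                continue
            last_fired[k] = now
            fired.append((name, key, line))
    return fired, dict(suppressed)


# Constructed syslog lines, not from a real host.
SAMPLE_LOG = """\
Mar  3 10:00:01 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 4021 ssh2
Mar  3 10:00:02 gw sshd[1202]: Failed password for invalid user admin from 203.0.113.9 port 4022 ssh2
Mar  3 10:00:03 gw sshd[1203]: Failed password for root from 203.0.113.9 port 4023 ssh2
Mar  3 10:00:40 gw sshd[1204]: Failed password for root from 198.51.100.7 port 5100 ssh2
Mar  3 10:01:30 gw sshd[1205]: Failed password for root from 203.0.113.9 port 4024 ssh2
Mar  3 10:02:00 gw sshd[1206]: Accepted publickey for root from 192.168.1.1 port 52000 ssh2
Mar  3 10:02:05 gw kernel: eth0: link up
Mar  3 10:03:00 gw named[300]: No space left on device
""".splitlines()

if __name__ == "__main__":
    fired, suppressed = watch(SAMPLE_LOG)
    for name, key, line in fired:
        print("ALARM %-16s %-14s %s" % (name, key, line))
    print("suppressed repeats:", suppressed)
```

In a real deployment the `fired` list is where the action goes (mail, bell, a Guardian-style firewall rule), and the suppressed counts belong in the alarm text so the reader knows the single alarm stands for a burst.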
Nessus

Presentation:
• Nessus is a multi-platform security scanner: it audits the security
  of many network components. Based on a vulnerability database, it
  reports the existing weaknesses and vulnerabilities on the network.
  It is based on a client-server architecture.
• Nessus is able to identify:
- The machines present on the network (IP address, name)
- The operating systems used on a given machine
- The services (daemons) running on a given machine
- The security status of the network

Nessus

Operation:
• Nessus audits security with two elements: a client and a server. The
  server, nessusd, tests the requested system by trying all the attacks
  contained in its base, while the client, nessus (with a graphical
  interface), generates a report on the obtained results.
• The server has a database of 300 attacks, which the administrator can
  update periodically. Nessusd's attacks are coded as external modules
  (plug-ins) written in different languages.

Nessus

Characteristics:
• Intelligent service recognition: Nessus does not rely on the port
  number to identify services, so an HTTP server running on port 1234
  will be detected.
• Several machines are scanned concurrently in order to speed up the
  analysis.
[Network diagram: Internet link, Sendmail, Apache, SpamAssassin, Amavis, Webmin management console, Swatch log watcher, HoneyD, OpenLDAP, port mirroring]
HoneyD

Honeynet
- A honeypot is a program, a machine or a system placed on a network in
  order to be reached by an attacker.
- The concept is to make the attacker believe he is on a legitimate
  system.
- Honeypots are virtual machines simulating real systems, pretending to
  offer the services and open ports found on other machines.
- These services are meant to attract the attacker's attention so that
  he spends time and resources, which the honeypot records afterwards.
Honeypots are designed to be penetrated, for two reasons. First, to
gather information about the weaknesses of a system: the administrator
can learn from the attacker how he proceeded to break into the system.
Second, to collect information about the attackers and, if required,
to prosecute them.
[Network diagram: Internet link, Sendmail, Apache, SpamAssassin, Amavis, Webmin management console, Swatch log watcher, HoneyD, GPG, OpenLDAP, port mirroring]
GPG

- GnuPG is a tool launched from a terminal, without a graphical
  interface. It is a cryptographic engine used directly from a prompt,
  a shell script or another program. It can also provide cryptographic
  services to other applications.
- However, even used from a terminal, it provides all the necessary
  functionality, as well as an interactive menu. Its command set is
  more complete than that of the graphical front-ends.
- It completely replaces PGP.
- Can be used as a filter program.
- Presents security improvements compared to PGP 2.
- Decrypts and verifies PGP 5, 6 and 7 messages.
- Supports ElGamal, DSA, RSA, AES, 3DES, Blowfish, Twofish, CAST5, MD5,
  SHA-1, RIPEMD-160 and TIGER (MD5 and SHA-1 are listed for
  compatibility; neither should be relied on for new signatures today).
- Easy implementation of new algorithms using extension modules.
- Supports expiration dates for keys and signatures.

Thank You