Securing IT Assets with Linux

download report

Transcript Securing IT Assets with Linux

Securing IT Assets with Linux
Presented by:
Matthew Will
Steven Kohrs
Bass & Associates, Inc.
Open Source Experts
Securing IT Assets with Linux
Security In Today’s Internet
The Internet resources currently available today to individuals, businesses, and organizations allow for
the innovative exchange of information. However, the widespread storage and transfer of information
creates an opportunity for security breaches, even in the most secure systems. It is important to
recognize the sources of threat, and take educated preventative measures.
• Why is Security Important?
• Security should be a concern in every situation. Whether you’re building a network for a small
trucking firm or working for NASDAQ as a financial advisor.
• The Internet is a vast system of information with varying degrees of confidentiality; it is inviting to
criminal activity because users may be as anonymous as they want. Internet crime continues to grow; it
is important that security be a serious consideration for every user.
• Statistics About Common Threats
• CERT/CC (Computer Emergency Response Team Coordination Center)
• national computer response team that addresses and records security issues
• publishes list of statistics dealing with computer security
Securing IT Assets with Linux
Security In Today’s Internet
• Future Potential Security Problems
• The need for security in the future will be even greater than it is now. Hopefully by then most basic
security precautions will be second nature.
• However, even in the future when higher security measures are taken, new ways will be developed to
get around them.
• There is no guaranteed way to know what the future security concerns will be, only the guarantee that
security will always be an issue.
• Futility of Security
• Security will always be an ongoing process. Security is much like trying to patch holes in a dam.
Although some of the water might occasionally leak through, it is important to never stop patching
holes; enough holes and the dam falls apart.
• Always be on the watch for security holes. Monitoring sites can help in this process. Join trusted list
services that deal with security problems.
Securing IT Assets with Linux
Security In Today’s Internet
• Security is Never 100%
• There is NO way to be completely secure. Skilled crackers can gain entrance to secure systems
without leaving a trace.
• Government agencies, like the CIA and FBI, have been breached before, despite their almost
unlimited resources and abilities. Lately the CIA and the FBI have been off-limits for crackers, but this
is mainly because of their ability to catch crackers, not because they can prevent them from breaking in.
• Solutions for an Insecure World
• What should we do to protect ourselves? There are several methods of security planning.
• Protect a system from inside and outside attacks.
• Basic protection methods include:
• set up firewalls to protect networks; setup firewalls behind firewalls
• set up tripwires to send alerts if and unauthorized person gains access
• patch those security holes and perform regular backups
• use encryption when sending/receiving any data
Securing IT Assets with Linux
Firewall using IPTABLES
Without some form of security, a connection between a local network and the Internet is an
unrestricted pathway. Users inside the network can use resources outside of the network and vice
versa. This accessibility can be beneficial. However, for security, outside access to the network should
be restricted, monitored, and controlled. The most common method of controlling the flow of
information on a network is through the use of packet filtering programs such as iptables.
• Packet Filtering
• Data is sent across networks in the form of packets containing information on the packet’s origin,
destination, and protocol.
• A packet filter is a program which examines the packets as they enter or leave a system, selectively
restricting passage.
Securing IT Assets with Linux
Firewall using IPTABLES
• Why filter?
• Packets that are filtered increase security.
• Prevent ousiders from using services on a system.
• Prevent malicious attacks such as Denial of Service (DoS) and ping flood attacks.
• Control the flow of information.
• Prevent internal system users from using certain sites or types of protocols.
Securing IT Assets with Linux
Firewall using IPTABLES
• The Rules Chain Concept
• The most common method used by packet filtering for the organization of the filters is the rules chain.
A rule chain contains a listing of each filter, or rule, that has been configured on the local system.
•Linux uses four main chains:
• Input – packets traveling to the host
• Output – packets leaving from the host
• Forward – packets received by the host and will be forwarded by the host
• User Defined – special type of chain created by the user that receives packets from the three
main chains for processing
• Rules chains allow for complex filtering of data entering or leaving a system while making it easy to
install and maintain the rules.
Securing IT Assets with Linux
Firewall using IPTABLES
• What is iptables?
• iptables is the building block of a framework inside the Linux kernel. This framework enables packet
filtering, network address translation (NAT), network port translation (NPT), and other packet
• iptables is a generic table structure for the definition of rulesets. Each rule with an IP table consists of
a number of classifiers (iptables matches) and one connection action (iptable target).
• What can I do with iptables?
• build internet firewalls based on stateless and stateful packet filtering
• use NAT and masquerading for sharing internet access
• use NAT to implement transparent proxies
• do further packet manipulation (mangling) like altering the bits of the IP header
Securing IT Assets with Linux
Snort: An Intrusion Detection System
• Why Use Intrusion Detection?
- Intrusion detection devices are an integral part of any network. The Internet is constantly evolving,
and new vulnerabilities and exploits are found regularly. They provide an additional level of protection
to detect the presence of an intruder, and help to provide accountability for the attacker's actions.
• Snort
- Detect and alert based on pattern matching for threats including buffer overflows, stealth port scans,
CGI attacks, SMB probes and NetBIOS queries, NMAP and other portscanners, well-known backdoors
and system vulnerabilities, DDoS clients, and many more.
- Use syslog, SMB "WinPopUp" messages, or a file to alert an administrator.
- Develop new rules quickly once the pattern (attack signature) is known for the vulnerability.
- Record packets in their human-readable form from the offending IP address in a hierarchical directory
-Used as a "passive trap" to record the presence of traffic that should not be found on a network, such as
NFS or P2P connections.
Securing IT Assets with Linux
Snort: An Intrusion Detection System
• Where to Place a Snort System?
- its effectiveness depends largely on where on your network Snort runs and how that computer is
connected to the rest of your network.
- Hubs vs. switches.
Although switches are better for network efficiency, hubs are better for use with Snort. However,
some switches can be configured to echo all traffic to a specific port in addition to sending the
data to the destination computer. Consult your switch's documentation to learn if yours can do
this. If it can't, you may be limited in your ability to monitor internal traffic.
If you put Snort outside of the firewall, it can monitor external attacks on your network, but won't
see most internal traffic.
If you put Snort behind the firewall, it can monitor internal traffic and attacks that manage to
breach the firewall, but not attacks blocked by the firewall.
Securing IT Assets with Linux
Snort: An Intrusion Detection System
• How to keep Snort rules up to date?
- Oinkmaster
Oinkmaster is simple Perl script released under the BSD license to help you update your Snort
2.0+ rules and comment out the unwanted ones after each update. It also has a few other useful
features regarding rules management. Oinkmaster will tell you exactly what had changed since the
last update, giving you good control of your rules. It is most often used to update the official rules
from, but can just as well be used for managing/distributing your homemade rules.
- What problem does Oinkmaster solve?
Since we always want to run the latest and greatest rules, we download the new rules from as soon as they have been updated. Oops - all our customized rules are now
overwritten, and we have to do it all over again. This is where Oinkmaster comes in - it will
automatically do those boring modifications to the rules that you would usually have to do
manually after each update.
Securing IT Assets with Linux
Packet Sniffer - Ethereal
• Network Protocol Analyser
• capture data live IP frames off the wire or save the capture for later analysis
• data can be read from ethernet, PPP, Token-Ring, IEEE 802.11, ect
• browse data via a GUI or TTY mode
• over 500 protocols can be dissected
• Filter data to find exactly what you want
• Monitor the traffic on your network
• verify misuse of your network by internal users
• great way to locate attacks by monitoring suspicous activity
Securing IT Assets with Linux
Monitoring Network Integrity with Nmap
• Network Intrusion Detection Systems (NIDS) are one way to maintain network integrity. However, a
commercial NIDS can be costly to install and maintain.
• If you can't afford a NIDS, basic network mapping techniques are still beneficial. The best tool for network
scanning, also known as port scanning, is the open-source Nmap.
• Nmap performs all sorts of network scans, from simple ping scans to see what hosts on a network are
"alive" to more advanced scans by protocol and packet type.
• Nmap is clearly designed to enable rapid pinpointing of hosts vulnerable to attack, and that's exactly its
• Nmap scans a list of target machines and outputs a list of the interesting ports on each.
• “Protected” areas behind firewalls are frequently left unrestricted. This is folly: most security breaches are
inside jobs, and a firewall is no substitute for good host-based security. On a properly secured host, ALL
network traffic should be accounted for, incoming and outgoing.
• Periodic nmap scans are a key component of any well-rounded security infrastructure.
Securing IT Assets with Linux
System Monitoring
• Check the Log Files
• When monitoring a network for possible breaches, the log files are a rich source of data. They provide
a vast amount of information concerning login attempts, system messages, and remote access. Using
this information, the detection of a break-in and perhaps the subsequent identification of the intruder is
• Security Audits
• The key elements to network security are the ability to analyze a network for tampering and the
correction of vulnerabilities which could possibly invite a breach. There are two types of software and
techniques that are available to aid administrators with either issue.
• One type deals with intruder detection by detecting if a security breach has occurred and whether
anything has been altered, moved, or deleted.
• Another type of security measure is to implement a way of testing a network for security
weakness. Ideally, security breaches in the network will not occur at all, and to prevent those
breaches, preventive measures are extremely important.
• Several programs aid a network administrator in both of these types if security analysis.
Securing IT Assets with Linux
•Nessus is a professional-grade security scanner, but it's a free and 100% customizable one.
- Plug-in architecture. Each security test is written as an external plugin. This way, you can easily add
your own tests without having to read the code of the nessusd engine.
- NASL. The Nessus Security Scanner includes NASL, (Nessus Attack Scripting Language) a language
designed to write security test easily and quickly. (security checks can also be written in C)
- Up-to-date security vulnerability database. We mostly focus on the development of security checks
for recent security holes. Our security checks database is updated on a daily basis.
- Client-server architecture. The Nessus Security Scanner is made up of two parts : a server, which
performs the attacks, and a client which is the front-end. You can run the server and the client on
different systems. That is, you can audit your whole network from your personal computer, whereas the
server performs its attacks from the main frame which is upstairs.
- Can test an unlimited amount of hosts at the same time. Depending of the power of the station you
run the Nessus server onto, you can test two, ten or forty hosts at the same time
- Smart service recognition. Nessus does not believe that the target hosts will respect the IANA
assigned port numbers. This means that it will recognize a FTP server running on a non-standard port
(31337 say), or a web server running on port 8080
Securing IT Assets with Linux
• Nessus
- Multiples services. Imagine that you run two web servers (or more) on your host, one on port 80 and
another on port 8080. When it will come to testing their security, Nessus will test both of them
- Tests cooperation. The security tests performed by Nessus cooperate so that nothing useless is made.
If your FTP server does not offer anonymous logins, then anonymous-related security checks will not
be performed.
- Complete reports : Nessus will not only tell you what's wrong on your network, but will, most of the
time, tell you how to prevent crackers from exploiting the security holes found and will give you the
risk level of each problem found (from Low to Very High)
- Exportable reports : The Unix client can export Nessus reports as ASCII text, LaTeX, HTML,
"spiffy" HTML (with pies and graphs) and an easy-to-parse file format.
- Full SSL support : Nessus has the ability to test SSLized services such as https, smtps, imaps, and
more. You can even supply Nessus with a certificate so that it can integrates into a PKI-fied
- Smart plugins (optional) : Nessus will determine which plugins should or should not be launched
against the remote host (for instance, this prevents the testing of Sendmail vulnerabilities against
Securing IT Assets with Linux
• Nessus
- Non-destructive (optional) : If you don't want to take the risk to bring down services on your
network, you can enable the "safe checks" option of Nessus, which will make Nessus rely on banners
rather than exploiting real flaws to determine if a vulnerability is present
- Nessus Plugins
- Backdoors
- Denial of Service
- Firewalls
- Gain a shell remotely
- Netware
- Peer-To-Peer File Sharing
- Remote file access
- System Settings
- Windows
- CGI abuses
- Default Unix Accounts
- Finger abuses
- Gain root remotely
- Port scanners
- SMTP problems
- Useless services
- Windows : User management
(There are 2095 plugins in the database, covering 1332 unique CVE ids and 1548 unique Bugtraq IDs)
Securing IT Assets with Linux
Intrusion Detection System
• Tripwire
- What is Tripwire software?
Tripwire software is a tool that checks to see what has changed on your system. The program monitors
key attributes of files that should not change, including binary signature, size, expected change of size,
- What is Tripwire used for?
Tripwire is originally known as an intrusion detection tool, but can be used for many other purposes
such as integrity assurance, change management, policy compliance and more.
- Does Tripwire keep out intruders?
Sadly speaking no, but the whole essence of this system is to put into place invisible cameras on your
system that are completely invisible to the intruder who manages to bypass your existing security
framework. Thus Tripwire running stealthily on your system, just sits and waits for something to go
wrong. As soon as a violation occurs it throws a detailed postmortem, having analyzed the crime
scenario. Thus Tripwire will help you determine damage to any of your data, whether it is corrupted,
what is the extent of damage over the network, what System files have been replaced (possible
placement of TROJANS on you System binaries) and in general, the extent of damage.
Securing IT Assets with Linux
Samba 3.0 Does Windows Even Better
• Enables machines to join an Active Directory domain as a native member and to authenticate users with
LDAP and Kerberos. For companies that use Active Directory, these improvements can make a mixedplatform server environment easier to manage. One logon ID for both Windows and Linux systems.
• Its capability as an NT-style primary domain controller offers sites that have held off on deploying Active
Directory a strong option for replacing their Windows file and print servers with Linux boxes running
Samba—for which they needn't buy client access licenses.
• Samba will maintain user, group and domain security identifiers for businesses that are switching from
Windows NT 4.0 domains to Samba domains.
• 'Stacking' VFS (virtual file system) layer allows dynamic checking of file access.
- Virus scanning, auditing, security.
• SWAT (Samba Web Administration Tool)
-a Web-based management and setup client that offers a basic interface into the universe of different
configuruation options for Samba.,1759,1449497,00.asp?rsDis=Samba_3.0_Does_Windows_Even_Better-Page001-110499
Securing IT Assets with Linux
Securing Microsoft Groupware Environments with Linux
• Large portions of many mid- to large-size corporations have based their core IT infrastructure on Microsoft
• It's much simpler to create malicious code if you only have to worry about one flavor of operating system or
mail client or office suite, especially one that facilitates programmatic access either through built-in
mechanisms (e.g. macros) or inherent security flaws (e.g. buffer overflows).
• It is this very environment, which was designed to facilitate easy administration, global collaboration and
information exchange, that requires the most protection.
- is a secure, reliable, efficient, simple message transfer agent.
- Secure: Security isn't just a goal, but an absolute requirement. Mail delivery is critical for users; it
cannot be turned off, so it must be completely secure.
- Reliable: qmail's straight-paper-path philosophy guarantees that a message, once accepted into the
system, will never be lost. qmail also supports maildir, a new, super-reliable user mailbox format.
Maildirs, unlike mbox files and mh folders, won't be corrupted if the system crashes during delivery.
- Efficient: qmail can easily sustain 200,000 local messages per day.
Securing IT Assets with Linux
Securing Microsoft Groupware Environments with Linux
• Qmail
-Simple: qmail is vastly smaller than any other Internet MTA.
(1) qmail has one simple forwarding mechanism that lets users handle their own mailing lists.
(2) qmail-send is instantly triggered by new items in the queue
(3) qmail's design inherently limits the machine load
- In short, it's up to speed on modern MTA features.
• Qmail-Scanner
- an addon that enables a Qmail server to scan all gateway-ed email for certain characteristics (i.e. a
content scanner).
- typically used for its anti-virus protection functions, in which case it is used in conjunction with
external virus scanners.
- can be used as an archiving tool for auditing or backup purposes.
- is integrated into the mail server at a lower level than some other Unix-based virus scanners, resulting
in better performance.
- is capable of scanning not only locally sent/received email, but also email that crosses the server in a
relay capacity.
Securing IT Assets with Linux
Securing Microsoft Groupware Environments with Linux
• Clam AntiVirus
- is a GPL anti-virus toolkit for UNIX. The main purpose of this software is the integration with mail
servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a
command line scanner, and a tool for automatic updating via the Internet. The programs are based on a
shared library distributed with the Clam AntiVirus package, which you can use with your own software.
Most importantly, the virus database is kept up to date .
• SpamAssassin
- is one of the most well known spam fighting tools in the open source world. It is regularly maintained
and updated, works for individual users as well as in site-wide configurations, is highly customizable
and integrates with many different mail servers.
• The never-ending battle
As your inbox no doubt proves, spammers get smarter every day, virus writers get more clever by the
second and users never stop complaining about spam. As a result, you'll need to do regular checks for
software updates to qmail, qmail-scanner, ClamAV, and (especially) SpamAssassin.
Securing IT Assets with Linux
Paros & SPIKE – Fuzzing detection
• Paros
- is a HTTP/HTTPS proxy for assessing web application vulnerability. It supports editing/viewing
HTTP messages on−the−fly with client−certificate, proxy−chaining, filtering and intelligent
vulnerability scanning.
- works on a principle common to the new generation of Web security tools. It runs as a local proxy on
your scanning workstation, and all the interaction between your local browser and the target Web server
is brokered by the security tool.
- can capture an outbound query, alter or fuzz it and then send it along to the server.
- Automated SQL Injection Detection
- Web Site Crawling (guaranteed not to crawl sites other than the one being tested)
- Login form brute forcing
- Automated overflow detection
- Automated directory traversal detection
Securing IT Assets with Linux
F.I.R.E - Forensics and Incident Response Environment
• F.I.R.E.
- is a single CD-ROM Linux distribution geared toward analyzing compromised systems and recovering
data from them.
- can use it either by rebooting the compromised system with the F.I.R.E. CD-ROM or by mounting the
CD-ROM in a running but feared-compromised Linux system and running tools directly off the CD.
- makes it easy to copy data from the compromised system to other hosts on your network.
- includes the X Windows System and a variety of both command-line and X-based security tools
(including Nmap and Nessus).
- can use F.I.R.E. to transform an ordinary Windows laptop into an awesome penetration-testing
- at no extra charge, F.I.R.E.'s major functions can be accessed from a menu system comprehendable
even by those of us who aren't full-time computer forensics specialists.
Securing IT Assets with Linux
• Don’t believe your network cannot be breached. Before making any software or hardware changes
you should first answer one question: How will this effect security in this environment?
• Keep up to date on all security technology. Don’t let your security model become stagnant. New
security holes or leaks are found almost on a daily basis.
• Don’t be afraid of Open Source or the products produced from the Open Source community.
“Open source is not just for hackers. It’s a new way of organizing people to create complex
products in a knowledge-based economy…Open Source is an alternative way of spurring
innovation “
-Steven Weber, author of “The Success of Open Source” Harvard University
Open Source’s Untapped Potential - San Francisco Chronicle - April 19, 2004
Securing IT Assets with Linux
Thank You for Attending
Securing IT Assets with Linux
Links and Additional Information
• Webmin – manage nearly all system services from a web interface
• Big Brother – monitor your network from printers to servers right down to a specific service
• Netfilter – iptables for linux
• Tripwire – intruder detection
• Ethereal – packet sniffer utility to monitor network traffic
• SANS Internet Storm Center – cyber threat monitor and alert system
Securing IT Assets with Linux
Links and Additional Information
• CERT – coordination center of Internet security
• Linux Security – Linux community for security
• PacketStorm – portal for Linux security information
• BugTraq – keep informed on bugs
• Revolution OS – get the story on the open source movement (highly recommended)
• Snort – Intrusion Detection System
Securing IT Assets with Linux
Links and Additional Information
• Oinkmaster – Snort rules manager / updater
• Nessus – system security scanner
• Tripwire – file integrity checker
• Samba – file and printer sharing server
• qmail – safe and secure Mail Transport Agent (MTA)
• qmail-scanner – content scanner for qmail
Securing IT Assets with Linux
Links and Additional Information
• Clam AntiVirus – open source antivirus scanner
• SpamAssassin – a mail filter to identify spam
• Paros – Web application security assessor
• SPIKE – Web application security assessor
• F.I.R.E. – Forensics and Incident Response Environment
Securing IT Assets with Linux
Contact Information
Bass & Associates, Inc.
A HunTel Company
Matthew Will
Open Source Experts
SiLK Enterprises, Inc.
Steven L. Kohrs
Bass & Associates, Inc.
Open Source Experts
2027 Dodge Street; Suite 500
1536 N 105 th Street
Omaha, Ne 68102
Omaha, Ne 68114
[email protected]
[email protected]