Transcript Monitor Smart Meters
C
ONFIGURING AND
S
ECURITY
: S
YSTEM
M
ANAGING
A
CCESS
C RNI
ONTROL
RNI R
ELEASE
3.1 SP2
© 2013 Sensus. All rights reserved.
C-PAMRAMI-WG-0139-01
2
The goal of this module is to:
Introduce actions that Sensus has taken to prevent visibility and access to system resources.
3
Following this module, you should be able to:
1.
2.
Recall actions taken by Sensus to secure RNI servers prior to shipment to utility.
Describe why using commercial Secure Socket Layer (SSL) certificates are important.
4 Controlling System Access
System Access Control
Server Hardening Commercial SSL Certificates
5 Understanding RNI System Hardening • •
System Access Control
Intended to eliminate as many security risks (such as unauthenticated and unauthorized access to the system) as possible For 3.x, Sensus performs system hardening on the following RNI components: – Network Controller – Web server – Database server – Stats server – Red Hat Enterprise Linux – Apache Web server – Apache Tomcat Review – OpenLDAP server
6 Linux-Based Hardening Actions
System Access Control
• • • Applies to Network Controller and Web servers Performed during installation by Sensus Actions performed: 1.
2.
3.
4.
5.
6.
7.
Add default root user Change root password to complex password Register server with Red Hat Network Disable user mounted file systems Disable USB devices Change directory and file permissions on sensitive system resources and critical files Remove unused user accounts
7 Linux-Based Hardening Actions
(Continued) System Access Control
8.
9.
Lock down existing user accounts Set password policy for local users 10.
Lock down crontab files 11.
Set requirements for PAM (Pluggable Authentication Modules) support 12.
Customize login in banner (optional) 13.
Set permissions for network configurations 14.
Secure files associated with auditing and logging 15.
Configure remote delivery of syslog messages to central location 16.
Configure SSH access only for strong, authenticated sessions 17.
Configure SNMP as needed 18.
Configure audit services to track critical actions on system
8 Database Server Hardening Actions
System Access Control
• • Performed during installation by Sensus 2.
3.
4.
5.
6.
Actions performed: 1.
Change default passwords to complex passwords for local user accounts Set password policy Set account lockout policy Set audit policy Set security options Change default passwords on SQL server
9 Stats Server Hardening Actions
System Access Control
• • Performed during installation by Sensus 2.
3.
4.
5.
6.
Actions performed: 1.
Change default passwords to complex passwords for local user accounts Set password policy Set account lockout policy Set audit policy Set security options Enable SSL on default Web server
10 Apache Web Server Hardening Actions • • • Performed after Linux hardening Performed during installation by Sensus Actions performed: 1.
2.
Remove track and trace HTTP methods Remove insecure encryption ciphers
System Access Control
11 Apache Tomcat Server Hardening Actions
System Access Control
• • • Performed after Apache Web server hardening Performed during installation by Sensus Actions performed: 1.
2.
3.
4.
5.
Remove default tomcat5 files Remove default tomcat6 files Replace shutdown password on tomcat5 install Replace shutdown password on tomcat6 install Update default session timeout as needed
12 OpenLDAP Server Hardening Actions
System Access Control
• • Performed during installation by Sensus Actions performed: 1.
2.
3.
4.
5.
Remove insecure encryption ciphers Disable anonymous bind Create Read-Only and Read/Write accounts for application access Hash all passwords Restrict access to password hashes
13
14
Question
:
1.
What is the purpose of the system hardening procedures performed by Sensus?
a) Limit system access to administrators b) c) d) Prevent password changes on the system Reduce risk of unauthorized access to system Hide selected servers from users
15
Question
:
2.
Which of the following actions is common to server hardening procedures for the various RNI components?
a) b) Customize log in banner Change default passwords c) d) Register server with Red Hat Remove track and trace HTTP methods
16 Controlling System Access
System Access Control
Server Hardening Commercial SSL Certificates
17 SSL and SSL Certificates Defined • • • •
System Access Control
Secure Sockets Layer (SSL) is a standard security protocol used to establish an encrypted link between a server and a client – Typically a web server (website) and a browser, or a mail server and a mail client (e.g., Outlook) Browser and server need an SSL Certificate to establish the secure connection SSL Certificates identify a key pair and the identity of the certificate/website owner RNI uses SSL and SSL certificates to secure communications between the hardware servers and its software application users
18 Impact of Using SSL Certificates • • Users must be authenticated, use a unique password, to log in Users must enter the server addresses with https:// instead of http://
19
20
Question
:
1.
Which of the following are true about SSL enabled NC, Web, and Stats servers?
a) Users must be authenticated, use a unique password, to log in b) Users must enter the server addresses with https:// in front c) Provides secure communications between the RNI hardware servers and its software application users d) All of the above