Securing IT Assets with Linux. Presented by Matthew Will, Bass & Associates, Inc., and Steven Kohrs, Open Source Experts.
Securing IT Assets with Linux
• Presented by:
• Matthew Will, Bass & Associates, Inc.
• Steven Kohrs, Open Source Experts
Securing IT Assets with Linux • Security In Today’s Internet
• The Internet resources currently available to individuals, businesses, and organizations allow for the innovative exchange of information. However, the widespread storage and transfer of information creates an opportunity for security breaches, even in the most secure systems. It is important to recognize the sources of threat and take educated preventative measures.
• Why is Security Important?
• Security should be a concern in every situation, whether you’re building a network for a small trucking firm or working for NASDAQ as a financial advisor.
• The Internet is a vast system of information with varying degrees of confidentiality; it is inviting to criminal activity because users may be as anonymous as they want. Internet crime continues to grow; it is important that security be a serious consideration for every user.
• Statistics About Common Threats
• CERT/CC (Computer Emergency Response Team Coordination Center)
• national computer response team that addresses and records security issues
• publishes a list of statistics dealing with computer security
Securing IT Assets with Linux • Security In Today’s Internet
• Future Potential Security Problems
• The need for security in the future will be even greater than it is now. Hopefully by then most basic security precautions will be second nature.
• However, even in the future when stronger security measures are taken, new ways will be developed to get around them.
• There is no guaranteed way to know what future security concerns will be, only the guarantee that security will always be an issue.
• Futility of Security
• Security will always be an ongoing process. Security is much like trying to patch holes in a dam. Although some water might occasionally leak through, it is important never to stop patching holes; enough holes and the dam falls apart.
• Always be on the watch for security holes. Monitoring sites can help in this process. Join trusted mailing lists that deal with security problems.
Securing IT Assets with Linux • Security In Today’s Internet
• Security is Never 100%
• There is NO way to be completely secure. Skilled crackers can gain entrance to secure systems without leaving a trace.
• Government agencies, like the CIA and FBI, have been breached before, despite their almost unlimited resources and abilities. Lately the CIA and the FBI have been off-limits for crackers, but this is mainly because of their ability to catch crackers, not because they can prevent them from breaking in.
• Solutions for an Insecure World
• What should we do to protect ourselves? There are several methods of security planning.
• Protect a system from inside and outside attacks.
• Basic protection methods include:
• set up firewalls to protect networks; set up firewalls behind firewalls
• set up tripwires to send alerts if an unauthorized person gains access
• patch security holes and perform regular backups
• use encryption when sending/receiving any data
Securing IT Assets with Linux • Firewall using IPTABLES
• Without some form of security, a connection between a local network and the Internet is an unrestricted pathway. Users inside the network can use resources outside the network and vice versa. This accessibility can be beneficial. However, for security, outside access to the network should be restricted, monitored, and controlled. The most common method of controlling the flow of information on a network is through the use of packet filtering programs such as iptables.
• Packet Filtering
• Data is sent across networks in the form of packets containing information on the packet’s origin, destination, and protocol.
• A packet filter is a program which examines packets as they enter or leave a system, selectively restricting their passage.
Securing IT Assets with Linux • Firewall using IPTABLES
• Why filter?
• Filtering packets increases security.
• Prevent outsiders from using services on a system.
• Prevent malicious attacks such as Denial of Service (DoS) and ping flood attacks.
• Control the flow of information.
• Prevent internal system users from using certain sites or types of protocols.
Securing IT Assets with Linux • Firewall using IPTABLES
• The Rules Chain Concept
• The most common method used by packet filters to organize their filters is the rules chain. A rules chain contains a listing of each filter, or rule, that has been configured on the local system.
• Linux uses four main chains:
• Input – packets traveling to the host
• Output – packets leaving from the host
• Forward – packets received by the host that will be forwarded on to another host
• User Defined – a special type of chain created by the user that receives packets from the three main chains for processing
• Rules chains allow for complex filtering of data entering or leaving a system while making it easy to install and maintain the rules.
Securing IT Assets with Linux • Firewall using IPTABLES
• What is iptables?
• iptables is the building block of a framework inside the Linux kernel. This framework enables packet filtering, network address translation (NAT), network port translation (NPT), and other packet mangling.
• iptables is a generic table structure for the definition of rulesets. Each rule within an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target).
• What can I do with iptables?
• build Internet firewalls based on stateless and stateful packet filtering
• use NAT and masquerading for sharing Internet access
• use NAT to implement transparent proxies
• do further packet manipulation (mangling) like altering the bits of the IP header
• http://www.netfilter.org/
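As an added example (not from the slides or from netfilter.org), the script below builds a small default-deny ruleset that exercises all four chain types described above, the INPUT, OUTPUT and FORWARD chains plus a user-defined LOG_DROP chain, together with the stateful filtering and masquerading the iptables slide lists. The interface names, the LAN range and the single permitted service are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the presentation: a minimal stateful iptables
# firewall for a Linux gateway. The ruleset is emitted as text so it can be
# reviewed (or diffed against the running config) before being applied as root.
#
# Assumed (constructed) environment: eth0 faces the Internet, eth1 faces a
# LAN of 192.168.1.0/24, and the gateway itself only offers SSH to the LAN.
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24

fw_rules() {
    cat <<EOF
# start from a clean slate; default-deny for traffic to and through the host
iptables -F
iptables -X
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# user-defined chain: rate-limited log entry, then drop
iptables -N LOG_DROP
iptables -A LOG_DROP -m limit --limit 5/min -j LOG --log-prefix "FW DROP: "
iptables -A LOG_DROP -j DROP
# INPUT: loopback, replies to connections we opened, SSH from the LAN only
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j LOG_DROP
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -j LOG_DROP
# FORWARD: the LAN may open outbound connections; only their replies come back
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -j LOG_DROP
# NAT: hide the LAN behind the gateway's public address (masquerading)
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Sanity checks a reviewer can run on the generated ruleset.
fw_rule_count()    { fw_rules | grep -c '^iptables '; }
fw_count_logdrop() { fw_rules | grep -c -- '-j LOG_DROP'; }

# Apply the ruleset; refuses to run unless root, since iptables requires it.
fw_apply() {
    [ "$(id -u)" -eq 0 ] || { echo "fw_apply: must be root" >&2; return 1; }
    fw_rules | sh -e
}

case "${1:-show}" in
    apply) fw_apply ;;
    show)  fw_rules ;;
esac
```

OUTPUT is left open here; on a locked-down host it would be restricted as well, so that outgoing traffic is accounted for too.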
Securing IT Assets with Linux • Snort: An Intrusion Detection System
• Why Use Intrusion Detection?
• Intrusion detection devices are an integral part of any network. The Internet is constantly evolving, and new vulnerabilities and exploits are found regularly. They provide an additional level of protection to detect the presence of an intruder, and help to provide accountability for the attacker's actions.
• Snort
• Detect and alert based on pattern matching for threats including buffer overflows, stealth port scans, CGI attacks, SMB probes and NetBIOS queries, NMAP and other portscanners, well-known backdoors and system vulnerabilities, DDoS clients, and many more.
• Use syslog, SMB "WinPopUp" messages, or a file to alert an administrator.
• Develop new rules quickly once the pattern (attack signature) is known for the vulnerability.
• Record packets in their human-readable form from the offending IP address in a hierarchical directory structure.
• Used as a "passive trap" to record the presence of traffic that should not be found on a network, such as NFS or P2P connections.
• http://www.linuxsecurity.com/feature_stories/using-snort.html
Securing IT Assets with Linux • Snort: An Intrusion Detection System
• Where to Place a Snort System?
• Its effectiveness depends largely on where on your network Snort runs and how that computer is connected to the rest of your network.
• Hubs vs. switches.
• Although switches are better for network efficiency, hubs are better for use with Snort. However, some switches can be configured to echo all traffic to a specific port in addition to sending the data to the destination computer. Consult your switch's documentation to learn if yours can do this. If it can't, you may be limited in your ability to monitor internal traffic.
• Firewalls.
• If you put Snort outside of the firewall, it can monitor external attacks on your network, but won't see most internal traffic. If you put Snort behind the firewall, it can monitor internal traffic and attacks that manage to breach the firewall, but not attacks blocked by the firewall.
• http://www.linux-mag.com/2003-05/guru_01.html
Securing IT Assets with Linux • Snort: An Intrusion Detection System
• How to keep Snort rules up to date?
• Oinkmaster
• Oinkmaster is a simple Perl script released under the BSD license to help you update your Snort 2.0+ rules and comment out the unwanted ones after each update. It also has a few other useful features regarding rules management. Oinkmaster will tell you exactly what has changed since the last update, giving you good control of your rules. It is most often used to update the official rules from www.snort.org, but can just as well be used for managing/distributing your homemade rules.
• What problem does Oinkmaster solve?
• Since we always want to run the latest and greatest rules, we download the new rules from www.snort.org as soon as they have been updated. Oops - all our customized rules are now overwritten, and we have to do it all over again. This is where Oinkmaster comes in - it will automatically do those boring modifications to the rules that you would usually have to do manually after each update.
• www.snort.org/dl/rules
Securing IT Assets with Linux • Packet Sniffer - Ethereal
• Network Protocol Analyser
• capture live IP frames off the wire or save the capture for later analysis
• data can be read from Ethernet, PPP, Token Ring, IEEE 802.11, etc.
• browse data via a GUI or in TTY mode
• over 500 protocols can be dissected
• filter data to find exactly what you want
• Monitor the traffic on your network
• verify misuse of your network by internal users
• great way to locate attacks by monitoring suspicious activity
• http://www.ethereal.com/
Securing IT Assets with Linux • Monitoring Network Integrity with Nmap
• Network Intrusion Detection Systems (NIDS) are one way to maintain network integrity. However, a commercial NIDS can be costly to install and maintain.
• If you can't afford a NIDS, basic network mapping techniques are still beneficial. The best tool for network scanning, also known as port scanning, is the open-source Nmap.
• Nmap performs all sorts of network scans, from simple ping scans to see which hosts on a network are "alive" to more advanced scans by protocol and packet type.
• Nmap is clearly designed to enable rapid pinpointing of hosts vulnerable to attack, and that's exactly its strength.
• Nmap scans a list of target machines and outputs a list of the interesting ports on each.
• “Protected” areas behind firewalls are frequently left unrestricted. This is folly: most security breaches are inside jobs, and a firewall is no substitute for good host-based security. On a properly secured host, ALL network traffic should be accounted for, incoming and outgoing.
• Periodic nmap scans are a key component of any well-rounded security infrastructure.
• http://www.certcities.com/editorial/columns/story.asp?EditorialsID=109
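To make the "periodic scans" point concrete, the added script below (not part of the column or the slides) keeps a baseline of open ports taken from Nmap's grepable output (nmap -oG) and reports which ports appeared or disappeared in a later scan, so a service that quietly starts listening on an internal host is noticed. The two scan results it parses are constructed samples with invented hosts and ports.

```shell
#!/bin/sh
# Added example, not from the slides: compare two Nmap "grepable" (-oG)
# scan results and report ports that have opened or closed since the baseline.
# With real data:  nmap -oG baseline.gnmap 192.168.1.0/24   (known-good state)
#                  nmap -oG today.gnmap    192.168.1.0/24   (from cron)
#                  port_diff baseline.gnmap today.gnmap
export LC_ALL=C   # stable, byte-wise sort order for sort/comm

# Print "host port/proto" for every port reported open in a -oG file.
open_ports() {
    awk '/^Host:/ {
        host = $2
        n = split($0, fld, "\t")            # -oG fields are tab-separated
        for (i = 1; i <= n; i++) {
            if (fld[i] !~ /^Ports: /) continue
            sub(/^Ports: /, "", fld[i])
            m = split(fld[i], port, ", ")   # 22/open/tcp//ssh///, 80/open/tcp//http///
            for (j = 1; j <= m; j++) {
                split(port[j], f, "/")      # f[1]=port f[2]=state f[3]=proto
                if (f[2] == "open") print host, f[1] "/" f[3]
            }
        }
    }' "$1" | sort
}

# Usage: port_diff BASELINE_GNMAP CURRENT_GNMAP
# Prints "NEW  host port/proto" for newly open ports and "GONE ..." for closed ones.
port_diff() {
    base=$(mktemp); cur=$(mktemp)
    open_ports "$1" > "$base"
    open_ports "$2" > "$cur"
    comm -13 "$base" "$cur" | sed 's/^/NEW  /'
    comm -23 "$base" "$cur" | sed 's/^/GONE /'
    rm -f "$base" "$cur"
}

# Constructed sample scans (hosts, ports and counts are invented for the example).
BASELINE=$(mktemp)
CURRENT=$(mktemp)
printf '# Nmap 3.50 scan initiated (constructed sample)\n' > "$BASELINE"
printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (1655)\n' >> "$BASELINE"
printf 'Host: 192.168.1.20 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (1656)\n' >> "$BASELINE"
printf '# Nmap 3.50 scan initiated (constructed sample)\n' > "$CURRENT"
printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/open/tcp//mysql///\tIgnored State: closed (1654)\n' >> "$CURRENT"
printf 'Host: 192.168.1.20 ()\tStatus: Up\n' >> "$CURRENT"

# Stand-alone run: an unexpected new listener (3306 here) is worth a look,
# and a vanished service (22 on .20) may mean the host was rebuilt or replaced.
port_diff "$BASELINE" "$CURRENT"
```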
Securing IT Assets with Linux • System Monitoring
• Check the Log Files
• When monitoring a network for possible breaches, the log files are a rich source of data. They provide a vast amount of information concerning login attempts, system messages, and remote access. Using this information, the detection of a break-in and perhaps the subsequent identification of the intruder is possible.
• Security Audits
• The key elements of network security are the ability to analyze a network for tampering and the correction of vulnerabilities which could invite a breach. Two types of software and techniques are available to aid administrators with these issues.
• One type deals with intruder detection: detecting whether a security breach has occurred and whether anything has been altered, moved, or deleted.
• The other type tests a network for security weaknesses. Ideally, security breaches in the network will not occur at all, and to prevent those breaches, preventive measures are extremely important.
• Several programs aid a network administrator in both of these types of security analysis.
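An added example of the log review the slide describes (not from the presentation): it scans sshd entries in a syslog-style auth log for sources with repeated failed logins, and for a successful login from an address that had just been failing, which is the trace a password-guessing break-in leaves behind. The log lines, hosts, users and addresses are constructed samples.

```shell
#!/bin/sh
# Added example, not from the slides: two checks over sshd entries in an auth
# log (/var/log/auth.log or /var/log/secure on most Linux systems).
#   1. sources with at least THRESHOLD failed logins (password guessing)
#   2. an accepted login from a source that already had THRESHOLD failures,
#      i.e. the guessing may have succeeded and that account needs a look
# Constructed sample log; host, users and addresses are invented.
AUTH_LOG=$(mktemp)
cat > "$AUTH_LOG" <<'EOF'
Apr 19 10:01:02 gw sshd[1234]: Accepted password for mwill from 192.168.1.15 port 3022 ssh2
Apr 19 10:01:09 gw sshd[1240]: Failed password for illegal user admin from 10.0.0.5 port 4312 ssh2
Apr 19 10:01:12 gw sshd[1241]: Failed password for root from 10.0.0.5 port 4313 ssh2
Apr 19 10:01:15 gw sshd[1242]: Failed password for root from 10.0.0.5 port 4314 ssh2
Apr 19 10:02:40 gw sshd[1250]: Failed password for skohrs from 192.168.1.15 port 3030 ssh2
Apr 19 10:02:44 gw sshd[1251]: Accepted password for skohrs from 192.168.1.15 port 3031 ssh2
Apr 19 10:05:00 gw sshd[1260]: Accepted password for root from 10.0.0.5 port 4330 ssh2
EOF

# Usage: audit_sshd LOGFILE THRESHOLD
# Prints one line per finding, sorted:
#   BRUTEFORCE <ip> <failures>        SUSPECT <ip> <user> <failures-before-success>
audit_sshd() {
    awk -v thr="$2" '
        # address after the last " from ", user after the last " for "
        function src(line) { sub(/.* from /, "", line); sub(/ port .*/, "", line); return line }
        function usr(line) { sub(/.* for /, "", line);  sub(/ from .*/, "", line); return line }
        /sshd\[[0-9]+\]: Failed password for/ { fails[src($0)]++ }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
            ip = src($0)
            if (fails[ip] >= thr) print "SUSPECT", ip, usr($0), fails[ip]
        }
        END { for (ip in fails) if (fails[ip] >= thr) print "BRUTEFORCE", ip, fails[ip] }
    ' "$1" | sort
}

# Stand-alone run: the single mistyped password from the LAN user stays quiet,
# the three guesses from 10.0.0.5 followed by a root login do not.
audit_sshd "$AUTH_LOG" 3
```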
Securing IT Assets with Linux • Nessus
• Nessus is a professional-grade security scanner, but it's a free and 100% customizable one.
• Plug-in architecture. Each security test is written as an external plugin. This way, you can easily add your own tests without having to read the code of the nessusd engine.
• NASL. The Nessus Security Scanner includes NASL (Nessus Attack Scripting Language), a language designed to write security tests easily and quickly. (Security checks can also be written in C.)
• Up-to-date security vulnerability database. We mostly focus on the development of security checks for recent security holes. Our security checks database is updated on a daily basis.
• Client-server architecture. The Nessus Security Scanner is made up of two parts: a server, which performs the attacks, and a client, which is the front-end. You can run the server and the client on different systems. That is, you can audit your whole network from your personal computer, while the server performs its attacks from the mainframe which is upstairs.
• Can test an unlimited number of hosts at the same time. Depending on the power of the station you run the Nessus server on, you can test two, ten or forty hosts at the same time.
• Smart service recognition. Nessus does not assume that the target hosts will respect the IANA-assigned port numbers. This means that it will recognize an FTP server running on a non-standard port (31337, say), or a web server running on port 8080.
Securing IT Assets with Linux • Nessus
• Multiple services. Imagine that you run two web servers (or more) on your host, one on port 80 and another on port 8080. When it comes to testing their security, Nessus will test both of them.
• Tests cooperation. The security tests performed by Nessus cooperate so that nothing useless is done. If your FTP server does not offer anonymous logins, then anonymous-related security checks will not be performed.
• Complete reports: Nessus will not only tell you what's wrong on your network, but will, most of the time, tell you how to prevent crackers from exploiting the security holes found and will give you the risk level of each problem found (from Low to Very High).
• Exportable reports: The Unix client can export Nessus reports as ASCII text, LaTeX, HTML, "spiffy" HTML (with pies and graphs) and an easy-to-parse file format.
• Full SSL support: Nessus has the ability to test SSLized services such as https, smtps, imaps, and more. You can even supply Nessus with a certificate so that it can integrate into a PKI-fied environment.
• Smart plugins (optional): Nessus will determine which plugins should or should not be launched against the remote host (for instance, this prevents the testing of Sendmail vulnerabilities against Postfix).
Securing IT Assets with Linux • Nessus
• Non-destructive (optional): If you don't want to risk bringing down services on your network, you can enable the "safe checks" option of Nessus, which will make Nessus rely on banners rather than exploiting real flaws to determine if a vulnerability is present.
• Nessus Plugins
• Backdoors - CGI abuses - CISCO - Default Unix Accounts - Denial of Service - Finger abuses - Firewalls - FTP - Gain a shell remotely - Gain root remotely - Netware - NIS - Peer-To-Peer File Sharing - Port scanners - Remote file access - RPC - System Settings - SMTP problems - SNMP - Useless services - Windows - Windows: User management
• (There are 2095 plugins in the database, covering 1332 unique CVE ids and 1548 unique Bugtraq IDs)
Securing IT Assets with Linux • Intrusion Detection System
• Tripwire
• What is Tripwire software? Tripwire software is a tool that checks to see what has changed on your system. The program monitors key attributes of files that should not change, including binary signature, size, expected change of size, etc.
• What is Tripwire used for? Tripwire was originally known as an intrusion detection tool, but can be used for many other purposes such as integrity assurance, change management, policy compliance and more.
• Does Tripwire keep out intruders? Sadly, no, but the whole essence of this system is to put into place invisible cameras on your system that are completely invisible to the intruder who manages to bypass your existing security framework. Thus Tripwire, running stealthily on your system, just sits and waits for something to go wrong. As soon as a violation occurs it produces a detailed postmortem, having analyzed the crime scene. Thus Tripwire will help you determine damage to any of your data, whether it is corrupted, the extent of damage over the network, which system files have been replaced (possible placement of Trojans in your system binaries) and, in general, the extent of damage.
• http://www.freeos.com/articles/3404/
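As an added illustration of Tripwire's idea (this is not Tripwire and not code from the article), the script below records a baseline of file hashes and sizes while the system is known-good and later reports what was added, removed or changed. The sample directory it builds and tampers with is constructed; note that the baseline only proves anything if it is stored where an intruder cannot rewrite it.

```shell
#!/bin/sh
# Added example, not from the slides: a Tripwire-style file integrity check.
# Baseline = one line per file, "<sha256> <size> <path>", taken on a clean
# system. A later run compares the live tree against it. Keep the baseline on
# read-only media or another host; a baseline the intruder can edit is useless.
if ! command -v sha256sum >/dev/null 2>&1; then sha256sum() { shasum -a 256 "$@"; }; fi
export LC_ALL=C

# Usage: integrity_baseline DIR  -> baseline lines on stdout
integrity_baseline() {
    find "$1" -type f | sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$(wc -c < "$f" | tr -d ' ')" "$f"
    done
}

# Usage: integrity_check DIR BASELINE_FILE  -> "ADDED/REMOVED/CHANGED <path>" lines
integrity_check() {
    integrity_baseline "$1" | awk -v base="$2" '
        # path = everything after the first two fields, so paths may contain spaces
        function path(line,   p) { p = line; sub(/^[^ ]+ [^ ]+ /, "", p); return p }
        function sig(line,   a)  { split(line, a, " "); return a[1] " " a[2] }
        BEGIN { while ((getline line < base) > 0) old[path(line)] = sig(line) }
        {
            p = path($0); seen[p] = 1
            if (!(p in old))            print "ADDED   " p
            else if (old[p] != sig($0)) print "CHANGED " p
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' | sort
}

# Constructed demo tree: take a baseline, then tamper with it the way an
# intruder might (replaced binary, edited account file, new hidden file,
# deleted file) and report the differences.
DEMO=$(mktemp -d)
BASE_DB="$DEMO.baseline"            # outside the tree being checked
mkdir -p "$DEMO/bin" "$DEMO/etc"
printf 'original login\n' > "$DEMO/bin/login"
printf 'root:x:0:0\n'     > "$DEMO/etc/passwd"
printf 'root:*:12345\n'   > "$DEMO/etc/shadow"
integrity_baseline "$DEMO" > "$BASE_DB"
printf 'trojaned login\n' > "$DEMO/bin/login"
printf 'eviluser:x:0:0\n' >> "$DEMO/etc/passwd"
printf 'hidden\n'         > "$DEMO/bin/.rootkit"
rm -f "$DEMO/etc/shadow"
integrity_check "$DEMO" "$BASE_DB"
```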
Securing IT Assets with Linux • Samba 3.0 Does Windows Even Better
• Enables machines to join an Active Directory domain as a native member and to authenticate users with LDAP and Kerberos. For companies that use Active Directory, these improvements can make a mixed-platform server environment easier to manage. One logon ID for both Windows and Linux systems.
• Its capability as an NT-style primary domain controller offers sites that have held off on deploying Active Directory a strong option for replacing their Windows file and print servers with Linux boxes running Samba, for which they needn't buy client access licenses.
• Samba will maintain user, group and domain security identifiers for businesses that are switching from Windows NT 4.0 domains to Samba domains.
• 'Stacking' VFS (virtual file system) layer allows dynamic checking of file access.
• Virus scanning, auditing, security.
• SWAT (Samba Web Administration Tool)
• a Web-based management and setup client that offers a basic interface into the universe of different configuration options for Samba.
• http://www.eweek.com/article2/0,1759,1449497,00.asp?rsDis=Samba_3.0_Does_Windows_Even_Better-Page001-110499
• http://us1.samba.org/samba/ftp/slides/enterprisesamba.pdf
Securing IT Assets with Linux • Securing Microsoft Groupware Environments with Linux
• Large portions of many mid- to large-size corporations have based their core IT infrastructure on Microsoft technologies.
• It's much simpler to create malicious code if you only have to worry about one flavor of operating system or mail client or office suite, especially one that facilitates programmatic access either through built-in mechanisms (e.g. macros) or inherent security flaws (e.g. buffer overflows).
• It is this very environment, which was designed to facilitate easy administration, global collaboration and information exchange, that requires the most protection.
• Qmail
• is a secure, reliable, efficient, simple message transfer agent.
• Secure: Security isn't just a goal, but an absolute requirement. Mail delivery is critical for users; it cannot be turned off, so it must be completely secure.
• Reliable: qmail's straight-paper-path philosophy guarantees that a message, once accepted into the system, will never be lost. qmail also supports maildir, a new, super-reliable user mailbox format. Maildirs, unlike mbox files and mh folders, won't be corrupted if the system crashes during delivery.
• Efficient: qmail can easily sustain 200,000 local messages per day.
Securing IT Assets with Linux • Securing Microsoft Groupware Environments with Linux
• Qmail
• Simple: qmail is vastly smaller than any other Internet MTA.
• (1) qmail has one simple forwarding mechanism that lets users handle their own mailing lists. (2) qmail-send is instantly triggered by new items in the queue. (3) qmail's design inherently limits the machine load.
• In short, it's up to speed on modern MTA features.
• Qmail-Scanner
• an add-on that enables a Qmail server to scan all gatewayed email for certain characteristics (i.e. a content scanner).
• typically used for its anti-virus protection functions, in which case it is used in conjunction with external virus scanners.
• can be used as an archiving tool for auditing or backup purposes.
• is integrated into the mail server at a lower level than some other Unix-based virus scanners, resulting in better performance.
• is capable of scanning not only locally sent/received email, but also email that crosses the server in a relay capacity.
Securing IT Assets with Linux • Securing Microsoft Groupware Environments with Linux
• Clam AntiVirus
• is a GPL anti-virus toolkit for UNIX. The main purpose of this software is integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via the Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use with your own software. Most importantly, the virus database is kept up to date.
• SpamAssassin
• is one of the most well known spam fighting tools in the open source world. It is regularly maintained and updated, works for individual users as well as in site-wide configurations, is highly customizable and integrates with many different mail servers.
• The never-ending battle
• As your inbox no doubt proves, spammers get smarter every day, virus writers get more clever by the second and users never stop complaining about spam. As a result, you'll need to do regular checks for software updates to qmail, qmail-scanner, ClamAV, and (especially) SpamAssassin.
• http://www.securityfocus.com/infocus/1772
Securing IT Assets with Linux • Paros & SPIKE – Fuzzing detection
• Paros
• is an HTTP/HTTPS proxy for assessing web application vulnerability. It supports editing/viewing HTTP messages on-the-fly with client-certificate, proxy-chaining, filtering and intelligent vulnerability scanning.
• works on a principle common to the new generation of Web security tools. It runs as a local proxy on your scanning workstation, and all the interaction between your local browser and the target Web server is brokered by the security tool.
• can capture an outbound query, alter or fuzz it and then send it along to the server.
• SPIKE
• Automated SQL Injection Detection
• Web Site Crawling (guaranteed not to crawl sites other than the one being tested)
• Login form brute forcing
• Automated overflow detection
• Automated directory traversal detection
Securing IT Assets with Linux • F.I.R.E - Forensics and Incident Response Environment
• F.I.R.E.
• is a single CD-ROM Linux distribution geared toward analyzing compromised systems and recovering data from them.
• can be used either by rebooting the compromised system with the F.I.R.E. CD-ROM or by mounting the CD-ROM in a running but possibly compromised Linux system and running tools directly off the CD.
• makes it easy to copy data from the compromised system to other hosts on your network.
• includes the X Window System and a variety of both command-line and X-based security tools (including Nmap and Nessus).
• can transform an ordinary Windows laptop into an awesome penetration-testing juggernaut.
• at no extra charge, F.I.R.E.'s major functions can be accessed from a menu system comprehensible even to those of us who aren't full-time computer forensics specialists.
• http://www.linuxjournal.com/article.php?sid=7235
Securing IT Assets with Linux • Conclusion
• Don’t believe your network cannot be breached. Before making any software or hardware changes you should first answer one question: How will this affect security in this environment?
• Keep up to date on all security technology. Don’t let your security model become stagnant. New security holes or leaks are found almost on a daily basis.
• Don’t be afraid of Open Source or the products produced by the Open Source community.
• “Open source is not just for hackers. It’s a new way of organizing people to create complex products in a knowledge-based economy… Open Source is an alternative way of spurring innovation.”
• Steven Weber, author of “The Success of Open Source” (Harvard University), quoted in Open Source’s Untapped Potential - San Francisco Chronicle - April 19, 2004
Securing IT Assets with Linux • Discussion
• Thank You for Attending
Securing IT Assets with Linux • Links and Additional Information
• Webmin (www.webmin.com) – manage nearly all system services from a web interface
• Big Brother (www.bb4.com) – monitor your network from printers to servers right down to a specific service
• Netfilter (www.netfilter.org) – iptables for Linux
• Tripwire (www.tripwire.org) – intruder detection
• Ethereal (www.ethereal.com) – packet sniffer utility to monitor network traffic
• SANS Internet Storm Center (isc.sans.org) – cyber threat monitor and alert system
Securing IT Assets with Linux • Links and Additional Information
• CERT (www.cert.org) – coordination center of Internet security
• Linux Security (www.linuxsecurity.com) – Linux community for security
• PacketStorm (www.packetstorm.org) – portal for Linux security information
• BugTraq (www.bugtraq.org) – keep informed on bugs
• Revolution OS (www.revolution-os.com) – get the story on the open source movement (highly recommended)
• Snort (www.snort.com) – Intrusion Detection System
Securing IT Assets with Linux • Links and Additional Information
• Oinkmaster (oinkmaster.sourceforge.net) – Snort rules manager / updater
• Nessus (www.nessus.org) – system security scanner
• Tripwire (www.tripwire.org) – file integrity checker
• Samba (www.samba.org) – file and printer sharing server
• qmail (www.qmail.org) – safe and secure Mail Transport Agent (MTA)
• qmail-scanner (qmail-scanner.sourceforge.net) – content scanner for qmail
Securing IT Assets with Linux • Links and Additional Information
• Clam AntiVirus (www.clamav.net) – open source antivirus scanner
• SpamAssassin (www.spamassassin.org) – a mail filter to identify spam
• Paros (www.proofsecure.com) – Web application security assessor
• SPIKE (www.immunitysec.com/spikeproxy.html) – Web application security assessor
• F.I.R.E. (fire.dmzs.com) – Forensics and Incident Response Environment
Securing IT Assets with Linux • Contact Information
• Matthew Will, Bass & Associates, Inc. (A HunTel Company), 2027 Dodge Street; Suite 500, Omaha, NE 68102, 402.346.1505, mwill@bass-inc.com, www.bass-inc.com
• Steven L. Kohrs, Open Source Experts (SiLK Enterprises, Inc.), 1536 N 105th Street, Omaha, NE 68114, 402.498.0457, skohrs@opensourceexperts.com, www.OpenSourceExperts.com