1 / 25

Review

Review. Please turn in any homework/ practicals you may have Jobs Job IDs Backgrounding Runlevels HDDs Partitions. Today. My favorite topic Security Corporate vs ‘actual’ Hardening IPTables SELinux. Corporate vs Practical Security.

krista
Download Presentation

Review

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Review • Please turn in any homework/practicals you may have • Jobs • Job IDs • Backgrounding • Runlevels • HDDs • Partitions

  2. Today • My favorite topic • Security • Corporate vs ‘actual’ • Hardening • IPTables • SELinux

  3. Corporate vs Practical Security • Practical security looks at ports, process that opened that port, and known vulnerabilities • Port 80 – Internet – well-known, usually masked by network, required for http, etc… • This on a web server is not a big deal • Port 23 – Telnet – also well known, required for telnet, HUGE DEAL • Telnet offers no security, is easily sniffed, has many exploits, offers MITM chances, etc…

  4. Corporate Security • Corporate security is bureaucracy • Found open telnet port, report goes into writeup • Writeup goes to boss • Goes to boss’ boss • Goes to boss’ boss’ boss • Boss’ boss’ boss wants details • Comes back to you to say ‘it’s in an audit’ or not • VP or Senior Manager will then ‘signoff’ or not • ALWAYS KEEP THIS EMAIL OR DOCUMENT

  5. Security • ALWAYS KEEP THAT EMAIL OR DOCUMENT • We will not be talking about intrusions today • That is it’s own beast • Those interested should look at NIST • http://csrc.nist.gov/

  6. Audit • Different types of companies have different audits • SAS70 – successor to SoX (ish) • HIPAA – anything relating to healthcare • PCI (not the hardware spec) – Credit card processing systems • And more…

  7. Scope • Know what is in your environment • Keep an inventory of both hardware systems and applications running on those systems • Versions are important (Heartbleed) • Know how a ‘normal’ system behaves • This is a system profile (active processes, logfiles, common errors and system behavior) • Actively monitor your logs

  8. System Baseline • Don’t install things you don’t need to • Our installs contain quite a bit – a ‘best practice’ installation would not include many of these modules (GUI) • Set the system to log at an appropriate level (ex. high level is not necessary when application doesn’t log to that level) • Send logs to a “SEIM” if appropriate • Backup – set the schedule and ensure failed backup attempts run at some point that day

  9. Device ‘Hardening’ • Process of making a device more secure • ie, those things we just mentioned • Best Practice all over the place • Reducing ‘attack surface’ and making it less of a target • Hackers go after ‘low hanging fruit’ first • Script kiddies will give up if they don’t find it • If they’re not script kiddies, you’re being targeted and they’re going to get in anyway

  10. IPTables • Who liked Vista’s pop-up security notifications? • Who likes Windows firewall? • Linux has one too – iptables • Again, just an application/program running on the system • It is a simple software based firewall

  11. Firewall • Network security system that controls incoming and outgoing traffic through ‘rules’ • Allow web traffic incoming and outgoing • Deny telnet either incoming or outgoing • Allow outbound SSH connections • Can be a program • Can be a physical device • Best practice is to have your ruleset and then the last one is ‘deny all’ • Block all traffic that you aren’t sure of

  12. Firewall – Network vs Personal • Network firewall usually sits in between our line in and our gateway out to the internet • Literally – there will be a single cable (network cable, coax, fibre) that your ISP will run into the building – this is your ‘line in’ into your company • Usually, this plugs into the ISP’s router, but may go directly out to the internet • From there, it goes into your network, so frequently it goes into a firewall owned by you • That firewall then routes known good traffic to the router

  13. IPTables • OSI Model, firewalls are layer 2/3 devices • So conceptually think of them as sitting in between the plug on the cord and the computer, but really they’re just in another part of memory • Input streams come in/out – a request for a web page, SSH connection, etc… • IPTables looks at the connection, checks its rules for this connection type, and acts accordingly • Accepts or rejects

  14. Rules • IPTables comes with a ‘default’ ruleset • Mantra seems to be “we’re better than CentOS5!” • Accept or reject – Accept means it allows the connection in and continues with it’s ruleset (may forward as well – you can ‘chain’ iptables rules just like commands) • Reject means it drops it, done, no connection allowed • We can add rules through the command line

  15. Accessing It • Access it through iptables command • Show current ruleset

  16. Adding Rules • Simple rules – Accept or Reject • We want to accept SSH, accept HTTP (so we can SSH, so we can run a web server) • We want to reject Telnet and FTP • iptables -A INPUT -p tcp --dport 22 -j ACCEPT • -A flag = ‘add’ (we can –D to drop rules we want to get rid of) • -p flag = protocol (SSH uses TCP protocol) • --dport = destination port • -j flag = do we accept or drop?

  17. Accept HTTP (port 80, tcp) • iptables -A INPUT -p tcp --dport 80 -j ACCEPT • So what is the command to deny telnet to port 23 over the tcp protocol?

  18. Best Practice • Best practice with firewalls in general is to have the last rule as the ‘paranoid’ rule • Theory: don’t let anything in that you haven’t explicitly ok’d • iptables -A INPUT -j DROP • This at the end of your ruleset means anything that doesn’t match your rules, gets dropped • (and rules with OUTPUT and FORWARD)

  19. Questions on iptables? • iptables -A INPUT -p tcp --dport 80 -j ACCEPT • Find a command similar to your own • Validate port, protocol, direction, and what do to with it • Is on all Linux systems • Best practice is to deny anything unexpected

  20. SELinux • Security Enhanced Linux is installed by default • Uses mandatory access controls • Principle of least privilege • Principle of minimal privilege, principle of least authority • Breaks down users, policies, and security contexts • SELinux users do not always match up 1-to-1 with real users • A policy is an explicit list of permissions • Context is the ‘labeling’ of what processes can and cannot access

  21. Three Modes • Disabled, Permissive, Enforcing • Disabled = off • Permissive = off, but logs all messages • Used with ‘audit2allow’ to build a policy • Enforcing = implementing all rules and contexts • /etc/selinux/config • sestatus command returns current state (no argument)

  22. Implementing SELinux • -Z flag shows ‘context’ of running processes • ls -Z or ps -Zef • USE IT! • 75% of all businesses will use Dev/Test/Prod environments • The other 25% use small-scale replications of “production” and then test on a live subset • Run ‘permissive’ mode in test, enforcing in production

  23. If You’re Interested In Security • Corporate security is “white hat” • Except for pen-testers, most of whom are GSEC’s • Look at Kali Linux & “Metasploitable” • Think about CCDC • http://www.prccdc.org/ • I want to put together a team • PS – Byte Club! • NIST, SANS GSEC, one specific subject • You have to know what you’re breaking into

  24. BTW – ‘Standard Process’ • A “req” is needed • A good boss shows their resources are over utilized • Ideal description is created • HR adds description into their “standard” stuff • HR filters all applicants • This is why certs matter • “Finalists” are forwarded on to actual manager • Then interviews occur

  25. Own Study • Security • Corporate vs ‘actual’ • Hardening • IPTables • SELinux

More Related