Computer Security Workshops Module 5 - System Hardening
System Hardening
• How do we respond to problems? (e.g. an operating system deadlock)
  • Detect
  • (Detect and) terminate
  • Prevent
• Security analogy
  • Better to prevent than to try to clean up afterwards
System Hardening - Goals
• Prevent intrusion on a particular system
  • Note: the idea can (and should) be applied to the network as well
• Two main approaches
  1) Develop and ship in a hardened state
  2) Harden after setup
Security Certification Levels
• Department of Defense, Trusted Computer System Evaluation Criteria (TCSEC)
  • Orange Book – systems; Red Book – networks (the Trusted Network Interpretation of TCSEC)
• Levels, from least to most assurance
  • Class D (minimal protection)
  • Class C1 (discretionary security protection)
  • Class C2 (controlled access protection)
  • Class B1 (labeled security protection)
  • Class B2 (structured protection)
  • Class B3 (security domains)
  • Class A1 (verified design)
• Now largely replaced by the Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408)
1) Hardening Before Shipping
• System architecture should be designed to prevent attacks/intrusion
• Configured for high security by default (unneeded services off, restrictive file permissions, no default accounts)
• System programmed defensively
  • Assume any user, and any input, could be unfriendly
• System is audited for security problems
• System built to contain known problems (e.g. privilege separation, so a compromised component does not hand over the whole system)
• Examples – operating system level
  • OpenBSD ( http://www.openbsd.org ): secure-by-default configuration, ongoing source audit, privilege separation in its daemons
  • SELinux ( http://www.nsa.gov/selinux ): mandatory access control for the Linux kernel, originally developed by the NSA
2) Hardening After Delivery
• Techniques
  • Configuration
    • Changing system configuration to deal with security issues (disable services, tighten permissions, restrict who may connect)
  • Wrappers
    • Proxy programs that run in place of the actual program; they check for certain problems (e.g. who the caller is) before calling the original program, which is moved to a non-public directory
    • Caveat: a wrapper only helps if nothing can reach the original program at its new location directly, and the wrapper itself has to be written defensively
Wrapper Example
• TCP Wrappers (Unix/Linux; the tcpd program and the libwrap library)
  • Monitors and filters incoming requests for the SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK and other network services
  • Provides tiny daemon wrapper programs that can be installed without any changes to existing software or to existing configuration files
  • Two installation styles: move the real daemons into a private directory where tcpd looks for them, or point the inetd.conf entry at tcpd with the real daemon's path as its argument
  • Access control rules live in /etc/hosts.allow and /etc/hosts.deny (hosts_access(5)): hosts.allow is consulted first, then hosts.deny; a client matching neither is allowed, so a final "ALL: ALL" in hosts.deny gives default-deny
  • The wrappers log the name of the client host and the requested service (via syslog)
  • Impose no overhead on the actual conversation between the client and server: after the check, the wrapper exec()s the real server and is gone
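The wrapper idea from the previous slide and tcpd's allow-then-deny check from this one, as an added example that is not part of the original slides and not code from tcp_wrappers itself. It is a plain POSIX sh script; the real-daemon directory (REAL_DAEMON_DIR) is a hypothetical location chosen for the example, the two rule lists are constructed stand-ins for /etc/hosts.allow and /etc/hosts.deny, and the rule syntax is a deliberately simplified subset of hosts_access(5).

```shell
#!/bin/sh
# Added example (not from the original slides or the tcp_wrappers sources):
# a minimal wrapper in the spirit of tcpd. It is installed in place of a
# network daemon, checks the client against allow/deny lists, logs the
# request, and only then exec()s the real daemon, which is assumed to have
# been moved to REAL_DAEMON_DIR (a hypothetical location for this example).
REAL_DAEMON_DIR=${REAL_DAEMON_DIR:-/usr/libexec/real}

# Constructed access lists in a simplified subset of hosts_access(5) syntax:
# "service:pattern", where pattern is a full IPv4 address, a dotted prefix
# ending in '.', or ALL. Real tcpd reads these from /etc/hosts.allow and
# /etc/hosts.deny; these two strings stand in for those files here.
ALLOW_RULES="sshd:192.168.1. ALL:10.0.0.5"
DENY_RULES="ALL:ALL"

# match_rules RULES SERVICE CLIENT -> 0 if any rule matches, 1 otherwise
match_rules() {
    service=$2; client=$3
    for rule in $1; do
        svc=${rule%%:*}; pat=${rule#*:}
        if [ "$svc" != ALL ] && [ "$svc" != "$service" ]; then continue; fi
        case $pat in
            ALL) return 0 ;;
            *.)  case $client in "$pat"*) return 0 ;; esac ;;   # prefix rule
            *)   if [ "$pat" = "$client" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# access_check SERVICE CLIENT -> 0 (allow) or 1 (deny), in hosts_access(5)
# order: allow list first, then deny list, and a client matching neither is
# allowed. A deny list of "ALL:ALL" therefore turns this into default-deny.
access_check() {
    if match_rules "$ALLOW_RULES" "$1" "$2"; then return 0; fi
    if match_rules "$DENY_RULES" "$1" "$2"; then return 1; fi
    return 0
}

# Log to stderr; a real wrapper would use syslog (logger or libwrap).
log() { printf '%s wrap[%s]: %s\n' "$(date '+%b %d %H:%M:%S')" "$$" "$*" >&2; }

# wrap SERVICE CLIENT: log client host and service as tcpd does, then either
# refuse the connection or hand over to the real daemon. exec replaces the
# wrapper process, so it adds no overhead to the conversation that follows.
# Returns 1 when refused, 2 when allowed but the real daemon is missing.
wrap() {
    service=$1; client=$2; real="$REAL_DAEMON_DIR/$service"
    if ! access_check "$service" "$client"; then
        log "refused connect from $client ($service)"
        return 1
    fi
    log "connect from $client ($service)"
    if [ -x "$real" ]; then
        exec "$real"
    fi
    log "$real not found; is the real daemon installed there?"
    return 2
}

# Stand-alone use: ./wrap.sh SERVICE CLIENT_IP. In a real installation the
# wrapper is installed under the daemon's own name (service=${0##*/}) and
# takes the client address from the accepted socket, as tcpd does.
if [ $# -eq 2 ]; then
    wrap "$1" "$2"
fi
```

Note the prefix rule: "192.168.1." matches 192.168.1.7 but not a client string "192.168.1" or "192.168.10.1", which is exactly the trailing-dot convention hosts_access(5) uses; dropping the dot would silently widen the rule.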
System Hardening Tools - Linux
• Example: Bastille
  • http://www.bastille-linux.org
  • Script to help automate security changes in a number of areas (file transfer, mail, general configuration)
  • Works as an interactive question-and-answer session that explains each change before applying it; read the explanation before answering
  • Certain actions still have to be done manually
  • Be careful not to turn off needed services accidentally
    • E.g. don't disallow root access at the console unless you have other accounts you can use to gain superuser status (and have checked that su/sudo works from them before logging out)
  • There is a RevertBastille application…
System Hardening Tools (Windows)
• Microsoft Baseline Security Analyzer (MBSA)
  • More accurately a vulnerability analysis tool: it scans for missing security updates and common misconfigurations (weak or blank passwords, unnecessary services, share permissions, the Guest account)
  • But the notes it produces contain links and information that are very useful in system hardening
  • Start / Programs / Microsoft Baseline Security Analyzer 2.1
Port/Service Closure - Linux
• First find out what is actually listening (netstat -tlnp or ss -tlnp, as root) so you know which services, not just which ports, to remove
• GUI interface utilities
  • Ubuntu: System / Administration / Services
  • Need to unlock, provide password
  • Remove services through checkboxes
• Manually (SysV init)
  • Main script directory: /etc/init.d
  • Directory hierarchy for different run levels: /etc/rcX.d (X = 0 through 6)
  • Each /etc/rcX.d holds symlinks to the /etc/init.d scripts: SNNname links are run with "start" on entering the run level, KNNname links with "stop"; a service is disabled by turning its S links into K links (on Debian/Ubuntu: update-rc.d name disable), not by deleting the script
  • Stop the running instance as well (/etc/init.d/name stop), otherwise it keeps listening until the next boot
  • On systemd-based distributions the equivalent is systemctl disable --now name
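The manual procedure above, carried through as an added example that is not part of the original slides: a POSIX sh script that lists what an /etc/rcX.d run level starts and disables a service by converting its S links into K links, leaving the /etc/init.d script in place. The functions take a root directory argument so they can be exercised against a constructed throw-away copy of the layout (two hypothetical services, telnetd and sshd, in run levels 2 and 3) instead of the live system.

```shell
#!/bin/sh
# Added example, not from the original slides: inspect and disable a SysV
# service by hand, using the /etc/init.d + /etc/rcX.d symlink layout the
# slide describes. ROOT stands in for "/" so the functions can be run
# against a constructed, throw-away hierarchy instead of the real system.

# enabled_in ROOT LEVEL -> prints the services started in that run level,
# one per line, derived from the SNNname links in ROOT/etc/rcLEVEL.d.
enabled_in() {
    root=$1; level=$2
    for link in "$root/etc/rc$level.d"/S[0-9][0-9]*; do
        [ -e "$link" ] || [ -L "$link" ] || continue   # glob matched nothing
        base=${link##*/}
        printf '%s\n' "${base#S[0-9][0-9]}"
    done
}

# is_enabled ROOT LEVEL NAME -> 0 if NAME has a start link in that run level
is_enabled() {
    root=$1; level=$2; name=$3
    for link in "$root/etc/rc$level.d"/S[0-9][0-9]"$name"; do
        if [ -e "$link" ] || [ -L "$link" ]; then return 0; fi
    done
    return 1
}

# disable_service ROOT NAME: turn every SNNname link into KNNname in all run
# levels (what update-rc.d NAME disable does on Debian/Ubuntu). The init
# script in /etc/init.d is left alone so the change can be reverted.
# Returns 1 if no start link was found, so a typo in NAME is noticed.
disable_service() {
    root=$1; name=$2; changed=0
    for level in 0 1 2 3 4 5 6; do
        for link in "$root/etc/rc$level.d"/S[0-9][0-9]"$name"; do
            [ -e "$link" ] || [ -L "$link" ] || continue
            dir=${link%/*}; base=${link##*/}
            num=${base#S}; num=${num%"$name"}    # two-digit ordering number
            mv "$link" "$dir/K$num$name"
            changed=$((changed + 1))
        done
    done
    [ "$changed" -gt 0 ]
}

# make_fixture DIR: build a constructed miniature of the layout under DIR.
# The "init scripts" only echo their argument; they are not real daemons.
make_fixture() {
    root=$1
    mkdir -p "$root/etc/init.d" "$root/etc/rc2.d" "$root/etc/rc3.d"
    for svc in telnetd sshd; do
        printf '#!/bin/sh\necho %s "$1"\n' "$svc" > "$root/etc/init.d/$svc"
        chmod +x "$root/etc/init.d/$svc"
        ln -s "../init.d/$svc" "$root/etc/rc2.d/S20$svc"
        ln -s "../init.d/$svc" "$root/etc/rc3.d/S20$svc"
    done
}

# Stand-alone demo (./rcdemo.sh demo) against a throw-away copy, never /etc.
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    echo "run level 2 before:"; enabled_in "$tmp" 2
    disable_service "$tmp" telnetd
    echo "run level 2 after:";  enabled_in "$tmp" 2
    "$tmp/etc/init.d/telnetd" stop    # also stop the running instance now
    rm -rf "$tmp"
fi
```

On a real host, point the functions at "/" only after checking with ss -tlnp which daemon owns the port you want closed, and remember that disabling the start link does nothing to the instance that is already running.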
Port/Service Closure - Windows
• Add and remove services
  • Start / Programs / Administrative Tools / Services (services.msc)
  • Stop the service and set its startup type to Disabled; from a command prompt the same is done with sc stop name and sc config name start= disabled
• See processes currently running
  • Task Manager (Ctrl-Alt-Del), Processes tab
  • To see which process owns a listening port: netstat -ano, then match the PID column against Task Manager