SECURITY BASELINES - Sangita Prabhu
Overview • OS/NOS vulnerabilities and hardening practices • Operation and security of file systems • Common Network Hardening Practices • Best practices in securing web services
OS/NOS Hardening • Making the OS more resistant to outside threats • Categorization of disrupting actions: • Attacks • Malfunctions • Errors
Best Practices for System Hardening • Remove unused applications and services • Strong password policies • Limited number of administrators • Account lockout • Latest security updates and hotfixes • Maintain an external log • Periodic backups
File Systems Hardening • Configuring access controls: setting privileges on files and data objects • Creating user groups: grouping users by common needs • File encryption capabilities (a resource-consuming feature)
Configuring Access Controls Common practices for setting file and data privileges: • Disable write and execute permissions for all executables • Restrict access to important files • Pay close attention to access control inheritance • Make all log files “append only” if the option is available • Prevent users from installing, removing or editing scripts
System Updates • Minimize the gap between release and installation of a security patch • Monitor security-related information (mailing lists, security-related sites, hacker sites) • Evaluate updates for applicability (paper logs) • Plan the installation of updates: unsystematic and haphazard updates could introduce new vulnerabilities to networks • Document the update plan • Deploy new systems with the latest software
Network Hardening • Firmware updates • Configuration • Best practices in configuring router and firewall systems: • Maintain a copy of current configurations • Never allow IP-directed broadcasts • Configure devices with meaningful names • Always use a description for each interface • Always specify bandwidth on the interfaces • Always configure a loopback address
Network Hardening: Best Practices in configuration (contd.) • Avoid using common words for passwords and naming schemes • Deploy logging throughout the network • Restrict data traffic to required ports only
Access Control Lists • An ACL is a set of statements that controls the flow of packets through a device based on certain parameters and information within the packets • ACLs implement packet filtering • Packet filtering rules can be designed based on intrinsic and extrinsic information pertaining to a data packet
Designing filtering rules • Best practices: • Deny all packets unless explicitly permitted • Design antispoofing rules • Identify the protocols, ports, and source and destination addresses that need to be serviced on your networks • Configure the ACL rule set by protocol and by port • Place “deny all” rules at the end of the rule set
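As an added example (not from the deck), the rule-set ordering above as a small first-match packet filter in Python: antispoofing denies first, explicit permits grouped by protocol and port, and a trailing deny-all. The networks, hosts and interface names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed address space for this example (hypothetical; the deck names no network).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on: "outside" or "inside"
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0      # destination port (0 for protocols without ports)

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    iface: str = "*"             # "*" matches any interface
    proto: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any port
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("*", p.iface)
                and self.proto in ("*", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))

def antispoofing_rules() -> List[Rule]:
    # A packet arriving on the outside interface can never legitimately carry an internal source.
    return [Rule("deny", iface="outside", src=str(n), comment=f"antispoof {n}") for n in INTERNAL_NETS]

# Rule set in the order the deck recommends: antispoofing first, explicit permits by protocol/port, deny-all last.
ACL: List[Rule] = antispoofing_rules() + [
    Rule("permit", iface="outside", proto="tcp", dst="192.168.1.10/32", dport=443, comment="public web server https"),
    Rule("permit", iface="outside", proto="udp", dst="192.168.1.53/32", dport=53, comment="authoritative dns"),
    Rule("deny", comment="deny all"),
]

def evaluate(acl: List[Rule], p: Packet) -> Tuple[str, str]:
    """First-match evaluation; the trailing deny-all rule guarantees every packet gets a decision."""
    for rule in acl:
        if rule.matches(p):
            return rule.action, rule.comment
    return "deny", "implicit deny"   # only reached if a rule set forgets its trailing deny-all
```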
Enabling And Disabling Of Services And Protocols • Running unnecessary services on network devices makes them vulnerable • Administrators should identify and remove all unnecessary services • Required services should be evaluated and installed in a manner that lowers the potential risk • Example: RPC and SNMP; if they are needed, they should be carried over a VPN for security
Commonly Exploited Services Some examples of commonly exploited services on Cisco platforms
Application Hardening • Web Servers • Isolating web servers • Configuring web servers for access privileges • Identifying and enabling web server-specific logging tools • Considering security implications • Configuring authentication and encryption
Application Hardening… • E-mail Servers • Threats: • Attachments with malicious content • E-mails with abnormal MIME headers • Scripts embedded into HTML-enabled mail • Defense mechanisms: • Latest software updates and patches • E-mail content filtering using e-mail gateway products • Deployment of virus-scanning tools on the server • Attachment checking mechanisms • HTML active content removal
Application Hardening… • FTP Servers • Protecting against bounce attacks: an attacker uses an FTP server to connect to the attacked machine rather than connecting directly, which makes the attacker difficult to track • Configure servers not to open data connections to TCP ports below 1024 • Use proper file protections • Disable the PORT command (this also disables proxy FTP, which might be needed in certain situations)
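An added example, not from the deck, of the server-side check behind the bounce countermeasures above: validate a client's PORT argument against the control connection's peer address and the 1024 floor, or refuse PORT altogether. The reply texts and addresses are constructed, and `control_peer_ip` is assumed to come from the server's accepted control socket.

```python
from typing import Tuple

def parse_port_command(arg: str) -> Tuple[str, int]:
    """Decode the PORT argument h1,h2,h3,h4,p1,p2 into (ip, port); port = p1*256 + p2."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs six comma-separated numbers")
    nums = [int(f) for f in fields]            # int() raises ValueError on junk
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("each PORT field must be in 0..255")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def check_port_command(arg: str, control_peer_ip: str, allow_port: bool = True) -> Tuple[int, str]:
    """Decide how the server should answer a PORT command from the client at control_peer_ip.

    Returns an (FTP reply code, reply text) pair: 200 = command okay, 501 = syntax error in
    parameters, 502 = command not implemented, 500 = the code FTP daemons commonly use to
    reject a PORT they will not honour.
    """
    if not allow_port:
        # Hardened mode from the deck: PORT (and hence proxy FTP) disabled entirely.
        return 502, "PORT command not supported; use PASV"
    try:
        host, port = parse_port_command(arg)
    except ValueError as err:
        return 501, f"Syntax error in PORT argument: {err}"
    if host != control_peer_ip:
        # Bounce attempt: the data connection would go to a third party, not to the client itself.
        return 500, "Illegal PORT command: data address must match the control connection"
    if port < 1024:
        # Low ports belong to system services; never let a client point the data connection there.
        return 500, "Illegal PORT command: destination port below 1024"
    return 200, f"PORT command successful ({host}:{port})"
```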
FTP Servers… • Restricting areas • Protecting usernames and passwords: • Utilize alternate authentication mechanisms to defeat attempts to intercept clear-text passwords • Limit the number of attempts for a legitimate password • Limit the number of control connections • Return the same response to every USER command (prompt for the password) and only then reject the username/password combination • Port stealing: deploy random port assignments
Application Hardening… • DNS Servers • Inaccurate data on IP address ownership: without accurate IP ownership data, one cannot distinguish between innocent users and attackers • Customer/registry communication: use encrypted communication • DNS spoofing and cache poisoning • Out-of-date root.hints files • Recursive queries • Denial-of-service attacks
Application Hardening… • NNTP Servers (Network News Transfer Protocol) • Messages are delivered to newsgroups instead of individual users • A newsgroup acts as storage for related messages • A news client is used to read messages • To gain access to new postings, users need to access news servers • NNTP is designed to store news articles in a central database and allow users to choose only the items of interest to them
NNTP Servers… • Typically, an NNTP server runs as a background process on one host and accepts connections from other hosts • NNTP servers have similar vulnerabilities to any other network service • Proper authentication, disabling of unneeded services and application of relevant software and OS patches are effective methods to prevent attacks
Application Hardening • File and Print Servers • Offering only essential network and OS services on a server • Configuring servers for user authentication • Configuring server operating systems • Managing logging and other data collection mechanisms • Configuring servers for file backups
Application Hardening… • DHCP Servers (Dynamic Host Configuration Protocol) • Assignment of dynamic IP addresses to devices on the network • Simplifies network administration • Has no security provisions and is therefore vulnerable to attacks • Broadcast-based protocol, so an attacker can use a sniffer program to collect critical network information • Spoofing of the official DHCP server: the protocol allows redundant DHCP servers • Launching a DoS attack against the DHCP server
DHCP Servers… • Steps to prevent such attacks: • Permanent address assignments with DHCP • Allow dynamic addressing and monitor log files for malicious users • Force stations with new MAC addresses to register with the DHCP server • Intrusion detection tools can be used • Latest software and patches are important
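An added example, not from the deck, of the log-monitoring and MAC-registration steps above: an analyzer over constructed DHCP observation lines that flags offers from any server other than the authorized one, clients whose MAC is not registered, and a burst of DISCOVERs from a single MAC. The log format, server and client addresses and the threshold are all constructed for this example.

```python
import re
from collections import Counter
from typing import List

# Constructed values for this example; the deck names no server, client or threshold.
AUTHORIZED_SERVERS = {"192.168.1.1"}
REGISTERED_CLIENTS = {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"}
DISCOVER_THRESHOLD = 3   # DISCOVERs from one MAC in the sample window before we call it a flood

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<msg>DHCP\w+) server=(?P<server>\S+) client=(?P<client>\S+)")

# Constructed observation log (format invented for this example): a second server answers a
# registered client, an unknown MAC hammers DISCOVER, and the authorized server behaves normally.
SAMPLE_LOG = """\
2024-01-01T10:00:01 DHCPDISCOVER server=- client=aa:bb:cc:dd:ee:01
2024-01-01T10:00:01 DHCPOFFER server=192.168.1.1 client=aa:bb:cc:dd:ee:01
2024-01-01T10:00:02 DHCPOFFER server=192.168.1.77 client=aa:bb:cc:dd:ee:01
2024-01-01T10:00:05 DHCPDISCOVER server=- client=de:ad:be:ef:00:01
2024-01-01T10:00:05 DHCPDISCOVER server=- client=de:ad:be:ef:00:01
2024-01-01T10:00:05 DHCPDISCOVER server=- client=de:ad:be:ef:00:01
2024-01-01T10:00:05 DHCPDISCOVER server=- client=de:ad:be:ef:00:01
2024-01-01T10:00:09 DHCPOFFER server=192.168.1.1 client=aa:bb:cc:dd:ee:02
"""

def analyze(log_text: str) -> List[str]:
    alerts: List[str] = []
    seen_unregistered = set()
    discovers: Counter = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # skip lines we do not understand rather than guess at them
        msg, server, client = m["msg"], m["server"], m["client"]
        if msg == "DHCPOFFER" and server not in AUTHORIZED_SERVERS:
            alerts.append(f"rogue DHCP server {server} offered a lease to {client}")
        if client not in REGISTERED_CLIENTS and client not in seen_unregistered:
            seen_unregistered.add(client)   # report each unknown MAC once
            alerts.append(f"unregistered client MAC {client} requesting DHCP")
        if msg == "DHCPDISCOVER":
            discovers[client] += 1
    for client, n in discovers.items():
        if n > DISCOVER_THRESHOLD:
            alerts.append(f"possible DHCP exhaustion: {n} DISCOVERs from {client}")
    return alerts
```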
Data Repositories • Directory Services • Lightweight Directory Access Protocol (LDAP) • An LDAP directory is a special kind of database that stores information • Based on a simple tree-like hierarchy, called a Directory Information Tree (DIT) • Threats to LDAP can be categorized in two groups: • Directory service-oriented threats • Non-directory service-oriented threats
Directory Service-Oriented Threats • Unauthorized access to data • Unauthorized access to resources • Unauthorized modification or deletion • Spoofing of directory services • Excessive use of resources
Non-Directory Service-Oriented Threats • Common network-based attacks to compromise the availability of resources • Attacks against hosts by physically accessing the resources • Attacks against back-end databases
Security of LDAP • Based on two processes: • Authentication: • Anonymous: no specific authentication • Simple authentication: plaintext passwords • Simple Authentication and Security Layer (SASL): exchange of encrypted data (most secure) • Authorization: • What resources, applications and services are accessible by an authenticated client
Databases • General principles of security: • Authentication of users and applications: ensure use by legitimate users only • Determining access privileges: applications require a username/password to use the database • Administrative policies and procedures: • Written security policy • Initial configuration • Auditing • Backup and recovery procedures