CIT 470: Advanced Network and System Administration Slide #1
CIT 470: Advanced Network and System Administration
Access Control
CIT 470: Advanced Network and System Administration Slide #2
Access Control
Limiting access to:
• Files
• Networks
• Hosts
• Services
Access control is the center of gravity of computer security:
• Why do we authenticate users?
• What security features do OSes provide?
• What’s the purpose of cryptography?
CIT 470: Advanced Network and System Administration Slide #3
Access Control is Pervasive
1. Application: complex, custom security policy. Ex: Amazon account: wish list, reviews, credit card.
2. Middleware: database, system libraries, 3rd-party software. Ex: credit card authorization center.
3. Operating System: file ACLs, IPC.
4. Hardware: memory management, hardware device access.
CIT 470: Advanced Network and System Administration Slide #4
Access Control Matrix
[Figure: access control matrix, rows = subjects s1 … sn, columns = objects o1 … om]
Objects O = { o1, …, om }: all protected entities. Files, hosts, ports, etc.
Subjects S = { s1, …, sn }: active entities. Users, processes, hosts.
Rights R = { r1, …, rk }
Entries A[si, oj] ⊆ R
A[si, oj] = { rx, …, ry } means subject si has rights rx, …, ry over object oj.
CIT 470: Advanced Network and System Administration Slide #5
UNIX Access Control Model
The OS checks the effective UID (EUID) and effective GID (EGID) of the process on each object access.
Usually EUID = UID and EGID = GID.
setuid/setgid programs run with a different EUID/EGID, giving the user privileged access.
Setuid programs run with the EUID of the file owner.
ex: crontab, login, lp, passwd, su
Target for attackers wanting elevated privilege.
CIT 470: Advanced Network and System Administration Slide #6
UNIX File Permissions
Three sets of permissions:
• User owner
• Group owner
• Other (everyone else)
Three permissions per set:
• read
• write
• execute
UID 0 can access regardless of permissions.
Files include directories, devices (disks, printers), and IPC objects.
CIT 470: Advanced Network and System Administration Slide #7
UNIX File Permissions
Best-match policy: the OS applies the one permission set that most closely matches the process (owner, then group, then other).
You can be denied access by the best-matching set even if you would match another set that grants it.
Directories:
• read = listing of directory
• execute = traversal of directory
• write = add or remove files from directory
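The best-match rule (slide 7) and the UID 0 override (slide 6), as an added POSIX sh example that is not from the slides: unix_check picks exactly one permission set from the mode bits before testing the requested bit, so a denying owner set wins even when group or other would grant access. The UIDs, GIDs and modes in the comments are constructed sample values.

```shell
#!/bin/sh
# Classic UNIX discretionary access check (added example, not from the slides).
# unix_check MODE FILE_UID FILE_GID PERM PROC_UID PROC_GID...
#   MODE is octal (e.g. 0640); PERM is one of r, w, x; arguments after
#   PROC_UID are the process's primary and supplementary groups.
#   Prints "allow" or "deny" and returns 0 or 1 accordingly.
unix_check() {
  mode=$1 fuid=$2 fgid=$3 want=$4 uid=$5
  shift 5
  # UID 0 bypasses the permission bits entirely (slide 6).
  if [ "$uid" -eq 0 ]; then echo allow; return 0; fi
  case $want in
    r) bit=4 ;; w) bit=2 ;; x) bit=1 ;;
    *) echo "unknown permission: $want" >&2; return 2 ;;
  esac
  # Best match: owner wins over group, group wins over other. Only the
  # chosen set is consulted; the other two sets are ignored even when
  # they would grant the access (slide 7).
  if [ "$uid" -eq "$fuid" ]; then
    shift_n=6
  else
    shift_n=0
    for g in "$@"; do
      if [ "$g" -eq "$fgid" ]; then shift_n=3; break; fi
    done
  fi
  # The leading 0 makes the arithmetic expansion parse MODE as octal.
  perm=$(( (0$mode >> shift_n) & 7 ))
  if [ $(( perm & bit )) -ne 0 ]; then echo allow; return 0; fi
  echo deny
  return 1
}
```

Mode 0075 is the instructive case: the owner (UID 1000) is denied everything while group members and everyone else can read the file.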
CIT 470: Advanced Network and System Administration Slide #8
Special File Permissions
Each object has a set of special permission bits:
• sticky: on a directory, means users can only delete files that they own (ls shows the sticky bit with a t instead of x).
• setuid: execute program with EUID = owner’s UID.
• setgid: execute program with EGID = owner’s GID. On a directory, causes files created inside to get the directory’s group as their default group owner.
CIT 470: Advanced Network and System Administration Slide #9
Changing Permissions: chmod
Permission set specifiers:
• u = user
• g = group
• o = other
Permissions:
• r = read
• w = write
• x = execute
# remove other access
chmod o-rwx *.c
# add group r/w access
chmod g+rw *.c
# allow only you access (u= alone leaves the group and other sets untouched, so they are cleared too)
chmod u=rwx,go= *
CIT 470: Advanced Network and System Administration Slide #10
Octal Permission Notation
Each permission set (u, g, o) is one octal digit; a leading fourth digit holds the special bits.
Each permission (r, w, x) is one bit of that digit.
ex: chmod 0644 file    u: rw, g: r, o: r
ex: chmod 0711 bin     u: rwx, g: x, o: x
Bit value   Permission digit   Special (leading) digit
4           read               setuid
2           write              setgid
1           execute            sticky
CIT 470: Advanced Network and System Administration Slide #11
Changing Ownership
newgrp: the group owner of new files is your default group; newgrp changes your default group to another group to which you belong.
chgrp: changes the group owner of an existing file.
chown: changes the owner of an existing file. Only root can use this command.
CIT 470: Advanced Network and System Administration Slide #12
Default Permissions: umask
Determines the access permissions given to newly created files.
Three-digit octal number.
Programs default to 0666.
umask modifies this to: 0666 & ~umask
ex: umask=022 => file has mode 0644
ex: umask=066 => file has mode 0600
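Octal notation (slide 10), the special bits as ls displays them (slide 8) and the umask rule (slide 12), as an added POSIX sh example that is not from the slides. symbolic_mode and create_mode are names chosen here; the modes and umasks in the tests are constructed sample values.

```shell
#!/bin/sh
# Octal/symbolic permission helpers (added example, not from the slides).

# symbolic_mode OCTAL -> ls-style string, e.g. 4755 -> rwsr-xr-x
symbolic_mode() {
  mode=$(( 0$1 ))    # leading 0 forces octal parsing
  out=""
  for shift_n in 6 3 0; do         # user, group, other digits
    p=$(( (mode >> shift_n) & 7 ))
    if [ $(( p & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
    if [ $(( p & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
    if [ $(( p & 1 )) -ne 0 ]; then x=x; else x=-; fi
    # The special bit for this column replaces the x: setuid (4000) with
    # user, setgid (2000) with group, sticky (1000) with other. Upper case
    # means the special bit is set but x is not, exactly as ls prints it.
    case $shift_n in
      6) special=$(( mode & 04000 )); letter=s ;;
      3) special=$(( mode & 02000 )); letter=s ;;
      0) special=$(( mode & 01000 )); letter=t ;;
    esac
    if [ "$special" -ne 0 ]; then
      if [ "$x" = x ]; then x=$letter; elif [ "$letter" = s ]; then x=S; else x=T; fi
    fi
    out="${out}${x}"
  done
  printf '%s\n' "$out"
}

# create_mode REQUESTED UMASK -> mode a new file actually receives
# Slide 12's rule: requested & ~umask. Programs request 0666 for regular
# files; mkdir and compilers request 0777, which is why umask 022 yields
# 0755 directories (a fact about UNIX, not stated on the slide).
create_mode() {
  printf '%04o\n' $(( 0$1 & ~0$2 ))
}
```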
CIT 470: Advanced Network and System Administration Slide #13
Limitations of Classic ACLs
The classic permission “list” only contains 3 entries:
• Limited to one user.
• Limited to one group.
• Root (UID 0) can do anything.
CIT 470: Advanced Network and System Administration Slide #14
POSIX Extended ACLs
Supported by most UNIX/Linux systems; slight syntax differences may exist.
Commands: getfacl, setfacl
chmod 600 file
setfacl -m user:jsmit:r-- file
File unreadable by other, but the ACL allows jsmit to read it.
CIT 470: Advanced Network and System Administration Slide #15
Host-based Access Control
/etc/hosts.allow and /etc/hosts.deny
Used by tcpd, sshd, xinetd, and other servers.
Identify subjects by:
• hostname
• IP address
• network address/mask
Allow before Deny: /etc/hosts.allow is consulted before /etc/hosts.deny; use a last rule in /etc/hosts.deny to deny all.
CIT 470: Advanced Network and System Administration Slide #16
Configure Firewall
Defence in Depth: use a host firewall + a network firewall.
Fail-safe Defaults: disable all access by default on each host, then enable only necessary services.
Protects against:
• Insider attacks.
• Running vulnerable services by mistake.
CIT 470: Advanced Network and System Administration Slide #17
iptables
iptables [-t table] cmd [matches] [target]
Commands:
-A chain rule-spec: Append rule to chain.
-D chain rule-spec: Delete a rule from chain.
-L chain: List all rules in chain.
-F chain: Flush all rules from chain.
-P chain target: Set default policy for chain.
-N chain: Create a new chain.
-X chain: Remove a user-defined chain.
CIT 470: Advanced Network and System Administration Slide #18
iptables Matches
-p protocol: Specify protocol to match (tcp, udp, icmp, etc.).
-s address/mask: Source IP address to match.
-d address/mask: Dest IP address to match.
--sport: Source port (TCP/UDP) to match.
--dport: Dest port (TCP/UDP) to match.
CIT 470: Advanced Network and System Administration Slide #19
iptables Extended Matches
-m match: Specify match module to use.
Example: limit. Accept at most 3 ICMP packets per hour; packets over the limit do not match this rule and fall through to later rules.
-m limit --limit 3/hour -p icmp -j ACCEPT
Example: state. Useful for stateful packet filtering.
-m state --state NEW: match only new connections.
-m state --state ESTABLISHED: match only established connections.
CIT 470: Advanced Network and System Administration Slide #20
iptables Targets
-j ACCEPT: Accept packet.
-j DROP: Drop packet without reply.
-j REJECT: Drop packet with reply.
-j RETURN: Return from this chain to the calling chain.
-j LOG: Log packet; chain processing continues.
CIT 470: Advanced Network and System Administration Slide #21
Chain Targets
[Diagram: the built-in INPUT chain holds three rules, "-p ICMP -j DROP", "-p TCP -j test" and "-p UDP -j DROP"; a TCP packet therefore jumps to the user-defined chain "test", whose two rules match on "-s 192.168.1.1" and "-d 192.168.1.1".]
CIT 470: Advanced Network and System Administration Slide #22
Creating a Packet Filter
1. Create a security policy for a service. ex: allow only outgoing telnet service.
2. Specify the security policy in terms of which types of packets are allowed/forbidden.
3. Write the packet filter in terms of the vendor’s filtering language.
CIT 470: Advanced Network and System Administration Slide #23
Example: outgoing telnet
TCP-based service.
Outbound packets:
– Destination port is 23
– Source port is a random port > 1023
– Outgoing connection is established by the first packet, which has no ACK flag set
– Following packets will have the ACK flag set
Incoming packets:
– Source port is 23, as the server runs on port 23
– Destination port is the high port used for the outbound packets
– All incoming packets will have the ACK flag set
CIT 470: Advanced Network and System Administration Slide #24
Example: outgoing telnet
Dir     Src   Dest  Proto  S.Port  D.Port  ACK?    Action
Out     Int   Any   TCP    >1023   23      Either  Accept
In      Any   Int   TCP    23      >1023   Yes     Accept
Either  Any   Any   Any    Any     Any     Either  Deny
1. First rule allows outgoing telnet packets.
2. Second rule allows response packets back in.
3. Third rule denies all else, following the Principle of Fail-Safe Defaults.
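First-match evaluation of the three-rule table above, as an added POSIX sh example that is not from the slides: each packet is tested against the rows in order and the first full match decides, so the ACK column is what keeps an unsolicited inbound packet from port 23 out and the catch-all row is the fail-safe default. INTERNAL_HOST, field_matches and filter are names chosen here, and 192.168.1.10 is a constructed sample address standing for "Int".

```shell
#!/bin/sh
# First-match evaluation of the outgoing-telnet filter table (added example,
# not from the slides). INTERNAL_HOST is a constructed sample value for "Int".
INTERNAL_HOST=192.168.1.10

# One rule per line, same columns as the table:
# dir src dst proto sport dport ack action
RULES='Out Int Any TCP >1023 23 Either Accept
In Any Int TCP 23 >1023 Yes Accept
Either Any Any Any Any Any Either Deny'

# field_matches RULE_VALUE PACKET_VALUE
field_matches() {
  case $1 in
    Any|Either) return 0 ;;                 # wildcard column
    Int)        [ "$2" = "$INTERNAL_HOST" ] ;;
    '>'*)       [ "$2" -gt "${1#>}" ] ;;    # port range such as >1023
    *)          [ "$1" = "$2" ] ;;          # exact value
  esac
}

# filter DIR SRC DST PROTO SPORT DPORT ACK -> prints Accept or Deny
# Rules are tried top to bottom; the first row whose seven match columns
# all fit the packet decides. The catch-all Deny row is the fail-safe default.
filter() {
  while read -r rdir rsrc rdst rproto rsport rdport rack raction; do
    field_matches "$rdir" "$1" && field_matches "$rsrc" "$2" &&
      field_matches "$rdst" "$3" && field_matches "$rproto" "$4" &&
      field_matches "$rsport" "$5" && field_matches "$rdport" "$6" &&
      field_matches "$rack" "$7" || continue
    printf '%s\n' "$raction"
    return 0
  done <<EOF
$RULES
EOF
  echo Deny   # only reached if the catch-all row were removed
}
```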
CIT 470: Advanced Network and System Administration Slide #25
Implementing the Filter with iptables
Rule 1 (outgoing, table row 1; goes on the OUTPUT chain because it matches packets this host sends):
# iptables -A OUTPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
Rule 2 (replies, table row 2):
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -m tcp -p tcp --sport 23 -j ACCEPT
Rule 3 (fail-safe default):
# iptables -A INPUT -j REJECT
CIT 470: Advanced Network and System Administration Slide #26
Why is Access Control hard?
• Objects are complex
– Identifying objects of interest (subnet, host, port).
– Hierarchical structure like a filesystem.
• Subjects are complex
– Identifying subjects of interest.
– What are the relationships between subjects?
• Access control states change.
• Security objectives are often unclear.
CIT 470: Advanced Network and System Administration Slide #27
Key Points
• Center of gravity of security; pervasive.
• Access Control Matrix: simplest abstraction mechanism for representing protection state.
• UNIX Access Control
– UIDs vs EUIDs, setuid
– POSIX ACLs
• Network Access Control
– TCP Wrappers
– iptables