SECURITY BASELINES
-Sangita Prabhu
Overview
OS/NOS vulnerabilities and hardening practices
Operation and security of file systems Common Network Hardening Practices Best practices in securing web services
OS/NOS Hardening
Making OS more secure to outside threats
Categorization of disrupting actions Attacks Malfunctions Errors
Best Practices for System Hardening
Remove unused applications and services Strong Password Policies Limited number of administrators Account lockout Latest security updates and hot fixes Maintain external log Periodic backup
File Systems Hardening
Configuring Access Controls Setting Privileges on files and data objects
Creating User Groups Grouping users by common needs
File encryption capabilities Resource consuming feature
Configuring Access Controls
Common Practices for setting file and data privileges: Disable write and execute permissions for all
executables Restrict access to important files Pay close attention to access control inheritance Make all log files “Append Only” if the option is
available Prevent users from installing, removing or editing
scripts
System Updates Minimize gap between release and installation of a
security patch. Monitor security-related Information
--Mailing lists, security related sites, Hackers sites Evaluate Updates for Applicability
--Paper Logs Plan the installation of Updates
--unsystematic and haphazard updates could introduce new vulnerabilities to networks
Document update plan Deploy new systems with latest software
Network Hardening
Firmware updates Configuration
Best Practices in configuring Router and Firewall systems
Maintain a copy of current configurations Never allow IP-directed broadcasts Configure devices with meaningful names Always use description for each interface Always specify bandwidth on the interfaces Always configure loopback address
Network Hardening
Best Practices in configuration contd…
Avoid using common words for password and naming schemes
Deploy logging throughout the network Restrict data traffic to required ports only
Access Control Lists
ACL is a set of statements that controls the flow of packets through a device based on certain parameters and information within the packets
ACLs implement packet filtering Packet filtering rules can be designed based
on intrinsic and extrinsic information pertaining to a data packet
Designing filtering rules
Best Practices Deny all packets unless explicit permissions Design antispoofing rules Identify protocols ,ports, and source and destination
addresses that need to be serviced on your networks Configure the rule set of ACL by protocol and by port Place “deny all” rules at the end of the rule set
Enabling And Disabling Of Services And Protocols
Running unnecessary services on the network devices makes them vulnerable
Administrators should identify and remove all unnecessary services
Required services should be evaluated and installed in a manner to lower potential risks
Example: RPC and SNMP– if needed then should be accomplished via VPN for security
Commonly Exploited Services
Service Description Default NoteSNMP Protocol Routers can support
SNMP remote query and configuration
Enabled If not in use, explicitly disable or restrict access
Domain name Service
Routers can perform DNS name resolution
Enabled Set the DNS server address explicitly, or disable DNS
IP Source Routing IP feature that allows packets to specify their own routes
Enabled This rarely–used feature can be helpful in attacks; disable it.
Some Examples of commonly exploited services on CISCO platforms
Application Hardening
Web Servers Isolating Web Servers Configuring web servers for access privileges Identifying and Enabling Web Server-Specific logging
tools Considering security Implications Configuring Authentication and Encryption
Application Hardening…
E-mail Servers Attachments with malicious contents E-mails with abnormal MIME headers Scripts Embedded into HTML-Enabled Mail Defense mechanisms:
Latest software updates and patches Email content filtering using email gateway products Deployment of virus-scanning tools on the server Attachment checking mechanisms HTML active Content Removal
Application Hardening…
FTP Servers Protecting against Bouncebacks
--Using FTP servers to connect to the attacked machine rather than connecting directly
--Makes difficult to track the attacker
--Configure servers to not open data connections to TCP ports less than 1024
--Use proper file protections
--Disable PORT command : It also disables PROXY FTP which might be needed in certain situations
FTP Servers…
Restricting Areas Protecting Usernames and passwords
Utilize alternate authentication mechanisms to avoid attempts to intercept clear text password
Limit number of attempts for a legitimate password Limit the number of control connections Return same response USER command, prompting
for the password and then reject the combination of Username and Password
Port Stealing : Deploy random port assignments
Application Hardening…
DNS Servers Inaccurate Data on IP Address Ownership
Without accurate IP ownership data cannot distinguish between innocent users and attackers
Customer Registry Communication Use encrypted communication
DNS Spoofing and Cache Poisoning Not Updated root.hints files Recursive Queries Denial of service Attacks
Application Hardening…
NNTP Servers (Network News Transfer Protocol) Messages are delivered to Newsgroups instead of
individual users Newsgroups acts as a storage for the related messages News Client is used to read messages To gain access to new postings users need to access news
servers NNTP is designed to store news article in a central
database and allow user to choose only the items of their interest
NNTP Servers…
Typically, NNTP servers run as a background process on one host and accepts connections to other hosts
Have similar vulnerabilities as any other network services
Proper authentication, disabling of unneeded services and application of relevant software and OS patches are effective methods to prevent attacks
Application Hardening
File and Print Servers Offering only essential Network and OS Services on a
Server Configuring Servers for User Authentication Configuring Server Operating Systems Managing Logging and other data collection
mechanisms Configuring servers for File Backups
Application Hardening…
DHCP Servers (Dynamic Host Configuration Protocol) Assignment of dynamic IP Addresses to devices on the network Simplifies network administration Has no security provisions therefore vulnerable to attacks
Broadcast-based protocol, therefore, attacker can use a sniffer program to collect critical network information.
Spoof official DHCP server : Redundant DHCP servers are allowed
Launch DoS attack against the DHCP server
DHCP Servers…
Certain steps to prevent such attacks Permanent address assignments with DHCP Allow dynamic addressing and monitor log files
for malicious user Force stations with new MAC addresses to
register with the DHCP server Intrusion Detection tools can be used Latest software and patches are important
Data Repositories
Directory Services Lightweight Directory Access protocol (LDAP) LDAP directory is a special kind of database that
stores information Based on simple tree-like hierarchy, called a Directory
Information Tree (DIT) Threats to LDAP can be categorized in two groups:
Directory Service-oriented threats Non directory Service-oriented threats
Directory Service-Oriented Threats
Unauthorized access to data Unauthorized access to resources Unauthorized modification or deletion Spoofing of directory services Excessive use of resources
NonDirectory Service Oriented Threats
Common network based attacks to compromise the availability of resources.
Attacks against hosts by Physically accessing the resources
Attacks against back-end databases
Security of LDAP
Based on two processes Authentication
Anonymous—No specific authentication Simple Authentication– Plaintext Passwords Simple Authentication and Security Layer (SASL)—
Exchange of encrypted data (Most Secure) Authorization
What resources, application and services are accessible by an authenticated client
Databases
General Principles of Security-- Authentication of users and Applications
Ensure use by Legitimate users only Determining access privileges Applications require username/password to use the
database Administrative Policies and Procedures
Written security policy Initial Configuration Auditing Backup and Recovery Procedures