Host Security
CSCI N321 – System and Network Administration
Copyright © 2000, 2011 by Scott Orr and the Trustees of Indiana University
Section Overview
Why Security?
System Security Issues
Network Security Issues
Physical and Session Security Issues
Security Implementation
References
CQU 85321 System Administration Course
Chapter 17
Why Worry about Security?
Y2K Bug – 1/1/2000
DDoS Attack of Yahoo, CNN – 2/2000
Microsoft break-in – 10/2000
SPAM and Phishing
Viruses and Worms
  Internet Worm – 11/1988
  Melissa/ILoveYou Viruses – 1999-2000
  CodeRed/Nimda/Slammer/Sobig – 2001-2003
  MyDoom, Netsky/Bagle – 2004
  Stuxnet – 2010
  SPAM/Virus Writer Connection
Terrorist Attacks/Katrina
Numerous Web Defacements
Mobile Computing?
Reported Incidents
(chart: incidents reported to CERT per year, 1995-2003; source: CERT)
Reported Vulnerabilities
(chart: vulnerabilities reported to CERT per year, 1995-2008*; source: CERT)
Threat Pyramid
Attacker class – approximate population (top of pyramid first):
Governments – 100's
Aggressive – 1K's
Moderate – 10K's
Script Kids – 1M's
Source: Tom Perrine, SDSC, "Security as Infrastructure"
Threat Evolution
Source: CERT (Phishing Exposed)
How much security?
Security vs. Ease of Use
Beware of Security through Obscurity!!!
Password Security Issues
Low-tech password grabbing
  Social Engineering
  Dumpster Diving
  Shoulder Surfing
Password Cracking
  Encrypted (hashed) passwords accessible to the attacker
  Brute force & dictionary attacks
  Tools: Alec Muffett's Crack, John the Ripper, Cain and Abel
  Rainbow-table cracking (precomputed hash tables; defeated by per-password salts)
Password Risk Minimization
User Education!!!
Password Accessibility (/etc/shadow: hashes readable by root only, not in world-readable /etc/passwd)
Allow for longer passwords
One-Time Passwords – OPIE/SecurID
Password aging
  Forces periodic changing of password
  Accounts locked if password expires
Centralized Authentication
  Kerberos
  Active Directory Services (ADS)
/etc/shadow Fields
Username
Encrypted (hashed) password
Day last changed (days since 1 Jan 1970)
Minimum # days between changes
Maximum # days between changes
Warn # days before the password expires
Account inactivation
  Expire # days after max change (Linux)
  Expire after # days of inactivity (Solaris)
Expiration day (days since 1 Jan 1970)
Flags (unused)
Example (nine colon-separated fields; an empty field means "not set", here written out for the inactive-days field):
sorr:lYi8.KpsFAb9M:11262::90:7::12784:
  user sorr; 13-character DES crypt hash (modern systems use $6$ SHA-512 or yescrypt); last changed day 11262 (1 Nov 2000); no minimum; must change every 90 days; warned 7 days ahead; no inactivity period; account expires day 12784 (1 Jan 2005)
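A parser for the nine fields above with the password-aging rules from the previous slide applied, as an added example (not course code). The entries in SAMPLE_SHADOW are constructed; the sorr line repeats the slide's example with the empty inactive-days field written out, and the other hashes are placeholders. The boundary rule (a password is expired once its age exceeds max days, and the account locks once the inactive period has also passed) is an assumption; real login code may differ by a day at the edge.

```python
"""Parse /etc/shadow lines and evaluate password aging.

Added example for the slide above; not course code. The entries in
SAMPLE_SHADOW are constructed for illustration (hashes are not real).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Field 3 (last change) and field 8 (expiry) count days since this date.
EPOCH = date(1970, 1, 1)


@dataclass
class ShadowEntry:
    user: str
    pw_hash: str
    last_change: Optional[int]    # days since EPOCH; 0 means "change at next login"
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive_days: Optional[int]  # grace period after max_days before lockout
    expire_day: Optional[int]     # absolute account expiry, days since EPOCH
    flag: str                     # reserved, unused


def day_to_date(day: int) -> date:
    """Convert a shadow day count to a calendar date (what `chage -l` prints)."""
    return EPOCH + timedelta(days=day)


def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one line into its nine colon-separated fields; empty fields -> None."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    user, pw_hash, *numeric, flag = fields
    numbers = [int(f) if f.strip() else None for f in numeric]
    return ShadowEntry(user, pw_hash, *numbers, flag)


def password_state(e: ShadowEntry, today: int) -> str:
    """Classify an entry as login would on day `today` (days since EPOCH).

    Order matters: an expired account or a locked hash overrides aging.
    Assumption: a password is expired once age > max_days; real login
    code may differ by one day at the boundary.
    """
    if e.expire_day is not None and today >= e.expire_day:
        return "account-expired"
    if e.pw_hash == "":
        return "no-password"          # passwordless login: fix immediately
    if e.pw_hash[0] in "!*":
        return "locked"               # passwd -l / usermod -L, or never set
    if e.last_change == 0:
        return "must-change"          # passwd -e: forced change at next login
    if e.last_change is None or e.max_days is None or e.max_days < 0:
        return "ok-no-aging"          # aging disabled (max field empty or negative)
    age = today - e.last_change
    if age > e.max_days:
        if e.inactive_days is not None and age > e.max_days + e.inactive_days:
            return "locked-inactive"  # grace period used up
        return "password-expired"     # may still log in, but must change it
    if e.warn_days is not None and e.max_days - age <= e.warn_days:
        return "warning"
    return "ok"


def report(lines, today: int) -> dict:
    """Map each username to its aging state for a whole shadow file."""
    return {e.user: password_state(e, today)
            for e in (parse_shadow_line(l) for l in lines if l.strip())}


# Constructed sample file. 'sorr' mirrors the slide's example with the empty
# inactive-days field (between warn=7 and expire=12784) written out.
SAMPLE_SHADOW = [
    "sorr:lYi8.KpsFAb9M:11262::90:7::12784:",
    "alice:$6$fakesalt$fakehash:12700:1:90:14:30::",
    "bob:!$6$fakesalt$fakehash:12500::::::",
    "carol::12700::::::",
    "dave:$6$fakesalt$fakehash:0::::::",
]

if __name__ == "__main__":
    for user, state in report(SAMPLE_SHADOW, today=12780).items():
        print(f"{user:8s} {state}")
```

Run against a real file with `report(open("/etc/shadow").readlines(), (date.today() - EPOCH).days)` as root; the "no-password" and "ok-no-aging" states are the ones worth hunting for first, since they undo the aging policy the slide recommends.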
Account Management
Principle of least privilege
Restrictive default umask (e.g. 027 or 077, so new files are not group/world writable)
Disable/remove inactive accounts
No shared group accounts
Careful placement of '.' in PATH (if present at all, last, never first: a planted program in a writable directory would otherwise run in place of a system command)
Same username/UID assignment on all systems on a local network
Root Account Management
Restrict root logins to console
Used only when needed
  su –
  sudo
Avoid multiple root accounts (UID 0)
Avoid '.' in PATH
Be Careful!!!
System Configuration
Keep all software up to date
  Updates
  Patches
Remove unneeded software
Minimize SUID/SGID programs
Kernel options
System-wide defaults
System Hardening
  SELinux
  CIS Benchmark Tools
  Microsoft: Baseline Security Analyzer
Pluggable Authentication Modules (PAM)
System-wide authentication defaults (/etc/pam.conf or /etc/pam.d/*), shared by login, su, sshd and other services
Four management groups, each a stack of modules:
  Authentication management (auth)
  Account management (account)
  Session management (session)
  Password management (password)
Filesystem Protection
Check for…
  World-writable files/directories
  World-readable files/directories
    System configuration files
    Log files
  Ownerless files/directories
  SUID/SGID programs
Filesystem access restrictions
Trojan horses & root-kits
  Modified system files/programs
  Integrity Checkers: Tripwire, AIDE, Osiris
Filesystem Encryption (CFS, EFS)
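The checks the slide lists, plus a Tripwire/AIDE-style integrity baseline, as an added example (not course material and not any of those tools' own code). The records and file contents are constructed in memory so the logic runs offline; walk_records() shows how the same records come from a real tree. The SENSITIVE list and the known-user sets are assumptions.

```python
"""Filesystem audit checks from the slide plus a Tripwire/AIDE-style
integrity baseline. Added example, not course material. The records and
file contents are constructed in memory so the checks run offline;
walk_records() shows how to gather the same records from a real tree.
"""
import hashlib
import os
import stat
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class Record(NamedTuple):
    path: str
    mode: int   # full st_mode (file type + permission bits)
    uid: int
    gid: int


def walk_records(root: str) -> Iterable[Record]:
    """Yield a Record for every entry under root; lstat so symlinks are not followed."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            yield Record(p, st.st_mode, st.st_uid, st.st_gid)


# Files that must never be world-readable (assumed list; extend per system).
SENSITIVE = {"/etc/shadow", "/etc/gshadow", "/var/log/auth.log", "/var/log/secure"}


def audit(records: Iterable[Record], known_uids: Set[int], known_gids: Set[int],
          sensitive: Set[str] = SENSITIVE) -> List[Tuple[str, str]]:
    """Return (finding, path) pairs for the conditions the slide says to check."""
    findings = []
    for r in records:
        if stat.S_ISLNK(r.mode):
            continue  # a symlink's own mode is meaningless; its target is audited on its own
        is_dir = stat.S_ISDIR(r.mode)
        # World-writable, except sticky directories like /tmp where only the owner may delete.
        if r.mode & stat.S_IWOTH and not (is_dir and r.mode & stat.S_ISVTX):
            findings.append(("world-writable", r.path))
        if r.path in sensitive and r.mode & stat.S_IROTH:
            findings.append(("world-readable-sensitive", r.path))
        if r.uid not in known_uids or r.gid not in known_gids:
            findings.append(("ownerless", r.path))  # owner deleted from passwd/group
        if not is_dir and r.mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append(("setuid/setgid", r.path))  # compare against a known-good list
    return findings


def baseline(contents: Dict[str, bytes]) -> Dict[str, str]:
    """Hash every file: the 'database' an integrity checker stores offline."""
    return {p: hashlib.sha256(b).hexdigest() for p, b in contents.items()}


def compare(base: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff two baselines; a modified /bin/ls or a new file in /lib is rootkit territory."""
    return {
        "added": sorted(set(current) - set(base)),
        "removed": sorted(set(base) - set(current)),
        "modified": sorted(p for p in base.keys() & current.keys() if base[p] != current[p]),
    }


# Constructed records (modes as octal st_mode values) and constructed known-user sets.
KNOWN_UIDS, KNOWN_GIDS = {0, 1000}, {0, 1000}
SAMPLE_RECORDS = [
    Record("/etc/passwd", 0o100644, 0, 0),
    Record("/etc/shadow", 0o100644, 0, 0),           # should be 0640 root:shadow or 0600
    Record("/tmp", 0o41777, 0, 0),                   # world-writable but sticky: fine
    Record("/var/www/upload", 0o40777, 1000, 1000),  # world-writable, not sticky
    Record("/usr/bin/passwd", 0o104755, 0, 0),       # expected setuid, still listed
    Record("/usr/local/bin/helper", 0o104755, 0, 0), # unexpected setuid root
    Record("/home/old/notes", 0o100644, 1042, 1042), # owner no longer in /etc/passwd
    Record("/etc/link", 0o120777, 0, 0),             # symlink: skipped
]

SYSTEM_BEFORE = {"/bin/ls": b"ls v1", "/bin/ps": b"ps v1", "/etc/passwd": b"root:x:0:0"}
SYSTEM_AFTER = {"/bin/ls": b"ls v1 + backdoor", "/etc/passwd": b"root:x:0:0",
                "/lib/libkeylog.so": b"evil"}  # /bin/ps removed, ls trojaned, new lib

if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORDS, KNOWN_UIDS, KNOWN_GIDS):
        print(*finding)
    print(compare(baseline(SYSTEM_BEFORE), baseline(SYSTEM_AFTER)))
```

Two design points carry over to the real tools: the setuid check lists every setuid binary rather than guessing which are legitimate (the known-good list is the baseline, not the code), and the hash database must live off the audited host, since a rootkit that can replace /bin/ls can also rewrite a baseline stored beside it.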
Network Service Security
Remove unneeded services
  RC Scripts
  inetd/xinetd
Upgrade/Patch active services
Port Scanners – nmap, Saint, Nessus
Service Attack Detection/Protection
  Intrusion Detection Systems (Snort)
  TCP Wrappers
  Firewalls
  Network Address Translation (NAT)
Network Traffic Issues
Packet Sniffing
  See all traffic (passwords, email, etc.) sent in the clear
  Tools: tcpdump, Wireshark
Spoofing and Session Hijacking
Network Session Encryption
  Telnet, ftp, X11: Secure Shell (ssh)
  Email, Web: Secure Socket Layer (SSL, now TLS)
  Virtual Private Networks (IPsec/SSL)
Physical Security
Environmental Concerns
Facility Security
  Hardware cables
  Locks (Key, Code, Biometrics)
  Alarms (Theft, Movement, etc.)
Removable media
System BIOS
  Passwords
  Boot device order
Boot Loader Passwords
Session Security
X-Windows
  Remote Applications
  Remote viewing of your windows
  xhost/xauth access control
Console locking
  GUI Screensavers
  Text console(s) – vlock
Shell inactivity timeout
Implementing Security
Risk Assessment
Policy Development
Implementation
Testing
Monitoring/Responding to Incidents
Risks and Policies
Risk Assessment
  Identifying assets, vulnerabilities, threats
  Weigh prevention cost against loss/recovery cost
Policy Development
  "That which is not permitted is prohibited"
  Grant authority to enforce policy
  Periodic reviews
  Be positive
System Testing
Password Checkers
Vulnerability Checkers
  System: COPS, Titan, Tiger
  Network: Saint (SARA), Nessus, nmap
Bug Exploits
  Script Kiddie sites (e.g. www.rootshell.com)
  Full Disclosure Email Lists (e.g. BugTraq)
  Security Advisories (e.g. CERT)
Log Monitoring
Baseline Anomalies
  Weird su/root login entries
  Unscheduled Reboots/Service restarts
  Inconsistent login times/locations
Logfile Anomalies
  Strange timestamps
  Incorrect ownership or permissions
  Short, incomplete, or missing logs
Centralized logging
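The baseline and logfile anomalies above, turned into detection rules and run over a constructed syslog excerpt, as an added example (not course code). SAMPLE_LOG is made up using RFC 5737 test addresses, with message formats following classic sshd and su syslog output; the admin list, business hours, maintenance window and failure threshold are assumptions a real deployment would set from its own baseline.

```python
"""Log-monitoring checks from the slide, run over constructed syslog lines.

Added example, not course code. SAMPLE_LOG is made up (RFC 5737 test
addresses); message formats follow classic sshd and su syslog output.
Thresholds, admin list and maintenance window are assumptions.
"""
import re
from collections import Counter
from datetime import datetime
from typing import List, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$")

ROOT_LOGIN = re.compile(r"Accepted \S+ for root from (\S+)")
USER_LOGIN = re.compile(r"Accepted \S+ for (\S+) from (\S+)")
SU_OK = re.compile(r"^\(to root\) (\S+) on")
SU_FAIL = re.compile(r"^FAILED SU \(to root\) (\S+) on")

ADMINS = {"sorr", "alice"}        # who may become root (assumed)
BUSINESS_HOURS = range(7, 19)     # 07:00-18:59 (assumed)
MAINT_HOURS = range(3, 5)         # reboots expected only 03:00-04:59 (assumed)
SU_FAIL_LIMIT = 3


def parse_ts(ts: str) -> datetime:
    """Classic syslog stamps carry no year; 1900 is fine for ordering within
    one file, but note 1900 is not a leap year, so 'Feb 29' needs a real year."""
    return datetime.strptime(re.sub(r"\s+", " ", ts), "%b %d %H:%M:%S")


def analyse(lines: List[str]) -> List[Tuple[str, int]]:
    """Return (rule, line_number) findings, with 1-based line numbers."""
    findings = []
    su_failures = Counter()
    last_ts = None
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            findings.append(("unparseable-line", n))      # truncated/garbled: tampering?
            continue
        ts, prog, msg = parse_ts(m["ts"]), m["prog"], m["msg"]
        if last_ts and ts < last_ts:
            findings.append(("timestamp-regression", n))  # clock change or edited log
        last_ts = ts
        if prog == "sshd":
            if ROOT_LOGIN.search(msg):
                findings.append(("root-login-over-network", n))  # root should be console-only
            login = USER_LOGIN.search(msg)
            if login and ts.hour not in BUSINESS_HOURS:
                findings.append(("off-hours-login", n))
        elif prog == "su":
            fail = SU_FAIL.search(msg)
            if fail:
                su_failures[fail.group(1)] += 1
                if su_failures[fail.group(1)] == SU_FAIL_LIMIT:
                    findings.append(("repeated-su-failures", n))
            ok = SU_OK.search(msg)
            if ok and ok.group(1) not in ADMINS:
                findings.append(("su-to-root-by-non-admin", n))
        elif prog == "kernel" and "Linux version" in msg:
            if ts.hour not in MAINT_HOURS:
                findings.append(("unscheduled-reboot", n))
    return findings


# Constructed excerpt: a normal morning, then a suspicious evening.
SAMPLE_LOG = [
    "Mar  3 08:02:11 web1 sshd[1201]: Accepted publickey for alice from 198.51.100.23 port 51822 ssh2",
    "Mar  3 08:05:40 web1 su[1233]: (to root) alice on pts/0",
    "Mar  3 23:41:05 web1 sshd[1402]: Accepted password for root from 203.0.113.9 port 5123 ssh2",
    "Mar  3 23:42:17 web1 su[1410]: FAILED SU (to root) bob on pts/1",
    "Mar  3 23:42:31 web1 su[1411]: FAILED SU (to root) bob on pts/1",
    "Mar  3 23:42:49 web1 su[1412]: FAILED SU (to root) bob on pts/1",
    "Mar  3 23:50:02 web1 su[1415]: (to root) bob on pts/1",
    "Mar  3 23:55:30 web1 kernel: Linux version 2.6.32 (gcc version 4.4.7) #1 SMP",
    "Mar  3 22:10:00 web1 sshd[1500]: Accepted publickey for alice from 198.51.100.23 port 51900 ssh2",
    "Mar  3 23:58:",
]

if __name__ == "__main__":
    for rule, n in analyse(SAMPLE_LOG):
        print(f"line {n}: {rule}")
```

The timestamp-regression and unparseable-line rules are the "logfile anomaly" side of the slide: on a host whose logs also go to a central syslog server, comparing the two copies after such a finding is the quickest way to tell a clock change from an edited log.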
Incident Response
Isolate the system
Understand what happened – Forensics
  Active system analysis
  Filesystem analysis (make read-only first)
Recover
  Close holes
  Restore files from clean backup
Report incident
Don't Panic!!!