UnixNetworkSecuirty-05-2004-CIT-ACDS
Unix Network Security
Mehmet Balman
Introduction
Any machine connected to a phone line or a local network is a potential target for intruders, so the security of every system must be kept in mind at all times. As the Internet grows, network services become more important to operational and business requirements, and this makes security one of the key factors in the quality and availability of a running service. The basic idea behind a secure environment is to analyze the risk posed by vulnerabilities and to decrease the probability of being compromised.
This paper presents a brief survey of host and network security as approached in the Unix philosophy. Instead of working through details, we discuss the general concepts and the guidelines for implementing a basic structure, and we present one implementation as a practical example.
The first chapter explains basic information-security concepts as motivation and introduction. The next chapter describes properties of Unix systems. The third chapter gives an architectural view of the overall concepts and introduces the idea behind Unix network security. The fourth chapter walks through Unix security practices. The last chapter is a worked example of hardening Solaris.
Security Essentials
Security is a very general term in computing. Because electronic communication and electronic data are essential to almost every business and personal process, leaked information can cause real damage in many situations. Securing information, however, brings difficult tasks and policies that are hard to apply and will most probably affect the service being given. Security must therefore be approached through a policy plan that first analyzes risks and then reorganizes the structure and implementation to improve quality and decrease the probability of unexpected conditions. Security cannot be abandoned in today's environment, in which the Internet keeps growing and the network has become the basic resource of the information industry.
"Broadly speaking, security is keeping anyone from doing things you do not want them to do to, with, or from your computers or any peripherals."
-William R. Cheswick
Information security deals with three major concepts: confidentiality, integrity and availability.
Information Security Classification:
• Confidentiality
Prevention of unauthorized disclosure of information.
• Integrity
Prevention of unauthorized modification of information.
• Availability
Prevention of unauthorized withholding of information or resources.
Confidentiality is keeping your data or communication secret from others: only authorized persons should be able to access the information. Integrity is being sure that information has not been changed while it is processed or communicated. Availability means that authorized clients can obtain the resources they are entitled to when they need them.
Confidentiality, integrity and availability are the basic terms, and technically they point to different types of problems, so they should be analyzed separately for each service and system to build a composite security mechanism. If someone obtains data that should have been kept secret, that is a confidentiality problem; if the data is changed or manipulated, it is an integrity problem; if legitimate users cannot reach it, it is an availability problem.
For a secure network or system, security services should be applied and the possible cases must be investigated in terms of confidentiality, integrity and availability.
Security services are the methodologies and processes needed to strengthen a system in terms of confidentiality, integrity and availability.
“A service that enhances the security of the data processing systems and the
information transfers of an organization. The service counters security attacks and
makes use of one or more security mechanisms to provide the service.”
-William Stallings
Security Service Classification:
• Confidentiality
Restricts information access to authorized parties.
• Authentication
Identification of the user/service/system/etc.
• Integrity
Restricts alterations to authorized parties.
• Nonrepudiation
Proof that a party did send, or did receive, a message, so that the act cannot later be denied.
• Access Control
Restricts access to resources to authorized parties.
• Availability
Keeping the system up when needed by authorized parties.
Security services are implemented against the four classes of attack: interruption, interception, modification and fabrication. Each attack class should be countered by a matching service.
Security Attack Classification:
• Interruption: an attack on availability (a resource is destroyed or made unusable)
• Interception: an attack on confidentiality (an unauthorized party gains access to the data)
• Modification: an attack on integrity (an unauthorized party tampers with the data)
• Fabrication: an attack on authenticity/authentication (an unauthorized party inserts counterfeit objects)
Unix Operating System
Unix is an operating-system family that is used widely in products from many vendors. It has a proven record in performance, resource utilization and also security. Unix machines make up a large part of the Internet infrastructure, and Unix has become something of a standard operating system there. Some derivatives are Red Hat Linux, SuSE Linux, Sun Solaris, IBM AIX, Mac OS X, Debian Linux, FreeBSD, OpenBSD, etc.
The system has a modular structure in which resources such as memory, CPU and I/O are handled in different layers. This makes Unix flexible enough for the growing needs of information technology.
Os layers:
• user programs
• Input/output management
• Operator-process communication
• Memory management
• CPU scheduling
• Hardware
Unix was designed with security concepts in mind in order to provide a better-quality service. It is a multi-user, multi-tasking, time-sharing environment that is highly portable, which makes development and enhancement easier.
Some properties of basic Unix environments are the following:
• Designed to be a time-sharing system.
• Has a simple standard user interface (the shell) that can be replaced.
• File system with multilevel tree-structured directories.
• Files are supported by the kernel as unstructured sequences of bytes.
• Supports multiple processes.
• High priority given to making the system interactive and to providing facilities for program development.
Most security attacks begin from simple, forgotten administrative or implementation defects. The main principle when administering a Unix system is to start from a strong high-level design and not to skip any case: most successful attacks exploit small defects that seemed insignificant, even where strong security services exist.
Architectural Overview
The Unix network security model is based on Internet connectivity and the firewall model. The layers of firewalls also determine the layers of vulnerability. To understand the concept and start with a healthy, working strategy, an architectural overview of a Unix network system in terms of security is introduced here.
Three general terms apply to all network systems: risk, vulnerability and threat. Each should be analyzed completely according to the needs of the network and system.
• Risk
• Vulnerability
• Threat
Risk
Risk is the possibility of a successful attack. An intruder may gain access to your local network and work on your systems to read confidential data, manipulate or destroy information, or deny your running services.
• Read Access. Read or copy information from your network.
• Write Access. Write to or destroy data on your network (including planting trojan horses, viruses and back doors).
• Denial of Service. Deny normal use of your network resources by consuming all of your bandwidth, CPU or memory.
Vulnerability
Vulnerability is the degree to which your security and protection can be defeated. A security attack may come from inside your network or from outside it. Many attacks originate inside the organization, and outside intruders often break into a local network first in order to hide their traces.
Threat
A threat is an intruder who attempts to gain unauthorized access. The value of your data and the training of your trusted users both affect your exposure to threats; motivation and trust are the two common factors.
• Motivation
• Trust
Motivation is how useful your data is to an attacker, or how useful it would be to them if your network were destroyed. The trust factor depends on how far you can trust your users. How well trusted users understand which actions are permitted, and how well they are trained, also influences vulnerability. Both the motivation of intruders and the effect of trusted users must therefore be kept in mind while preparing a security implementation.
The Unix Network Security Architecture can be organized into seven layers:
Security Layers:
Layer    Name             Functional description
LAYER 7  POLICY           Policy definition and directives
LAYER 6  PERSONNEL        People who use equipment and data
LAYER 5  LAN              Computer equipment and data assets
LAYER 4  INTERNAL-DEMARK  Concentrator, internal connect
LAYER 3  GATEWAY          Functions for OSI layers 7, 6, 5, 4
LAYER 2  PACKET-FILTER    Functions for OSI layers 3, 2, 1
LAYER 1  EXTERNAL-DEMARK  Public access, external connect
Policy
Policy ranges from the high-level definition of acceptable risk down to the low-level directives of what equipment and procedures to implement at the lower layers, and how. It is the most important part of the concept: without a complete and effective policy, security services cannot be accomplished.
After risk, vulnerability and threat have been analyzed, the policy, usually a living and regularly updated document, is produced according to the service requirements of the organization. It is not a detailed implementation plan; a well-defined policy captures only the overall structure that the lower layers will carry out.
Personnel
Personnel are trained and informed about the policy and strategy. People in the organization should accept the security program and behave with knowledge of the possible risks and threats. This layer covers the whole organization, not only the administrators, so it must be applied carefully. Informing and training is not done adequately in most companies, yet this is the second most important layer.
LAN
The LAN layer covers the equipment, the data assets, and some of the monitoring and control procedures. It is the local network, maintained with electronic equipment that mostly runs unattended.
Internal Demark
This is the connection between the LAN and the firewall, providing a buffer zone between LAN and WAN. It is the second level of protection in the local area, behind the external firewall. A DMZ is an example of this layer.
Gateway
The gateway provides a transparent firewall service for all WAN services. It monitors and controls functions of the OSI transport through application layers (4 to 7) and is essentially transparent to users and applications. Firewall services, proxies and NAT belong to this layer. Properties of the packets are examined and controlled according to the security policy.
Packet Filter
This is the connection between the firewall and the WAN, separating the LAN from WAN connectivity. Basic firewall filtering on network-protocol attributes (addresses, protocols, ports) is applied here.
External Demark
The lowest layer is the connection to an external facility that we do not control directly, such as a telephone circuit or an external data line.
[Figure: the seven security layers drawn as a stack. POLICY, PERSONNEL and LAN at the top; the demarcation, GATEWAY and PACKET FILTER layers below them joined by Ethernet (E-net) links; the EXTERNAL-DEMARK at the bottom reached over an X.25 link.]
Unix Security Basics
The security policy is the cornerstone of such a security program. It is the living document of events and guidelines. Since all other implementation depends on this upper layer, preparing the policy document and keeping the security plan up to date is the most crucial point.
The policy should not cover all lower-layer details; a simple, general plan is preferable and produces better results.
Security Policy
• living documentation indicating events and guiding actions
• higher-level view of the authorized response
A Unix network security plan can be organized around five activities. The first is prevention: closing security holes and unnecessary services in light of the vulnerability and risk analysis. The others, detecting, testing, logging and recovering, are the actions taken around an attack event.
Categories:
• Locking Down - prevent intruders from being able to get into your systems.
• Logging - clues as to what's going on in your system.
• Detecting - automatically alert you about changes in the system.
• Testing - check the external security of the machines.
• Recovering - recover a compromised system in place.
Preventing intruders from getting into the system includes securing the network, turning off unnecessary services, securing the services that remain, providing secure access, and securing the Unix network services and filesystem.
The overall network structure should be designed according to the risk of the system. Firewall definitions and secure network zones must be provided for critical systems. Moreover, a network separate from those where threats are possible is always suitable for monitoring and administrative tasks.
Secure network
• Separation of private and public network
• Filtering and controlling protocols between network
Unnecessary services increase the possibility of vulnerabilities. Thus, configuring Internet services, restricting remote access and managing all running services must be done on every system. On a classic Unix system there are three places where services get started:
Turn off unnecessary services
• /etc/inittab (processes respawned by init)
• /etc/inetd.conf (services started on demand by inetd)
• /etc/rc*.d start-up scripts (daemons started at boot)
Applications on the system must be secure, and they must be configured within the overall security and network architecture. Securing their communication, applying password policies and checking for vulnerability updates are some of the tasks on the checklist.
Secure running services
• Add cryptographic capabilities to services that need them (for example SSL for web servers, encryption for databases).
• Keep to the latest patched versions (especially for large, exposed services such as sendmail, bind or apache).
• Change any default passwords used to manage services (databases, etc).
• Run services with the least authority they need (a dedicated non-root user, not root).
Communication must be encrypted for confidentiality and integrity. Internet services must be managed, and remote access restricted and controlled. There must also be a password policy, and mechanisms that push users to follow it.
Secure access
• SSH (OpenSSH) instead of telnet, rlogin and ftp
• tcpwrapper (/etc/hosts.allow, /etc/hosts.deny)
• use shadow passwords
• user password management and a policy for passwords
• limit superuser access
• limit physical access
Network services specific to Unix systems, such as NIS and NFS, may open security holes and need special attention.
Secure Unix network
• verify NFS exports and access (export read-only where possible, never to the world)
• verify NIS maps are writable only by root
• restrict the r-commands (rsh, rexec, rlogin, etc.)
The Unix filesystem is flexible for many operations, but it must be configured appropriately so that it does not leave open defects that lead to system vulnerabilities.
Secure UNIX filesystem
• verify all programs and shell scripts with the SUID or SGID bit set
• verify appropriate filesystem permissions
• verify system backups and restore procedures
Logging
System logs provide invaluable information about services and the system as a whole. Centralizing log management also strengthens security, because an intruder who gains root on one host cannot quietly erase the copies kept elsewhere. Some issues about logging relate to processing and managing the log files:
• syslogd: increase the log level, log to a separate filesystem, forward to a central log host
• tcpwrappers: allow, deny and log each connection to the services registered in inetd
• smtp, httpd, ftp logs
• automated analysis of logs
• automated log rotation
• process accounting
Moreover, critical systems use software packages to log incoming TCP packets, detect port scans and react according to the behavior of possible intruders. Note that a tool which blocks automatically reacts to the source address it sees, so an attacker who sends spoofed scans from an address you rely on can get that address blocked.
Software tools:
PortSentry: detects port scans and updates /etc/hosts.deny
Perro: logs incoming IP/TCP, IP/UDP and IP/ICMP packets
Detecting
Automatic alerts about changes in the system let administrators keep the system under control and protect it. An attacker who has gained root can replace the standard system commands and hide processes and connections, so that the administrator cannot tell the system is compromised. Root-kit detectors exist for this purpose. The preferred option is to checksum all critical applications and packages and watch for changes in the files, so that any tampering by a root-kit is noticed.
• rootshell: detects root-kits
root-kit tools: replacement programs for all standard utilities (ls, ps, netstat, login, ...)
• ifstatus: checks NICs for promiscuous mode (a sign of a sniffer)
• lsof: lists open files for running processes
• tcpdump: network packet analysis
• Tripwire: detects file replacement by comparing against a stored checksum database
• lpchk, rpm: detect changes in installed packages
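The script below is an added example, not part of the original paper, that combines two of the checks just listed: the "verify all programs with SUID and SGID" item of the filesystem checklist and the Tripwire-style checksum watch described here (the case study's "check suid root binaries" is the same task). It records every set-UID/set-GID program under a tree with its SHA-256, mode string and owner, then re-checks the tree and reports what was added, removed or changed. It assumes a POSIX shell with find, awk and ls, and either sha256sum (Linux) or digest(1) (Solaris 10 and later) on PATH; the paths in the usage comment are made up.

```shell
#!/bin/sh
# Added example, not from the original paper: baseline and re-check the
# set-UID/set-GID programs of a system the way Tripwire checks files.
# Usage:  sh suid_baseline.sh baseline /usr /secure/suid.base
#         sh suid_baseline.sh check    /usr /secure/suid.base
# Keep the baseline where an intruder with root cannot rewrite it
# (read-only media or a remote host), or a root-kit can re-baseline itself.

# SHA-256 of one file. Assumption: sha256sum (GNU/Linux) or digest (Solaris) exists.
checksum_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        digest -a sha256 "$1"
    fi
}

# Every regular file under $1 with the set-UID or set-GID bit, sorted.
# (set-GID on a directory only controls group inheritance, so -type f.)
find_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Baseline format, one tab-separated line per file:
#   sha256 <TAB> mode-string <TAB> owner <TAB> path
# ls -ld is used for mode and owner because it is portable across Unixes.
make_baseline() {          # $1 = directory tree to scan, $2 = baseline file to write
    tree=$1; out=$2
    find_suid_sgid "$tree" | while IFS= read -r f; do
        set -- $(ls -ld "$f")          # $1 = mode string (-rwsr-xr-x), $3 = owner
        printf '%s\t%s\t%s\t%s\n' "$(checksum_file "$f")" "$1" "$3" "$f"
    done > "$out"
}

# Compare the tree now against a baseline. Prints one ADDED / REMOVED /
# CHANGED line per difference; returns 1 if anything differs, 0 if clean.
check_baseline() {         # $1 = directory tree, $2 = baseline file
    tree=$1; base=$2
    now=$(mktemp)
    make_baseline "$tree" "$now"
    diffs=$(awk -F'\t' '
        FILENAME == ARGV[1] { old[$4] = $1 FS $2 FS $3; next }
                            { new[$4] = $1 FS $2 FS $3 }
        END {
            for (p in old) { if (!(p in new)) print "REMOVED", p }
            for (p in new) { if (!(p in old)) print "ADDED", p;
                             else if (new[p] != old[p]) print "CHANGED", p }
        }' "$base" "$now")
    rm -f "$now"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# Command-line entry point; does nothing when the file is only sourced.
case "${1:-}" in
    baseline) make_baseline "$2" "$3" ;;
    check)    check_baseline "$2" "$3" ;;
esac
```

Run "baseline" once on a freshly installed and patched host, and "check" from cron; a non-zero exit is the alert. A program that merely loses its set-UID bit shows up as REMOVED, which is just as worth a look as a new one.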
Testing
The resistance of your system must be tested before an intruder succeeds in getting in. Security is gaining importance, and new and smarter testing and checking applications keep appearing on the market. Some known programs are listed for testing basic problems that may have been forgotten by mistake:
• secure-sun-check - checks for common SunOS security configuration problems
• SecureScan - checks for IRIX security problems
• pmap_tools - tool suite to check for portmap, rpc and rpcbind vulnerabilities
• nmap - port scanner with service and OS fingerprinting
• ISS - network vulnerability scanner
• Fremont - a network discovery tool
Case Study: Hardening Solaris
Sun Solaris is a well-known operating system with a wide range of service implementations in industry. First of all, the installation of a new machine must be done with security constraints in mind. Installing the minimal software is always better, since most development and desktop tools have defects. Every package is a potential threat, so installing only the required packages and discarding unnecessary applications is the advised strategy.
The partition layout is defined at installation, and it is important to have a separate /var partition for the log files. To eliminate a denial-of-service attack in which a flood of log messages (or mail) fills up the partition, the root partition in particular should not hold any growing log files.
After the installation, the recommended patches should be applied immediately. If a machine is connected to the network with a publicly announced vulnerability, intruders can attack it easily.
Installation:
• Load the minimum installation (Core cluster): the less software that resides on the box, the fewer potential security exploits or holes.
• Separate /var partition (denial of service if it fills up; logging, e-mail).
• Install the recommended patches.
After the installation, unnecessary services should be turned off and the init level reconfigured so that only the required programs are activated. NFS, autofs, the print service, sendmail, snmp and dtlogin are applications that must be used with care to avoid an attack disaster.
Eliminating Services:
• /etc/inetd.conf (eliminate unnecessary services)
• /etc/rc2.d and /etc/rc3.d start-up scripts: S73nfs.client S74autofs S80lp S88sendmail S71rpc S99dtlogin S15nfs.server S76snmpdx
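The script below is an added example, not the paper's own material, showing how the "Eliminating Services" steps (and the generic "turn off unnecessary services" list earlier) can be applied mechanically and rehearsed first on a copy of the configuration tree: it disables boot-time scripts by renaming them so that init no longer runs them, comments the chosen services out of inetd.conf, and reports what is still enabled. It assumes the classic Solaris 2.x to 9 layout (/etc/rc2.d, /etc/rc3.d, /etc/inetd.conf) under a root prefix given as the first argument, and a POSIX shell with awk; the script names are those listed above, and the inetd service names are the usual cleartext and r-services. Disabling S71rpc also takes down NIS, NFS and CDE, so it belongs in the list only on a host that needs none of them.

```shell
#!/bin/sh
# Added example, not from the original paper: turn off Solaris boot-time
# and inetd services under a root prefix so the change can be rehearsed
# on a copy of /etc before it is applied to the live system with "/".
# Assumption: classic Solaris layout, /etc/rc2.d, /etc/rc3.d, /etc/inetd.conf.

# init runs only rc scripts whose names begin with S (start) or K (kill).
# Renaming S80lp to _S80lp keeps the script for rollback but drops it from
# the boot sequence. Returns 1 if there was no such script.
disable_rc_script() {      # $1 = rc directory, $2 = script name
    [ -e "$1/$2" ] || return 1
    mv "$1/$2" "$1/_$2"
}

# Comment out every active inetd.conf entry for service $2. The first
# field is the service name from /etc/services, or for RPC services the
# program name followed by /version (rstatd/2-4), hence the index() test.
# The file is rewritten in place so its owner and mode are preserved.
disable_inetd_service() {  # $1 = inetd.conf path, $2 = service name
    tmp=$(mktemp)
    awk -v svc="$2" '
        $1 !~ /^#/ && ($1 == svc || index($1, svc "/") == 1) { print "#" $0; next }
        { print }' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Names of the services inetd would still start (non-comment, non-blank lines).
enabled_inetd_services() { # $1 = inetd.conf path
    awk '!/^[ \t]*#/ && NF { print $1 }' "$1"
}

# Apply the case-study list to the tree rooted at $1 (use / for the live host).
lockdown() {
    root=${1:-/}
    for s in S73nfs.client S74autofs S80lp S88sendmail S71rpc S99dtlogin S76snmpdx; do
        disable_rc_script "$root/etc/rc2.d" "$s" || echo "no $s in rc2.d"
    done
    disable_rc_script "$root/etc/rc3.d" S15nfs.server || echo "no S15nfs.server in rc3.d"
    # r-services, cleartext logins and the classic "small servers"
    for svc in shell login exec telnet ftp tftp finger echo chargen discard daytime; do
        disable_inetd_service "$root/etc/inetd.conf" "$svc"
    done
    echo "inetd services still enabled:"
    enabled_inetd_services "$root/etc/inetd.conf"
}
```

After running it against "/", send inetd a HUP (or reboot) and confirm with netstat -a that the ports are really closed; the list printed at the end is what you still have to justify in the policy.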
The system log mechanism should be set up. It is advised to keep log files with as much detail as possible; log messages are indispensable because they are usually the only way to gather information about a suspicious case. An intruder may change or delete log messages, so a centralized log mechanism strengthens the security model of the system. Useful tools for collecting logs and generating alert messages are syslog-ng (syslog next generation), swatch, rtail, php-syslog-ng and logcheck.
Logging:
• /var/adm/loginlog (must be created by the administrator; login then records consecutive failed login attempts)
• /var/adm/sulog (every su attempt, successful or not)
• /etc/ftpusers (accounts, root above all, that are denied ftp login)
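As an added example (not from the original paper) of the "automated analysis of logs" item, the script below picks the security-relevant events out of the two Solaris log files just listed and raises an alert when one account keeps failing to become root. The line formats it parses are the usual Solaris layouts as I understand them, stated in the comments and treated as assumptions; the sample log lines in the usage test are constructed. It needs only a POSIX shell, awk and sort.

```shell
#!/bin/sh
# Added example, not from the original paper: summarise su and login
# failures from the Solaris log files and alert on repeated attempts.
# Assumed line formats (constructed from the usual Solaris layout):
#   /var/adm/sulog     SU MM/DD HH:MM +|- tty from-to   ('+' success, '-' failure)
#   /var/adm/loginlog  user:tty:date                    (one line per failed login)

# Failed su attempts whose target is root, counted per source user,
# most frequent first, printed as "count user".
failed_su_to_root() {      # $1 = sulog path
    awk '$1 == "SU" && $4 == "-" && $6 ~ /-root$/ {
             sub(/-root$/, "", $6); n[$6]++ }
         END { for (u in n) print n[u], u }' "$1" | sort -rn
}

# Successful su to root: every line here should be a name the
# administrator recognises.
successful_su_to_root() {  # $1 = sulog path
    awk '$1 == "SU" && $4 == "+" && $6 ~ /-root$/ { print $2, $3, $5, $6 }' "$1"
}

# Failed logins per account from loginlog. login(1) only starts writing
# this file once an account has failed RETRIES times in a row (5 by
# default in /etc/default/login), so any entry at all is worth a look.
failed_logins() {          # $1 = loginlog path
    awk -F: 'NF >= 3 { n[$1]++ } END { for (u in n) print n[u], u }' "$1" | sort -rn
}

# One ALERT line per user with at least $2 failed su-to-root attempts.
su_alerts() {              # $1 = sulog path, $2 = threshold
    failed_su_to_root "$1" | awk -v t="$2" '$1 >= t {
        print "ALERT: " $1 " failed su to root by " $2 }'
}

# Daily summary, meant to be mailed to the administrator from cron.
daily_report() {           # $1 = sulog, $2 = loginlog, $3 = alert threshold
    echo "== successful su to root =="; successful_su_to_root "$1"
    echo "== failed su to root (count user) =="; failed_su_to_root "$1"
    echo "== failed logins (count account) =="; failed_logins "$2"
    su_alerts "$1" "$3"
}
```

Because an intruder with root can edit these files, run the report on the copy forwarded to the central log host rather than on the machine itself.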
The network is the most crucial resource for the security of the computers. The inet daemon must be configured to filter connections and to log both accepted and refused access; TCP wrapper (tcpd) is the tool that provides this control over network connections.
Another security hole is the remote login commands (rlogin, rsh, rexec). They are used to access and run commands on a remote computer, and their configuration must not be skipped. It is usually a good idea to create the .rhosts and .netrc files of the superuser as empty files with zero permissions, so that nobody can add entries that would allow administrator access through the r-commands.
/etc/hosts.allow and /etc/hosts.deny define the access list for the whole system. /etc/hosts.equiv configures the r-commands for all users except the superuser.
Connection:
• TCP wrapper: configure inetd.conf to run services through tcpd; logs in /var/adm/tcpdlog; access lists in /etc/hosts.deny and /etc/hosts.allow
• SSH connections
• configure access for the r-commands: .rhosts, .netrc and /etc/hosts.equiv
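The script below is an added example, not the paper's own, for the two items above and for the "tcpwrapper" entry in the Secure access list: it evaluates the tcpd access decision for a (daemon, client address) pair from a hosts.allow and a hosts.deny file, so a change to those files can be checked before it is deployed, writes the deny-by-default pair the case study calls for, and creates the empty, unreadable .rhosts and .netrc for the superuser. The evaluation order is the one tcp_wrappers uses (allow file first, then deny file, then permit). Only the client-pattern subset needed here is implemented, as the comments state; the 192.168.10.0/24 admin network is made up, and the code assumes a POSIX shell with sed, awk and tr.

```shell
#!/bin/sh
# Added example, not from the original paper: evaluate the tcpd(8) access
# decision for a (daemon, client address) pair from a hosts.allow and a
# hosts.deny file, so a policy change can be checked before it is deployed.
# Order of evaluation is the one tcp_wrappers uses: hosts.allow match -> allow,
# else hosts.deny match -> deny, else allow. Supported client patterns
# (assumption: the subset needed here): ALL, exact IPv4 address, dotted
# prefix like "10.1.", and net/mask with a dotted mask like
# 192.168.10.0/255.255.255.0. Hostnames, KNOWN/LOCAL/PARANOID, EXCEPT and
# CIDR masks are not handled.

# True if IPv4 address $1 matches client pattern $2.
ip_matches() {
    ip=$1; pat=$2
    case "$pat" in
        ALL) true ;;
        */*)
            net=${pat%/*}; mask=${pat#*/}
            # split all three addresses into octets: $1-$4 ip, $5-$8 net, $9-$12 mask
            set -- $(printf '%s %s %s\n' "$ip" "$net" "$mask" | tr '.' ' ')
            [ $(($1 & $9)) -eq $(($5 & $9)) ] &&
            [ $(($2 & ${10})) -eq $(($6 & ${10})) ] &&
            [ $(($3 & ${11})) -eq $(($7 & ${11})) ] &&
            [ $(($4 & ${12})) -eq $(($8 & ${12})) ] ;;
        *.) case "$ip" in "$pat"*) true ;; *) false ;; esac ;;
        *)  [ "$ip" = "$pat" ] ;;
    esac
}

# True if daemon $1 appears in daemon list $2 (ALL, or names separated by commas/blanks).
daemon_matches() {
    for d in $(printf '%s\n' "$2" | tr ',' ' '); do
        [ "$d" = ALL ] || [ "$d" = "$1" ] && return 0
    done
    return 1
}

# True if some rule in file $1 matches daemon $2 from address $3.
# Rule syntax: daemon_list : client_list [: shell_command]; '#' starts a comment.
file_matches() {
    [ -f "$1" ] || return 1
    sed 's/#.*//' "$1" | {
        while IFS=: read -r daemons clients rest; do
            for c in $(printf '%s\n' "$clients" | tr ',' ' '); do
                if daemon_matches "$2" "$daemons" && ip_matches "$3" "$c"; then
                    exit 0      # inside the pipeline's subshell: reports the match
                fi
            done
        done
        exit 1
    }
}

# Print "allow" or "deny" for daemon $1 from address $2 with hosts.allow $3 and hosts.deny $4.
wrapper_decision() {
    if file_matches "$3" "$1" "$2"; then echo allow
    elif file_matches "$4" "$1" "$2"; then echo deny
    else echo allow            # no rule matched: tcpd lets the connection through
    fi
}

# The deny-by-default pair the case study calls for, written to directory $1
# (use /etc on a real host). The admin network address is made up.
write_sample_policy() {
    cat > "$1/hosts.allow" <<'EOF'
# constructed sample: only the admin network may reach sshd
sshd: 192.168.10.0/255.255.255.0
EOF
    cat > "$1/hosts.deny" <<'EOF'
# catch-all: WITHOUT this line every wrapped service not listed in hosts.allow is open
ALL: ALL
EOF
}

# Empty, unreadable .rhosts and .netrc in the superuser's home ($1, "/" on Solaris)
# so nobody can plant trusted-host entries for root.
lock_root_rfiles() {
    for f in .rhosts .netrc; do
        rm -f "$1/$f"
        : > "$1/$f"
        chmod 000 "$1/$f"
    done
}
```

The point the evaluator makes concrete is the default: tcpd permits anything that matches neither file, so a hosts.allow without the "ALL: ALL" line in hosts.deny restricts nothing. On a live host, tcpdchk and tcpdmatch from the tcp_wrappers distribution perform the full check, including hostname patterns.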
Solaris has a flexible network stack; the IP module should be tuned with ndd according to the characteristics of the service that will run (for example, a host that is not a router should have ip_forwarding and ip_forward_src_routed set to 0). Another important point is buffer-overflow attacks. The system administrator should be aware of such vulnerabilities and patch the programs known to be affected; on SPARC hardware the kernel can also be told to refuse to execute code on the user stack, which defeats the simplest stack-smashing exploits.
Binaries with the set-UID bit run with the rights of their owner, for set-UID-root binaries the superuser. Thus, search out and check all such programs to be sure about open gates for access.
Solaris has a security toolkit, JASS (the Solaris Security Toolkit); it can be used to enhance the quality of the security mechanism.
• Configure the IP module with ndd (/dev/ip parameters such as ip_forwarding, ip_forward_src_routed and ip_respond_to_echo_broadcast)
• Configure /etc/system for a non-executable user stack (set noexec_user_stack=1 and set noexec_user_stack_log=1, then reboot)
• Check set-UID root binaries
• Use the Solaris Security Toolkit (JASS)
References
S. Garfinkel, A. Schwartz, G. Spafford. Practical Unix and Internet Security. O'Reilly, Feb 2003.
http://securityfocus.org
http://www.cert.org
http://www.sun.com/documentation/
http://www.auscert.org.au/Information/Auscert_info/papers.html
F. T. Grampp, R. H. Morris. "UNIX Operating System Security." AT&T Bell Laboratories Technical Journal, October 1984.
W. R. Cheswick, S. M. Bellovin. Firewalls and Internet Security. Addison-Wesley, 1994.
R. Reinhardt. An Architectural Overview of UNIX Network Security. ARINC Research Corporation, 1993.
L. Spitzner. Armoring Solaris: Preparing Solaris for a firewall. spitzner.net, 2001.