Network Security - Delmar Cengage Learning
Network Security, Chapter 17

Chapter Goals
• Understand the need for security policies
• Understand security threats
• Understand types of attacks
• Understand security analysis
• Understand attack tools
• Understand network security defenses
• Understand what to do if you have been attacked

Network Security
• Many security experts consider the term network security an oxymoron.
• Securing a non-networked computer is difficult, but securing a networked computer sometimes seems impossible.
• Connecting systems to a network opens all sorts of avenues for security compromise, and much like drivers on New Year’s Eve, the security of one sysadmin’s hosts is often at the mercy of the security practices of other administrators on the network.
• In addition, corporate management is often oblivious to security concerns.
• Before the administrator can implement steps to secure enterprise systems, someone has to create policies regarding issues such as acceptable levels of vulnerability, acceptable levels of risk, and levels of necessary security.
• The policy group needs to determine if convenience of use outweighs data security.
  – WARNING: This chapter is intended as a primer on network security. System administrators who intend to connect systems to the Internet securely will need to read further.

• Policies
  – Long before a sysadmin begins implementing security measures, someone in a position of authority should have put pen to paper and created security policies for the site.
  – Without approved policies, the sysadmin is acting without the authority to enforce any rules/changes that need to be made to ensure the security of systems/data. This is the subject of many books.
  – Because each enterprise has different needs and goals, it is not possible beyond the range of best practice to stipulate what your policies should include.
  – Each set of policies should be customized for the site.
  – About the only guideline that seems to be somewhat universal is that the policies should stick to the KISS principle: Keep it simple, stupid!
  – Very detailed, wordy policies are often not read/understood by users. Worse yet, a certain class of users reads the policy with the idea “what can I get away with” in the back of his mind.

• Acceptable Use Policy
  – One policy every site should create is an acceptable use policy (AUP).
  – Some sites spell out the details of every acceptable and unacceptable action on the part of users in an AUP document.
  – Some sites reference other documents for details, and use the AUP for general guidelines and to make the broad statement that users should abide by the rules in the referenced documents.
  – Because the officers of the enterprise should approve the AUP, a simple one-page document that references other rules and regulations is often the smart way to go.
  – Such an AUP should rarely require change, so the officers should not have to discuss this document very often. However, the actual “rules of conduct” (the implementation of the policy) may change frequently, without the need for management approval.
  – Most AUP policies remind users that the computing resources of the enterprise are supposed to be a friendly, ethical community.
  – Actions that might be considered hostile are not welcome. Such actions might include (but not be limited to) the use of network sniffers, abusive email, denial-of-service attacks, visiting certain types of web sites from corporate hosts, perusing other users’ files or e-mail without permission, forging e-mail, profit-making activities, or masquerading as someone else on-line.
  – The policy should point the user to another document that paints a broader picture of the activities explicitly prohibited, and the consequences of such actions.

• Enforcement
  – Policies are useless unless they can be (and are) enforced.
  – Many sites have their legal counsel read and approve the document before it becomes part of corporate standards. This step helps ensure that the policy would withstand a legal test, and that the policy makers did not “take the law into their own hands” and/or create a document that could be fodder for litigation.
  – Even if the policy is “legal,” and has been blessed by the appropriate deities, someone has to enforce the rules. This “someone” is often the system administrator.
  – This is one of the more unpleasant parts of the system administrator’s job. Anytime the system administrator can hand this task off to others, it is usually tempting to do so.
  – The sysadmin may have to collect the evidence, and show why the incident is against the policies, but it is always nice when someone else is tasked with “enforcing” the policy based on the evidence.

• Implementing Security Policy
  – Once the site has agreed upon a security policy, the administrator needs to assess potential threats to the site and implement a strategy to minimize such threats. The following is a recommended general procedure for assessing and ensuring host security.
  1. Make sure hosts are up to date with the most current vendor patches.
  2. Survey your hosts to determine what services they offer.
  3. Once you know what services are offered, determine which services are mission critical and which are not required.
  4. When you have sorted out the required/unwanted service list, turn off unwanted services by editing start-up scripts and/or the [x]inetd.conf file.
  5. Once the unwanted services are turned off, you need to determine how you can protect the required services.
  6. With access to services protected, you should look at what type of information the services pass on to the network.
  7.
     Monitor security mailing lists such as bugtraq (available at http://www.securityfocus.org/). Watch for vulnerability announcements for any service your systems provide, and obtain/install bug fixes as soon as they are made available by the vendor of the service software.
  8. Monitor your log files and watch for signs of suspicious activity.

Threats
• Before exploring how to secure a networked environment, let’s examine the types of threats you might find in such an environment.
• Is data the item at risk?
• Is the business at risk?
• Are resources at risk?
• How do the bad guys gain access?
• Simply being aware of potential threats is a good thing, but formal risk analysis requires that you also know how likely a given threat is and/or the impact such an occurrence might have on the business.
• You want to get the “most bang for your buck” when spending money on security matters. Protecting against an unlikely threat is not a wise investment. For more information on risk management, visit http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
• The System Administration, Networking and Security Institute (SANS) publishes a “top 20” list of security problems.

• Who Is Attacking Us?
  – A key question that should be considered before jumping into the security chapter is “who is interested in attacking my site?” What do I have on my computer that is so interesting?
  – It is very difficult to guess the motives or identities of external attackers. Unfortunately, not all attacks come from outside the enterprise.
  – When an internal attack occurs, and is detected, the corporation will usually take action to discipline the attacker. Other than reprimand, this can include termination of employment, criminal proceedings, and/or civil litigation.
  – Internal attacks can be much more difficult to detect than external attacks, as they occur inside corporate defenses. Much of corporate monitoring and data collection is performed at the border with the outside world.
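The survey and monitoring steps of the eight-step host-security procedure above (steps 2 through 4 and step 8), as an added example that is not part of the lecture: a small POSIX shell script that lists the services still enabled in an inetd.conf-style file, reports those not on the site's required list, and flags log sources that touched many different wrapped services in one burst, which is the signature of an automated scan. The inetd.conf, the required-services list and the tcpd-style log lines are constructed sample data, and the threshold of four distinct services is an assumption.

```shell
#!/bin/sh
# Added example: helpers for steps 2-4 and 8 of the host-security procedure.
# Everything under $SAMPLE_DIR is constructed sample data, not a real host.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed inetd.conf: the commented-out tftp line is disabled, the rest are live.
cat > "$SAMPLE_DIR/inetd.conf" <<'EOF'
# service  socket  proto  wait    user  server          args
ftp        stream  tcp    nowait  root  /usr/sbin/tcpd  in.ftpd -l
telnet     stream  tcp    nowait  root  /usr/sbin/tcpd  in.telnetd
#tftp      dgram   udp    wait    root  /usr/sbin/tcpd  in.tftpd
shell      stream  tcp    nowait  root  /usr/sbin/tcpd  in.rshd
login      stream  tcp    nowait  root  /usr/sbin/tcpd  in.rlogind
ssh        stream  tcp    nowait  root  /usr/sbin/sshd  sshd -i
EOF

# Constructed result of step 3: the only inetd services this site needs.
printf 'ssh\nftp\n' > "$SAMPLE_DIR/required"

# Constructed syslog lines in the format tcpd writes ("connect from" /
# "refused connect from"). 203.0.113.7 hits five services in two seconds;
# 192.0.2.15 is a normal user touching two services minutes apart.
cat > "$SAMPLE_DIR/messages" <<'EOF'
Mar  3 10:01:02 host1 in.telnetd[1201]: refused connect from 203.0.113.7
Mar  3 10:01:02 host1 in.ftpd[1202]: refused connect from 203.0.113.7
Mar  3 10:01:03 host1 in.rlogind[1203]: refused connect from 203.0.113.7
Mar  3 10:01:03 host1 in.rshd[1204]: refused connect from 203.0.113.7
Mar  3 10:01:04 host1 in.fingerd[1205]: refused connect from 203.0.113.7
Mar  3 10:05:11 host1 in.telnetd[1320]: connect from 192.0.2.15
Mar  3 10:09:40 host1 in.ftpd[1401]: connect from 192.0.2.15
Mar  3 10:12:00 host1 sshd[1500]: Accepted publickey for admin from 192.0.2.15
EOF

# Step 2: services still enabled in an inetd.conf-style file, i.e. the first
# field of every line that is neither blank nor commented out.
enabled_inetd_services() {
    awk 'NF > 0 && $1 !~ /^#/ { print $1 }' "$1"
}

# Step 4: enabled services that are not in the required list ($2, one name per
# line). These are the lines to comment out before restarting inetd.
unwanted_inetd_services() {
    enabled_inetd_services "$1" | grep -v -x -F -f "$2" || :
}

# Step 8: sources that contacted at least $2 distinct wrapped services.
# One address walking many services is the fast-and-noisy scan signature;
# a low-and-slow scan needs the same count kept over days, not one log file.
scan_sources() {
    awk -v min="$2" '
        /connect from/ {
            daemon = $5; sub(/\[.*/, "", daemon)   # "in.ftpd[1202]:" -> "in.ftpd"
            src = $NF
            if (!((src, daemon) in seen)) { seen[src, daemon] = 1; count[src]++ }
        }
        END { for (s in count) if (count[s] >= min) print s, count[s] }
    ' "$1" | sort
}

echo "Enabled inetd services:"
enabled_inetd_services "$SAMPLE_DIR/inetd.conf"
echo "Unwanted (disable these):"
unwanted_inetd_services "$SAMPLE_DIR/inetd.conf" "$SAMPLE_DIR/required"
echo "Probable scanners (>= 4 distinct services):"
scan_sources "$SAMPLE_DIR/messages" 4
```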
  – Although external attacks may be more easily detected, punishment of the perpetrator is often nearly impossible.
  – External attacks are often undertaken from third-party sites. The attacker is hiding behind someone else’s system to attack your site.
  – Even if you can trace the attack to the third-party site, you have to rely on that site to track the attacker to the next site he hides behind.
  – If you get extremely lucky, and gather enough evidence to positively identify the perpetrator, punishment will often be impossible, as the perpetrator is a foreign entity.
  – Worse yet is the fact that many companies will refuse to press charges, as they do not want the negative publicity.
  – As far as security work goes, the best policy is to treat all attacks, whether internal or external, the same.
  – You need to collect evidence with the idea in mind that the case will go to court. This means that the sysadmin needs to know and understand the legal issues involved with the rules of evidence.
  – Every step taken to identify the attack and track the perpetrator needs to be handled within the limits of the appropriate laws.
  – If your enterprise has in-house legal counsel, it would be wise to involve them from the very first signs of an attack.

• Theft of Data
  – One of the important classes of threats is theft (or attempted theft) of information from compromised computers.
  – Sometimes this may be part of an espionage activity by a party outside the enterprise.
  – Sometimes it may be a disgruntled employee trying to see how much money employee X makes.
  – Even activities such as reading someone else’s e-mail as it goes by on the network, or reading user files because they are improperly protected, might be considered “theft of data.”
  – Protecting corporate data is one of the prime activities of the system administrator.
  – Ensuring that data is stored securely on the system is certainly part of the administrator’s responsibility.
    If the system administrator is also responsible for the network, the responsibility extends to ensuring that the network is secure, and that prying eyes cannot collect data from the network.

• Theft of Assets
  – Another important threat is one that attempts to steal assets using corporate computers.
  – This could be the theft of credit card numbers, bank account information, or personal information about employees (identity theft).
  – Some enterprises consider corporate data and corporate assets as one entity. Others consider these two separate entities, and have separate rules governing access to each.
  – Like theft of data, some portion of protection of assets falls on the shoulders of the system administrator.
  – Other portions of this task may fall on web administrators, network administrators, and others in the enterprise. But more often than not, the system administrator has the responsibility for the protection of this information.

• Theft of Services
  – A very large percentage of system compromises are not carried out with the intent to steal assets or data from systems.
  – The vast majority of compromises are carried out to steal services from enterprise computers.
  – The attacker does not care what is on the computer, and may not even look to see what is there. She broke in so that she could use your computer to attack someone else.
  – If you join any of the hacker bulletin-board/IRC systems, you may be surprised to see others on the channel “trading” the fruits of their attacks.
  – The attackers use your system to hide behind. They use your system to attack other systems. If they get caught attacking someone else, that “other” entity thinks you are responsible, as the attack came from one of your computers! The attacker packs up and moves to another compromised system to hide and start again.
  – Quite often, your systems are used in concert with other compromised systems to enact distributed denial of service (DDOS) attacks on some other entity.
  – When the attacker decides he has enough ammunition, he commands all of his compromised drones to attack some other site.
  – Huge streams of network traffic coming from many seemingly unrelated sites blind the site under attack.
  – The site is effectively “out of business” until administrators responsible for those systems can be convinced to shut down the attacking drones. This is often a very time-consuming and expensive problem.

• Local Versus Network Issues
  – The principal difference between network security and local security is the fact that you have some control over your local users, but you have very little or no control over users that come to your site through the network.
  – You can, however, exercise some level of control over which files and services your users have access to, and which of your users have access to a specific computer.
  – When you connect your computer to the network, you silently give much of your control to the designers who implemented the network, and to the network services your systems support.
  – You might quickly learn that not everyone on the Internet wants to be a friendly neighbor.

Types of Attacks
• How do the bad guys gain access to your hosts?
  – In many cases they exploit well-known security holes in the system software. The generic sequence of events in most attacks is as follows.
    • Perform reconnaissance: Often through the use of network scans
    • Determine points of weakness: Analyze the output from the scan
    • Exploit weak points: Attack the weak points found by the scan
    • Hide the evidence: Patch the hole and “root kit” the system so that others cannot see that the machine has been compromised
    • Burn, pillage, and loot: Use the compromised system for activities other than its intended purpose
  – Sometimes these steps happen in very rapid succession (within seconds or minutes of each other). This is indicative of an automated scanning tool.
    Other times these steps may occur very slowly (over a matter of days or weeks). The slower scans are often intended to escape detection by staying “under the radar” of anyone watching error logs and other alarm systems.

• Host-provided Services
  – Hosts that provide services on the network do so according to rules that govern network communications.
  – For the TCP/IP protocol, hosts are required to use an Internet Protocol address to identify themselves. This IP address is similar to a street address; it tells other computers on the Internet where this host is located. All communications bound for this host are sent to the host’s IP address.

• Extending the IP Address Through Ports
  – Hosts on the Internet often provide services used by other hosts on the Internet. For example, the telnet, ftp, mail, http (web service), and ssh utilities are services provided by typical hosts. These services may be provided using the Transmission Control Protocol (TCP services), or the User Datagram Protocol (UDP services).
  – These protocols provide a simple extension of the IP address scheme in order to provide “entry points” for network services. This extension is called a port. Every computer provides up to 65,536 TCP ports and up to 65,536 UDP ports where network services live.

• Persistent Services
  – Persistent services are started at boot time by init scripts.
  – These services bind themselves to a port, and are always running. When a remote system wants to connect to a service on the local host, it contacts the port number for the persistent service.
  – The persistent service (typically) creates a copy of itself, starts the copy running on an ephemeral port, and directs the caller to talk to the copy of the service running on the new port.
  – Typical persistent services are smtp (e-mail), httpd (WWW server), and inetd. The inetd daemon is a “super daemon.” It manages several other service daemons that are not persistent.
• inetd Services
  – The inetd daemon manages nonpersistent services.
  – These services are launched upon demand by inetd.
  – When the system boots, inetd reads its configuration file (/etc/inetd.conf or /etc/xinetd.conf) and binds itself to several ports.
  – When a request comes in for one of the inet-managed services, the inetd binary launches the real service daemon, and connects the caller to the service (much like an old manual telephone switchboard).
  – Typical inet-controlled services include tftp, ftp, telnet, rlogin, rsh, and ssh.

• RPC Services
  – Another method of providing network services is via the Remote Procedure Call (RPC) interface.
  – Calling programs contact the rpcbind (sometimes called the portmapper) process to ask if the host provides a specific service.
  – The rpcbind daemon checks its configuration files to see if the service is being offered, and if so redirects the caller to the port where the requested service is listening.

• Preventing Unauthorized Access to Services
  – One way hackers gain unauthorized access to your systems is to contact the services your computer is providing. For this reason, one of the best defenses against unauthorized access is to disable services you do not need to provide.
  – Another good defense against unauthorized access to your computers is to put a wrapper around the service.
  – The wrapper checks to see if the caller is authorized to connect to the service. One tool that provides this wrapper service is the tcp_wrapper utility.
  – How do hackers find what services your computer is providing? They use a tool that can scan the network, probing each of the 131,072 ports on every IP address. These tools are known as port scanners, and they are used to implement network scans.

• Network Scans
  – One method of performing reconnaissance is to scan the “target” network.
  – Each of the scanning tools released does a little bit more, or a little bit better job, than its predecessor. The types of tools and the success they provide are frightening.
  – One of the things a sysadmin should do is download these tools and try them against his own hosts. This allows the administrator to harden the network based on the findings of the tools.
  – Knowledge of these tools also helps the administrator understand what type of information the attacker is trying to gather, and what clues the system will give when under attack by someone else using this tool.

• Low and Slow
  – One of the most worrisome types of network scans is one that is barely perceptible.
  – The attacker works very slowly, and very methodically, to gather information about the target.
  – These scans are worrisome because someone is trying to gather information very discreetly. They are trying to stay below the system administrator’s radar (low), so they are very patient (slow). The attacker is often a skilled and very determined foe.
  – These attacks typically lead to theft of important data or assets from the target site.
  – These attacks can be very costly to the enterprise. If someone manages to steal all of the corporate secrets, the company could be out of business.
  – Worse yet, if the attack is detected, and word leaks to the news media, the site’s customers (and possibly shareholders) may abandon the company due to lack of confidence.

• Fast and Noisy
  – The alternative to a low and slow scan is a fast and noisy scan.
  – The tools employed for these scans can map out an entire Class B network space in a matter of minutes (fast).
  – Well-instrumented target systems should spew reams of warning messages when these scans hit (noisy).
  – Many times the scanning tools used in a fast and noisy attack have the ability to compromise a system as soon as a vulnerability is found.
    Although these tools are very efficient, they give you plenty of warning that they have visited your site.
  – Quite often the attacker is looking to compromise as many systems as possible to use for attacks on others, or as an army of drones in an upcoming attack.
  – The attacker is often somewhat skilled in computing. They may have developed their own attack tool, and used your site as a test to see if it worked in the wild.
  – These attacks can be very bothersome for the system administrator. Someone has to clean up the mess made by the attackers. This often means collecting forensic evidence, determining how to protect against such attacks in the future, and then rebuilding the infected systems from distribution media.

• Script Kiddies
  – Script kiddiez and ankle biterz are just two of the demeaning epithets for attackers perceived as possessing few real computer skills.
  – The scripted attacks are often fast and noisy. The attackers often use someone else’s scanning tools that they downloaded from the Internet, and the attacker may not even understand how the tool works.
  – Many times the attacker “saw this tool on the net and decided to try it out.” Once they compromise a system, the attackers usually do not look for data to steal; the system was hacked for sport, and/or to use in attacks against other sites.
  – These attacks are often the most vexing for the system administrator.
    • The scripts used in the attack have little mercy.
    • The attack tools blindly replace system binaries as part of their attempt to be stealthy once the system has been compromised.
    • If the purpose of the attack is to assimilate a drone, or otherwise attack other hosts, the tool makes no attempt to limit its consumption of resources.

• Buffer Overflows
  – Many scripted attacks scan an entire network looking for a specific service to compromise. These attacks often look for a version of a network service known to have a security flaw.
    Quite often the flaw the attack seeks is a buffer overflow.
  – Buffer overflow attacks take advantage of poor coding practice on the part of the network service developer.
    • The developer did not take the time/effort to ensure that data read by the program/service would actually fit into the container provided to hold that data.
    • When too much data is provided to such a program, the data overflows the buffer (container).
    • If the vulnerable program operates with special privileges, this often allows the attacker to craft an attack that will give them access to your system with these elevated privileges.
  TIP: One of the best ways to protect against buffer overflow attacks is to limit services your hosts offer, and to keep up to date with security patches from your software vendors.

• Some operating systems provide a means of disabling “stack execution” on their systems.
  – Buffer overflow attacks often rely on the ability to overflow the buffer with code that lives on the program stack.
  – The code that overflows the buffer is typically a small program that will spawn a privileged shell.
  – Once the buffer overflow has been accomplished, and the program tries to exit, the exploit code is executed, and the attacker has access to the system.
  – These attacks rely on the stack allowing the execution of the exploit code.

• Disabling the ability to execute code from the stack can help defuse some of these attacks.
  – For example, if the following directives are placed in the Solaris /etc/system file, the system will prohibit many of the buffer overflow attacks from executing exploit code for the attacker.
  – These directives also command the system to log a message warning that someone attempted a buffer overflow attack.

        set noexec_user_stack=1
        set noexec_user_stack_log=1

  – Unfortunately, this method is not foolproof, as there are ways to defeat this security mechanism.
  – Fortunately, most of the “attack tools” do not (currently) implement methods to get around this defense.

• Other operating systems are compiled using special compilation techniques that are supposed to prevent buffer overflow attacks.
  – There is a special version of RedHat Linux (Immunix), compiled with a StackGuard compiler, that is supposed to stop buffer overflows.
  – Like the Solaris technique, this attempt has produced modest success, but the hacking community has found holes in this defensive strategy.
  – Defense in depth may be the only short-term hope for elimination of successful buffer overflow attacks.
• NOTE: Buffer overflows also affect non-network services. Many buffer overflow exploits require that the attacker be logged in on your system. Once the attacker is logged in on a valid user account, he often exploits a buffer overflow in a setuid program to gain unauthorized privileges on the system.

• Social Engineering
  – One of the oldest, yet still widely successful, attack tools is social engineering.
  – Many security consultants make use of social engineering tactics when performing security audits.
  – One social engineering method has the attacker do something as simple as call an employee on the phone and ask for information that will help the attacker gain access to the computer.
    • Access to the computer makes the task of compromising the computer much easier to accomplish.
  – Another form of social engineering is “dumpster diving.”
    • The attacker goes through the company trash looking for slips of paper that might contain user names, phone numbers, e-mail addresses, and sometimes passwords. Sometimes the attacker gets lucky and finds network drawings, printouts of router filters, or other critical information that can assist in attack planning and execution.
  – The best way to protect against social engineering reconnaissance is to educate your users about security.
    Utilities that require frequent password changes, or that use one-time passwords, also help limit the success of social engineering attacks. A system administrator who looks for odd log-in locations/times of users can help detect such attacks. A good paper shredder is also a handy tool to have on hand to secure (several facets of) an office environment.

• Sniffers
  • Packet sniffers are multi-faceted attack tools.
  • The attacker may use a sniffer to perform social engineering.
    – The attacker can listen to all conversations, and collect log-in names, passwords, and other information that will assist her when she decides to compromise a host.
    – Wireless networks are extremely susceptible to this form of attack. Administrators who come across the output from packet sniffers might need to contact hundreds of users and make them change their passwords.
  • Packet sniffers may also be used as part of the orchestration of much more technically challenging attacks.
    – The attacker may capture secret encryption keys as they traverse the network. By recording the keys, and all communications using those keys, the attacker has the means of decrypting the communication.
    – Sniffers can also be used to provide information on how the attacker might hijack a communication session, or masquerade as a trusted host to gain access to private information.
  • Most of the time sniffers are nearly impossible to detect. The sniffer does not generate any network traffic. They merely sit and listen to everything that goes by on the network.
  • At some point the attacker contacts the sniffer, and collects the information for “off-line” analysis. If nobody notices the sniffer in action, it may be present on the network for months (or longer), collecting information for the attacker.

System Security Analysis
• Every system administrator should be concerned about the security of his or her systems, but how do you determine how much security is enough?
  What should you do to ensure that your systems are secure?

• Defense in Depth
  – One way to view the security of a well-secured system is to compare it to the layers of an onion.
  – Security tools and techniques provide layers of protection from unauthorized use such that the inner layers may stop an attack that managed to get past outer layers.
  – This is often called “defense in depth.” From a security standpoint, defense in depth of a computer begins with a secure local system (the core), followed by a layer of checks using tools such as tripwire. A layer of password controls and monitoring is an essential layer of system security, as is an outer layer of carefully configured services.
  – You also need to apply this defense in depth security model to the network equipment itself.
    • Routers and switches and other network gear should be secured using the layered defense strategy.
    • Secure hosts providing secured services to “secured users” on a secure network might allow a paranoid sysadmin to get a few hours of sleep at night.

• Patches
  – Before you attempt to test the security of your systems, it would be wise to install the latest patches available from the vendor.
  – Keeping up with patches is a time-consuming, tedious process, but it is also one of the best ways to keep your system secure.

• Tripwire
  – Another thing you may want to do before testing your systems is update your tripwire databases, and make sure you will be able to catch any files that change as a result of the security testing.
  – Some of the test tools will attempt to create files on your system in order to “prove” that the tool was able to compromise the system.

• Tools
  – New security tools appear on the Internet every day. The tools discussed in the sections that follow are a minuscule sample of all that are currently available. These have withstood the test of time and remain popular and viable security assessment tools.
  – A vigilant sysadmin should also download and try many other tools. Knowing how these tools work helps the administrator secure systems against attacks. Watching messages generated by these tools should also help the administrator recognize when the tool is used to attack hosts.

• Entercept
  – The Entercept package is a server-based intrusion protection package.
  – The Entercept package is a multi-layer tool that protects applications, the operating system, and communications drivers.
  – This protection is provided via a set of behavioral rules, system call interception, and http (web server) call interception.
  The Entercept package is available at http://www.entercept.com/

• Crack
  – Crack, although not a network scanner, is a very useful tool to have in the security toolbox.
  – Crack is a password cracker. Although some may argue that it is better to have a password program that will not allow users to choose “bad” passwords, a good password cracker can be a very useful tool.
  – If you think you have a good password program, periodic Crack scans can assess just how good the password program is.
  – Crack employs various encryption algorithms and dictionaries to try to break the passwords on the system.
  – Because the inner layer of defense in depth relies on strong user authentication, a good password cracker is essential.
  The Crack tool was developed by Alec Muffett, and is available at ftp.cert.org

• COPS
  – Another tool that is not a “network” security scanner but is still a useful scanner is the Computer Oracle and Password System (COPS).
  – The COPS scanner attempts to break passwords, check file permissions on the system, and locate setuid/setgid programs.
  COPS was written by Dan Farmer, and is available at http://www.cerias.purdue.edu/

• Center for Internet Security Scanner
  – The Center for Internet Security (CIS) scanner project is a program that may be used as a ruler to judge how your system measures up as far as security is concerned.
  – The CIS scanner checks your system against a list of settings known to provide reasonable security.
    • For each setting your system meets or exceeds, you score points. For each setting your system falls below the recommended setting, you lose points.
    • The final outcome of the scan is a score between 0 (low) and 10 (high), which provides a relative indication of how secure your system is.
    • The CIS scanner is available at http://www.cisecurity.org/
    • The CIS site also contains tools for checking your system for the SANS Top 20 security problems.

• JASS
  – The Solaris Security Toolkit, informally known as the JumpStart Architecture and Security Scripts (JASS) toolkit, provides a mechanism for minimizing, hardening, and securing Solaris operating environment systems.
  – The primary goal of JASS is to simplify and automate the process of securing Solaris systems.
  JASS is available at http://www.sun.com/security/jass

• Nmap
  – The Nmap security scanner is one of the most widely used security scanning tools available.
  – Nmap is a port scanner that slices, dices, and otherwise wreaks havoc with your network.
  – Nmap can generate various types of packets that probe the TCP/IP stack on your systems.
  – Nmap can generate a list of open service ports on your system, penetrate firewalls, and even provide hauntingly reliable “guesses” at what operating system (complete with patch level and version number) is running on your host.
  – The Nmap security scanner is available at http://www.insecure.org/

• Nessus
  – The Nessus project is a remote security scanner.
  – Nessus employs Nmap to perform some of the tasks it undertakes, but also has plug-in modules that can test for well-known security problems.
  – The Nessus developers are quick to develop modules used to test for the latest published security problems.
  – Because Nessus is a remote scanner, the administrator can configure the tool to scan the entire network and report on all hosts it finds.
  – Unlike many other scanners, Nessus does not rely on finding given services on their assigned ports.
  – Nessus will probe every TCP and UDP port on a system, and if it finds something it will probe that port further in an attempt to determine what service it has found.
  – Nessus plug-ins are able to locate backdoor programs, DDOS agents, services that contain buffer overflows, insecurities in network file systems, database security problems, web server security problems, and many other common security holes.
  – The Nessus scanner is available at http://www.nessus.org/
• Saint
  – The Security Administrator’s Integrated Network Tool (Saint) is an updated version of the SATAN security scanner.
  – Saint is a web-based tool that can be configured to locate systems on the network and scan them for well-known security problems.
  – Although the number of tests performed by Saint is smaller than the list of tests performed by the Nessus tool, Saint is still under active development, and is a reasonable tool to have in the security toolbox.
  – Saint is available at http://www.saintcorporation.com/saint/
• dsniff
  – dsniff is a collection of tools for network auditing and penetration testing. The collection includes dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy. These tools passively monitor a network, watching for interesting data.
  – dsniff also includes arpspoof, dnsspoof, and macof, which facilitate the interception of network traffic normally unavailable to an attacker due to layer 2 switching.
  – The remaining two components of the dsniff package are sshmitm and webmitm.
    • These utilities implement active man-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad hoc Public Key Infrastructure (PKI).
• Root Kits
  – Root kits are not tools for gauging the security of your network.
  – In fact, they are tools used by attackers to hide their presence on compromised systems.
  – Root kits come with Trojan versions of many system utilities. The genuine utilities allow the administrator to list files, list processes running on the system, list active network connections, examine binary files for text strings, and perform similar functions; the Trojan replacements conceal the attacker’s activity from exactly these checks.
  – Luckily, root kit detectors are also available on the Web.
  – The chkrootkit package checks for signs that a root kit has been installed on a system.
  – The chkrootkit package checks for over 30 types of root kits, and checks over 60 critical operating system command binaries to ensure that they have not been altered. In addition, chkrootkit checks for network interfaces running in promiscuous mode, checks the lastlog and wtmp files for signs that they have been edited, and checks for loadable kernel module root kits.
  – The chkrootkit package is available at http://www.chkrootkit.org/

Defenses
• Network Services
  – Computer systems offer a wide range of services to other entities on the network.
  – By default, most of these services do not employ encryption to keep prying eyes from monitoring the information they make available on the network.
  – Most of these services do not (by default) create log entries detailing connections to the service.
• Access Control Methods
  – One way to improve the security of system services is to limit access to the service.
  – This can be accomplished in (at least) two ways:
    • (1) disable the service so that it is not available for use, or
    • (2) implement a list of hosts/users allowed to use the service, and force the system to check every inbound request for this service to ensure that the requesting user/host has permission to use it.
• Not Using It? Turn It Off
  – The easiest way to control access to a network service is to turn it off. Problem solved: if the service is not running, it cannot be compromised.
  – This is not always an acceptable solution. On the other hand, a wide range of services is enabled by default even though these services are not required for normal operation of the system.
• Simple Services
  – Almost every TCP/IP stack includes a group of services referred to as “simple services.” This group includes the time, chargen, echo, and discard services. All of these services listen on both TCP and UDP ports. These services are not required for normal operation.
    • These services should be disabled. Under UNIX operating systems this can be accomplished by commenting them out of the /etc/inetd.conf file (the /etc/xinetd.d directory for Red Hat Linux) and then causing inetd to reread its configuration.
    • You can force inetd to reread its configuration by invoking the following command:

        kill -HUP {PID for the inetd process}

  – On Windows systems, use the network control panel to remove the “simple TCP” services.
  – Some operating systems also provide the capability of performing a “trace” on every incoming network request. This is a good function to enable.
    • Under recent versions of Solaris you can enable this function by editing the file /etc/init.d/inetsvc and changing the invocation of the inetd program from inetd -s to inetd -s -t.
    • Under other operating systems you may need to enable the auth daemon, or in a few cases download and install the portable ident daemon (pidentd). The pidentd daemon is available at http://www2.lysator.liu.se/~pen/pidentd/
• Other Unnecessary Services
  – Each operating system ships with a number of inet services that may not be needed.
  – Services often disabled include: tnamed, uucp, exec, rexd, comsat, finger, systat, netstat, time, sadmind, linuxconf, rquotad, rpc.rusersd, sprayd, walld, rpc.statd, ufsd, cachefsd, kerbd, gssd, and in.talkd.
• Point and Shoot (Yourself in the Foot)
  – There are several system services known to be “bad things” to run. These services are known to be security problems, yet they are run for several bad reasons: there are no better solutions, time does not permit replacing them, “it has always been done that way,” and “we can’t afford the down time to fix them.”
  – Chief among these “bad things” that weaken security is allowing programs to pass information across the network in clear text.
  – Another nemesis is a service that does not require authentication of the remote user.
  – Yet another class of dangerous services is those that allow the remote user to alter the configuration of the local system.
  – When these services are compromised, you have shot yourself in the foot (as the old saying goes).
  – We all know better, but for one (bad) reason or another we do not remove the ammunition (fix the problem) before the trigger is pulled.
• Plaintext Authentication
  – One type of service you should consider disabling is the class of services that perform plain-text authentication.
    • These services pass the user’s log-in name and password across the network as unencrypted data.
    • Anyone sniffing the network can collect this information and use it to gain unauthorized access to your systems.
    • Services that allow plain-text authentication include rlogin, rsh, telnet, ftp, http, imap, and pop.
  – Technically, it is a simple matter to disable these services: comment them out of /etc/inetd.conf, or remove the binary program.
  – If the service is not installed on the system, or is not available, it cannot be exploited.
  – On Windows 2000 systems, make sure the following registry value is set to 0:

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
        "EnablePlainTextPassword"=dword:00000000

  – Politically, attempts to disable these services are met with stiff resistance.
  – This is one of many instances in which strong policies can make the life of the system administrator easier.
  – If the site’s security policy forbids the use of services that require plain-text authentication, the administrator is free to disable these services. However, keep in mind that you may need to provide a secure replacement for many of them.
• Other Problematic Services
  – The services discussed in the previous section are services that should not be offered.
  – The system will function without these services, and/or there are secure versions of these services that can be installed in place of the insecure versions.
• Trivial File Transfer Protocol
  – The Trivial File Transfer Protocol (tftp) is a simplified version of the ftp protocol.
  – The tftp protocol was originally intended as an aid to booting diskless workstations. Once the diskless system located its server, the operating system was downloaded to the workstation using tftp.
  – tftp comes with several built-in security problems. For starters, tftp does not require any authentication.
• Common Desktop Environment
  – The Common Desktop Environment (CDE) is a windowing system.
  – The original implementation was developed by Hewlett Packard, and was named HP-VUE.
  – More recently, Hewlett Packard, Sun Microsystems, and IBM have collaborated to bring the package to all of their operating systems. The package was renamed the Common Desktop Environment.
  – The CDE package includes several network daemons that facilitate use of the windowing environment across several hosts.
  – Several of these services have been found to be insecure. However, turning off all of these services may render the windowing environment unusable.
  – The following portions of the CDE environment may be turned off without completely disabling the environment. Some CDE functions may not operate with these daemons disabled.
    • rpc.ttdbserverd: ToolTalk object manager
    • fs.auto: font server
    • kcms_serverd: allows access to user profiles across a network
    • rpc.cmsd: calendar manager
    • dtspcd: CDE subprocess control service
• named
  – The named binary is an implementation of the Domain Name Service (DNS) daemon.
  – This daemon should be running only on hosts that provide your enterprise name service.
  – Several recent attacks have been released against named. Some of these attacks make use of buffer overflow compromises to give the attacker elevated privilege access to your system.
  – Other attacks use the DNS software to force the machine to participate in a distributed denial of service (DDOS) attack against other hosts on the network.
    • NOTE: There are several packages available for providing name service. Some of these packages have (so far) been more secure than others.
• Wrap It Up (tcpd)
  – Because it is impractical to disable all services, you need another way of limiting access to services so that only authorized users may use them.
  – If you could somehow convince every application to check an access control list before it allowed a remote user access to the service, you might have a chance of providing the service with some assurance of security.
  – The TCP wrapper program (tcpd) is a surrogate service daemon that can be used to protect other service daemons.
• Protecting Programs Using tcpd Library Routines
  – The tcpd libraries provide a series of calls that programs can use to check whether a remote host has permission to contact a service running on the local host. When the service daemon is compiled and linked using these libraries, it checks the /etc/hosts.deny file, and then the /etc/hosts.allow file, to determine whether the remote host has the appropriate permissions to use this service.
• Protecting Programs Using the tcpd Daemon
  – The second method of protecting programs with tcpd is to force tcpd to “answer” any time the service daemon’s port is contacted.
  – One way of doing this is to edit the inetd.conf file and “replace” the actual service daemon with a call to tcpd.
  – The tcpd program is called with the name of the actual service daemon as an argument. The tcpd binary checks hosts.deny, and then the hosts.allow file, to see if the caller has permission to contact the service daemon.
  – If permission is granted, tcpd starts the service daemon, and the conversation progresses normally. Typical entries in the /etc/inetd.conf file might look like the following:

        ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -i -o
        telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd

• /etc/hosts.deny
  – tcpd relies on two text files to configure access to services. These two files support two methods of protecting the system:
    • allow everything except what is explicitly denied, or
    • deny everything except what is explicitly allowed.
  – The /etc/hosts.deny file lists the services available, and the names/addresses of hosts not allowed to use each service.
  – A site that used the “allow everything except that which is explicitly denied” logic might have a hosts.deny file with entries similar to:

        in.ftpd:    insecure-host.plc.com
        in.telnetd: ALL

  – These two entries tell the tcpd package that the host insecure-host.plc.com is not allowed to contact the in.ftpd binary. The file also tells tcpd that all hosts are disallowed use of the in.telnetd program.
  – Sites that use the “deny all except that which is explicitly allowed” strategy might place the following in the /etc/hosts.deny file to disallow all contact from the outside to any service protected by tcpd:

        ALL: ALL

• /etc/hosts.allow
  – The /etc/hosts.allow file performs the opposite function of the hosts.deny file. Entries in this file tell the tcpd package to allow access to the listed services. The following are example entries:

        in.fingerd: .nd.edu
        ALL:        .plc.com
        sshd:       ALL
        rpcbind:    172.16.0.0/255.255.0.0
        rpcbind:    255.255.255.255 0.0.0.0

  – These entries tell tcpd that all hosts in the nd.edu domain can finger the local host, that all hosts in the plc.com domain may use any service on the local host that is protected by tcpd, and that any host that connects to the sshd service is allowed to use this service.
  – The last two entries tell tcpd that any host on the 172.16.0.0 network is allowed to contact the rpcbind (RPC port mapper) service on the local host.
• Logging tcpd Messages
  – One of the nice features of the tcpd package is that it allows you to log all refused connection attempts via syslog.
• Services Protected Using tcpd
  – It would be very difficult to compile a complete list of every program that could be protected by the tcpd package.
  – Luckily, most hosts only offer a few services, and most of these services are common TCP-based daemons. Some of the more common packages wrapped using tcp_wrapper are portmap, rlogin, rsh, telnet, ftpd, lpd, and finger.
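An added worked example (not code from the chapter or from the tcp_wrappers package) that evaluates the hosts.allow and hosts.deny entries shown above under both strategies. It follows the search order documented in hosts_access(5): hosts.allow is consulted first, then hosts.deny, and a client matching neither file is admitted, which is also the order the “ALL: ALL” deny-everything pattern relies on. The peer host names and addresses used in the checks are constructed.

```python
"""Evaluate tcpd access control the way hosts_access(5) describes it.

Added example for this chapter, not code from the tcp_wrappers package.
The access files below are constructed strings built from the chapter's
own entries. Evaluation order follows the manual page: the first matching
(daemon, client) pair in hosts.allow grants access, otherwise the first
match in hosts.deny refuses it, otherwise access is granted. Client
patterns handled: ALL, an exact host name or address, a leading-dot
domain suffix, a trailing-dot address prefix, and net/mask.
"""
import ipaddress

# "Deny everything except what is explicitly allowed": the chapter's
# hosts.allow entries, paired with a hosts.deny of ALL: ALL.
HOSTS_ALLOW_DENY_ALL_SITE = """
in.fingerd: .nd.edu
ALL:        .plc.com
sshd:       ALL
rpcbind:    172.16.0.0/255.255.0.0
rpcbind:    255.255.255.255 0.0.0.0
"""
HOSTS_DENY_DENY_ALL_SITE = "ALL: ALL\n"

# "Allow everything except what is explicitly denied": the chapter's
# hosts.deny entries with an empty hosts.allow.
HOSTS_ALLOW_ALLOW_ALL_SITE = ""
HOSTS_DENY_ALLOW_ALL_SITE = """
in.ftpd:    insecure-host.plc.com
in.telnetd: ALL
"""


def parse_access_file(text):
    """Return [(daemon_patterns, client_patterns), ...], skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        rules.append((daemons.split(), clients.split()))
    return rules


def client_matches(pattern, hostname, address):
    """Match one client pattern against the peer's name and address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):            # domain suffix, e.g. .plc.com
        return hostname.endswith(pattern)
    if pattern.endswith("."):              # address prefix, e.g. 172.16.
        return address.startswith(pattern)
    if "/" in pattern:                     # net/mask, e.g. 172.16.0.0/255.255.0.0
        net, mask = pattern.split("/", 1)
        try:
            network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
            return ipaddress.ip_address(address) in network
        except ValueError:
            return False
    return pattern in (hostname, address)  # exact host name or address


def rule_matches(rule, daemon, hostname, address):
    daemons, clients = rule
    daemon_ok = any(d in ("ALL", daemon) for d in daemons)
    return daemon_ok and any(client_matches(c, hostname, address) for c in clients)


def hosts_access(allow_text, deny_text, daemon, hostname, address):
    """True if tcpd would let hostname/address reach daemon."""
    for rule in parse_access_file(allow_text):
        if rule_matches(rule, daemon, hostname, address):
            return True
    for rule in parse_access_file(deny_text):
        if rule_matches(rule, daemon, hostname, address):
            return False
    return True                            # matched by neither file


def deny_all_site(daemon, hostname, address):
    return hosts_access(HOSTS_ALLOW_DENY_ALL_SITE, HOSTS_DENY_DENY_ALL_SITE,
                        daemon, hostname, address)


def allow_all_site(daemon, hostname, address):
    return hosts_access(HOSTS_ALLOW_ALLOW_ALL_SITE, HOSTS_DENY_ALLOW_ALL_SITE,
                        daemon, hostname, address)


if __name__ == "__main__":
    # Constructed peers; the addresses are documentation ranges, not real hosts.
    for site, check in (("deny-all", deny_all_site), ("allow-all", allow_all_site)):
        for daemon, host, addr in (("in.fingerd", "pc.nd.edu", "192.0.2.10"),
                                   ("in.telnetd", "ws.plc.com", "198.51.100.3"),
                                   ("in.ftpd", "insecure-host.plc.com", "198.51.100.9"),
                                   ("rpcbind", "nfs.example.net", "172.16.4.2"),
                                   ("rpcbind", "nfs.example.net", "10.9.8.7")):
            print(f"{site:9} {daemon:11} {host:24} -> {check(daemon, host, addr)}")
```

Note that under this order a plc.com host reaches in.ftpd even when it is named in hosts.deny, because “ALL: .plc.com” in hosts.allow matches first; a deny meant to override an allow must be written into hosts.allow with EXCEPT or by removing the broader allow entry.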
• Windows 2000 Access Control
  – Under Windows 2000, you can use the Network control panel to limit access to the system’s services.
  – Under the Internet Protocol (TCP/IP) item, click the Properties button. Click the Advanced button, and then select the Options tab.
  – Select the TCP/IP filtering entry, and then select Properties. Enter the port access information you desire, and then click Enable TCP/IP Filtering (All Adapters) to enable the filters.
• Providing Services on Alternate Ports
  – Some sites attempt to secure their network services by providing services on nonstandard (alternate) ports.
  – Although this method may work for a while, it may not provide the desired protection in the long run.
  – Security through obscurity does not provide much protection against tools such as Nessus and Nmap.
    • These tools will be able to detect that something is listening on the port, and will report this fact to the attacker. The attacker can then probe the service in an attempt to determine what it is.
• Alternate Versions of Service Daemons
  – Another way some sites improve the security of their systems is to employ alternate versions of network service daemons.
  – Several Open Source and commercial entities provide service daemons that have been hardened against attacks.
  – A few of the more common alternate service daemons are ftpd from wu-ftpd and pure-ftpd, telnet replacements from MindTerm and SecureCRT, and scp (a replacement for rcp that is distributed as part of many ssh packages).
• Encrypt It
  – Another method of securing network services is to force the service to encrypt all communications with other hosts.
  – Although this method does not prevent a remote host from using the service, it does make it more difficult for someone running a sniffer to determine what the hosts are saying to each other.
  – NOTE: If the “encrypted service daemon” contains a buffer overflow, it may still be possible for an attacker to gain access to the system. Older versions of the ssh program suffered such a fate. You should consider wrapping encrypted services with tcpd, or compiling these services using the tcp_wrapper libraries, when possible.
• ssh
  – One solution to the clear-text problems of the r commands and the threat of snooping is to use a secure communications program that encrypts all data for transit. The ssh package is used at many sites as a drop-in replacement for the r commands, ftp, and telnet.
  – Because there are also ssh clients for Windows and MacOS systems, the ssh package is useful for employees who require access to corporate computing facilities from remote sites (which may not be secure). The ssh package provides a secure remote communications channel.
  – The ssh package can be obtained from http://www.openssh.org/ The ssh package includes complete configuration and installation directions.
• PGP
  – The Pretty Good Privacy (PGP) package is a freely distributable public-key encryption package. PGP is available for UNIX, Windows, MacOS, Amiga, DOS, and most other operating systems.
  – PGP has become one of the most widely used e-mail encryption tools. The PGP vendor (Network Associates) recently decided to discontinue distribution of its commercial version of PGP.
  – Freeware versions remain available at http://www.pgpi.org/ A public domain version of PGP is also available: the Gnu Privacy Guard package, also known as GnuPG (or simply GPG), is a complete and free replacement for PGP. GPG is available at http://www.gnupg.org/
• Zebedee
  – Zebedee is a package that allows you to establish an encrypted, compressed “tunnel” for TCP/IP or UDP data transfer.
  – This allows traffic such as telnet, ftp, and X to be protected from prying eyes, as well as providing improved performance over low-bandwidth networks by compressing the encrypted data before sending it across the network. Zebedee provides full client and server functionality under UNIX/Linux and Windows.
  – Zebedee employs algorithms that are either unpatented or for which the patent has expired. Zebedee is available from http://www.winton.org.uk/zebedee
• Stunnel
  – Stunnel is another program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer).
  – Stunnel is available for both UNIX and Windows.
  – Stunnel can allow you to secure non-SSL-aware daemons and protocols (such as POP, IMAP, and LDAP) by having Stunnel provide the encryption.
  – The Stunnel source code is not a complete product; that is, you still need a functioning SSL library such as OpenSSL or SSLeay to compile Stunnel. This means that Stunnel can support whatever your SSL library can, without any changes to the Stunnel code. Stunnel is available at http://www.stunnel.org/
• One-time Passwords in Everything
  – The One-time Passwords in Everything (OPIE) package is a password-hardening tool. It is particularly useful when the remote host does not offer any encrypted form of remote user authentication.
  – A standard exists for one-time password systems (RFC 1938), and OPIE is one of the tools that implement this standard. OPIE is a successor to the S/Key tool from Bellcore (now called Telcordia Technologies).
• Secure Remote Password
  – The Secure Remote Password (SRP) package is another tool that can be used to encrypt network traffic.
  – SRP is a lesser-known alternative to ssh. If both ends of the connection agree that they can use the SRP protocol, the connection is encrypted transparently to the user.
  – This approach allows the user to keep using her favorite commands, and allows the sysadmin to do something other than install new versions of ssh every week.
    • The downside of SRP is that it introduces yet another password file. The /etc/tpasswd file contains the SRP version of each user’s password. The sysadmin needs to replace the system’s password program with a program from the SRP distribution. This new version of the password program synchronizes the /etc/passwd and /etc/tpasswd files. SRP is available at http://srp.stanford.edu/

Firewalls
• Another approach to limiting access to your hosts is to pass all network traffic through a filtering router and/or firewall.
• This approach constitutes an attempt to deal with all possible avenues of access by carefully controlling the network traffic as it passes through network electronics.
• An advantage of this method is that it provides some measure of security for all services, including those added later or services created by individual users.
• A disadvantage of this approach is that the inspection of packets impedes the traffic flow across the network.
• The hosts inside the enterprise are protected by two firewalls.
  – The border router often provides filtering to eliminate some of the attacks headed for the corporate network.
  – This router sits between the outside world and a set of “bastion hosts” on a network referred to as the demilitarized zone (DMZ).
  – The firewall is placed between the DMZ and the internal network.
  – Instead of using two separate devices to implement this scheme, some sites use one router or firewall with three interfaces (to connect to the outside, the DMZ, and the internal networks).
• Classification of Firewalls
  – There are three general firewall classifications (listed in order of increasing security): packet-filtering (plain and stateful) firewalls, circuit proxy firewalls, and application proxy firewalls.
  – Packet Filters
    • A filtering router/firewall conditionally passes network traffic between networks. The router filters are rules developed by the network manager.
    • These rules tell the router which packets should be allowed to pass, and which packets should be rejected. Depending on the particular router, it may be able to pass traffic based on the source or destination IP address, the source or destination port number, or other information contained in the packet.
    • A filtering router restricts access to a service on a system by allowing (or disallowing) network traffic to enter (or leave) the network.
  – Stateful Filters
    • There are certain types of network traffic that are very problematic for firewall systems.
    • Among this traffic are so-called protocol benders, such as ftp and traceroute, and fragmented packets. Stateful firewalls boast the capability to handle these odd conversations.
    • Protocol Benders
      – The ftp protocol is particularly troublesome for firewalls.
      – The ftp protocol uses a pair of connections to transfer files.
      – One connection, initiated by the client, is used to send commands to the ftp service host.
        » This connection is generally made between an ephemeral port on the client and TCP port 21 on the server.
      – When the client asks for a file from the server, the server opens a connection to the client system’s TCP port 20.
      – A nonstateful firewall might not allow the server to open this connection, as the idea of a firewall is to block unwanted connections from external hosts.
      – A stateful firewall keeps track of conversations initiated by hosts “behind” the firewall.
      – When such a host opens an ftp connection to an external system, the firewall records this connection in a special state table.
      – When the remote ftp server attempts to open the ftp data connection on port 20, the firewall consults its open connection table and allows/disallows the connection to proceed based on the information found in the table.
    • Fragmented Traffic
      – Another type of traffic that is a problem for many firewalls is a conversation that includes fragmented packets.
      – Packet fragmentation occurs as a natural part of transmitting data across the network. As large packets are forwarded to networks that only transport small packets, the packet is fragmented into smaller pieces for transport. The destination host is supposed to reassemble these fragments into a complete packet. Intermediate routers are not supposed to reassemble these packets as they traverse the network.
      – Unfortunately, the hacker community also determined that it could fragment attack packets into small pieces, and sneak them through many firewall systems.
      – When the target host reassembled the attack packet, the hacker could compromise the system.
      – Stateful firewalls can reassemble fragmented packets and then determine if they should be allowed to pass through the firewall.
  – Nonstateful Firewalls
    • With an understanding of stateful firewalls, the definition of a plain (nonstateful) firewall is pretty easy to discern.
    • Plain firewalls do not keep any state information regarding current connections. These firewalls are incapable of detecting problems that deal with fragmented packets or protocol bender applications.
  – Application Proxy Firewalls
    • Another firewall design is called the application proxy.
    • An application proxy does not allow any traffic through the firewall.
    • The application proxy behaves as a server to clients on the trusted network, and as a client to servers outside the trusted network.
    • A client on the trusted network sends connection information to the proxy firewall. The firewall applies its policy rules to determine whether to allow the requested connection.
    • If the request is permitted, the proxy firewall will send the request to the destination.
    • The source IP address on the packets sent to the remote host will be that of the firewall, not that of the original client.
    • By operating at the application layer, application proxy firewalls provide finer granularity when it comes to policy rules.
      – For example, specific URLs can be blocked from certain subnets, or FTP clients can be restricted from performing a Put but permitted to execute a Get.
      – An added advantage of application-layer proxy operation is the ability to require strong authentication before allowing the connection to proceed.
      – Application proxy firewalls also possess the ability to create detailed logs of security events.
    • One drawback to the application proxy is that proxies must be provided for each application.
    • Several Internet applications (including FTP, e-mail, and news) are bundled into most browsers. These applications can be handled by configuring the browser to talk to the firewall. Custom applications and network applications not bundled into a browser will require custom firewall configurations.
    • Although application proxy firewalls provide the highest level of security and finest-grain control, they can also be the most complex to configure. In addition, because they act as relay agents for all clients on the network, performance can be problematic.
  – Circuit Proxy Firewalls
    • Circuit proxy firewalls are a variant of application proxy firewalls. Circuit proxy firewalls relay TCP and UDP connections between (trusted and untrusted) networks after authenticating the end points.
    • The best-known implementations of circuit-level gateways employ an IETF standard protocol, SOCKS. SOCKS firewalls require modifications to applications or to client TCP/IP stacks. Most browsers have built-in SOCKS support, and modified protocol stacks are also available for various flavors of UNIX, various flavors of Windows, and MacOS.
    • Circuit proxy firewalls require a significant administrative effort to implement in a sizable enterprise.
• Types of Firewalls
  – Under each classification of firewall there are two types of firewalls: host-based and dedicated.
  – Host-based Firewalls
    • Host-based firewalls are programs installed on each computer. These programs intercept traffic that comes in to the host via the network interface. The package checks a rules file to see if this packet should be allowed to continue its journey to the system’s TCP/IP stack for processing.
    • If the packet is on the “allowed” list, it is passed to the TCP/IP stack for normal processing. If the packet is not on the “allowed” list, the firewall package may log a copy of the packet complete with an error message, and set off alarms. The firewall package should not allow such packets to be passed to the TCP/IP stack.
  – ipchains
    • The ipchains utility employs an ordered set of rules to determine if the packet should be allowed to pass to the host’s TCP/IP stack for further processing.
    • The ipchains package defines three default chains, but the administrator is free to declare other chains in addition to the following three default chains.
      – Input: This set of rules examines every packet bound for this host.
      – Output: This set of rules examines every packet originating on this host.
      – Forward: This set of rules examines every packet that must be forwarded to another host on the network.
    • The ipchains rules result in one of the following actions.
      – Accept: The packet is okay; allow it to pass to the appropriate chain.
      – Deny: The packet is not okay; silently drop it in the bit bucket.
      – Reject: The packet is not okay, but inform the sender of this fact via an ICMP packet.
      – Masq: Used for IP masquerading (network address translation).
      – Redirect: Send this packet to someone else for processing.
      – Return: Terminate the rule list.
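To show the difference between the stateful and plain (nonstateful) filters described under Protocol Benders, together with the first-match evaluation of an ordered chain described for ipchains, here is an added model in Python; it is not ipchains code and not from the chapter. In active-mode ftp the server opens the data connection from its own port 20 to a port the client announced; the addresses, the INTERNAL_PREFIX and the rules are constructed assumptions of the example.

```python
"""Ordered rule chain with a state table for the ftp data connection.

Added example for this chapter; a model, not ipchains or any firewall
product. Inbound packets are matched against an ordered chain where the
first matching rule decides, like an ipchains input chain, and the targets
are the chapter's ACCEPT, DENY (drop silently) and REJECT (drop and answer
with ICMP). A stateful instance also remembers ftp control connections
opened from inside (client -> server port 21) and admits the server's data
connection from its port 20 only for a client that has such a session; a
nonstateful instance has only the chain. Addresses and INTERNAL_PREFIX
are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional

INTERNAL_PREFIX = "10.0.0."   # constructed: the network "behind" the firewall
FTP_CONTROL_PORT = 21
FTP_DATA_PORT = 20


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False     # TCP segment that opens a connection


@dataclass(frozen=True)
class Rule:
    target: str                      # "ACCEPT", "DENY" or "REJECT"
    proto: Optional[str] = None      # None matches anything
    src: Optional[str] = None        # exact address or prefix ending in "."
    dst: Optional[str] = None
    dport: Optional[int] = None

    @staticmethod
    def _field_ok(pattern, value):
        if pattern is None:
            return True
        if isinstance(pattern, str) and pattern.endswith("."):
            return value.startswith(pattern)
        return pattern == value

    def matches(self, p: Packet) -> bool:
        return (self._field_ok(self.proto, p.proto) and self._field_ok(self.src, p.src)
                and self._field_ok(self.dst, p.dst) and self._field_ok(self.dport, p.dport))


class PacketFilter:
    def __init__(self, chain, stateful=True, policy="DENY"):
        self.chain = list(chain)
        self.stateful = stateful
        self.policy = policy          # chain policy when no rule matches
        self.ftp_sessions = set()     # (inside client, outside server) pairs

    def outbound(self, p: Packet) -> str:
        """Output chain: inside hosts may initiate; record ftp control sessions."""
        if self.stateful and p.proto == "tcp" and p.dport == FTP_CONTROL_PORT \
                and p.syn and p.src.startswith(INTERNAL_PREFIX):
            self.ftp_sessions.add((p.src, p.dst))
        return "ACCEPT"

    def inbound(self, p: Packet) -> str:
        """Input chain: state table first, then the ordered rules, then policy."""
        if self.stateful and p.proto == "tcp" and p.sport == FTP_DATA_PORT \
                and p.syn and (p.dst, p.src) in self.ftp_sessions:
            return "ACCEPT"           # data connection belongs to a known session
        for rule in self.chain:
            if rule.matches(p):
                return rule.target    # first match decides
        return self.policy


# "Deny everything except that which is explicitly allowed" input chain:
# ssh to the bastion host is allowed, telnet is refused with ICMP,
# everything else falls through to the DENY policy.
INPUT_CHAIN = [
    Rule("ACCEPT", proto="tcp", dst="10.0.0.5", dport=22),
    Rule("REJECT", proto="tcp", dport=23),
]


def ftp_data_decision(stateful: bool) -> str:
    """Run the chapter's ftp exchange through a stateful or plain filter."""
    fw = PacketFilter(INPUT_CHAIN, stateful=stateful)
    fw.outbound(Packet("10.0.0.7", "203.0.113.9", "tcp", 40001, FTP_CONTROL_PORT, syn=True))
    # Server comes back from port 20 to the client's announced data port.
    return fw.inbound(Packet("203.0.113.9", "10.0.0.7", "tcp", FTP_DATA_PORT, 40002, syn=True))


if __name__ == "__main__":
    print("stateful   :", ftp_data_decision(True))    # ACCEPT
    print("nonstateful:", ftp_data_decision(False))   # DENY
```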
    • NOTE: The ipfw (ipfilter/iptables) package under BSD operating systems provides similar functionality to ipchains. Consult the manual page for ipfw for more information on this package.
    • TIP: An easy-to-use interface to ipchains, called Brickhouse, is available for MacOS X. See http://personalpages.tds.net/~brian_hill/brickhouse.html Brickhouse makes creating rules easier by including common settings and common names for specific protocols and sockets.
  – BlackIce Defender
    • The BlackIce Defender package is one of a plethora of personal firewall utilities for Windows operating systems. It operates in a manner similar to ipchains/ipfw.
    • The user builds a set of rules the system uses to determine if a packet should be allowed to continue to the IP stack. Other packages that provide the same functionality are Personal Firewall and Network Ice.
  – Tiny Firewall
    • The Tiny Software company produces several host-based packages that are highly recommended.
    • The Tiny Firewall package is a host-based firewall package for Windows operating systems. Like the other host-based firewalls, the user builds a series of filters to protect the host from external connections.
    • Another offering from Tiny Software is the Tiny Trojan Trap. The Trojan Trap provides protection from active content such as Java, e-mail, ASP, and macro viruses. The Tiny tools are available at http://www.tinysoftware.com/
  – Dedicated Firewalls
    • Dedicated (network-based) firewalls are specialized systems that attempt to protect entire networks as opposed to protecting a single host. These devices are placed between two networks.
    • The firewall system is loaded with configuration files that specify what types of packets should not be allowed to pass through the device to the other network.
    • There are several types of dedicated firewall systems, including packet filtering firewalls and proxy firewalls.
Firewalls
• Firewall Policies
– Along with the types of firewalls, there are two general firewall policies:
• allow everything except that which is explicitly denied, and
• deny everything except that which is explicitly allowed.
– The first policy requires constant operator fine-tuning and is problematic to implement, because the rule list must name every service that should be blocked, including ones nobody has thought of yet. The "allow all but that which is denied" policy also tends to produce long rule lists, which cost the router more processing per packet.
– The "deny all but that which is allowed" policy is usually easier to implement, less prone to operator error (a forgotten rule fails closed rather than open), and typically requires less computational power on the part of the router.
Firewalls
• Drilling Holes in the Firewall
WARNING: Even at their best, firewalls do not provide a complete answer to the network security problem. Firewalls do not secure individual hosts. They do not protect hosts on the "secure" network from "inside" attacks. A single hole in the firewall may allow attackers access to all hosts on the "protected" network. Mistakes in the configuration of a firewall may go unnoticed without other security measures in place. Resist the temptation to open a hole through a firewall without studying the possible impact on the security of the enterprise.
– A firewall's purpose in life is to block network traffic.
– The best firewall might be one that lets no packet through at all, which is much the same as being disconnected from one of the networks.
– Unfortunately, that makes doing business on the Internet very difficult, and most companies will not allow such a firewall to be installed. Therefore, as soon as we install a firewall on a network, we begin drilling holes through the wall to allow some information to pass through the barricade.
Firewalls
– Some firewalls allow very few types of information through. This generally means that these firewalls have had minimal holes drilled through them.
– Other firewalls allow data to flow in and out of the organization as if there were no firewall present. This generally means that the firewall has had numerous holes drilled through it. In that case, you may as well not bother with the expense of the firewall.
• Virtual Private Networks
– Virtual private networking (VPN) allows users to build an encrypted connection across an unencrypted link. Many corporations employ VPN technology to allow users to pass data through firewalls.
– To establish a VPN connection, both ends of the link must agree on encryption keys, either by negotiating them or by being configured with them.
– The VPN routers may be separate devices, or their functionality may be built into other pieces of network equipment.
Firewalls
– The VPN devices may be in-line, or may reside on bastion networks. When a connection is requested, the remote host contacts its VPN router and asks for a connection to the local host. The VPN routers build an encrypted tunnel across the unencrypted network; they are essentially a proxy service.
– When the two hosts communicate, their packets are intercepted by the VPN routers, encrypted for the trip across the untrusted network, and decrypted at the far end.
– The content of these packets is then sent to the end hosts involved in the communication.
– Note that the encrypted traffic passes through the firewall unimpeded, because the firewall cannot inspect what is inside the tunnel; therefore, the security of the entire network relies on the security of the hosts using the VPN. If one of those hosts is compromised, all hosts on both networks are exposed to compromise!
Firewalls
• IPSEC
– IPsec (IP Security) is a suite of protocols that add encryption and authentication at the IP layer, so that any application protocol above IP can be protected without change.
– IPsec is, in reality, the base on which most virtual private networks are built. IPsec allows for the following two modes of operation.
– Transport mode: the IP header is not encrypted, but the data in the packet (the transport-layer header and payload) is protected. Used between two end hosts.
– Tunnel mode: the entire original packet, header included, is protected and encapsulated within a new, unencrypted outer packet addressed between the two gateways. Used between VPN routers.
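To make the two modes concrete, here is an added Python example (not the chapter's code and not a real IPsec implementation) that applies ESP-style protection to one packet in transport mode and in tunnel mode. It uses HMAC-SHA256 in counter mode as a stand-in for the real cipher, keeps a one-entry security association with an SPI, keys and sequence numbers, and checks the integrity value and the sequence number on receipt. The host and gateway addresses (10.1.0.5, 10.2.3.4, 203.0.113.1, 198.51.100.1) and the keys are constructed for the demonstration.

```python
"""ESP-style transport and tunnel mode, modelled in pure Python (added example, not from the chapter)."""
import hashlib
import hmac
import socket
import struct

ESP, IPIP, TCP = 50, 4, 6       # IP protocol numbers: ESP, IP-in-IP (tunnel-mode next header), TCP
ICV_LEN = 12


def hdr(src: str, dst: str, proto: int) -> bytes:
    """Stand-in for an IPv4 header: source, destination, protocol (9 bytes)."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + bytes([proto])


def parse_hdr(b: bytes):
    return socket.inet_ntoa(b[:4]), socket.inet_ntoa(b[4:8]), b[8]


def keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; stands in for 3DES/AES, which are not in the stdlib."""
    blocks = [hmac.new(key, struct.pack(">IIQ", spi, seq, i), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SA:
    """One entry of the Security Association Database: SPI, keys and sequence state."""

    def __init__(self, spi: int, enc_key: bytes, auth_key: bytes):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.send_seq = 0
        self.last_recv_seq = 0       # minimal anti-replay: accept strictly increasing sequence numbers


def esp_protect(sa: SA, pkt: bytes, mode: str, gw_src: str = None, gw_dst: str = None) -> bytes:
    src, dst, proto = parse_hdr(pkt)
    if mode == "transport":          # original header stays visible, payload is protected
        inner, next_hdr, outer = pkt[9:], proto, hdr(src, dst, ESP)
    elif mode == "tunnel":           # whole original packet is hidden inside a gateway-to-gateway packet
        inner, next_hdr, outer = pkt, IPIP, hdr(gw_src, gw_dst, ESP)
    else:
        raise ValueError(mode)
    sa.send_seq += 1
    plain = inner + bytes([next_hdr])                    # ESP trailer carries the next-header byte
    ct = xor(plain, keystream(sa.enc_key, sa.spi, sa.send_seq, len(plain)))
    body = struct.pack(">II", sa.spi, sa.send_seq) + ct
    icv = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return outer + body + icv


def esp_unprotect(sa: SA, pkt: bytes) -> bytes:
    outer, body, icv = pkt[:9], pkt[9:-ICV_LEN], pkt[-ICV_LEN:]
    if parse_hdr(outer)[2] != ESP:
        raise ValueError("not an ESP packet")
    expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):           # integrity check comes before decryption
        raise ValueError("ICV mismatch: modified in transit or wrong SA")
    spi, seq = struct.unpack(">II", body[:8])
    if spi != sa.spi:
        raise ValueError("unknown SPI")
    if seq <= sa.last_recv_seq:
        raise ValueError("replayed packet")
    sa.last_recv_seq = seq
    plain = xor(body[8:], keystream(sa.enc_key, spi, seq, len(body) - 8))
    inner, next_hdr = plain[:-1], plain[-1]
    if next_hdr == IPIP:
        return inner                                     # tunnel mode: the original packet, intact
    return outer[:8] + bytes([next_hdr]) + inner         # transport mode: restore the original protocol


def demo(mode: str) -> dict:
    """Protect one packet, show what a sniffer sees, and check that tampering and replay are rejected."""
    sa = SA(spi=0x1001, enc_key=b"k" * 32, auth_key=b"a" * 32)   # constructed keys, not real ones
    original = hdr("10.1.0.5", "10.2.3.4", TCP) + b"GET /payroll HTTP/1.0"
    wire = esp_protect(sa, original, mode, "203.0.113.1", "198.51.100.1")   # assumed gateway addresses
    recovered = esp_unprotect(sa, wire)
    try:
        esp_unprotect(sa, wire)                          # same packet again: replay
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    tampered = wire[:20] + bytes([wire[20] ^ 1]) + wire[21:]   # flip one bit of the ciphertext
    try:
        esp_unprotect(sa, tampered)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return {"visible": parse_hdr(wire), "payload_in_clear": b"payroll" in wire,
            "roundtrip": recovered == original,
            "replay_rejected": replay_rejected, "tamper_rejected": tamper_rejected}
```

demo("transport") shows the original endpoints in the outer header with the payload hidden; demo("tunnel") shows only the two gateways, which is what a sniffer between them learns. Both reject a modified packet (ICV mismatch, checked before decryption) and a replayed one, which is what the per-association sequence state is for.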
• IPSEC requires that the administrator configure the following databases.
– Security Policy Database (SPD): the policies that may be applied to traffic through an IPsec device. For example, an SPD entry might say: for traffic to 10.2.3.4, use ESP with 3DES for encryption and HMAC-MD5 for authentication.
– Security Association Database (SAD): the parameters (SPI, keys, algorithms, sequence numbers) of each currently established IPsec link, called a security association.
Firewalls
• IPSEC relies on/provides the following services.
– Internet Key Exchange (IKE): the method of negotiating security associations and distributing keying material. RFC 2409 defines IKE (version 1); it has since been superseded by IKEv2.
– Authentication Header (AH) protocol: provides integrity and origin authentication for the IP header and payload, but no encryption. Because its check covers header fields, AH does not survive address translation (NAT).
– Encapsulating Security Payload (ESP) protocol: provides encryption, and optionally integrity, of the payload (transport mode) or of the whole original packet (tunnel mode). Either protocol can run in transport or tunnel mode; ESP in tunnel mode is what most VPNs use.
NOTE: IPSEC will have an impact on the processing speed of the system's IP stack!
Firewalls
• Network Address Translation
– Network Address Translation (NAT) was originally developed as a way for sites using private address space to allow hosts to communicate over the public network. The address translation is a proxy service that maps the internal (private) address to an external (public) address.
• As packets pass through the NAT router, they are modified to replace the private source address with the public address of the router. When many inside hosts share one public address, the router also rewrites the source port, so that each conversation gets a unique public port (this variant is often called NAPT or PAT).
• The router keeps a table detailing ongoing conversations. When a packet arrives from a remote host, the router checks the table to see which inside host was communicating with that remote system.
• The router then alters the IP address (and port) and forwards the packet to the internal host. The NAT box provides a proxy translation service.
Firewalls
– The use of NAT technology is growing rapidly due to the growing base of DSL and cable modem Internet connections.
• Cable modem and DSL networks are prime playgrounds for hackers, and there are hundreds of thousands of systems connected to the Internet that are ripe for the hacking.
• This is true because most home computer users do not realize they need to do something to secure their computer from the denizens of the Internet. One way to protect home computers (and corporate computers as well) is through the use of NAT: an unsolicited packet from the outside matches no entry in the translation table, so the router has nowhere to send it and drops it.
• NAT is not a firewall, however. Anything an inside host initiates (or is tricked into initiating) is allowed through, and a NAT device does nothing to filter what comes back on an established conversation, so a host-based or dedicated firewall is still needed.
Network Stack Options
• The TCP/IP protocol suite was not developed with today's attacks in mind.
• Many portions of the protocol suite provide extremely fertile environments for attackers to explore and take advantage of.
• Although it is important for the sysadmin to understand these weaknesses, it is nearly impossible to catalog even a small portion of the attacks possible due to gray areas in the specifications and/or inconsistencies in stack implementations.
• The IP protocol defines several optional services hosts may make use of during a communication session.
• Many of these options are rarely seen in the wild. Some of them are used to collect data about a target network, or to finagle ways of getting information to hosts on the target network.
IP Options
• IP Forwarding
– IP forwarding is the process of forwarding IP packets from one network segment to another based on the network-layer (IP) address of the destination. Routers and multi-homed hosts do this routinely.
– Sometimes sysadmins know that the hosts in their domain are forwarding packets, and sometimes users forget to tell the administrator that they configured their hosts to do so. Therein lies the problem.
– Attackers have learned that they can sometimes circumvent firewalls and other monitoring devices by routing through misconfigured devices that provide IP forwarding.
– For this reason, the sysadmin might decide to explicitly disable this capability on systems within the enterprise.
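Returning to the NAT discussion above: the translation table is the whole mechanism, so here it is as an added Python example (not the chapter's code). It models a port-translating NAT router in front of 192.168.1.0/24 with public address 203.0.113.5, and feeds it constructed traffic from two inside hosts, a reply from the web server they talked to, and probes from an outside scanner; all addresses and ports are assumptions for the demonstration.

```python
"""Port-translating NAT (NAPT) with a conversation table (added example, not from the chapter)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class NatRouter:
    def __init__(self, public_ip: str, inside_net: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.inside = ip_network(inside_net)
        self.next_port = first_port
        # (inside ip, inside port, remote ip, remote port) -> public port used for this conversation
        self.outbound_map: Dict[Tuple[str, int, str, int], int] = {}
        # (public port, remote ip, remote port) -> (inside ip, inside port)
        self.inbound_map: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, p: Pkt) -> Optional[Pkt]:
        """Inside -> Internet: rewrite the private source address (and port) to the router's."""
        if ip_address(p.src) not in self.inside:
            return None                                   # not from our private network
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.outbound_map:                  # first packet of a conversation: allocate a port
            pub = self.next_port
            self.next_port += 1
            self.outbound_map[key] = pub
            self.inbound_map[(pub, p.dst, p.dport)] = (p.src, p.sport)
        return replace(p, src=self.public_ip, sport=self.outbound_map[key])

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        """Internet -> inside: only packets that belong to a known conversation are forwarded."""
        entry = self.inbound_map.get((p.dport, p.src, p.sport))
        if entry is None:
            return None                                   # no table entry: dropped, this is the "protection"
        inside_ip, inside_port = entry
        return replace(p, dst=inside_ip, dport=inside_port)


def demo() -> dict:
    """Constructed traffic: two home PCs behind one address, one reply, two unsolicited probes."""
    nat = NatRouter(public_ip="203.0.113.5", inside_net="192.168.1.0/24")
    a_out = nat.outbound(Pkt("192.168.1.10", 51000, "198.51.100.80", 80))
    b_out = nat.outbound(Pkt("192.168.1.11", 51000, "198.51.100.80", 80))   # same source port as A
    reply_to_b = nat.inbound(Pkt("198.51.100.80", 80, "203.0.113.5", b_out.sport))
    probe = nat.inbound(Pkt("203.0.113.9", 4444, "203.0.113.5", 139))      # NetBIOS scan from outside
    wrong_peer = nat.inbound(Pkt("203.0.113.9", 80, "203.0.113.5", a_out.sport))  # attacker guessed A's port
    return {"a_on_wire": (a_out.src, a_out.sport), "b_on_wire": (b_out.src, b_out.sport),
            "reply_delivered_to": (reply_to_b.dst, reply_to_b.dport),
            "probe_forwarded": probe is not None, "wrong_peer_forwarded": wrong_peer is not None}
```

The two inside hosts picked the same source port, which is why the router must rewrite ports and not just addresses. The NetBIOS probe and the guessed-port packet both fail the table lookup and go nowhere; that lookup is the only protection NAT gives, and an inside host that connects out to a hostile server gets no benefit from it.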
IP Options
• Source Routing
– Source routing is another option that is rarely generated (on its own) by the TCP/IP protocol stack.
– Intended as a way for administrators to reroute traffic around failures, this option has earned favor as a stealthy attack mechanism.
– The source routing option allows the sender to specify a loose or strict route from host A to host B.
– A loose source route (LSRR) is a list of devices the sender wants this communication to pass through on the way to the final destination. The network equipment may route the packet through additional hops between the listed ones.
– A strict source route (SSRR) is the exact route, hop by hop, the sender wants this communication to traverse.
– Because source routing allows the sender to avoid monitoring devices, and may allow them to divert traffic to undesirable locations (replies follow the recorded route in reverse, which is how a spoofed packet can get an answer back to its real sender), it is wise to disable this function, or at a minimum to monitor it closely.
IP Options
• ICMP and ICMP Redirects
– The ICMP protocol is intended to act as a network control protocol.
– Recent attack tools have shown that the original intent of several types of ICMP packets is not the only use for such packets.
– A router usually issues an ICMP redirect to inform a host of a better path to a destination.
– Attackers have learned to forge redirects (they must appear to come from the host's current gateway, so the attacker is usually on the same network) to cause hosts to send all communications to a destination through another host.
– In effect, the attacker tells the system "send everything to me, and I'll deliver it for you."
– The result is that the attacker has access to all communications sent from host A to host B through this intermediary.
IP Options
• Fun with Broadcasts
– Broadcast packets are an essential part of the IP version 4 protocol.
– Not surprisingly, the hacker community has found ways to use broadcast packets as attack tools.
– One "famous" attack was implemented by sending a forged ping packet to a directed broadcast address.
– This caused all hosts on the network to reply to the "sender."
– Unfortunately, the sender's address was forged, so the reply packets (tens of thousands of them) all went to an unsuspecting target.
– For example, ping 172.16.255.255 would have caused every host on the 172.16.0.0/16 network to reply.
– This attack was called the "smurf" attack. Other forms of this attack have used the local broadcast address (255.255.255.255) and directed subnet broadcast addresses (for example, 192.168.10.255 for 192.168.10.0/24).
– To keep her site's hosts from amplifying this type of attack, the administrator needs to disable the hosts' ability to respond to broadcast pings, and to stop routers from forwarding directed broadcasts onto their networks in the first place.
IP Options
• Session Hijacking
– Session hijacking is a technique whereby the attacker monitors TCP packet sequence numbers, predicts the next sequence number, and injects packets that the receiving host accepts as part of the existing session.
– Using this technique it is possible to take over (hijack) a session between two hosts.
– This method was extremely successful against some operating systems, as the algorithm used to generate "random" initial sequence numbers was not random at all!
– Many vendors have shipped systems with relatively weak sequence number generators.
– Fortunately, vendors give the administrator a method of forcing the system to use much stronger sequence numbers.
IP Options
• Other Stack Attacks
– Multi-homed hosts have been used to forward spoofed packets to the network. If your stack offers the option of hardening multi-homed systems (for example, dropping packets that arrive on an interface whose address does not match the destination), it is recommended you take advantage of it.
– SYN floods are a method used to tie up the resources of the system. A remote host sends thousands of SYN packets to initiate TCP connections, but never completes the three-way TCP handshake.
– This leaves the local host with a queue of half-open connections. The host must hold each of them until the other end responds or the connection times out, which may exhaust the resources of the local host; in particular the listen queue fills, so that legitimate connection attempts are refused.
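The option and ICMP abuses described above all leave recognisable traces on the wire. The following Python check is an added example (not from the chapter, and not an IDS) that runs a few simple heuristics over a constructed packet trace: an ICMP echo request to a broadcast address (the smurf pattern, using the chapter's 172.16.255.255 and 192.168.10.255 examples), an ICMP redirect from anything other than the configured gateway, a loose or strict source route option, and a pile of SYNs that never complete the handshake. The site networks, the gateway address (172.16.0.1), the threshold and the trace itself are assumptions for the demonstration.

```python
"""Heuristic checks for the stack abuses above, over a constructed trace (added example, not from the chapter)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NETS = [ip_network("172.16.0.0/16"), ip_network("192.168.10.0/24")]   # assumed site networks
GATEWAY = "172.16.0.1"                                                      # assumed legitimate router
SYN_THRESHOLD = 50                                                          # half-open peers before alerting


def is_broadcast(dst: str) -> bool:
    a = ip_address(dst)
    return a == ip_address("255.255.255.255") or any(a == n.broadcast_address for n in LOCAL_NETS)


def analyze(packets):
    """packets: dicts with src, dst, proto, plus icmp 'type', tcp 'flags'/'dport', optional ip 'options'."""
    alerts = []
    syn_sources = defaultdict(set)      # (dst, dport) -> sources that sent a bare SYN
    acked = set()                       # (src, dst, dport) that later completed the handshake
    for p in packets:
        if p["proto"] == "icmp":
            if p["type"] == 8 and is_broadcast(p["dst"]):
                alerts.append(("smurf", f"echo request from {p['src']} to broadcast {p['dst']}"))
            elif p["type"] == 5 and p["src"] != GATEWAY:
                alerts.append(("icmp-redirect", f"redirect from non-gateway {p['src']} to {p['dst']}"))
        if p.get("options") in ("LSRR", "SSRR"):
            alerts.append(("source-route", f"{p['options']} option on packet from {p['src']} to {p['dst']}"))
        if p["proto"] == "tcp":
            key = (p["dst"], p["dport"])
            if p["flags"] == "S":
                syn_sources[key].add(p["src"])
            elif "A" in p["flags"]:
                acked.add((p["src"], p["dst"], p["dport"]))
    for (dst, dport), sources in syn_sources.items():
        half_open = [s for s in sources if (s, dst, dport) not in acked]
        if len(half_open) >= SYN_THRESHOLD:
            alerts.append(("syn-flood", f"{len(half_open)} half-open connections to {dst}:{dport}"))
    return alerts


def icmp(src, dst, typ, **extra):
    return {"src": src, "dst": dst, "proto": "icmp", "type": typ, **extra}


def tcp(src, dst, dport, flags, **extra):
    return {"src": src, "dst": dst, "proto": "tcp", "dport": dport, "flags": flags, **extra}


def sample_trace():
    """Constructed, not captured: benign traffic plus one instance of each attack."""
    trace = [
        tcp("10.0.0.5", "172.16.5.5", 80, "S"), tcp("10.0.0.5", "172.16.5.5", 80, "A"),   # normal web hit
        icmp("10.0.0.5", "172.16.5.5", 8),                                                # unicast ping
        icmp(GATEWAY, "172.16.5.5", 5),                                                   # redirect from the real router
        icmp("203.0.113.7", "172.16.255.255", 8),        # smurf: forged victim address, /16 directed broadcast
        icmp("203.0.113.7", "192.168.10.255", 8),        # smurf against a subnet broadcast
        icmp("172.16.0.99", "172.16.5.5", 5),            # redirect from a host that is not the gateway
        tcp("198.51.100.3", "172.16.5.5", 22, "S", options="LSRR"),   # loose source route
    ]
    trace += [tcp(f"10.9.{i // 256}.{i % 256}", "172.16.5.5", 25, "S") for i in range(60)]  # spoofed SYNs
    return trace


def demo():
    return analyze(sample_trace())
```

The checks are deliberately header-only, like the IDSs described later in the chapter; the SYN count is keyed on the destination rather than the source because a flood arrives from many forged addresses, and it only becomes an alert once the half-open set passes the threshold.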
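Why sequence-number prediction works against a counter-based stack, and why the RFC 1948 scheme (what Solaris enables with tcp_strong_iss=2) defeats it, in an added Python example that is not part of the chapter. It models a classic ISN generator that steps a global counter by 64000 per connection, and the RFC 1948 scheme ISN = M + F(connection 4-tuple, secret), then replays the textbook attack: the attacker connects to the victim, sees an ISN, and guesses the ISN of the next connection, which will be a forged one from a trusted host. Addresses, ports and the secret are constructed; SHA-256 stands in for the MD5 the RFC used.

```python
"""Initial sequence numbers: a predictable counter versus the RFC 1948 scheme (added example)."""
import hashlib
import os


class CounterISN:
    """Classic scheme: one global counter, stepped by a constant per connection (and per tick)."""

    def __init__(self, start: int = 0, step: int = 64000):
        self.counter, self.step = start, step

    def isn(self, lhost: str, lport: int, rhost: str, rport: int, now_us: int) -> int:
        self.counter = (self.counter + self.step) & 0xFFFFFFFF
        return self.counter


class Rfc1948ISN:
    """ISN = M + F(local addr, local port, remote addr, remote port, secret), M a 4 microsecond clock."""

    def __init__(self, secret: bytes = None):
        self.secret = secret if secret is not None else os.urandom(16)   # chosen at boot, never revealed

    def isn(self, lhost: str, lport: int, rhost: str, rport: int, now_us: int) -> int:
        m = (now_us // 4) & 0xFFFFFFFF
        tuple_bytes = f"{lhost}:{lport}:{rhost}:{rport}".encode()
        f = int.from_bytes(hashlib.sha256(tuple_bytes + self.secret).digest()[:4], "big")
        return (m + f) & 0xFFFFFFFF


def spoofing_attempt(gen, now_us: int = 1_000_000) -> dict:
    """The classic spoofing attack against victim 10.0.0.2, which trusts 10.0.0.3 (e.g. rlogin).

    The attacker at 203.0.113.9 connects normally, reads the ISN the victim used, then forges a
    connection from 10.0.0.3; it never sees the victim's reply, so it must guess the new ISN."""
    observed = gen.isn("10.0.0.2", 513, "203.0.113.9", 40000, now_us)
    guess = (observed + 64000) & 0xFFFFFFFF                    # what a counter-based stack would do next
    actual = gen.isn("10.0.0.2", 513, "10.0.0.3", 1023, now_us + 40)   # forged connection, 40 us later
    return {"observed": observed, "guess": guess, "actual": actual, "hijackable": guess == actual}


def insider_with_secret(secret: bytes) -> bool:
    """Why the secret matters: a generator seeded with the same secret reproduces the victim's ISNs."""
    victim, clone = Rfc1948ISN(secret), Rfc1948ISN(secret)
    args = ("10.0.0.2", 513, "10.0.0.3", 1023, 5_000)
    return victim.isn(*args) == clone.isn(*args)
```

Against the counter the guess is exact. Against RFC 1948 the two connections differ in their 4-tuple, so their F values differ by an amount the attacker cannot compute without the secret; the observed ISN tells it nothing about the next one. The last function is the flip side: the scheme is only as strong as the secrecy of the per-boot secret.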
IP Options
– One attack type not handled by modifying driver parameters is IP spoofing. These attacks make use of a trust relationship between two systems and the ability to predict the sequence numbers used in a TCP connection.
– To reduce the predictability of sequence numbers, some operating systems implement a better system of creating initial sequence numbers, as recommended in RFC 1948 ("Defending Against Sequence Number Attacks").
IP Options
• Hardening the Stack
– The following sections list default settings and methods of "hardening" (generally disabling) for the previously outlined problems.
– These constitute only a partial list of TCP/IP stack variables that may be tuned in order to harden an operating system's IP stack.
– Refer to your host's documentation for more information on the stack implementation for a specific operating environment.
– NOTE: Most operating system vendors provide tools and technical white papers that describe their TCP/IP stack implementation and how to harden their respective stacks.
– For example, the JASS toolkit (Solaris Security Toolkit) includes a script for checking/configuring a huge number of stack variables. Contact your OS vendor for the most up-to-date and comprehensive list of stack variables for your systems.
– NOTE: Settings made with ndd, sysctl, or /proc take effect immediately but are lost at reboot; put them in the appropriate startup script or configuration file (an /etc/init.d script on Solaris, /etc/sysctl.conf on Linux, /etc/sysctl.conf or /etc/rc.conf on BSD) so they survive. On Solaris and HP-UX, ndd /dev/ip \? lists the parameter names your release supports.
IP Options
• IP Forwarding
• The following are IP forwarding hardening strategies.
– Solaris: Default setting (disabled on single-homed hosts, enabled on multi-homed hosts unless /etc/notrouter exists), harden with
• ndd -set /dev/ip ip_forwarding 0 (or create the empty file /etc/notrouter)
– HPUX: Default setting (enabled on multi-homed hosts), harden with
• ndd -set /dev/ip ip_forwarding 0
– Linux: Default setting (disabled), harden with
• echo 0 > /proc/sys/net/ipv4/ip_forward
– BSD: Default setting (disabled), harden with
• gateway_enable="NO" in /etc/rc.conf
– Windows: Use the network control panel to disable IP forwarding, or set the following registry value to 0.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter=0
IP Options
• Source Route Handling
• The following are source route-handling hardening strategies.
– Solaris: Default setting (source-routed packets are forwarded), harden with
• ndd -set /dev/ip ip_forward_src_routed 0
– HPUX: Default setting (forwarded), harden with
• ndd -set /dev/ip ip_forward_src_routed 0
– Linux: Default setting (ignored on hosts), harden with
• echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
– BSD/MacOSX: Default setting (ignored), harden with
• forward_sourceroute="NO" in /etc/rc.conf
• accept_sourceroute="NO" in /etc/rc.conf
IP Options
• ICMP Redirect Handling
• The following are ICMP redirect-handling hardening strategies.
– Solaris: Default setting (redirects accepted), harden with
• ndd -set /dev/ip ip_ignore_redirect 1
– HPUX: Default setting (redirects accepted); check ndd /dev/ip \? for an ip_ignore_redirect parameter and set it to 1 where it exists (N/A on releases without it)
– Linux: Default setting (hosts accept, gateways do not), harden with
• echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
– BSDI/MacOSX: Default setting (redirects accepted), harden with
• icmp_drop_redirect="YES" in /etc/rc.conf (drop them)
• icmp_log_redirect="YES" in /etc/rc.conf (and log them)
– Windows 2000: Set the registry value EnableICMPRedirect (or EnableICMPRedirects; the name differs between Windows versions, so set whichever your version documents) to 0, as follows.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect=0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirects=0
IP Options
• Broadcast Ping Handling
• The following are broadcast ping-handling hardening strategies.
– Solaris: Default setting (responds), harden with
• ndd -set /dev/ip ip_respond_to_echo_broadcast 0
• ndd -set /dev/ip ip_forward_directed_broadcasts 0
– HPUX: Default setting (responds), harden with
• ndd -set /dev/ip ip_forward_directed_broadcasts 0
– Linux: Default setting (responds), harden with
• echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
– BSDI/MacOSX: Default setting (does not respond), harden with
• icmp_bmcastecho="NO" in /etc/rc.conf
IP Options
• TCP Sequence Number
– The following is a TCP sequence number hardening strategy for Solaris.
• Solaris: Default setting (weak protection, tcp_strong_iss=1), harden with
– ndd -set /dev/tcp tcp_strong_iss 2 (RFC 1948 generation; set TCP_STRONG_ISS=2 in /etc/default/inetinit to make it permanent)
• Multi-homed Packet Spoofing
– The following is a multi-homed packet-spoofing hardening strategy for Solaris.
– Solaris: Default setting (strict checking disabled, 0), harden with
» ndd -set /dev/ip ip_strict_dst_multihoming 1
• SYN Floods
– Solaris: Default setting (1024 half-open connections per listener), harden by enlarging the half-open queue:
» ndd -set /dev/tcp tcp_conn_req_max_q0 10240
– NOTE: On versions of Solaris prior to 2.6, use
» ndd -set /dev/tcp tcp_conn_req_max 1024
IP Options
• Windows 2000: Set the following REG_DWORD values as specified.
Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value name: SynAttackProtect=2
Value name: EnableDeadGWDetect=0
Value name: EnablePMTUDiscovery=0
Value name: KeepAliveTime=300000
Value name: TcpMaxConnectResponseRetransmissions=2
Value name: TcpMaxDataRetransmissions=3
Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Value name: NoNameReleaseOnDemand=1
NOTE: You must be using Windows 2000 Service Pack 2 (SP2) or later to use the NoNameReleaseOnDemand value.
Network Monitoring
• Monitoring the network is a never-ending task.
• The sysadmin must be ever vigilant in order to catch the wily attacker.
• There are several ways of monitoring the network, from simple log file monitoring, to management tools such as SNMP and RMON, to high-end intrusion detection systems (IDSs).
• Along the way, some sites even employ sacrificial honeypot systems that are easy to compromise.
• By monitoring what the bad guys do to the sacrificial lamb, the administrator gets a pretty good idea of what they have done, or are trying to do, to other systems at the site.
System Monitoring
• Log Files
– One of the easiest ways of monitoring your network is to configure all of your systems to send syslog messages to a central syslog server.
– This allows you to monitor all systems from one host. It also makes life more difficult for the attacker.
– Many times the attacker will edit the log files stored on the compromised host.
They will remove all signs that they ever logged in on the host.
– But the attacker may not notice that the messages were also sent to another host. And if they do notice, they now have to compromise a second host in order to cover their tracks completely.
• syslog
– The syslog file is the primary log file under most versions of UNIX. It receives copies of all system messages generated through the syslog facility. The syslog file, placed in different locations per version of UNIX (e.g., /var/log/syslog, /var/adm/syslog, and /var/syslog), is the most important file to monitor.
Log Files
• NOTE: The syslog daemon is controlled by a configuration file, /etc/syslog.conf, which can be modified to increase the detail of recorded log messages, and optionally to display messages on the system console or on the terminals of specific users. syslog is also a network service, and logging can be directed to another machine (such as a central logging server).
• By default, Solaris does not record unsuccessful log-in attempts. To enable this logging, add the following line to /etc/syslog.conf (the selector and the action must be separated by a tab, not spaces; classic syslogd silently ignores a line that uses spaces).
auth.info	/var/log/authlog
• This statement informs the syslog daemon to record events tagged with the facility "LOG_AUTH" at severity "INFO" or higher in the file /var/log/authlog. The next step is to create this file, and /var/adm/loginlog, in which the login program records repeated failed logins. The following commands accomplish this.
touch /var/log/authlog /var/adm/loginlog
chown root /var/log/authlog /var/adm/loginlog
chmod 600 /var/log/authlog /var/adm/loginlog
chgrp sys /var/adm/loginlog
Log Files
• WARNING: An attacker who has gained unauthorized access to a machine you manage will most likely know about these log files and will modify them to remove any indication of his/her actions. Log file monitoring needs to be performed in concert with tools such as ASET and tripwire to provide a high level of assurance that unauthorized access is discovered.
• Another feature of syslog is remote logging.
Any of the information logged by syslog can be transmitted to another syslog process on another system. This allows log information to be centralized, which has several benefits, including ease of monitoring and making it more difficult for an attacker to hide his or her tracks. The following is an example of a line from syslog.conf that sends messages from the mail facility at level debug or higher to a remote system. Note that instead of a file name, the notation @ followed by a host name is used.
mail.debug	@log.astrocorp.com
• NOTE: Classic syslog forwarding uses UDP port 514 with no authentication or encryption: anyone who can send packets to the log host can inject bogus messages, and anyone on the path can read them. Restrict which hosts may reach port 514 on the log server (with a host-based firewall, for example), and keep the server itself minimal and well patched, since it now holds the evidence for the whole site.
Log Files
• sulog
– The log file produced by the su command is another item a system administrator should check on a routine basis.
– The command logs both successful and unsuccessful attempts to obtain root (or any other user's) privileges.
– Successful su attempts have a plus sign (+) after the date and time; unsuccessful attempts show a minus sign (-) after the date and time. The sign is followed by the terminal and the from-to user pair, as in SU 03/12 11:40 - pts/5 mallory-root.
– Unsuccessful su attempts should be investigated thoroughly.
– Any attempts made by persons not authorized to perform system administration tasks might be a sign of a security breach.
Log Files
• Other Log Files
– The following are system log files that should be routinely checked.
• [as]ppp.log: PPP software logs errors and connections here. Watch for failed connections as indicators of problems.
• syslog: Here, by default, the syslog service writes error messages produced by sendmail. Watch for errors of all types.
• messages: By default, the syslog service writes error messages from a number of different daemons to this file. Watch for errors of all types.
• maillog: Optional sendmail log file. Check this file for signs of unauthorized e-mail relay, or attempts to gain access to the system via the SMTP service.
• cron/log: By default, the cron daemon logs a message when it runs a scheduled cron job. Watch here for proper operation of scheduled jobs, and for jobs you did not schedule: cron is a favorite place to hide a backdoor that restarts itself.
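A swatch-style monitor in Python, added here as an example (not the chapter's code, and not swatch itself): it reads sulog lines in the Solaris format described above and authlog lines as syslog would write them, and raises alerts for failed su attempts, for root obtained by someone outside an assumed admin list, for repeated login failures from one source, and for a direct root login. The log lines, the admin list and the threshold are constructed for the demonstration, not taken from any real system.

```python
"""A swatch-style watcher for sulog and authlog lines (added example, not the chapter's code)."""
import re
from collections import Counter
from typing import List, Tuple

ADMINS = {"alice", "bob"}      # assumed: the only people authorized to su to root
FAIL_THRESHOLD = 3             # login failures from one source before alerting

# Solaris sulog line: SU MM/DD HH:MM [+-] tty fromuser-touser
SULOG_RE = re.compile(r"^SU (\d\d/\d\d \d\d:\d\d) ([+-]) (\S+) (\S+)-(\S+)$")
# auth-facility syslog lines; the remote host follows FROM/from, ended by a comma, space or end of line
FAILED_RE = re.compile(r"(LOGIN FAILURES|Failed password|LOGIN REFUSED).*?(?:FROM|from) (\S+?)(?:[,\s]|$)")
ROOT_LOGIN_RE = re.compile(r"ROOT LOGIN .* FROM (\S+)")


def check_sulog(lines) -> List[Tuple[str, str]]:
    alerts = []
    for line in lines:
        m = SULOG_RE.match(line)
        if not m:
            continue
        when, result, tty, user, target = m.groups()
        if result == "-":
            alerts.append(("su-failed", f"{when}: {user} failed su to {target} on {tty}"))
        elif target == "root" and user not in ADMINS:
            alerts.append(("su-unexpected", f"{when}: {user} became root on {tty} but is not an admin"))
    return alerts


def check_authlog(lines) -> List[Tuple[str, str]]:
    alerts = []
    failures = Counter()                   # source host -> number of failed logins seen
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            src = m.group(2)
            failures[src] += 1
            if failures[src] == FAIL_THRESHOLD:      # fire once, when the threshold is reached
                alerts.append(("brute-force", f"{FAIL_THRESHOLD} login failures from {src}"))
        m = ROOT_LOGIN_RE.search(line)
        if m:
            alerts.append(("root-login", f"direct root login from {m.group(1)}"))
    return alerts


# Constructed sample lines, not from any real system.
SULOG = [
    "SU 03/12 09:14 + pts/2 alice-root",
    "SU 03/12 11:40 - pts/5 mallory-root",
    "SU 03/12 11:41 - pts/5 mallory-root",
    "SU 03/12 11:43 + pts/5 mallory-root",
    "SU 03/12 12:02 + pts/3 bob-oracle",
]
AUTHLOG = [
    "Mar 12 11:30:01 hostA login[2201]: REPEATED LOGIN FAILURES ON /dev/pts/3 FROM 203.0.113.9, root",
    "Mar 12 11:30:09 hostA sshd[2210]: Failed password for root from 203.0.113.9 port 40112 ssh2",
    "Mar 12 11:30:15 hostA sshd[2211]: Failed password for admin from 203.0.113.9 port 40113 ssh2",
    "Mar 12 11:31:40 hostA sshd[2214]: Failed password for bob from 192.168.10.7 port 50100 ssh2",
    "Mar 12 11:32:02 hostA login[2230]: ROOT LOGIN /dev/pts/4 FROM 203.0.113.9",
]


def demo() -> dict:
    return {"sulog": check_sulog(SULOG), "authlog": check_authlog(AUTHLOG)}
```

In practice the same checks would run on the central log server, tailing the file as swatch does. The pattern list is the part you would extend; the counter keyed on source address is what turns three individually boring failures into one alert, and the two minus-sign su lines followed by a plus sign from the same terminal are exactly the sequence the sulog discussion says to investigate.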
Log File Parsers
• Log File Parsers
– If you decide to make your systems log everything to a central log server, you might want to consider tools for summarizing the data you have collected.
– At a moderately large site, the log information collected can be quite lengthy and difficult to parse visually.
– Several tools are available for parsing these combined syslog files and automatically generating alarms when certain types of messages are logged.
• swatch
– One popular syslog parsing tool is swatch. swatch can actively monitor a log file and look for patterns.
– When swatch finds a matching pattern, it can display messages or run commands, such as sending e-mail to alert the system administrator. swatch can be found at http://www.stanford.edu/~atkins/swatch/.
Log File Parsers
• logcheck
– logcheck is a log parser distributed by Psionic Corporation. logcheck is available for multiple versions of UNIX, at http://www.psionic.com/abacus/logcheck/
• Intrusion Detection Systems
– Intrusion detection systems (IDSs) are similar to firewalls.
– The difference is that IDS systems do not (typically) block traffic.
– The IDS monitors every packet that traverses the network segment it is attached to.
– The IDS compares every packet to a set of rules that specify what the administrator believes are bad (dangerous) packets.
– If a bad packet is found, it is logged. The logging may be in real time, in which case an alarm may be raised.
– More often than not, the log is processed at a later date, so real-time alarms are not available.
– Many IDS systems do not inspect packet contents. They simply look at packet headers to determine whether the packet is dangerous.
Log Files
– IDS systems that inspect content are available, but you may want to check your company's rules about the use of these systems, as some may consider them an invasion of privacy!
– Several IDS packages are available free from the Internet.
– There are also many commercial IDS systems available.
– The following sections describe some of the more popular IDS systems. See http://www.networkintrusion.co.uk/N_ids.htm for more information on IDS freeware and commercial offerings.
• tcpdump
– tcpdump was originally developed by Van Jacobson's TCP/IP research group at Lawrence Berkeley Laboratory.
– tcpdump is a filter-driven packet sniffer: a BPF filter expression selects which packets it captures.
– If the filter is trivial (catch everything), tcpdump can capture everything that goes by on the network and log it to a file.
Log Files
– The log file can then be played back through a different set of filters to pull out the "interesting" packets. The SHADOW IDS (http://www.nswc.navy.mil/ISSEC/CID/) is one IDS that employs tcpdump to collect raw packets for analysis. tcpdump is available at http://www.tcpdump.org/
– NOTE: The SHADOW IDS is not a real-time IDS. The information is collected and stored for a short interval (typically an hour) and analyzed off-line. Although this near-real-time operation may be useful for collecting archives of conversations, it would not be acceptable for many commercial sites.
Log Files
• SNORT
– SNORT is a rules-driven IDS package. SNORT loads a set of rules and compares every packet to the rules.
– If the packet matches a rule, the packet is logged.
– SNORT has the ability to log the captured packets in tcpdump format, but by default it generates a text file containing the alerts.
– There are several add-on utilities that can parse SNORT logs and generate web pages containing the output.
– SNORT also has the ability to send resets to the attacker (active response) to close connections. SNORT is available at http://www.snort.org/
Log Files
• bro
– bro is another rules-driven IDS.
– bro contains a powerful description language used to create capture filters and policy scripts.
– Although the bro language is very powerful, and makes for a nice IDS package, many sysadmins find it cumbersome to work with, as it is yet another language to remember.
bro was developed at Lawrence Berkeley Laboratory, and is currently available at http://www-org.ee.lbl.gov/broinfo.html
• Commercial IDS Systems
– Several companies produce IDS systems. Among these are Cisco, Internet Security Systems, Network Flight Recorder, and Check Point Software Technologies. It seems that every day another offering pops up on the market. The following offerings are well-respected commercial IDS systems.
Log Files
• Network Flight Recorder (NFR) is a commercial IDS produced by Network Flight Recorder. Information is available at http://www.nfr.com/
• RealSecure is a commercial IDS developed by Internet Security Systems (ISS).
• Enterasys Dragon is a series of tools, applications, and hardware that forms the basis of one of the top commercial IDS systems. Information on the Enterasys Dragon IDS is available at http://www.enterasys.com/
• Cisco IDS (formerly NetRanger) is Cisco's second-generation IDS. Information on Cisco IDS is available at http://www.cisco.com/go/ids/
Honeypots
• Honeypots
– Honeypots are specially instrumented "bait" for attackers.
– The honeypot appears to the attacker to be a normal system on the network.
– The honeypot is not secure; in fact, it is often configured to be anything but secure.
– The idea behind the honeypot is to allow the attacker to break in, and then log everything the attacker does while on the system.
– By monitoring every keystroke the attacker types, the sysadmin can learn a little bit about the skills of the attacker, the tools the attacker employs, and possibly the attacker's motives.
– Because the honeypot will be compromised, nothing else may trust it: put it on its own segment and filter what it can reach, so that it cannot be used as a stepping stone to the rest of the site.
– The deception toolkit (dtk) is one honeypot package. The dtk package is available at http://www.all.net/dtk/
– Others include BackOfficer Friendly, Mantrap, CyberCop Sting, and Spectre. Consult http://www.networkintrusion.co.uk/honey.htm for more information on honeypot systems.
Simple Network Management Protocol
• SNMP
– The Simple Network Management Protocol (SNMP) is an optional part of the TCP/IP package on most operating systems.
– The SNMP protocol defines packet types that allow a management host to poll client hosts (agents) in order to collect data about the client.
– The data collected is often performance information related to network interfaces on the host.
– This includes packet counts, byte counts, and error counts per interface. The SNMP implementation on most systems has been found to be very insecure: versions 1 and 2c authenticate with a "community string" that travels in clear text, and many devices ship with the well-known defaults "public" (read) and "private" (write).
– It is recommended you disable SNMP unless you absolutely need to run it.
Simple Network Management Protocol
• SNMP
– SNMP also provides a method for configuring remote devices.
– This requires that a "write-community" (password) string be enabled on the remote host.
– The SNMP management station authenticates itself to the remote host using the write-community string, and proceeds to write new configuration information to the remote client.
– This is a very dangerous capability!
– The variables that can be set include IP address, gateways, name servers, and other important IP information.
Simple Network Management Protocol
– This capability should be disabled unless it is critical to the operation of your network! If you must run SNMP, change the default community strings, and restrict the agent (with its own access list, or with a packet filter on UDP port 161) to the management station's address.
– SNMP operates on data structures called management information bases (MIBs).
– Every network device manufacturer provides MIB definitions for its products. The SNMP management station uses the MIB to determine what information is available, read-only or read/write, from the agent system(s).
– WARNING: Several security problems have been found with the SNMP protocol. Make sure you read all CERT and manufacturer security notes about SNMP before enabling it on your systems!
– The Remote Monitoring (RMON) MIB is built on top of SNMP.
– RMON allows even more information to be collected from the host, including memory use, CPU utilization, disk space utilization and throughput, application-layer statistics, number of users, processor load, and input/output statistics.
Forensics
• Forensics is the science of collecting evidence and assessing its meaning.
• Computer forensics generally deals with collecting evidence after a host has been compromised.
• The legal concepts of "chain of custody" (a documented record of who handled the evidence, when, and how) and "preservation of evidence" are also important facets of forensics.
• Depending on several factors, it may be necessary to have someone on the system administration staff trained in the legalities of the collection of evidence, or to keep an organization trained in forensics on retainer in the event your hosts get hacked.
When You Think You Have Been Hacked
• The first thing to do when you think you have been hacked is to take a deep breath and relax. You might as well relax for a minute before you dive into the hunt.
• Once you have caught your breath, think about how you plan to approach the problem.
• You think a system has possibly been compromised.
• Anything you do that might change the state of the machine might destroy valuable evidence.
• Even the act of logging in on the machine to look around may compromise the legal value of the evidence, as the log files record the fact that you logged in.
• That same log file might contain information detailing the IP address of the machine that compromised the host.
• By logging in you may cause this information to be tainted, because you altered the evidence.
When You Think You Have Been Hacked
• Even the act of performing a file system backup can alter evidence.
– The backup program "touches" (reads) each file.
– This changes the access time (atime) on the file, thereby tainting it as evidence: the attacker's last access is overwritten by yours.
– Special programs are available for performing backups that do not alter any access information for the files; better still, image the disk (or the partition) at the block level and work from the image.
– You might consider checking out the Coroner's Toolkit (TCT).
– The toolkit is a collection of utilities that can help determine what happened, when it happened, and how it happened.
– The toolkit is available at http://www.fish.com/security/
• NOTE: The TCT tool is not "court proven" at this point in time. If you want to ensure that your evidence is court eligible, you might want to look at the EnCase product from Guidance Software. Information on the EnCase software is available at http://www.encase.com/
When You Think You Have Been Hacked
• You should also try to avoid letting the intruder know that you are watching.
• This is one place an IDS can be extremely valuable.
• You create a set of filters to monitor all communications to and from the suspect host.
• By monitoring from another host, you are not disturbing evidence already on the compromised host's disk drive.
When You Know You Have Been Hacked
• Again, the first thing to do when you know you have been hacked is to take a deep breath and relax.
• You might as well relax for a minute before you dive into the task of forensics and remediation.
• Every site should have a well-documented disaster recovery plan that includes a plan for dealing with attacks and compromised hosts.
• This plan should include the following elements.
When You Know You Have Been Hacked
• How to react to the attack
• Collection of information about the attack
• Determining what level of exposure this incident has caused
• Rules to determine when to disconnect this system from the network, or the entire site from the network
• A uniform recovery plan
• How the recovery plan will be communicated to users
• Steps involved in implementing the recovery plan
• Information regarding how to report the incident to the appropriate authorities
• An incident response team should be formed to deal with all compromises. This ensures that every compromise is handled using the same procedures. In the event this becomes a legal case, the uniformity may be helpful.
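Returning to the evidence-preservation point in the forensics discussion above (an ordinary backup overwrites every file's access time): here is an added Python example, not from the chapter and not a substitute for TCT or EnCase, that hashes a set of files into an evidence manifest while putting each file's atime back to the value found, and later verifies the hashes as a chain-of-custody check. The files (a modified rc script and a log) and their timestamps are constructed in a temporary directory.

```python
"""Hash suspect files without leaving your own fingerprints in their access times (added example)."""
import hashlib
import os
import tempfile


def fingerprint(path: str) -> dict:
    """SHA-256 plus the MAC times as found, restoring atime after the read."""
    before = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    # The read may have bumped atime (unless the volume is mounted noatime); put it back.
    # ctime cannot be set from user space and will now reflect this utime call, which is one
    # reason real examinations work from a read-only image of the disk, never the live file system.
    os.utime(path, ns=(before.st_atime_ns, before.st_mtime_ns))
    return {"path": path, "size": before.st_size, "sha256": h.hexdigest(),
            "atime_ns": before.st_atime_ns, "mtime_ns": before.st_mtime_ns, "ctime_ns": before.st_ctime_ns}


def manifest(paths):
    """Evidence manifest: one record per file, oldest modification first (a crude timeline)."""
    return sorted((fingerprint(p) for p in paths), key=lambda r: r["mtime_ns"])


def verify(records) -> bool:
    """Later, prove the files are the same ones that were catalogued."""
    return all(fingerprint(r["path"])["sha256"] == r["sha256"] for r in records)


def demo() -> dict:
    """Constructed evidence: a backdoored rc script and a log, with timestamps set in 2001."""
    d = tempfile.mkdtemp()
    rc = os.path.join(d, "rc.local")
    log = os.path.join(d, "messages")
    with open(rc, "w") as f:
        f.write("#!/bin/sh\n/usr/sbin/sshd\n/tmp/.x/bd -p 31337 &\n")     # the attacker's extra line
    with open(log, "w") as f:
        f.write("Mar 12 11:31 hostA syslogd: restart\n")
    old = 1_000_000_000 * 10**9                                       # atime/mtime as the attacker left them
    os.utime(rc, ns=(old, old))
    os.utime(log, ns=(old + 100 * 10**9, old + 100 * 10**9))
    records = manifest([log, rc])                                     # deliberately out of order
    atime_kept = os.stat(rc).st_atime_ns == old
    return {"order": [os.path.basename(r["path"]) for r in records],
            "sha256_rc": records[0]["sha256"], "atime_kept": atime_kept, "verified": verify(records)}
```

Restoring atime is only half the story: ctime records the utime call itself and cannot be set from user space, which is why an examination proper starts from a block-level image of the disk, mounted read-only, and not from the live file system. The manifest, signed and stored off the machine, is what you hand to whoever has to show later that the evidence was not altered.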
This team might want to use the CERT incident reporting form, available at www.cert.org/, to standardize the information collection and reporting process.

Summary
• Securing networked systems is a challenge, especially for systems connected to the Internet.
• The current Internet provides an environment rich in potential threats, including automated scans and attacks.
• Almost every OS provides numerous network services, each with the potential of offering unauthorized access.
• This chapter discussed several methods of securing a networked system.
• The use of firewalls and/or filtering routers can provide a site with a first line of defense against unauthorized access.
• Turning off services wherever possible affords the best security.
• When services are required, careful attention to access methods and controls, and continual monitoring for unauthorized access, can help make a networked system more secure.

Resources
• Chapman, Brent, and Elizabeth D. Zwicky, Building Internet Firewalls. Sebastopol, CA: O’Reilly & Associates, 1995 (ISBN 1-56592-124-0). – (Covers the setup and maintenance of firewalls.)
• Computer Emergency Response Team (CERT); http://www.cert.org/; [email protected]; 1-412-268-7090. – (The national contact for computer security. This web site contains a wealth of information on security matters, and pointers to the security software mentioned in this chapter.)
• Computer Incident Advisory Capability (CIAC); http://ciac.llnl.gov/; [email protected]; 1-510-422-8193. – (Government and education contact for computer security. Provides an excellent mailing list, with updates on the latest security problems and their solutions.)
• ftp://coast.cs.purdue.edu/pub/ – (A well-known FTP archive for security tools, including TCP wrappers, tripwire, nessus, nmap, and satan.)
• Garfinkel, Simson, and Gene Spafford, Practical UNIX and Internet Security, 2d ed. Sebastopol, CA: O’Reilly & Associates, 1996 (ISBN 1-56592-148-8).
– (A detailed and complete guide to security for UNIX systems connected to the Internet.)

Resources
• Garfinkel, Simson, and Gene Spafford, Web Security and Commerce. Sebastopol, CA: O’Reilly & Associates, 1997 (ISBN 1-56592-269-7). – (Targets web server security and security of transactions executed over the Web.)
• McClure, Stuart, Joel Scambray, and George Kurtz, Hacking Exposed: Network Security Secrets & Solutions, 3d ed. New York: McGraw-Hill Professional Publishing, 2001 (ISBN 0072193816).
• Northcutt, Stephen, Network Intrusion Detection: An Analyst’s Handbook, 2d ed. Indianapolis, IN: New Riders (ISBN 0-7357-1008-2).
• Pomeranz, Hal (ed.), Solaris Security: Step by Step. Colorado Springs, CO: SANS Institute, 1999; (719) 599-4303 or [email protected]. – (A very thorough checklist of procedures for tightening the security of a Solaris system. Step-by-step guides for Linux, Windows, routers, and intrusion detection are also available from http://www.sans.org/.)
• www.cs.purdue.edu/homes/spaf/hotlists/csec-top.html – (Professor Gene Spafford’s well-maintained Purdue list of security-related web sites.)
