CIT 500: IT Fundamentals
Security and System Administration
Topics
1. Security Fundamentals
2. Threats
3. Firewalls
4. Port scanning
5. Apache Administration
What is Security?
Security is the prevention of certain types of intentional actions from occurring in a system.
– These potential actions are threats.
– Threats that are carried out are attacks.
– Intentional attacks are carried out by an attacker.
– Objects of attacks are assets.
Goals of Security
Prevention
– Prevent attackers from violating security policy
Detection
– Detect attackers’ violation of security policy
Recovery
– Stop attack, assess and repair damage
Survivability
– Continue to function correctly even if attack succeeds
Components of Security
Confidentiality
– Keeping data and resources hidden. Privacy.
Integrity
– Preventing unauthorized changes to data or resources.
Availability
– Enabling access to data and resources
Confidentiality
Authentication
– Passwords, mother’s maiden name
Corporations
– Trade secrets, e.g., the formula for Coca Cola.
Databases
– SSN, driver’s license
Governments
– National security
– Embarrassing information: www.thememoryhole.org
Integrity
Data Integrity
– content of the information.
– ex: 2005 Walmart $1.5 million bar code scam.
Origin Integrity (authentication)
– source of the information.
– ex: 1997 Kurt Vonnegut MIT commencement address email. Vonnegut was not the 1997 speaker and the content wasn’t his.
Prevention vs Detection
Availability
Prevent loss of system access.
Denial of service attacks common.
– Easy to launch, difficult to track down.
– In 2000, a 15-year-old (mafiaboy) took down Amazon, CNN, Dell, eBay, and Yahoo.
– Can be just part of another attack.
States of Information
1. Storage
– Information not currently being accessed.
2. Processing
– Information currently being used by a processor.
3. Transmission
– Information in transit between one node and another.
Security Measures
Technology.
– Hardware/software used to ensure confidentiality, integrity, or availability.
Policy and practice.
– Security requirements and activities.
Education, training, and awareness.
– Understanding of threats and vulnerabilities and how to protect against them.
How to evaluate security solutions?
1. What assets are you trying to protect?
2. What are the risks to those assets?
3. How well does the security solution mitigate those risks?
4. What other risks does the security solution cause?
5. What costs and trade-offs does the security solution impose?
Aspects of Risks
To evaluate a risk, we need to evaluate both:
– Probability of risk occurring.
– Cost incurred by risk if it occurs.
Minimize product of probability and cost.
Risks are impacted by environment.
– Building a house in a flood plain incurs additional risks beyond that of the house itself.
– Similarly, installation and configuration options impact risk of software systems.
Digital Threats
• Theft
• Vandalism
• Extortion
• Con Games
• Fraud
• Stalking
• Voyeurism
Digital Threats: What’s Different
Automation
– Salami Attack from Office Space.
Action at a Distance
– Volodya Levin, from St. Petersburg, Russia, stole over $10 million from US Citibank. Arrested in London.
– Operators of a CA BBS were tried and convicted in a TN court because a TN user had downloaded pornography from CA.
Technique Propagation
– Criminals share techniques rapidly and globally.
Survival Time
Current Threat Information
• SANS Internet Storm Center
• Bugtraq
• CERT
• Packet Storm
• Risks Digest
What Are Our Defences?
• Firewalls
• Virus Scanners
• Spyware Scanners
• Patches
• Backups
(diagram: Prevent, Detect, Respond, Recover)
What is a Firewall?
A software or hardware component that restricts network communication between two computers or networks.
In buildings, a firewall is a fireproof wall that restricts the spread of a fire.
A network firewall prevents threats from spreading from one network to another.
Internet Firewalls
Many organizations/individuals deploy a firewall to restrict access to their network from the Internet.
Packet Filtering
Forward or drop packets based on TCP/IP header information, most often:
– IP source and destination addresses
– Protocol (ICMP, TCP, or UDP)
– TCP/UDP source and destination ports
– TCP flags, especially SYN and ACK
– ICMP message type
Routers can also make decisions based on:
– Network interface the packet arrived on.
– Network interface the packet will depart on.
Filter Actions
Pass
– Forward acceptable packet on to destination.
Drop
– Drop unacceptable packets.
Log
– Record action taken on packet.
– Use syslog to log to internal loghost.
Linux Firewall: iptables
iptables is a firewall built into the kernel
– Use the iptables command to configure.
– Configuration will be reset on reboot.
– Use iptables -L to list configuration.
Red Hat Linux keeps permanent configuration
– /etc/sysconfig/iptables
– RH-Firewall-1-INPUT chain contains rules
– To change: service iptables restart
iptables
iptables [-t table] cmd [matches] [target]
Commands:
-A chain rule-spec: Append rule to chain.
-D chain rule-spec: Delete a rule from chain.
-L chain: List all rules in chain.
-F chain: Flush all rules from chain.
-P chain target: Set default policy for chain.
-N chain: Create a new chain.
-X chain: Remove a user-defined chain.
iptables Matches
-p protocol: Specify protocol to match (tcp, udp, icmp, etc.).
-s address/mask: Source IP address to match.
-d address/mask: Dest IP address to match.
--sport: Source port (TCP/UDP) to match.
--dport: Dest port (TCP/UDP) to match.
iptables Extended Matches
-m match: Specify match module to use.
Example: limit
Only accept 3 ICMP packets per hour.
-m limit --limit 3/hour -p icmp -j ACCEPT
(followed by a rule that drops the remaining ICMP packets)
Example: state
Useful for stateful packet filtering.
-m state --state NEW: match only new connections
-m state --state ESTABLISHED: match only established connections.
iptables Targets
-j ACCEPT: Accept packet.
-j DROP: Drop packet w/o reply.
-j REJECT: Drop packet with reply.
-j RETURN: Return from this chain to calling chain.
-j LOG: Log packet; chain processing continues.
Chain Targets
(diagram) INPUT chain:
-p ICMP -j DROP
-p TCP -j test
-p UDP -j DROP
(diagram) user-defined chain test:
-s 192.168.1.1
-d 192.168.1.1
Rules are followed in order from top until one matches. If a rule matches, the action specified after -j is performed:
-j test Process packet with the rules of the user-defined chain test.
-j LOG Log the packet.
All other actions stop rule processing and specify the final packet destination.
Creating a Packet Filter
1. Create a security policy for a service.
ex: allow only outgoing telnet service
2. Specify security policy in terms of which types of packets are allowed/forbidden
3. Write packet filter in terms of vendor’s filtering language
Example: outgoing telnet
• TCP-based service
• Outbound packets
– Destination port is 23
– Source port is random port >1023
– iptables will flag as NEW connection packet
– and store details of connection internally for
• Incoming packets
– Source port is 23, as server runs on port 23
– Destination port is high port used for outbound packets
– iptables will flag as ESTABLISHED,RELATED packet
Implementing the Filter with iptables
# outbound connection request: leaves the host through the OUTPUT chain
iptables -A OUTPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
# replies from the telnet server: arrive through the INPUT chain
iptables -A INPUT -m state --state ESTABLISHED,RELATED -m tcp -p tcp --sport 23 -j ACCEPT
# everything else inbound
iptables -A INPUT -j REJECT
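How iptables walks the INPUT chain from the Chain Targets slide and the outgoing-telnet rules above, as an added example that is not part of the slides. The two rules in the diagram's test chain have no targets on the slide, so DROP and ACCEPT are assumed here, and the telnet connection request is placed in OUTPUT because an outbound packet leaves through OUTPUT rather than INPUT.

```python
# Added example (not from the slides): a model of iptables chain processing.
# First match wins; -j LOG records and continues; -j <chain> jumps into a user
# chain and resumes here if it RETURNs or runs out of rules; -P policy is the fallback.
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def rule_matches(match, pkt):
    # every criterion must hold; a set value means "any of" (--state ESTABLISHED,RELATED)
    for key, want in match.items():
        have = pkt.get(key)
        ok = have in want if isinstance(want, (set, frozenset)) else have == want
        if not ok:
            return False
    return True

def walk(chains, name, pkt, log):
    # returns a terminal verdict, or None when the chain ends or RETURNs
    for match, target in chains[name]:
        if not rule_matches(match, pkt):
            continue
        if target == "LOG":
            log.append((name, pkt))            # logged, processing continues
        elif target == "RETURN":
            return None                        # back to the calling chain
        elif target in TERMINAL:
            return target                      # final packet destination
        else:
            verdict = walk(chains, target, pkt, log)   # -j <user chain>
            if verdict is not None:
                return verdict
    return None

def filter_packet(chains, chain, pkt, policy="ACCEPT", log=None):
    """Verdict for pkt entering built-in chain `chain` with the given -P policy."""
    verdict = walk(chains, chain, pkt, [] if log is None else log)
    return policy if verdict is None else verdict

# "Chain Targets" diagram: INPUT hands TCP to user chain "test". The slide shows
# no targets for test's two rules; DROP and ACCEPT are assumed for illustration.
DIAGRAM = {"INPUT": [({"proto": "icmp"}, "DROP"), ({"proto": "tcp"}, "test"),
                     ({"proto": "udp"}, "DROP")],
           "test": [({"src": "192.168.1.1"}, "DROP"), ({"dst": "192.168.1.1"}, "ACCEPT")]}

# Outgoing telnet: the connection request leaves via OUTPUT, replies from
# source port 23 return via INPUT, and any other inbound packet is rejected.
TELNET = {"OUTPUT": [({"state": "NEW", "proto": "tcp", "dport": 23}, "ACCEPT")],
          "INPUT": [({"state": {"ESTABLISHED", "RELATED"}, "proto": "tcp", "sport": 23},
                     "ACCEPT"),
                    ({}, "REJECT")]}
```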
Example RH Firewall Configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
# Do firewall processing using the RH-Firewall-1-INPUT chain
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
# Don’t bother firewalling the loopback (lo) interface
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
# Accept ICMP packets, including ping
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
# Multicast DNS is a UDP protocol on port 5353 using multicast address 224.0.0.251
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
# Accept new incoming SSH connections
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Accept packets continuing TCP connections first accepted with NEW above
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Reject anything that is not accepted above
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Ping Scanning
• Method of identifying which machines are on a network by sending a packet to each IP address in a network and checking for responses.
• Scan types
– ICMP echo (the standard meaning of ping)
– TCP port 80
– TCP/UDP specific port
– Fragmented packets
Ping Scanning
> nmap -sP 10.17.0.0/24
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-04-05 13:57 EDT
Host pc_elan.lc3net (10.17.0.1) appears to be up.
Host 10.17.0.31 appears to be up.
Host 10.17.0.35 appears to be up.
Host sun02 (10.17.0.55) appears to be up.
Host sun09 (10.17.0.64) appears to be up.
Host pc208p01 (10.17.0.66) appears to be up.
Host sun14 (10.17.0.80) appears to be up.
Host 10.17.0.241 appears to be up.
Host 10.17.0.247 appears to be up.
Nmap run completed -- 256 IP addresses (54 hosts up) scanned in 4.510 seconds
Port Scanning
Method of discovering exploitable communication channels by probing a machine on a network to find which TCP and UDP ports it is listening on.
1. Use to verify functionality of firewall.
2. Use to detect unauthorized servers.
3. Bad guys use to find holes in defenses.
nmap TCP connect() scan
> nmap -sT at204m02
(1645 ports scanned but not shown are in state: closed)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
443/tcp   open  https
515/tcp   open  printer
2049/tcp  open  nfs
4045/tcp  open  lockd
5432/tcp  open  postgres
5901/tcp  open  vnc-1
6000/tcp  open  X11
32775/tcp open  sometimes-rpc13
Nmap run completed -- 1 IP address (1 host up) scanned in 43.846 seconds
Version Scanning
• Port scanning reveals which ports are open
– Guess services on well-known ports.
• How can we do better?
– Find what server: vendor and version
– telnet/netcat to port and check for banner
– Version scanning
Banner Checking
> nc www.nku.edu 80
GET / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Sun, 07 Oct 2007 19:27:08 GMT
Server: Apache/1.3.34 (Unix) mod_perl/1.29 PHP/4.4.1 mod_ssl/2.8.25 OpenSSL/0.9.7a
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

127
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>400 Bad Request</TITLE>
</HEAD><BODY>
<H1>Bad Request</H1>
Your browser sent a request that this server could not understand.<P>
client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /<P>
</BODY></HTML>
Version Scanning
1. If port is TCP, open connection.
2. Wait for service to identify itself with a banner.
3. If no identification or port is UDP,
   1. Send probe string based on well-known service.
   2. Check response against db of known results.
4. If no match, test all probe strings in list.
nmap version scan
> nmap -sV at204m02
(The 1645 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 3.7.1p2 (protocol 1.99)
80/tcp    open  http     Apache httpd 2.0.48 (mod_python/3.1.3 … DAV/2)
111/tcp   open  rpcbind  2-4 (rpc #100000)
443/tcp   open  ssl/http Apache httpd 2.0.48 (mod_python/3.1.3 … DAV/2)
515/tcp   open  printer?
2049/tcp  open  nfs      2-3 (rpc #100003)
4045/tcp  open  nlockmgr 1-4 (rpc #100021)
5432/tcp  open  postgres?
5901/tcp  open  vnc      VNC (protocol 3.3)
6000/tcp  open  X11?
32775/tcp open  status   1 (rpc #100024)
OS Fingerprinting
Identify OS by specific features of its TCP/IP network stack implementation.
– Explore TCP/IP differences between OSes.
– Build database of OS TCP/IP fingerprints.
– Send set of specially tailored packets to host.
– Match results to identical fingerprint in db to identify operating system type and version.
nmap OS fingerprint examples
> nmap -O at204m02
...
Device type: general purpose
Running: Sun Solaris 8
OS details: Sun Solaris 8
Uptime 10.035 days (since Sat Mar 27 08:59:38 2004)

> nmap -O 10.17.0.1
…
Device type: router
Running: Bay Networks embedded
OS details: Bay Networks BLN-2 Network Router or ASN Processor revision 9
Apache Web Server
Open source web server for any platform
– Majority of Internet web sites run Apache.
– Over 100,000,000 web sites in total.
– Default server for Linux, MacOS.
– Used in IBM WebSphere and other systems.
History
– Started as set of patches for NCSA server in 1994.
– Version 2 in 2002 was a complete re-write.
Web Servers
Provide access to static documents
– Usually specified as files on filesystem.
– Can apply ACLs to limit who can access.
Provide access to dynamic content
– Server runs external program to access OR
– Interpreter integrated into server runs code OR
– Other program integrated into web server.
Apache Configuration
RHEL 5 uses a single configuration file
/etc/httpd/conf/httpd.conf
File format
# at start of line indicates a comment
Variable Value sets Variable to the specified value
<Directive> surrounded by angle brackets, followed by text that applies only to the directive
</Directive> ends a directive
Apache Configuration Examples
ServerTokens OS
ServerRoot "/etc/httpd"
PidFile run/httpd.pid
Timeout 120
KeepAlive Off
MaxKeepAliveRequests 100
KeepAliveTimeout 15
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule include_module modules/mod_include.so
Include conf.d/*.conf
User apache
Group apache
ServerAdmin root@localhost
UseCanonicalName Off
DocumentRoot "/var/www/html"
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
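The ServerTokens directive in the configuration above controls how much of the Server header seen in the Banner Checking slide a server discloses. This added example (not part of the slides) reconstructs the header each ServerTokens level would send, using the slide's banner as constructed input.

```python
# Added example (not from the slides): what Apache's Server header discloses at
# each ServerTokens level. The input banner is constructed from the one shown on
# the "Banner Checking" slide.
import re

BANNER = "Apache/1.3.34 (Unix) mod_perl/1.29 PHP/4.4.1 mod_ssl/2.8.25 OpenSSL/0.9.7a"
LEVELS = ("Prod", "Major", "Minor", "Min", "OS", "Full")

def parse_server_header(value):
    """Split a Full-style header into product, version, OS and module tokens."""
    m = re.match(r"(\S+?)/(\d+(?:\.\d+)*\S*)(?:\s+\(([^)]*)\))?(.*)$", value)
    if not m:
        return None
    product, version, os_name, rest = m.groups()
    return {"product": product, "version": version,
            "os": os_name or "", "modules": rest.split()}

def server_tokens(value, level):
    """Header Apache would send for ServerTokens `level`, given the Full header."""
    p = parse_server_header(value)
    if p is None or level not in LEVELS:
        raise ValueError("unparseable header or unknown ServerTokens level")
    nums = p["version"].split(".")
    # how much of the version number each level reveals
    shown = {"Prod": "", "Major": nums[0], "Minor": ".".join(nums[:2]),
             "Min": p["version"], "OS": p["version"], "Full": p["version"]}[level]
    out = p["product"] + ("/" + shown if shown else "")
    if level in ("OS", "Full") and p["os"]:
        out += f" ({p['os']})"                 # OS adds the platform in parentheses
    if level == "Full":
        out += "".join(" " + mod for mod in p["modules"])   # Full adds module versions
    return out

def leaked_versions(value, level):
    """Every name/version token a client can read at this level."""
    return re.findall(r"\S+/\S+", server_tokens(value, level))
```

ServerTokens Prod hides the version and module list that the nc session revealed, but the probe-based version scanning on the later slides can still often identify the server, so it reduces casual disclosure rather than substituting for patching.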
Apache Modules
Modules provide custom functionality
– You only need to load the modules you use.
– Anyone can write new modules to add features.
Some popular modules
– Deflate: compresses content before sending
– Perl: embedded interpreter for Perl language
– PHP: embedded interpreter for PHP language
– SSL: provides encrypted connections
– suexec: run user programs as specified user account
Final Exam
Comprehensive coverage of all topics
– Conceptual questions from notes
– Lab questions using your virtual machine
Exam will be open book and notes
– You can use your graded assignments