CIT 500: IT Fundamentals Security and System Administration 1


Topics

1. Security Fundamentals
2. Threats
3. Firewalls
4. Port scanning
5. Apache Administration


What is Security?

Security is the prevention of certain types of intentional actions from occurring in a system.
– These potential actions are threats.
– Threats that are carried out are attacks.
– Intentional attacks are carried out by an attacker.
– Objects of attacks are assets.


Goals of Security

Prevention– Prevent attackers from violating security policy

Detection– Detect attackers’ violation of security policy

Recovery– Stop attack, assess and repair damage

Survivability– Continue to function correctly even if attack succeeds


Components of Security

Confidentiality
– Keeping data and resources hidden. Privacy.

Integrity
– Preventing unauthorized changes to data or resources.

Availability
– Enabling access to data and resources.


Confidentiality

Authentication: passwords, mother's maiden name.

Corporations: trade secrets, e.g., the formula for Coca Cola.

Databases: SSN, driver's license.

Governments: national security; embarrassing information (www.thememoryhole.org).


Integrity

Data Integrity
– The content of the information.
– ex: 2005 Walmart $1.5 million bar code scam.

Origin Integrity (authentication)
– The source of the information.
– ex: 1997 Kurt Vonnegut MIT commencement address email. Vonnegut was not the 1997 speaker and the content wasn't his.

Prevention vs Detection
– Integrity mechanisms either prevent an unauthorized change or detect one after it has happened.

Availability

Prevent loss of system access.

Denial of service attacks are common.
– Easy to launch, difficult to track down.
– In 2000, a 15-year-old (MafiaBoy) took down Amazon, CNN, Dell, eBay, and Yahoo.
– Can be just part of another attack.


States of Information

1. Storage: information not currently being accessed.
2. Processing: information currently being used by a processor.
3. Transmission: information in transit between one node and another.


Security Measures

Technology.
– Hardware/software used to ensure confidentiality, integrity, or availability.

Policy and practice.
– Security requirements and activities.

Education, training, and awareness.
– Understanding of threats and vulnerabilities and how to protect against them.


How to evaluate security solutions?

1. What assets are you trying to protect?
2. What are the risks to those assets?
3. How well does the security solution mitigate those risks?
4. What other risks does the security solution cause?
5. What costs and trade-offs does the security solution impose?


Aspects of Risks

To evaluate a risk, we need to evaluate both:
– The probability of the risk occurring.
– The cost incurred if it occurs.

Minimize the product of probability and cost.

Risks are affected by the environment.
– Building a house in a flood plain incurs additional risks beyond those of the house itself.
– Similarly, installation and configuration options affect the risk of software systems.


Digital Threats

• Theft
• Vandalism
• Extortion
• Con Games
• Fraud
• Stalking
• Voyeurism


Digital Threats: What's Different

Automation
– Salami attack from Office Space.

Action at a Distance
– Volodya Levin, from St. Petersburg, Russia, stole over $10 million from US Citibank. Arrested in London.
– Operators of a California BBS were tried and convicted in a Tennessee court because Tennessee users had downloaded pornography from California.

Technique Propagation
– Criminals share techniques rapidly and globally.


Survival Time

(chart on the original slide; not reproduced in this text)

Current Threat Information

• SANS Internet Storm Center
• Bugtraq
• CERT
• Packet Storm
• Risks Digest


What Are Our Defences?
• Firewalls
• Virus Scanners
• Spyware Scanners
• Patches
• Backups

Prevent / Detect / Respond / Recover


What is a Firewall?

A software or hardware component that restricts network communication between two computers or networks.

In buildings, a firewall is a fireproof wall that restricts the spread of a fire.

A network firewall prevents threats from spreading from one network to another.


Internet Firewalls

Many organizations/individuals deploy a firewall to restrict access to their network from the Internet.


Packet Filtering

Forward or drop packets based on TCP/IP header information, most often:
– IP source and destination addresses
– Protocol (ICMP, TCP, or UDP)
– TCP/UDP source and destination ports
– TCP flags, especially SYN and ACK
– ICMP message type

Routers can also make decisions based on:
– The network interface the packet arrived on.
– The network interface the packet will depart on.


Filter Actions

Pass– Forward acceptable packet on to destination.

Drop– Drop unacceptable packets.

Log– Record action taken on packet.– Use syslog to log to internal loghost.


Linux Firewall: iptables

iptables is the user-space command for the Linux kernel's netfilter packet filter
– Use the iptables command to add, delete and list rules.
– Rules live only in kernel memory: they are lost on reboot unless saved.
– Use iptables -L -n -v to list the configuration (-n skips DNS lookups, -v shows packet counters).

Red Hat Linux keeps the permanent configuration in /etc/sysconfig/iptables
– Loaded at boot by the iptables service; the file is in iptables-save format.
– The RH-Firewall-1-INPUT chain contains the rules.
– After editing the file: service iptables restart
– To write the running rules back to the file: service iptables save


iptables

iptables [-t table] cmd [matches] [target]

Commands:
-A chain rule-spec: Append rule to chain.
-I chain [n] rule-spec: Insert rule at position n (default 1, the top).
-D chain rule-spec: Delete a rule from chain.
-L chain: List all rules in chain.
-F chain: Flush all rules from chain.
-P chain target: Set default policy for chain.
-N chain: Create a new chain.
-X chain: Remove a user-defined chain.


iptables Matches

-p protocol: Protocol to match (tcp, udp, icmp, ...).
-s address/mask: Source IP address to match.
-d address/mask: Destination IP address to match.
--sport port: Source port (TCP/UDP) to match.
--dport port: Destination port (TCP/UDP) to match.
-i interface: Interface the packet arrived on (e.g. -i lo).


iptables Extended Matches

-m match: Specify a match module to use.

Example: limit
Accept at most 3 ICMP packets per hour and reject the rest. The limit match
succeeds only while its token bucket has tokens, so the ACCEPT rule must come
first and a second rule catches what limit no longer matches:
-p icmp -m limit --limit 3/hour -j ACCEPT
-p icmp -j REJECT
(--limit-burst, default 5, is how many packets may pass before the rate applies.)

Example: state
Stateful packet filtering using the kernel's connection tracking.
-m state --state NEW: match only packets that start a new connection.
-m state --state ESTABLISHED: match only packets of a connection already seen in both directions.
-m state --state RELATED: match packets tied to an existing connection (ICMP errors, FTP data channels).

iptables Targets

-j ACCEPT: Accept packet.
-j DROP: Drop packet without reply.
-j REJECT: Drop packet and send an error back (ICMP port-unreachable by default; --reject-with tcp-reset for TCP).
-j RETURN: Return from this chain to the calling chain.
-j LOG: Log packet through the kernel log (syslog); chain processing continues.


Chain Targets

INPUT chain:
  -p ICMP -j DROP
  -p TCP  -j test
  -p UDP  -j DROP

test chain (user-defined, reached by -j test; targets not shown on the slide):
  -s 192.168.1.1
  -d 192.168.1.1

Rules are tried in order from the top until one matches. When a rule matches, the action after -j is performed:
-j test: Process the packet with the rules of the user-defined test chain; if none of them matches (or a RETURN is hit), processing continues with the next rule in INPUT.
-j LOG: Log the packet and continue with the next rule.
All other targets stop rule processing and fix the packet's fate. If a built-in chain ends without a match, the chain's default policy (set with -P) applies.


Creating a Packet Filter

1. Create a security policy for a service.
   ex: allow only outgoing telnet service
2. Specify the security policy in terms of which types of packets are allowed/forbidden.
3. Write the packet filter in the vendor's filtering language.


Example: outgoing telnet

• TCP-based service
• Outbound packets
– Destination port is 23
– Source port is an ephemeral port > 1023
– iptables flags the first packet as a NEW connection
– and stores details of the connection internally
• Incoming packets
– Source port is 23, as the server listens on port 23
– Destination port is the ephemeral port used for the outbound packets
– iptables flags them as ESTABLISHED (RELATED covers associated traffic such as ICMP errors)


Implementing the Filter with iptables

# An outbound connection's first packet leaves through OUTPUT, so the NEW rule goes there
iptables -A OUTPUT -m state --state NEW -p tcp --dport 23 -j ACCEPT
# Replies arrive on INPUT with source port 23 and are already in the connection table
iptables -A INPUT -m state --state ESTABLISHED,RELATED -p tcp --sport 23 -j ACCEPT
# Our own later packets of the connection also need an ESTABLISHED rule; reject everything else
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j REJECT
iptables -A INPUT -j REJECT

Putting the NEW rule on INPUT with --dport 23 would instead accept incoming telnet connections to a local server, the opposite of the policy. -p tcp loads the tcp match, so -m tcp is optional. The same rules with port 22 cover ssh, which should replace telnet wherever possible since telnet sends passwords in the clear.
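The chain-walking rules of the last few slides (first match wins, LOG keeps going, a user chain can RETURN to its caller, and the chain policy is the fallback) together with the stateful outgoing-telnet policy are modelled below in a small Python simulator. This is an added example, not code from the course or from the iptables project: the Filter, Rule and Packet classes, the 192.0.2.x addresses and the telnet-out chain name are constructed for the demonstration, and the connection tracking is simplified (no RELATED or INVALID state). It is written in Python rather than as iptables commands so that it runs without root and without a kernel.

```python
# Added example (not from the CIT 500 slides): a small model of how iptables walks
# chains, showing first-match, jump, RETURN, LOG and NEW/ESTABLISHED semantics.
# Packets, rules and the connection table are constructed in-process; nothing
# here touches the kernel, and conntrack is simplified (no RELATED/INVALID).
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

@dataclass
class Rule:
    target: str         # ACCEPT, DROP, REJECT, LOG, RETURN or a user chain name
    proto: str = None   # None means "any" for every match field below
    sport: int = None
    dport: int = None
    state: frozenset = None

NEW, EST = frozenset({"NEW"}), frozenset({"ESTABLISHED", "RELATED"})

class Filter:
    def __init__(self, policies):
        self.policy = dict(policies)            # built-in chain -> ACCEPT/DROP
        self.chains = {c: [] for c in policies}
        self.conns = set()                      # 5-tuples seen, both directions
        self.log = []                           # (chain, packet) from LOG rules
    def new_chain(self, name): self.chains[name] = []               # iptables -N
    def append(self, chain, rule): self.chains[chain].append(rule)  # iptables -A
    def _state(self, p):
        # a packet on a 5-tuple already in the table is ESTABLISHED, else NEW
        return "ESTABLISHED" if (p.proto, p.src, p.sport, p.dst, p.dport) in self.conns else "NEW"
    @staticmethod
    def _matches(r, p, state):
        return ((r.proto is None or r.proto == p.proto)
                and (r.sport is None or r.sport == p.sport)
                and (r.dport is None or r.dport == p.dport)
                and (r.state is None or state in r.state))
    def _walk(self, chain, p, state):
        """Top to bottom; first match decides, except LOG. None = fell off the end or RETURN."""
        for r in self.chains[chain]:
            if not self._matches(r, p, state):
                continue
            if r.target == "LOG":               # non-terminating: keep walking
                self.log.append((chain, p))
            elif r.target == "RETURN":
                return None
            elif r.target in ("ACCEPT", "DROP", "REJECT"):
                return r.target
            else:                               # jump into a user chain
                verdict = self._walk(r.target, p, state)
                if verdict is not None:
                    return verdict
        return None
    def filter(self, chain, p):
        """Verdict for p entering a built-in chain; the chain policy is the fallback."""
        state = self._state(p)
        verdict = self._walk(chain, p, state) or self.policy[chain]
        if verdict == "ACCEPT" and state == "NEW":
            # remember both directions so the reply is matched as ESTABLISHED
            self.conns.add((p.proto, p.src, p.sport, p.dst, p.dport))
            self.conns.add((p.proto, p.dst, p.dport, p.src, p.sport))
        return verdict

def outgoing_telnet_only():
    """Allow only outgoing telnet: the NEW rule belongs on OUTPUT, where an outbound
    connection's first packet leaves. The user chain shows LOG and RETURN."""
    fw = Filter({"INPUT": "ACCEPT", "OUTPUT": "ACCEPT", "FORWARD": "ACCEPT"})
    fw.new_chain("telnet-out")
    fw.append("telnet-out", Rule("LOG", proto="tcp", dport=23))      # log, keep walking
    fw.append("telnet-out", Rule("ACCEPT", proto="tcp", dport=23, state=NEW))
    fw.append("telnet-out", Rule("RETURN"))                          # back to OUTPUT
    fw.append("OUTPUT", Rule("telnet-out", proto="tcp"))
    fw.append("OUTPUT", Rule("ACCEPT", state=EST))
    fw.append("OUTPUT", Rule("REJECT"))
    fw.append("INPUT", Rule("ACCEPT", proto="tcp", sport=23, state=EST))
    fw.append("INPUT", Rule("REJECT"))
    return fw

def new_rule_on_input():
    """Same intent, but with the NEW rule on INPUT: this also admits inbound telnet."""
    fw = Filter({"INPUT": "ACCEPT", "OUTPUT": "ACCEPT", "FORWARD": "ACCEPT"})
    fw.append("INPUT", Rule("ACCEPT", proto="tcp", dport=23, state=NEW))
    fw.append("INPUT", Rule("ACCEPT", proto="tcp", sport=23, state=EST))
    fw.append("INPUT", Rule("REJECT"))
    return fw

def demo():
    me, srv = "192.0.2.5", "192.0.2.9"                        # constructed addresses
    out_syn = Packet("tcp", me, srv, sport=40000, dport=23)   # our telnet client
    reply = Packet("tcp", srv, me, sport=23, dport=40000)     # the server's answer
    inbound = Packet("tcp", srv, me, sport=51000, dport=23)   # someone telnetting to us
    ssh_out = Packet("tcp", me, srv, sport=40001, dport=22)   # not covered by the policy
    fw = outgoing_telnet_only()
    good = (fw.filter("OUTPUT", out_syn), fw.filter("INPUT", reply),
            fw.filter("INPUT", inbound), fw.filter("OUTPUT", ssh_out), len(fw.log))
    bad = new_rule_on_input().filter("INPUT", inbound)
    return good, bad   # (('ACCEPT', 'ACCEPT', 'REJECT', 'REJECT', 1), 'ACCEPT')
```

demo() returns (('ACCEPT', 'ACCEPT', 'REJECT', 'REJECT', 1), 'ACCEPT'): the outbound telnet SYN is accepted and logged once, its reply is seen as ESTABLISHED and accepted, an unsolicited inbound connection to port 23 is rejected, an outbound ssh attempt falls through the RETURN to the final REJECT, and the variant with the NEW rule on INPUT accepts the very inbound telnet connection the policy was meant to keep out.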


Example RH Firewall Configuration (/etc/sysconfig/iptables, in iptables-save format)

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

:RH-Firewall-1-INPUT - [0:0]

# Do firewall processing in the RH-Firewall-1-INPUT chain (a user-defined chain of the filter table)

-A INPUT -j RH-Firewall-1-INPUT

-A FORWARD -j RH-Firewall-1-INPUT

# Don't bother firewalling the loopback (lo) interface

-A RH-Firewall-1-INPUT -i lo -j ACCEPT

# Accept ICMP packets, including ping

-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT

# Multicast DNS is a UDP protocol on port 5353 using multicast address 224.0.0.251

-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT

# Accept new incoming SSH connections

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

# Accept packets continuing TCP connections first accepted with NEW above

-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Reject anything that is not accepted above

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

COMMIT


Ping Scanning

• Method of identifying which machines are on a network by sending a packet to each IP address in the network and checking for responses.

• Scan types
– ICMP echo (the standard meaning of ping)
– TCP port 80
– TCP/UDP specific port
– Fragmented packets


Ping Scanning

> nmap -sP 10.17.0.0/24
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-04-05 13:57 EDT
Host pc_elan.lc3net (10.17.0.1) appears to be up.
Host 10.17.0.31 appears to be up.
Host 10.17.0.35 appears to be up.
Host sun02 (10.17.0.55) appears to be up.
Host sun09 (10.17.0.64) appears to be up.
Host pc208p01 (10.17.0.66) appears to be up.
Host sun14 (10.17.0.80) appears to be up.
Host 10.17.0.241 appears to be up.
Host 10.17.0.247 appears to be up.
Nmap run completed -- 256 IP addresses (54 hosts up) scanned in 4.510 seconds

(Output abridged on the slide. Current nmap releases spell this option -sn; run as root on the local Ethernet segment, nmap uses ARP requests instead, which also finds hosts that drop ICMP.)


Port Scanning

Method of discovering exploitable communication channels by probing a machine on the network to find which TCP and UDP ports it is listening on.

1. Use to verify the functionality of a firewall.
2. Use to detect unauthorized servers.
3. Bad guys use it to find holes in defences.


nmap TCP connect() scan

> nmap -sT at204m02
(The 1645 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
443/tcp   open  https
515/tcp   open  printer
2049/tcp  open  nfs
4045/tcp  open  lockd
5432/tcp  open  postgres
5901/tcp  open  vnc-1
6000/tcp  open  X11
32775/tcp open  sometimes-rpc13
Nmap run completed -- 1 IP address (1 host up) scanned in 43.846 seconds


Version Scanning

• Port scanning reveals which ports are open
– Guess the services from well-known port numbers.

• How can we do better?
– Find what server is really there: vendor and version
– telnet/netcat to the port and check for a banner
– Version scanning


Banner Checking

> nc www.nku.edu 80
GET / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Sun, 07 Oct 2007 19:27:08 GMT
Server: Apache/1.3.34 (Unix) mod_perl/1.29 PHP/4.4.1 mod_ssl/2.8.25 OpenSSL/0.9.7a
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

127
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>400 Bad Request</TITLE>
</HEAD><BODY>
<H1>Bad Request</H1>
Your browser sent a request that this server could not understand.<P>
client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /<P>
</BODY></HTML>

The request is refused because HTTP/1.1 requires a Host: header (the 127 line is the hex chunk size of the chunked body), yet even the error response carries the full Server: banner with the web server, module and OpenSSL versions. ServerTokens Prod in httpd.conf would reduce that header to "Server: Apache".


Version Scanning

1. If the port is TCP, open a connection.
2. Wait for the service to identify itself with a banner.
3. If there is no identification, or the port is UDP:
   1. Send a probe string based on the well-known service for that port.
   2. Check the response against a database of known results.
4. If there is no match, try all probe strings in the list.


nmap version scan

> nmap -sV at204m02
(The 1645 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 3.7.1p2 (protocol 1.99)
80/tcp    open  http     Apache httpd 2.0.48 (mod_python/3.1.3 … DAV/2)
111/tcp   open  rpcbind  2-4 (rpc #100000)
443/tcp   open  ssl/http Apache httpd 2.0.48 (mod_python/3.1.3 … DAV/2)
515/tcp   open  printer?
2049/tcp  open  nfs      2-3 (rpc #100003)
4045/tcp  open  nlockmgr 1-4 (rpc #100021)
5432/tcp  open  postgres?
5901/tcp  open  vnc      VNC (protocol 3.3)
6000/tcp  open  X11?
32775/tcp open  status   1 (rpc #100024)

(A trailing ? marks a port whose service nmap could only guess from the port number because no probe produced a recognised response.)
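The connect() scan, banner check and version-probing procedure of the preceding slides are combined below in one added Python example. It is not code from the course and not nmap's code: it runs against two constructed services on the loopback interface so that it works offline, and the banners "SSH-2.0-demo-sshd_1.0" and "demo-httpd/0.1", the two-entry signature table and the HTTP probe string are all assumptions made for the demonstration.

```python
# Added example (not from the CIT 500 slides): a TCP connect() scan with banner
# grabbing and a tiny version-match step, run against constructed listeners on
# 127.0.0.1 so it works offline. The signature table and the banners the fake
# services send are assumptions made for this demonstration.
import re
import socket
import threading

# Constructed signatures: (service, regex over the first bytes received).
# nmap -sV carries thousands of these in its nmap-service-probes file.
SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-\d\.\d+-(\S+)")),
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3}.*?\r\nServer: ([^\r\n]+)", re.S)),
]
HTTP_PROBE = b"GET / HTTP/1.0\r\n\r\n"   # sent only when the service stays silent

def fake_service(listener, banner, reply):
    """Constructed server: greet with a banner (like sshd) or, with no banner,
    wait for a request and answer it (like httpd)."""
    while True:
        conn, _ = listener.accept()
        with conn:
            try:
                if banner:
                    conn.sendall(banner)
                elif conn.recv(1024):
                    conn.sendall(reply)
            except OSError:
                pass                          # client went away; serve the next one

def start_listener(banner=None, reply=None):
    """Bind an ephemeral loopback port and serve it from a daemon thread."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(5)
    threading.Thread(target=fake_service, args=(s, banner, reply), daemon=True).start()
    return s.getsockname()[1]

def _connects(host, port, timeout):
    with socket.socket() as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0

def connect_scan(host, ports, timeout=0.5):
    """nmap -sT style: a full three-way handshake per port; open if connect() succeeds."""
    return [p for p in ports if _connects(host, p, timeout)]

def _recv(s, n=1024):
    try:
        return s.recv(n)
    except socket.timeout:
        return b""

def grab(host, port, timeout=1.5):
    """Version-scan procedure: connect and wait for a banner; if none arrives,
    send a probe for a well-known service and take whatever comes back."""
    with socket.socket() as s:
        s.settimeout(timeout)
        s.connect((host, port))
        data = _recv(s)
        if not data:
            s.sendall(HTTP_PROBE)
            data = _recv(s, 4096)
    return data

def identify(data):
    """Match the response against the signature table -> (service, version)."""
    for name, rx in SIGNATURES:
        m = rx.search(data)
        if m:
            return name, m.group(1).decode(errors="replace")
    return "unknown", ""

def demo():
    """Scan three loopback ports: a banner-first service, a silent service, a closed port."""
    ssh_port = start_listener(banner=b"SSH-2.0-demo-sshd_1.0\r\n")
    http_port = start_listener(reply=b"HTTP/1.0 400 Bad Request\r\nServer: demo-httpd/0.1\r\n\r\n")
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed = spare.getsockname()[1]       # reserve a port, then release it: nothing listens
    spare.close()
    found = connect_scan("127.0.0.1", [ssh_port, closed, http_port])
    return {p: identify(grab("127.0.0.1", p)) for p in found}, closed
```

demo() reports the ssh-style port (banner offered on connect) and the http-style port (silent until probed) with their version strings and leaves out the closed port. Pointing grab() at a real web server reproduces the banner check shown earlier, and a Server: header like the one on that slide comes back as the version string, which is exactly why ServerTokens Prod is worth setting.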


OS Fingerprinting

Identify the OS by specific features of its TCP/IP network stack implementation.
– Explore TCP/IP differences between OSes.
– Build a database of OS TCP/IP fingerprints.
– Send a set of specially tailored packets to the host.
– Match the results against the database to identify the operating system type and version (nmap reports the closest fingerprints; it needs at least one open and one closed TCP port for a reliable match).


nmap OS fingerprint examples

> nmap -O at204m02
...
Device type: general purpose
Running: Sun Solaris 8
OS details: Sun Solaris 8
Uptime 10.035 days (since Sat Mar 27 08:59:38 2004)

> nmap -O 10.17.0.1
...
Device type: router
Running: Bay Networks embedded
OS details: Bay Networks BLN-2 Network Router or ASN Processor revision 9

(The uptime guess is derived from the TCP timestamp option on an open port.)


Apache Web Server

Open source web server for any platform
– Majority of Internet web sites run Apache.
– Over 100,000,000 web sites in total.
– Default server for Linux, MacOS.
– Used in IBM WebSphere and other systems.

History
– Started as a set of patches for the NCSA server in 1994.
– Version 2 in 2002 was a complete re-write.


Web Servers

Provide access to static documents
– Usually specified as files on the filesystem.
– Can apply ACLs to limit who can access them.

Provide access to dynamic content
– The server runs an external program (CGI) to produce it, OR
– An interpreter integrated into the server runs code, OR
– Another program integrated into the web server produces it.


Apache Configuration

RHEL 5 uses a single main configuration file: /etc/httpd/conf/httpd.conf (which pulls in conf.d/*.conf through an Include line).

File format
# at the start of a line marks a comment; Apache does not allow a comment after a directive on the same line.
Directive Value sets the directive to the specified value.
<Section arg> ... </Section>, e.g. <Directory /var/www/html> ... </Directory>, encloses directives that apply only within that scope: a directory, a URL (<Location>), a virtual host, or a loaded module (<IfModule>).


Apache Configuration Examples

# Server header: OS adds the operating system; Prod would reduce it to "Apache"
ServerTokens OS
ServerRoot "/etc/httpd"
# Relative paths are resolved against ServerRoot
PidFile run/httpd.pid
Timeout 120
KeepAlive Off
MaxKeepAliveRequests 100
KeepAliveTimeout 15
# Only load the modules actually used
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule include_module modules/mod_include.so
# Pull in per-package snippets (ssl.conf, php.conf, ...)
Include conf.d/*.conf
# Worker processes drop root privileges and run as this account
User apache
Group apache
ServerAdmin root@localhost
UseCanonicalName Off
DocumentRoot "/var/www/html"
# Section: these directives apply to the whole filesystem
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
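The two slides above describe the httpd.conf format and show an excerpt of the RHEL 5 default. The following added example (not from the course and not part of the Apache project) parses that format and reviews a constructed copy of the excerpt against a hardened variant; the checks, the finding texts and both sample configurations are assumptions made for the demonstration, and the hardened sample uses the Apache 2.2 access-control syntax that RHEL 5 ships.

```python
# Added example (not from the CIT 500 slides): a minimal parser for the httpd.conf
# syntax (directive/value lines, '#' comments, <Section> containers) plus a few
# checks a reviewer applies first. Both configs are constructed samples; WEAK
# mirrors the slide's excerpt, HARDENED tightens it (Apache 2.2 syntax).
import re

SECTION_OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")
SECTION_CLOSE = re.compile(r"^</(\w+)>$")

def parse(text):
    """Return [(directive, value, section_path)], e.g. ('Options', 'FollowSymLinks', ('Directory /',))."""
    out, path = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):     # comments only start a line in httpd.conf
            continue
        m = SECTION_OPEN.match(line)
        if m:
            path.append(" ".join(filter(None, m.groups())))
            continue
        m = SECTION_CLOSE.match(line)
        if m:
            if not path or path[-1].split()[0] != m.group(1):
                raise ValueError(f"unexpected </{m.group(1)}>")
            path.pop()
            continue
        name, _, value = line.partition(" ")
        out.append((name, value.strip().strip('"'), tuple(path)))
    if path:
        raise ValueError(f"unclosed section <{path[-1]}>")
    return out

def review(text):
    """Flag settings that leak information or widen access; returns finding strings."""
    entries = parse(text)
    def last(name, section=()):
        vals = [v for n, v, p in entries if n.lower() == name.lower() and p == section]
        return vals[-1] if vals else None
    findings = []
    if (last("ServerTokens") or "Full").lower() != "prod":      # Full is Apache's default
        findings.append("ServerTokens: use Prod so the Server header stops advertising OS and module versions")
    if (last("ServerSignature") or "Off").lower() != "off":
        findings.append("ServerSignature: keep Off so error pages carry no version string")
    root = ("Directory /",)
    opts = (last("Options", root) or "").split()
    if "Indexes" in opts or "FollowSymLinks" in opts:
        findings.append("<Directory />: Indexes lists directories and FollowSymLinks lets a symlink escape the tree; prefer None or SymLinksIfOwnerMatch")
    if (last("AllowOverride", root) or "All").lower() != "none":   # All is the 2.2 default
        findings.append("<Directory />: AllowOverride None, or any .htaccess on disk can change the rules")
    denied = ((last("Deny", root) or "").lower() == "from all"
              or (last("Require", root) or "").lower() == "all denied")
    if not denied:
        findings.append("<Directory />: deny the whole filesystem here and open only DocumentRoot")
    return findings

WEAK = """\
ServerTokens OS
ServerRoot "/etc/httpd"
User apache
Group apache
DocumentRoot "/var/www/html"
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
"""

HARDENED = """\
ServerTokens Prod
ServerSignature Off
ServerRoot "/etc/httpd"
User apache
Group apache
DocumentRoot "/var/www/html"
# Deny the whole filesystem, then open DocumentRoot explicitly (Apache 2.2 syntax)
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
<Directory "/var/www/html">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
"""
```

review(WEAK) returns three findings (the ServerTokens banner, FollowSymLinks at the filesystem root, and no deny-all on <Directory />), while review(HARDENED) returns none. The parser deliberately rejects unbalanced sections, since a stray </Directory> is the kind of mistake that silently widens the scope of the directives above it.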


Apache Modules

Modules provide custom functionality.
You only need to load the modules you use.
Anyone can write new modules to add features.

Some popular modules
Deflate: compresses content before sending.
Perl: embedded interpreter for the Perl language.
PHP: embedded interpreter for the PHP language.
SSL: provides encrypted connections.
suexec: runs user programs (CGI scripts) as a specified user account.


Final Exam

Comprehensive coverage of all topics
– Conceptual questions from notes
– Lab questions using your virtual machine

Exam will be open book and notes
– You can use your graded assignments
