Information Security
Page 1: Information Security

Information Security

Mark Lachniet

[email protected]

Analysts International

Page 2: Information Security

Introductions

• Mark Lachniet ([email protected])
• Senior Security Engineer at Analysts International – Sequoia Services Group
• Technical lead for the Security Group
• MCNE, MCSE, CCSE, LPIC-1
• Worked for 6 years as a technician and later the IS Director at Holt Public Schools
• Former board member and conference organizer for MAEDS (http://maeds.org)
• Frequent presenter at MAEDS, MACUL, MIEM and for private engagements

Page 3: Information Security

Purpose of Today’s Presentation

• Provide a macroscopic overview of security issues, technologies, and concerns for schools
– General Overview
– Operations Security
– Physical Security
– For administrators and technicians
– Will be presented first. Non-technical people may not need to hear about server hardening, but technical people definitely need to hear everything
• Provide technical information about specific technologies of concern
– Network Security
– Host Security

Page 4: Information Security

Purpose of Today’s Presentation

• Provide links, works cited and references for continued research and investigation

• Provide time for discussion (via e-mail) about specific issues of concern

• Most importantly – to raise awareness. Things are bad in computer security, and we don’t want Michigan schools to be a casualty!

Page 5: Information Security

Agenda

• Security Background
• Operations Security
• Physical Security
• Network Security
– Wireless
• Host Security
– Macintosh (OS/X)
– Novell Netware
– Linux / UNIX
– Microsoft
• Short breaks about every 45 minutes for questions and more coffee

Page 6: Information Security

General Overview

Page 7: Information Security

Computer Crime on the Rise

• We know that computer security is a real problem. We are here, aren’t we?
• September 11th has further raised the bar on computer security awareness and funding
• Computer security is about economic impact – our reliance on the Internet and computers means that our livelihood can be threatened by digital attackers from around the world
• Consider how skittish the stock market is, and how it affects the overall economy
• More and more people are getting connected
• Tools and attacks are increasingly easy to find and use, lowering the intellectual bar

Page 8: Information Security

The CSI Computer Crime and Security Survey

• The CSI survey, released 4/7/2002, has some very interesting pieces of information:

• 90% of respondents detected a security breach within the last 12 months. Have you? If not, it is probably happening without your knowledge!

• 44% of respondents were able to quantify their losses due to a security breach. The result was $455,848,000 over 223 respondents, for an average loss of $2,044,161 each

Page 9: Information Security

The CSI Computer Crime and Security Survey

• 74% of attacks cited were against the Internet border and devices (web servers, firewalls)

• 33% of attacks cited were against internal systems (internal file/print, workstations)

• 40% detected penetrations from the outside
• 40% detected Denial of Service (DoS) attacks
• 78% detected employees abusing privileges (pornography, pirated software, etc.)

Page 10: Information Security

The CIA Triangle

• Confidentiality
• Integrity
• Availability

Page 11: Information Security

The CIA Triangle

• Confidentiality
– The unintended or unauthorized disclosure of computer data or information
• Integrity
– The unintended or unauthorized modification of computer data or information
• Availability
– The loss of service of critical applications, systems, data, networks or computer services

• K-12 Schools need to worry about all three!

Page 12: Information Security

Reasons for Security in K-12 Education

• Funding requirements (USF)
• Integrity of critical data
• Public opinion / negative publicity
• Student safety & disciplinary issues
• Avoid costly litigation
• Lost productivity, both for technical and non-technical personnel
• Lost educational potential, inability to teach on broken computers, lost files, etc.
• To be a good Internet citizen

Page 13: Information Security

Important K-12 Data to Protect

• Grades / Attendance: changing (for better or worse) student grades or attendance: School Accreditation, state funding (count day) etc.

• Information considered private: SS#, special education status, free lunch programs, notes from counselors, discipline, medication (Ritalin), etc.

• Integrity of financial data – online PO’s, budgetary information (balances, accounts, responsibility reports)

• Payroll and Human Resources – criminal history, disciplinary actions, disability, etc.

• Educational and administrative documents – tests, lessons, etc. These are essentially “congealed money”

Page 14: Information Security

Protecting Students and Staff

• We must protect children and staff who are threatened by electronic means
• Pedophiles, stalkers, and bad people
• Student to student threats, assault
• Recorded information about drugs, sexual activity, abuse, gang activity, violence, or other crime
• Questionable Internet content – bomb-making instructions, how to hack, etc.
• The problem of IM and chat rooms
• Student info – last names & pictures
• South Carolina’s law

Page 15: Information Security

The Public

• As a public school employee, anyone can question or criticize your methods and actions at a school board meeting, PTO or school function, or in the media

• Bad security may expose the district to significant lawsuits, especially for failing to protect children’s information such as special ed. status

• Bad security can (and eventually probably will) equal bad publicity, as more than one local district knows

• Be aware of FOIA laws – what can they legally obtain??? All e-mail? What is protected?

• And… of course… Internet filtering.

Page 16: Information Security

Downtime and Discipline

• Broken systems – deleted files, missing software, physical vandalism
• Prevents students from learning
• Requires extensive time and $$ to fix
• Frequently leads to disciplinary action. The computer tech as computer-narc (Think S.C.)
• Take good notes of what you do
• Learn to use Windows Find! Alt-PrtScn it, print it out, and start a file
• Parents….. “my son would never do that!”
• Hopefully, it takes less time to proactively secure things than to fix them

Page 17: Information Security

Justifying the Cost of Security

• Security work can be expensive! It takes tools, training and time (or money to hire out)

• Compared to “firefighting”, yearly replacement, keeping servers running, and imaging workstations, it is usually not seen as a priority (until there is an incident, anyway)

• Or worse, it is a priority but nobody ever gets the time to do it

• Talk to the school board, H.R. and Finance directors, and superintendents about the risk (and get help from someone)

• Security is a proactive cost savings, not reactive

Page 18: Information Security

Scare Them… With Reality

• Discuss the frequency of computer breaches in the media and at peer organizations
• The national cost of computer incidents – Code Red alone = $1.2 BILLION
• Compute the cost in lost productivity if the HR, payroll, or student system dies (lots!)
• Discuss the cost of a lawsuit. Even a lawsuit without merit will cost thousands of dollars
• Discuss the need for student safety – could a child be exposed to harm due to a failure in the existing system? Can you put a price on that?

Page 19: Information Security

Scare Them… With Reality

• Discuss the educational ramifications – what if all student and staff directories were wiped out and no backups existed?

• Discuss privacy issues – some choice e-mail from the superintendent’s or spec. ed director’s account being sent to the local paper for example

• Loss of USF funding, loss of accreditation?
• Loss of community confidence and support
• Loss of valuable computer technician time that could otherwise be spent keeping everything working properly

• Loss of YOUR JOB!

Page 20: Information Security

Hacking

Page 21: Information Security

The Goal of Network Security

• Simply put: “To be more annoying to break into than your neighbor”
• The house and neighborhood metaphor
• Increase the “work factor” of attacking you by erecting as many barriers as possible (defense in depth)

• Ultimately, network security is all about preserving the functionality of the organization. Technology is just the tool.

Page 22: Information Security

Why People Hack (Crack)

• Crackers are generally regarded as being motivated by one of four primary reasons:
– Economic gain (espionage, embezzlement)
– Egocentric (to prove they can do it, play god, get recognition from other crackers)
– Ideological (to prove a political point – attacking the World Trade Organization or NATO web sites for example)
– Psychotic (they are just sick in the head and probably destructive)

Page 23: Information Security

Types of Hack Attacks

• Reconnaissance – Scan networks and online resources (whois, DNS), dumpster diving, etc. to gain interesting information about the target. Typically non-invasive, usually untraceable

• Exploits – Attack servers in an attempt to exploit a system vulnerability of some kind (e.g. NIMDA, Code Red, etc.) Very invasive, can be detected by IDS systems or careful log analysis

• Denial of Service (DoS) – Attack servers to take them down and render them unusable. You will probably know when this is happening from the complaint phone calls

Page 24: Information Security

Types of Hack Attacks

• Attacks can be both personal and manual, or automated and generic

• Many attacks are the result of systems that have already been attacked, and are now attempting to hack other machines. NIMDA was a good example of this. Usually the system owners have no idea what is happening

• If you monitor any Internet connection long enough (say, 15 minutes) you are bound to see attacks coming through. It is just part of doing business nowadays

• It is the manual attacks that you need to be worried about – deliberate, careful, and focused

• Most hackers aren’t that smart – they just use programs given to them – and are thus known as “script kiddies”

Page 25: Information Security

Common Security Practices

• Security is a nascent field in many respects
• Terminology, procedures and skill levels vary drastically between people and organizations
• Some disagreement over what best practices actually are (e.g. the best placement of an IDS)
• Few objective benchmarks to allow “apples to apples” comparisons for HW, SW, Services
• There is a big technical curve for security – you must first be an expert in the technology, and then learn security on top of it

• Whether you do it internally or get external help, it needs to be done

Page 26: Information Security

What We Have to Work With

Page 27: Information Security

Common Security Services

• A firewall and Internet border security is simply not enough! This gives rise to the “candy” network – hard on the outside, soft on the inside (and tasty for attackers, too)

• Embrace the concept of “defense in depth.” In other words, have security at multiple layers and in many places to make attacks as difficult as possible.

• There is value in getting help from an external perspective – there is less ego on the line and a fresh viewpoint

Page 28: Information Security

Vulnerability Assessments

• Sometimes called “penetration testing”
• Uses scripts and vulnerability assessment tools such as “Nessus” and the “ISS Internet Scanner” to scan all hosts for all known vulnerabilities

• Also uses “human logic” to find problems – manually connecting to services, analyzing portscans, researching various software packages, making connections, etc.

• Human logic is the most important step! Anyone can run a scanner program, but interpreting results and applying knowledge of the technologies involved is essential.

Page 29: Information Security

Vulnerability Assessments

• People and companies that specialize in security are important for a good vulnerability assessment project

• The deliverable of a vulnerability assessment should include a list of all IP addresses, open ports, explanation and ranking of vulnerabilities, and hopefully some dialog on how to start fixing them

• Vulnerability assessments should be done regularly – new vulnerabilities come out all the time – so you must stay up to date

• Be warned – other people are assessing your network. Are you?

Page 30: Information Security

Security Assessment Services

• Sometimes called an audit
• Sometimes performed in a very limited capacity by financial auditors (mainly backup systems)
• Can be used to audit an actual environment against a set of criteria, for example to determine compliance

• Should be performed by one or more individuals with backgrounds in both network systems and organizational administration

• Takes a macroscopic view of the organization
• Analyze technology as well as policies and procedures, configurations, and other items that a tool cannot assess

Page 31: Information Security

Security Assessment Services

• Uses interviews, inspection of documentation, and manual analysis (depending upon the focus)

• Should make recommendations on a wide variety of things to improve security

• Should provide a description of the current situation, what best practices are, and what the recommended changes are

• Should provide for estimation of pricing and priority, so that it could be used as a planning document for department priorities and budgets

Page 32: Information Security

Example Recommendations

Physical Security
– Project #1: War Dial Telephone Exchanges
– Project #2: Improve Physical Security
Network Security
– Project #3: Audit Firewall Configuration
– Project #4: Implement RFC 1918 addressing
Machine Security
– Project #5: Secure Externally-Maintained Machines
– Project #6: Deploy warning banners
Policies and Procedures
– Project #7: Security Awareness and Responsibilities
– Project #8: Improve User Password Security

Page 33: Information Security

Disaster Recovery Planning

• Concerned with minimizing the effect of a problem with a technological system
• Focuses on things like tape backup, off-site storage, network and machine redundancy, and recovery procedures

• Must identify critical assets, and all of the resources that support them (power, network, etc.)

• Put into place preventative measures and recovery procedures

• DRP is highly interactive and labor-intensive, primarily conducted through lots of interviews

• In the private sector, failure to have a Disaster Recovery Plan in place constitutes a failure of due diligence, and CEOs can be held legally liable for damages

Page 34: Information Security

Business Continuity Planning

• BCP is similar to DRP, but it looks at the health of the entire organization, and not just technological systems

• Why? Approx 65% of businesses that are down for more than a week never recover! School must continue regardless, but it will cost a fortune, and that may mean cutting back on services and employees to compensate (you won’t be popular)

• BCP looks at things like alternate locations, backup telephone systems, contacting employees, interfacing with public service agencies and the media, forming relationships with support vendors, etc.

• BCP typically is larger than, and contains, DRP measures

• Takes even longer than DRP

Page 35: Information Security

VPN / Remote Access Services

• Providing remote access to school resources from outside of the network is risky
• Access should only be given to those with a legitimate need (not just complainers)
• Frequently, programs like PC/Anywhere, VNC, and dial-up modem pools are used. Bad!
• A better option is to use VPN devices
• Can use the existing Internet connection, and reduce the reliance on dial-up lines to save $
• Can enforce proper authentication, provide logging, and protect traffic through the use of encryption
• Can be used for client-site or site-site

Page 36: Information Security

Intrusion Detection Systems

• Are designed to detect (and sometimes respond to) significant security events

• Configuration is critical to success!

• IDS works in two ways:
– Signature matching, like antivirus software
– Pattern matching, finding strange behaviors or fluctuations from the norm (e.g. a DoS attack)

Page 37: Information Security

Intrusion Detection Systems

• IDS comes in a few different forms:
– Network based, “sniffs” the network
– Host based, monitor local traffic and API calls
– Intrusion Prevention Systems, a combination of other types but with the ability to intercept and *stop* attacks (e.g. Entercept)
– Filesystem integrity based, monitor changes in the filesystem, registry, routers, etc. for changes (e.g. TripWire)
• Popular IDS Systems:
– Snort (free, open source, harder to manage)
– ISS RealSecure (nice, but expensive)
– Cisco Secure IDS (great for internal switches, especially)

Page 38: Information Security

Intrusion Detection Systems

• Can be configured to take different actions upon noting an event such as logging to a database, sending an e-mail or page to a network admin, or working with a firewall or router to block the attack

• Be warned of active response IDS systems! What happens if I spoof an attack from your DNS server?

• IMO, IDS systems are somewhat overrated because of the sheer volume of attacks that occur on a daily basis

• Without very careful configuration, especially sensor placement and signature tuning, you could be so overwhelmed by alerts that you can’t filter the noise from the important stuff

• Are probably best suited for the internal network, or on a DMZ network with a heavily tuned signature database
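As an added example (not from the presentation), the following Python script shows the two detection methods from the earlier IDS slide, signature matching and deviation from a baseline, run over constructed web-server log lines, together with the never-block list that the active-response warning above calls for. The log lines, the signature table, the 10x-median threshold and the never-block addresses are all assumptions made up for this example; the two "probe" requests only imitate the request strings that Code Red (default.ida) and NIMDA (cmd.exe) were known for.

```python
# Added example, not from the presentation: a toy IDS showing the two detection
# methods from the slides (signature matching and deviation-from-baseline) over
# constructed web-server log lines, plus a never-block list for active response.
import re
import statistics
from collections import Counter

# Constructed Apache-style log lines. The two probe requests imitate the request
# patterns of Code Red (default.ida) and NIMDA (cmd.exe) named on the slides.
NORMAL = [
    '10.1.1.5 - - [10/May/2002:09:00:01 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '10.1.1.6 - - [10/May/2002:09:00:02 -0400] "GET /grades/login.asp HTTP/1.0" 200 2210',
    '10.1.1.7 - - [10/May/2002:09:00:04 -0400] "GET /lunch/menu.htm HTTP/1.0" 200 880',
    '10.1.1.8 - - [10/May/2002:09:00:09 -0400] "GET /index.html HTTP/1.0" 200 1043',
]
PROBES = [
    '203.0.113.9 - - [10/May/2002:09:00:03 -0400] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 300',
    '203.0.113.9 - - [10/May/2002:09:00:05 -0400] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 300',
]
# One outside host hammering the server: the "fluctuation from the norm" case.
FLOOD = [
    f'198.51.100.4 - - [10/May/2002:09:00:{s:02d} -0400] "GET /index.html HTTP/1.0" 200 1043'
    for s in range(0, 60, 2)  # 30 requests in one minute
]
LOG_LINES = NORMAL + PROBES + FLOOD

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Signature table (constructed): alert name -> substring marking a known-bad request.
SIGNATURES = {
    "code-red-probe": "default.ida",
    "cmd-exe-request": "cmd.exe",
}

# Addresses an active response must never block, whatever the alert says (the
# slide's example is a spoofed attack "from" your own DNS server). Constructed.
NEVER_BLOCK = {"10.1.1.2", "10.1.1.3"}


def parse(line):
    """Return the log fields as a dict, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def signature_alerts(lines, signatures=SIGNATURES):
    """Signature matching, antivirus-style: one (source, alert name) per hit."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        req = rec["req"].lower()
        for name, pattern in signatures.items():
            if pattern in req:
                alerts.append((rec["src"], name))
    return alerts


def anomaly_alerts(lines, factor=10, min_requests=20):
    """Baseline deviation: flag sources far above the median per-source count.

    The baseline comes from the traffic itself, so one host sending many times
    more than its peers stands out; min_requests stops tiny samples alerting."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec:
            counts[rec["src"]] += 1
    if not counts:
        return []
    baseline = statistics.median(counts.values())
    return [(src, n) for src, n in counts.items() if n >= min_requests and n > factor * baseline]


def block_candidates(alerts, never_block=NEVER_BLOCK):
    """Sources an active response may block: deduplicated, minus the never-block list."""
    return sorted({src for src, _ in alerts if src not in never_block})


if __name__ == "__main__":
    hits = signature_alerts(LOG_LINES) + anomaly_alerts(LOG_LINES)
    for hit in hits:
        print("ALERT", hit)
    print("block:", block_candidates(hits))
```

A signature hit from an address on the never-block list is still reported as an alert; it is only kept out of the automatic block list, which is the point of the spoofed-DNS-server warning.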

Page 39: Information Security

Server Hardening

• Probably the single most important aspect of security

• A firewall cannot protect an insecure host

• Hardening includes a number of steps including keeping up to date with patches, and other proactive steps

• Simply keeping up with patches is not true hardening

• True hardening takes steps to make a compromise more difficult – even for exploits that have not yet been discovered

• Server hardening is time consuming, especially on NT and UNIX systems, and requires a lot of upkeep

• We will discuss server hardening in the technical portion of this presentation

Page 40: Information Security

Operations Security

Page 41: Information Security

Operations Security

• Concerned with ways to mitigate security risks through administration – policies, procedures and practices
• The weakest link in the security chain is individual humans (or as Dilbert calls them, “in-duh-viduals”)
• Part of “defense in depth”
• Administration support is critical to any security initiative
• Helps to minimize risk, respond to incidents, and establish standards for how things should be done

Page 42: Information Security

Personnel Controls

• Pre-hiring background checks for important positions. Do they have a criminal history with computers? Did they lie on their resume? Do they have heavy debt?
• Coordinate user ID practices with human resources:
– Hirings (create new IDs)
– Firings (delete all IDs)
– Position Changes (change ID rights)
• Requires that the IS department maintain a list of all places where IDs are stored! Do you have this?
• Create an “ID Maintenance” form as part of the H.R. standard procedures? Require sign-off on AUP
• Create checks and balances in power such that no single individual can take a process from start to finish by themselves. Especially in regards to money (payroll, POs, etc.)
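As an added example (not from the presentation), the following Python script shows how the hiring, firing and position-change coordination above can be checked mechanically rather than by memory: it reconciles an HR roster against an inventory of every system that stores IDs and reports accounts to create, delete, or trim. The roster, the role-to-system entitlements, the system names and the employee IDs are all constructed for this example.

```python
# Added example, not from the presentation: reconcile HR status against every
# place accounts live. Roster, entitlements, and account stores are constructed.

# Constructed HR roster: employee id -> record. "status" is what HR says today.
HR_ROSTER = {
    "e100": {"name": "Alice Teacher", "status": "active", "role": "teacher"},
    "e101": {"name": "Bob Clerk", "status": "active", "role": "payroll"},
    "e102": {"name": "Carol Former", "status": "terminated", "role": "teacher"},
    "e103": {"name": "Dan New", "status": "active", "role": "teacher"},  # hired, no IDs yet
}

# Constructed role -> systems a person in that role should have an ID on.
ROLE_ENTITLEMENTS = {
    "teacher": {"netware_nds", "student_info"},
    "payroll": {"netware_nds", "payroll_app"},
}

# Constructed inventory of every system that stores IDs (the list the slide says
# the IS department must maintain), as exported from each system.
ACCOUNT_STORES = {
    "netware_nds": ["e100", "e101", "e102", "svc_old"],  # svc_old: nobody in HR owns it
    "student_info": ["e100", "e101", "e102"],           # e101 moved to payroll, still here
    "payroll_app": ["e101"],
}


def reconcile(roster, entitlements, stores):
    """Compare what HR says against what the systems hold.

    Returns three sorted lists of (system, employee_id):
      create        - active person missing an ID their role requires (hirings)
      delete        - ID belonging to nobody active in HR (firings, orphans)
      remove_rights - active person holding an ID their role does not need
                      (position changes, over-provisioning)
    """
    # Invert the per-system exports into employee -> set of systems holding an ID.
    held = {}
    for system, ids in stores.items():
        for emp in ids:
            held.setdefault(emp, set()).add(system)

    create, delete, remove_rights = [], [], []
    for emp, systems in held.items():
        rec = roster.get(emp)
        if rec is None or rec["status"] != "active":
            delete.extend((s, emp) for s in systems)
    for emp, rec in roster.items():
        if rec["status"] != "active":
            continue
        expected = entitlements[rec["role"]]
        have = held.get(emp, set())
        create.extend((s, emp) for s in expected - have)
        remove_rights.extend((s, emp) for s in have - expected)
    return {
        "create": sorted(create),
        "delete": sorted(delete),
        "remove_rights": sorted(remove_rights),
    }


if __name__ == "__main__":
    for action, items in reconcile(HR_ROSTER, ROLE_ENTITLEMENTS, ACCOUNT_STORES).items():
        print(action)
        for system, emp in items:
            print(f"  {system}: {emp}")
```

Run against the constructed data it reports the new hire's two missing IDs, the terminated teacher's two leftover IDs plus the orphaned service account, and the extra student-system ID the clerk kept after moving to payroll. The same comparison against real exports is what an "ID Maintenance" procedure should produce on a schedule, not only when someone remembers.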

Page 43: Information Security

Acceptable Use Policies

• Should be well-plowed ground for most school districts, so we’ll just touch on it
• Provides guidance and expectation settings on what behavior is acceptable and unacceptable
• Should apply to both students and staff
• Should use “implicit deny” language
• Should state that all equipment is the property of the district and may be monitored at any time
• Should require sign-off on the part of users to document that they have read it and agree with the requirements
• Should address password security
• Should address information privacy standards such as the treatment of confidential data (special ed records, etc.)

Page 44: Information Security

Warning Banners

• Use warning banners when possible
• Functions somewhat like an AUP, and can contain the AUP itself (or items of it)
• Can provide additional legal ammunition in the event that something needed to go to court
• Should be placed on public servers (web server, e-mail servers, etc.) and on local workstations
• Should contain three distinct statements:
– Definition of the appropriate use of the resource
– Warning that the system is monitored
– That there is no expectation of privacy
• http://www.ciac.org/ciac/bulletins/j-043.shtml

Page 45: Information Security

Formal I.S. Staff Security Responsibilities

• Security takes time! If nobody is given sufficient time to keep up with security, it will never happen

• The buck must stop somewhere. Who is responsible for it?

• Define explicit security responsibilities for one or more staff members such as firewall maintenance, log review, server patching, etc. (good on a resume)

• Document these responsibilities and how they are done – this will help in the case of a vacation or staff change (hit by a bus or wins the lotto, you choose)

• Provide tools and training opportunities (such as SANS, or Microsoft for K-12 security training)

• Put it in the budget!

Page 46: Information Security

Formal Employee Security Responsibilities

• Every computer user has responsibilities they must live up to (or not use the computers)

• For example - don’t share passwords, don’t write passwords on sticky notes, don’t use your last name as your password, etc.

• Information privacy – don’t store confidential information in an inappropriate place

• Don’t let student aides log into the student information system to enter grades

• Don’t let students use a teacher ID
• This and more needs to be in the AUP and also reinforced!

Page 47: Information Security

Incident Response Plans

• Have a plan in place on how to respond to security incidents before they happen
• May be different for student discipline vs. external hacks
• It is better to plan ahead than to figure it out when you are under stress
• What are the criteria for alerting superiors?
• What are the criteria for alerting law enforcement?
• Who will be responsible for responding?
• How will the response be escalated?
• What type of documentation will you keep?

Page 48: Information Security

Change Control

• Change control is the process of requesting changes to systems, implementing and testing them, and documenting results

• Security can be improved through change control because it reduces error and improves availability

• Keep detailed records of before and after configurations

• Require approval of changes by another party to ensure that the change is appropriate, needed, and does not create problems

• Test changes on a non-production system prior to full implementation

Page 49: Information Security

Security Awareness

• Staying abreast of the latest issues and solutions in security is critical
• Administrators must budget for and offer training opportunities to technical staff
• Administrators should require that technical staff be signed up for security listservs such as:
– BugTraq / NT BugTraq (www.securityfocus.com)
– Microsoft Bulletins (security.microsoft.com)

• Consider conducting regular internal trainings on security topics

• Consider ways to keep staff up to speed

Page 50: Information Security

Physical Security

Page 51: Information Security

Why Physical Security?

• Without physical security, all other measures can be circumvented
• For example, if I can boot a computer, I can probably enter some kind of single user mode (bootable CD’s, single user mode, etc.)

• There are many types of physical attacks as well (such as key loggers)

• Access to critical areas such as wiring closets can provide unrestricted access to the network or damage of equipment (“oooh, look at the blinky lights”)

• Physical security is needed to prevent the loss of equipment

Page 52: Information Security

The $59 KEYkatcher

• The hardware key logger – no need to install any software whatsoever
• Could be placed on a server, log a few passwords, and then removed
• Could be placed on a “broken” student workstation, then scarf the password when you turn off your desktop protection and log in as admin to fix the problem
• If this doesn’t scare you, you aren’t really paying attention
• Only $59 each from TigerDirect.com

(Image: KeyKatcher hardware key logger)

Page 53: Information Security

Physically Securing Servers

• As you can see from the last example, restricting physical access to the console is important
• There are other steps to take such as:
– Set the BIOS to boot to C: only

– Use a BIOS admin password (though it can be beaten)

– Disconnect floppy and CD-ROM drives (since they can be booted or be used to bring in malicious code)

– Lock the cases to stop modifications or “walkaway RAM”

– Beware of other system ports such as USB!

– Set swap file to be deleted on shut-down

– Don’t allow booting to DOS or another OS

– Use Encryption on the filesystem

Page 54: Information Security

The $40 USB Hard Drive

• Now there are USB storage devices that work like hard drives
• These are harder to restrict
• Can be used to bring in hacking software, and circumvent security
• If USB is not needed, perhaps turn it off or disable the loading of new drivers
• Windows XP will automagically load drivers for these when detected!

Page 55: Information Security

Physical Availability

• Also keep in mind availability as a security requirement
• Use redundant power supplies and other types of hardware
• Use RAID-5 striping or RAID-1 disk mirroring on critical applications
• Be aware of power conditioning needs and UPS systems
• Consider the use of Storage Area Networks (SANs) for highly-available and centrally managed storage

Page 56: Information Security

Environmental Control

• Temperature is an obvious problem – if it’s too hot, things can overheat and fail. If they are too cold, media and LCDs can be damaged
• Too much humidity = corrosion
• Too little humidity = static shock
• Be aware of fire control systems – where are the sensors located? What type of fire extinguisher systems are in use? Where are the output heads located?

• Ever think of the water sprinkler above your servers? What would happen if it went off?

Page 57: Information Security

Network Infrastructure

Page 58: Information Security

The Importance of a Good Net

• Firewalls and routers aren’t enough to protect you, but you still need them

• There are two critical factors:
– Control – Restrict communication between parties (the Internet to the DMZ, the Internet to the inside, inside to inside, etc.)

– Accountability – There must be audit trails and logging sufficient to recreate a sequence of events. Without accountability, you will never know how your network is being used

Page 59: Information Security

The Unprotected Network

• This is really, really bad! There is no protection at all
• All hosts are directly connected to the Internet
• All hosts can theoretically be attacked
• Typically found in very small schools or universities
• For goodness sake, get a firewall!
• Juicy targets for hacking and setting up servers for pirated software, etc.

(Diagram labels: The Internet, ISP Router, Internal Network (Real IP Addresses) with plotter, IBM compatibles, Mac II and laptop computer)

Page 60: Information Security

The Firewalled Network

• Network access to inside is controlled at the firewall
• “Sacrificial” hosts are unprotected outside the fw
• Ideally, RFC1918 addressing and Network Address Translation (NAT) are used on the inside network
• Strict access control lists are used to stop all incoming traffic to the inside network
• Rely on hardening of Internet servers for protection

(Diagram labels: The Internet, ISP Router, Real IP Network with WWW servers and FTP servers, Firewall, Internal Network with plotter, IBM compatibles, Mac II and laptop computer)

Page 61: Information Security

The Pseudo-DMZ Network

• Internal hosts are made available to the outside – usually for web and mail servers (often Exchange)
• This is better than nothing, but still a very bad idea!
• Internal systems are exposed to the Internet; if one of them can be hacked, it can be used to hack the rest of the Internal network (the leapfrog!)

(Diagram labels: The Internet, ISP Router, Real IP Network, Firewall, Internal Network with plotter, IBM compatibles, WWW servers and mail servers)

Page 62: Information Security

The True DMZ Network

• Internet servers are on a DMZ network and protected by the firewall with access control and logging
• The DMZ cannot talk to the inside (no leapfrog)
• DMZ servers may use RFC1918 addressing & NAT
• Easier to maintain and monitor critical servers
• The inside is protected

(Diagram labels: The Internet, ISP Router, Real IP Network, Firewall, DMZ Network with WWW servers and FTP servers, Internal Network with plotter, IBM compatibles, Mac II and laptop computer)

Page 63: Information Security

Use Network Address Translation (NAT)

• Best practices dictate that you use RFC1918 addresses such as:
– 10.0.0.0/8
– 172.16.0.0/12
– 192.168.0.0/24

• Use one-to-one NAT for externally accessible hosts or special clients (such as a DMZ)

• Use many-to-one (PAT, IP Masquerading, overloaded nat) for internal client access to the Internet

• NAT can break a lot of software, so be aware of address translation issues –anything that requires a host-to-host communication channel

• Use ACLs (access control lists) to deny all traffic except for that which is needed
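As an added example (not from the presentation), the following Python script puts the NAT and ACL advice above together with the "true DMZ" layout from the earlier slide: an RFC 1918 check for addresses, a zone lookup, a first-match rule table with implicit deny in which the DMZ cannot reach the inside except for the mail relay path the e-mail virus filtering slide later describes, and a small audit that flags any rule opening a more-trusted zone to a less-trusted one on every port (the kind of check a firewall configuration audit, Project #3 above, would make). The zone ranges, rule table and sample flows are constructed for the example. One fact worth noting: RFC 1918 defines the third private block as 192.168.0.0/16, and the code uses the RFC's ranges.

```python
# Added example, not from the presentation: RFC 1918 classification plus a
# default-deny zone ACL modelling the "true DMZ" design. Zone ranges and the rule
# table are constructed; RFC 1918 itself defines 192.168.0.0/16 as the third block.
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed zone layout: inside and DMZ on private space behind NAT; everything
# else is treated as the Internet.
ZONES = {
    "inside": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
}
TRUST = {"internet": 0, "dmz": 1, "inside": 2}  # higher = more trusted

# Constructed rule table: (src_zone, dst_zone, proto, dst_port, action).
# First match wins; None matches any protocol/port; no match = implicit deny.
RULES = [
    ("internet", "dmz", "tcp", 80, "allow"),      # public web server
    ("internet", "dmz", "tcp", 25, "allow"),      # inbound SMTP to the virus wall on the DMZ
    ("dmz", "inside", "tcp", 25, "allow"),        # virus wall relays mail to the internal server
    ("dmz", "inside", None, None, "deny"),        # everything else DMZ -> inside: no leapfrog
    ("inside", "dmz", None, None, "allow"),       # admins reach DMZ servers
    ("inside", "internet", None, None, "allow"),  # client access out (many-to-one NAT)
]


def is_rfc1918(addr):
    """True if addr falls in one of the RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def zone_of(addr):
    """Map an address to its zone; anything outside the defined zones is the Internet."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def evaluate(src, dst, proto, dport, rules=RULES):
    """Return 'allow' or 'deny' for one flow: first match, implicit deny."""
    sz, dz = zone_of(src), zone_of(dst)
    for rs, rd, rp, rport, action in rules:
        if rs == sz and rd == dz and (rp is None or rp == proto) and (rport is None or rport == dport):
            return action
    return "deny"


def audit(rules):
    """Rules that open a more-trusted zone to a less-trusted one on every port.
    A sound rule table returns an empty list."""
    return [r for r in rules
            if r[4] == "allow" and TRUST[r[0]] < TRUST[r[1]] and r[3] is None]


if __name__ == "__main__":
    for flow in [("203.0.113.9", "192.168.100.10", "tcp", 80),
                 ("203.0.113.9", "10.0.0.5", "tcp", 80),
                 ("192.168.100.10", "10.0.0.5", "tcp", 139),
                 ("10.0.0.5", "203.0.113.9", "tcp", 443)]:
        print(flow, "->", evaluate(*flow))
    print("audit findings:", audit(RULES))
```

The order of the two DMZ-to-inside rules matters: the single SMTP exception sits above the catch-all deny, so a web server that is compromised on the DMZ still cannot open NetBIOS or anything else toward the inside.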

Page 64: Information Security

Client VPN Services

• As before, but with a VPN concentrator as a means of ingress to the network
• Clients use VPN client software over the Internet
• Beware split tunneling! (leapfrog)

(Diagram labels: The Internet, ISP Router, Real IP Network, Firewall, DMZ Network with WWW servers and FTP servers, Internal Network with plotter, IBM compatibles, Mac II and laptop computer, Cisco 3005 VPN concentrator, VPN Client User)

Page 65: Information Security

Site to Site VPN

• Using firewalls or VPN devices, traffic between district#1 and district#2 is encrypted across the net
• Assumes compatible addressing! Have a plan!
• Useful for sharing resources, hooking schools up to a WAN when all you have is cable modems and DSL
• Client access still possible

(Diagram labels: District #1 with Real IP Network, Firewall and ISP Router; The Internet; District #2 with Real IP Network, Firewall and ISP Router; VPN Client User)

Page 66: Information Security

IDS Sensor Placement

• Where you “listen” is critical – inside, outside, DMZ
• Outside = see all the attacks, be overwhelmed
• DMZ = see a lot of attacks, manageable with tuning?
• Inside = see internal attacks, or those that somehow got in, but no monitoring of Internet servers
• DMZ and Inside best?

(Diagram labels: The Internet, ISP Router, Real IP Network, Firewall, DMZ Network with WWW servers and FTP servers, Internal Network, Intrusion Detection System with its placement marked “?!”)

Page 67: Information Security

The “Partner Problem”

• Partners connected behind the firewall!

• Common for vendor maintenance and services

• No control over the partner’s security!

• These connections should be controlled by a firewall

• Never trust a vendor or partner!

[Diagram: two Partner WAN Connections enter through their own ISP Routers directly into the Internal Network (PCs, Mac II, plotter), bypassing the Firewall that sits between the Internet, the ISP Router and the Real IP Network]

Page 68: Information Security

E-mail Virus Filtering

• Works as an inline proxy; reverse the arrows for outgoing mail

• ACL allows SMTP Internet → DMZ and DMZ → Inside

• Example product – Trend Micro Virus Wall

• Can protect ANY SMTP server, but only if inline. Use special agent software for mail server databases (Guinivere, NAV, etc.)

• Doesn’t protect e-mail between internal users

• Filter e-mail CONTENT?

[Diagram: Internet → ISP Router → Firewall → Network Virus Filter on the DMZ Network → Internal Email Server on the Internal Network; a Web server is also shown on the DMZ]

Page 69: Information Security

Content Virus Filtering

[Diagram: Internet, ISP Router, Firewall, Network Virus Filter and Web server on the DMZ Network, Real IP Network, and Internal Network clients (PCs, Mac II, laptop, plotter)]

• Works much like a content filter – can intercept transparently via the firewall, or by browser proxy settings

• Must integrate with content filtering and proxy caching!

• Good for stopping web attacks over HTTP, FTP, etc.

• May or may not be able to look inside of HTTPS

• Must make this network path mandatory (filter port 80 except from the virus content filter)

Page 70: Information Security

Web Access Servers

• Model used for GroupWise / Outlook Web Access

• Put the web server component on the DMZ, and allow the Web Access server to talk ONLY to the internal mail server

• GroupWise web access on the DMZ is relatively secure

• Outlook web access is a problem – it must open full NetBIOS access between the OWA server and the inside. An accident waiting to happen!

• Relay SMTP if needed

[Diagram: Internet, ISP Router, Firewall, an e-mail Web Access server and a Web server on the DMZ Network, Real IP Network, and the Internal Email Server on the Internal Network]

Page 71: Information Security

Wireless Security

• Wireless security has typically been very bad

• Uses WEP encryption up to 128 bits, but only if properly configured on the AP and on the client

• WEP can be broken within a few hours given the proper hardware and software (freely available)

• Signals leak further than you may think, giving access to your network from areas outside of your physical control (like the street)

• “Wardriving” is becoming very popular – drive around in a car w/ an omnidirectional antenna and a GPS to locate insecure access points

• Geographical databases are being compiled that give the coordinates of insecure networks

• Newer products have true security (RADIUS)

Page 72: Information Security

Wireless Security

• Net Stumbler is one popular utility

• Above are all the access points between work (Lansing) and home (Haslett), many of which were found at 45 mph on Mount Hope Highway

• Be afraid. Be very afraid.

Page 73: Information Security

My Wireless Solution

• Only trust wireless users as much as Internet users

• Put the WAP on a DMZ, and require VPN access to the internal network

• Disallow all other access (e.g. wireless to the Internet)

• This will allow strong authentication and logging for use of internal servers

• Should stop abuse (freeloading)

[Diagram: a Wireless Client w/ VPN software connects through the WAP antenna on the DMZ Network; the Firewall separates the DMZ from the Real IP Network, the Internet (via the ISP Router) and the Internal Network (PCs, Mac II, plotter)]

Page 74: Information Security

Logging and Reporting

• In order to know how your network is being used, you need to log all traffic

• Use reporting tools to summarize and make sense of it!

• It’s too hard and time consuming to scan through logs by hand to find suspicious information

• Instead, use a log reporting tool such as “Web Trends Firewall Suite” to make sense of it

• These tools should summarize information such as host and protocol activity, usage trends, most popular hosts, etc.

• The “Cheap Man’s IDS”
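To show what the “cheap man’s IDS” gets you, here is an added example (not from the presentation or any reporting product) that summarizes firewall log lines the way a reporting tool does and then pulls out the one thing a summary alone hides: a source that was denied on many different ports. The log format, the sample lines and the addresses are constructed for the example.

```python
"""Added example (not from the slides): a small firewall-log summarizer of the kind
the slide calls the "cheap man's IDS". The log format and every line are constructed."""
import re
from collections import Counter, defaultdict

# Constructed sample log: one firewall decision per line, plus one malformed line.
SAMPLE_LOG = """\
2002-03-01 08:00:01 ACCEPT tcp 192.168.0.50:51000 -> 198.51.100.5:80
2002-03-01 08:00:02 ACCEPT tcp 192.168.0.51:51001 -> 198.51.100.5:443
2002-03-01 08:00:03 ACCEPT udp 192.168.0.50:53120 -> 10.0.0.2:53
2002-03-01 08:00:04 DENY tcp 203.0.113.99:4000 -> 203.0.113.10:21
2002-03-01 08:00:04 DENY tcp 203.0.113.99:4001 -> 203.0.113.10:22
2002-03-01 08:00:04 DENY tcp 203.0.113.99:4002 -> 203.0.113.10:23
2002-03-01 08:00:05 DENY tcp 203.0.113.99:4003 -> 203.0.113.10:25
2002-03-01 08:00:05 DENY tcp 203.0.113.99:4004 -> 203.0.113.10:110
2002-03-01 08:00:05 DENY tcp 203.0.113.99:4005 -> 203.0.113.10:139
2002-03-01 08:00:06 ACCEPT tcp 203.0.113.99:4006 -> 203.0.113.10:80
2002-03-01 08:00:07 DENY tcp 198.51.100.77:3000 -> 203.0.113.10:22
garbage line that a real log would also contain now and then
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ACCEPT|DENY) (?P<proto>tcp|udp|icmp) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)


def parse(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            yield rec


def summarize(text, top=3):
    """The summary a reporting tool gives you: action and protocol mix, most active hosts."""
    recs = list(parse(text))
    return {
        "total": len(recs),
        "by_action": dict(Counter(r["action"] for r in recs)),
        "by_proto": dict(Counter(r["proto"] for r in recs)),
        "top_sources": Counter(r["src"] for r in recs).most_common(top),
        "top_dports": Counter(r["dport"] for r in recs).most_common(top),
    }


def scan_suspects(text, min_ports=5):
    """Sources denied on at least min_ports distinct destination ports. A port sweep
    is visible in plain firewall logs without a dedicated IDS."""
    denied_ports = defaultdict(set)
    for r in parse(text):
        if r["action"] == "DENY":
            denied_ports[r["src"]].add(r["dport"])
    return sorted(src for src, ports in denied_ports.items() if len(ports) >= min_ports)


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
    print("suspects:", scan_suspects(SAMPLE_LOG))
```

On the sample, the most active source is also the only one flagged by scan_suspects; the host that was denied once on port 22 is counted in the summary but does not cross the threshold, which is the tuning decision every log-reporting setup forces you to make.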

Page 75: Information Security

Web Trends Firewall Suite

Page 76: Information Security

Host Security

Page 77: Information Security

General Host Security

• Not nearly enough time to talk about everything we need to!

• We must refer to OS hardening guides instead – there are many good ones out there

• We will touch on a few highlights, things that are perhaps not so obvious

• Make sure to properly configure auditing and logging capabilities

• Make sure that machines are properly patched

• Make sure that password security is adequate

Page 78: Information Security

Hardening Guides

• http://nsa1.www.conxion.com/ – Windows NT/2000, Cisco routers, e-mail

• http://www.sans.org – Windows, Solaris, Linux (not free)

• http://www.microsoft.com/security – Microsoft (of course)

• Analysts International Hardening Checklist (normally used internally)

Page 79: Information Security

Macintosh Security

Page 80: Information Security

Macintosh OS/X Security

• Warning: I am not a Macintosh expert. I am a UNIX geek. I can only speak about the underlying packages that are common to other platforms

• We’ll focus on OS/X because it is actually a UNIX-like operating system underneath the hood

• Because of this, security must now be a bigger concern than before

• OS/X is relatively secure by default – it is not intended to be a multi-user system. Root is disabled

• Check out http://www.securemac.com for articles

• http://www.apple.com/support/security/security_updates.html for security updates so far

• Brush up on UNIX security, especially how privileges work (su, sudo, root account, low level ports)

Page 81: Information Security

Macintosh OS/X Security

• One of the most dangerous security problems on the Mac is actually from Microsoft

• IE 5.1 may allow a remote user to take over your Mac (two problems so far, more to come)

• Microsoft Office scripting / macro viruses / Exchange are always a problem

• Various issues with UNIX apps underneath

• Apache mod_SSL remote root compromise

• PHP, Tomcat, sudo, OpenSSH, etc. root compromises

• Beware of password security!

• AppleTalk brute force attacks & tools

• Other brute force attacks (FTP, HTTP)

Page 82: Information Security

Macintosh OS/X Steps to Take

• Learn UNIX security (sorry!)

• Keep up to date with patches. Use the auto updater if you are trusting or short on time

• Use workstation firewalling to block incoming access to everything!

• Never run unnecessary services – especially the remote command line option and FTP

• Never run plaintext protocols like Telnet or FTP, use SSH instead

• Don’t enable root access

• Use good Antivirus software (make sure it works in both environments)

Page 83: Information Security

Novell Security

Page 84: Information Security

Novell Security

• Novell is not hacked casually, because it’s not that much fun

• There are some issues, though, that you should know about

• http://www.nmrc.org/faqs/netware/index.html is where to start reading

• There are several problems in older versions. We will assume version 4.x or later

• Also assume that patches are up to date (including GroupWise and Border Manager)

• Do not run the web server

Page 85: Information Security

Novell Security

• Check all accounts for inappropriate access

• Check user_template! Sometimes you can log in as the template user with rights

• Check service accounts such as Arcserve, backup, and GroupWise agents

• Physically protect the server – there is a debug key combination that can disable the console screen saver and dump you to the console

• It is also possible to modify the disk directly using Norton to disable the security settings

Page 86: Information Security

Novell Security

• Beware Pandora by NMRC.ORG

• A great tool for admins and hackers alike

• Great for auditing password security

• Can brute-force attack passwords from directory services: BACKUP.DS, BACKUP.NDS, DSREPAIR.DIB – are these files lying around?

• Can also spoof and hijack connections and file copies (use network switches and turn on packet signatures to stop some of this)

• Put SET PACKET SIGNATURE LEVEL=3 as the first line of STARTUP.NCF

• Numerous DoS attacks (the “yang” attack)

• Bad NDS permissions are common

Page 87: Information Security

Novell Security

• Never use RCONSOLE if possible (definitely don’t put an rconsole password in the .NCF file)

• Beware of Compaq Insight Manager

• Beware of the Web Server:

– Remove all sample code and unneeded stuff

– SEWSE.NLM allows read access to any file

– Multiple DoS attacks – Netware Remote Manager

– NDSOBJ.NLM allows browsing of NDS

– Old GW Web Access applet allows read access

– GWWEB.EXE allows read access

• Enable intruder detection

• Enable auditing of critical files

Page 88: Information Security

Linux / UNIX Security

Page 89: Information Security

Linux / UNIX Security

• Linux/UNIX is in some ways more secure than other alternatives

• Open Source means that people can look for security problems on their own, a mixed blessing

• Linux is the sum of a number of software pieces by various people – the kernel, GNU libraries, application software, etc.

• Thus, a bug in one of the applications can affect the whole OS, especially if the process runs as root

• Despite this fact, security is generally pretty good by default, but it is still important to harden and maintain the servers properly

• Use the NSA hardening guide

Page 90: Information Security

Linux Hardening

• Read the (free) Linux Administrator’s Security Guide: http://seifried.org/lasg/

• Do a minimal installation and add packages later

• Double-check for updates before putting the machine on the net

• Create your disk partitions wisely – it affects how symbolic and hard links work:

– /tmp (temp files)

– /var (log files, working files)

– /home (user files)

• Use a BIOS / LILO / GRUB password – without one, anyone at the console can boot to single user mode with ‘linux single’

• Use the ‘immutable’ attribute on the boot loader configuration: ‘chattr +i lilo.conf’

Page 91: Information Security

UNIX Security

• Filesystem “gotchas”: setuid and setgid files, and writable files

• Find setuid and setgid files: ‘find / -perm +4000’ and ‘find / -perm +2000’

• Remove setuid privs for unnecessary utils such as ‘rlogin’ on single user systems: ‘chmod -s /bin/rlogin’

• Find all files that are group or world writable (and make sure they are not important!): ‘find / -perm -g+w’ and ‘find / -perm -o+w’

• World-writable scripts are a no-no (such as those that are run by users or especially root): ‘chmod og-w bigscript.sh’
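The find(1) one-liners above are the right tool on a live system; as an added example (not from the presentation), the following Python script does the same audit in a form that is easy to extend and to test, walking a tree for setuid, setgid and world-writable regular files. The fixture directory, its file names and their modes are constructed so the scan runs anywhere; the setuid bit is set on an ordinary file purely to exercise the detector.

```python
"""Added example (not from the slides): a Python equivalent of the find(1) checks on
this slide, walking a tree for setuid, setgid and world-writable files. The fixture
directory and file names are constructed so the scan can be run anywhere."""
import os
import stat
import tempfile


def scan_tree(root):
    """Return {'setuid': [...], 'setgid': [...], 'world_writable': [...]} for regular
    files under root. Symlinks are skipped: their own mode bits mean nothing, and
    following them could walk out of the tree being audited."""
    findings = {"setuid": [], "setgid": [], "world_writable": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                              # vanished or unreadable: move on
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_ISUID:
                findings["setuid"].append(path)       # the -perm +4000 case
            if st.st_mode & stat.S_ISGID:
                findings["setgid"].append(path)       # the -perm +2000 case
            if st.st_mode & stat.S_IWOTH:
                findings["world_writable"].append(path)   # the -perm -o+w case
    for key in findings:
        findings[key].sort()
    return findings


def build_fixture():
    """Create a throwaway tree with one file of each kind (constructed test data)."""
    root = tempfile.mkdtemp(prefix="perm-audit-")
    wanted = {
        "suid_tool": 0o4755,      # setuid helper, like the rlogin example on the slide
        "sgid_tool": 0o2755,      # setgid
        "scratch.txt": 0o666,     # world-writable data file
        "bigscript.sh": 0o755,    # correctly protected: not writable by group or other
    }
    for name, mode in wanted.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n" if name.endswith(".sh") else "")
        os.chmod(path, mode)
    return root


def demo():
    """Scan the fixture and return just the base names, grouped by finding."""
    root = build_fixture()
    found = scan_tree(root)
    return {k: [os.path.basename(p) for p in v] for k, v in found.items()}


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run against a real filesystem, scan_tree("/") produces the same lists the three find commands do; on the fixture only the three deliberately mis-set files show up and bigscript.sh, which has had og-w applied, does not.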

Page 92: Information Security

UNIX Security

• Turn off all unnecessary services

• Use ipchains firewalling to block incoming connections – default policy of deny all, allow specific source addresses and ports only.

• From /etc/sysconfig/ipchains:

-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 110 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 443 -p tcp -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT

• Test these rules from somewhere else with NMAP and Nessus! Never trust a local portscan

Page 93: Information Security

UNIX Security

• Use TCP Wrappers or xinetd security features to restrict incoming connections by source and service

• Use Secure Shell (SSH) as a replacement for Telnet

• Use SSH / SCP to transfer files with encryption (nice, and very scriptable)

• Use Tripwire (tripwire.com) to monitor filesystem changes

• Use Snort (snort.org) as a free IDS

• Use the Psionic portscan detection and log watch tools from http://www.psionic.com to find attacks and suspicious activity in the logs

• Log to an alternate syslog server

• Use ‘netstat -a -n | grep LISTEN’ or ‘lsof | grep LISTEN’ to find programs listening on network ports

Page 94: Information Security

Microsoft Security

Page 95: Information Security

General Microsoft Security

• Obviously, Microsoft has had a few problems

• It requires good hardening and constant patching, but it can be made (pretty) secure

• Microsoft is making a genuine attempt to improve their security (developer camp)

• Requires updating all kinds of components:

– Core operating system

– Internet Information Server

– Microsoft Exchange / Outlook

– Microsoft SQL Server

– Internet Explorer

• Build this expectation into your time estimates and total cost of ownership when evaluating operating systems

Page 96: Information Security

During Installation

• Do not connect to the Internet while installing (the machine can be hacked during the install)

• Install the minimal number of packages

• Make Internet servers standalone – not part of any domain or Active Directory

• Format all volumes as NTFS

• Install IIS on a separate volume or hard drive (note that this requires an unattended installation and script)

• Use strong administrator passwords

Page 97: Information Security

Install all service packs

• Operating system

• Internet Information Server

• Internet Explorer

• SQL server, others as needed

• hfnetchk.exe should come up clean* before the server is deployed

Page 98: Information Security

Filesystem Security

• The ‘everyone’ group has full access to all drives by default! This is dangerous and unnecessary

• Carefully remove ‘everyone’ and add administrators, users, etc. to disks using descriptive groups

• Create a ‘web user’ group that has READ access to IIS directories

• Create a ‘web admin’ group that has WRITE access to IIS directories

• Add IUSR_BOX and IWAM_BOX to ‘web users’, maybe ‘web admin’

Page 99: Information Security

Filesystem Security

• Delete or remove access to dangerous programs to make hacking harder:

ARP.EXE, AT.EXE, ATSVC.EXE, ATTRIB.EXE, CACLS.EXE, CLIPSRV.EXE, CMD.EXE, COMMAND.COM, CSCRIPT.EXE, DEBUG.EXE, DIALER.EXE, EDIT.EXE, EDLIN.EXE, FINGER.EXE, FTP.EXE, HTIMAGE.EXE, HYPERTRM.EXE, IMAGEMAP.EXE, IPCONFIG.EXE, ISSYNC.EXE, MSIEXEC.EXE, NBTSTAT.EXE, NET.EXE, NET1.EXE, NETSH.EXE, NETSTAT.EXE, NSLOOKUP.EXE, PING.EXE, POLEDIT.EXE, POSIX.EXE, QBASIC.EXE, QFECHECK.EXE, RCP.EXE, RDISK.EXE, REGEDIT.EXE, REGEDIT32.EXE, REXEC.EXE, ROUTE.EXE, RSH.EXE, RUNAS.EXE, RUNONCE.EXE, SECFIXUP.EXE, SYSEDIT.EXE, SYSKEY.EXE, TELNET.EXE, TFTP.EXE, TRACERT.EXE, TSKILL.EXE, UNINST.EXE, WSCRIPT.EXE, XCOPY.EXE

Page 100: Information Security

Filesystem Security

• Remove all resource kits and SDKs

• Disable indexing of disks recursively

• Never allow the emergency console to boot from the hard drive

• Delete backup copies of the registry from %SystemRoot%\repair\

• Configure the recycle bin to immediately delete files

• Configure the system swap file to be deleted at shutdown

Page 101: Information Security

High-accountability logging

• Enable auditing of filesystem accesses

• Configure auditing to log all failed file accesses by the ‘everyone’ group

• Increase the size of the event log to 512 MB if possible

• Set the event viewer to delete events that are N days old, where N matches your backup schedule

• Audit the use of privileges

Page 102: Information Security

Monitor suspicious log events

• Filter event logs for interesting events

– 529: Unknown Username or Bad Password

– 537: Unsuccessful Logon

– 530: Account Logon Time Restriction Violation

– 531: Account Currently Disabled

– 532: Account Has Expired

– 533: User Not Allowed to Log on

– 534: Logon Type Restricted

– 535: Password Expired

– 516: Some Audit Event Records Discarded

– 517: Audit Log Cleared

Page 103: Information Security

More Suspicious Events

– 624: User Account Created

– 630: User Account Deleted

– 627: Change Password Attempt

– 636: Local Group Member Added

– 632: Global Group Member Added

– 642: User Account Changed

– 643: Domain Policy Changed

– 608: User Right Assigned

– 609: User Right Removed

– 612: Audit Policy Change

– 610: New Trusted Domain

– 611: Removing Trusted Domain
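As an added example covering both event lists above (not from the presentation, and not a Microsoft tool), the script below filters exported security events for exactly the IDs the two slides name, counts failed logons per account, and separates out the events that touch the audit trail itself. The event records are constructed; which IDs count as “audit tampering” is this example’s editorial grouping, and event 528 (Successful Logon) appears only as a benign record that is deliberately not on the watch list.

```python
"""Added example (not from the slides): filtering Windows NT/2000 security events for
the IDs listed on the two slides above. The event records are constructed, and the
AUDIT_TAMPERING grouping is an editorial choice for this example."""
from collections import Counter

# Event IDs and meanings exactly as listed on the slides.
SUSPICIOUS = {
    529: "Unknown Username or Bad Password", 537: "Unsuccessful Logon",
    530: "Account Logon Time Restriction Violation", 531: "Account Currently Disabled",
    532: "Account Has Expired", 533: "User Not Allowed to Log on",
    534: "Logon Type Restricted", 535: "Password Expired",
    516: "Some Audit Event Records Discarded", 517: "Audit Log Cleared",
    624: "User Account Created", 630: "User Account Deleted",
    627: "Change Password Attempt", 636: "Local Group Member Added",
    632: "Global Group Member Added", 642: "User Account Changed",
    643: "Domain Policy Changed", 608: "User Right Assigned",
    609: "User Right Removed", 612: "Audit Policy Change",
    610: "New Trusted Domain", 611: "Removing Trusted Domain",
}
FAILED_LOGON = {529, 530, 531, 532, 533, 534, 535, 537}
AUDIT_TAMPERING = {516, 517, 612}      # events that alter the audit trail itself

# Constructed sample: five bad-password attempts against the administrator account from
# one workstation, an ordinary failed logon, an account creation, then the log being cleared.
SAMPLE_EVENTS = [
    {"id": 528, "user": "jsmith", "src": "192.168.0.20"},          # successful logon: not on the watch list
    {"id": 529, "user": "administrator", "src": "192.168.0.77"},
    {"id": 529, "user": "administrator", "src": "192.168.0.77"},
    {"id": 529, "user": "administrator", "src": "192.168.0.77"},
    {"id": 529, "user": "administrator", "src": "192.168.0.77"},
    {"id": 529, "user": "administrator", "src": "192.168.0.77"},
    {"id": 529, "user": "jsmith", "src": "192.168.0.20"},
    {"id": 624, "user": "svc_backup", "src": "server"},
    {"id": 517, "user": "administrator", "src": "server"},
]


def filter_suspicious(events):
    """Keep only events on the watch list, annotated with the slide's description."""
    return [dict(e, desc=SUSPICIOUS[e["id"]]) for e in events if e["id"] in SUSPICIOUS]


def failed_logons_by_user(events, threshold=3):
    """Accounts with at least `threshold` failed logons: password guessing shows up here."""
    counts = Counter(e["user"] for e in events if e["id"] in FAILED_LOGON)
    return {user: n for user, n in counts.items() if n >= threshold}


def audit_tampering(events):
    """Events that should always be investigated: the log itself was changed or cleared."""
    return [e for e in events if e["id"] in AUDIT_TAMPERING]


if __name__ == "__main__":
    for e in filter_suspicious(SAMPLE_EVENTS):
        print(e["id"], e["desc"], e["user"], e["src"])
    print("repeated failures:", failed_logons_by_user(SAMPLE_EVENTS))
    print("audit tampering:", [e["id"] for e in audit_tampering(SAMPLE_EVENTS)])
```

The threshold is the knob to tune: a single 529 is normal user behaviour, five in a row against the administrator account from one address is not, and a 517 following them is the case where the log itself is the evidence that something was hidden.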

Page 104: Information Security

Network Adapter Settings

• Disable all bindings except TCP/IP

• Use IP filters to limit incoming traffic to only required ports (80, 443, 25, etc.)

• Disable remote access to the registry

• Disable NetBIOS over TCP/IP

• Disable IP routing

• Do not make “dual-homed” hosts that connect insecure (external) networks to secure (internal) networks

• Harden the TCP/IP stack against DoS attacks

Page 105: Information Security

Disable Unnecessary Services

• Alerter

• Clipbook server

• Computer browser

• Distributed File System

• Distributed Link Tracking Systems Server

• Distributed Link Tracking Systems Client

• IPSEC policy agent (unless IPSEC is used)

• Licensing Logging Service

• Logical Disk Manager Administrator Service (needed for software RAID)

• Messenger

• Net Logon

Page 106: Information Security

Disable Unnecessary Services

• Network DDE

• Network DDE DSDM

• Print Spooler

• Remote Registry Service

• Removable Storage

• Server Services (needed for SMTP services)

• Task Scheduler

• TCP/IP NetBIOS Helper

• Telephony (needed for terminal server)

• Windows Installer

• Windows Time

• Workstation Service (needed for some maintenance tasks)

Page 107: Information Security

Accounts and User IDs

• Configure password strength enforcement for users

• Rename the administrator account

• Create a bogus administrator account with no rights and log its use

• Rename and disable the guest account

• Remove ‘access this computer from the network’ rights from administrator and ‘everyone’ group

Page 108: Information Security

Accounts and User IDs

• Remove the ‘log on locally’ right from all users and groups that don’t need it

• Perform periodic password cracking to find bad passwords (including products that log in and run as services)

• Disable remote access to the registry

• Disable anonymous access to NetBIOS services (used for anonymously iterating user IDs and other NetBIOS information across the network)

Page 109: Information Security

Use Group Policy

• A key advantage of Windows 2000 is the ability to really control machines with group policy

• The NSA hardening guides have great documentation about group policy – read their guides as a starting place: http://nsa2.www.conxion.com/win2k/guides/w2k-3.pdf

Page 110: Information Security

IIS Security

• Don’t use Front Page extensions

• Disable the HTML administration site

• Store web content on a separate drive

• Bind the web server process to specific IP addresses (not all available)

• Disable the WebDAV service

• Remove all unneeded ISAPI mappings, especially IDA/IDC (indexing service) and .printer (Internet Printing)

Page 111: Information Security

IIS Security

• Remove support for Internet printing

– Remove the /printers virtual directory

– Delete files from %SystemRoot%\web\printers

– Disable local or group policy options for “Web-Based Printing”

• Delete default and sample IIS files

– \Inetpub\iissamples

– \Inetpub\AdminScripts

– \Program Files\Common Files\System\msadc\Samples

– %SystemRoot%\help\iishelp

– %SystemRoot%\System32\Inetsrv\iisadmpwd

– %SystemRoot%\web\printers

Page 112: Information Security

IIS Security

• Use restrictive IIS permissions

– On the "Home Directory" tab, disable Read, Write, and Directory browsing

– Add specific rights as necessary

– The Script Source Access IIS permission is not assigned to any folder

– Use authentication on all folders with Write / Write-Execute access

– If HTTP basic authentication is required, use SSL

– If using NTLM authentication, require NTLM v2

Page 113: Information Security

IIS Security

• Protect global.asa files

– NTFS permissions set for System, Administrators and Operators = full control

– NTFS permissions set for Authors = modify

– NTFS permissions set to explicitly deny the IUSR_server and IWAM_server accounts

– All failed accesses to global.asa are logged

• Protect the metabase.bin file

– MetaBase.bin has full control for System and Administrators

– MetaBase.bin has Modify for Operators

– Audit all failed and successful NTFS access to MetaBase.bin

• Enable the maximum level of logging

• Set the UseHostName metabase value to hide the true IP address of the server

Page 114: Information Security

Good Web Sites

• http://www.securityfocus.com (sign up for bugtraq and read the articles)

• http://www.packetstormsecurity.org (seems to change a lot, but lots of dirt)

• http://www.microsoft.com/security

• http://www.sans.org (check out the student papers)

• http://www.cert.org

• http://www.gocsi.com

• http://www.securityportal.com

• http://www.isc2.org

Page 115: Information Security

Discussion

Thank You!

Mark Lachniet, MCNE, MCSE, CCSE, LPIC-1

Sr. Security Engineer

Analysts International - Sequoia Services Group

3101 Technology Blvd, Suite A

Lansing, MI 48910

(517) 336-1004 - voice

(517) 336-1100 - fax

mailto:[email protected]

