Secure Booting
The Problem
All security controls are initiated by ... what? Why are we so sure about our kernel/BIOS/hardware?
Recall the “Smartest Hack of All Time”: Ken Thompson, in his 1983 Turing Award lecture, admitted a back door he created in early UNIX versions.
[Figure: clean source of UNIX versus the compiler back door; photo of Kenneth Thompson and Dennis Ritchie of UNIX]
Problem: many things could already go wrong before your OS security controls can ever come into effect!
[Figure: boot stack, bottom to top: Expanded ROMs, Boot Block (MBR, GRUB), Operating System (security control), User Programs]
Solution: AEGIS Architecture
Each level needs to verify the integrity of the level above it before control is passed.
Level 0 is secure: we assume it is.
If level i can ensure level i+1 is secure, then all levels will be secure (a simple mathematical induction).
[Figure: AEGIS levels 0 through 5, from Expanded ROMs up to User Programs at Level 5]
Integrity Chaining
How does level i ensure the integrity of level i+1? Level i stores a digital signature of level i+1.
What if this signature is altered? The signature is part of level i, so level i-1 will detect the modification.
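The integrity chain above, as an added simulation that is not part of the lecture handout: a SHA-256 digest stands in for the digital signature each level stores for the level above it, the level names are constructed, and the run shows why tampering with level 3's code, or with the signature it holds for level 4, is caught by level 2, while level 0 is trusted by assumption.

```python
import hashlib
from typing import List, Tuple

# Constructed stand-ins for the AEGIS boot levels on the slide; not real firmware images.
LEVEL_NAMES = ["BIOS section 1", "BIOS section 2", "Expanded ROMs",
               "Boot block", "Operating system", "User programs"]
DIGEST_LEN = 32

def digest(data: bytes) -> bytes:
    # A SHA-256 digest stands in for the digital signature the slide describes;
    # the chaining argument is the same either way.
    return hashlib.sha256(data).digest()

def build_chain(images: List[bytes]) -> List[bytes]:
    """Build the stored images top-down: level i's image ends with the digest
    of level i+1's stored image, so that digest is part of level i itself."""
    stored = list(images)
    for i in range(len(images) - 2, -1, -1):
        stored[i] = images[i] + digest(stored[i + 1])
    return stored

def verify_boot(stored: List[bytes]) -> Tuple[bool, int]:
    """Level 0 is trusted by assumption. Each level i checks level i+1 before
    passing control. Returns (True, -1), or (False, first level that failed)."""
    for i in range(len(stored) - 1):
        expected = stored[i][-DIGEST_LEN:]
        if digest(stored[i + 1]) != expected:
            return False, i + 1          # boot is terminated at this level
    return True, -1

def tamper_code(stored: List[bytes], level: int) -> List[bytes]:
    """Modify the code of one level (e.g. a boot-block rootkit)."""
    s = list(stored)
    s[level] = b"MODIFIED:" + s[level]
    return s

def tamper_signature(stored: List[bytes], level: int) -> List[bytes]:
    """Overwrite the digest that `level` stores for the level above it."""
    s = list(stored)
    s[level] = s[level][:-DIGEST_LEN] + bytes(DIGEST_LEN)
    return s

if __name__ == "__main__":
    chain = build_chain([name.encode() for name in LEVEL_NAMES])
    print("clean boot:", verify_boot(chain))                                    # (True, -1)
    print("boot block modified:", verify_boot(tamper_code(chain, 3)))           # (False, 3)
    print("boot block's signature of OS altered:", verify_boot(tamper_signature(chain, 3)))  # (False, 3)
    print("level 0 modified (root of trust):", verify_boot(tamper_code(chain, 0)))          # (True, -1)
```

The last line is the point of the slide's assumption: nothing checks level 0, so a modified level 0 boots undetected.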
What If The Check Fails?
The boot process will be terminated if a check fails at any level.
Good for integrity, bad for availability.
Recovery mechanisms: the system will boot into a small recovery kernel in ROM (like the safe mode of an OS), then recover either from ROM cards or from network hosts.
Again, why can we trust what we trust? Bottom line: hacking hardware is more difficult than hacking software.
Overview
Background: extending the ideas of AEGIS.
TCG (Trusted Computing Group): industry standards body with 135 members including component vendors, software developers, systems vendors and network and infrastructure companies, e.g., AMD, HP, IBM, Intel, Lenovo, Microsoft, Sun.
Key component: TPM (Trusted Platform Module) chip, roughly the AEGIS ROM role. Shipped in hardware: ThinkPad, LifeBook, etc. Supported by software: Windows Vista, Trusted GRUB, etc.
How Does TPM Work
Very similar to AEGIS.
Besides ensuring the integrity of the booting process? Encrypted partitions:
Offline security (stolen laptops): only verified software can decrypt the partitions.
Ease of data deletion/machine recycling: just change the TPM to remove the decryption key.
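Added example, not from the handout: the slide does not name the mechanism behind "only verified software can decrypt the partitions", so this simulates how a TPM binds a disk key to a measured boot using platform configuration registers (PCRs) and sealing. The seal/unseal construction is a toy, not the TPM command set, and the boot stages and root keys are constructed.

```python
import hashlib
import hmac
from typing import Iterable, Tuple

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def measure_boot(components: Iterable[bytes]) -> bytes:
    """PCR-style measurement: start at zero and extend with each stage in order,
    PCR = H(PCR || H(component)). Any changed stage or order gives a new value."""
    pcr = bytes(32)
    for component in components:
        pcr = sha256(pcr + sha256(component))
    return pcr

def seal(secret: bytes, expected_pcr: bytes, tpm_root_key: bytes) -> Tuple[bytes, bytes, bytes]:
    """Toy sealing (not a real TPM command): encrypt `secret` under a key derived from
    the chip's internal root key and the expected PCR value, plus an integrity tag."""
    if len(secret) > 32:
        raise ValueError("toy construction seals at most 32 bytes")
    kek = hmac.new(tpm_root_key, b"seal" + expected_pcr, hashlib.sha256).digest()
    ciphertext = bytes(a ^ b for a, b in zip(secret, kek))
    tag = hmac.new(kek, ciphertext, hashlib.sha256).digest()
    return expected_pcr, ciphertext, tag

def unseal(blob, current_pcr: bytes, tpm_root_key: bytes) -> bytes:
    """Release the secret only if the boot measurement matches and this is the same chip."""
    expected_pcr, ciphertext, tag = blob
    if not hmac.compare_digest(expected_pcr, current_pcr):
        raise PermissionError("PCR mismatch: boot chain changed, key not released")
    kek = hmac.new(tpm_root_key, b"seal" + current_pcr, hashlib.sha256).digest()
    if not hmac.compare_digest(hmac.new(kek, ciphertext, hashlib.sha256).digest(), tag):
        raise PermissionError("wrong TPM: this chip never sealed the key")
    return bytes(a ^ b for a, b in zip(ciphertext, kek))

def can_decrypt_partition(blob, components: Iterable[bytes], tpm_root_key: bytes) -> bool:
    try:
        unseal(blob, measure_boot(components), tpm_root_key)
        return True
    except PermissionError:
        return False

if __name__ == "__main__":
    TRUSTED_BOOT = [b"BIOS v1", b"Trusted GRUB", b"vmlinuz-verified"]   # constructed stages
    chip_a = b"constructed-root-key-of-chip-A"
    disk_key = hashlib.sha256(b"constructed disk key").digest()
    blob = seal(disk_key, measure_boot(TRUSTED_BOOT), chip_a)
    print(can_decrypt_partition(blob, TRUSTED_BOOT, chip_a))                                    # True
    print(can_decrypt_partition(blob, [b"BIOS v1", b"evil GRUB", b"vmlinuz-verified"], chip_a))  # False
    print(can_decrypt_partition(blob, TRUSTED_BOOT, b"constructed-root-key-of-chip-B"))          # False
```

The third case is the slide's recycling point: a different chip has a different root key, so the sealed disk key is unrecoverable even with the right boot measurement.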
Securing Network Services
“Any Problem in Computer Science Can Be Solved with Another Layer of Indirection (Abstraction)”
[Figure: OSI layers (Application, Presentation, Session, Transport, ...) beside the TCP/IP layers: Application (HTTP, FTP, POP3, SMTP, SNMP, IMAP, IRC, SSH, Telnet, BitTorrent, ...), Transport (TCP, UDP, RTP, ... and SSL), Internet layer, Link (RS-232, 10BASE-T, ...)]
Basic defense in UNIX/Linux: iptables-based firewall + tcp_wrapper + xinetd.
It’s basic, so you too should have it.
It’s basic, so you shouldn’t depend on it.
The UNIX Internet Daemon (inetd)
inetd is a ‘super’ server. It runs at boot time as part of the startup procedure. It examines /etc/inetd.conf to determine which network services are under its control, then listens on those ports. Upon a connection request, inetd starts the
No longer used in some OSs (e.g., inetd in Solaris is now configured in the Service Management Facility).
The UNIX Internet Daemon (inetd)
A sample inetd.conf file might look like this:
# Internet server configuration database
#ftp stream tcp nowait root /usr/etc/ftpd ftpd
#telnet stream tcp nowait root /usr/etc/telnetd telnetd
#shell stream tcp nowait root /usr/etc/rshd rshd
#login stream tcp nowait root /usr/etc/rlogind rlogind
......
#echo stream tcp nowait root internal
#daytime stream tcp nowait root internal
#time stream tcp nowait root internal
#
Columns: service, socket type, protocol, wait/nowait, user, command/argument.
Routinely check the file: after break-ins, services may be installed for later use.
xinetd
A replacement for inetd. Fedora is not shipped with inetd; it uses xinetd.
It is better, providing access control to services based on the address/(domain) name of the remote host and the time of access.
Can alleviate DoS by placing limits on: the number of processes for each service; the number of processes it will fork; the size of log files it creates; the number of connections a single host can initiate; the rate of incoming connections.
Extensive logging abilities.
tcp_wrapper
tcp_wrapper does the following: (optionally) sends a "banner" to the connecting client; compares hostname/requested service with a (negative) ACL; if denied, tcp_wrapper drops the connection; logs the results with syslog.
Advantages: transparent to both the client and the wrapped network service; centralized management of multiple protocols.
/etc/hosts.allow and /etc/hosts.deny
When a connection reaches tcp_wrapper: it reads /etc/hosts.allow to match a rule and executes the specified actions. If no match, it checks /etc/hosts.deny to match a rule and then denies access. If still no match, it hands the request to the server.
At most one rule is executed, on a first-come-first-serve basis.
tcp_wrapper Configuration Language
daemon_list: command name of a list of services. Wildcard: ALL.
client_host_list: the hostname or IP address of clients. Wildcards: ALL, LOCAL, KNOWN, UNKNOWN, PARANOID.
tcp_wrapper Example 1
To allow all connections except those from the domain pirate.net:
##
# /etc/hosts.allow:
#
# Allow anybody to connect to our machine except
# people from pirate.net
#
tcp_wrapper Example 2
To only allow finger by internal machines:
#
# /etc/hosts.allow:
#
# finger for insiders only
#
in.fingerd : LOCAL : allow
in.fingerd : ALL : twist /usr/local/bin/some message
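An added simulation, not from the handout, of the evaluation order described under /etc/hosts.allow and /etc/hosts.deny: it scans a constructed hosts.allow taken from Example 2 and a constructed hosts.deny for the pirate.net domain of Example 1 (the slide shows no rule text for that one), stops at the first matching rule, and falls back to handing the request to the server when nothing matches. Host names and addresses are constructed.

```python
from typing import Optional, Tuple

# Constructed access files. hosts.allow repeats the slide's Example 2; hosts.deny is a
# constructed rule for the pirate.net domain of Example 1.
HOSTS_ALLOW = """\
# finger for insiders only
in.fingerd : LOCAL : allow
in.fingerd : ALL : twist /usr/local/bin/some message
"""
HOSTS_DENY = """\
ALL : .pirate.net
"""

def client_matches(pattern: str, host: str, addr: str) -> bool:
    """tcpd client patterns used here: ALL, LOCAL (host name without a dot),
    '.domain' suffix, or an exact host name or address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in host
    if pattern.startswith("."):
        return host.endswith(pattern)
    return pattern in (host, addr)

def first_match(text: str, daemon: str, host: str, addr: str) -> Optional[Tuple[int, Optional[str]]]:
    """Scan one access file top to bottom; return (line number, option) of the first
    rule whose daemon_list and client_list both match, or None."""
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = line.split("#", 1)[0].strip()
        if not rule:
            continue
        fields = [f.strip() for f in rule.split(":", 2)]
        option = fields[2] if len(fields) == 3 else None
        if any(d in ("ALL", daemon) for d in fields[0].split()) and \
           any(client_matches(c, host, addr) for c in fields[1].split()):
            return lineno, option
    return None

def decide(daemon: str, host: str, addr: str, allow: str = HOSTS_ALLOW, deny: str = HOSTS_DENY) -> Tuple[str, str]:
    """tcpd order: hosts.allow first, then hosts.deny, otherwise hand the request to the
    server. Exactly one rule fires; an 'allow'/'deny'/'twist ...' option overrides the
    file's default meaning (twist replaces the service with the given command)."""
    hit = first_match(allow, daemon, host, addr)
    if hit:
        return (hit[1] or "allow"), f"/etc/hosts.allow line {hit[0]}"
    hit = first_match(deny, daemon, host, addr)
    if hit:
        return (hit[1] or "deny"), f"/etc/hosts.deny line {hit[0]}"
    return "allow", "no match: request handed to the server"
```

Note the last return: with no catch-all in hosts.deny, sshd from an unlisted host is simply passed to the server, which is why a default-deny setup needs an explicit ALL : ALL rule there.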
tcp_wrapper Example 3
If you discover repeated break-in attempts through telnet and rlogin, but you need to telnet into your computer from concordia.ca:
#
# /etc/hosts.allow:
#
# Allow telnet &
# rlogin from concordia.ca, but nowhere else
tcp_wrapper Utilities
tcpdchk scans the configuration file and reports configuration errors:
% tcpdchk
Warning: /etc/host.allow, line 24, iphone: no such process name in /etc/inetd.conf (/etc/host.allow or /etc/inetd.conf are inconsistent)
tcpdmatch simulates a request and shows the result:
% tcpdmatch sshd bush@whitehouse.gov
client: hostname whitehouse.gov
client: address 63.161.169.137
client: username bush
server: process sshd
matched: /etc/hosts.deny line 39
option: deny
access: denied
%
iptables
Where it is: in Linux kernel 2.4 or later; a command line program.
What it is for: define rules for filtering packets.
What it is: three chains of rules, INPUT, OUTPUT, FORWARD. First come, first serve.
iptables Example 1
iptables -A INPUT -s 200.200.200.1 -j DROP
-A: append to rule chain INPUT
-s: source address (IP or DNS name)
-j: action (DROP, DENY, ACCEPT)
So what does this mean?
What about this:
iptables Example 2
iptables -A INPUT -s 200.200.200.1/24 -p tcp --destination-port telnet -j DROP
-p: protocol (TCP, UDP, ICMP, etc.)
--destination-port (or --source-port)
/24: subnet mask (CIDR)
iptables -A INPUT -p tcp --destination-port telnet -i wan1 -j DROP
-i: input interface (or -o)
iptables -L, -F, -I INPUT 1, -R INPUT 1
-L: list; -F: flush; -I: insert; -R: replace
iptables Example 3
iptables -A INPUT -i wan1 -p tcp --syn -j DROP
--syn: SYN packet
iptables -A INPUT -i ppp0 -p tcp --syn --destination-port ! 80 -j DROP
!: not equal
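An added first-match simulation, not from the handout, of the INPUT chain built from Examples 1 to 3: it models -s with CIDR, -p, -i, --syn and --destination-port ! 80, and shows why appending (-A) an ACCEPT after a DROP changes nothing while inserting it at position 1 (-I INPUT 1) does. The packet summaries are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:                 # constructed packet summary, enough for the rules below
    src: str
    proto: str
    dport: Optional[int] = None
    iface: str = "eth0"
    syn: bool = False

@dataclass
class Rule:                   # one INPUT rule; None means 'any'
    target: str                                   # -j DROP / ACCEPT
    src: Optional[str] = None                     # -s host or CIDR
    proto: Optional[str] = None                   # -p tcp/udp/icmp
    iface: Optional[str] = None                   # -i
    dport: Optional[int] = None                   # --destination-port
    dport_not: bool = False                       # --destination-port ! N
    syn: bool = False                             # --syn

    def matches(self, p: Packet) -> bool:
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if (self.proto and self.proto != p.proto) or (self.iface and self.iface != p.iface):
            return False
        if self.dport is not None and (p.dport == self.dport) == self.dport_not:
            return False
        return p.syn or not self.syn

class Chain:
    """A rule chain: the first matching rule decides; the policy applies if none matches."""
    def __init__(self, policy: str = "ACCEPT"):
        self.rules: List[Rule] = []
        self.policy = policy
    def append(self, r: Rule) -> None:            # -A INPUT ...
        self.rules.append(r)
    def insert(self, pos: int, r: Rule) -> None:  # -I INPUT pos ... (1-based)
        self.rules.insert(pos - 1, r)
    def verdict(self, p: Packet) -> str:
        return next((r.target for r in self.rules if r.matches(p)), self.policy)

def build_input_chain() -> Chain:
    """The slide's INPUT rules in order: Example 1, Example 2, and both rules of Example 3."""
    c = Chain()
    c.append(Rule("DROP", src="200.200.200.1"))
    c.append(Rule("DROP", src="200.200.200.1/24", proto="tcp", dport=23))
    c.append(Rule("DROP", iface="wan1", proto="tcp", syn=True))
    c.append(Rule("DROP", iface="ppp0", proto="tcp", syn=True, dport=80, dport_not=True))
    return c
```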
Outline: Overview; inetd/xinetd; tcp_wrapper; iptables; Telnet/FTP/SSH
FTP
Client contacts the server at port 21, obtains authorization over the control connection, and browses the remote directory by commands over the control connection.
Server receives a command for a file transfer, opens a TCP data connection to the client, closes the connection, and maintains “state”: current directory, earlier authentication.
[Figure: FTP client and FTP server; TCP control connection on port 21, TCP data connection on port 20]
Security Issues with FTP
Passwords typed to FTP are transmitted in clear.
Security Issues with FTP (Cont’d)
FTP in active mode makes it difficult to implement packet-based firewalls, because the server needs to initiate the
Telnet Risks
Username, password and other session data are transmitted over the network in clear.
In Ethernet, packets sent between computers are actually delivered to every computer on the wire, so Telnet session packets are vulnerable throughout their journey.
ISPs have had a single computer compromised, and every Telnet connection passing through it had its password sniffed.
A second danger of Telnet is session hijacking: after you log in using your password, the attacker can seize control of the session and type whatever commands he wishes.
SSH
A protocol for secure remote login and many other network services.
SSH-1 was developed in 1995 by Tatu Ylönen in Finland.
Commercial version; freeware (www.openssh.com).