Topics
•IA Lab visit was scheduled for today; attempting to reschedule for next week
•Review of Homework 4
•Managing Devices
•Security
•Homework 5
•Q&A
New disk installation
•Attach the drive and reboot so the system recognizes it
  ▫sudo fdisk -l
•Partition the disk if required
  ▫cfdisk, fdisk, sfdisk, parted, gparted
•Allocate space to the partition without installing a file system
  ▫Note the device name (something like /dev/sdc1)
New disk installation (Cont’d)
•Prepare the partition for LVM use:
  $ sudo pvcreate /dev/sdc1
•Create a volume group (vgname):
  $ sudo vgcreate vgname /dev/sdc1
•Create a logical volume:
  $ sudo lvcreate -l 100%FREE -n volname vgname
•Create the file system:
  $ sudo mkfs -t ext4 /dev/vgname/volname
New disk installation (Cont’d)
•Create a mount point:
  $ sudo mkdir mountpoint
•Set the mount options and mount point in /etc/fstab:
  $ sudo vi /etc/fstab
•In /etc/fstab, copy the line of an existing file system and modify it for the new volume
•Mount the file system:
  $ sudo mount mountpoint
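The whole procedure above, collected into one script, as an added example that is not part of the slides. The device names (/dev/sdc, /dev/sdc1), the volume group and logical volume names (vgname, volname) and the mount point (/srv/data) are placeholders; the part that touches hardware must run as root on a spare disk, while the two text helpers run anywhere. It also adds the two checks a careful administrator wants: refusing a device name that is not a partition or LVM device (so the boot disk cannot be handed to pvcreate by a typo), and mounting the data volume with nodev,nosuid.

```bash
#!/bin/sh
# Added example (not from the slides): bring a new disk into service with LVM,
# the same sequence as the slides plus the checks a careful admin adds.
# Hypothetical names: disk /dev/sdc, partition /dev/sdc1, volume group vgname,
# logical volume volname, mount point /srv/data.

# Build the /etc/fstab entry. nodev,nosuid are deliberate: a data volume should
# never honour device nodes or setuid binaries that someone manages to plant on it.
fstab_line() {
    dev=$1; mnt=$2; fstype=${3:-ext4}
    printf '%s %s %s defaults,nodev,nosuid 0 2\n' "$dev" "$mnt" "$fstype"
}

# Accept only names that look like a partition or an LVM device. A whole disk
# such as /dev/sda is rejected, so a slip of the finger cannot hand the boot
# disk to pvcreate.
check_device() {
    case $1 in
        /dev/sd[a-z][0-9]*|/dev/vd[a-z][0-9]*|/dev/nvme[0-9]n[0-9]p[0-9]*|/dev/mapper/?*|/dev/vg*/?*)
            return 0 ;;
        *)
            echo "refusing to use $1: not a partition or LVM device" >&2
            return 1 ;;
    esac
}

# The part that touches hardware. Must run as root on a real, spare disk.
lvm_new_disk() {
    disk=$1; part=$2; vg=$3; lv=$4; mnt=$5
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    check_device "$part" || return 1
    lsblk "$disk" || return 1                  # is the disk recognised at all?
    # One partition spanning the disk, flagged for LVM; then make the kernel reread the table.
    parted -s "$disk" mklabel gpt mkpart primary 1MiB 100% set 1 lvm on || return 1
    partprobe "$disk"
    pvcreate "$part"                    || return 1
    vgcreate "$vg" "$part"              || return 1
    lvcreate -l 100%FREE -n "$lv" "$vg" || return 1
    mkfs -t ext4 "/dev/$vg/$lv"         || return 1
    mkdir -p "$mnt"
    fstab_line "/dev/$vg/$lv" "$mnt" ext4 >> /etc/fstab
    mount "$mnt" && df -h "$mnt"
}

# Usage (as root; destroys everything on /dev/sdc):
#   lvm_new_disk /dev/sdc /dev/sdc1 vgname volname /srv/data
```

Appending to /etc/fstab rather than editing it by hand avoids the most common way a new volume breaks the next boot (a mangled existing line); the mount is done through the fstab entry, so a bad entry shows up immediately instead of at reboot.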
Solid State Disks
(Figure: internal structure of an SSD.) Source: http://www.ibmsystemsmag.com/power/infrastructure/storage/SSD_benefits/Internal-Structure-of-an-SSD/
Storage Interfaces
•ATA (Advanced Technology Attachment, aka IDE, Integrated Drive Electronics): the hardware controller is inside the disk; has been improved over time
•PATA (Parallel ATA): disks are connected to the motherboard with a 40/80-conductor cable
•SATA (Serial ATA): successor of PATA; higher transfer rate, simpler connectivity, hot swapping, optional command queuing
Storage Interfaces (Cont’d)
•SCSI (Small Computer System Interface): not as popular but has a large installed base; allows multiple disks on a bus, daisy-chained
•FC (Fibre Channel): serial interface for enterprise environments with high speed (fiber)
•USB (Universal Serial Bus) and FW (FireWire): popular for external hard disk connectivity
Storage Software
•Unix disk installation is more complex than Windows (plug-and-play)
•See Exhibit B on page 221 (next slide)
•Storage device: anything that looks like a disk
•Partition: fixed subsection of a disk; acts as an independent device
•RAID array: combines multiple devices into one virtualized device
•Volume/logical volume: subdivision of a disk or volume group that is presented as if it were a partition
Attachment
•After connecting the disk, the OS will acknowledge its existence if everything is OK
•The initial POST will detect the disk and list its characteristics
•See example on page 223 of USAH
•The new disk will have device files in /dev
•Make sure you know the correct device before you format: a typo here destroys the wrong disk
Formatting
•All hard disks are preformatted at the factory
•No need to perform a low-level format
•Formatting writes address information and timing marks on the platter
  ▫Indicates sector limits
  ▫Also indicates bad blocks
•Any bad blocks found afterwards may or may not be handled automatically
Partitioning
•Partitioning is the lowest level of disk management
•Partitioning divides a disk into separate areas of known size
•Traditional partitioning writes a "label" (partition table) at the beginning of the disk to define the blocks included in each partition
•The responsible device driver reads the label and uses the table to calculate the location of each partition
RAID
•RAID: Redundant Array of Inexpensive (Independent) Disks
•Distributes/replicates data across multiple disks
•Intent is to avoid data loss, minimize downtime, and/or increase performance
•Software and hardware RAID: different issues
•Different RAID levels
RAID Levels
•The RAID levels specify the exact details of parallelism and redundancy implemented in the array
•Levels refer to the configuration
•The higher levels do not necessarily mean faster or better
  ▫Depends on the application
Linear Mode
•Also known as JBOD (Just a Bunch Of Disks)
•Not really RAID
•Concatenates the block addresses of multiple drives to create the illusion of a single, larger virtual drive
•There is no data redundancy or performance benefit
RAID Level 0
•Used to increase performance
•Combines two or more drives of equal size with stripes alternating between them
•Reduces write and read times by spreading I/O across the drives
•Reliability is inferior to separate disks: the whole array is lost when any one drive fails
•Two disks have double the failure rate of a single drive, for example
RAID Level 1
•Also known as mirroring
•Writes are duplicated to two or more drives at the same time
•Slower writing
•Reads are similar to RAID 0 (they can be spread across the mirrors)
•Prevents data loss when a single disk fails
RAID 0+1 and 1+0
•Stripes of mirrors (1+0) or mirrors of stripes (0+1)
•Logical combination of RAID 0 and RAID 1
•Attempts to obtain the performance of RAID 0 and the redundancy of RAID 1
RAID 5
•Stripes both data and parity information across all drives
•Adds redundancy
•Improves read performance
•More efficient use of disk space than RAID 1
RAID 6
•Similar to RAID 5, but with two parity blocks per stripe (two drives' worth of parity)
•RAID 6 can withstand complete failure of two drives without losing data
Disk Failure Recovery
•JBOD and RAID 0 do not help with disk failure
  ▫Data must be recovered manually from backups
•Bad disks must be replaced with new ones as soon as possible
•Once the new disk is in place, the data must be rebuilt onto it
  ▫Not a very fast operation, and the array is unprotected until it finishes
•Can designate "hot spare" drives so the rebuild starts automatically when a failure occurs
RAID5 Drawbacks
•RAID 5 is very popular but has disadvantages
•Does not replace regular offline backups
•Just protects the system against disk failures
•Does not protect against controller failures, hackers, fires, or other hazards
•Does not have great write performance (each write must update both data and parity)
•Prone to corruption
•"Write hole": after a crash or power loss in the middle of a write, the array cannot guarantee that the data and parity blocks were both updated, so the parity may no longer match the data
Logical Volume Management
•Want to manage space in a partition at different times
•Groups storage devices into volume groups
•The blocks in the volume group are allocated to logical volumes, which act as disk partitions
•Logical volumes are more flexible and powerful than partitions
•Logical volumes provide many useful operations
Logical Volume Operations
•Move logical volumes among different physical devices
•Grow and shrink logical volumes on the fly
•Take copy-on-write "snapshots" of logical volumes
•Replace on-line drives without interrupting service
•Incorporate mirroring or striping in your logical volumes
File Systems
•After the partitions are set up, we need to create a file system on them
•UFS: Unix File System
•The file system implementation was separated from the rest of the kernel behind an abstraction layer, so different file systems can be plugged in
•Many file systems are available
•See examples in the book (pp. 255-264)
Storage Area Networking
•Lower-level system for abstracting storage
•Network storage appears as local storage
•Clients must provide their own file system implementation to use a SAN
•A SAN can be used for swap areas that do not require a full-blown file system
•Not typically used to share files, but to replace hard disks with centralized storage
Operating System Security
•No OS is 100% safe
•The best we can hope for is to make our OS resistant to attack
•The architecture stresses easy manipulation of data in a networked, multiuser environment
•Applications on the OS are developed by many vendors
  ▫Can introduce security vulnerabilities
Security Threats
•Social engineering
•Operating system vulnerabilities
•Application software vulnerabilities
•Configuration errors
•Unpatched software
•Attachments in e-mails
•Inside threats
  ▫Disgruntled employees
  ▫Lack of security policy enforcement
Security Tips
•Patch software
•Detect and remove unnecessary services
•Send logs to a secured remote logging host
•Frequent and proper backups
•Virus and worm protection
•Watch for Trojan horses and rootkits
•Packet filtering
•Vigilance
•Intrusion detection systems
Pluggable Authentication Modules
•PAM provides flexible, modular control over authentication tasks
•System authentication routines are stored in a shared library that applications can use
  ▫Accessible to programmers also
•Advances in security can be integrated in a single location
Setuid programs
•Setuid programs run with the privileges of the user that owns the executable file (the effective UID becomes the file owner's), regardless of who invokes them
•Programs that run setuid create security issues: a bug in one is a privilege escalation for any local user
•Security holes have been discovered in many setuid commands
•Best practice: scan disks at regular intervals to find new or changed setuid programs, and compare the result against a known-good baseline
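The periodic scan recommended above, as an added example that is not from the slides: one function inventories setuid and setgid files, another compares a fresh inventory with a saved baseline and reports what appeared or disappeared. The baseline path (/var/lib/suid-baseline.txt) is a placeholder; whatever path is used must be root-owned and not writable by anyone else, or an attacker who plants a setuid binary simply adds it to the baseline too.

```bash
#!/bin/sh
# Added example (not from the slides): inventory setuid/setgid files and report
# what changed since a saved baseline. Hypothetical path: the baseline lives in
# /var/lib/suid-baseline.txt (root-owned, mode 644 or stricter).

# Print every setuid (4000) or setgid (2000) regular file under a directory,
# sorted so successive runs compare line by line. -xdev stays on one file
# system: network mounts are scanned on the host that owns them, and the scan
# does not wander into /proc or similar pseudo file systems.
scan_suid() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Compare a fresh scan of directory $1 against the baseline file $2.
# Prints "+ path" for new entries and "- path" for ones that disappeared.
# Returns 0 when nothing changed, 1 when something did, 2 on internal error.
suid_diff() {
    root=$1; baseline=$2
    tmp=$(mktemp) || return 2
    scan_suid "$root" > "$tmp"
    added=$(comm -13 "$baseline" "$tmp")      # lines only in the new scan
    removed=$(comm -23 "$baseline" "$tmp")    # lines only in the baseline
    rm -f "$tmp"
    if [ -z "$added" ] && [ -z "$removed" ]; then
        return 0
    fi
    [ -n "$added" ]   && printf '%s\n' "$added"   | sed 's/^/+ /'
    [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/- /'
    return 1
}

# Typical use (as root, from cron):
#   scan_suid / > /var/lib/suid-baseline.txt        # once, right after a clean install
#   suid_diff / /var/lib/suid-baseline.txt || mail -s "setuid change on $(hostname)" root
```

A removed entry is worth a look as well as an added one: a package upgrade that drops a setuid bit is routine, but a missing entry can also mean a binary was replaced by something that no longer needs the bit because it has another way in.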
Effective use of chroot
•The chroot command restricts a process to a specific directory tree
  ▫No access to files outside this directory
•Can provide a false sense of security if not understood well: a process that runs as root inside the chroot can generally break out of it, so chroot is not a substitute for dropping privileges
•Does not relieve administrators from exercising due diligence in security matters
Others
•John the Ripper (JTR): finds weak passwords by cracking password hashes
•Bro (now called Zeek): programmable network intrusion detection system
•OSSEC: host-based intrusion detection system
•Wireshark: network packet analyzer
MAC
•Mandatory Access Control is an alternative to the standard (discretionary) Unix access control system
•Under MAC, users cannot change the permissions on objects; the policy is set centrally
•Permissions are granted based on the sensitivity (classification) of the resource being controlled
•Users can read items of the same classification or lower, but not higher; in the classic Bell-LaPadula model they also cannot write to a lower classification, so classified data cannot leak downward
•Mainly used for classified projects
Cryptography
•Kerberos: developed at MIT; uses tickets issued by a trusted server to authenticate users to services
•PGP (Pretty Good Privacy): encryption tools for files and e-mail, digital signatures, and verifying the origin of a message
•SSH (Secure Shell): provides encrypted sessions and cryptographic authentication between two hosts
Firewalls
•Filters unwanted packets from leaving or entering a zone
•Inspects the packet headers to determine whether a packet should be allowed through
•Services listen on predefined ports
  ▫The name-to-port mappings are listed in /etc/services
Service filtering
•Well-known services are associated with a port
•Ports in the range 1-1023 are "privileged": only root (on Linux, a process with the CAP_NET_BIND_SERVICE capability) can bind to them
•Ports 1024 and above are non-privileged
•To start, deny all inbound connections
  ▫Then allow, one at a time, only the services you want to expose
Stateful inspection firewalls
•Tracks the state of connections flowing through the firewall and compares each packet with what that connection should be transmitting
•If you open an FTP connection, you expect data to flow on that connection
•Packets that attempt to reach other ports, or that belong to no known connection, are dropped
Linux Firewalls
•Netfilter packet-handling engine
•Command line tool iptables is used to filter network traffic
  ▫Default table: filter
  ▫Consists of chains of rules to filter traffic
  ▫The filter table contains three default chains: INPUT, OUTPUT, FORWARD
  ▫Each packet passes through one of these chains
•Other tables: nat and mangle
Linux Firewalls (Cont’d)
•The nat table contains chains of rules that control Network Address Translation (NAT)
•The mangle table contains chains of rules that modify or alter packets in ways other than NAT (for example, TTL or packet marks)
•Mangle is used for special handling, but is not typically needed in production environments
•USAH pp. 938-939 contain a complete example
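The default-deny host firewall described under "Service filtering" and "Stateful inspection firewalls", written for the netfilter/iptables engine above, as an added example that is not from the slides or from USAH. A function emits the ruleset in iptables-restore format so that every open port is spelled out in one place; services are passed as hypothetical "proto:port" words (tcp:22, udp:53). It assumes IPv4 only (ip6tables needs its own rules). The single conntrack rule that accepts ESTABLISHED,RELATED traffic is what makes the firewall stateful: replies to connections this host initiated or accepted get through, everything else hits the DROP policy.

```bash
#!/bin/sh
# Added example (not from the slides): a default-deny host firewall in
# iptables-restore format, generated by a function so the allowed services
# are explicit. Assumes IPv4 only; services are "proto:port" words.
# Apply as root with:   gen_filter_rules tcp:22 tcp:443 | iptables-restore
# Do it from the console, or keep a second shell with an "iptables -I INPUT
# -p tcp --dport 22 -j ACCEPT" ready: locking yourself out of SSH is the
# classic firewall mistake.

gen_filter_rules() {
    # Policies: deny inbound and forwarded traffic, permit what the host itself sends.
    # Loopback is always allowed; conntrack handles replies and drops junk.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # One rule per service, opened only for NEW connections; the replies are
    # already covered by the ESTABLISHED,RELATED rule above.
    for svc in "$@"; do
        proto=${svc%%:*}; port=${svc#*:}
        case $proto in
            tcp|udp) ;;
            *) echo "bad protocol in '$svc'" >&2; return 1 ;;
        esac
        case $port in
            ''|*[!0-9]*) echo "bad port in '$svc'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range in '$svc'" >&2; return 1
        fi
        printf '%s\n' "-A INPUT -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Answer pings, rate-limited; log (also rate-limited) what falls through to the policy.
    cat <<'EOF'
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Example: an SSH + web server
#   gen_filter_rules tcp:22 tcp:80 tcp:443
```

For the FTP case in the slides, RELATED only covers the separate data connection if the nf_conntrack_ftp helper is loaded; without it, passive-mode data connections are simply new inbound connections and are dropped, which is the behaviour the slide describes for "other ports".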
IPFilter
•Most Unix vendors did not ship firewall software
  ▫But it can be added to the system
•IPFilter is an open source package that supplies NAT and stateful firewall services for Unix
  ▫Included with several Unix variants (for example Solaris and the BSDs); Linux uses netfilter/iptables instead
•It reads filter rules from a configuration file
•If multiple rules match a packet, the last one wins (unless a rule is marked "quick", which stops rule processing at that rule)
Sources of Security Information
•CERT: Computer Emergency Response Team (CERT/CC), at Carnegie Mellon University
•SANS: professional organization sponsoring security conferences and training programs
•ISSA: Information Systems Security Association, a professional organization
•ISACA: Information Systems Audit and Control Association, a professional organization in the areas of governance and compliance
Installing Software
•Locally installed software typically goes in /usr/local
  ▫Indicates it is not from the distribution
  ▫Vendors install in different locations
•Two ways to lay out installed software:
  ▫1. Create a directory and copy everything there (e.g., /opt/pianoman)
  ▫2. Create a directory and copy the software there, but keep the configuration files in a central location (e.g., /usr/local/pianoman)
•Impact: PATH modifications
Installation best practices
•Allow the user to change the location
  ▫Avoid hard-coding locations
•Use common installation packages (tar, cpio)
  ▫These exist in most versions of Unix
  ▫Can also use the distribution's own package format
    Advantage: these are typically better in functionality
    Disadvantage: you are tied to that distribution and may have to develop multiple installation packages
Installation of Devices
•Install the device driver
•Determine the device's major and minor numbers
•Use mknod to associate a filename in /dev with the new device
  ▫mknod creates a special file in the file system
  ▫Can create a character- or block-oriented special file
  ▫Can create a named pipe
  ▫See page 642 in UPU
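The "determine the major number, then mknod" steps above, as an added example that is not from the slides or from UPU. It is Linux-specific: the kernel publishes the major numbers it has assigned, per driver, in /proc/devices, so the number is looked up there rather than copied from a manual. The driver name (misc), minor number (200) and device path (/dev/mywidget) are placeholders; mknod itself needs root.

```bash
#!/bin/sh
# Added example (not from the slides): look up a driver's major number in
# /proc/devices and create its device node. Names and numbers are placeholders.

# Read a /proc/devices-style listing on stdin and print the major number
# registered under driver name $1 in the character ("c") or block ("b")
# section given by $2. Exit status 1 when the driver is not in that section.
major_from_listing() {
    awk -v name="$1" -v kind="$2" '
        /^Character devices:/ { sect = "c"; next }
        /^Block devices:/     { sect = "b"; next }
        sect == kind && $2 == name { print $1; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# Create the special file for a driver. The node is created mode 600: a
# world-accessible device node is a direct path to the hardware (or, for
# /dev/mem-style drivers, to kernel memory), so widen it deliberately with
# chgrp/chmod or a udev rule rather than by default.
mknod_for_driver() {
    driver=$1; kind=$2; minor=$3; path=$4
    case $kind in
        c|b) ;;
        *) echo "kind must be c (character) or b (block)" >&2; return 1 ;;
    esac
    case $path in
        /dev/?*) ;;
        *) echo "refusing to create $path outside /dev" >&2; return 1 ;;
    esac
    major=$(major_from_listing "$driver" "$kind" < /proc/devices) || {
        echo "no $kind major number registered for driver '$driver' (module not loaded?)" >&2
        return 1
    }
    mknod -m 600 "$path" "$kind" "$major" "$minor"
}

# Usage (as root):  mknod_for_driver misc c 200 /dev/mywidget
```

On systems with udev, nodes for loaded drivers appear in /dev automatically and a udev rule is the supported way to set their owner and mode; the manual mknod path is for drivers that do not register with the device model, or for a rescue environment.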
Installation of Terminal Files

Name                           Description
/etc/termcap or /etc/terminfo  Encoded list of every standard terminal's capabilities and control codes. The Unix editors use the value of the environment variable $TERM to index into this file and fetch your terminal's characteristics.
/etc/ttys                      A list of every terminal on the system, together with the program that should be associated with it when the system is initialized (usually "getty"). If the terminal's type is constant and known, that information is also included.
/etc/gettytab                  A list of baud rate information that is used by "getty" in determining how to listen for a login.
Figure 15.12. Unix system files containing information about terminals
Network Troubleshooting
•The most used protocol suite is TCP/IP
•Troubleshooting tools are available to troubleshoot a network
•Sample tools: ping, arp, traceroute, netstat, tcpdump, Wireshark
•Understand the network protocols
Ping
•Simple to use, but useful for detecting connectivity problems
•Sends an ICMP ECHO_REQUEST packet to a host and waits to see whether the host replies with an ECHO_REPLY
SmokePing
•An open source tool that pings monitored hosts on a schedule and records the results over time
•Displays the history of each monitored link through a web front end
•Graphs the round-trip time of the pings over time
•Spikes, and the "smoke" around the line, show the spread of transit times of individual packets
Traceroute
•Displays the sequence of gateways through which a packet traverses on its way to the destination
•All operating systems contain a version of traceroute
•Syntax:
  ▫traceroute hostname
Network Management Protocols
•SNMP: Simple Network Management Protocol
•Data is organized in a standard hierarchy (the MIB tree)
•A manager relies on agents on the managed devices to provide information
•The variables a device exposes are described in a MIB (Management Information Base)
•Each attribute is identified by an OID (Object Identifier)
•Has simple operations: get, getnext, set, and trap
Homework 5
•Download nmap from http://nmap.org
•Review the nmap documentation there
•Perform a scan of www.regis.edu
•Perform a scan of your localhost (127.0.0.1)
•Capture the scan and save it to a file
•Write a report discussing your findings
•Visit the nmap documentation portal and review the Nmap Reference Guide for more information