
Security Strategies in Linux Platforms and Applications Lesson 7 Networks, Firewalls, and More

Date post: 23-Feb-2016
© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company. www.jblearning.com. All rights reserved.
Page 1: Security Strategies in Linux Platforms and Applications, Lesson 7: Networks, Firewalls, and More

Security Strategies in Linux Platforms and Applications

Lesson 7: Networks, Firewalls, and More

Page 2

Learning Objective

Assess how firewalls, Transmission Control Protocol (TCP) Wrappers, and Security Enhanced Linux (SELinux) complement one another to secure network applications.

Page 3

Key Concepts

Basic layered security concepts of a Linux infrastructure

Firewall with iptables

Application layer security with TCP Wrappers

Benefits of mandatory access control (MAC) with SELinux

Page 4

DISCOVER: CONCEPTS

Page 5

Bastion Servers in DMZ

Page 6

Linux Firewall on a Bastion Host

The perimeter firewall allows access to ports 80, 443, 22, and 21.

The bastion host firewall allows access only to ports 80, 443, and 22.

Port 80: Hypertext Transfer Protocol (HTTP)

Port 21: File Transfer Protocol (FTP); port 21 access is denied here.

Page 7

Modes of SELinux

Disabled

Permissive

Enforcing

Page 8

SELinux Administration Tool

Page 9

Common SELinux Commands

chcon: changes the security context of a file or files

id -Z: shows the current user context

ls -Z: shows the context of a file or files

Refer to Table 7-2 on pages 203–204 of the textbook for other SELinux commands.

Page 10

SELinux Troubleshooter

Page 11

An AppArmor Configuration Tool

Page 12

DISCOVER: PROCESS

Page 13

Designing a Firewall

Turn on the firewall.

List the current rules using the iptables -L command.

Are rules that should be cleared in place? If yes, flush the current rules using the iptables -F command; if no, continue.

Write firewall rules for the INPUT, OUTPUT, and FORWARD chains.

Save the new rules using the iptables-save command.
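The steps above, carried out for the bastion host on the "Linux Firewall on a Bastion Host" slide (ports 80, 443, and 22 accepted, port 21 denied). This is an added example, not code from the slides or the textbook; the stateful rules, the LOG rule and its prefix are my additions, and the script only prints the iptables commands unless IPTABLES=iptables is set.

```shell
#!/bin/sh
# Added example, not from the slides: the bastion-host policy from the
# "Linux Firewall on a Bastion Host" slide (80, 443, 22 allowed; 21 denied),
# written as the "Designing a Firewall" steps: list, flush, write rules, save.
# IPTABLES defaults to a dry run that only prints each command; run with
# IPTABLES=iptables as root to apply. RULES_FILE is the path the slides show.
IPTABLES="${IPTABLES:-echo iptables}"
RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables}"

bastion_rules() {
    # Review the rules in place, then clear them so the ruleset is known.
    $IPTABLES -L -n
    $IPTABLES -F

    # Default policies: inbound and forwarded traffic is dropped unless a
    # rule accepts it; the bastion itself may initiate outbound connections.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # Loopback, and replies on connections already accepted (stateful filtering).
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services the bastion exposes: HTTP, HTTPS and SSH.
    for port in 80 443 22; do
        $IPTABLES -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # FTP passes the perimeter firewall but is denied on this host. Logging
    # before the drop makes those attempts visible in the kernel log.
    $IPTABLES -A INPUT -p tcp --dport 21 -j LOG --log-prefix "BASTION-FTP-DENY "
    $IPTABLES -A INPUT -p tcp --dport 21 -j DROP
}

# Persists the result with iptables-save (printed only, in dry-run mode).
save_rules() {
    case "$IPTABLES" in
        echo*) echo "iptables-save > $RULES_FILE" ;;
        *)     iptables-save > "$RULES_FILE" ;;
    esac
}

bastion_rules
save_rules
```

Review the printed commands first; anything not accepted by an explicit rule, including port 21, falls to the INPUT DROP policy.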

Page 14

Creating TCP Wrapper Rules

The TCP Wrapper rules on the next two slides are created to allow Secure Shell (SSH) access from the fictitious site is418.com. These rules also log all access with a message and date while denying access to all other users.

Page 15

Creating TCP Wrapper Rules (Continued)

Step 1 Open the /etc/hosts.allow file using a text editor.

Step 2 Type the following rule to allow and log access from the is418.com domain (the daemon field is the wrapped process name, sshd, the same name used in hosts.deny):

sshd: .is418.com : spawn /bin/echo `/bin/date` ssh access granted >> /var/log/sshd.log

Step 3 Save and exit.

Page 16

Creating TCP Wrapper Rules (Continued)

Step 4 Open the /etc/hosts.deny file using a text editor.

Step 5 Type the following rule to deny everyone else:

sshd: ALL

Step 6 Save and exit.
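The rules from Steps 1 to 6, written to a scratch directory and checked against the order in which TCP Wrappers consults the two files (hosts.allow first, then hosts.deny, then allow by default). This is an added example, not code from the slides or the textbook; the scratch directory, the %h and %a expansions in the log line, and the test hostnames are my additions.

```shell
#!/bin/sh
# Added example, not from the slides: writes the hosts.allow/hosts.deny rules from
# Steps 1-6 into a scratch directory (assumption: not the live /etc files) and
# emulates the access decision TCP Wrappers makes, so the rules can be checked
# before deployment. Order: a hosts.allow match grants, otherwise a hosts.deny
# match denies, otherwise access is granted. The daemon field must be the wrapped
# process name (sshd, as in hosts.deny): "ssh" would match nothing in hosts.allow.
WRAP_DIR="${WRAP_DIR:-$(mktemp -d)}"
write_wrapper_rules() {
    # %h and %a are TCP Wrappers expansions (client host and address), so the
    # log records who connected as well as when.
    cat > "$WRAP_DIR/hosts.allow" <<'EOF'
sshd: .is418.com : spawn (/bin/echo `/bin/date` ssh access granted to %h [%a] >> /var/log/sshd.log)
EOF
    echo 'sshd: ALL' > "$WRAP_DIR/hosts.deny"
}

# Does client hostname $2 match client pattern $1? Handles ALL and ".domain" suffixes.
client_matches() {
    case "$1" in
        ALL) return 0 ;;
        .*)  case "$2" in *"$1") return 0 ;; esac ;;
        *)   [ "$2" = "$1" ] && return 0 ;;
    esac
    return 1
}

# Scans rule file $1 for a line whose daemon list matches $2 and client list matches $3.
file_matches() {
    while IFS=: read -r daemons clients _options; do
        daemons=$(echo "$daemons" | tr -d ' ')
        clients=$(echo "$clients" | tr -d ' ')
        case "$daemons" in ''|'#'*) continue ;; esac
        [ "$daemons" = "$2" ] || [ "$daemons" = ALL ] || continue
        client_matches "$clients" "$3" && return 0
    done < "$1"
    return 1
}

wrappers_decision() {  # $1 daemon, $2 client hostname; prints ALLOW or DENY
    if file_matches "$WRAP_DIR/hosts.allow" "$1" "$2"; then echo ALLOW
    elif file_matches "$WRAP_DIR/hosts.deny" "$1" "$2"; then echo DENY
    else echo ALLOW
    fi
}

write_wrapper_rules
wrappers_decision sshd www.is418.com      # ALLOW
wrappers_decision sshd host.example.com   # DENY
```

Note that "sshd: ALL" in hosts.deny covers only sshd; any other wrapped service with no rule in either file is still allowed, which is why a practitioner checks each daemon name, not just the domain.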

Page 17

DISCOVER: ROLES

Page 18

Firewalls

iptables:

Add, remove, and edit rules in a packet filter ruleset

List and flush the rules in a packet filter ruleset

List counters of packets matched by rules

Netfilter:

Provides the iptables packet filter in the kernel

Performs stateless and stateful packet filtering

Provides network address translation

Page 19

Firewall Rules from /etc/sysconfig/iptables

Page 20

GUI Security Level Configuration Tool

Page 21

Console-based Security Level Configuration Tool

Page 22

GNOME Uncomplicated Firewall (Gufw) Tool

Page 23

TCP Wrappers

Allow or deny access to an application based on an Internet Protocol (IP) address or hostname

Allow or deny access to an application based on time

Page 24

DISCOVER: CONTEXTS

Page 25

Layered Security for FTP Access

Firewall: protects against unauthorized traffic. In this example, it allows access to FTP from local traffic only.

TCP Wrapper: performs specific actions based on a network service running under the xinetd super server. In this example, it sends an e-mail to the administrator when access is granted during non-business hours.

SELinux: protects the network service from unauthorized access based on the subject, such as users, applications, or files. In this example, it denies logged-in users access to home directories.

Page 26

DISCOVER: RATIONALE

Page 27

Importance of Firewalls

Can be enabled on bastion hosts in addition to existing network firewalls

Provide a layer of security at the network layer to restrict unauthorized traffic

Can protect bastion hosts from malicious local network traffic

Page 28

Importance of TCP Wrappers

Adds a layer of security in addition to firewalls

Can allow and restrict access to an application based on domain name and time of the day

Can spawn processes such as e-mail and logging

Page 29

Summary

SELinux and its commands

Firewall and TCP Wrappers and their importance

Process of designing a firewall by using iptables and creating TCP Wrapper rules

Layered security for FTP access

