© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.comAll rights reserved.
Security Strategies in Linux Platforms and Applications
Lesson 7: Networks, Firewalls, and More

Learning Objective
Assess how firewalls, Transmission Control Protocol (TCP) Wrappers, and Security Enhanced Linux (SELinux) complement one another to secure network applications.
Key Concepts
- Basic layered security concepts of a Linux infrastructure
- Firewall with iptables
- Application layer security with TCP Wrappers
- Benefits of mandatory access control (MAC) with SELinux
DISCOVER: CONCEPTS
Bastion Servers in DMZ
Linux Firewall on a Bastion Host
(figure: perimeter firewall in front of a bastion host in the DMZ)
Perimeter firewall allows access to ports 80, 443, 22, and 21
Bastion host firewall allows access only to ports 80, 443, and 22
Port 80: Hypertext Transfer Protocol (HTTP)
Port 443: HTTP over TLS (HTTPS)
Port 22: Secure Shell (SSH)
Port 21: File Transfer Protocol (FTP); port 21 access is denied here, at the bastion host
The host's own iptables ruleset is the second layer: traffic the perimeter firewall passes, such as FTP, is still dropped by the bastion host, and the host is also protected from traffic that originates inside the DMZ and never crosses the perimeter.
Modes of SELinux
- Disabled: no policy is loaded and new files are not labelled; returning to Enforcing later requires a relabel of the file system
- Permissive: the policy is loaded and would-be denials are logged as AVC messages, but access is not blocked; used to test a policy before enforcing it
- Enforcing: the policy is loaded and denials are both blocked and logged
The current mode is shown by getenforce; setenforce switches between Permissive and Enforcing at run time, while a change to or from Disabled takes effect only at boot.
SELinux Administration Tool
Common SELinux Commands
- chcon: change the security context of a file or files (the change does not survive a relabel; restorecon resets a file to the context the policy's file-context rules expect)
- id -Z: show the current user context
- ls -Z: show the context of a file or files
Refer to Table 7-2 on pages 203–204 of the textbook for other SELinux commands.
SELinux Troubleshooter
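The troubleshooter works from the AVC denial records in the audit log. The following script is an added example, not from the textbook: it pulls out of one such record the fields an administrator reads before deciding whether a file is mislabelled (fixed with chcon or restorecon) or the policy itself needs changing, and it reports whether the access was actually blocked (Enforcing) or only logged (Permissive). The record is constructed for the example, not taken from a real system; its layout follows the kernel's AVC audit message format.

```shell
#!/bin/sh
# Added example, not from the textbook: extract the decision-relevant fields
# from an SELinux AVC denial record, the record type that the SELinux
# Troubleshooter (sealert) summarizes.
# Constructed sample record (not from a real system); the layout follows the
# kernel's AVC audit message format.
AVC_SAMPLE='type=AVC msg=audit(1370000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_field RECORD KEY  -> value of KEY=value in RECORD, quotes removed
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm RECORD  -> the permission(s) inside the braces, e.g. read
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'
}

# context_type CONTEXT  -> the type field of user:role:type:level
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD  -> "source_type target_type class perm mode"
# mode is enforcing (the access was blocked) or permissive (logged only,
# which is what every denial looks like while SELinux runs in Permissive mode)
avc_summary() {
    src=$(context_type "$(avc_field "$1" scontext)")
    tgt=$(context_type "$(avc_field "$1" tcontext)")
    case "$(avc_field "$1" permissive)" in
        1) mode=permissive ;;
        *) mode=enforcing ;;
    esac
    printf '%s %s %s %s %s\n' "$src" "$tgt" "$(avc_field "$1" tclass)" "$(avc_perm "$1")" "$mode"
}

avc_summary "$AVC_SAMPLE"    # httpd_t user_home_t file read enforcing
```

Read the summary as "a process of type httpd_t was refused read on a file of type user_home_t": the web server was pointed at content still carrying a home-directory label. Confirm with ls -Z on the file, then relabel it (chcon -t with the web content type, or better a semanage fcontext rule followed by restorecon so the label survives a relabel) rather than dropping the whole system to Permissive.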
An AppArmor Configuration Tool
DISCOVER: PROCESS
Designing a Firewall
(flowchart)
1. Turn on the firewall.
2. List the current rules using the iptables -L command (iptables -L -n -v also shows per-rule packet counters and avoids reverse DNS lookups).
3. Are rules that should be cleared in place?
   - Yes: flush the current rules using the iptables -F command, then continue with step 4.
   - No: continue with step 4.
4. Write firewall rules for the INPUT, OUTPUT, and FORWARD chains.
5. Save the new rules using the iptables-save command. It writes to standard output, so redirect it to the file the distribution loads at boot (for example /etc/sysconfig/iptables on Red Hat-style systems).
Caveat: iptables -F removes the rules but leaves the chain policies in place. On a remote host whose INPUT policy is DROP, flushing before the new ACCEPT rules are in place cuts off the administrator's own session; set the policies to ACCEPT first, or load the complete new ruleset in one step with iptables-restore.
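The procedure above, carried out for the bastion host on the earlier slide (TCP 22, 80 and 443 admitted, everything else including FTP on 21 dropped), as an added example that is not from the textbook. Instead of typing rules one by one after iptables -F, the script writes the complete ruleset in iptables-save format, the same format /etc/sysconfig/iptables holds, so it can be reviewed and then loaded atomically with iptables-restore. The port list, the logging rule and the helper names are the example's own choices.

```shell
#!/bin/sh
# Added example, not from the textbook: build the bastion-host ruleset from
# the "Linux Firewall on a Bastion Host" slide in iptables-save format.
# Loading the whole file with iptables-restore replaces the filter table in
# one step, so there is no window after "iptables -F" in which the host is
# either exposed or, with a DROP policy, unreachable over SSH.

# bastion_ruleset [PORT ...]
# Print an iptables-restore ruleset for the filter table that admits only the
# listed TCP ports (default: 22 80 443) plus loopback and reply traffic.
bastion_ruleset() {
    [ $# -gt 0 ] || set -- 22 80 443
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log what is about to be dropped; the INPUT chain policy does the dropping.
    cat <<'EOF'
-A INPUT -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

# ruleset_admits RULESET PORT
# Succeed if RULESET contains an ACCEPT rule for new TCP connections to PORT.
ruleset_admits() {
    printf '%s\n' "$1" | grep -q -- "--dport $2 -m conntrack --ctstate NEW -j ACCEPT"
}

# Generate, review, and only then apply (as root):
#   bastion_ruleset > /etc/sysconfig/iptables
#   iptables-restore --test < /etc/sysconfig/iptables   # parse only, no commit
#   iptables-restore < /etc/sysconfig/iptables
#   iptables -L -n -v                                    # confirm the counters move
RULES=$(bastion_ruleset)
printf '%s\n' "$RULES"
```

FTP is not mentioned anywhere in the file: it is denied because the INPUT policy is DROP and no rule admits port 21, which is the safer shape for a bastion host than a default-allow chain with explicit deny rules.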
Creating TCP Wrapper Rules
The TCP Wrapper rules on the next two slides are created to allow Secure Shell (SSH) access from hosts in the fictitious domain is418.com. The rules also log every granted access with a message and the date, while denying access to all other hosts.
Creating TCP Wrapper Rules (Continued)
Step 1: Open the /etc/hosts.allow file using a text editor.
Step 2: Type the following rule to allow and log access from the is418.com domain. The first field must be the daemon's process name, sshd, which is what the wrapper library matches; a rule starting with "ssh:" never matches, and the deny rule on the next slide would then block everyone.
sshd: .is418.com: spawn /bin/echo `/bin/date` ssh access granted >> /var/log/sshd.log
Step 3: Save and exit.
Creating TCP Wrapper Rules (Continued)
Step 4: Open the /etc/hosts.deny file using a text editor.
Step 5: Type the following rule to deny everyone else:
sshd: ALL
Step 6: Save and exit.
/etc/hosts.allow is consulted first and the first matching rule wins, so is418.com hosts are granted before the deny-all rule is reached; a client that matches neither file is allowed. A domain pattern such as .is418.com is matched against the client's reverse DNS name, so where possible restrict by IP address or network instead. The rules only affect services that consult the wrapper library (xinetd and daemons linked against libwrap); OpenSSH removed its libwrap support in version 6.7, so on newer systems restrict sshd with the firewall or with sshd_config instead.
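To make the evaluation order concrete, here is an added example that is not from the textbook: a small emulation of the decision libwrap makes for one connection, run over the two files built in Steps 1 to 6. It covers only the hosts_access(5) syntax those steps use (daemon list, client list, an ignored option field; client patterns ALL, an exact host name and a leading-dot domain suffix). IP and network patterns, KNOWN/UNKNOWN/PARANOID and the EXCEPT operator are left out. The rule texts and host names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the textbook: emulate libwrap's access decision for
# one connection. Rule lines have the form
#     daemon_list : client_list [: option ...]
# and are evaluated in libwrap's order:
#   1. first matching line in hosts.allow  -> access granted
#   2. first matching line in hosts.deny   -> access denied
#   3. no match in either file             -> access granted
# Only ALL, exact host names and .domain suffixes are implemented here.

# match_pattern PATTERN VALUE  -> success if VALUE matches one pattern
match_pattern() {
    case "$1" in
        ALL) return 0 ;;
        .*)  case "$2" in *"$1") return 0 ;; esac ;;   # domain suffix
        *)   [ "$1" = "$2" ] && return 0 ;;           # exact name
    esac
    return 1
}

# match_list LIST VALUE  -> success if any comma-separated item matches
match_list() {
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        match_pattern "$item" "$2" && return 0
    done
    return 1
}

# file_matches RULES DAEMON HOST  -> success if a line of RULES (the text of
# hosts.allow or hosts.deny) names both DAEMON and HOST; options are ignored
file_matches() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        line=${line%%#*}                                  # drop comments
        daemons=$(printf '%s' "$line" | cut -d: -f1 | tr -d ' \t')
        clients=$(printf '%s' "$line" | cut -d: -f2 | tr -d ' \t')
        [ -n "$daemons" ] || continue                     # blank line
        if match_list "$daemons" "$2" && match_list "$clients" "$3"; then
            echo matched
            break
        fi
    done | grep -q matched
}

# tcpwrap_decide ALLOW_TEXT DENY_TEXT DAEMON HOST  -> prints allow or deny
tcpwrap_decide() {
    if file_matches "$1" "$3" "$4"; then echo allow
    elif file_matches "$2" "$3" "$4"; then echo deny
    else echo allow
    fi
}

# Constructed rule files mirroring the slides. The daemon field must be the
# process name the library sees, which for OpenSSH is sshd; the "ssh" variant
# matches nothing, so hosts.deny then blocks the is418.com hosts as well.
HOSTS_ALLOW='sshd: .is418.com: spawn /bin/echo `/bin/date` ssh access granted >> /var/log/sshd.log'
HOSTS_ALLOW_WRONG='ssh: .is418.com: spawn /bin/echo `/bin/date` ssh access granted >> /var/log/sshd.log'
HOSTS_DENY='sshd: ALL'

tcpwrap_decide "$HOSTS_ALLOW" "$HOSTS_DENY" sshd login.is418.com          # allow
tcpwrap_decide "$HOSTS_ALLOW" "$HOSTS_DENY" sshd scanner.example.net      # deny
tcpwrap_decide "$HOSTS_ALLOW_WRONG" "$HOSTS_DENY" sshd login.is418.com    # deny
```

The last call shows why the daemon name matters: with "ssh:" in hosts.allow nothing matches there, the lookup falls through to "sshd: ALL" in hosts.deny, and the very hosts the rule was meant to admit are locked out. Note also that a service not named in either file (vsftpd, say) is allowed by default; a deny-by-default posture needs "ALL: ALL" in hosts.deny.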
DISCOVER: ROLES
Firewalls

iptables (user-space tool)
- Add, remove, and edit rules in a packet filter ruleset
- List and flush the rules in a packet filter ruleset
- List counters of packets matched by each rule

Netfilter (kernel framework)
- Provides the packet-filter hooks in the kernel that iptables configures
- Performs stateless and stateful packet filtering
- Provides network address translation
Firewall Rules from /etc/sysconfig/iptables
GUI Security Level Configuration Tool
Console-based Security Level Configuration Tool
GNOME Uncomplicated Firewall (Gufw) Tool
TCP Wrappers
- Allow or deny access to an application based on an Internet Protocol (IP) address or hostname
- Allow or deny access to an application based on time (hosts.allow has no time-of-day syntax of its own; time restrictions come from xinetd's access_times attribute or from a check run through the spawn option)
DISCOVER: CONTEXTS
Layered Security for FTP Access

Firewall
- Protects against unauthorized traffic
- Allows access to FTP from local traffic only

TCP Wrapper
- Performs specific actions based on a network service running under the xinetd super server
- Sends an e-mail to the administrator when access is granted during non-business hours

SELinux
- Protects the network service from unauthorized access based on the security contexts of the subject (a user or application process) and the object it touches (such as a file)
- Denies logged-in FTP users access to home directories (in the targeted policy this is controlled by the ftp_home_dir boolean)
DISCOVER: RATIONALE
Importance of Firewalls
- Can be enabled on bastion hosts in addition to existing network firewalls
- Provide a layer of security at the network layer to restrict unauthorized traffic
- Can protect bastion hosts from malicious local network traffic
Importance of TCP Wrappers
- Add a layer of security in addition to firewalls
- Can allow and restrict access to an application based on domain name and time of day
- Can spawn processes such as e-mail and logging
Summary
- SELinux and its commands
- Firewalls and TCP Wrappers and their importance
- Process of designing a firewall by using iptables and creating TCP Wrapper rules
- Layered security for FTP access