SANS Network Security 2000
Cost Effective Methods for Securing Small Networks
An Open Source Solution
http://www.nyx.net/~srbrown/firewall/sans_ns2000.pdf
Sean Brown, Applied Geographics, [email protected], http://www.nyx.net/~srbrown
versus
Table of Contents
• Introduction
• Case Study: Applied Geographics, Inc.
• Objectives
• Firewall
• Encryption
• Intrusion Detection
• Conclusions
• References
What this Presentation IS…
• A case study in Open Source firewalls
• An introduction and summary of Open Source tools
• A reference for further inquiry
What this Presentation IS NOT...
• A beginner's guide to computer security
• A firewalling HOWTO
• A detailed guide for configuring a Linux firewall
Introduction and Problem
• Inexpensive high bandwidth access eases Internet connectivity for small businesses
→ Efficient access to Internet resources
→ Email, web, ftp services run locally
→ Easy access to internal resources when away from office
Notes:
• As high bandwidth Internet access becomes more readily available at lower cost, many small companies are leveraging the Internet to expand their market share and grow their business.
• High bandwidth access allows internal users fast and easy access to resources on the Internet.
• Likewise, telecommuters, clients, and remote users are able to gain access to local files and resources required for remote support.
Introduction and Problem
• Security of local network resources sacrificed for expediency and cost
→ Internal resources open to unauthorised access
→ No means for detecting intrusion attempts
Notes:
• Companies choosing to connect their internal LANs to the Internet often sacrifice the security of local network resources for the sake of expediency and cost.
• Additionally, a lack of knowledge often allows small business owners to be easily lulled into a false sense of security after installing the latest and greatest <insert favorite buzzword here> without any real understanding of their existing vulnerabilities.
• Resources are often opened for <World> access since this is the easiest way to resolve permissions problems.
• Intrusion detection is non-existent.
Case Study: Applied Geographics, Inc. (Before)
• Minimal (or no) firewall protection
• 50+ hosts
• 10/100 switched Ethernet
• 416 Kbps SDSL
• Network services hosted internally, i.e. Email, Web, FTP
Notes:
• Applied Geographics, Inc. (AGI) is a small, highly visible Geographic Information Systems (GIS) consulting firm in Boston, Massachusetts. Primary business goals include providing software and network consulting services to companies and municipal governments wishing to "Internet Enable" their GIS mapping and data warehousing applications. A secondary service is to provide hosting services for these applications on AGI's network. This scenario is not uncommon in today's digital economy and necessitates a secure environment so as to protect both AGI and its clients.
• Network Description
  • The AGI network consists of approximately 50 network hosts.
  • The network topology is 10/100 switched Ethernet with one host per port.
  • Internet services are provided through a 416 Kbps SDSL circuit to our ISP.
  • All network services except for external DNS are provided within AGI's internal network, i.e. Email, Web, FTP.
Case Study: Applied Geographics, Inc. (Before)
• Linux firewall/router (2.0.34)
• Open telnet access to firewall
• Open anonymous ftp access (upload/download)
• Microsoft IIS web server with numerous open ports and vulnerable services
Notes:
• When I joined AGI, I was not surprised at the state of internal and external network security.
• The existing network configuration allowed users to telnet into the "firewall" from remote sites and use it as a platform for gaining access to files on the internal network as needed for performing their jobs.
• No packet filtering
• The firewall also acted as the ftp server, allowing unregulated anonymous ftp transfers, both uploads and downloads.
• IIS web server was located outside the firewall with numerous unnecessary services running and no additional hardening performed (1), i.e.
  • Removal of unused/exploitable services
  • Removal of sample applications and default virtual directories
  • Installation of latest patches and hotfixes
--
(1) Multiple sites have information on hardening NT and IIS. I use the following: http://www.microsoft.com/technet/security/iischk.asp and http://www.securityfocus.com/data/library/auscert_win.html
Case Study: Applied Geographics, Inc. (Before)
• Intranet with directory browsing enabled (open to external access)
• Email server not preventing spam relay
• Logfiles unmonitored
• Root passwords widely known
Notes:
• An intranet was configured on an internal Windows NT Server which allowed directory browsing of sensitive company files.
• This intranet server was also opened to outside access through a web proxy on the firewall, allowing external browsers to access these files with plain text authentication.
• Email server not configured to prevent spam relay
• System logfiles on all servers were neither centralised nor monitored
• Root passwords were widely known by users (an example of allowing world access if there are permissions problems with some resources).
Case Study: Applied Geographics, Inc. (Before)
[Diagram: AGI Network Summary (Before). Internet, 416 Kbps SDSL, Router, "Firewall" (exposing Telnet, IMAP, local browsing, anonymous upload/download FTP), 10/100 Ethernet switch, internal Email, WWW and FTP servers]
Objectives
• Firewall - configured to properly secure internal network resources
• Encrypted Authentication - eliminate plain text authentication for remote access
• Intrusion Detection - detect unauthorised access attempts and maintain system integrity
Notes:
• I immediately established three primary goals vis-a-vis securing our network without sacrificing accessibility and usability by authenticated, authorised users.
• Firewall
  • Filter all network traffic between trusted and untrusted network interfaces
  • Eliminate exposure to untrusted networks using a packet filtering firewall, proxies for common network services, and masquerading of internal hosts
  • Prevent unauthorised mail relay.
• Encrypted Authentication
  • Eliminate plain text transmissions over untrusted network interfaces including authentication, remote access, remote terminal sessions, file transfers, and sensitive web transactions.
• Intrusion Detection
  • Detect all unauthorised access to trusted network resources by installing and configuring intrusion detection and log analysis software
  • Scan for backdoors, open vulnerable ports, and DDoS attack software.
Objectives
• Solutions needed to be based on inexpensive or easily obtainable hardware, and software with unrestrictive licensing [1], e.g. GNU GPL, public domain, etc.
Notes:
• Since cost is a factor in many small businesses, AGI notwithstanding, solutions needed to be based on inexpensive or easily obtainable hardware, and software with non-restrictive licensing such as GNU GPL open source projects or public domain applications.
• GNU and EFF maintain much information on software licensing for open source projects.
• End users are permitted to modify source code and redistribute under certain specified guidelines
Firewall <Hardware>
• Pentium 100MHz w/96MB RAM
• Red Hat Linux [2] v6.1 (Hardened)
→ Remove references in /etc/inetd.conf
→ Enable TCP wrappers: /etc/hosts.deny and /etc/hosts.allow
→ Only install apps necessary on firewall
→ Run Bastille Linux 1.1 [3]
Notes:
• Firewall System
  • Spare outdated hardware
    • Pentium 100MHz
    • 96MB RAM
    • 2GB IDE Hard Drive
    • 3 Intel 10/100 Pro NICs
• Operating System
  • Red Hat Linux 6.1 hardened to remove unnecessary services and restrict access
    • Remove references in /etc/inetd.conf
    • Enable TCP wrappers: /etc/hosts.deny and /etc/hosts.allow
    • Only install apps necessary on firewall
    • Run Bastille Linux 1.1
  • Other OS options included OpenBSD and Debian Linux. Red Hat was chosen since it is the Linux distribution with which I am most familiar and I own stock in the company ;-)
Firewall <Packet Filtering>
• IPChains [4]
→ Latest Linux kernel [5] (2.2.16) compiled with firewall options
→ IPChains application for configuring rulesets
Notes:
• Packet Filtering
  • Latest stable kernel (2.2.16) recompiled to enable firewall options and remove unneeded overhead.
    • CONFIG_FIREWALL=y
    • CONFIG_IP_FIREWALL=y
  • Installed packet filtering software including:
    • IPChains - configure and manage packet filter rulesets
    • IPMASQADM - enable and manage NAT
    • IPFWD - enable arbitrary protocol forwarding (needed for VPN configuration)
Firewall <Proxy Services>
• Trusted Information Systems Firewall Toolkit (FWTK) [6]
→ Proxy applications for email, web services, ftp, nntp
→ Patches [7] available for preventing spam relay and enabling spam filtering
Notes:
• Proxies
  • Trusted Information Systems' Firewall Tool Kit (FWTK)
  • Proxy services for Email allow internal email servers to be isolated from external connections
  • Proxies are also available for http, ftp, nntp, and arbitrary port forwarding
  • FWTK is an open source application with wide end user support in the form of patches to the FWTK base source code. The patches enable a variety of added functionality including spam and mail relay control
  • FWTK has a restrictive license which among other things:
    • Prohibits redistribution of the source code
    • Does not allow use outside your organization
    • Prohibits commercial use and/or support of FWTK outside your organization
Firewall <Masquerading and NAT>
• IP subnetting configured using reserved private addresses, i.e. 10.x.x.x/8, 172.16.x.x/12, 192.168.x.x/16 (RFC1597) [8]
• Enable masquerading of internal hosts using IPChains
Notes:
• Internal network design uses RFC1597 reserved IP address space for hosts on the LAN
• Masquerading of internal hosts is enabled in the Linux kernel on the firewall and controlled through the IPChains program
Firewall <Masquerading and NAT>
• Enable Network Address Translation (NAT) for necessary services
→ TCP/80: HTTP
→ TCP/143: IMAP
→ TCP/443: SSL
→ TCP/1723: PPTP
→ IP Protocol 47: GRE
• NAT enabled and managed through IPMASQADM and IPFWD
Notes:
• To enable external connections to specific internal network resources, i.e. web and vpn servers, it is necessary to port forward specific ports:
  • TCP/80: http services on numerous internal web servers
  • TCP/443: ssl
  • TCP/1723: pptp control connection
  • TCP/143: IMAP
  • IP protocol 47: GRE
• IPMASQADM and IPFWD are used to manage NAT. They must be downloaded and installed before they can be used.
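The packet filtering, masquerading and NAT slides together describe one ruleset. The script below is an added example, not the ruleset used at AGI: it emits the ipchains, ipmasqadm and ipfwd commands for that design (deny by default, masquerade the RFC1597 LAN, forward the listed services). Interface names, addresses and internal hosts are constructed, and the forward-chain rules for port-forwarded traffic and the ipfwd invocation are assumptions to review before applying on a real firewall.

```shell
#!/bin/sh
# Added example for the AGI-style firewall; not code from the presentation.
# fw_rules prints the commands so they can be reviewed; apply_rules runs
# them (as root on a 2.2-kernel firewall with ipchains/ipmasqadm/ipfwd).
EXT_IF=eth0; EXT_IP=198.51.100.2            # constructed public address
INT_IF=eth1; LAN=192.168.1.0/24             # RFC1597 private space
WEB=192.168.1.10; MAIL=192.168.1.11; VPN=192.168.1.20   # constructed hosts
SERVICES="80:$WEB 443:$WEB 143:$MAIL 1723:$VPN"        # port:internal host

fw_rules() {
  echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
  echo "ipchains -F"
  # Deny by default; only what the slides list is opened below.
  echo "ipchains -P input DENY"
  echo "ipchains -P forward DENY"
  echo "ipchains -P output ACCEPT"
  echo "ipchains -A input -i lo -j ACCEPT"
  echo "ipchains -A input -i $INT_IF -s $LAN -j ACCEPT"
  # Anti-spoofing: our private range never legitimately arrives outside.
  echo "ipchains -A input -i $EXT_IF -s $LAN -l -j DENY"
  # ipchains has no connection tracking: non-SYN TCP from outside is
  # taken to be replies to connections the masqueraded LAN opened.
  echo "ipchains -A input -i $EXT_IF -p tcp ! -y -j ACCEPT"
  # SMTP terminates on the firewall itself (the FWTK mail proxy).
  echo "ipchains -A input -i $EXT_IF -p tcp -d $EXT_IP 25 -j ACCEPT"
  # Published services: accept on the public address, permit the
  # forwarded packet towards the LAN, and map it with ipmasqadm portfw.
  echo "ipmasqadm portfw -f"
  for s in $SERVICES; do
    port=${s%%:*}; host=${s##*:}
    echo "ipchains -A input -i $EXT_IF -p tcp -d $EXT_IP $port -j ACCEPT"
    echo "ipchains -A forward -i $INT_IF -p tcp -d $host $port -j ACCEPT"
    echo "ipmasqadm portfw -a -P tcp -L $EXT_IP $port -R $host $port"
  done
  # GRE (IP protocol 47) carries the PPTP tunnel; it has no ports, so it
  # cannot be port-forwarded and ipfwd relays it to the VPN server instead
  # (ipfwd syntax assumed: ipfwd --masq <internal host> <protocol>).
  echo "ipchains -A input -i $EXT_IF -p 47 -d $EXT_IP -j ACCEPT"
  echo "ipfwd --masq $VPN 47 &"
  # Log everything else arriving on the outside interface, then drop it.
  echo "ipchains -A input -i $EXT_IF -l -j DENY"
  # Masquerade the LAN behind the public address. In the forward chain
  # -i names the outgoing interface.
  echo "ipchains -A forward -i $EXT_IF -s $LAN -j MASQ"
}

apply_rules() { fw_rules | sh; }
```

Generated output, not the live kernel state, is what gets reviewed here; the logging rules are what give Logcheck and the portscan audits on later slides something to work with.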
Encryption <Remote Access>
• Microsoft PPTP MSCHAPv2 to enable remote access through VPN [9]
→ Adequate performance
→ Built in to the OS or a free add-on
→ Documented vulnerabilities exist [10]
→ Users need to weigh security needs vs. potential risks
Notes:
• Remote access capabilities were a priority for the users at AGI. As a consulting firm our employees travel extensively and require simple, secure access to AGI network files and resources.
• VPN configuration using PPTP and MSCHAPv2
  • Inexpensive (built into the OS or free add-on)
  • Performance is adequate to the needs at hand
  • Better than completely open transmissions.
  • Numerous shortcomings in the PPTP and MSCHAPv2 implementation and design
  • Explore IPSEC options for client/server VPN connections.
• Decision makers need to weigh both the cost of purchasing and implementing an alternative VPN solution vs. potential benefits to added security. In AGI's case, the existing Microsoft solution was sufficient for our needs.
Encryption <Terminal Sessions>
• OpenSSH [11]
→ Configure for key and/or password authentication
→ Restricted to administrative use only (Me)
Notes:
• Remote terminal sessions were unnecessary for normal usage. However, it was necessary for administrative access to the firewall.
• OpenSSH installed to allow secure terminal access
  • sshd configured to require the use of either a 1024-bit key pair or the local user password
  • Restricted to administrative use only (Me)
Encryption <Authentication>
• SSL enabled Email and Web sessions
→ OpenSSL [12] configured for self signed certificates
→ Self signed CA certificates installed on remote client laptops enabling trusted SSL server authentication
Notes:
• Authentication for additional services
• OpenSSL installed to create a company-wide CA (Certificate Authority)
  • Most web sites available for public access use a third-party CA like Verisign or RSA Data Security to certify their SSL certificates.
  • Self signing provides an easy way to certify your own private access services without paying for the privilege.
• Company-wide root CA used to sign SSL digital certificates for AGI internal use
• AGI root CA certificate installed as a trusted authority on all company laptops and employee home systems
  • Certifies that AGI web servers with certificates signed by the AGI root CA are in fact AGI web servers
  • Avoids error messages when trying to access an AGI site with an SSL certificate
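The company-wide CA described above, as an added example using the openssl command line (not AGI's own scripts): create a self-signed root, sign a server certificate with it, and run the check a client performs once the root is installed as trusted. Subject names and paths are constructed; key sizes and validity periods are assumptions.

```shell
#!/bin/sh
# Added example of the self-signed CA workflow; not code from the slides.
set -e
WORK=${WORK:-$(mktemp -d)}
CA_SUBJ="/C=US/ST=MA/L=Boston/O=Example Co/CN=Example Co Root CA"   # constructed
SRV_SUBJ="/C=US/ST=MA/L=Boston/O=Example Co/CN=mail.example.com"     # constructed

make_ca() {
  # Self-signed root: the CA certifies its own key. Guard ca.key closely;
  # whoever holds it can mint certificates every client with this root trusts.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "$CA_SUBJ" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  chmod 600 "$WORK/ca.key"
}

make_server_cert() {
  # The server makes its own key and a signing request; only the request,
  # never the private key, has to reach the CA.
  openssl req -newkey rsa:2048 -nodes -subj "$SRV_SUBJ" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  # The CA signs the request; server.crt is what the IMAP/web server presents.
  openssl x509 -req -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.crt" 2>/dev/null
}

verify_against_ca() {
  # $1: certificate to check. Succeeds only if it chains to our root,
  # which is exactly what a client with ca.crt installed checks at connect.
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

make_rogue_cert() {
  # A self-signed certificate bearing the same server name but no CA
  # signature: the case a client must reject rather than click through.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$SRV_SUBJ" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
}
```

Installing ca.crt as a trusted root on the laptops, rather than each server's certificate, is what lets every AGI server signed by it validate without per-host exceptions.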
Encryption <Authentication>
• 128-bit SSL enabled IMAP4 required for email access
→ Outlook Express IMAP4 client
→ Netscape Messenger IMAP4 client
• 128-bit SSL required for Outlook Web Access [13]
Notes:
• 128-bit SSL enabled on all web servers where access to sensitive data is required
• All directory browsing is disabled
• SSL configured for use with IMAP. This will allow users to obtain their Email using a standard IMAP enabled Email client while encrypting the authentication
• SSL enabled for web access to email
IDS <Software>
• Tripwire v2.2.1 [14]
→ Firewall system integrity
→ Soon to be an Open Source project for Linux
• Psionic Logcheck [15]
→ System log processing and reporting
→ Works with TIS Firewall Toolkit log format
→ Rulesets easily configured for general system auditing
Notes:
• Intrusion Detection software installed to provide a means for detecting unauthorised network traffic and maintaining system integrity.
• System Integrity
  • Tripwire v2.2.1 used for monitoring changes to firewall and critical systems
    • **Show Sample report
    • Policy and database files are encrypted
    • Policies for integrity checking are easily managed and modified
    • Can be used to obtain a snapshot of your system after an attack or system compromise
    • Tripwire is being Open Sourced (GPL) for the Linux OS
  • Logcheck provides system log processing capabilities
    • System logs are parsed and irregularities or security issues are extracted, formatted and emailed on a user configurable basis
    • Entries are extracted based on user configurable rulesets
    • Default rulesets are designed for use with the FWTK but are easily configured for general system monitoring
IDS <Software>
• NTSyslog [16]
→ Send Windows NT event log messages to a central syslog server
→ Powerful monitoring tool used in conjunction with Psionic's Logcheck
• SNORT [17]
→ Open Source tool for realtime traffic analysis and packet logging
→ Multi-platform support
Notes:
• System Integrity, cont.
  • NTSyslog allows NT to send its event logs to a central syslog server.
    • Allows for centralised logging
    • A powerful monitoring tool when used in conjunction with Logcheck on your syslog server
• Packet Sniffing
  • Snort is an Open Source project providing real-time network traffic analysis and packet logging
  • Snort is extremely configurable through rulesets
  • There is a high level of end user support for using and writing your own rulesets
IDS <Prevention>
• Strong password policy
→ Six character minimum
→ Mix of case and special characters
→ Verify password strength with auditing tools
  − L0phtcrack [18] for NT auditing
  − Crack [19] for Unix /etc/passwd auditing
Notes:
• Password Policies
  • Algorithms used by password crackers like L0phtcrack are extremely effective at brute forcing bad passwords.
  • At AGI, I recommend…
    • Six character minimum
    • Mix of alphanumeric and special characters, e.g. @$&(, etc.
  • Password strength can be verified by using password auditing tools
    • L0phtcrack against NT Domain registry
    • Crack against Unix passwd file
IDS <Prevention>
• TCP/UDP open port auditing
→ NMAP [20] to verify open TCP/UDP ports on firewall
→ PortSentry [21] 1.0 to detect and block portscans
Notes:
• TCP/IP Port Auditing
  • Regular administrative portscans
    • Identify unknown open ports
    • Used in conjunction with good system logging
      • Provide signatures to help identify unauthorised portscans
      • Recognise deficiencies in your system logging
  • Tools for auditing open ports
    • NMAP has many command-line options for testing your logging
      • Stealth, xmas, null, syn, fin, spoofed, fragmented...you get the picture
      • Widely available and commonly used, which makes it a good tool for obtaining portscan signatures
    • PortSentry can listen for connects on user defined ports and block future access attempts by automatically adding rules to packet filter rulesets, e.g. IPChains, Netfilter, and Ipfwadm (DON'T DO THIS!! Anyone who can spoof the source of a scan can have your firewall lock out addresses you depend on.)
Original Objectives
• Firewall - configured to properly secure internal network resources
• Encrypted Authentication - eliminate plain text authentication for remote access
• Intrusion Detection - detect unauthorised access attempts and maintain system integrity
Notes:
• The solutions implemented at AGI have successfully addressed each of these goals while keeping costs at a minimum.
• Firewall
  • Filter all network traffic between trusted and untrusted network interfaces
  • Eliminate exposure to untrusted networks using a packet filtering firewall, proxies for common network services, and masquerading of internal hosts
  • Prevent unauthorised mail relay.
• Encrypted Authentication
  • Eliminate plain text transmissions over untrusted network interfaces including authentication, remote access, remote terminal sessions, file transfers, and sensitive web transactions.
• Intrusion Detection
  • Detect all unauthorised access to trusted network resources by installing and configuring intrusion detection and log analysis software
  • Scan for backdoors, open vulnerable ports, and DDoS attack software.
Case Study: Applied Geographics, Inc. (After)
[Diagram: AGI Network Summary (After). Internet, 416 Kbps SDSL, Router, "Firewall" (now exposing only SSH, SSL IMAP, VPN and controlled FTP), 10/100 Ethernet switch, internal FTP, Email, WWW and VPN servers]
Cost Summary
Component                           Approximate Cost
Firewall (hardware)                 $200
Firewall (OS)                       $0
Firewall (Proxy/Packet Filter SW)   $0
SSH (Server/Client SW)              $0
SSL (CA & Server Certificate)       $0
VPN (Server/Client SW)              $0
Password Auditing SW                $0
IDS (Tripwire, Logcheck, & Snort)   $0
Port Scanning Tools                 $0
Total Cost                          $200
Notes:
• Overall hardware and software costs for the security upgrades amounted to the cost of the Pentium system used for the firewall (approx. $200). Since the work was done in-house, the implementation and configuration was carried out as part of my job as System Administrator rather than hiring outside consultants.
Brevity is the soul of wit…
- Shakespeare
References
1. GNU General Public License, http://www.gnu.org/philosophy/license-list.html
2. Red Hat Linux Version 6.1, Red Hat Software, Inc., http://www.redhat.com
3. Bastille Linux 1.1.0, http://www.bastille-linux.org/
4. IPChains Version 1.3.9, http://netfilter.kernelnotes.org/ipchains
5. Linux Kernel 2.2.16, http://www.kernel.org
6. Firewall Toolkit (FWTK) Version 2.1, Trusted Information Systems, http://www.fwtk.org
7. Miscellaneous user developed patches for the TIS FWTK 2.1 package, http://www.fwtk.org/fwtk/patches
8. Internet Engineering Task Force Request for Comments, http://www.ietf.org/rfc.html
9. Microsoft VPN Solutions, Microsoft, Inc., http://www.microsoft.com/ISN/whitepapers.asp
10. Schneier, Bruce and Mudge, "Cryptanalysis of Microsoft's PPTP Authentication Extensions (MS-CHAPv2)", October 1999, http://www.counterpane.com/pptpv2-paper.html
11. OpenSSH Version 2.1.1, The OpenBSD Project, http://www.openssh.com
12. OpenSSL Version 0.9.5a, The OpenSSL Project, http://www.openssl.org
13. Outlook Web Access for Microsoft Exchange Server Version 5.5, http://www.microsoft.com/exchange/en/55/help/default.asp
14. Tripwire Version 2.2.1, Tripwire, Inc., http://www.tripwire.com
15. Logcheck Version 1.1.1, Psionic Software, Inc., http://www.psionic.com/abacus/logcheck/
16. NTSyslog Version 1.5, Sabernet.net, http://www.sabernet.net/software/ntsyslog.html
17. Snort Version 1.6.2.2, Marty Roesch, http://www.snort.org
18. L0phtcrack Version 2.52, L0pht Heavy Industries, Inc., http://www.l0pht.com/l0phtcrack
19. Miscellaneous Unix Authentication tools, Computer Incident Advisory Capability (CIAC), http://ciac.llnl.gov/ciac/ToolsUnixAuth.html
20. NMAP Version 2.52, Fyodor, http://www.nmap.org/nmap/index.html
21. Psionic Portsentry Version 1.0, Psionic Software, Inc., http://www.psionic.com/abacus/portsentry