History
* Old days: security = planting two firewalls
* Today: security = a very complex problem
Type of attacks
Attacks on networks have become more sophisticated and are carried out through, but not limited to, one of the following techniques:
* Packet sniffing: an application that uses the promiscuous mode of the network adapter to capture all network packets.
* IP spoofing: an attack in which a hacker assumes the IP address of another host to conceal his true identity.
* Denial-of-service (DoS) attack: aims to overwhelm a service so as to deny legitimate requests from being serviced. The service may be in the form of bandwidth, memory, or CPU. It is the most well-known of all Internet attacks, and effort should be invested in understanding its mechanisms. Some of the more famous DoS attacks include the following:
  o Code Red
  o Blaster
  o Ping of Death
  o Trinity
* Password attack: as its name implies, this attack intends to acquire passwords to important assets so as to cause further damage. Password attacks can be achieved through other methods previously mentioned, such as IP spoofing, or via brute force.
* Man-in-the-middle attack: this type of attack happens when a hacker manages to position himself between the source and the destination of a network transaction. ARP cache poisoning is one common method.
* Application attack: this type of attack happens when holes in application software are exploited to gain access to a computer system. The holes may be bugs or may be exposed TCP port numbers.
* Port redirection attack: this type of attack makes use of a compromised host to gain access to a network that is otherwise protected.
Attack Patterns
SSH
To add extra security to the various services, Linux has a system for allowing and denying them to chosen hosts. For instance, you may wish to allow logins from machines at your own site, but not from the Internet. The files /etc/hosts.allow and /etc/hosts.deny list the services and hosts that are allowed and denied, respectively.
Denying connections by checking the host provides a good basic method for throwing off attacks, but it is not the end of the story. It is possible to fake host names on incoming connections (oh yes it is). While data is in transit between programs over the Internet it is also in danger: anyone with the knowledge can look at your data. Using a method known as 'spoofing' they can even inject fake data into a legitimate stream. These problems come about because of the way that Internet protocols interact. To overcome these difficulties ssh was devised.
Ssh is a stable, well-developed, open-source system that provides encryption and authentication on connections. Encryption uses codes to protect the packets of data while in transit. Authentication is a process for verifying whether a packet of data or a connection is valid. There are ssh clients for most other operating systems too. By using Linux as a server you can provide ssh-level security for all your network use.
Logging
Linux has a comprehensive set of subsystems to let the system administrator know what is going on with his or her system. All manner of log files are generally kept in the /var/log directory. Most of the standard services log information about users connecting, or attempting to connect, to /var/log/syslog and /var/log/messages. There are also log files for such services as apache (/var/log/httpd/access_log), mail (/var/log/mail) and the firewall (/var/log/firewall).
The main problem with logging events is that one tends to end up with too much data. Careful filtering, and logging only important information, is essential.
There are some good tools out there that will make this work easier. Ethereal is a packet sniffer. With it you can capture various types of packets over a given period of time. It also shows all manner of information about the packets. It is useful for watching packets coming into and going out of your machine; generally it will detect traffic on your whole network segment.
Another logging/intrusion detection type tool is called Tripwire. It takes a snapshot of your important system files and records their signatures in a database. Various signature levels are available, from mild to wild. You can also set the rules in a policy file to tell Tripwire what to check. After the database is initialized and signed, Tripwire can be executed whenever you need to check the integrity of your system. The report will point out when your files have changed and the severity of the security risk. The Tripwire report is pretty easy to read and can be customized according to your file tracking needs.
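The snapshot-then-verify cycle described above, as an added example in Python (not Tripwire's own code): a policy maps each file to an assumed severity label, `initialize` records a signature per file, and `check` reports added, removed or modified files with their severity.

```python
# Tripwire-style file integrity check (added example, not Tripwire's code).
import hashlib
import os
import tempfile

def _signature(path):
    """Return (sha256 hex digest, size, permission bits) for one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return h.hexdigest(), st.st_size, oct(st.st_mode & 0o777)

def initialize(policy):
    """Baseline database: path -> signature for every policy path that exists.
    policy maps a file path to a severity label (assumed for this example)."""
    return {p: _signature(p) for p in policy if os.path.exists(p)}

def check(policy, database):
    """Compare current state with the baseline; return (path, change, severity)."""
    report = []
    for path, severity in policy.items():
        if not os.path.exists(path):
            if path in database:
                report.append((path, "removed", severity))
        elif path not in database:
            report.append((path, "added", severity))
        elif _signature(path) != database[path]:
            report.append((path, "modified", severity))
    return report

def demo():
    """Constructed scenario in a temp dir: modify one file, delete another."""
    d = tempfile.mkdtemp()
    files = {"passwd": "high", "motd": "low", "shadow": "high"}
    for name in files:
        with open(os.path.join(d, name), "w") as f:
            f.write("original " + name)
    policy = {os.path.join(d, n): sev for n, sev in files.items()}
    db = initialize(policy)
    with open(os.path.join(d, "passwd"), "a") as f:   # tamper with passwd
        f.write("\ntampered line")
    os.remove(os.path.join(d, "motd"))                 # delete motd
    return [(os.path.basename(p), c, s) for p, c, s in check(policy, db)]

if __name__ == "__main__":
    for name, change, severity in demo():
        print(f"{change:9s} {severity:5s} {name}")
```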
A popular program for detecting access attempts (via the network) and port scans is Snort. The program produces files that log these types of activities and even gives some idea of where to find out more information. It has the same problem as other log files: it gets tough for a busy system administrator to review all the log files on a regular basis.
Firewalls
A firewall is a device that protects a private network from the wider Internet.
The simplest form of firewall is a Linux machine with one network connection (an Ethernet card or modem) connected to the Internet and the other connected to the private network. The firewall computer can reach both the protected network and the Internet. The traffic between the protected network and the Internet is controlled, in both directions, by a list of rules. These rules can be customized for your needs.
CoyoteLinux.com has a firewall system that fits on a floppy and doesn't need a hard disk to run. It is designed specifically to address the need for an easy-to-install, no-nonsense Linux firewall.
All data flowing between the Internet and the private network is filtered by the firewall. Inside the private network less care needs to be taken with turning off services and the like. It is a way of concentrating effort on making one machine secure and protecting many others in the process. The methods for correctly setting up firewalls are quite complex.
First you have to configure your machine for two Ethernet cards. Then you have to use the ipchains/iptables software to set up the filters that control what passes between the two Ethernet cards.
The main drawback with making your systems more secure is that they become less accessible. The idea behind ramping up your system's security is to stop crooks, thieves and malcontents from using your computers, while letting the legitimate users use the system.
Tools
Tools for defense can be grouped into four categories:
* log monitoring
* connection monitoring
* host-based intrusion detection
* network-based intrusion detection
Log Monitoring
These tools will watch over your log files and help you detect security-related events (actually, based on the rules, you can have them detect any type of event). Either by default, or through configuration, they can e-mail you the alerts.
* autobuse
* logcheck
* Logwatch
* swatch
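A small logcheck/swatch-style monitor, as an added example that is not part of the original slides or of any of the tools listed: a rule set of regexes with severities is run over constructed syslog lines, and repeated SSH failures from one source are raised as a single alert. The rule set and the threshold are assumptions.

```python
"""logcheck/swatch-style log monitor (added example, not the tools' code)."""
import re
from collections import Counter

# Rules in the style of logcheck/swatch: a regex and an alert kind.
# Rules and threshold below are assumptions for this example.
RULES = [
    (re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)"), "failed-login"),
    (re.compile(r"sshd\[\d+\]: Accepted password for root from (\S+)"), "root-login"),
    (re.compile(r"su\[\d+\]: FAILED su for root by (\S+)"), "su-failure"),
]
FAILED_LOGIN_THRESHOLD = 3   # alert when one source fails this many times

def scan(lines):
    """Return a list of (kind, message) alerts for the given log lines."""
    alerts = []
    failures = Counter()
    for line in lines:
        for pattern, kind in RULES:
            m = pattern.search(line)
            if not m:
                continue
            if kind == "failed-login":
                _user, src = m.groups()
                failures[src] += 1      # aggregated below instead of one alert per line
            else:
                alerts.append((kind, line.strip()))
    for src, n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts.append(("brute-force", f"{n} failed SSH logins from {src}"))
    return alerts

# Constructed sample syslog lines (not real logs).
SAMPLE_LOG = """\
Mar  3 10:01:02 host sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2
Mar  3 10:01:05 host sshd[2203]: Failed password for root from 203.0.113.5 port 4023 ssh2
Mar  3 10:01:09 host sshd[2205]: Failed password for invalid user test from 203.0.113.5 port 4024 ssh2
Mar  3 10:02:00 host sshd[2210]: Accepted password for root from 192.0.2.9 port 5100 ssh2
Mar  3 10:03:11 host su[2220]: FAILED su for root by bob
Mar  3 10:04:00 host cron[2230]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()

if __name__ == "__main__":
    for kind, msg in scan(SAMPLE_LOG):
        print(f"[{kind}] {msg}")
```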
Connection Monitoring
When connected to the Internet, unless a firewall is in place, other systems can connect to yours. These tools will help you know who is connecting to your box, even to the point of detecting stealth scans that normal logging will not catch.
* ippl
* jail
* klaxon
* portsentry
* tcplogd
Linux Firewalls
* Define a network security policy
* Use a secure Linux distro for your firewall
* Harden your firewall
  o Install the minimum number of packages
  o Turn all unused services off
  o Disallow user logins
* Define a set of firewall rules
* Define egress and ingress filters
* You'd probably need IP masquerade or NAT
  o Allows internal machines to get out on the net
  o Outside world sees these internal machines as www.foo.com
* Start with existing/proven/simple example firewall configurations
* Test your firewall from the inside and outside
  o Apply all known exploits and vulnerabilities
  o Apply all known hacking tools and attacks
  o Apply all known rootkits
3-line IP Masquerade (LinuxDoc.org)
ipchains -P forward DENY
ipchains -A forward -i ppp0 -j MASQ
echo 1 > /proc/sys/net/ipv4/ip_forward
Egress and Ingress Filtering
* Ingress filtering: incoming network traffic entering your LAN
  o IETF.org RFC2827.txt
  o Sans.org Packet_filter - ingress/egress
  o Sans.org Firewall Issues
* Egress filtering: outgoing network traffic leaving your LAN
  o Sans.org Top Ten Blocking Recommendations Using IPChains
  o Sans.org ipchains Egress Rules
  o Sans.org Egress Filtering - cisco
  o Sans.org Egress Filtering (same as above)
  o Incidents.org Egress - cisco
Port redirectors and proxies
* ReDir: port redirector
* Reverse Pimpage Revision: remotely access machines behind a firewall
* Reverse Utilities: telnet/http/ssh access to machines behind a firewall
* Sock5
* SourceForge.net Tsocks
* SourceForge.net socksd
* inet.no dante
* Umich.edu nylon
* SolSoft NSM proxy-based firewall
* httpf: filters out java, js, etc.
* tproxy (Squid-Cache.org)
* TIS Proxy Server
ACE
ACE = Application control engine
ACE provides application and network operations management with new levels of control over the way they deploy, operate, deliver, secure and manage their applications and business services across the extended enterprise. It helps enable greater control over the application infrastructure, allowing organizations to quickly deploy and migrate applications, delivering the highest levels of service to the end user while simplifying the overall management and operation of a data center.
FWSM
FWSM = Firewall Service Module
MARS
MARS = Monitoring, Analysis and Response System
Inspection Compared
HTTP Inspection
RFC 2616 compliance and filtering
* Protocol conformance: the first line of a request begins "Method SP" and that of a response begins "HTTP-Version SP", etc.
* De-obfuscation: counter attempts to avoid regex searches by encoding the URL
* Methods: OPTIONS, GET, POST, HEAD, PUT, DELETE, TRACE, CONNECT
* Extensions: INDEX, MOVE, MKDIR, COPY, EDIT, UNEDIT, SAVE, LOCK, NLOCK, REVLABEL, REVLOG, REVNUM, SETATTRIBUTE, GETATTRIBUTE, GETATTRIBUTENAMES, GETPROPERTIES, STARTREV, STOPREV
Length and encoding checks
* Length: configurable range for URL and URL header in requests and responses
* Encoding: chunked | compress | deflate | gzip | identity
Detect HTTP misuse
* Peer-to-peer (P2P) applications: Kazaa, Gnutella
* Tunneling applications: HTTPort/HTTHost, FireThru
* Instant messaging: IM (Yahoo Messenger)
MIME type validation and filtering (ACE only)
* Audio: /*, /midi, /basic, /mpeg, /x-adpcm, /x-aiff, /x-ogg, /x-wav (8)
* Image: /*, /cgf, /gif, /jpeg, /png, /tiff, /x-3ds, /x-bitmap, /x-niff, /x-portable, /x-xpm (11)
* Text: /*, /css, /html, /plain, /richtext, /sgml, /xmcd, /xml (8)
* Video: /*, /-flc, /mpeg, /quicktime, /sgi, /x-avi, /x-fli, /x-mng, /x-msvideo (9)
* Application: /msword, /octet-stream, /pdf, /postscript, /vnd.ms-excel, /vnd.mspowerpoint, /x-gzip, /x-java-archive, /x-java-vm, /zip (10)
Regex filtering on HTTP messages (ACE only)
* Detect a protocol running on top of HTTP, e.g. to detect Yahoo Messenger, look for YMSG in the first 4 bytes
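The inspection checks listed above, as an added example in Python that is not ACE or FWSM code: request-line conformance, the method and extension allow-lists from the slide, an assumed configurable URL length range, URL de-obfuscation (percent-decoding) before regex filtering, and the YMSG first-4-bytes test. The regex filters and the sample requests are constructed for the example.

```python
"""Toy HTTP request inspector (added example, not ACE/FWSM code)."""
import re
from urllib.parse import unquote

METHODS = {"OPTIONS", "GET", "POST", "HEAD", "PUT", "DELETE", "TRACE", "CONNECT"}
EXTENSIONS = {"INDEX", "MOVE", "MKDIR", "COPY", "EDIT", "UNEDIT", "SAVE", "LOCK",
              "NLOCK", "REVLABEL", "REVLOG", "REVNUM", "SETATTRIBUTE", "GETATTRIBUTE",
              "GETATTRIBUTENAMES", "GETPROPERTIES", "STARTREV", "STOPREV"}
URL_LENGTH = (1, 256)                       # assumed configurable range
# Assumed regex filters; applied to the decoded URL so encoding cannot hide a match.
URL_FILTERS = [re.compile(r"\.\./"), re.compile(r"/etc/passwd")]
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) (HTTP/\d\.\d)$")

def inspect(raw: bytes, allow_extensions=False):
    """Return 'allow' or 'deny: <reason>' for one raw request."""
    if raw[:4] == b"YMSG":                  # Yahoo Messenger riding on the HTTP port
        return "deny: YMSG protocol on HTTP port"
    first = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    m = REQUEST_LINE.match(first)
    if not m:                               # conformance: Method SP URI SP Version
        return "deny: request line not 'Method SP Request-URI SP HTTP-Version'"
    method, url, _version = m.groups()
    allowed = METHODS | (EXTENSIONS if allow_extensions else set())
    if method not in allowed:
        return f"deny: method {method} not permitted"
    if not URL_LENGTH[0] <= len(url) <= URL_LENGTH[1]:
        return f"deny: URL length {len(url)} outside range"
    decoded = unquote(unquote(url))         # de-obfuscate, including double encoding
    for pat in URL_FILTERS:
        if pat.search(decoded):
            return f"deny: URL matches filter {pat.pattern!r}"
    return "allow"

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "normal":  b"GET /index.html HTTP/1.1\r\nHost: www.foo.com\r\n\r\n",
    "encoded": b"GET /cgi-bin/%2e%2e%2fetc%2fpasswd HTTP/1.0\r\n\r\n",  # encoded ../
    "badline": b"GET/index.html HTTP/1.1\r\n\r\n",
    "ext":     b"MKDIR /share/new HTTP/1.1\r\n\r\n",
    "ymsg":    b"YMSG\x00\x0b\x00\x00",
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:8s} {inspect(req)}")
```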