Arthur Petrosyan arthursci'am

1
Network Security Practices for Research and
Education Networks

• Arthur Petrosyan (arthur_at_sci.am)
• Academic Scientific Research Network of Armenia
  (ASNET-AM)
• Institute for Informatics and Automation Problems
  (IIAP) of the National Academy of Sciences of
  Armenia (NAS RA)
• www.asnet.am www.sci.am

2
Outline

• ASNET-AM overview
• Free and OpenSource Software for RENs
• Multiple layer onion approach
• Firewalls
• IDS -Intrusion Detection Systems
• Link-level security (Ssh,)
• VPN - virtual tunneling
• Anti-SPAM
• Host security
• TCP Wrappers
• Root Security
• Misc. Security Tips
• Tips to Secure your Apache Web Server
• Security Analysis Tools
• Conclusion

3
Academic Scientific Research Network of Armenia
(ASNET-AM)

• Largest REN in Armenia
• Over 10 years of experience in IT Services
  Networking
• Distributed network in 4 cities of Armenia
• Complex network infrastructure (fiber, copper,
  wireless, dial-up)
• Wide range of Internet/Intranet network services
• IT Training Education

4
(No Transcript)
5
Use of Free and Open Source Software (FOSS) for
RENs

• Contrary to popular managerial belief, there is a
  plethora of reliable FOSS (OS, packages,
  utilities) for establishing, maintaining and
  monitoring secure systems and networks
• Cost isnt the only reason for using FOSS
• RENs often tend to use FOSS for a number of other
  reasons (many packages, required for Scientific
  Research are FOSS)
• FOSS and proprietary can work well together

6
Security issue

• Security issue - Unique to each user/company
• Is Never 100. Complete solution should contain
  three components (1-Prevention, 2- Detection,
  3-Reaction)
• Different Platforms different issues (Cisco,
  UNIX, Linux, Windows NT/2000/Pro/98/ME/XP/2003,
  Novell, etc.)
• Nothing is secure in default out of the box
  configuration
• Any system/application requires proper
  configuration

7
The onion approach

• Network security similar to an onion - both have
  multiple layers
• Every layer depends on the next layer to provide
  integrity

• Layered security is best
• Even obscurity is one layer
• The more layers, the better

8
Security Policy

• The core of the security onion is based on having
  good security policy
• Good security policy includes
• Appropriate OS choice and minimum installation
• Regular update of all critical programs
• OS patching
• Running an anti-virus, anti-spyware
• Enforcing good password policies...

9
Firewall-first line of network security
Control the flow of information into and out of
your network
External Networks (Internet)
Firewall
Internal network

• Hardware firewalls (Cisco, )
• Linux/UNIX based firewalls

10
IDS - Intrusion Detection Systems

• IDS - a valuable part of security scheme
• Burglar alarm system for your network
• Examples
• Snort - the de facto standard for intrusion
  detection/prevention
• DenyHosts - Python script to block SSH server
  brute force attacks (ASNET-AM about 500 brute
  force attacks blocked monthly)

http//denyhosts.sourceforge.net/
http//www.snort.org/
11
Link-level security

• Network connection encryption
• Ssh instead of Telnet
• Sftp instead of FTP
• Stunnel - Universal SSL Wrapper (encapsulation
  for POP3, IMAP, LDAP,etc.)
• SSL for HTTP, where needed

12
VPN - virtual tunnelling

• Many VPN realizations exist (PPTP, IPIP, GRE, PPP
  atop SSH, IPsec, FreeS/WAN, CIPE, etc.)
• VTUN - Simple effective client-server tunnelling
  application with wide spectrum of options
• IP, Serial (PPP,SLIP), Ethernet, Pipe tunnels,
  Encryption (BlowFish 128 bits), Compression
  (zlib,lzo), Traffic shaping, etc.
• Works both over TCP and UDP
• Uses universal TUN/TAP device driver, which is
  already included in the kernel of most UNIX
  distributions

http//vtun.sourceforge.net/
13
Anti-SPAM

• Unsolicited junk E-mail messages (SPAM) blocking
• RBLs (Realtime Block List)
• 11 RBLs proved to be effective at ASNET-AM
• spamcop.net
• spamhaus.org (sbl, xbl)
• dsbl.org
• abuseat.org
• spambag.org
• dul.ru
• ahbl.org
• njabl.org
• ordb.org
• msrbl.net
• dul.dnsbl.sorbs.net
• Spamassassin (www.spamassassin.org) highly
  customizable open source tool

ASNET-AM current result 95 of Spam is being
blocked!
14
Host security - Basic tools

• Separate security layer are actual hosts
• Ping/telnet/dig/host/traceroute/whois/netstat
  While there are many complex high-tech tools out
  there to assist in security auditing, don't
  forget about the basics!
• Every system administrator should be very
  familiar with these tools as most of them come
  with operating systems by default
• other FOSS tools
• arpwatch - monitor your ARP tables and notify you
  if and when a MAC/IP address pairing change
• tcpdump, netwatch, iptraf, ettercap, ntop -
  Realtime Network Protocol Monitors

15
TCP Wrappers

• TCP Wrapper layer to monitor and control
  servers incoming TCP traffic on application
  level
• Flexible effective configuration
  (/etc/hosts.allow, /etc/hosts.deny)
• man 5 hosts_access
• TCP wrapper support (also called "libwrap
  support") is mostly compiled into the sshd binary
  
• /etc/hosts.allow example
• sshd 192.168.
• /etc/hosts.deny example
• sshd ALL

16
Root Security

• No user must login directly as root
• PermitRootLogin no in /etc/ssh/sshd_config
• Administrators must login with their own
  accounts, and then use su to become root.
• This ensures accountability.
• Viable alternative of su is the sudo utility,
  which allows
• Limited privileges for specified user accounts
• Actions that can be taken by these accounts
• Timeout for logged in users, so they have to
  re-authenticate in order to use sudo
• Set TMOUT Shell Variable (TMOUT3600 in
  /etc/profile)

17
Misc. Security Tips

• Keep Network Services at a minimum (turn off
  unnecessary ports/apps)
• netstat nlpt to check current open ports/apps
• Restrict access to
• Mail server (access_db)
• Proxy server (ACLs)
• Define and configure access to particular Web
  resources (.htaccess) by Username/Password/IP
  address (Apache HTTP Server AAA)
• Ensure Strong Passwords at critical servers
• Periodical audit of Users/groups (Remove/Block
  inactive users)
• Proper File/folder access
• Use of Private IP-networks (RFC 1918) /10.,
  172.16., 192.168. addressing/ for internal
  networks
• Consider the use of a remote log server monitor
  the logs!
• Logging is useless without monitoring
• Regular Backups

18
Example Tips to Secure your Apache Web Server

• Hide your Apache version
• ServerTokens Prod, ServerSignature Off in
  httpd.conf
• Disable TRACE and TRACK methods
• Dont store critical data on the WWW server
  itself if possible (reverse proxy or remote
  database)
• Consider placing static content on a CD-ROM where
  possible
• Run Web server on non-standard port where
  applicable
• Control access to Web servers IP/port on
  Firewall level
• On dual-homed hosts bind only to required IP
  address
• Not trivial directory name for Website CMS part
  (backend) - http//mywebsite.domain.com/admin -
  bad choice
• Secure directories by Apache AAA mechanism
  (.htaccess) where applicable

19
Security Analysis Tools

• New security tools appear on the Internet every
  day.
• Tools discussed here are a minuscule sample of
  all that is currently available.
• Applications presented here have withstood the
  test of time and remain popular and viable
  security assessment tools today.
• A vigilant system administrator should also
  download and try many other tools.
• Knowing how these tools work will help to secure
  systems against attacks.

20
Conclusion

• No one single security measure is a panacea
• A combination of different methods works best
• Nothing is 100 secure
• Always proceed in these three ways
• Prevention
• Detection
• Reaction
• Monitor your network continuously!

21

• Thank You!

Arthur Petrosyan (arthur_at_sci.am) Academic
Scientific Research Network of Armenia (ASNET-AM)
www.asnet.am