Securing IT Assets with Linux - PowerPoint PPT Presentation

About This Presentation
Title:

Securing IT Assets with Linux

Description:

Monitoring sites can help in this process. ... invisible to the intruder who manages to bypass your existing security framework. ...

Slides: 33
Provided by: matthe104

Transcript and Presenter's Notes

1
Securing IT Assets with Linux
Presented by Matthew Will, Bass Associates, Inc. and Steven Kohrs, Open Source Experts
2
Securing IT Assets with Linux: Security in Today's Internet
  • The Internet resources currently available to individuals, businesses, and organizations allow for the innovative exchange of information. However, the widespread storage and transfer of information creates an opportunity for security breaches, even in the most secure systems. It is important to recognize the sources of threat and take educated preventative measures.
  • Why is Security Important?
  • Security should be a concern in every situation, whether you're building a network for a small trucking firm or working for NASDAQ as a financial advisor.
  • The Internet is a vast system of information with varying degrees of confidentiality; it is inviting to criminal activity because users may be as anonymous as they want. Internet crime continues to grow, so it is important that security be a serious consideration for every user.
  • Statistics About Common Threats
  • CERT/CC (Computer Emergency Response Team Coordination Center)
  • a national computer response team that addresses and records security issues
  • publishes lists of statistics dealing with computer security


3
Securing IT Assets with Linux: Security in Today's Internet
  • Future Potential Security Problems
  • The need for security in the future will be even greater than it is now. Hopefully by then most basic security precautions will be second nature.
  • However, even in the future when higher security measures are taken, new ways will be developed to get around them.
  • There is no guaranteed way to know what the future security concerns will be, only the guarantee that security will always be an issue.
  • Futility of Security
  • Security will always be an ongoing process. Security is much like trying to patch holes in a dam. Although some of the water might occasionally leak through, it is important to never stop patching holes; enough holes and the dam falls apart.
  • Always be on the watch for security holes. Monitoring sites can help in this process. Join trusted list services that deal with security problems.

4
Securing IT Assets with Linux: Security in Today's Internet
  • Security is Never 100%
  • There is NO way to be completely secure. Skilled crackers can gain entrance to secure systems without leaving a trace.
  • Government agencies, like the CIA and FBI, have been breached before, despite their almost unlimited resources and abilities. Lately the CIA and the FBI have been off-limits for crackers, but this is mainly because of their ability to catch crackers, not because they can prevent them from breaking in.
  • Solutions for an Insecure World
  • What should we do to protect ourselves? There are several methods of security planning.
  • Protect a system from inside and outside attacks.
  • Basic protection methods include:
  • set up firewalls to protect networks; set up firewalls behind firewalls
  • set up tripwires to send alerts if an unauthorized person gains access
  • patch those security holes and perform regular backups
  • use encryption when sending/receiving any data

5
Securing IT Assets with Linux: Firewall using IPTABLES
  • Without some form of security, a connection between a local network and the Internet is an unrestricted pathway. Users inside the network can use resources outside of the network and vice versa. This accessibility can be beneficial. However, for security, outside access to the network should be restricted, monitored, and controlled. The most common method of controlling the flow of information on a network is through the use of packet filtering programs such as iptables.
  • Packet Filtering
  • Data is sent across networks in the form of packets containing information on the packet's origin, destination, and protocol.
  • A packet filter is a program which examines the packets as they enter or leave a system, selectively restricting passage.

6
Securing IT Assets with Linux: Firewall using IPTABLES
  • Why filter?
  • Filtering packets increases security.
  • Prevent outsiders from using services on a system.
  • Prevent malicious attacks such as Denial of Service (DoS) and ping flood attacks.
  • Control the flow of information.
  • Prevent internal system users from using certain sites or types of protocols.

7
Securing IT Assets with Linux: Firewall using IPTABLES
  • The Rules Chain Concept
  • The most common method used by packet filtering for the organization of the filters is the rules chain. A rule chain contains a listing of each filter, or rule, that has been configured on the local system.
  • Linux uses four main chains:
  • Input: packets traveling to the host
  • Output: packets leaving from the host
  • Forward: packets received by the host that will be forwarded by the host
  • User Defined: a special type of chain created by the user that receives packets from the three main chains for processing
  • Rules chains allow for complex filtering of data entering or leaving a system while making it easy to install and maintain the rules.

8
Securing IT Assets with Linux: Firewall using IPTABLES
  • What is iptables?
  • iptables is the building block of a framework inside the Linux kernel. This framework enables packet filtering, network address translation (NAT), network port translation (NPT), and other packet mangling.
  • iptables is a generic table structure for the definition of rulesets. Each rule within an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target).
  • What can I do with iptables?
  • build Internet firewalls based on stateless and stateful packet filtering
  • use NAT and masquerading for sharing Internet access
  • use NAT to implement transparent proxies
  • do further packet manipulation (mangling) like altering the bits of the IP header
  • http://www.netfilter.org/
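
As an added example that is not part of the slides or of the netfilter project, the script below builds a ruleset in iptables-restore format that exercises the chain types described above: default-DROP policies on INPUT and FORWARD, a user-defined MGMT chain that INPUT hands LAN traffic to, stateful acceptance of established connections, and masquerading so the LAN can share one Internet connection. The interface names, the LAN prefix and the helper names are assumptions; override LAN_IF, WAN_IF and LAN_NET for your own host.

```shell
#!/bin/sh
# Added example, not from the slides: an iptables-restore ruleset that uses
# the INPUT, OUTPUT, FORWARD chains plus a user-defined chain. Interface
# names and the LAN prefix are assumptions; override them via the environment.
LAN_IF="${LAN_IF:-eth1}"                 # assumed inside interface
WAN_IF="${WAN_IF:-eth0}"                 # assumed Internet-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # constructed private range

# Print the ruleset in the format iptables-restore reads.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MGMT - [0:0]
# INPUT: packets addressed to this host
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $LAN_IF -s $LAN_NET -j MGMT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -j LOG --log-prefix "iptables-drop: " --log-level 4
# MGMT: user-defined chain; only LAN sources reach it, only SSH is allowed
-A MGMT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A MGMT -j RETURN
# FORWARD: the LAN may initiate to the Internet; only replies come back in
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# Number of -A rules in the generated ruleset (a quick sanity check).
rule_count() {
    build_ruleset | grep -c '^-A'
}

# Load the rules only when asked explicitly: iptables-restore replaces the
# current tables atomically and needs root.
if [ "${1:-}" = "--apply" ]; then
    build_ruleset | iptables-restore
fi
```

Packets that fall through MGMT return to INPUT and end at the LOG rule and the DROP policy, so a LAN host probing anything but SSH produces a syslog line rather than a silent drop; the rate-limited ICMP rule is the slide's "ping flood" point in practice.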

9
Securing IT Assets with Linux: Snort, An Intrusion Detection System
  • Why Use Intrusion Detection?
  • Intrusion detection devices are an integral part of any network. The Internet is constantly evolving, and new vulnerabilities and exploits are found regularly. They provide an additional level of protection to detect the presence of an intruder, and help to provide accountability for the attacker's actions.
  • Snort
  • Detect and alert based on pattern matching for threats including buffer overflows, stealth port scans, CGI attacks, SMB probes and NetBIOS queries, NMAP and other portscanners, well-known backdoors and system vulnerabilities, DDoS clients, and many more.
  • Use syslog, SMB "WinPopUp" messages, or a file to alert an administrator.
  • Develop new rules quickly once the pattern (attack signature) is known for the vulnerability.
  • Record packets in their human-readable form from the offending IP address in a hierarchical directory structure.
  • Used as a "passive trap" to record the presence of traffic that should not be found on a network, such as NFS or P2P connections.
  • http://www.linuxsecurity.com/feature_stories/using-snort.html

10
Securing IT Assets with Linux: Snort, An Intrusion Detection System
  • Where to Place a Snort System?
  • Its effectiveness depends largely on where on your network Snort runs and how that computer is connected to the rest of your network.
  • Hubs vs. switches
  • Although switches are better for network efficiency, hubs are better for use with Snort. However, some switches can be configured to echo all traffic to a specific port in addition to sending the data to the destination computer. Consult your switch's documentation to learn if yours can do this. If it can't, you may be limited in your ability to monitor internal traffic.
  • Firewalls
  • If you put Snort outside of the firewall, it can monitor external attacks on your network, but won't see most internal traffic. If you put Snort behind the firewall, it can monitor internal traffic and attacks that manage to breach the firewall, but not attacks blocked by the firewall.
  • http://www.linux-mag.com/2003-05/guru_01.html

12
Securing IT Assets with Linux: Snort, An Intrusion Detection System
  • How to keep Snort rules up to date?
  • Oinkmaster
  • Oinkmaster is a simple Perl script released under the BSD license to help you update your Snort 2.0 rules and comment out the unwanted ones after each update. It also has a few other useful features regarding rules management. Oinkmaster will tell you exactly what has changed since the last update, giving you good control of your rules. It is most often used to update the official rules from www.snort.org, but can just as well be used for managing/distributing your homemade rules.
  • What problem does Oinkmaster solve?
  • Since we always want to run the latest and greatest rules, we download the new rules from www.snort.org as soon as they have been updated. Oops: all our customized rules are now overwritten, and we have to do it all over again. This is where Oinkmaster comes in: it will automatically do those boring modifications to the rules that you would usually have to do manually after each update.
  • www.snort.org/dl/rules
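
Added example, written for this page and not taken from the Oinkmaster project: a small shell script that does in miniature what the two Snort slides describe. It keeps a list of rule SIDs that should stay disabled, re-applies that list after a fresh rules download, and reports which active rules were added or dropped since the previous rule set. The rules it writes are constructed samples in Snort's rule syntax (local SID range), and the function names are my own.

```shell
#!/bin/sh
# Added example, not Oinkmaster itself: re-apply local "disable this SID"
# decisions after a rules update and report what changed. All rules below
# are constructed samples, not the official snort.org rule set.

# Write a small, constructed Snort rules file to $1.
write_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample rules (local SID range)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"SAMPLE FTP anonymous login"; content:"USER anonymous"; nocase; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6881:6889 (msg:"SAMPLE P2P BitTorrent port"; flags:S; sid:1000002; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"SAMPLE NFS access from outside"; sid:1000003; rev:1;)
EOF
}

# Comment out every active rule whose sid is listed: disable_sids FILE SID...
# (the same job as Oinkmaster's disablesid directive).
disable_sids() {
    file=$1; shift
    for sid in "$@"; do
        sed "/^alert .*sid:$sid;/s/^/# /" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    done
}

# Count rules that are still active (not commented out).
active_rule_count() {
    grep -c '^alert' "$1"
}

# Report active rules that differ between OLD and NEW: "+ rule" was added,
# "- rule" was removed or disabled. Both lists are sorted for comm(1).
rules_changes() {
    grep '^alert' "$1" | sort > "$1.active"
    grep '^alert' "$2" | sort > "$2.active"
    comm -13 "$1.active" "$2.active" | sed 's/^/+ /'
    comm -23 "$1.active" "$2.active" | sed 's/^/- /'
    rm -f "$1.active" "$2.active"
}

# One update run: fetching NEW_FILE from the rules URL is left to the
# operator (wget/curl); this step re-disables local choices, prints the
# change report, and installs the new file: update_rules CURRENT NEW SID...
update_rules() {
    cur=$1; new=$2; shift 2
    disable_sids "$new" "$@"
    rules_changes "$cur" "$new"
    mv "$new" "$cur"
}
```

Reviewing the "+"/"-" report before restarting Snort is the control the slide is after: a rule that silently vanished from the upstream set is as worth noticing as a new one.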

13
Securing IT Assets with Linux: Packet Sniffer - Ethereal
  • Network Protocol Analyser
  • capture live IP frames off the wire or save the capture for later analysis
  • data can be read from Ethernet, PPP, Token-Ring, IEEE 802.11, etc.
  • browse data via a GUI or in TTY mode
  • over 500 protocols can be dissected
  • filter data to find exactly what you want
  • monitor the traffic on your network
  • verify misuse of your network by internal users
  • a great way to locate attacks by monitoring suspicious activity
  • http://www.ethereal.com/

14
Securing IT Assets with Linux: Monitoring Network Integrity with Nmap
  • Network Intrusion Detection Systems (NIDS) are one way to maintain network integrity. However, a commercial NIDS can be costly to install and maintain.
  • If you can't afford a NIDS, basic network mapping techniques are still beneficial. The best tool for network scanning, also known as port scanning, is the open-source Nmap.
  • Nmap performs all sorts of network scans, from simple ping scans to see what hosts on a network are "alive" to more advanced scans by protocol and packet type.
  • Nmap is clearly designed to enable rapid pinpointing of hosts vulnerable to attack, and that's exactly its strength.
  • Nmap scans a list of target machines and outputs a list of the interesting ports on each.
  • Protected areas behind firewalls are frequently left unrestricted. This is folly: most security breaches are inside jobs, and a firewall is no substitute for good host-based security. On a properly secured host, ALL network traffic should be accounted for, incoming and outgoing.
  • Periodic nmap scans are a key component of any well-rounded security infrastructure.
  • http://www.certcities.com/editorial/columns/story.asp?EditorialsID=109
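
Added example (my own script, not from the slides or the column they cite): the "periodic nmap scans" idea turned into a baseline comparison. A scan of your own hosts is saved in nmap's greppable output format, and each later scan is compared against the saved baseline so that a port that newly opened on a host shows up as a one-line alert. Only run_scan invokes nmap; the two scan files the functions are exercised with are constructed samples in that format, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the slides: compare periodic nmap scans of your
# own hosts against a saved baseline and report ports that newly opened or
# closed. Scan files use nmap's greppable (-oG) format.

# Scan the given targets and save greppable output: run_scan OUTFILE TARGETS...
run_scan() {
    out=$1; shift
    nmap -oG "$out" "$@"
}

# List "host port/proto" for every open port in a greppable scan file.
open_ports() {
    awk -F'\t' '/^Host:/ && /Ports:/ {
        split($1, h, " "); host = h[2]
        for (i = 2; i <= NF; i++) if ($i ~ /^Ports:/) {
            sub(/^Ports: /, "", $i)
            n = split($i, p, ", ")
            for (j = 1; j <= n; j++) {
                split(p[j], f, "/")      # port/state/proto/owner/service/...
                if (f[2] == "open") print host, f[1] "/" f[3]
            }
        }
    }' "$1" | sort
}

# Compare two scan files: "+ host port" newly open, "- host port" no longer open.
port_changes() {   # port_changes BASELINE CURRENT
    open_ports "$1" > "$1.ports"
    open_ports "$2" > "$2.ports"
    comm -13 "$1.ports" "$2.ports" | sed 's/^/+ /'
    comm -23 "$1.ports" "$2.ports" | sed 's/^/- /'
    rm -f "$1.ports" "$2.ports"
}

# Constructed sample scan files in -oG format (not real scan output), so the
# comparison can be exercised without nmap: write_sample_scan FILE baseline|current
write_sample_scan() {
    printf '# Nmap scan (constructed sample)\n' > "$1"
    printf 'Host: 192.168.1.10 (files)\tPorts: 22/open/tcp//ssh///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)\n' >> "$1"
    if [ "$2" = baseline ]; then
        printf 'Host: 192.168.1.20 (mail)\tPorts: 25/open/tcp//smtp///, 110/closed/tcp//pop3///\n' >> "$1"
    else
        # a port appeared on the mail host since the baseline was taken
        printf 'Host: 192.168.1.20 (mail)\tPorts: 25/open/tcp//smtp///, 110/closed/tcp//pop3///, 31337/open/tcp//Elite///\n' >> "$1"
    fi
}
```

A cron job that runs run_scan into a dated file and mails the non-empty output of port_changes against the approved baseline is the whole monitoring loop; the baseline is only updated after someone has explained each "+" line.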

15
Securing IT Assets with Linux: System Monitoring
  • Check the Log Files
  • When monitoring a network for possible breaches, the log files are a rich source of data. They provide a vast amount of information concerning login attempts, system messages, and remote access. Using this information, the detection of a break-in and perhaps the subsequent identification of the intruder is possible.
  • Security Audits
  • The key elements of network security are the ability to analyze a network for tampering and the correction of vulnerabilities which could possibly invite a breach. There are two types of software and techniques available to aid administrators with either issue.
  • One type deals with intruder detection: detecting whether a security breach has occurred and whether anything has been altered, moved, or deleted.
  • Another type of security measure is to implement a way of testing a network for security weaknesses. Ideally, security breaches in the network will not occur at all, and to prevent those breaches, preventive measures are extremely important.
  • Several programs aid a network administrator in both of these types of security analysis.
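
Added example (not from the slides) for the "check the log files" point above: a shell script that reads the kind of sshd entries an auth log holds, counts failed password attempts per source address, flags sources over a threshold, and cross-checks successful logins against the flagged sources so that a password login from an address that was just hammering the host stands out. The log lines embedded in it are constructed samples in syslog format; the function names and the threshold are my own choices.

```shell
#!/bin/sh
# Added example, not part of the slides: pick login-attempt information out
# of an auth log. The log lines are constructed samples in the usual
# syslog/sshd format; point the functions at /var/log/auth.log (or
# /var/log/secure) on a real host.

# Write constructed sample log lines to $1.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 10:01:12 gw sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 4412 ssh2
Mar  3 10:01:15 gw sshd[2201]: Failed password for root from 203.0.113.7 port 4413 ssh2
Mar  3 10:01:19 gw sshd[2203]: Failed password for root from 203.0.113.7 port 4414 ssh2
Mar  3 10:01:22 gw sshd[2204]: Failed password for invalid user test from 203.0.113.7 port 4415 ssh2
Mar  3 10:02:01 gw sshd[2210]: Accepted publickey for alice from 192.168.1.5 port 51022 ssh2
Mar  3 10:03:30 gw sshd[2215]: Failed password for root from 198.51.100.9 port 3333 ssh2
Mar  3 10:04:02 gw sshd[2220]: Accepted password for root from 203.0.113.7 port 4420 ssh2
Mar  3 10:05:00 gw CRON[2230]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
}

# Failed password attempts per source address, most frequent first:
# prints "COUNT IP" lines.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        count[ip]++
    } END { for (ip in count) print count[ip], ip }' "$1" | sort -rn
}

# Source addresses with at least THRESHOLD failures: flag_sources LOG THRESHOLD
flag_sources() {
    failed_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Successful logins as "USER METHOD IP".
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
        for (i = 1; i <= NF; i++) {
            if ($i == "Accepted") method = $(i + 1)
            if ($i == "for") user = $(i + 1)
            if ($i == "from") ip = $(i + 1)
        }
        print user, method, ip
    }' "$1"
}

# Logins that succeeded from an address that had at least THRESHOLD failures:
# suspicious_logins LOG THRESHOLD
suspicious_logins() {
    flag_sources "$1" "$2" > "$1.flagged"
    accepted_logins "$1" | while read -r user method ip; do
        if grep -qx "$ip" "$1.flagged"; then
            echo "$user $method $ip"
        fi
    done
    rm -f "$1.flagged"
}
```

In the sample, 203.0.113.7 fails four times and then logs in as root with a password; suspicious_logins prints exactly that line, which is the "detection of a break-in" the slide describes, and the source address is the starting point for identifying the intruder.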

16
Securing IT Assets with Linux: Nessus
  • Nessus is a professional-grade security scanner, but it's a free and 100% customizable one.
  • Plug-in architecture. Each security test is written as an external plugin. This way, you can easily add your own tests without having to read the code of the nessusd engine.
  • NASL. The Nessus Security Scanner includes NASL (Nessus Attack Scripting Language), a language designed to write security tests easily and quickly. (Security checks can also be written in C.)
  • Up-to-date security vulnerability database. We mostly focus on the development of security checks for recent security holes. Our security checks database is updated on a daily basis.
  • Client-server architecture. The Nessus Security Scanner is made up of two parts: a server, which performs the attacks, and a client, which is the front-end. You can run the server and the client on different systems. That is, you can audit your whole network from your personal computer, whereas the server performs its attacks from the mainframe which is upstairs.
  • Can test an unlimited number of hosts at the same time. Depending on the power of the station you run the Nessus server on, you can test two, ten or forty hosts at the same time.
  • Smart service recognition. Nessus does not believe that the target hosts will respect the IANA assigned port numbers. This means that it will recognize an FTP server running on a non-standard port (31337, say), or a web server running on port 8080.

17
Securing IT Assets with Linux: Nessus
  • Nessus
  • Multiple services. Imagine that you run two web servers (or more) on your host, one on port 80 and another on port 8080. When it comes to testing their security, Nessus will test both of them.
  • Tests cooperation. The security tests performed by Nessus cooperate so that nothing useless is done. If your FTP server does not offer anonymous logins, then anonymous-related security checks will not be performed.
  • Complete reports. Nessus will not only tell you what's wrong on your network, but will, most of the time, tell you how to prevent crackers from exploiting the security holes found and will give you the risk level of each problem found (from Low to Very High).
  • Exportable reports. The Unix client can export Nessus reports as ASCII text, LaTeX, HTML, "spiffy" HTML (with pies and graphs) and an easy-to-parse file format.
  • Full SSL support. Nessus has the ability to test SSLized services such as https, smtps, imaps, and more. You can even supply Nessus with a certificate so that it can integrate into a PKI-fied environment.
  • Smart plugins (optional). Nessus will determine which plugins should or should not be launched against the remote host (for instance, this prevents the testing of Sendmail vulnerabilities against Postfix).

18
Securing IT Assets with Linux: Nessus
  • Nessus
  • Non-destructive (optional). If you don't want to take the risk of bringing down services on your network, you can enable the "safe checks" option of Nessus, which will make Nessus rely on banners rather than exploiting real flaws to determine if a vulnerability is present.
  • Nessus Plugins
  • Backdoors - CGI abuses - CISCO - Default Unix Accounts - Denial of Service - Finger abuses - Firewalls - FTP - Gain a shell remotely - Gain root remotely - Netware - NIS - Peer-To-Peer File Sharing - Port scanners - Remote file access - RPC - System Settings - SMTP problems - SNMP - Useless services - Windows - Windows User management
  • (There are 2095 plugins in the database, covering 1332 unique CVE ids and 1548 unique Bugtraq IDs)

19
Securing IT Assets with Linux: Intrusion Detection System
  • Tripwire
  • What is Tripwire software? Tripwire software is a tool that checks to see what has changed on your system. The program monitors key attributes of files that should not change, including binary signature, size, expected change of size, etc.
  • What is Tripwire used for? Tripwire is originally known as an intrusion detection tool, but can be used for many other purposes such as integrity assurance, change management, policy compliance and more.
  • Does Tripwire keep out intruders? Sadly speaking, no, but the whole essence of this system is to put into place invisible cameras on your system that are completely invisible to the intruder who manages to bypass your existing security framework. Thus Tripwire, running stealthily on your system, just sits and waits for something to go wrong. As soon as a violation occurs it throws a detailed postmortem, having analyzed the crime scenario. Thus Tripwire will help you determine damage to any of your data: whether it is corrupted, what the extent of damage over the network is, what system files have been replaced (possible placement of TROJANS on your system binaries) and, in general, the extent of damage.
  • http://www.freeos.com/articles/3404/
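
Added example of the mechanism the slide describes, not Tripwire's own code or database format: a baseline of hash and size for every file under a directory, and a check that reports files that changed, disappeared or appeared since the baseline was taken. Like Tripwire it only detects; the value depends on keeping the baseline file somewhere the intruder cannot rewrite it. The directory, database path and function names are assumptions.

```shell
#!/bin/sh
# Added example, not Tripwire's own code: record sha256 and size of every
# file under a directory, then report what changed. Keep the baseline on
# read-only or off-host storage, never inside the directory being watched.

# take_baseline DIR DBFILE: one "HASH SIZE PATH" line per regular file.
take_baseline() {
    find "$1" -type f | sort | while IFS= read -r f; do
        h=$(sha256sum "$f" | cut -d' ' -f1)
        s=$(wc -c < "$f" | tr -d ' ')
        printf '%s %s %s\n' "$h" "$s" "$f"
    done > "$2"
}

# check_integrity DIR DBFILE: prints CHANGED, REMOVED and ADDED lines;
# prints nothing when the directory still matches the baseline.
check_integrity() {
    dir=$1; db=$2
    take_baseline "$dir" "$db.now"
    sort "$db" > "$db.old_sorted"
    sort "$db.now" > "$db.new_sorted"
    cut -d' ' -f3- "$db" | sort > "$db.old_paths"
    cut -d' ' -f3- "$db.now" | sort > "$db.new_paths"
    # Baseline lines with no exact match now: the file was altered or removed.
    comm -23 "$db.old_sorted" "$db.new_sorted" | while read -r h s f; do
        if grep -qxF "$f" "$db.new_paths"; then
            printf 'CHANGED %s\n' "$f"
        else
            printf 'REMOVED %s\n' "$f"
        fi
    done
    # Paths the baseline has never seen: new files (possible dropped binaries).
    comm -13 "$db.old_paths" "$db.new_paths" | sed 's/^/ADDED /'
    rm -f "$db.now" "$db.old_sorted" "$db.new_sorted" "$db.old_paths" "$db.new_paths"
}

# Exit non-zero when violations exist, so a cron job can mail the report:
# integrity_ok /usr/bin /var/lib/baseline/usr-bin.db || mail -s "integrity" root
integrity_ok() {
    [ "$(check_integrity "$1" "$2" | grep -c .)" -eq 0 ]
}
```

A "CHANGED" line for a system binary that no package update explains is the replaced-system-file case the slide mentions; "ADDED" under a binaries directory is worth the same attention.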

20
Securing IT Assets with Linux: Samba 3.0 Does Windows Even Better
  • Enables machines to join an Active Directory domain as a native member and to authenticate users with LDAP and Kerberos. For companies that use Active Directory, these improvements can make a mixed-platform server environment easier to manage. One logon ID for both Windows and Linux systems.
  • Its capability as an NT-style primary domain controller offers sites that have held off on deploying Active Directory a strong option for replacing their Windows file and print servers with Linux boxes running Samba, for which they needn't buy client access licenses.
  • Samba will maintain user, group and domain security identifiers for businesses that are switching from Windows NT 4.0 domains to Samba domains.
  • 'Stacking' VFS (virtual file system) layer allows dynamic checking of file access.
  • Virus scanning, auditing, security.
  • SWAT (Samba Web Administration Tool)
  • a Web-based management and setup client that offers a basic interface into the universe of different configuration options for Samba.
  • http://www.eweek.com/article2/0,1759,1449497,00.asp?rsDisSamba_3.0_Does_Windows_Even_Better-Page001-110499
  • http://us1.samba.org/samba/ftp/slides/enterprisesamba.pdf

21
Securing IT Assets with Linux: Securing Microsoft Groupware Environments with Linux
  • Large portions of many mid- to large-size corporations have based their core IT infrastructure on Microsoft technologies.
  • It's much simpler to create malicious code if you only have to worry about one flavor of operating system or mail client or office suite, especially one that facilitates programmatic access either through built-in mechanisms (e.g. macros) or inherent security flaws (e.g. buffer overflows).
  • It is this very environment, which was designed to facilitate easy administration, global collaboration and information exchange, that requires the most protection.
  • Qmail
  • is a secure, reliable, efficient, simple message transfer agent.
  • Secure: Security isn't just a goal, but an absolute requirement. Mail delivery is critical for users; it cannot be turned off, so it must be completely secure.
  • Reliable: qmail's straight-paper-path philosophy guarantees that a message, once accepted into the system, will never be lost. qmail also supports maildir, a new, super-reliable user mailbox format. Maildirs, unlike mbox files and mh folders, won't be corrupted if the system crashes during delivery.
  • Efficient: qmail can easily sustain 200,000 local messages per day.

22
Securing IT Assets with Linux: Securing Microsoft Groupware Environments with Linux
  • Qmail
  • Simple: qmail is vastly smaller than any other Internet MTA.
  • (1) qmail has one simple forwarding mechanism that lets users handle their own mailing lists. (2) qmail-send is instantly triggered by new items in the queue. (3) qmail's design inherently limits the machine load.
  • In short, it's up to speed on modern MTA features.
  • Qmail-Scanner
  • an addon that enables a Qmail server to scan all gateway-ed email for certain characteristics (i.e. a content scanner).
  • typically used for its anti-virus protection functions, in which case it is used in conjunction with external virus scanners.
  • can be used as an archiving tool for auditing or backup purposes.
  • is integrated into the mail server at a lower level than some other Unix-based virus scanners, resulting in better performance.
  • is capable of scanning not only locally sent/received email, but also email that crosses the server in a relay capacity.

23
Securing IT Assets with Linux: Securing Microsoft Groupware Environments with Linux
  • Clam AntiVirus
  • is a GPL anti-virus toolkit for UNIX. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via the Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use with your own software. Most importantly, the virus database is kept up to date.
  • SpamAssassin
  • is one of the most well known spam fighting tools in the open source world. It is regularly maintained and updated, works for individual users as well as in site-wide configurations, is highly customizable and integrates with many different mail servers.
  • The never-ending battle
  • As your inbox no doubt proves, spammers get smarter every day, virus writers get more clever by the second and users never stop complaining about spam. As a result, you'll need to do regular checks for software updates to qmail, qmail-scanner, ClamAV, and (especially) SpamAssassin.
  • http://www.securityfocus.com/infocus/1772

24
Securing IT Assets with Linux: Paros / SPIKE - Fuzzing Detection
  • Paros
  • is an HTTP/HTTPS proxy for assessing web application vulnerability. It supports editing/viewing HTTP messages on-the-fly with client-certificate, proxy-chaining, filtering and intelligent vulnerability scanning.
  • works on a principle common to the new generation of Web security tools. It runs as a local proxy on your scanning workstation, and all the interaction between your local browser and the target Web server is brokered by the security tool.
  • can capture an outbound query, alter or fuzz it and then send it along to the server.
  • SPIKE
  • Automated SQL Injection Detection
  • Web Site Crawling (guaranteed not to crawl sites other than the one being tested)
  • Login form brute forcing
  • Automated overflow detection
  • Automated directory traversal detection

25
Securing IT Assets with Linux: F.I.R.E. - Forensics and Incident Response Environment
  • F.I.R.E.
  • is a single CD-ROM Linux distribution geared toward analyzing compromised systems and recovering data from them.
  • can be used either by rebooting the compromised system with the F.I.R.E. CD-ROM or by mounting the CD-ROM in a running but feared-compromised Linux system and running tools directly off the CD.
  • makes it easy to copy data from the compromised system to other hosts on your network.
  • includes the X Window System and a variety of both command-line and X-based security tools (including Nmap and Nessus).
  • can be used to transform an ordinary Windows laptop into an awesome penetration-testing juggernaut.
  • at no extra charge, F.I.R.E.'s major functions can be accessed from a menu system comprehensible even by those of us who aren't full-time computer forensics specialists.
  • http://www.linuxjournal.com/article.php?sid=7235

26
Securing IT Assets with Linux: Conclusion
  • Don't believe your network cannot be breached. Before making any software or hardware changes you should first answer one question: How will this affect security in this environment?
  • Keep up to date on all security technology. Don't let your security model become stagnant. New security holes or leaks are found almost on a daily basis.
  • Don't be afraid of Open Source or the products produced from the Open Source community.
  • "Open source is not just for hackers. It's a new way of organizing people to create complex products in a knowledge-based economy. Open Source is an alternative way of spurring innovation."
  • Steven Weber, author of The Success of Open Source, Harvard University. "Open Source's Untapped Potential", San Francisco Chronicle, April 19, 2004

27
Securing IT Assets with Linux: Discussion
Thank You for Attending
28
Securing IT Assets with Linux: Links and Additional Information
  • Webmin: manage nearly all system services from a web interface
  • www.webmin.com
  • Big Brother: monitor your network from printers to servers, right down to a specific service
  • www.bb4.com
  • Netfilter: iptables for Linux
  • www.netfilter.org
  • Tripwire: intruder detection
  • www.tripwire.org
  • Ethereal: packet sniffer utility to monitor network traffic
  • www.ethereal.com
  • SANS Internet Storm Center: cyber threat monitor and alert system
  • isc.sans.org

29
Securing IT Assets with Linux: Links and Additional Information
  • CERT: coordination center of Internet security
  • www.cert.org
  • Linux Security: Linux community for security
  • www.linuxsecurity.com
  • PacketStorm: portal for Linux security information
  • www.packetstorm.org
  • BugTraq: keep informed on bugs
  • www.bugtraq.org
  • Revolution OS: get the story on the open source movement (highly recommended)
  • www.revolution-os.com
  • Snort: Intrusion Detection System
  • www.snort.com

30
Securing IT Assets with Linux: Links and Additional Information
  • Oinkmaster: Snort rules manager / updater
  • oinkmaster.sourceforge.net
  • Nessus: system security scanner
  • www.nessus.org
  • Tripwire: file integrity checker
  • www.tripwire.org
  • Samba: file and printer sharing server
  • www.samba.org
  • qmail: safe and secure Mail Transport Agent (MTA)
  • www.qmail.org
  • qmail-scanner: content scanner for qmail
  • qmail-scanner.sourceforge.net

31
Securing IT Assets with Linux: Links and Additional Information
  • Clam AntiVirus: open source antivirus scanner
  • www.clamav.net
  • SpamAssassin: a mail filter to identify spam
  • www.spamassassin.org
  • Paros: Web application security assessor
  • www.proofsecure.com
  • SPIKE: Web application security assessor
  • www.immunitysec.com/spikeproxy.html
  • F.I.R.E.: Forensics and Incident Response Environment
  • fire.dmzs.com

32
Securing IT Assets with Linux: Contact Information

Bass Associates, Inc.
A HunTel Company
Matthew Will
2027 Dodge Street Suite 500
Omaha, NE 68102
402.346.1505
mwill_at_bass-inc.com
www.bass-inc.com

Open Source Experts
SiLK Enterprises, Inc.
Steven L. Kohrs
1536 N 105th Street
Omaha, NE 68114
402.498.0457
skohrs_at_opensourceexperts.com
www.OpenSourceExperts.com