Security Baselines - PowerPoint PPT Presentation
Slides: 41
Provided by: anned158

Transcript and Presenter's Notes

1
Security Baselines
  • Chapter 13

2
Overview
  • The many uses of systems and operating systems
    require flexible components that let users
    design, configure, and implement the systems
    they need.
  • This flexibility is the source of some of the
    biggest weaknesses, because vendors ship systems
    in a permissive default configuration.
  • The process of establishing a system's known,
    documented security state is called baselining;
    the baseline is what later changes and audits
    are measured against.

continued
3
OS/NOS Hardening
  • The process of modifying an OS's default
    configuration to make it more resistant to
    outside threats, in order to prevent:
  • Attacks: intentional acts by malicious
    individuals
  • Malfunctions: hardware or software failures
  • Errors: unintentional acts by users or
    administrators

4
Best Practices for System Hardening
  • Remove unused applications, services, and unused
    file shares
  • Implement and enforce strong password policies
  • Remove or disable expired or unneeded accounts
  • Limit number of administrative accounts
  • Set account lockout policies
  • Keep track of the latest security updates and
    hotfixes
  • Log all user-account and administrative
    activity
  • Back up the system periodically
  • Keep an external (off-host) log for each
    critical system
  • Maintain records of backups and upgrades

continued
5
File Systems
  • The OS sets privileges and access controls to
    protect information stored on the computer
  • Denying read access protects the confidentiality
    of information, whereas denying write access
    protects its integrity against unauthorized
    modification
  • Common privileges: read, write (modify), lock,
    append, and execute
  • Group users by common needs
  • Additional rights can be granted to a single user
    within a group
  • The principle of least privilege states that
    users should have rights only to those resources
    that are necessary to perform their job
    requirements.
  • Restrict access to OS system files, configuration
    files, and their directories

6
Common Practices for Setting File and Data
Privileges
  • On Windows NT systems: no permissions that allow
    the Everyone group to modify files
  • On Unix-like systems: set the immutable attribute
    on kernel and other critical system files (a
    file with this flag set cannot be changed in any
    way: not edited, not moved, and not replaced,
    even by root, until the flag is cleared)
  • Make all log files append-only, so an intruder
    can add to them but cannot erase earlier entries
  • Prevent users from installing, removing, or
    editing scripts
  • Pay attention to access control inheritance when
    defining categories of files and users.
    Administrators should disable a subdirectory's
    ability to override top-level security directives
    unless that override is required.
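Added example, not from the slides: a small Python audit of the file-privilege rules on slides 5 and 6. It walks a directory tree, flags world-writable entries (other than sticky directories such as /tmp) and sensitive files readable by non-owners, and applies the minimal fix. The sample tree, its paths, suffixes and modes are constructed here for the demonstration. The immutable and append-only attributes mentioned above are file-system flags (chattr +i / +a on Linux) that a permission-bit audit like this one does not see; check those with lsattr separately.

```python
import os
import stat
import tempfile

# Mode bits of interest: "other" write lets anyone modify the file,
# group/other read lets non-owners read it.
WORLD_WRITE = stat.S_IWOTH
NON_OWNER_READ = stat.S_IRGRP | stat.S_IROTH


def audit_tree(root, sensitive_suffixes=(".conf", ".key")):
    """Walk `root` and report least-privilege violations.

    Returns {"world_writable": [...], "readable_secret": [...]} with paths
    relative to `root`, sorted:
      world_writable  - anyone may modify (integrity of scripts/config at risk)
      readable_secret - a sensitive file readable by non-owners (confidentiality)
    """
    findings = {"world_writable": [], "readable_secret": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own bits are meaningless; audit its target instead
            rel = os.path.relpath(path, root)
            sticky_dir = stat.S_ISDIR(mode) and mode & stat.S_ISVTX
            if mode & WORLD_WRITE and not sticky_dir:
                # A sticky world-writable directory (like /tmp) is tolerated; nothing else is.
                findings["world_writable"].append(rel)
            if name.endswith(sensitive_suffixes) and mode & NON_OWNER_READ:
                findings["readable_secret"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def fix_findings(root, findings):
    """Apply the minimal correction: drop o+w, and make sensitive files owner-only (0600)."""
    for rel in findings["world_writable"]:
        path = os.path.join(root, rel)
        os.chmod(path, stat.S_IMODE(os.stat(path).st_mode) & ~WORLD_WRITE)
    for rel in findings["readable_secret"]:
        os.chmod(os.path.join(root, rel), 0o600)


def build_demo_tree():
    """Constructed sample tree (not from the slides) with two deliberate mistakes."""
    root = tempfile.mkdtemp(prefix="baseline-")
    layout = {
        "etc/app.conf": 0o644,     # config readable by everyone: should be flagged
        "etc/server.key": 0o600,   # correct
        "bin/deploy.sh": 0o777,    # world-writable script: should be flagged
        "var/log/app.log": 0o640,  # acceptable
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    # Pin directory modes so the demo does not depend on the caller's umask.
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    before = audit_tree(demo)
    print("before:", before)
    fix_findings(demo, before)
    print("after: ", audit_tree(demo))
```

Run it as the user who owns the tree; on a real system point audit_tree at /etc, the web root or a scripts directory and review the two lists before applying fix_findings.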

7
Installing and Configuring File Encryption
Capabilities
  • File encryption is useful if the OS:
  • Lacks adequate access controls to maintain
    confidentiality
  • Does not support access control lists (FAT and
    FAT32 partitions do not support ACLs)
  • Encryption consumes resources and protects only
    data at rest (a stolen disk or offline access);
    it does not stop code running as a user who
    holds the key, so weigh the benefits carefully

8
Systematic Approach for Addressing Updates
  • Due to the complexity of operating systems,
    security-related problems are often identified
    only after the OS has been released. Establish
    procedures for monitoring security-related
    information
  • Certain software updates may not be applicable
  • A scheduled update might make information
    resources unavailable, so plan installation
    accordingly
  • Test updates before deploying them to production
  • Deploy new systems with the latest software and
    drivers

9
Network Hardening
  • It is crucial to have a network with availability
    as well as adequate security
  • Vendors release firmware updates as
    vulnerabilities and malfunctions are discovered
    in previous versions
  • Subscribe to security-related mailing lists.
  • Visit security-related sites, such as CERT or
    SANS, which educate users on industry best
    practices for security-related issues.
  • Administrators may also seek out and monitor less
    public hacker sites, where exploits may appear
    before they are posted on a vendor site

10
Routing Configuration
  • Routing functions
  • Are derived from the network topology and
    designed to route packets efficiently and
    reliably, not securely; therefore they should
    not be used to implement a security policy
  • Firewall systems
  • Should govern the security of information flow
    into and out of the network
  • Provide a policy enforcement mechanism at a
    security domain boundary
  • Should specify what connectivity is permitted
    with specific statements and deny all other
    connectivity

11
Best Practices for Configuring Router and
Firewall Systems
  • Keep a copy of the current configuration of each
    network device in a safe location (disaster
    recovery)
  • Never allow IP-directed broadcasts through the
    system. In a smurf attack the attacker sends ICMP
    echo requests to a subnet's broadcast address
    with the victim's address forged as the source,
    so every host on that subnet replies to the
    victim; refusing directed broadcasts stops the
    router from amplifying it.
  • For easy identification, configure devices with
    meaningful names
  • Use a description for each router interface
  • Specify bandwidth on the interfaces so routing
    metrics are calculated correctly

continued
12
Best Practices for Configuring Router and
Firewall Systems
  • Configure a logical loopback address so the
    device stays reachable regardless of the status
    of any single physical interface. The loopback
    interface also provides a stable target for
    Simple Network Management Protocol (SNMP)
    polling over redundant paths
  • Handle SNMP with care. SNMPv1 and v2c use two
    kinds of community strings, Read Only and
    Read/Write, sent in cleartext; if a Read/Write
    community is compromised the device can be
    reconfigured. Use non-default strings, restrict
    SNMP access by ACL, and prefer SNMPv3 with
    authentication and encryption.

13
Best Practices for Configuring Router and
Firewall Systems
  • Avoid common names and predictable naming schemes
    for passwords
  • Log interface status, events, and debugging
    output to a separate syslog server. Even if an
    attacker is able to modify the logs on a
    compromised system, he or she would then also
    need to break into the syslog server to alter
    that copy.
  • Restrict data traffic to required ports and
    protocols only

14
Access Control List (ACL)
  • ACLs help control traffic across the network, but
    do not turn a router into a true (stateful)
    firewall
  • They work on the principle of pattern matching
    between an ordered set of rules and the packet
    contents; the first rule that matches decides
  • They implement packet filtering

15
Packet Filtering
  • Filtering can be based on intrinsic or extrinsic
    information pertaining to a data packet
  • Intrinsic information is contained within the
    packet itself: source address, destination
    address, protocol, source port, destination
    port, packet length, and the packet payload
    (the actual data)
  • Extrinsic information exists outside the packet:
    for instance, the arrival/departure interface on
    the device, context the firewall software keeps
    about the connection the packet belongs to, and
    the date and time of arrival or departure
  • Generally speaking, simple (stateless) packet
    filters can reference little extrinsic
    information beyond the interface; connection
    context requires a stateful firewall.

16
Best Practices for Designing Filtering Rules for
New Networks
  • Identify the protocols, ports, and source and
    destination addresses that need to be serviced,
    and make sure these requirements abide by your
    organization's security policy.
  • Design antispoofing rules and place them at the
    top of the ACL
  • Add a deny-all rule at the end, which causes all
    packets to be denied unless an earlier rule
    explicitly permits them.
  • Place all permit rules between the antispoofing
    rules and the deny-all rule at the end of the
    rule set
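Added example, not from the slides: a Python model of the rule layout on slides 14 to 16 (antispoofing first, explicit permits, deny-all last) evaluated with first-match semantics over packets that carry both intrinsic fields (addresses, protocol, port) and one extrinsic field (arrival interface). The address blocks, interface names and sample packets are constructed from the RFC 5737 documentation ranges; they are not from the chapter.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    # Intrinsic fields: carried inside the packet itself.
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int
    # Extrinsic field: the interface the device received the packet on.
    in_iface: str


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None
    in_iface: Optional[str] = None
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport)
                and self.in_iface in (None, p.in_iface))


# Constructed addresses (RFC 5737 documentation ranges), not from the slides.
INTERNAL = "192.0.2.0/24"     # the site's own block
WEB = "192.0.2.10/32"         # the public web server


def build_ruleset():
    return [
        # 1. Antispoofing rules first: a packet arriving on the outside
        #    interface may not claim an inside, loopback or unspecified source.
        Rule("deny", src=INTERNAL, in_iface="outside", note="antispoof: inside source on outside iface"),
        Rule("deny", src="127.0.0.0/8", note="antispoof: loopback source"),
        Rule("deny", src="0.0.0.0/8", note="antispoof: unspecified source"),
        # 2. Explicit permits: only what the policy says must be serviced.
        Rule("permit", dst=WEB, proto="tcp", dport=443, note="public HTTPS"),
        Rule("permit", dst=WEB, proto="tcp", dport=80, note="public HTTP"),
        Rule("permit", src=INTERNAL, in_iface="inside", note="inside hosts may initiate outbound"),
        # 3. Deny-all last, so anything without an explicit permit is dropped.
        Rule("deny", note="deny all"),
    ]


def evaluate(rules, p: Packet):
    """First-match semantics, as on a router ACL: the first matching rule decides."""
    for r in rules:
        if r.matches(p):
            return r.action, r.note
    raise ValueError("ruleset lacks a catch-all deny rule")


def check_ordering(rules):
    """Sanity check for the slide's layout: antispoof block, then permits, then deny-all."""
    notes = [r.note for r in rules]
    first_permit = next(i for i, r in enumerate(rules) if r.action == "permit")
    last_antispoof = max(i for i, n in enumerate(notes) if n.startswith("antispoof"))
    return last_antispoof < first_permit and rules[-1] == Rule("deny", note="deny all")


if __name__ == "__main__":
    rs = build_ruleset()
    assert check_ordering(rs)
    for pkt in [Packet("198.51.100.7", "192.0.2.10", "tcp", 443, "outside"),
                Packet("192.0.2.5", "192.0.2.10", "tcp", 443, "outside"),
                Packet("198.51.100.7", "192.0.2.10", "tcp", 22, "outside")]:
        print(pkt, "->", evaluate(rs, pkt))
```

The second sample packet is the case the antispoofing block exists for: it is addressed to a permitted service, but it claims an inside source while arriving on the outside interface, so it must be dropped before the permit rules are consulted.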

continued
17
Commonly Exploited Services
  • Many services can be easily targeted by attackers
    unless disabled by system administrators
  • Remote Procedure Call (RPC) essentially permits a
    computer to execute a program on another
    computer; block it at the perimeter and, where
    remote use is required, tunnel it over a VPN
  • Network File System (NFS) provides file sharing
    and should be blocked from the Internet
  • Web services are mostly vulnerable because of
    deployment of outdated Web servers or the use of
    third-party applications with documented
    vulnerabilities
  • Most SMTP-specific vulnerabilities result from
    unapplied or misapplied patches
  • DoS attacks succeed more easily when unnecessary
    services are running on network devices

18
Commonly Exploited Services on Cisco Platforms
  • Cisco Discovery Protocol (CDP)
  • TCP small servers
  • UDP small servers
  • Finger
  • HTTP server
  • Bootp server
  • Configuration autoloading
  • IP source routing
  • Proxy ARP

continued
19
Commonly Exploited Services on Cisco Platforms
  • IP-directed broadcast
  • Classless routing behavior
  • IP unreachable notifications
  • IP mask reply
  • IP redirects
  • NTP service
  • Simple Network Management Protocol
  • Domain Name Service
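Added example, not from the slides: a Python checker that reads an IOS-style running configuration and lists which of the hardening statements for the services on slides 11 to 13 and 18 to 19 are missing, globally and per interface. The sample configuration, hostname and addresses are constructed for the demonstration. Classless routing behaviour is left out because disabling it breaks routing on most networks, and NTP is simply disabled on interfaces rather than configured with authentication.

```python
import re

# Global configuration statements a hardened IOS device should carry
# (one per exploitable service on the slide; NTP and SNMP are simply off here).
GLOBAL_REQUIRED = [
    "no cdp run",
    "no service tcp-small-servers",
    "no service udp-small-servers",
    "no ip finger",
    "no ip http server",
    "no ip bootp server",
    "no service config",        # configuration autoloading
    "no ip source-route",
    "no snmp-server",           # if SNMP is needed, use v3 with an ACL instead
    "no ip domain-lookup",      # the router itself need not resolve names
]

# Per-interface statements, checked on every interface block.
IFACE_REQUIRED = [
    "no ip directed-broadcast",
    "no ip proxy-arp",
    "no ip unreachables",
    "no ip mask-reply",
    "no ip redirects",
    "ntp disable",
]


def parse_config(text):
    """Split IOS-style text into global lines and {interface name: [lines]}.
    Indented lines belong to the preceding 'interface' block; '!' ends a block."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if not line.startswith(" "):
            m = re.match(r"interface\s+(\S+)", line)
            if m:
                current = m.group(1)
                interfaces.setdefault(current, [])
            else:
                current = None
                global_lines.append(line.strip())
        elif current is not None:
            interfaces[current].append(line.strip())
    return global_lines, interfaces


def audit(text):
    """Return {"global": [missing...], "<iface>": [missing...]}; interfaces with no gaps are omitted."""
    global_lines, interfaces = parse_config(text)
    missing = {"global": [s for s in GLOBAL_REQUIRED if s not in global_lines]}
    for name, lines in interfaces.items():
        gaps = [s for s in IFACE_REQUIRED if s not in lines]
        if gaps:
            missing[name] = gaps
    return missing


# Constructed sample running-config, not taken from a real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip http server
no ip bootp server
no service config
no ip source-route
no ip domain-lookup
snmp-server community public RO
!
interface GigabitEthernet0/0
 description Outside link to ISP
 ip address 198.51.100.2 255.255.255.252
 no ip directed-broadcast
 no ip proxy-arp
 no ip unreachables
 no ip mask-reply
 no ip redirects
 ntp disable
!
interface GigabitEthernet0/1
 description Inside LAN
 ip address 192.0.2.1 255.255.255.0
 no ip proxy-arp
!
"""

if __name__ == "__main__":
    for scope, gaps in audit(SAMPLE_CONFIG).items():
        print(f"{scope}: missing {gaps}")
```

One caveat when running this against real devices: IOS omits default settings from the ordinary running-config (for example directed broadcasts have been off by default since IOS 12.0), so a line can be "missing" from the text while the behaviour is already disabled. Feed the checker output of a form that shows defaults, or treat a missing line as something to confirm on the device rather than as a definite finding.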

20
Application Hardening
  • The process of making application software
    secure: removing unneeded features, configuring
    authentication and access control, and applying
    vendor patches. Typical server applications to
    harden:
  • File and print servers
  • DHCP servers
  • Data repositories
  • Directory services
  • Web servers
  • E-mail servers
  • FTP servers
  • DNS servers
  • NNTP servers

21
Web Servers
  • Associated with more attacks and vulnerabilities
    than any other type of server
  • A Web server is designed to make information
    accessible, rather than to protect it. Software
    companies create default installations that turn
    on unneeded services rather than enabling only
    the basic services.

22
High Level Best Practices for Securing Web Servers
  • Isolate a Web server on a DMZ
  • Configure the Web server's access privileges
    (run it as an unprivileged account; restrict what
    it can read and write)
  • Identify and enable Web server-specific logging
    tools
  • Consider the security implications of invoking
    additional mechanisms that execute programs or
    process user-supplied data, e.g. CGI scripts and
    server plug-ins
  • Configure authentication and encryption: SSL (now
    TLS); S-HTTP and Secure Electronic Transaction
    (SET), which the chapter also lists, are obsolete

23
E-mail Servers
  • Serious risks are associated with the ability to
    receive e-mail from the outside world
  • Attachments with malicious contents
  • Malformed MIME headers can exploit bugs in the
    mail parser
  • Scripts embedded in HTML-enabled mail do not use
    explicit attachments, so they are hard to detect
    with conventional file-checking mechanisms
  • A typical packet-filtering firewall does not
    inspect e-mail contents, so it can't filter them.

24
Protecting Against E-mail Vulnerabilities
  • Use the latest software updates and patches on
    the e-mail server
  • Deploy a dedicated e-mail relay (gateway) server
    in the DMZ; gateways have content-filtering
    mechanisms for rules that search for key words
    and phrases and for specific types of file
    attachments.
  • Deploy virus-scanning tools on the server
  • Use attachment-checking mechanisms on the server
    to look for .exe or .vbs files (by content, not
    just by name, since an executable can be
    renamed).
  • Use HTML active-content removal to filter e-mails
    containing HTML tags and attributes that are used
    to execute malicious code.
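Added example, not from the slides: the two gateway checks on slide 24 written in Python with the standard email package. It blocks attachments by extension (the slide's .exe and .vbs plus other executable types) and by content, so that a Windows executable renamed to .txt is still caught by its "MZ" header, and it strips active content (script blocks, on* event handlers, javascript:/vbscript:/data: URLs, embedding tags) from the HTML body. The message, addresses and attachment bytes are constructed here; the regular-expression sanitizer is a demonstration, and a production gateway should use a real HTML parser-based sanitizer instead.

```python
import email
import os
import re
from email import policy
from email.message import EmailMessage

# Extensions the slide names (.exe, .vbs) plus other directly executable types.
DANGEROUS_EXT = {".exe", ".vbs", ".js", ".scr", ".bat", ".cmd", ".ps1", ".hta", ".pif", ".com"}

# Active-content patterns in HTML mail: script blocks, event-handler attributes,
# script/data URLs, and tags that embed or redirect.
SCRIPT_TAG = re.compile(r"<\s*script\b.*?<\s*/\s*script\s*>", re.I | re.S)
EVENT_ATTR = re.compile(r"\s+on[a-z]+\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)", re.I)
URL_SCHEME = re.compile(r"(href|src)\s*=\s*([\"']?)\s*(javascript|vbscript|data)\s*:", re.I)
EMBED_TAGS = re.compile(r"<\s*/?\s*(object|embed|iframe|applet|meta)\b[^>]*>", re.I)


def strip_active_content(html):
    html = SCRIPT_TAG.sub("", html)
    html = EMBED_TAGS.sub("", html)
    html = EVENT_ATTR.sub("", html)
    return URL_SCHEME.sub(r"\1=\2blocked:", html)


def inspect_message(raw_bytes):
    """Return blocked attachment names and the HTML body with active content removed."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    blocked = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # Check the bytes, not just the label: a renamed Windows executable still starts with "MZ".
        if os.path.splitext(name)[1] in DANGEROUS_EXT or payload[:2] == b"MZ":
            blocked.append(name)
    html_part = msg.get_body(preferencelist=("html",))
    cleaned = strip_active_content(html_part.get_content()) if html_part else None
    return {"blocked_attachments": blocked, "cleaned_html": cleaned}


def build_sample():
    """Constructed test message (not from the slides): HTML with active content,
    an executable renamed to .txt, and a .vbs attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "user@example.com"
    m["Subject"] = "Invoice"
    m.set_content("Please see the attached invoice.")
    m.add_alternative('<p onmouseover="alert(1)">Hi</p><script>evil()</script>'
                      '<a href="javascript:x()">link</a>', subtype="html")
    m.add_attachment(b"MZ\x90\x00fake-pe-header", maintype="application",
                     subtype="octet-stream", filename="invoice.txt")
    m.add_attachment(b"Set o = CreateObject(\"WScript.Shell\")", maintype="application",
                     subtype="octet-stream", filename="run.vbs")
    return m.as_bytes()


if __name__ == "__main__":
    print(inspect_message(build_sample()))
```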

25
FTP Servers
  • File Transfer Protocol
  • Used to transfer files between a workstation and
    an FTP server
  • Vulnerabilities
  • Bounce attacks use the FTP server to attack
    another device via the PORT command, which tells
    the server where to open the data connection. The
    server should refuse PORT targets that are not
    the client's own address and should not open
    data connections to ports below 1024.
  • Restrict access to FTP servers, or to certain
    areas of a server, by
  • filtering IP addresses
  • using authentication to prevent spoofing

26
FTP Servers Vulnerabilities
  • Protecting usernames and passwords
  • To minimize the risk of brute-force password
    guessing, limit the number of allowed attempts at
    a password, then terminate the connection
  • Configure FTP servers to impose a five-second
    delay before replying to an invalid "PASS"
    command to diminish the efficiency of a
    brute-force attack.
  • Limit the total possible number of control
    connections, or detect suspicious activity across
    sessions and refuse further connections from
    that site.
  • Configure FTP servers to return the same response
    to the USER command whether or not the user name
    exists; a server that answers an invalid user ID
    differently from an invalid password lets an
    attacker enumerate valid accounts.
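Added example, not from the slides: the server-side policies from slides 25 and 26 modelled in Python as a small state machine. It gives the same 331 reply to every USER name, charges a five-second delay for each bad PASS, closes the control connection after three failures, caps concurrent control connections per source address, and validates PORT so the server cannot be bounced at a third host or a privileged port. The account table, addresses and limits are constructed for the demonstration; the sleep function is injectable so the behaviour can be checked without waiting.

```python
import time


class FtpLoginGuard:
    """Server-side login and PORT policy from the slides, modelled as state:
    identical USER reply for any name, a delay on every bad PASS, a per-connection
    attempt limit, a per-source connection limit, and PORT validation."""

    MAX_ATTEMPTS = 3       # failed PASS commands before the control connection is closed
    MAX_CONNECTIONS = 5    # simultaneous control connections allowed from one address
    FAIL_DELAY = 5.0       # seconds before answering an invalid PASS

    def __init__(self, accounts, sleep=time.sleep):
        self.accounts = accounts      # {username: password}; constructed for the demo
        self.sleep = sleep            # injectable so a test need not really wait
        self.connections = {}         # source ip -> open control connections
        self.sessions = {}            # conn id -> {"ip", "user", "failures"}

    def open_connection(self, conn_id, src_ip):
        if self.connections.get(src_ip, 0) >= self.MAX_CONNECTIONS:
            return "421 Too many connections from your address"
        self.connections[src_ip] = self.connections.get(src_ip, 0) + 1
        self.sessions[conn_id] = {"ip": src_ip, "user": None, "failures": 0}
        return "220 Service ready"

    def close_connection(self, conn_id):
        sess = self.sessions.pop(conn_id, None)
        if sess:
            self.connections[sess["ip"]] -= 1

    def user(self, conn_id, username):
        # Same reply whether or not the account exists, so USER cannot enumerate names.
        if conn_id in self.sessions:
            self.sessions[conn_id]["user"] = username
        return "331 Password required"

    def password(self, conn_id, password):
        sess = self.sessions.get(conn_id)
        if sess is None:
            return "421 Control connection closed"
        if self.accounts.get(sess["user"]) == password:
            sess["failures"] = 0
            return "230 User logged in"
        sess["failures"] += 1
        self.sleep(self.FAIL_DELAY)          # every wrong guess costs the attacker 5 s
        if sess["failures"] >= self.MAX_ATTEMPTS:
            self.close_connection(conn_id)
            return "421 Too many failed logins, closing control connection"
        return "530 Login incorrect"

    @staticmethod
    def port_command(client_ip, h1, h2, h3, h4, p1, p2):
        """Validate PORT h1,h2,h3,h4,p1,p2: refuse a third-party target (bounce attack)
        and any privileged port (< 1024), so the server cannot be aimed at other services."""
        target_ip = f"{h1}.{h2}.{h3}.{h4}"
        target_port = p1 * 256 + p2
        if target_ip != client_ip:
            return "500 PORT must name the client's own address"
        if target_port < 1024:
            return "500 PORT to a privileged port refused"
        return "200 PORT command successful"


if __name__ == "__main__":
    g = FtpLoginGuard({"alice": "s3cret"}, sleep=lambda s: print(f"(sleeping {s}s)"))
    print(g.open_connection("c1", "198.51.100.7"))
    print(g.user("c1", "nobody"), "|", g.user("c1", "alice"))
    for guess in ("a", "b", "c"):
        print(g.password("c1", guess))
    print(FtpLoginGuard.port_command("198.51.100.7", 192, 0, 2, 10, 0, 25))
```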

27
FTP Servers
  • Port stealing - Most operating systems assign
    dynamic port numbers in increasing order, making
    it easy to predict the next port the server will
    use for a passive-mode data connection.
  • The attacker can connect to this port first,
    preventing another legitimate client from making
    a transfer.
  • The attacker can steal a file meant for a
    legitimate user or insert forged data into a
    stream thought to come from an authenticated
    client.
  • To solve the problem, configure the server OS to
    use a random port assignment algorithm
  • The anonymous FTP feature allows clients to
    connect to an FTP server with minimal
    authentication, and remote command execution
    (SITE EXEC) allows clients to execute arbitrary
    commands on the server; disable both unless
    required.

28
DNS Servers
  • The Domain Name Service (DNS) translates names
    into addresses
  • The hierarchy is anchored by 13 root-server
    identities (named A through M, each today an
    anycast cluster of many machines), which refer
    resolvers to the top-level domain (TLD) servers
  • Hierarchical structure with many name servers.
    When a user requests a name resolution, the
    system queries a local name server. If that
    server doesn't know the answer, it queries the
    next one up the chain until an answer is found.
  • The most popular DNS server implementation is the
    open-source BIND.

29
Vulnerabilities Associated with DNS
  • Although registration (whois) data on recently
    assigned address blocks is considered accurate,
    data on older blocks is often outdated.
    Furthermore, sub-allocations of IP blocks are
    often not tracked.
  • Regional address registries, ISPs, and DNS server
    operators should update their information as
    often as possible
  • An attacker could potentially send a forged
    dynamic-update request to change the records for
    a domain name; require authenticated updates
    (for example TSIG-signed updates restricted to
    known hosts) to prevent this
  • DNS spoofing and cache poisoning

30
Vulnerabilities Associated with DNS
  • Although it is very uncommon, the addresses of
    the 13 root servers sometimes change, and the
    root hints file then needs to be updated.
  • Recursive query - When the local server cannot
    answer a query, it queries one or more servers up
    the DNS tree and forwards the answer to the
    client rather than handing the client off to the
    other servers. An attacker who can predict the
    next 16-bit transaction ID the server will use
    (and its source port, if that is fixed) can send
    a packet with that ID and spoof the response from
    the legitimate name server, poisoning the cache.
  • Denial-of-service attacks
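Added example, not from the slides: a Python simulation of the transaction-ID attack described above. A toy recursive resolver accepts an answer only if its transaction ID and port match an outstanding query, which is all that classic DNS checks. With sequential IDs and a fixed source port, an attacker who has just observed one ID (for example by making the resolver look up a name in a zone he controls) forges the answer to the next query every time; with a random ID and a random source port the same guess fails. The names, addresses and the 0x1000 starting ID are constructed for the demonstration.

```python
import random


class ToyResolver:
    """Recursive resolver model that accepts an answer only if its transaction ID and
    destination (our source) port match an outstanding query, which is all that
    classic DNS checks. `randomize=False` reproduces the predictable-ID behaviour."""

    FIXED_SPORT = 53000   # what a resolver without source-port randomization would use

    def __init__(self, randomize, rng):
        self.randomize = randomize
        self.rng = rng
        self.last_txid = 0x1000
        self.outstanding = {}   # (txid, sport) -> qname
        self.cache = {}

    def send_query(self, qname):
        if self.randomize:
            txid = self.rng.randrange(0, 1 << 16)
            sport = self.rng.randrange(1024, 1 << 16)
        else:
            txid = (self.last_txid + 1) & 0xFFFF    # sequential: trivially predictable
            sport = self.FIXED_SPORT
        self.last_txid = txid
        self.outstanding[(txid, sport)] = qname
        return txid, sport

    def receive_answer(self, txid, sport, qname, rdata):
        """Returns True if the answer was accepted (and cached), False if dropped."""
        if self.outstanding.get((txid, sport)) != qname:
            return False
        del self.outstanding[(txid, sport)]
        self.cache[qname] = rdata
        return True


def spoof_next_query(resolver, observed_txid):
    """Attacker has just seen the resolver's current txid (for example by making it
    look up a name in a zone he controls). He forges the answer to the victim's
    *next* query, guessing txid+1 on the fixed port, and races the real server."""
    resolver.send_query("www.example.com")
    guess = (observed_txid + 1) & 0xFFFF
    return resolver.receive_answer(guess, ToyResolver.FIXED_SPORT,
                                   "www.example.com", "203.0.113.66")   # attacker's address


def run_trials(randomize, trials, seed=1):
    """Number of trials in which the forged answer was accepted."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        r = ToyResolver(randomize, rng)
        observed, _ = r.send_query("probe.attacker.example.net")
        if spoof_next_query(r, observed):
            hits += 1
    return hits


if __name__ == "__main__":
    print("predictable IDs, 100 trials:", run_trials(False, 100), "poisoned")
    print("random ID + port, 100 trials:", run_trials(True, 100), "poisoned")
```

Randomizing both the ID and the source port is what resolvers adopted after the 2008 cache-poisoning disclosures; it raises the attacker's cost from one packet to billions of guesses per query. It is still only a probabilistic defence, and DNSSEC is what actually authenticates the answer.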

31
NNTP Servers
  • Network News Transfer Protocol (NNTP)
  • Delivers news articles to users on the Internet
  • Stores articles in a central database; users
    choose only the items of interest
  • Many individuals post news articles of dubious
    value to get a self-serving point across to a
    large group of people, which has made the use of
    newsgroups less appealing
  • Makes few demands on structure, content, or
    storage of news articles
  • NNTP servers can index and cross reference
    messages, and allow for notification of
    expiration
  • Proper authentication mechanisms, disabling of
    unneeded services, and application of relevant
    software and OS patches are effective methods of
    preventing attacks.

32
Protecting Against File and Print Server
Vulnerabilities
  • Offer only essential network and OS services on a
    server
  • Configure servers for user authentication,
    including a BIOS/boot password
  • Configure server operating systems as well as
    file encryption capabilities for sensitive data.
  • Manage logging and other data collection
    mechanisms
  • Configure servers for file backups

33
DHCP Servers
  • Dynamic Host Configuration Protocol - DHCP has no
    security provisions, so it is possible for a
    malicious user to set up an unauthorized DHCP
    server in an attempt to spoof the official DHCP
    server on the network (handing out a rogue
    gateway or DNS server to clients).
  • Because DHCP is a broadcast-based protocol, a
    malicious user can run a sniffer program to
    collect critical network information
  • An attacker can launch a DoS attack against the
    DHCP server, either depleting the pool of
    available addresses or consuming the resources
    of the DHCP server itself

continued
34
Preventing Attacks on DHCP Servers
  • Assign permanent (static) addresses
  • Collect the Media Access Control (MAC) addresses
    of all computers on the network and bind them to
    corresponding IP addresses (reservations). Note
    that a MAC address can be forged, so this is a
    control against accidents and casual abuse, not
    against a determined attacker.
  • Use dynamic addressing, but monitor log files
  • Use intrusion detection tools
  • Configure the DHCP server to force stations with
    new MAC addresses on the network to register with
    the DHCP server
  • Implement the latest software and patches
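Added example, not from the slides: the "monitor log files / use intrusion detection" advice on slides 33 and 34 turned into a small Python detector over DHCP events as a sniffer on the segment would see them. It raises an alert for an OFFER or ACK from a server that is not on the authorized list (rogue server), for an ACK that gives a reserved MAC an address other than its binding, and for a burst of DISCOVERs from many never-seen MACs (pool exhaustion). The authorized server, reservation table and event list are constructed for the demonstration.

```python
# Constructed reference data and observations (not from the slides).
AUTHORIZED_SERVERS = {"192.0.2.2"}
RESERVATIONS = {                      # MAC -> the address bound to it
    "aa:bb:cc:00:00:01": "192.0.2.50",
    "aa:bb:cc:00:00:02": "192.0.2.51",
}

# (time in s, message type, server ip or None, client MAC, offered/assigned ip or None)
EVENTS = [
    (0, "DISCOVER", None, "aa:bb:cc:00:00:01", None),
    (1, "OFFER", "192.0.2.2", "aa:bb:cc:00:00:01", "192.0.2.50"),     # legitimate
    (1, "OFFER", "192.0.2.99", "aa:bb:cc:00:00:01", "192.0.2.200"),   # rogue server answering too
    (2, "ACK", "192.0.2.2", "aa:bb:cc:00:00:02", "192.0.2.77"),       # reserved MAC got another address
]
# Starvation burst: 60 DISCOVERs from never-seen MACs within two seconds.
EVENTS += [(10 + i // 30, "DISCOVER", None, f"02:00:00:00:{i // 256:02x}:{i % 256:02x}", None)
           for i in range(60)]


def analyze(events, window=5, discover_threshold=20):
    """Return alert strings for the three failure modes from the slides:
    rogue server, binding mismatch, address-pool exhaustion attempt."""
    alerts = []
    discovers = []          # (time, mac) seen so far
    exhaustion_reported = False
    for t, mtype, server, mac, ip in events:
        if mtype in ("OFFER", "ACK") and server not in AUTHORIZED_SERVERS:
            alerts.append(f"rogue DHCP server {server} offered {ip} to {mac}")
        if mtype == "ACK" and mac in RESERVATIONS and RESERVATIONS[mac] != ip:
            alerts.append(f"binding mismatch: {mac} got {ip}, reserved {RESERVATIONS[mac]}")
        if mtype == "DISCOVER":
            discovers.append((t, mac))
            recent = {m for tt, m in discovers if t - tt <= window}
            if len(recent) >= discover_threshold and not exhaustion_reported:
                exhaustion_reported = True
                alerts.append(f"possible pool exhaustion: {len(recent)} distinct MACs in {window}s")
    return alerts


if __name__ == "__main__":
    for a in analyze(EVENTS):
        print("ALERT:", a)
```

Detection of this kind tells you something is wrong after the fact; the preventive control on a managed switch is DHCP snooping, which drops server messages arriving on untrusted ports, combined with port security to limit MAC addresses per port.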

35
Data Repositories
  • Store data for archiving and user access
  • Contain an organizations most valuable assets in
    terms of information
  • Should be carefully protected

36
Directory Services
  • Lightweight Directory Access Protocol (LDAP)
  • Industry-standard protocol for providing network
    directory services over TCP/IP
  • Stores and locates information about network
    resources
  • Based on a simple, tree-like hierarchy called a
    Directory Information Tree (DIT)
  • Threats are either directory-service-oriented or
    non-directory-oriented

37
Directory Service-Oriented Threats
  • Unauthorized access to data by monitoring or
    spoofing authorized users' operations
  • Unauthorized access to resources by hijacking
    authenticated connections and sessions
  • Unauthorized modification or deletion of data or
    configuration parameters
  • Spoofing of directory services to gain access to
    information of a sensitive nature
  • Excessive use of resources

38
Nondirectory Service-Oriented Threats
  • Common network-based attacks against LDAP servers
    to compromise availability of resources
  • Attacks against hosts by physically accessing the
    resources
  • Attacks against back-end databases that provide
    directory services

39
Security of LDAP Is Dependent on
  • Authentication
  • Anonymous
  • Simple bind sends the password in cleartext; wrap
    the session in TLS (LDAPS or StartTLS) so it is
    never exposed on the wire
  • Simple Authentication and Security Layer (SASL)
    for LDAPv3
  • Authorization and resource allocation (limits on
    search size, time, and connections)

40
Principles of Security to Protect Databases
  • Authentication of users and applications
  • Administration policies and procedures
  • Access control to objects and management of users
    can be simplified through the use of roles. Roles
    are a collection of privileges that can be
    assigned to users. In addition to roles, profiles
    can be used to control allocation and use of
    resources to users within the database
  • Initial configuration - Certain database
    implementations, such as Oracle's, have
    well-known default accounts and passwords that
    provide varying levels of access
  • Auditing - In addition to database auditing
    features, changes to critical configuration files
    (such as the Oracle init file) should be logged,
    as should unsuccessful login attempts
  • Backup and recovery procedures