
CT 320: Network and System Administration
Fall 2014*

Dr. Indrajit Ray
Email: indrajit@cs.colostate.edu
Department of Computer Science
Colorado State University
Fort Collins, CO 80528, USA

* Thanks to Dr. James Walden, NKU and Russ Wakefield, CSU for contents of these slides

Dr. Indrajit Ray, Computer Science Department, CT 320 Network and Systems Administration, Fall 2014
Topics
1. Introduction
2. Vulnerabilities, threats and attacks
3. Risk Management
4. OS Hardening
5. PAM
6. Passwords
7. Firewalls & Intrusion Prevention Systems

Overview
Computer Security: protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).
Key Security Concepts
Security Objectives
Confidentiality: Prevent / detect / deter improper disclosure of information
Integrity: Prevent / detect / deter improper modification of information
Availability: Prevent / detect / deter improper denial of access to services provided by a system
Some Examples
An employee should not know the salary of the manager (confidentiality)
An employee should not be able to update own salary record (integrity)
Salary slips should be printed on the last day of the month (availability)
Security Goals
Data confidentiality
Customer account data (credit cards, identity)
Trade secrets
Administrative data (passwords, configuration)
Data integrity
Administrative data
Software downloads (patches, free tools)
Web pages

Security Goals
System integrity
System binaries
Kernel
System/network availability
Network bandwidth
Network services (auth, file, mail, print)
Disk space

Interesting Situation
You are the security admin of a company. One day you notice that an employee is downloading a very big file. You notice that downloading a file is not exactly against company policy. Should you flag this as a security issue?
An Even More Interesting Situation
User uploads some financial documents on Microsoft Cloud. You (Microsoft) analyze these documents and determine that the user owes back taxes to the IRS ...
Security Objectives (continued)
Prevention is more fundamental
Detection seeks to prevent by threat of punitive action
Detection often requires systems that must be prevented from alteration
Sometimes detection is the only option
Modification of messages on a network
More Security Objectives
Authenticity: The property of being genuine and being able to be verified and trusted
Note similarity with integrity
Accountability: Requirement that actions of an entity should be traceable to that entity
Acts as deterrence
Non-repudiation: Requirement that an entity is not able to deny or reject the validity of its past action
Needed for proper accountability
Computer Security Challenges
1. Not simple
2. Must consider potential attacks
3. Procedures used may be counter-intuitive
4. Involve algorithms and secret info
5. Must decide where to deploy mechanisms
6. Battle of wits between attacker / admin
7. Not perceived as a benefit until it fails
8. Requires regular monitoring
9. Too often an after-thought
10. Regarded as impediment to using systems
Security Components / Terminology
History
War Games
Kid movie that brought security to light
Young man finds a back door into a military super computer to run a nuclear war simulation, believing it to be a computer game. Causes a national nuclear missile scare and nearly starts WW III
1988 Morris worm
Millions of dollars and thousands of hours wasted
First real global attack
Still a wide open issue
Security by Obscurity
If we hide the inner workings of a system, it will be secure
Bad idea
Less and less applicable in the emerging world of vendor independent open standards
Less and less applicable in a world of widespread computer knowledge and expertise
Security by Legislation
If we instruct our users on how to behave, we can secure a system
Bad idea
User awareness and cooperation are important but cannot be the principal focus for achieving security
Human beings tend to defy authority
Weakest Link In Computer Security
Human beings are often considered the weakest link
95% of all attacks were directed against the home computer user in 2007
End-users are frequently exposed to security risks through routine on-line activities such as checking email or web browsing
Many recent attacks indicate that end-users are increasingly becoming a new form of threat in cyber-space, the so-called unwitting accomplice
Vulnerabilities, Threats and Attacks
System resource vulnerabilities: a resource may
Be corrupted (loss of integrity)
Become leaky (loss of confidentiality)
Become unavailable (loss of availability)
Attacks are threats carried out and may be
Passive
Active
Insider
Outsider
Vulnerabilities
1. Bad/default passwords.
2. Unused services with open ports.
3. Unpatched software vulnerabilities.
4. Transmitting confidential data in cleartext.
5. Open modems or wireless networks.
6. Physical access to critical systems.
7. Uneducated users.

Vulnerability Databases
Repository for vulnerability data
Security checklists
Security related software flaws
Misconfigurations
Impact metrics
National Vulnerability Database (NVD)
http://nvd.nist.gov
Open Source Vulnerability Database (OSVDB)
http://osvdb.org

Some Common Security Threats
information leakage, integrity violation, denial of service, illegitimate use
penetration, planting
eavesdropping, masquerade, virus / worms
traffic analysis, bypassing controls, Trojan horses
EM/RF interception, authorization violation, trapdoor
indiscretions, physical intrusion, service spoofing, theft
media scavenging
information leakage, integrity violation
intercept / alter, theft, resource exhaustion
repudiation, replay, integrity violation
Threat Motives
Financial motives
Identity theft
Phishing
Spam
Extortion
Botnets
Political motives
Danish sites hacked after Mohammed cartoons.
Personal motives
Just for fun.
Insider revenge.

Threat Consequences
Unauthorized disclosure
Exposure, interception, inference,
intrusion
Deception
Masquerade, falsification, repudiation
Disruption
Incapacitation, corruption, obstruction
Usurpation
Misappropriation, misuse
Attacks
Classified as passive or active
Passive attacks are eavesdropping
Release of message contents
Traffic analysis
Hard to detect, so aim to prevent
Active attacks modify/fake data
Masquerade
Replay
Modification
Denial of service
Hard to prevent, so aim to detect
How Systems Are Attacked
(figure)
How Systems Are Attacked (continued)
(figure)
Example Networked System
(figure)
Attack Trees
(figure)
Types of attacks
Social engineering
Cold calls, shoulder surfing, phishing
Alleviated by training, communication, etc.
Software vulnerabilities
Buffer overflows, known bugs
Patching
Configuration errors
Complex: takes time and knowledge to do it right
Easy to bypass

Risk Management
Risk is the relationship between your assets, the vulnerabilities characteristic to those assets, and attackers who wish to access or modify those assets.

Security Tips
Packet filtering
Unnecessary services
Software patches
Backups
Passwords
Vigilance

Rules of Thumb
Don't put files of interest on your system
Security policy should specify how info is handled
Don't provide homes for hackers
Set traps to detect intrusions
Monitor reports from your security tools
Teach yourself about security
Be nosy: prowl around looking for unusual activity
Password mgmt.
Poor password management is a common weakness
Indirect information
Passwords easily hacked
Steps
Run the common password checker often
Check for null passwords
Password maintenance
Password aging
No group logins
su to root

SetUID programs
Prone to security holes
Minimize the number of them
Use pseudo-users rather than root
Make pseudo-users' home directory /dev/null
Disable on public filesystems

Security issues
Remote event logging
Use syslog
Secure terminals
Configure to disable root logins from SSH, VPNs, etc.
NIS known to have security issues
NFS4 security enhancements
Sendmail runs as root
Keep up to date

Security issues (continued)
Viruses and worms
Not widely prevalent on Linux
Less market share than Windows
Access controlled environment
Trojan horses
Programs get Trojan horses embedded in them
Keep software up to date
Rootkits
Hiding system information

Assets
1. Login account.
2. Network bandwidth.
3. Disk space.
4. Data.
5. Reputation.

Defenses
Vulnerability mitigation
Use secure authentication systems.
Deploy software in secure configuration.
Patch security flaws quickly.
Attack mitigation
Firewalls to prevent network attacks.
IDS to detect attacks.
Virus/spyware scanners.

OS Hardening
Secure the physical system.
Install only necessary software.
Keep security patches up to date.
Delete or disable unnecessary user accounts.
Use secure passwords.
Disable remote access except where necessary.
Use sudo instead of su.
Run publicly accessible services in a jail.
Check logs regularly.
Configure firewall on each host.
Run security scanner to check security.
Document security configuration.

Secure the physical system
Place servers in a physically secure location.
Physically secure the case.
Place ID tags on all hardware.
Password protect the BIOS.
Disable booting from removable media.

Install only Necessary Software
Put different services on different hosts.
A compromise in ftp shouldn't compromise mail.
Improves reliability and maintainability too.
Common unnecessary packages
X-Windows
Software development (gcc, gdb, etc.)

Security Patches
Subscribe to vendor security patch list.
Or know vendor's update schedule.
MS Windows updates on 2nd Tuesday.
Update test host first.
up2date -u
Patches can sometimes break services.
Update other hosts after that.
May need to schedule downtime if reboot required.

Use Secure Passwords
Attacks against Passwords
Password sniffing
Password guessing via login
Password cracking
Defences
Do not transfer passwords over the network.
Secure /etc/{passwd,shadow}
Configure password quality/aging rules.
Test your passwords by cracking them.

PAM
Problem:
Many programs require authentication.
Ex: ftp, rlogin, ssh, etc.
New auth schemes require rewrites.
Ex: longer passwords, keys, one-time passwords
Solution:
Separate authentication from programs.
Store auth in Pluggable Authentication Modules.
Programs choose PAMs to use at runtime by reading config files.
PAM Configuration
Configured under /etc/pam.d
Each PAM-aware service has a file there.
Format: <module interface> <control flag> <module name> <module arguments>
Module interface: one of 4 module types.
Control flag: how module will react to failure or success (multiple successes may be required.)
Module name: PAM shared library.
Module args: Files to use, other options.

Module Interfaces
auth: Authenticates use of service. For example, it may request and verify a password.
account: Verifies that access is permitted, e.g. check for expired accounts or location/time.
password: Sets and verifies passwords.
session: Configures and manages user sessions, e.g. mounting user home directories or mailboxes.

Module Stacking Example
rlogin PAM requirements
The file /etc/nologin must not be present.
Root may not login over network.
Environment variables may be loaded.
~/.rhosts entry allows login without password.
Otherwise perform standard password login.
PAM config file
auth required pam_nologin.so
auth required pam_securetty.so
auth required pam_env.so
auth sufficient pam_rhosts_auth.so
auth required pam_stack.so service=system-auth
Control Flags
required: Module result must be successful for authentication to continue. User is not notified on failure until results on all modules referencing that interface are available.
requisite: Module result must be successful for authentication to continue. User is notified immediately with a message reflecting the first failed required or requisite module.
sufficient: Module result ignored if it fails. If a sufficient flagged module result is successful and no required flagged modules above it have failed, then no other results are required and the user is authenticated to the service.
optional: Module result is ignored. Only necessary for successful authentication when no other modules reference the interface.
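As an added example (not from the slides), the Python below walks the rlogin stack from the previous slide under the control-flag rules just listed, using the success/failure actions Linux-PAM itself maps each flag to; the module outcomes are constructed booleans, not real module calls.

```python
"""Walk a PAM 'auth' stack the way Linux-PAM does, under the four control flags.

Added example, not from the slides: module outcomes are constructed booleans
standing in for what pam_nologin.so, pam_securetty.so, ... would really return.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Linux-PAM expresses each control flag as an action on (success, failure):
#   ok     - success, unless an earlier module already failed
#   bad    - record the failure but keep walking (user is told at the end)
#   die    - record the failure and stop immediately
#   done   - success: stop now if nothing above failed, else keep walking
#   ignore - result contributes nothing
ACTIONS = {
    "required":   ("ok",   "bad"),
    "requisite":  ("ok",   "die"),
    "sufficient": ("done", "ignore"),
    "optional":   ("ok",   "ignore"),
}

@dataclass(frozen=True)
class Rule:
    flag: str     # control flag
    module: str   # module name and arguments, as written in /etc/pam.d/<service>

# The rlogin stack from the slide, in order.
RLOGIN_AUTH: List[Rule] = [
    Rule("required",   "pam_nologin.so"),
    Rule("required",   "pam_securetty.so"),
    Rule("required",   "pam_env.so"),
    Rule("sufficient", "pam_rhosts_auth.so"),
    Rule("required",   "pam_stack.so service=system-auth"),
]

def evaluate(stack: List[Rule],
             results: Dict[str, bool]) -> Tuple[bool, Optional[str], List[str]]:
    """Return (authenticated, first failed module or None, modules consulted).

    results maps a module to True (PAM_SUCCESS) or False; a module absent from
    results is treated as failing, so nothing is granted by accident.
    """
    failed: Optional[str] = None   # first failure is sticky; later successes cannot undo it
    granted = False                # some module returned ok/done with no prior failure
    consulted: List[str] = []
    for rule in stack:
        ok = results.get(rule.module, False)
        action = ACTIONS[rule.flag][0 if ok else 1]
        consulted.append(rule.module)
        if action == "ok" and failed is None:
            granted = True
        elif action == "bad":
            failed = failed or rule.module
        elif action == "die":
            failed = failed or rule.module
            break
        elif action == "done" and failed is None:
            granted = True
            break                   # sufficient succeeded: remaining modules are skipped
    return failed is None and granted, failed, consulted

def demo() -> Dict[str, Tuple[bool, Optional[str], int]]:
    """Constructed scenarios for the rlogin stack; values are (ok, failed, modules consulted)."""
    base = {"pam_nologin.so": True, "pam_securetty.so": True, "pam_env.so": True}
    cases = {
        # ~/.rhosts entry present: sufficient succeeds, password stack never consulted
        "rhosts ok": {**base, "pam_rhosts_auth.so": True},
        # no rhosts entry: fall through to the standard password login
        "password ok": {**base, "pam_rhosts_auth.so": False,
                        "pam_stack.so service=system-auth": True},
        # root over the network: pam_securetty fails, yet the whole stack is still
        # walked (required), so the user cannot tell which module rejected them
        "root over network": {**base, "pam_securetty.so": False, "pam_rhosts_auth.so": True},
    }
    out = {}
    for name, results in cases.items():
        ok, failed, consulted = evaluate(RLOGIN_AUTH, results)
        out[name] = (ok, failed, len(consulted))
    # Same rejection with requisite instead of required: the walk stops at once.
    strict = [Rule("requisite", r.module) if r.module == "pam_securetty.so" else r
              for r in RLOGIN_AUTH]
    ok, failed, consulted = evaluate(strict, cases["root over network"])
    out["root over network (requisite)"] = (ok, failed, len(consulted))
    return out
```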
Password Quality
Use pam_cracklib.so in system-auth
Options
retry=#: Maximum # of retries.
minlen=#: Minimum password length.
lcredit=#: Min # of lower case letters.
ucredit=#: Min # of upper case letters.
dcredit=#: Min # of digits.
ocredit=#: Min # of other chars.

Password Aging
Configure /etc/login.defs before creating accounts.
PASS_MAX_DAYS: Max # of days before password expires.
PASS_MIN_DAYS: Min # of days before user can change pw.
PASS_WARN_AGE: # of days for pw change notice given.
Also configure /etc/default/useradd
INACTIVE: # of days after pw expiration that account is disabled.
EXPIRE: Account expiration date in format YYYY-MM-DD.
Remember old passwords with pam_unix.so
Prevents users from changing password back to old value.
Modify /etc/pam.d/system-auth
Disable Unnecessary Accounts
/etc/passwd contains application accounts.
Delete unnecessary application accounts.
Common ex: uucp, games, gdm, xfs, rpcuser, rpc
All should have locked passwords.
Set shell to /bin/noshell or /bin/false.
Disable user accounts immediately on termination of employment.

Disabling Remote Access
Disable cleartext protocols
telnet, ftp, rsh, rlogin
Disable root access via ssh.
Set PermitRootLogin to no in sshd_config
Remove root non-terminal consoles
Set in /etc/securetty
Disable password access via ssh
Use keys instead.

sudo
Login as root only for single-user mode.
Use sudo instead of su.
sudo command
Advantages:
Uses user password instead of root's password.
Logs who executed what commands as root.
Can delegate limited powers to some users.

Jails
Complete isolation: virtual machines.
Partial isolation: chroot
chroot /var/httpd httpd
chroot filesystem needs:
/var/httpd/etc: limited /etc/{passwd,shadow,group}
/var/httpd/usr/lib: shared libraries
/var/httpd/bin: extra binaries
/var/httpd/var/log: log space
/var/httpd/tmp: temporary space

Check Logs
Review logs every morning.
Better yet, have a program scan
them.
Send logs to a central server for
security: attacker can't hide tracks by deleting them
ease of use: you can read all logs in one place

Firewalls and Intrusion Prevention Systems
effective means of protecting LANs
internet connectivity essential for organization and individuals
but creates a threat
could secure workstations and servers
also use firewall as perimeter defence
single choke point to impose security

Firewall Capabilities & Limits
capabilities:
defines a single choke point
provides a location for monitoring security events
convenient platform for some Internet functions such as NAT, usage monitoring, IPSEC VPNs
limitations:
cannot protect against attacks bypassing firewall
may not protect fully against internal threats
improperly secured wireless LAN
laptop, PDA, portable storage device infected outside then used inside
Types of Firewalls (figure)

Packet Filtering Firewall
applies rules to packets in/out of firewall
based on information in packet header
src/dest IP addr & port, IP protocol, interface
typically a list of rules of matches on fields
if match, rule says whether to forward or discard packet
two default policies:
discard - prohibit unless expressly permitted
more conservative, controlled, visible to users
Packet Filter Rules (figure)

Packet Filter Weaknesses
weaknesses
cannot prevent attack on application bugs
limited logging functionality
do not support advanced user authentication
vulnerable to attacks on TCP/IP protocol bugs
improper configuration can lead to breaches
attacks
IP address spoofing, source route attacks, tiny fragment attacks
Stateful Inspection Firewall
reviews packet header information but also keeps info on TCP connections
typically have low, known port no for server and high, dynamically assigned client port no
simple packet filter must allow all return high port numbered packets back in
stateful inspection packet firewall tightens rules for TCP traffic using a directory of TCP connections
only allow incoming traffic to high-numbered ports for packets matching an entry in this directory
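Added example (not from the slides): a Python model of both firewall types, showing why the simple packet filter must open every high-numbered port to inbound traffic while the stateful filter admits only replies to connections it has recorded. Addresses, ports and rules are constructed; the LAN is taken to be 192.0.2.0/24.

```python
"""Packet filter simulator: stateless rule list vs stateful inspection.

Added example, not from the slides. Rules and addresses are constructed for
illustration; "LAN" is 192.0.2.0/24 and the outside hosts are documentation
addresses. Default policy is discard: prohibit unless expressly permitted.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("192.0.2.0/24")
HIGH = (1024, 65535)        # dynamically assigned client ports

@dataclass(frozen=True)
class Packet:
    direction: str          # "in" = arriving from the Internet, "out" = leaving the LAN
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False       # TCP SYN without ACK, i.e. a connection-opening packet

@dataclass(frozen=True)
class Rule:
    direction: str
    src: ipaddress.IPv4Network
    sport: Tuple[int, int]  # inclusive port range
    dst: ipaddress.IPv4Network
    dport: Tuple[int, int]
    action: str             # "permit" or "discard"

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and ipaddress.ip_address(p.src) in self.src
                and self.sport[0] <= p.sport <= self.sport[1]
                and ipaddress.ip_address(p.dst) in self.dst
                and self.dport[0] <= p.dport <= self.dport[1])

def stateless_filter(rules: List[Rule], p: Packet, default: str = "discard") -> str:
    """Simple packet filter: first matching rule decides, otherwise the default policy."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default

class StatefulFilter:
    """Same rules plus a directory of TCP connections opened from inside.

    Inbound packets are accepted only when a rule permits them or they belong
    to a connection already in the directory."""
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.connections: Set[Tuple[str, int, str, int]] = set()

    def filter(self, p: Packet) -> str:
        if p.direction == "in" and (p.dst, p.dport, p.src, p.sport) in self.connections:
            return "permit"                       # reply to a connection we saw opened
        verdict = stateless_filter(self.rules, p)
        if verdict == "permit" and p.direction == "out" and p.syn:
            self.connections.add((p.src, p.sport, p.dst, p.dport))
        return verdict

# Policy: LAN clients may reach web servers on port 80. Because client ports are
# dynamic, the stateless version must also open every high port to inbound
# traffic that claims to come from port 80.
WEB_OUT = Rule("out", LAN, HIGH, ANY, (80, 80), "permit")
WEB_REPLY_IN = Rule("in", ANY, (80, 80), LAN, HIGH, "permit")   # stateless filter only
STATELESS_RULES = [WEB_OUT, WEB_REPLY_IN]
STATEFUL_RULES = [WEB_OUT]

def demo() -> dict:
    """Verdicts for a request, its reply, and an unsolicited inbound packet."""
    request = Packet("out", "192.0.2.10", 40000, "198.51.100.5", 80, syn=True)
    reply = Packet("in", "198.51.100.5", 80, "192.0.2.10", 40000)
    unsolicited = Packet("in", "203.0.113.7", 80, "192.0.2.10", 40001)  # nobody asked for this
    stateful = StatefulFilter(STATEFUL_RULES)
    return {
        "stateless": [stateless_filter(STATELESS_RULES, p) for p in (request, reply, unsolicited)],
        "stateful": [stateful.filter(p) for p in (request, reply, unsolicited)],
    }
```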
Application-Level Gateway
acts as a relay of application-level traffic
user contacts gateway with remote host name
authenticates themselves
gateway contacts application on remote host and relays TCP segments between server and user
must have proxy code for each application
may restrict application features supported
more secure than packet filters
but have higher overheads
Circuit-Level Gateway
sets up two TCP connections, to an
inside user and to an outside host
relays TCP segments from one
connection to the other without
examining contents
hence independent of application logic
just determines whether relay is
permitted
typically used when inside users
trusted
may use application-level gateway
inbound and circuit-level gateway
outbound
hence lower overheads
SOCKS Circuit-Level Gateway
SOCKS v5 defined as RFC1928 to allow TCP/UDP applications to use firewall
components:
SOCKS server on firewall
SOCKS client library on all internal hosts
SOCKS-ified client applications
client app contacts SOCKS server, authenticates, sends relay request
server evaluates & establishes relay connection
UDP handled with parallel TCP control channel
Firewall Basing
Several options for locating firewall:
Bastion host
Individual host-based firewall
Personal firewall

Bastion Hosts
critical strongpoint in network
hosts application/circuit-level gateways
common characteristics:
runs secure O/S, only essential services
may require user auth to access proxy or host
each proxy can restrict features, hosts accessed
each proxy small, simple, checked for security
each proxy is independent, non-privileged
limited disk use, hence read-only code
Host-Based Firewalls
used to secure individual host
available in/add-on for many O/S
filter packet flows
often used on servers
advantages:
tailored filter rules for specific host needs
protection from both internal / external attacks
additional layer of protection to org firewall

Personal Firewall
controls traffic flow to/from PC/workstation
for both home or corporate use
may be software module on PC
or in home cable/DSL router/gateway
typically much less complex
primary role to deny unauthorized access
may also monitor outgoing traffic to detect/block worm/malware activity

Firewall Locations (figure)

Virtual Private Networks (figure)

Distributed Firewalls (figure)

Firewall Topologies
host-resident firewall
screening router
single bastion inline
single bastion T
double bastion inline
double bastion T
distributed firewall configuration

Intrusion Prevention Systems (IPS)
recent addition to security products which
inline net/host-based IDS that can block traffic
functional addition to firewall that adds IDS capabilities
can block traffic like a firewall
using IDS algorithms
may be network or host based

Host-Based IPS
identifies attacks using both:
signature techniques
malicious application packets
anomaly detection techniques
behavior patterns that indicate malware
can be tailored to the specific platform
e.g. general purpose, web/database server specific
can also sandbox applets to monitor behavior
may give desktop file, registry, I/O protection

Network-Based IPS
inline NIDS that can discard packets or terminate TCP connections
uses signature and anomaly detection
may provide flow data protection
monitoring full application flow content
can identify malicious packets using:
pattern matching, stateful matching, protocol anomaly, traffic anomaly, statistical anomaly
cf. SNORT inline can drop/modify packets
Unified Threat Management Products (figure)

Security Scanning
Scan host security
Run bastille on host.
Scan network security
Scan for open ports with nmap.
Scan for vulnerabilities with nessus.

Intrusion Detection
Host-based intrusion detection
Check if system files are modified.
Check for config / process modifications.
Tools: tripwire, osiris, samhain
Network-based intrusion detection
NIDS = Sniffer + traffic analysis + alert system.
Check for suspicious activities: port scans, etc.
Check for attack signatures: worms, etc.
Tools: snort, AirSnort
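Added example (not from the slides): a minimal file-integrity check of the kind tripwire, osiris and samhain perform for host-based intrusion detection, hashing a baseline and reporting modified, added and removed files. The directory tree it checks is constructed in a temporary directory; on a real host the baseline belongs on read-only media or a remote host, since, as the Security Objectives slide notes, detection systems must themselves be protected from alteration.

```python
"""Minimal host-based file-integrity check (the idea behind tripwire, osiris, samhain).

Added example, not from the slides. The 'system' it checks is a constructed
temporary directory; on a real host the baseline must be kept where an intruder
cannot rewrite it (read-only media or a remote host).
"""
import hashlib
import json
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

def fingerprint(path: Path) -> Dict[str, object]:
    """Content digest plus the metadata a rootkit is likely to touch."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.lstat()
    return {"sha256": h.hexdigest(),
            "mode": oct(stat.S_IMODE(st.st_mode)),   # catches new setuid / world-write bits
            "size": st.st_size}

def build_baseline(root: Path) -> Dict[str, Dict[str, object]]:
    """Fingerprint every regular file under root, keyed by relative path."""
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and not p.is_symlink()}

def compare(baseline: Dict[str, Dict[str, object]],
            current: Dict[str, Dict[str, object]]) -> Dict[str, List[str]]:
    """Report what changed since the baseline was taken."""
    report: Dict[str, List[str]] = {"modified": [], "added": [], "removed": []}
    for name, fp in current.items():
        if name not in baseline:
            report["added"].append(name)
        elif fp != baseline[name]:
            report["modified"].append(name)
    report["removed"] = [n for n in baseline if n not in current]
    return report

def demo() -> Dict[str, List[str]]:
    """Take a baseline of a constructed mini system, change it, and diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed stand-in for /bin/ls\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "passwd").chmod(0o644)
        (root / "etc" / "shadow").write_text("root:$6$constructed$hash:16000:0:99999:7:::\n")
        # Save and reload the baseline as JSON, as a real tool would store it.
        baseline = json.loads(json.dumps(build_baseline(root)))
        # Constructed changes of the kind an intrusion leaves behind:
        (root / "bin" / "ls").write_bytes(b"\x7fELF replaced binary\n")   # system binary swapped
        (root / "etc" / "passwd").chmod(0o666)        # same content, now world-writable
        (root / "bin" / ".hidden").write_bytes(b"unexpected new file\n")
        (root / "etc" / "shadow").unlink()
        return compare(baseline, build_baseline(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```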
