Arthur Petrosyan (arthur@sci.am)
Academic Scientific Research Network of Armenia (ASNET-AM)
Institute for Informatics and Automation Problems (IIAP) of the National Academy of Sciences of Armenia (NAS RA)
www.asnet.am, www.sci.am

Network Security Practices for Research and Education Networks
Outline
- ASNET-AM overview
- Free and Open Source Software for RENs
- Multiple-layer "onion" approach
- Firewalls
- IDS - Intrusion Detection Systems
- Link-level security (SSH, ...)
- VPN - virtual tunnelling
- Anti-SPAM
- Host security
  – TCP Wrappers
  – Root security
  – Misc. security tips
  – Tips to secure your Apache web server
- Security analysis tools
- Conclusion
Academic Scientific Research Network of Armenia (ASNET-AM)
- Largest REN in Armenia
- Over 10 years of experience in IT services and networking
- Distributed network in 4 cities of Armenia
- Complex network infrastructure (fiber, copper, wireless, dial-up)
- Wide range of Internet/Intranet network services
- IT training and education
Use of Free and Open Source Software (FOSS) for RENs
- Contrary to popular managerial belief, there is a plethora of reliable FOSS (operating systems, packages, utilities) for establishing, maintaining and monitoring secure systems and networks
- Cost isn't the only reason for using FOSS
- RENs often use FOSS for a number of other reasons (many packages required for scientific research are FOSS)
- FOSS and proprietary software can work well together
Security issue
- Security issues are unique to each user/company
- Security is never 100%. A complete solution should contain three components: (1) prevention, (2) detection, (3) reaction
- Different platforms, different issues (Cisco, UNIX, Linux, Windows NT/2000/Pro/98/ME/XP/2003, Novell, etc.)
- Nothing is secure in the default "out of the box" configuration
- Any system/application requires proper configuration
The onion approach
- Network security is similar to an onion: both have multiple layers
- Every layer depends on the next layer to provide integrity
- Layered security is best; even obscurity is one layer; the more layers, the better
Security policy
- The core of the security onion is a good security policy
- A good security policy includes:
  – Appropriate OS choice and minimum installation
  – Regular update of all critical programs
  – OS patching
  – Running anti-virus and anti-spyware software
  – Enforcing good password policies ...
Firewall - first line of network security
[Diagram: External networks (Internet) -> Firewall -> Internal network]
1. Hardware firewalls (Cisco, ...)
2. Linux/UNIX-based firewalls
- Control the flow of information into and out of your network
IDS - Intrusion Detection Systems
- An IDS is a valuable part of a security scheme: a "burglar alarm system" for your network
- Examples:
  – Snort - the de facto standard for intrusion detection/prevention (http://www.snort.org/)
  – DenyHosts - Python script to block SSH server brute-force attacks (ASNET-AM: about 500 brute-force attacks blocked monthly) (http://denyhosts.sourceforge.net/)
Link-level security
- Network connection encryption:
  – SSH instead of Telnet
  – SFTP instead of FTP
  – Stunnel - universal SSL wrapper (encapsulation for POP3, IMAP, LDAP, etc.)
  – SSL for HTTP, where needed
VPN - virtual tunnelling
- Many VPN implementations exist (PPTP, IPIP, GRE, PPP over SSH, IPsec, FreeS/WAN, CIPE, etc.)
- VTUN - simple, effective client-server tunnelling application with a wide spectrum of options: IP, serial (PPP, SLIP), Ethernet and pipe tunnels; encryption (Blowfish, 128 bits); compression (zlib, lzo); traffic shaping, etc.
  – Works over both TCP and UDP
  – Uses the universal TUN/TAP device driver, which is already included in the kernel of most UNIX distributions
  – http://vtun.sourceforge.net/
Anti-SPAM
- Blocking unsolicited junk e-mail messages (SPAM)
  – RBLs (Realtime Block Lists): 11 RBLs proved to be effective at ASNET-AM: spamcop.net, spamhaus.org (sbl, xbl), dsbl.org, abuseat.org, spambag.org, dul.ru, ahbl.org, njabl.org, ordb.org, msrbl.net, dul.dnsbl.sorbs.net
  – SpamAssassin (www.spamassassin.org) - highly customizable open source tool
- ASNET-AM current result: 95% of spam is being blocked!
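How an RBL lookup is actually performed by a mail server, as an added example (not code from the slides or from any of the lists named above). The zone names and DNS answers are constructed, and the RFC 5782 sanity test guards against a decommissioned list that answers "listed" for every query:

```python
"""DNSBL (RBL) lookup as performed by an MTA or SpamAssassin.
Added example, not code from the slides or from any listed RBL. The client
IP is reversed octet-wise and prefixed to the list's zone; an A record in
127.0.0.0/8 means "listed", NXDOMAIN means "not listed". The resolver is
injected so the logic runs offline; FAKE_ANSWERS below are constructed.
"""
import ipaddress
import socket

def dnsbl_name(ip, zone):
    """'203.0.113.45' + 'sbl.example' -> '45.113.0.203.sbl.example'."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 address expected")
    return ".".join(reversed(octets)) + "." + zone

def live_resolver(name):
    """Real lookup (needs network): A record as a string, or None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def is_listed(answer):
    """Only answers inside 127.0.0.0/8 count as a listing."""
    return answer is not None and ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")

def zone_is_sane(zone, resolve):
    """RFC 5782 test entries: 127.0.0.2 must be listed, 127.0.0.1 must not be.
    A dead or wildcard zone that 'lists' everything fails; cache this result."""
    return (is_listed(resolve(dnsbl_name("127.0.0.2", zone)))
            and resolve(dnsbl_name("127.0.0.1", zone)) is None)

def check_sender(ip, zones, resolve=live_resolver):
    """Return the zones that list ip, skipping zones that fail the sanity test."""
    return [z for z in zones
            if zone_is_sane(z, resolve) and is_listed(resolve(dnsbl_name(ip, z)))]

# Constructed answers for an offline run; 'dead.example' answers everything.
FAKE_ANSWERS = {
    "2.0.0.127.sbl.example": "127.0.0.2",
    "45.113.0.203.sbl.example": "127.0.0.2",
    "2.0.0.127.clean.example": "127.0.0.2",
}

def fake_resolver(name):
    if name.endswith(".dead.example"):
        return "127.0.0.2"
    return FAKE_ANSWERS.get(name)
```

With the real resolver, pass the zone names from the slide (e.g. sbl.spamhaus.org) to check_sender; the sanity test costs two extra queries per zone, so cache its result per zone rather than repeating it for every message.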
Host security - basic tools
- The actual hosts are a separate security layer
- ping/telnet/dig/host/traceroute/whois/netstat: while there are many complex high-tech tools out there to assist in security auditing, don't forget about the basics! Every system administrator should be very familiar with these tools, as most of them come with operating systems by default
- Other FOSS tools:
  – arpwatch - monitors your ARP tables and notifies you if and when a MAC/IP address pairing changes
  – tcpdump, netwatch, iptraf, ettercap, ntop - real-time network protocol monitors
TCP Wrappers
- TCP Wrapper - a layer to monitor and control a server's incoming TCP traffic at the application level
  – Flexible, effective configuration (/etc/hosts.allow, /etc/hosts.deny)
  – man 5 hosts_access
  – TCP wrapper support (also called "libwrap support") is mostly compiled into the sshd binary
  • /etc/hosts.allow example:
    sshd: 192.168.
  • /etc/hosts.deny example:
    sshd: ALL
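The rule order behind the two example files, as an added model of how hosts_access(5) decides (not the slides' own code). It also shows the caveat that the slide's pair of files only protects sshd: a connection that matches neither file is allowed, so any other wrapped daemon stays open unless hosts.deny ends with "ALL: ALL":

```python
"""Model of the TCP Wrappers decision rule, hosts_access(5).
Added example, not code from the slides. tcpd/libwrap consults
/etc/hosts.allow first, then /etc/hosts.deny; a connection matching
neither file is ALLOWED. Client patterns supported here: ALL, trailing-dot
prefix (192.168.), net/mask (10.1.0.0/255.255.0.0), exact IP, and EXCEPT.
"""
import ipaddress
# Constructed sample files mirroring the slide's example rules.
HOSTS_ALLOW = "# sshd only from the campus LAN\nsshd: 192.168.\n"
HOSTS_DENY = "sshd: ALL\n"

def _match_daemon(token, daemon):
    return token == "ALL" or token == daemon

def _match_client(token, ip):
    if token == "ALL":
        return True
    if token.endswith("."):            # network prefix such as "192.168."
        return ip.startswith(token)
    if "/" in token:                   # dotted net/mask pair
        net, mask = token.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return token == ip

def _field_matches(field, value, matcher):
    """'a b, c EXCEPT d' matches when one of a, b, c matches and d does not."""
    include, _, exclude = field.partition(" EXCEPT ")
    hit = lambda part: any(matcher(t, value) for t in part.replace(",", " ").split())
    return hit(include) and not (exclude and hit(exclude))

def _file_matches(text, daemon, ip):
    """True if some 'daemon_list : client_list' line in text matches."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        if (_field_matches(daemons.strip(), daemon, _match_daemon)
                and _field_matches(clients.strip(), ip, _match_client)):
            return True
    return False

def hosts_access(daemon, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return True if libwrap would accept the connection, False if refused."""
    if _file_matches(allow, daemon, ip):
        return True
    if _file_matches(deny, daemon, ip):
        return False
    return True  # no rule matched: tcpd's default is to allow
```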
Root security
- No user must log in directly as 'root'
  – 'PermitRootLogin no' in /etc/ssh/sshd_config
- Administrators must log in with their own accounts and then use 'su' to become root. This ensures accountability.
- A viable alternative to 'su' is the 'sudo' utility, which allows:
  – Limited privileges for specified user accounts
  – Control over which actions these accounts may take
  – A timeout for logged-in users, so they have to re-authenticate in order to use 'sudo'
  • Set the 'TMOUT' shell variable ('TMOUT=3600' in /etc/profile)
Misc. security tips
- Keep network services to a minimum (turn off unnecessary ports/apps)
  – 'netstat -nlpt' to check currently open ports/apps
- Restrict access to:
  – Mail server (access_db)
  – Proxy server (ACLs)
- Define and configure access to particular web resources (.htaccess) by username/password/IP address (Apache HTTP Server AAA)
- Ensure strong passwords on critical servers
- Periodic audit of users/groups (remove/block inactive users)
- Proper file/folder access permissions
- Use of "private IP networks" (RFC 1918: 10., 172.16., 192.168. addressing) for internal networks
- Consider the use of a remote log server, and monitor the logs!
  – Logging is useless without monitoring
- Regular backups
Example - tips to secure your Apache web server
- Hide your Apache version
  – 'ServerTokens Prod', 'ServerSignature Off' in httpd.conf
- Disable the TRACE and TRACK methods
- Don't store critical data on the WWW server itself if possible (reverse proxy or remote database)
- Consider placing static content on a CD-ROM where possible
- Run the web server on a non-standard port where applicable
- Control access to the web server's IP/port at the firewall level
- On dual-homed hosts, bind only to the required IP address
- Use a non-trivial directory name for the website CMS part (backend)
  - http://mywebsite.domain.com/admin - bad choice
- Secure directories with the Apache AAA mechanism (.htaccess) where applicable
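An added offline check of the sshd_config and httpd.conf settings from the Root Security and Apache slides (example code, not from the presentation). The sample configurations are constructed; TraceEnable is Apache's own directive for the TRACE item, and the check also surfaces a common gotcha: sshd uses the first value of a repeated keyword, so appending 'PermitRootLogin no' below an earlier 'yes' changes nothing:

```python
"""Offline audit of hardening directives recommended on these slides.
Added example, not part of the original presentation. Parses the
'Directive value' syntax of sshd_config and httpd.conf ('#' comments;
<Directory>/Match blocks treated as global here). Caveat: sshd keeps the
FIRST value of a repeated keyword, Apache the LAST. Assumed defaults:
PermitRootLogin yes (OpenSSH before 7.0), ServerTokens Full,
ServerSignature Off, TraceEnable On (Apache directive, 2.0.55+/2.2+).
"""
def parse_directives(text, first_wins):
    """Map lower-cased directive name -> effective value."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):      # skip <Directory ...> style tags
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if first_wins and key in seen:
            continue
        seen[key] = parts[1].strip().strip('"') if len(parts) > 1 else ""
    return seen

def audit(text, policy, first_wins):
    """policy: {directive: (wanted, default)}; returns {directive: actual} for misses."""
    conf = parse_directives(text, first_wins)
    findings = {}
    for name, (want, default) in policy.items():
        actual = conf.get(name, default).lower()
        if actual != want:
            findings[name] = actual
    return findings

SSHD_POLICY = {"permitrootlogin": ("no", "yes")}
APACHE_POLICY = {"servertokens": ("prod", "full"), "serversignature": ("off", "off"),
                 "traceenable": ("off", "on")}
# Constructed samples. The appended 'no' does NOT take effect in sshd_config.
SSHD_CONFIG = "Port 22\nPermitRootLogin yes\nPermitRootLogin no\n"
HTTPD_CONF = """
ServerTokens OS
ServerSignature On
<Directory "/var/www">
    Options None
</Directory>
"""
def audit_sshd(text=SSHD_CONFIG):
    return audit(text, SSHD_POLICY, first_wins=True)

def audit_apache(text=HTTPD_CONF):
    return audit(text, APACHE_POLICY, first_wins=False)
```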
Security analysis tools
- New security tools appear on the Internet every day. The tools discussed here are a minuscule sample of all that is currently available.
- The applications presented here have withstood the test of time and remain popular and viable security assessment tools today.
- A vigilant system administrator should also download and try many other tools.
- Knowing how these tools work will help to secure systems against attacks.
Conclusion
- No single security measure is a panacea
- A combination of different methods works best
- Nothing is 100% secure
- Always proceed in these three ways:
  1. Prevention
  2. Detection
  3. Reaction
- Monitor your network continuously!
Thank You!
Arthur Petrosyan (arthur@sci.am)
Academic Scientific Research Network of Armenia (ASNET-AM)
www.asnet.am