
Arthur Petrosyan (arthur@sci.am)

Academic Scientific Research Network of Armenia (ASNET-AM)

Institute for Informatics and Automation Problems (IIAP) of the National Academy of Sciences of Armenia (NAS RA)

www.asnet.am www.sci.am

Network Security Practices for Research and Education Networks


Outline

ASNET-AM overview
Free and Open Source Software for RENs
Multiple layer ‘onion’ approach
Firewalls
IDS - Intrusion Detection Systems
Link-level security (Ssh, …)
VPN - virtual tunneling
Anti-SPAM
Host security
– TCP Wrappers
– Root Security
– Misc. Security Tips
– Tips to Secure your Apache Web Server
Security Analysis Tools
Conclusion


Academic Scientific Research Network of Armenia (ASNET-AM)

Largest REN in Armenia
Over 10 years of experience in IT Services & Networking
Distributed network in 4 cities of Armenia
Complex network infrastructure (fiber, copper, wireless, dial-up)
Wide range of Internet/Intranet network services
IT Training & Education


Use of Free and Open Source Software (FOSS) for RENs

Contrary to popular managerial belief, there is a plethora of reliable FOSS (OS, packages, utilities) for establishing, maintaining and monitoring secure systems and networks
Cost isn’t the only reason for using FOSS
RENs often tend to use FOSS for a number of other reasons (many packages required for scientific research are FOSS)
FOSS and proprietary software can work well together


Security issue

Security is unique to each user/company
Security is never 100%. A complete solution should contain three components: (1-Prevention, 2-Detection, 3-Reaction)
Different platforms – different issues (Cisco, UNIX, Linux, Windows NT/2000/Pro/98/ME/XP/2003, Novell, etc.)
Nothing is secure in the default “out of the box” configuration
Any system/application requires proper configuration


The onion approach

Network security is similar to an onion - both have multiple layers
Every layer depends on the next layer to provide integrity
Layered security is best
Even obscurity is one layer
The more layers, the better


Security Policy

The core of the security onion is having a good security policy
A good security policy includes:
– Appropriate OS choice and minimum installation
– Regular update of all critical programs
– OS patching
– Running an anti-virus, anti-spyware
– Enforcing good password policies
...


Firewall - first line of network security

(Diagram: External Networks (Internet) – Firewall – Internal network)

1. Hardware firewalls (Cisco, …)
2. Linux/UNIX based firewalls
Control the flow of information into and out of your network


IDS - Intrusion Detection Systems

IDS - a valuable part of the security scheme
“Burglar alarm system” for your network
Examples:
– Snort - the de facto standard for intrusion detection/prevention (http://www.snort.org/)
– DenyHosts - Python script to block SSH server brute force attacks (ASNET-AM: about 500 brute force attacks blocked monthly) (http://denyhosts.sourceforge.net/)
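The DenyHosts idea in shell, as an added example that is not code from the slides or from the DenyHosts project: constructed sshd log lines are counted per source address, and sources at or above a threshold become hosts.deny entries (the log lines, host name and addresses are all made up for the example).

```shell
#!/bin/sh
# Added example (not part of the slides or of DenyHosts): count failed sshd
# password attempts per source address from constructed auth-log lines and
# emit hosts.deny entries for sources at or above a threshold. This is the
# core of what DenyHosts automates against the live log.

# Constructed sample log lines; the addresses are documentation ranges.
SAMPLE_AUTH_LOG='Mar  3 10:01:12 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar  3 10:01:15 gw sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Mar  3 10:01:19 gw sshd[2105]: Failed password for root from 203.0.113.7 port 40141 ssh2
Mar  3 10:01:22 gw sshd[2107]: Failed password for root from 203.0.113.7 port 40150 ssh2
Mar  3 10:02:01 gw sshd[2110]: Accepted publickey for arthur from 192.168.10.5 port 51000 ssh2
Mar  3 10:02:30 gw sshd[2112]: Failed password for arthur from 192.168.10.5 port 51010 ssh2
Mar  3 10:03:44 gw sshd[2115]: Failed password for invalid user test from 198.51.100.9 port 3333 ssh2'

# failed_by_ip LOG_TEXT -> "count ip" per source, busiest first.
# Only "Failed password" records count; successful logins are ignored.
failed_by_ip() {
    printf '%s\n' "$1" |
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
         }
         END { for (ip in fails) print fails[ip], ip }' |
    sort -rn
}

# deny_lines LOG_TEXT THRESHOLD -> hosts.deny lines for sources that reached
# the threshold. The single mistyped password from 192.168.10.5 stays below it.
deny_lines() {
    failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print "sshd: " $2 }'
}

# Print the entries DenyHosts would append to /etc/hosts.deny.
deny_lines "$SAMPLE_AUTH_LOG" 3
```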


Link-level security

Network connection encryption
Ssh – instead of Telnet
Sftp – instead of FTP
Stunnel - Universal SSL Wrapper (encapsulation for POP3, IMAP, LDAP, etc.)
SSL – for HTTP, where needed


VPN - virtual tunnelling

Many VPN realizations exist (PPTP, IPIP, GRE, PPP atop SSH, IPsec, FreeS/WAN, CIPE, etc.)
VTUN - simple, effective client-server tunnelling application with a wide spectrum of options
– IP, Serial (PPP, SLIP), Ethernet, Pipe tunnels, Encryption (BlowFish 128 bits), Compression (zlib, lzo), Traffic shaping, etc.
– Works both over TCP and UDP
– Uses the universal TUN/TAP device driver, which is already included in the kernel of most UNIX distributions
http://vtun.sourceforge.net/


Anti-SPAM

Blocking of unsolicited junk E-mail messages (SPAM)
– RBLs (Realtime Block List)
  • 11 RBLs proved to be effective at ASNET-AM: spamcop.net, spamhaus.org (sbl, xbl), dsbl.org, abuseat.org, spambag.org, dul.ru, ahbl.org, njabl.org, ordb.org, msrbl.net, dul.dnsbl.sorbs.net
– Spamassassin (www.spamassassin.org) - highly customizable open source tool
ASNET-AM current result: 95% of Spam is being blocked!


Host security - Basic tools

The actual hosts are a separate security layer
Ping/telnet/dig/host/traceroute/whois/netstat: while there are many complex high-tech tools out there to assist in security auditing, don't forget about the basics!
Every system administrator should be very familiar with these tools, as most of them come with operating systems by default
+ other FOSS tools:
– arpwatch - monitors your ARP tables and notifies you if and when a MAC/IP address pairing changes
– tcpdump, netwatch, iptraf, ettercap, ntop - realtime network protocol monitors


TCP Wrappers

TCP Wrapper – layer to monitor and control the server’s incoming TCP traffic on the application level
– Flexible, effective configuration (/etc/hosts.allow, /etc/hosts.deny)
– man 5 hosts_access
– TCP wrapper support (also called "libwrap support") is mostly compiled into the sshd binary
  • /etc/hosts.allow example:
    sshd: 192.168.
  • /etc/hosts.deny example:
    sshd: ALL
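How libwrap reads the two files above, as an added example written for this page (not the slides' or the TCP Wrappers project's code): the rule sets, daemon names and client addresses are constructed, and only the ALL, exact-address and trailing-dot prefix patterns that appear on the slide are implemented.

```shell
#!/bin/sh
# Added example (not part of the slides): emulation of the hosts_access(5)
# decision order libwrap applies: a hosts.allow match grants, otherwise a
# hosts.deny match refuses, otherwise access is granted. Only the forms on
# the slide are handled: ALL, exact IPv4 addresses and "192.168." prefixes.
# Constructed rule sets standing in for /etc/hosts.allow and /etc/hosts.deny.
HOSTS_ALLOW='sshd: 192.168.
sshd, in.ftpd: 10.0.0.5'
HOSTS_DENY='sshd: ALL
in.ftpd: ALL'

# pattern_matches PATTERN CLIENT_IP -> status 0 when the client matches.
pattern_matches() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;   # trailing dot: prefix
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# table_matches RULES DAEMON CLIENT_IP -> status 0 when any
# "daemon_list : client_list" line matches both daemon and client.
table_matches() {
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        for d in $(printf '%s' "${line%%:*}" | tr ',' ' '); do
            [ "$d" = "$2" ] || [ "$d" = ALL ] || continue
            for p in $(printf '%s' "${line#*:}" | tr ',' ' '); do
                pattern_matches "$p" "$3" && return 0
            done
        done
    done <<EOF
$1
EOF
    return 1
}

# hosts_access_decision DAEMON CLIENT_IP -> prints allow or deny.
hosts_access_decision() {
    if table_matches "$HOSTS_ALLOW" "$1" "$2"; then echo allow
    elif table_matches "$HOSTS_DENY" "$1" "$2"; then echo deny
    else echo allow    # nothing matched: libwrap's default is to grant
    fi
}

# smtpd has no deny rule, so it stays reachable: hence "ALL: ALL" in hosts.deny.
for d in sshd in.ftpd smtpd; do for c in 192.168.1.5 10.0.0.5 203.0.113.7; do
    printf '%-8s %-13s -> %s\n' "$d" "$c" "$(hosts_access_decision "$d" "$c")"
done; done
```

The last loop makes the slide's caveat visible: `sshd: ALL` in hosts.deny protects only sshd, so a daemon with no rule at all is still granted access.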


Root Security

No user must login directly as ‘root’
– ‘PermitRootLogin no’ in /etc/ssh/sshd_config
Administrators must login with their own accounts, and then use ‘su’ to become root. This ensures accountability.
A viable alternative to ‘su’ is the ‘sudo’ utility, which allows:
– Limited privileges for specified user accounts
– Actions that can be taken by these accounts
– Timeout for logged in users, so they have to re-authenticate in order to use ‘sudo’
• Set the ‘TMOUT’ shell variable (‘TMOUT=3600’ in /etc/profile)


Misc. Security Tips

Keep network services at a minimum (turn off unnecessary ports/apps)
– ‘netstat -nlpt’ to check current open ports/apps
Restrict access to:
– Mail server (access_db)
– Proxy server (ACLs)
Define and configure access to particular Web resources (.htaccess) by Username/Password/IP address (Apache HTTP Server AAA)
Ensure strong passwords on critical servers
Periodical audit of users/groups (remove/block inactive users)
Proper file/folder access
Use of “Private IP-networks” (RFC 1918) /10., 172.16., 192.168. addressing/ for internal networks
Consider the use of a remote log server & monitor the logs!
– Logging is useless without monitoring
Regular Backups


Example – Tips to Secure your Apache Web Server

Hide your Apache version
– ‘ServerTokens Prod’, ‘ServerSignature Off’ in httpd.conf
Disable TRACE and TRACK methods
Don’t store critical data on the WWW server itself if possible (reverse proxy or remote database)
Consider placing static content on a CD-ROM where possible
Run the Web server on a non-standard port where applicable
Control access to the Web server’s IP/port on the firewall level
On dual-homed hosts bind only to the required IP address
Non-trivial directory name for the Website CMS part (backend)
– http://mywebsite.domain.com/admin - bad choice
Secure directories by the Apache AAA mechanism (.htaccess) where applicable
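A quick check of the first two tips, as an added example that is not from the slides: two constructed httpd.conf fragments are audited for ServerTokens Prod, ServerSignature Off and, as the standard Apache 2.x way to disable TRACE, TraceEnable off (the hardened fragment also binds Listen to one constructed address, per the dual-homed host tip).

```shell
#!/bin/sh
# Added example (not part of the slides): audit an httpd.conf text for the
# hardening directives the slide lists. ServerTokens/ServerSignature are the
# slide's own directives; TraceEnable is the standard Apache 2.x directive for
# disabling the TRACE method (TRACK is not a method Apache implements).

# Constructed configurations: a default-like one and a hardened one.
WEAK_CONF='ServerTokens OS
ServerSignature On
Listen 80'
HARDENED_CONF='ServerTokens Prod
ServerSignature Off
TraceEnable off
Listen 192.168.10.2:80'

# directive_value CONF NAME -> last value set for NAME, lowercased
# (directive names are case-insensitive in Apache, so compare lowercased).
directive_value() {
    printf '%s\n' "$1" |
    awk -v name="$2" 'tolower($1) == tolower(name) { v = tolower($2) }
                      END { print v }'
}

# apache_audit CONF -> one finding per line; silent when all checks pass.
# A missing directive fails too: ServerTokens defaults to Full and
# TraceEnable to on, so the audit insists each be set explicitly.
apache_audit() {
    [ "$(directive_value "$1" ServerTokens)" = prod ] ||
        echo "ServerTokens is not Prod: Server header reveals version details"
    [ "$(directive_value "$1" ServerSignature)" = off ] ||
        echo "ServerSignature is not Off: error pages may reveal version details"
    [ "$(directive_value "$1" TraceEnable)" = off ] ||
        echo "TraceEnable is not off: TRACE method is enabled"
    return 0
}

# finding_count CONF -> number of findings (0 means hardened as listed).
finding_count() { apache_audit "$1" | grep -c . || :; }

apache_audit "$WEAK_CONF"
```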


Security Analysis Tools

New security tools appear on the Internet every day. Tools discussed here are a minuscule sample of all that is currently available.
Applications presented here have withstood the test of time and remain popular and viable security assessment tools today.
A vigilant system administrator should also download and try many other tools.
Knowing how these tools work will help to secure systems against attacks.


Conclusion

No one single security measure is a panacea
A combination of different methods works best
Nothing is 100% secure
Always proceed in these three ways:
1. Prevention
2. Detection
3. Reaction
Monitor your network continuously!


Thank You!

Arthur Petrosyan (arthur@sci.am)

Academic Scientific Research Network of Armenia (ASNET-AM)

www.asnet.am