System Hardening
Borrowed from the CLICS group
System Hardening
- How do we respond to problems? (e.g. operating system deadlock)
  - Detect
  - (Detect and) Terminate
  - Prevent
- Security Analogy
  - Better to prevent than try to clean up
System Hardening - Goals
- Prevent intrusion on a particular system
  - Note: idea can (and should) be applied to network as well
- Two main approaches
  - 1) Develop and ship in hardened state
  - 2) Harden after setup
Security Certification Levels
- Department of Defense, Trusted Computer System Evaluation Criteria (TCSEC)
  - Orange book – systems; Red book – systems/networks
  - Levels
    - Class D (minimal protection)
    - Class C1 (discretionary security protection)
    - Class C2 (controlled access protection)
    - Class B1 (labeled security protection)
    - Class B2 (structured protection)
    - Class B3 (security domains)
    - Class A1 (verified design)
1) Hardening Before Shipping
- System architecture should be designed to prevent attacks/intrusion
- Configured for high security as default
- System programmed defensively
  - assume any user could be unfriendly
- System is audited for security problems
- System built to contain known problems
- Examples – Operating System Level
  - OpenBSD (http://www.openbsd.org)
  - SELinux (http://www.nsa.gov/selinux)
2) Hardening After Delivery
- Techniques
  - Configuration
    - Changing system configuration to deal with security issues
  - Wrappers
    - Proxy programs that are run in place of actual program, check for certain problems before calling original program (which is moved to a non-public directory)
Wrapper Example
- TCP Wrappers (Linux)
  - Monitors and filters incoming requests for the SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other network services
  - Provides tiny daemon wrapper programs that can be installed without any changes to existing software or to existing configuration files
  - The wrappers report the name of the client host and of the requested service
  - Imposes no overhead on the actual conversation between the client and server applications
System Hardening Tools - Linux
- Example: bastille
  - http://www.bastille-linux.org
  - Script to help automate security changes in a number of areas (file transfer, mail, general configuration)
  - Bastille --assessment
- Certain actions still have to be done manually
- Be careful not to turn off needed services accidentally
  - E.g. Don’t disallow root access at console unless you have other accounts you can use to gain superuser status
System Hardening Tools (Windows)
- Microsoft Baseline Security Analyzer
  - More accurately a vulnerability analysis tool
  - But its notes contain links and information that are very useful in system hardening
  - Start/Programs/Microsoft Baseline Security Analyzer
- Tools for specific applications
  - E.g. Internet Information Server is a weak point
  - IIS Lockdown Tool
  - C:\Tools\IISLockD
Port/Service Closure - Linux
- GUI Interface Utilities
  - <RedHat icon> -> Server Settings -> Services
  - Choose run-level (e.g. 3: without X; 5: with X)
  - Remove services through checkboxes
- Manually
  - Directory hierarchy: /etc/rc.d
    - Subdirectories for different run-levels, main script directory (init.d)
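Added example (not from the original slides): a shell function for the manual route, which walks one run-level subdirectory of /etc/rc.d and lists every service with a start link (SNNname) that is not on an allowlist. The allowlist contents are a constructed sample, and RC_ROOT is a hypothetical override so the check can be pointed at a copy of the hierarchy.

```shell
#!/bin/sh
# Audit a SysV run-level directory for services that start but are not expected.
# RC_ROOT defaults to the /etc/rc.d hierarchy named on the slide.
RC_ROOT="${RC_ROOT:-/etc/rc.d}"
# Constructed sample allowlist; replace with the services this host needs.
ALLOWED="${ALLOWED:-network syslog sshd crond}"

# unexpected_services RUNLEVEL -> prints one unexpected service name per line
# Returns 2 if the run-level directory does not exist.
unexpected_services() {
    dir="$RC_ROOT/rc$1.d"
    if [ ! -d "$dir" ]; then
        echo "no such run-level directory: $dir" >&2
        return 2
    fi
    # Start links are named S<two digits><service>; K* (kill) links are ignored.
    for link in "$dir"/S[0-9][0-9]*; do
        [ -e "$link" ] || [ -L "$link" ] || continue   # glob matched nothing
        name=${link##*/S[0-9][0-9]}                    # S55sshd -> sshd
        case " $ALLOWED " in
            *" $name "*) ;;                            # expected, skip
            *) echo "$name" ;;                         # candidate for closure
        esac
    done
}

# Example: review run-levels 3 (without X) and 5 (with X) when run directly.
if [ "${1:-}" = "--report" ]; then
    for level in 3 5; do
        echo "run-level $level:"
        unexpected_services "$level" | sed 's/^/  /'
    done
fi
```

Review the output before disabling anything, in line with the slide's caution about turning off needed services accidentally.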
Port/Service Closure - Windows
- Add and remove services
  - Start/Programs/Administrative Tools/Services
- See processes currently running
  - Task Manager (ctrl-alt-del), Processes tab