Some Practical Security

Slides:

Advertisements

Similar presentations

Net security - budi rahardjo Overview of Network Security Budi Rahardjo CISCO seminar 13 March 2002.

Advertisements

Winter CMPE 155 Week 7. Winter Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.

System Security Scanning and Discovery Chapter 14.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Raw Sockets CS-480b Dick Steflik Raw Sockets Raw Sockets let you program at just above the network (IP) layer You could program at the IP level using.

James Tam Computer Security Concepts covered Malicious computer programs Malicious computer use Security measures.

Securing Network using Linux. Lesson Outline Setting up a secure system TCP Wrapper configuration Firewalls in Linux Authentication Systems –NIS –Kerberos.

Web server security Dr Jim Briggs WEBP security1.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Threats to I.T Internet security By Cameron Mundy.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

Kittiphan Techakittiroj (04/09/58 19:56 น. 04/09/58 19:56 น. 04/09/58 19:56 น.) Network Security (the Internet Security) Kittiphan Techakittiroj

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

E0: Unix System Administration AfNOG 2006 Nairobi, Kenya Security introduction Brian Candler Presented by Hervey Allen.

AIS, Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)

The Truth About Protecting Passwords COEN 150: Intro to Information Security Mary Le Carol Reiley.

Some Practical Security AfNOG 2004 Workshop Hervey Allen May 2004 Liberal borrowing from Brian Candler.

GOLD UNIT 4 - IT SECURITY FOR USERS (2 CREDITS) Thomas Jenkins.

Web Site Security Andrew Cormack JANET-CERT ©The JNT Association, 1999.

Lesson 20-Wireless Security. Overview Introduction to wireless networks. Understanding current wireless technology. Understanding wireless security issues.

Copyright ©: SAMSUNG & Samsung Hope for Youth. All rights reserved Tutorials The internet: Staying safe online Suitable for: Beginner.

Postfix Mail Server Postfix is used frequently and handle thousands of messages. compatible with sendmail at command level. high performance program easier-

Linux Networking and Security

CIS 450 – Network Security Chapter 14 – Specific Exploits for UNIX.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

1.1 1 Purpose of firewall : –Control access to or from a protected network; –Implements network access policy connections pass through firewall and are.

Topic 5: Basic Security.

Network Security Part III: Security Appliances Firewalls.

IT Security. What is Information Security? Information security describes efforts to protect computer and non computer equipment, facilities, data, and.

1 Security. 2 Linux is not secure No computer system can ever be "completely secure". –make it increasingly difficult for someone to compromise your system.

Security AFNOG 3 Workshop. Main Security Concerns ● Confidentiality ● Keeping our data safe from prying eyes ● Integrity ● Protecting our data from loss.

Security Discussion IST Retreat June IT Security Statement definition In the context of computer science, security is the prevention of, or protection.

CHAPTER 2 Laws of Security. Introduction Laws of security enable user make the judgment about the security of a system. Some of the “laws” are not really.

Computer Security By Duncan Hall.

Web Security Firewalls, Buffer overflows and proxy servers.

Intro to Network Security. Vocabulary Vulnerability Weakness that can be compromised Threat A method to exploit a vulnerability Attack Use of one or more.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

Securing a Host Computer BY STEPHEN GOSNER. Definition of a Host  Host  In networking, a host is any device that has an IP address.  Hosts include.

Lecture 12 Page 1 CS 136, Spring 2009 Network Security: Firewalls CS 136 Computer Security Peter Reiher May 12, 2009.

Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.

Lecture 9 Page 1 CS 236 Online Firewalls What is a firewall? A machine to protect a network from malicious external attacks Typically a machine that sits.

Common System Exploits Tom Chothia Computer Security, Lecture 17.

CSCE 548 Student Presentation By Manasa Suthram

CONNECTING TO THE INTERNET

Unit 4 IT Security.

The Linux Operating System

Instructor Materials Chapter 7 Network Security

Backdoor Attacks.

Secure Software Confidentiality Integrity Data Security Authentication

Computer Data Security & Privacy

Wireless Network Security

Firewall – Survey Purpose of a Firewall Characteristic of a firewall

Security introduction

Security in Networking

Chapter 27: System Security

What Makes a Network Vulnerable?

Firewalls Purpose of a Firewall Characteristic of a firewall

Firewalls Routers, Switches, Hubs VPNs

Firewalls Jiang Long Spring 2002.

Faculty of Science IT Department By Raz Dara MA.

Linux Security.

Chapter 7 – and 8 pp 155 – 202 of Web security by Lincoln D. Stein

Computer Security By: Muhammed Anwar.

Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

6. Application Software Security

Presentation transcript:

Some Practical Security ngNOG 07 Workshop

Main Security Concerns Confidentiality Keeping our data safe from prying eyes Integrity Protecting our data from loss or unauthorised alteration Authentication and Authorisation Is this person who they claim to be? Is this person allowed to do this? Availability Are our systems working when we need them? (Denial of Service)

Basic steps to securing a server Run only the services you plan on using. Use only the services that are necessary. Stay up-to-date and patch services as needed. Use secure passwords and force your users to use them. Restrict root access to a minimal set of services. Restrict access to services via tcpwrappers if appropriate. Restrict access to your box using IP Firewall services (ipfw). Log events and understand your logs. Install intrusion detection software. Back up your server's data! Think about physical security. Don't forget about your clients.

Some useful web links The FreeBSD Handbook Security Section http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/security.html FreeBSD Website “intrusion detection” Software http://www.freebsd.org/cgi/ports.cgi?query=intrusion+detection&stype=all FreeBSD Security Notifications Mailing List http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications Security Documents from nsrc.org http://nsrc.org/security/ and http://nsrc.org/freebsd-tips.html CERT (Coordinated Emergency Response Team) http://www.cert.org/ and http://www.us-cert.gov/cas/index.html SANS Computer Security and Mailing Lists http://www.sans.org/ and http://www.sans.org/newsletters/risk/ Nice List of Security Resources for Linux/UNIX http://www.yolinux.com/TUTORIALS/LinuxSecurityTools.html Nessus Security Auditing Package http://nessus.org/

Security implications of connecting to the Internet The Internet lets you connect to millions of hosts but they can also connect to you! Many points of access (e.g. telephone, cyber-cafe) even if you can trace an attack to a point on the Internet, the real source may be untraceable Your host runs many Internet services many potential points of vulnerability many servers run as "root" !

Network-based attacks Passive attacks e.g. packet sniffers, traffic analysis (dsniff) Active attacks e.g. connection hijacking, IP source spoofing, exploitation of weaknesses in IP stack or applications Denial of Service attacks e.g. synflood “Man in the middle” attacks Hijacking services Attacks against the network itself e.g. smurf

Other common attacks Brute-force and Dictionary attacks (password guessing) Viruses Trojan horses (in the form of emails). Humans are often the weakest link "Hi, this is Bob, what's the root password?"

Authentication: Passwords Can be guessed If too complex, users tend to write them down If sent unencrypted, can be "sniffed" from the network and re-used

Choosing good passwords Combinations of upper and lower-case letters, numbers and symbols 'brute force' attacker has to try many more combinations Not in any dictionary, including hackers dictionaries $40&yc4f "Money for nothing and your chicks for free" wsR!vst? "workshop students aRe not very sleepy today ?"

Authentication: Host name Very weak DNS is easily attacked (e.g. by loading false information into cache) Slight protection by ensuring that reverse and forward DNS matches e.g. Connection received from 84.201.255.1 Lookup 84.201.255.1 -> noc.ws.afnog.org Lookup noc.ws.afnog.org -> 84.201.255.1 This is why many sites won't let you connect unless your forward and reverse matches

Cryptographic methods Can provide REALLY SECURE solutions to authentication, privacy and integrity Some are hard to implement, many different tools, usually requires special clients, but becoming much more widespread. Export and usage restrictions (less of a problem these days) Take care to understand where weaknesses lie, like “Man in the Middle”, “entropy with random numbers”, etc.

Simple combinations The lock on your front door can be picked Two locks are better than one The thief is more likely to try somewhere else

IP source address AND password authentication You can use "tcp wrappers" (/etc/hosts.allow) to add IP source authentication to any service run from inetd For info and examples: man 5 hosts_access The application also typically has password authentication

Exercise Enable telnet (note: bad idea!) Uncomment telnet ... tcp line in /etc/inetd.conf killall -1 inetd Check other people can telnet to your machine Now restrict access to only yourself and your neighbour Add two lines to top of /etc/hosts.allow telnetd : 84.201.31.12, 84.201.31.13 : allow telnetd : ALL : deny Get someone on a different row to try to telnet to you. What happens if you telnet to 127.0.0.1 ?

UNDERSTAND what you're doing A bad security solution is worse than no security at all Know what you're doing Read all the documentation Read sample configurations Build test machines Ask questions Join the announcements mailing list for your O/S and applications Test what you've done Try connecting from outside your network Try circumventing your own rules For instance: Windows vs. UNIX. Securing a box.

Practical UNIX security As part of the books for this class you've been given: Practical Unix & Internet Security, 3rd Edition http://www.oreilly.com/catalog/puis3/index.html There are many other useful publications at: http://www.oreilly.com/ http://www.aw-bc.com/catalog/academic/discipline/0,,69948,00.html Be sure to take advantage of this book to learn about the philosophy of security, particularly in the UNIX world.

Summary Disable all services which are not needed Apply security patches promptly; join the announcement mailing lists Good password management Combine passwords with IP access controls where possible Use cryptographic methods where possible Understand what it is that you are doing!