BCS ISSG Linux Day Securing Linux

Slides:

Advertisements

Similar presentations

Network Security Essentials Chapter 11

Advertisements

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Computer Security: Principles and Practice

1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.

Winter CMPE 155 Week 7. Winter Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.

© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.

Security Firewall Firewall design principle. Firewall Characteristics.

Software Security Threats Threats have been an issue since computers began to be used widely by the general public.

Network Security Testing Techniques Presented By:- Sachin Vador.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

Web server security Dr Jim Briggs WEBP security1.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Computer Security: Principles and Practice

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Installing and Configuring a Secure Web Server COEN 351 David Papay.

Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.

University of Missouri System 1 Security – Defending your Customers from Themselves StateNets Annual Meeting February, 2004.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

LINUX Security, Firewalls & Proxies. Course Title Introduction to LINUX Security Models Objectives To understand the concept of system security To understand.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

SEC835 Database and Web application security Information Security Architecture.

1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.

Csci5233 Computer Security1 Bishop: Chapter 27 System Security.

Common Cyber Defenses Tom Chothia Computer Security, Lecture 18.

Module 14: Configuring Server Security Compliance

1 Chapter 20: Firewalls Fourth Edition by William Stallings Lecture slides by Lawrie Brown(modified by Prof. M. Singhal, U of Kentucky)

Network and Perimeter Security Paula Kiernan Senior Consultant Ward Solutions.

Chapter 12 Operating System Security Strategies The 2010 Australian Signals Directorate (ASD) lists the “Top 35 Mitigation Strategies” Over 85% of.

Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.

Training and Dissemination Enabling Grids for E-sciencE Jinny Chien, ASGC 1 Training and Dissemination Jinny Chien Academia Sinica Grid.

Module 14: Securing Windows Server Overview Introduction to Securing Servers Implementing Core Server Security Hardening Servers Microsoft Baseline.

1 Linux Security. 2 Linux is not secure No computer system can ever be "completely secure". –make it increasingly difficult for someone to compromise.

Vulnerability Scanning Vulnerability scanners are automated tools that scan hosts and networks for known vulnerabilities and weaknesses Credentialed vs.

Module 11: Designing Security for Network Perimeters.

Computer Security Risks for Control Systems at CERN Denise Heagerty, CERN Computer Security Officer, 12 Feb 2003.

Security fundamentals Topic 2 Establishing and maintaining baseline security.

IPv6 security for WLCG sites (preparing for ISGC2016 talk) David Kelsey (STFC-RAL) HEPiX IPv6 WG, CERN 22 Jan 2016.

Role Of Network IDS in Network Perimeter Defense.

Mr C Johnston ICT Teacher BTEC IT Unit 09 - Lesson 11 Network Security.

Web Server Security: Protecting Your Pages NOAA OAR WebShop 2001 August 2 nd, 2001 Jeremy Warren.

Securing a Host Computer BY STEPHEN GOSNER. Definition of a Host  Host  In networking, a host is any device that has an IP address.  Hosts include.

Chapter 12 Operating System Security. Possible for a system to be compromised during the installation process before it can install the latest patches.

Unit 2 Personal Cyber Security and Social Engineering Part 2.

Lecture 19 Page 1 CS 236 Online 6. Application Software Security Why it’s important: –Security flaws in applications are increasingly the attacker’s entry.

Microsoft OS Vulnerabilities April 1, 2010 MIS 4600 – MBA © Abdou Illia.

Working at a Small-to-Medium Business or ISP – Chapter 8

Critical Security Controls

Chapter 6 Application Hardening

CONNECTING TO THE INTERNET

Managing Secure Network Systems

Secure Software Confidentiality Integrity Data Security Authentication

Control system network security issues and recommendations

Introduction to Networking

NERC CIP Implementation – Lessons Learned and Path Forward

IS3440 Linux Security Unit 6 Using Layered Security for Access Control

* Essential Network Security Book Slides.

IS3440 Linux Security Unit 9 Linux System Logging and Monitoring

Chapter 27: System Security

Firewalls Jiang Long Spring 2002.

Web Servers / Deployment

Operating System Security

Linux Security.

Chapter 7 – and 8 pp 155 – 202 of Web security by Lincoln D. Stein

IS4680 Security Auditing for Compliance

Network hardening Chapter 14.

Welcome to all Participants

Convergence IT Services Pvt. Ltd

6. Application Software Security

Presentation transcript:

BCS ISSG Linux Day Securing Linux Peter SJF Bance CEng MBCS Rhye Internet Solutions Limited http://www.rhyeinternet.com/ 19 November 2018 © 2003 Rhye Internet Solutions Limited

© 2003 Rhye Internet Solutions Limited Overview Why harden? Default installations. How hard to be? Cost v benefit. First steps – audit and plan. Hardening Process: Removing unnecessary services Users and permissions Patching and configuration Advanced hardening – introduction Next steps – an ongoing process 19 November 2018 © 2003 Rhye Internet Solutions Limited

© 2003 Rhye Internet Solutions Limited Why Harden? With few exceptions, default Operating System installations expose unnecessary and dangerous services For example, in a typical RedHat 7.2 default installation (even without GUI components): ~16 open TCP ports, mostly unnecessary ~11 warnings produced by a basic Nessus scan ~2 serious holes identified by Nessus Without a hardening process being followed, data is at serious risk Vendors are beginning to assist in the hardening process, and so the manual effort involved is reducing Simply adding a firewall is almost never sufficient 19 November 2018 © 2003 Rhye Internet Solutions Limited

© 2003 Rhye Internet Solutions Limited How hard to be? The basic steps (removing unnecessary services and patching the rest) should always be followed How much further you go depends on: The machine’s purpose The user base (security v. convenience) The availability and capability of maintenance personnel (or you!) 19 November 2018 © 2003 Rhye Internet Solutions Limited

© 2003 Rhye Internet Solutions Limited Audit and Plan Identify exactly what you have on your system, in as much detail as possible Identify your aims (see the previous slide) Plan the process: What services can be removed without impacting functionality (what is the machine’s purpose)? How should the remaining services be configured? What user accounts are required on the system? What permissions should each user be granted? Are there any additional known threats to your system that need countermeasures? E.g. exposure to curious minds (University?!) 19 November 2018 © 2003 Rhye Internet Solutions Limited

Hardening Process – Services As much hardening as possible should be performed before connecting to a network or the Internet Based on your assessment of the machine’s purpose, remove unnecessary services and other software On the RH 7.2 system mentioned earlier, intended as a simple static Web server: 64 packages removed using RPM (SMB, NFS, DHCP, etc.) 2 packages added (Apache and SSH) also using RPM Configure necessary services as securely as possible: Apply patches (inevitably necessary) – with RH, vendor-provided packages are updated reasonably rapidly Apply sensible configuration (e.g. disable SSH1 capability, reduce Apache header information, disable SMTP relay, etc.) 19 November 2018 © 2003 Rhye Internet Solutions Limited

Hardening Process – Users Without users, security would be simple, but unfortunately systems would be mostly useless  Only create necessary user accounts, and remove any unnecessary default ones Ensure all passwords are strong, either by issuing them yourself, or through regular audit Produce and publish a system security policy if relevant to your machine’s purpose Monitor activity as much as possible – unusual hours of access, exceptional disk usage, etc. Be the BOFH! System security is most commonly put at risk by unaware users – consider implementing a security awareness training programme. 19 November 2018 © 2003 Rhye Internet Solutions Limited

Hardening Process – Permissions Identify the rights and file-based permissions your users should have Identify the permissions your applications should have Even identify the permissions other systems should have when interacting with yours If unsure, it is far better to grant lower privileges than necessary and then increase them later than to have a system full of super-users from the outset Checking and altering file permissions system-wide can be onerous – consider implementing a chroot environment (jail) Never grant su or sudo privileges if you can avoid it 19 November 2018 © 2003 Rhye Internet Solutions Limited

© 2003 Rhye Internet Solutions Limited Other Risks Security is not just about Confidentiality and Integrity of information – Availability can also be crucial. Disaster Recovery and Business Continuity levels and plans should be defined and implemented. Security Awareness training becomes more important if users are easily susceptible to social engineering attacks. Dial-up remote control connections, FTP services, administration via Telnet, etc. – all should be carefully considered and alternatives found where possible. 19 November 2018 © 2003 Rhye Internet Solutions Limited

© 2003 Rhye Internet Solutions Limited Advanced Hardening Bear in mind Benefit v. Cost TCP Wrappers (e.g. hosts.deny/allow): A basic firewall Allow simple filtering of requests (e.g. by host) Application-level filtering: E.g. Apache mod_rewrite Proxy services Kernel modifications – e.g. IP stack tuning to reject particular requests Advanced authentication techniques (tokens, single-use passwords, etc.) Fake headers or identification of running services Tripwires, traps, WORM drives, Intrusion Detection, Firewalls, Bastions, Gateways, Proxies, Honey Pots, Counter attacks, Defense in Depth, Port Sentries, how far do you want to go?! Firewalling (IP Tables/Chains) and Intrusion Detection will be covered in other presentations Whatever you do beyond the basic steps, document everything, even if only for your own later reference! 19 November 2018 © 2003 Rhye Internet Solutions Limited

© 2003 Rhye Internet Solutions Limited Next Steps Security is not a state, it is a process. It is everyone’s responsibility, and is a state of mind. Most of all, it is a balance – a difficult balance between Risk, Benefit and Cost. Independent Audit or Penetration Test, BS7799 Accreditation – may all be worthwhile depending on your environment. Policies are as important as technical security - ensure your users know how you expect them to use the system, and how to protect it and themselves from malicious outsiders. Keep up-to-date – today’s vulnerability-free system is tomorrow’s sieve Change control – ensure you know what is being put on your system (what could your users do with PHP? Perl?) 19 November 2018 © 2003 Rhye Internet Solutions Limited

Summary Slides available later today from: Be secure – within reason! http://www.rhyeinternet.com/papers/issg-linux/ Be secure – within reason! 19 November 2018 © 2003 Rhye Internet Solutions Limited