Linux-kernel security enhancements Karri Huhtanen.

Slides:

Advertisements

Similar presentations

Software Bundle ViPNet Secure Remote Access Arrangement using ViPNet Mobile © Infotecs.

Advertisements

Linux on commodity network H/W Josh Parsons LUGOD talk August 15 th 2005.

Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)

SmartSoft Network Solutions, Inc.  Project Presentation  21/12/2005.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 7 Working with Proxy Servers & Application-Level Firewalls By Whitman, Mattord,

Working with Proxy Servers and Application-Level Firewalls Chapter 5.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Jonas Lippuner. Overview IPCop  Introduction  Network Structure  Services  Addons Installing IPCop on a SD card  Hardware  Installation.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Firewall and Proxy Server Director: Dr. Mort Anvari Name: Anan Chen Date: Summer 2000.

Chapter 7: Working with Proxy Servers & Application-Level Firewalls

Linux Security.

ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.

Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.

PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.

1 Enabling Secure Internet Access with ISA Server.

AN INTRODUCTION TO LINUX OPERATING SYSTEM Zihui Han.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

1 The SpaceWire Internet Tunnel and the Advantages It Provides For Spacecraft Integration Stuart Mills, Steve Parkes Space Technology Centre University.

AIS, Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)

Databases and the Internet. Lecture Objectives Databases and the Internet Characteristics and Benefits of Internet Server-Side vs. Client-Side Special.

Linux Networking and Security Chapter 11 Network Security Fundamentals.

Version 4.0. Objectives Describe how networks impact our daily lives. Describe the role of data networking in the human network. Identify the key components.

Information Assurance Research Group 1 NSA Security-Enhanced Linux (SELinux) Grant M. Wagner Information Assurance.

Chapter 37 Network Security. Aspects of Security data integrity – data received should be same as data sent data availability – data should be accessible.

Supercomputing Communications Data NCAR Scientific Computing Division NETS 12/10/ Network Engineering & Telecommunications Section Update Jim Van.

Fundamentals of Information Systems, Second Edition 1 Telecommunications, the Internet, Intranets, and Extranets.

Windows XP Professional Features ©Richard L. Goldman February 5, 2003.

LOGO Hardware side of Cryptography Anestis Bechtsoudis Patra 2010.

1 FAQ’S ABOUT WAP Presented By Abhilash Pillai CSCI 5939-Independent Study.

Linux Networking and Security

Chapter 17 Internetworking: Concepts, Architecture, and Protocols

Access Control. What is Access Control? The ability to allow only authorized users, programs or processes system or resource access The ability to disallow.

Communication Systems The Internet The largest wide area network in the world. It is made up of thousands of linked networks. What.

Operating System What is an Operating System? A program that acts as an intermediary between a user of a computer and the computer hardware. An operating.

CIS 450 – Network Security Chapter 14 – Specific Exploits for UNIX.

Copyright © cs-tutorial.com. Overview Introduction Architecture Implementation Evaluation.

Privacy, Confidentiality, and Security Component 2/Unit 8c.

Firewall Security.

1.1 1 Purpose of firewall : –Control access to or from a protected network; –Implements network access policy connections pass through firewall and are.

Data Communications and Networks Chapter 10 – Network Hardware and Software ICT-BVF8.1- Data Communications and Network Trainer: Dr. Abbes Sebihi.

“ Vulnerabilities in SNMP Implementations ” CSCI Web Security Instructor: Dr. Andrew Yang Presented By: Harini Varatharajan.

Network Security Part III: Security Appliances Firewalls.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 2 ver.2 Module 8 City College.

Lesson 19-E-Commerce Security Needs. Overview Understand e-commerce services. Understand the importance of availability. Implement client-side security.

Lecture 18 Page 1 CS 111 Online OS Use of Access Control Operating systems often use both ACLs and capabilities – Sometimes for the same resource E.g.,

Virtual Private Network. ATHENA Main Function of VPN  Privacy  Authenticating  Data Integrity  Antireplay.

Fundamentals of Information Systems, Second Edition 1 Telecommunications, the Internet, Intranets, and Extranets.

Wireless and Mobile Security

Firewalls2 By using a firewall: We can disable a service by throwing out packets whose source or destination port is the port number for that service.

IT Ess I v.4x Chapter 1 Cisco Discovery Semester 1 Chapter 8 JEOPADY Q&A by SMBender, Template by K. Martin.

POS 355 OUTLET The learning interface/pos355outletdotcom.

Securing a Host Computer BY STEPHEN GOSNER. Definition of a Host  Host  In networking, a host is any device that has an IP address.  Hosts include.

Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.

Open source IP Address Management Software Review

WARCS (Wide Area Remote Control for SPring-8)‏ A. Yamashita and Y.Furukawa SPring-8, Japan Control System Cyber-Security Workshop (CS)2/HEP Oct

Project SCS a lightweight source control system for Windows platforms.

SE Linux Implementation Russell Coker. What is SE Linux? A system for Mandatory Access Control (MAC) based on the Linux Security Modules (LSM) framework.

Háló Deloitte CRS Jailbreak & Behind.

Chapter 6 Application Hardening

FTP - File Transfer Protocol

Chapter 2: The Linux System Part 1

Cengage Learning: Computer Networking from LANs to WANs

NSA Security-Enhanced Linux (SELinux)

Presentation transcript:

Linux-kernel security enhancements Karri Huhtanen

Why? ● Linux is used more and more in network appliances, routers and other critical systems. ● Critical systems like these often cannot be upgraded and rebooted instantly when new security hole and fix is found. ● Plain vanilla Linux kernel and system is very vulnerable compared to specialized router operating systems because of the basic Unix kernel security features. ● Linux kernel has no encryption support for securing communications or data in plain vanilla kernel (at least yet) ● Thus there is a need for hardened Linux kernel and security enhancements

How? ● Designed security architecture needed – just closing security holes is not the solution ● Buffer overflow & memory protection/restrictions, “sandboxes” for services, processes and users ● Resource restrictions/limitations within kernel or outside (e.g. Fork bomb protection, firewall rules that limit the number of open connections etc.) ● Mandatory Access Controls (“Root has too much power”), subject/object - model based access control ● Logging, traceability of actions, integrity checks ● Hiding existence i.e. network transparency ● Communications / data encryption support (e.g. IPSEC stack, filesystem encryption)

Integrity and Access Control ● NSA Security-Enhanced Linux ( ) – A result of several NSA security research projects, from design to implementation approach – “Security-enhanced Linux is only a research prototype that is intended to demonstrate mandatory controls in a modern operating system like Linux and thus is very unlikely to meet any interesting definition of secure system.” -- NSA SELinux FAQ – A starting point and a theoretical model for future kernel development and Linux Security Module work ( ) ● LIDS ( ) – “Root has too much power.” – Access Control List implementation patch for Linux kernel – file/process protection and capabilities control – An opensource community's equivalent of NSA SELinux? ● grsecurity ( ) – A large collection of security enhancement patches for Linux kernel – Buffer overflow/memory protections, ACLs for files/sockets/consoles/processes/whatever,, logging, resource restrictions/limits, network invisibility/OS signature hiding etc.

Communications and Data Encryption ● FreeS/WAN IPSEC stack: – WWW site: – X.509 certificate support: – The leading free open source Linux IPSEC stack, commercial IPSEC stacks available for network appliance developers available from for example SSH Communications, SecGo, (F- Secure?) – Advantages: free, open source, available for all, (cheap), interoperable – Disadvantages: no management software, only 3DES encryption, limited hardware encryption and modern IP technologies support ● International Crypto API for GNU/Linux: – WWW site: sourceforge.net/projects/cryptoapi/ – Provides kernel modules for creating encrypted loopback devices to encrypt for example your home partition – Based on international crypto patch for GNU/Linux – Advantages: free, open source, available for all, cheap, several encryption algorithms implemented (blowfish, AES etc.) – Disadvantages: documentation, encryption of whole disk/swap is not possible

About this presentation and report ● This presentation will be soon added in several formats in: iki.fi/khuhtanen/interests/security/ ● The report, which presents these security enhancements in detail will be published on the same web page. ● The report will also most likely contain a report of the practical experiment where some or all of the presented security enhancements are combined in single kernel. The success or failure of this experiment as well as the succesful/failing combination is documented in the report. ● Questions? Suggestions of things to note in the report?