IS3440 Linux Security
Unit 6: Using Layered Security for Access Control
Class Agenda 4/20/16
Covers Chapter 7
Learning Objectives
Discussion on Lab Activities. Lab will be performed in class.
Break times as per school regulations.
Learning Objective
Assess how a firewall, Transmission Control Protocol (TCP) Wrappers, and Security-Enhanced Linux (SELinux) complement one another to secure network applications.
Key Concepts
- Basic layered security concepts of a Linux infrastructure
- Firewall with iptables
- Application layer security with TCP Wrappers
- Benefits of mandatory access control (MAC) with SELinux
EXPLORE: CONCEPTS
SELinux
Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) security mechanism implemented in the kernel.
SELinux follows the model of least privilege more closely than the standard discretionary access controls.
Modes of SELinux
SELinux has three basic modes of operation:
- Disabled: SELinux is turned off.
- Permissive: SELinux is enabled but does not enforce the security policy; it only warns and logs actions. Used for troubleshooting.
- Enforcing: The default mode, which enables and enforces the SELinux security policy on the system.
To temporarily turn off SELinux enforcement for troubleshooting, issue the setenforce 0 command (this switches the system to permissive mode). To turn enforcement back on, issue the setenforce 1 command.
Common SELinux Commands
- chcon: change the security context of a file or files
- id -Z: show the current user context
- ls -Z: show the context of a file or files
Refer to Table 7-2 on pages 203–204 of the textbook for other SELinux commands.
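A setenforce 0 issued for troubleshooting does not survive a reboot, but it is also easy to forget; the script below (an added example, not from the slides) compares the mode configured in /etc/selinux/config with the mode currently in effect. The config path and the runtime mode can be passed as arguments, which is how it is exercised offline; treating a missing getenforce as "disabled" is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the slides): detect drift between the SELinux mode
# set at boot (SELINUX= in /etc/selinux/config) and the mode in effect now
# (getenforce), e.g. a leftover "setenforce 0" on a host configured enforcing.

# configured_mode [CONFIG]: print the SELINUX= value in lower case.
configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' \
        "${1:-/etc/selinux/config}" | tail -n 1 | tr 'A-Z' 'a-z'
}

# runtime_mode: what the kernel applies right now (Enforcing/Permissive/Disabled).
# Assumption of this example: no getenforce binary means SELinux is not present.
runtime_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr 'A-Z' 'a-z'
    else
        echo disabled
    fi
}

# selinux_mode_drift [CONFIG] [RUNTIME]: return 0 when boot configuration and
# runtime agree, 1 when they differ (e.g. config enforcing, runtime permissive).
# Note that a host booted with SELINUX=disabled cannot be switched to
# enforcing with setenforce; it needs the config change and a reboot.
selinux_mode_drift() {
    want=$(configured_mode "${1:-/etc/selinux/config}")
    have=${2:-$(runtime_mode)}
    if [ "$want" = "$have" ]; then
        echo "SELinux: $have (matches boot configuration)"
        return 0
    fi
    echo "SELinux drift: running $have, boot configuration says $want" >&2
    return 1
}
```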
EXPLORE: PROCESSES
Network Services Security
Controlling access to network services is one of the most important security tasks facing a server administrator.
- The iptables-based firewall filters out unwelcome network packets.
- TCP Wrappers add an additional layer of protection by defining which hosts are or are not allowed to connect to "wrapped" network services.
iptables
Advanced tool for network packet filtering.
- Kernel versions prior to 2.4 relied on ipchains for packet filtering.
- The 2.4 kernel introduced iptables (built on the kernel's netfilter framework).
- iptables is the administration tool for IPv4 packet filtering and NAT.
Designing a Firewall
Step 1: Turn on the firewall.
Step 2: List the current rules using the iptables -L command.
Step 3: Check whether rules that should be cleared are in place. If yes, flush the current rules using the iptables -F command; if no, continue.
Step 4: Write firewall rules for the INPUT, OUTPUT, and FORWARD chains.
Step 5: Save the new rules using the iptables-save command.
TCP Wrappers Package
The TCP Wrappers package (tcp_wrappers) is installed by default and provides host-based access control to network services.
Advantages over other network service control techniques:
- Transparency to both the client and the wrapped network service
- Centralized management of multiple protocols
TCP Wrappers Configuration Files
To determine whether a client is allowed to connect to a service, TCP Wrappers reference the following two files, commonly referred to as the hosts access files:
/etc/hosts.allow
/etc/hosts.deny
Creating TCP Wrapper Rules
The TCP Wrapper rules on the next two slides are created to allow Secure Shell (SSH) access from hosts in the fictitious domain is418.com. They also log every granted access with a message and date while denying access to all other hosts.
Creating TCP Wrapper Rules (Continued)
Step 1: Open the /etc/hosts.allow file using a text editor.
Step 2: Type the following rule to allow and log access from the is418.com domain (the first field is the server process name, sshd, and must match the name used in hosts.deny):
sshd: .is418.com: spawn /bin/echo `/bin/date` ssh access granted >> /var/log/sshd.log
Step 3: Save and exit.
Creating TCP Wrapper Rules (Continued)
Step 4: Open the /etc/hosts.deny file using a text editor.
Step 5: Type the following rule to deny everyone else:
sshd: ALL
Step 6: Save and exit.
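The six steps above, as an added example that is not part of the original presentation: the script stages the hosts.allow and hosts.deny entries into a directory of your choosing (a temporary directory here, not /etc) and then checks that every daemon granted in hosts.allow has a catch-all deny under the same name, the check that catches a mismatch such as "ssh" in one file and "sshd" in the other. The daemon (sshd), domain (.is418.com) and log path are the slides' values; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the slides): stage TCP Wrapper rules into DIR and
# verify that allow and deny entries use the same daemon name.

# write_wrapper_rules DIR DAEMON DOMAIN LOGFILE
write_wrapper_rules() {
    dir=$1; daemon=$2; domain=$3; log=$4
    # Allow from the domain and log it. The spawn command runs in a shell;
    # the subshell and trailing & stop logging from delaying the connection.
    # %h is tcpd's expansion for the client host name.
    printf '%s: %s: spawn (/bin/echo `/bin/date` %s access granted from %%h >> %s) &\n' \
        "$daemon" "$domain" "$daemon" "$log" >> "$dir/hosts.allow"
    # Deny the same daemon to everyone else (hosts.allow is consulted first,
    # so the domain entry above still wins for is418.com clients).
    printf '%s: ALL\n' "$daemon" >> "$dir/hosts.deny"
}

# check_wrapper_rules DIR: every daemon granted in hosts.allow needs a
# catch-all deny under the same name (or "ALL: ALL") in hosts.deny.
# Prints each mismatch; returns 1 if any was found.
check_wrapper_rules() {
    dir=$1; rc=0
    for d in $(sed -n 's/^\([A-Za-z0-9_.-]*\)[[:space:]]*:.*/\1/p' "$dir/hosts.allow" | sort -u); do
        if ! grep -q -E "^($d|ALL)[[:space:]]*:[[:space:]]*ALL([[:space:]]|$)" "$dir/hosts.deny"; then
            echo "no catch-all deny for '$d': check the daemon name in hosts.deny"
            rc=1
        fi
    done
    return $rc
}

# Stage and verify the rules from the slides without touching /etc.
stage=$(mktemp -d)
write_wrapper_rules "$stage" sshd .is418.com /var/log/sshd.log
check_wrapper_rules "$stage" && echo "staged rules in $stage are consistent"
```

Once the staged files pass the check they can be copied into /etc; the real tcpdmatch(8) utility from the tcp_wrappers package can then be used to test individual client hosts against them.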
EXPLORE: ROLES
Firewall and TCP Wrappers
iptables:
- Add, remove, and edit rules in a packet filter ruleset
- List and flush the rules of a packet filter ruleset
- List counters of packets matched by rules
Netfilter:
- Provides the iptables packet filter in the kernel
- Performs stateless and stateful packet filtering
- Provides network address translation
TCP Wrappers:
- Allow or deny access to an application based on an Internet Protocol (IP) address or hostname
- Allow or deny access to an application based on time
EXPLORE: CONTEXTS
Layered Security for FTP Access
Firewall:
- Protects against unauthorized traffic
- Allows access to FTP from local traffic only
TCP Wrapper:
- Performs specific actions based on a network service running under the xinetd super server
- Sends an e-mail to the administrator when access is granted during nonbusiness hours
SELinux:
- Protects the network service from unauthorized access based on the subject, such as users, applications, or files
- Denies logged-in users access to home directories
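The firewall layer of this FTP scenario, written according to the flush/write/save flow of the Designing a Firewall slide, as an added example that is not part of the original presentation. The rules are produced in iptables-save format so they can be reviewed as text and then loaded atomically with iptables-restore; the local network 192.168.1.0/24 and the SSH administration port are assumed values for this example.

```shell
#!/bin/sh
# Added example (not from the slides): INPUT/OUTPUT/FORWARD rules that allow
# FTP from the local network only, emitted in iptables-save format.
# LAN_NET is a constructed value; override it from the environment.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
FTP_PORT="${FTP_PORT:-21}"

# Print the filter table. Default policies: DROP inbound and forwarded
# traffic, ACCEPT outbound; only loopback, established/related flows, new FTP
# connections from LAN_NET and SSH for administration are let in.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $LAN_NET -p tcp --dport $FTP_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "IPT-DROP: "
COMMIT
EOF
}

# count_chain_rules CHAIN: number of -A rules for CHAIN in a ruleset on stdin.
count_chain_rules() {
    grep -c "^-A $1 " || true
}

# ftp_restricted_to_lan: read a ruleset on stdin; succeed only if every rule
# that accepts traffic to FTP_PORT carries a source restriction to LAN_NET.
# Catches the review mistake of an FTP ACCEPT rule without "-s".
ftp_restricted_to_lan() {
    ! grep -- "--dport $FTP_PORT" | grep -- "-j ACCEPT" | grep -v -- "-s $LAN_NET" | grep -q .
}

# load_ruleset: apply the ruleset (root only); review build_ruleset output first.
# iptables-restore replaces the whole table, i.e. flush and write in one step.
load_ruleset() {
    build_ruleset | iptables-restore
}

# Review the generated rules without loading anything.
build_ruleset
```

Passive-mode FTP data connections are matched by the ESTABLISHED,RELATED rule only when the nf_conntrack_ftp helper is loaded on the host.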
xinetd
xinetd (extended Internet daemon) is an open-source super-server daemon that runs on many Unix-like systems and manages Internet-based connectivity.
EXPLORE: RATIONALE
Importance of Firewalls
- Can be enabled on bastion hosts in addition to existing network firewalls
- Provide a layer of security at the network layer to restrict unauthorized traffic
- Can protect bastion hosts from malicious local network traffic
Importance of TCP Wrappers
- Add a layer of security in addition to firewalls
- Can allow and restrict access to an application based on domain name and time of day
- Can spawn processes such as e-mail notification and logging
Summary
In this presentation, the following concepts were covered:
- SELinux and its commands
- Firewall and TCP Wrappers and their importance
- Process of designing a firewall by using iptables and creating TCP Wrapper rules
- Layered security for FTP access
Assignment
Discussion 6.1: Determining Firewall Rules
Lab 6.2: Apply Hardened Security for Controlling Access