Download presentation
Presentation is loading. Please wait.
1
System Hardening Borrowed from the CLICS group
2
System Hardening How do we respond to problems? (e.g. operating system deadlock) Detect Detect (Detect and) Terminate (Detect and) Terminate Prevent Prevent Security Analogy Better to prevent than try to clean up Better to prevent than try to clean up
3
System Hardening - Goals Prevent intrusion on a particular system Note: idea can (and should) be applied to network as well Note: idea can (and should) be applied to network as well Two main approaches 1) Develop and ship in hardened state 1) Develop and ship in hardened state 2) Harden after setup 2) Harden after setup
4
Security Certification Levels Department of Defense, Trusted Computer System Evaluation Criteria (TCSEC) Orange book – systems; Red book – systems/networks Levels Class D (minimal protection) Class D (minimal protection) Class C1 (discretionary security protection) Class C1 (discretionary security protection) Class C2 (controlled access protection) Class C2 (controlled access protection) Class B1 (labeled security protection) Class B1 (labeled security protection) Class B2 (structured protection) Class B2 (structured protection) Class B3 (security domains) Class B3 (security domains) Class A1 (verified design) Class A1 (verified design)
5
1) Hardening Before Shipping System architecture should be designed to prevent attacks/intrusion Configured for high security as default Configured for high security as default System programmed defensively System programmed defensively assume any user could be unfriendly System is audited for security problems System is audited for security problems System built to contain known problems System built to contain known problems Examples – Operating System Level OpenBSD ( http://www.openbsd.org ) OpenBSD ( http://www.openbsd.org )http://www.openbsd.org SELinux ( http://www.nsa.gov/selinux ) SELinux ( http://www.nsa.gov/selinux )http://www.nsa.gov/selinux
6
2) Hardening After Delivery Techniques Configuration Configuration Changing system configuration to deal with security issues Wrappers Wrappers Proxy programs that are run in place of actual program, check for certain problems before calling original program (which is moved to a non-public directory)
7
Wrapper Example TCP Wrappers (Linux) Monitors and filters incoming requests for the SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other network services Provides tiny daemon wrapper programs that can be installed without any changes to existing software or to existing configuration files The wrappers report the name of the client host and of the requested service Imposes no overhead on the actual conversation between the client and server applications
8
System Hardening Tools - Linux Example: bastille http://www.bastille-linux.org http://www.bastille-linux.org http://www.bastille-linux.org Script to help automate security changes in a number of areas (file transfer, mail, general configuration) Script to help automate security changes in a number of areas (file transfer, mail, general configuration) Bastille --assessment Bastille --assessment Certain actions still have to be done manually Certain actions still have to be done manually Be careful not to turn off needed services accidentally Be careful not to turn off needed services accidentally E.g. Don’t disallow root access at console unless you have other accounts you can use to gain superuser status
9
System Hardening Tools (Windows) Microsoft Baseline Security Analyzer More accurately a vulnerability analysis tool More accurately a vulnerability analysis tool But notes contain links or information are very useful in system hardening But notes contain links or information are very useful in system hardening Start/Programs/Microsoft Baseline Security Analyzer Start/Programs/Microsoft Baseline Security Analyzer Tools for specific applications E.g. Internet Information Server is weak point E.g. Internet Information Server is weak point IIS Lockdown Tool IIS Lockdown Tool C:\Tools\IISLockD C:\Tools\IISLockD
10
Port/Service Closure - Linux GUI Interface Utilities -> Server Settings -> Services -> Server Settings -> Services Choose run-level (e.g. 3: without X; 5: with X) Choose run-level (e.g. 3: without X; 5: with X) Remove services through checkboxes Remove services through checkboxesManually Directory hierarchy: /etc/rc.d Directory hierarchy: /etc/rc.d Subdirectories for different run-levels, main script directory (init.d)
11
Port/Service Closure - Windows Add and remove services Start/Programs/Administrative Tools/Services Start/Programs/Administrative Tools/Services See processes currently running Task Manager (ctrl-alt-del), Processes tab Task Manager (ctrl-alt-del), Processes tab
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.