Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 HEPIX Umeå May 25-29 2009 SECURITY AUDITING OF MAIL SERVICES AT INFN DIY AUDITING Ombretta Pinazza, on behalf of INFN Mailing and Security WG Fulvia.

Published byGervase McCoy Modified over 9 years ago

Similar presentations

Presentation on theme: "1 HEPIX Umeå May 25-29 2009 SECURITY AUDITING OF MAIL SERVICES AT INFN DIY AUDITING Ombretta Pinazza, on behalf of INFN Mailing and Security WG Fulvia."— Presentation transcript:

1 1 HEPIX Umeå May 25-29 2009 SECURITY AUDITING OF MAIL SERVICES AT INFN DIY AUDITING Ombretta Pinazza, on behalf of INFN Mailing and Security WG Fulvia Costa, Francesco Ferrera, Diego Leanza, Alessia Spitaleri Patrizia Belluomo, Franco Brasolin, Roberto Cecchini, Michele Michelotto

2 2 O. Pinazza HEPIX Umeå, May 25-29, 2009 Contents  Project description  Why security auditing  Contingencies and planning  Methodology  From the first phase toward a regular procedure  Results  Security overview  Feedback from the sites  Conclusions

3 3 O. Pinazza HEPIX Umeå, May 25-29, 2009 Why auditing? How?  It’s required by the italian laws for public organizations  As a service for the INFN community  As an opportunity for our working groups  The overall procedure shall be systematic and well documented Policy Audit Evidence Actions Report Assessment

4 4 O. Pinazza HEPIX Umeå, May 25-29, 2009 External/Internal auditing  Professional auditors are extremely expensive  A cross-sites analysis using common parameters could be comparable to an external view  Local admins take care of monitoring and internal auditing UNIBO Ssh, dns, scan mail scan

5 5 O. Pinazza HEPIX Umeå, May 25-29, 2009 Objectives - expectations  Act in advance on emergencies: attacks to DNS, conficker worm, bugs and vulnerabilities  A step toward a common security policy  Feedback from site administrators  First results  Screenshot of the publicly visible services  Identified several misconfigured and vulnerable services

6 6 O. Pinazza HEPIX Umeå, May 25-29, 2009 Phase one  SSH  Vulnerable versions  Filter policies (firewall, bastion hosts, …)  HTTP and HTTPS  PHP and apache vulnerabilities  Several public servers  Unconfigured servers, open DBs, wikis, …  DNS  Root queries  Recursive queries  Vulnerabilities (Debian, …)  Conficker Security Auditing WG

7 7 O. Pinazza HEPIX Umeå, May 25-29, 2009 Mail services  not only OS or software vulnerabilities  check for misconfigured servers, open relays, explicit banners, unauthorized services  dangerous ESMTP features  SMTP AUTH Mailing Auditing WG

8 8 O. Pinazza HEPIX Umeå, May 25-29, 2009 Methodology 1  Define the hosts subset to be analyzed  MX query to all DNS servers to build the list of official mail servers  Nmap scan of all INFN subnets to reveal open “mailing” services  Sys admin indication  Analysis of the mailing services TCL scripts managing the connection and saving the dialog in a file Perl scripts handling ssl and starttls connections Perl scripts parsing output files and recognizing problems  SMTP Banner, exposed information, ESMTP features SMTP/SSL: port 25 or 465, INFN CA or self cert., features STARTTLS (587/tcp) SMTP AUTH

9 9 O. Pinazza HEPIX Umeå, May 25-29, 2009 Methodology 2  The aim is to verify if multiple services are available on the same host  Mailboxes  POP, POPS  IMAP, IMAPS  Other services  HTTP, HTTPS  LDAP  POPPASSD

10 10 O. Pinazza HEPIX Umeå, May 25-29, 2009 Methodology 3  Reporting  Global document with an evaluation of the security level, containing recommendations for the sites, based on common policies  Detailed modular reports on a web site with restricted access  Instructions, help and configuration documents  WIP Needs of an organized database Automatize data collection and analysis, and scan comparison

11 11 O. Pinazza HEPIX Umeå, May 25-29, 2009 Results 1  SSH  3048 server open  High severity problems (Nessus): Scan date Number Nov 2008 89 Dec 2008 55 Jan 2009 59 34 sites (*.infn.it) 151 subnets (B/C/trunks) 110.000 IPs 8.800 scanned

12 12 O. Pinazza HEPIX Umeå, May 25-29, 2009 Results 2 Date Recursive queries Root queries off oknookno Jan 2009 2931??0 Feb 2009 431837244 Mar 2009 521049133  DNS  65 official servers per 34 sites

13 13 O. Pinazza HEPIX Umeå, May 25-29, 2009 Results 3 Scan date web servers total number High severity problems Medium severity problems Low severity or no problems Mar 2008 1193218576399 May 2009 1252199557496  Web (HTTP and HTTPS)

14 14 O. Pinazza HEPIX Umeå, May 25-29, 2009 Results 4 Census2007Census2008Scan2009 Hosts71 * 80 * 150 Avg per site2.73.14.4 * Census: declared by sites admins  Mailing services

15 15 O. Pinazza HEPIX Umeå, May 25-29, 2009 Results 5

16 16 O. Pinazza HEPIX Umeå, May 25-29, 2009 Results 6 34 INFN sites 150Hosts 22 (64%)SMTP AUTH55MX 11 (32%)SMTP/SSL on 46577SMTP Security evaluation of mail services 14 (41%)35 (23%) 7 (21%)10 (7%) 13 (38%)4 (3%) High severity problems (bugged version, open relay, clear text auth, …) Medium severity problems (unconf. web, dangerous ESMTP feat., …) not working (official MX off, wrong IP/name corresp. on DNS, …) ok

17 17 O. Pinazza HEPIX Umeå, May 25-29, 2009 Conclusions  Positive feedback from sites admins:  74% sites have promptly checked their reports  Sent corrections, comments, requests  Several colleagues have intervened immediately to patch and protect their systems  This self made analysis can represent a starting base for an organized auditing procedure  INFN is trying to hire an IT graduate to carry on with the auditing activity

18 18 O. Pinazza HEPIX Umeå, May 25-29, 2009 Thanks  Security auditing group:  Roberto Cecchini, Franco Brasolin, Michele Michelotto, Patrizia Belluomo  Mailing auditing group:  Fulvia Costa, Franco Ferrera, Diego Leanza, Alessia Spitaleri

Download ppt "1 HEPIX Umeå May 25-29 2009 SECURITY AUDITING OF MAIL SERVICES AT INFN DIY AUDITING Ombretta Pinazza, on behalf of INFN Mailing and Security WG Fulvia."

Similar presentations

Security Update Server Registration, Active scanning and Windows patching.

Security Update Server Registration, Active scanning and Windows patching.
 The Citrix Application Firewall prevents security breaches, data loss, and possible unauthorized modifications to Web sites that access sensitive business.

 The Citrix Application Firewall prevents security breaches, data loss, and possible unauthorized modifications to Web sites that access sensitive business.
Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.

Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Web Server Administration TEC 236 Securing the Web Environment.

Web Server Administration TEC 236 Securing the Web Environment.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
Vulnerability Analysis Borrowed from the CLICS group.

Vulnerability Analysis Borrowed from the CLICS group.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
Web Server Administration

Web Server Administration
Beth Johnson April 27, 1998. What is a Firewall Firewall mechanisms are used to control internet access An organization places a firewall at each external.

Beth Johnson April 27, What is a Firewall Firewall mechanisms are used to control internet access An organization places a firewall at each external.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Microsoft Baseline Security Analyzer INLS 187 Security Software Presentation by Hinár György Polczer

Microsoft Baseline Security Analyzer INLS 187 Security Software Presentation by Hinár György Polczer
Information Technology Audit Process Business Practices Seminar Paul Toffenetti, CISA Internal Audit 29 February 2008.

Information Technology Audit Process Business Practices Seminar Paul Toffenetti, CISA Internal Audit 29 February 2008.
1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.

1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.
Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:

Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:
Antispam GARR Michele Michelotto Hepix Karlsruhe, 11 May 2005.

Antispam GARR Michele Michelotto Hepix Karlsruhe, 11 May 2005.
Port Scanning.

Port Scanning.

Similar presentations

Ads by Google