Title: Arthur Petrosyan (arthur_at_sci.am)

1 Network Security Practices for Research and Education Networks
- Arthur Petrosyan (arthur_at_sci.am)
- Academic Scientific Research Network of Armenia (ASNET-AM)
- Institute for Informatics and Automation Problems (IIAP) of the National Academy of Sciences of Armenia (NAS RA)
- www.asnet.am, www.sci.am
2 Outline
- ASNET-AM overview
- Free and OpenSource Software for RENs
- Multiple layer onion approach
- Firewalls
- IDS - Intrusion Detection Systems
- Link-level security (Ssh, ...)
- VPN - virtual tunneling
- Anti-SPAM
- Host security
- TCP Wrappers
- Root Security
- Misc. Security Tips
- Tips to Secure your Apache Web Server
- Security Analysis Tools
- Conclusion
3 Academic Scientific Research Network of Armenia (ASNET-AM)
- Largest REN in Armenia
- Over 10 years of experience in IT Services / Networking
- Distributed network in 4 cities of Armenia
- Complex network infrastructure (fiber, copper, wireless, dial-up)
- Wide range of Internet/Intranet network services
- IT Training / Education
5 Use of Free and Open Source Software (FOSS) for RENs
- Contrary to popular managerial belief, there is a plethora of reliable FOSS (OS, packages, utilities) for establishing, maintaining and monitoring secure systems and networks
- Cost isn't the only reason for using FOSS
- RENs often tend to use FOSS for a number of other reasons (many packages required for Scientific Research are FOSS)
- FOSS and proprietary software can work well together
6 Security issue
- Security issue - Unique to each user/company
- Is never 100%. A complete solution should contain three components (1 - Prevention, 2 - Detection, 3 - Reaction)
- Different platforms, different issues (Cisco, UNIX, Linux, Windows NT/2000/Pro/98/ME/XP/2003, Novell, etc.)
- Nothing is secure in the default out-of-the-box configuration
- Any system/application requires proper configuration
7 The onion approach
- Network security is similar to an onion - both have multiple layers
- Every layer depends on the next layer to provide integrity
- Layered security is best
- Even obscurity is one layer
- The more layers, the better
8 Security Policy
- The core of the security onion is based on having a good security policy
- Good security policy includes:
  - Appropriate OS choice and minimum installation
  - Regular update of all critical programs
  - OS patching
  - Running an anti-virus, anti-spyware
  - Enforcing good password policies...
9 Firewall - first line of network security
Control the flow of information into and out of your network
[Diagram: External Networks (Internet) -> Firewall -> Internal network]
- Hardware firewalls (Cisco, ...)
- Linux/UNIX based firewalls
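What a Linux/UNIX based firewall of the kind the slide mentions looks like in practice, as an added example that is not from the slides: a default-deny, stateful iptables ruleset in iptables-restore format. The internal network (192.168.0.0/16) and the permitted TCP ports are assumptions passed as arguments; the function only prints the rules so they can be reviewed before being loaded.

```shell
#!/bin/sh
# Added example (not from the presentation): generate a minimal border-firewall
# ruleset for Linux iptables. Default policy is DROP on INPUT and FORWARD, then
# explicit exceptions: loopback, established/related traffic, the internal
# network, the listed TCP service ports, rate-limited ping, and logging of the rest.
# Usage: fw_ruleset INTERNAL_NET PORT...   (e.g. fw_ruleset 192.168.0.0/16 22 80 443)
# Apply, after review, with: fw_ruleset ... | iptables-restore

fw_ruleset() {
    internal="$1"; shift
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s $internal -j ACCEPT
EOF
    # one NEW-connection rule per permitted service port (assumed list)
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "FW-DROP: "
COMMIT
EOF
}

# Print the ruleset for a constructed example network and three services.
fw_ruleset 192.168.0.0/16 22 80 443
```

The LOG rule before the implicit DROP is what makes the later "logging is useless without monitoring" slide actionable: dropped connection attempts end up in the kernel log with the FW-DROP: prefix, where a log monitor can see them.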
10 IDS - Intrusion Detection Systems
- IDS - a valuable part of a security scheme
- Burglar alarm system for your network
- Examples
  - Snort - the de facto standard for intrusion detection/prevention
  - DenyHosts - Python script to block SSH server brute force attacks (at ASNET-AM about 500 brute force attacks are blocked monthly)
http://denyhosts.sourceforge.net/
http://www.snort.org/
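The signal DenyHosts acts on, shown as an added example (not DenyHosts' own code and not from the slides): repeated "Failed password" lines from OpenSSH in the authentication log, counted per source address, with offenders above a threshold turned into the hosts.deny line that TCP wrappers understand. The log lines and addresses below are constructed samples; the threshold of 5 is an assumption.

```shell
#!/bin/sh
# Added example (not from the presentation): detect SSH brute-force sources
# from OpenSSH auth.log lines and emit hosts.deny entries for them.

# Constructed sample of /var/log/auth.log (RFC 5737 test addresses).
SAMPLE_AUTH_LOG='May  3 10:01:12 host sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
May  3 10:01:14 host sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
May  3 10:01:15 host sshd[2213]: Failed password for root from 203.0.113.7 port 51124 ssh2
May  3 10:01:17 host sshd[2214]: Failed password for root from 203.0.113.7 port 51125 ssh2
May  3 10:01:19 host sshd[2215]: Failed password for root from 203.0.113.7 port 51126 ssh2
May  3 10:02:01 host sshd[2220]: Accepted publickey for arthur from 192.168.1.20 port 40000 ssh2
May  3 10:02:30 host sshd[2225]: Failed password for arthur from 192.168.1.20 port 40001 ssh2
May  3 10:02:33 host sshd[2225]: Accepted password for arthur from 192.168.1.20 port 40001 ssh2'

# brute_force_sources THRESHOLD  (log on stdin)
# Prints "count ip" for every source with at least THRESHOLD failed password
# attempts, highest count first. A single typo by a legitimate user stays
# below the threshold; a dictionary attack does not.
brute_force_sources() {
    threshold="${1:-5}"
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= t) printf "%d %s\n", fails[ip], ip }
    ' | sort -rn
}

# deny_rule IP -> the /etc/hosts.deny line that blocks IP for sshd via libwrap
deny_rule() { printf 'sshd: %s\n' "$1"; }

# Run over the constructed sample: lists 203.0.113.7 (5 failures), not 192.168.1.20 (1 failure).
printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_sources 5
printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_sources 5 | while read count ip; do deny_rule "$ip"; done
```

On a real host this runs against /var/log/auth.log (or /var/log/secure on Red Hat derivatives) from cron; DenyHosts additionally keeps state across runs and purges old entries, which this illustration does not.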
11 Link-level security
- Network connection encryption
- Ssh instead of Telnet
- Sftp instead of FTP
- Stunnel - Universal SSL Wrapper (encapsulation for POP3, IMAP, LDAP, etc.)
- SSL for HTTP, where needed
12 VPN - virtual tunnelling
- Many VPN realizations exist (PPTP, IPIP, GRE, PPP atop SSH, IPsec, FreeS/WAN, CIPE, etc.)
- VTUN - Simple, effective client-server tunnelling application with a wide spectrum of options
  - IP, Serial (PPP, SLIP), Ethernet, Pipe tunnels, Encryption (BlowFish 128 bits), Compression (zlib, lzo), Traffic shaping, etc.
  - Works both over TCP and UDP
  - Uses the universal TUN/TAP device driver, which is already included in the kernel of most UNIX distributions
http://vtun.sourceforge.net/
13 Anti-SPAM
- Unsolicited junk E-mail messages (SPAM) blocking
- RBLs (Realtime Block List)
- 11 RBLs proved to be effective at ASNET-AM
  - spamcop.net
  - spamhaus.org (sbl, xbl)
  - dsbl.org
  - abuseat.org
  - spambag.org
  - dul.ru
  - ahbl.org
  - njabl.org
  - ordb.org
  - msrbl.net
  - dul.dnsbl.sorbs.net
- Spamassassin (www.spamassassin.org) - highly customizable open source tool
ASNET-AM current result: 95% of Spam is being blocked!
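How a mail server actually consults an RBL, as an added example that is not from the slides: the connecting client's IPv4 address is reversed octet by octet, the RBL zone is appended, and a DNS A query is made; an answer inside 127.0.0.0/8 means "listed". The zones used are the Spamhaus and SORBS zones named on the slide plus bl.spamcop.net (the query zone SpamCop publishes); the client address 203.0.113.9 is a constructed example, and RBL_LOOKUP is a hook of this example so the DNS step can be replaced offline.

```shell
#!/bin/sh
# Added example (not from the presentation): form and interpret DNSBL/RBL
# lookups the way an MTA or Spamassassin does.

# rbl_query_name IP ZONE -> reversed-octet query name, e.g.
#   rbl_query_name 203.0.113.9 sbl.spamhaus.org -> 9.113.0.203.sbl.spamhaus.org
rbl_query_name() {
    printf '%s\n' "$1" | awk -F. -v zone="$2" '{ print $4 "." $3 "." $2 "." $1 "." zone }'
}

# The DNS step. RBL_LOOKUP names the function that performs it; the default
# uses the standard `host` utility (an assumption about the local toolset).
rbl_lookup_dns() { host -t A "$1" 2>/dev/null; }
RBL_LOOKUP="${RBL_LOOKUP:-rbl_lookup_dns}"

# rbl_is_listed IP ZONE -> exit 0 when the zone answers with a 127.x address
# (the DNSBL convention for "listed"), 1 for NXDOMAIN or any other answer.
rbl_is_listed() {
    name=$(rbl_query_name "$1" "$2")
    "$RBL_LOOKUP" "$name" | grep -q 'has address 127\.'
}

# rbl_score IP ZONE... -> number of zones listing IP. A mail server rejects or
# tags the message once this count reaches its configured threshold.
rbl_score() {
    ip="$1"; shift
    n=0
    for zone in "$@"; do
        if rbl_is_listed "$ip" "$zone"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Zones from the slide (SpamCop's query zone is bl.spamcop.net).
ASNET_RBLS="bl.spamcop.net sbl.spamhaus.org xbl.spamhaus.org dul.dnsbl.sorbs.net"

# Example: which query names a mail server would send for one constructed client.
for z in $ASNET_RBLS; do rbl_query_name 203.0.113.9 "$z"; done
```

Two practical caveats the slide's 95% figure depends on: the lookup must run on the connecting SMTP client's address (not on addresses found in Received headers, which the sender controls), and each zone should be checked with an address known to be listed (most DNSBLs reserve 127.0.0.2 as a test entry) before it is trusted to reject mail.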
14 Host security - Basic tools
- A separate security layer is the actual hosts
- Ping/telnet/dig/host/traceroute/whois/netstat
- While there are many complex high-tech tools out there to assist in security auditing, don't forget about the basics!
- Every system administrator should be very familiar with these tools as most of them come with operating systems by default
- Other FOSS tools
  - arpwatch - monitor your ARP tables and notify you if and when a MAC/IP address pairing changes
  - tcpdump, netwatch, iptraf, ettercap, ntop - Realtime Network Protocol Monitors
15 TCP Wrappers
- TCP Wrapper layer to monitor and control a server's incoming TCP traffic on the application level
- Flexible, effective configuration (/etc/hosts.allow, /etc/hosts.deny) - man 5 hosts_access
- TCP wrapper support (also called "libwrap support") is mostly compiled into the sshd binary
- /etc/hosts.allow example
  - sshd: 192.168.
- /etc/hosts.deny example
  - sshd: ALL
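The lookup order that makes the slide's two files work, replayed as an added example (not from the slides, and not libwrap's code): hosts.allow is consulted first and a match grants access, then hosts.deny, and a client matching neither is allowed. The matcher here is deliberately simplified to the forms the slide uses (a daemon name or ALL, and a dotted network prefix such as 192.168. or ALL); the full pattern language is in hosts_access(5).

```shell
#!/bin/sh
# Added example (not from the presentation): simplified replay of the
# hosts_access(5) decision for the slide's own /etc/hosts.allow and /etc/hosts.deny.

# The slide's example files, embedded as constructed text.
HOSTS_ALLOW='sshd: 192.168.'
HOSTS_DENY='sshd: ALL'

# tcpw_match RULES SERVICE CLIENT_IP -> exit 0 if any "daemon: client_list"
# line in RULES matches. Supported client forms: ALL, an exact address, or a
# prefix ending in "." (192.168. matches 192.168.x.y, as in hosts_access(5)).
tcpw_match() {
    printf '%s\n' "$1" | awk -v svc="$2" -v ip="$3" '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        {
            n = split($0, f, ":")
            if (n < 2) next
            d = f[1]; gsub(/^[ \t]+|[ \t]+$/, "", d)
            if (d != "ALL" && d != svc) next   # daemon list does not cover this service
            m = split(f[2], clients, "[ \t,]+")
            for (i = 1; i <= m; i++) {
                c = clients[i]
                if (c == "") continue
                if (c == "ALL") { found = 1; exit }
                if (c == ip) { found = 1; exit }
                if (substr(c, length(c), 1) == "." && index(ip, c) == 1) { found = 1; exit }
            }
        }
        END { exit found ? 0 : 1 }
    '
}

# tcpw_decide SERVICE CLIENT_IP -> ALLOW or DENY, in hosts_access(5) order:
# hosts.allow first (match => allow), then hosts.deny (match => deny), else allow.
tcpw_decide() {
    if tcpw_match "$HOSTS_ALLOW" "$1" "$2"; then echo ALLOW
    elif tcpw_match "$HOSTS_DENY" "$1" "$2"; then echo DENY
    else echo ALLOW
    fi
}

tcpw_decide sshd 192.168.10.5    # ALLOW: hosts.allow "sshd: 192.168." matches
tcpw_decide sshd 203.0.113.7     # DENY:  no allow match, hosts.deny "sshd: ALL"
tcpw_decide in.ftpd 203.0.113.7  # ALLOW: neither file mentions in.ftpd
```

The third call is the caveat worth remembering: with only "sshd: ALL" in hosts.deny, every other wrapped daemon stays open to everyone. A hosts.deny containing "ALL: ALL" turns the scheme into default-deny, after which hosts.allow has to list every permitted daemon/client pair.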
16 Root Security
- No user must login directly as root
- PermitRootLogin no in /etc/ssh/sshd_config
- Administrators must login with their own accounts, and then use su to become root. This ensures accountability.
- A viable alternative to su is the sudo utility, which allows
  - Limited privileges for specified user accounts
  - Actions that can be taken by these accounts
  - Timeout for logged in users, so they have to re-authenticate in order to use sudo
- Set TMOUT Shell Variable (TMOUT=3600 in /etc/profile)
17 Misc. Security Tips
- Keep Network Services at a minimum (turn off unnecessary ports/apps)
- netstat -nlpt to check current open ports/apps
- Restrict access to
  - Mail server (access_db)
  - Proxy server (ACLs)
- Define and configure access to particular Web resources (.htaccess) by Username/Password/IP address (Apache HTTP Server AAA)
- Ensure Strong Passwords at critical servers
- Periodical audit of Users/groups (Remove/Block inactive users)
- Proper File/folder access
- Use of Private IP-networks (RFC 1918: 10., 172.16., 192.168. addressing) for internal networks
- Consider the use of a remote log server - monitor the logs!
- Logging is useless without monitoring
- Regular Backups
18 Example Tips to Secure your Apache Web Server
- Hide your Apache version
  - ServerTokens Prod, ServerSignature Off in httpd.conf
- Disable TRACE and TRACK methods
- Don't store critical data on the WWW server itself if possible (reverse proxy or remote database)
- Consider placing static content on a CD-ROM where possible
- Run Web server on non-standard port where applicable
- Control access to Web server's IP/port on Firewall level
- On dual-homed hosts bind only to required IP address
- Non-trivial directory name for Website CMS part (backend) - http://mywebsite.domain.com/admin - bad choice
- Secure directories by Apache AAA mechanism (.htaccess) where applicable
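A read-only audit of the settings named on the Root Security slide and this Apache slide, as an added example that is not from the slides: PermitRootLogin no in sshd_config, a positive TMOUT in /etc/profile, and ServerTokens Prod, ServerSignature Off and TraceEnable Off in httpd.conf (TraceEnable Off, available since Apache 2.0.55, disables TRACE; TRACK is not an Apache method and on older servers both were refused with a mod_rewrite rule instead, which this audit does not check). File paths are parameters so the audit can run against copies, and the weak and hardened sample files below are constructed.

```shell
#!/bin/sh
# Added example (not from the presentation): audit sshd_config, /etc/profile
# and httpd.conf for the settings recommended on the slides. Nothing is modified.

# directive FILE NAME -> lowercased value of the last uncommented "NAME value"
# line (last one wins, as in sshd_config and httpd.conf); empty if absent.
directive() {
    awk -v name="$2" 'tolower($1) == tolower(name) { v = $2 } END { print tolower(v) }' "$1"
}

# shell_var FILE NAME -> value of the last "NAME=value" or "export NAME=value"
# assignment, for files such as /etc/profile; empty if absent.
shell_var() {
    awk -v name="$2" '
        { line = $0; sub(/^[ \t]+/, "", line); sub(/^export[ \t]+/, "", line)
          if (index(line, name "=") == 1) { v = substr(line, length(name) + 2); sub(/[ \t#].*/, "", v) } }
        END { print v }' "$1"
}

# audit_sshd FILE -> 0 only if root login over SSH is explicitly disabled.
# An absent directive fails on purpose: older OpenSSH defaults to "yes".
audit_sshd() { [ "$(directive "$1" PermitRootLogin)" = "no" ]; }

# audit_tmout FILE -> 0 if TMOUT is set to a positive number of seconds
audit_tmout() {
    t=$(shell_var "$1" TMOUT)
    [ -n "$t" ] && [ "$t" -gt 0 ] 2>/dev/null
}

# audit_httpd FILE -> prints one FAIL line per missing setting; 0 only if all pass
audit_httpd() {
    rc=0
    [ "$(directive "$1" ServerTokens)" = "prod" ]    || { echo "FAIL: ServerTokens Prod"; rc=1; }
    [ "$(directive "$1" ServerSignature)" = "off" ]  || { echo "FAIL: ServerSignature Off"; rc=1; }
    [ "$(directive "$1" TraceEnable)" = "off" ]      || { echo "FAIL: TraceEnable Off"; rc=1; }
    return $rc
}

# Constructed sample files: a weak configuration beside its hardened form.
AUDIT_TMP=$(mktemp -d)
cat > "$AUDIT_TMP/sshd_config.weak" <<'EOF'
Port 22
#PermitRootLogin no
PermitRootLogin yes
EOF
cat > "$AUDIT_TMP/sshd_config.hardened" <<'EOF'
Port 22
PermitRootLogin no
EOF
cat > "$AUDIT_TMP/profile.hardened" <<'EOF'
# log out idle shells after one hour
TMOUT=3600
export TMOUT
EOF
cat > "$AUDIT_TMP/httpd.conf.weak" <<'EOF'
ServerTokens Full
ServerSignature On
EOF
cat > "$AUDIT_TMP/httpd.conf.hardened" <<'EOF'
ServerTokens Prod
ServerSignature Off
TraceEnable Off
EOF

# Run the audit over the samples (on a real host: /etc/ssh/sshd_config,
# /etc/profile and the httpd.conf of the installed Apache).
for f in sshd_config.weak sshd_config.hardened; do
    if audit_sshd "$AUDIT_TMP/$f"; then echo "PASS $f"; else echo "FAIL $f: set PermitRootLogin no"; fi
done
audit_tmout "$AUDIT_TMP/profile.hardened" && echo "PASS profile.hardened: TMOUT=$(shell_var "$AUDIT_TMP/profile.hardened" TMOUT)"
audit_httpd "$AUDIT_TMP/httpd.conf.weak" || echo "FAIL httpd.conf.weak"
audit_httpd "$AUDIT_TMP/httpd.conf.hardened" && echo "PASS httpd.conf.hardened"
```

Checking configuration files is only half of the verification: after changing sshd_config, confirm with an SSH attempt as root that the login is refused, and after changing httpd.conf, check that a response no longer carries the version in its Server header and that a TRACE request is answered with 405. The audit above tells you what the files say; those checks tell you what the running daemons do.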
19 Security Analysis Tools
- New security tools appear on the Internet every day.
- Tools discussed here are a minuscule sample of all that is currently available.
- Applications presented here have withstood the test of time and remain popular and viable security assessment tools today.
- A vigilant system administrator should also download and try many other tools.
- Knowing how these tools work will help to secure systems against attacks.
20 Conclusion
- No one single security measure is a panacea
- A combination of different methods works best
- Nothing is 100% secure
- Always proceed in these three ways
  - Prevention
  - Detection
  - Reaction
- Monitor your network continuously!
21 Arthur Petrosyan (arthur_at_sci.am)
Academic Scientific Research Network of Armenia (ASNET-AM)
www.asnet.am