Transcript and Presenter's Notes
1
Network Security Practices for Research and
Education Networks
  • Arthur Petrosyan (arthur_at_sci.am)
  • Academic Scientific Research Network of Armenia
    (ASNET-AM)
  • Institute for Informatics and Automation Problems
    (IIAP) of the National Academy of Sciences of
    Armenia (NAS RA)
  • www.asnet.am www.sci.am

2
Outline
  • ASNET-AM overview
  • Free and Open Source Software for RENs
  • Multiple layer onion approach
  • Firewalls
  • IDS -Intrusion Detection Systems
  • Link-level security (SSH, SFTP, Stunnel, SSL)
  • VPN - virtual tunneling
  • Anti-SPAM
  • Host security
  • TCP Wrappers
  • Root Security
  • Misc. Security Tips
  • Tips to Secure your Apache Web Server
  • Security Analysis Tools
  • Conclusion

3
Academic Scientific Research Network of Armenia
(ASNET-AM)
  • Largest REN in Armenia
  • Over 10 years of experience in IT services and
    networking
  • Distributed network in 4 cities of Armenia
  • Complex network infrastructure (fiber, copper,
    wireless, dial-up)
  • Wide range of Internet/Intranet network services
  • IT training and education

4
(No transcript: image-only slide)
5
Use of Free and Open Source Software (FOSS) for
RENs
  • Contrary to popular managerial belief, there is a
    plethora of reliable FOSS (OS, packages,
    utilities) for establishing, maintaining and
    monitoring secure systems and networks
  • Cost isn't the only reason for using FOSS
  • RENs often tend to use FOSS for a number of other
    reasons (many packages required for scientific
    research are FOSS)
  • FOSS and proprietary software can work well
    together

6
Security issue
  • The security issue is unique to each user/company
  • Security is never 100%. A complete solution
    should contain three components (1-Prevention,
    2-Detection, 3-Reaction)
  • Different platforms, different issues (Cisco,
    UNIX, Linux, Windows NT/2000/Pro/98/ME/XP/2003,
    Novell, etc.)
  • Nothing is secure in its default out-of-the-box
    configuration
  • Any system/application requires proper
    configuration

7
The onion approach
  • Network security is similar to an onion - both
    have multiple layers
  • Every layer depends on the next layer to provide
    integrity
  • Layered security is best
  • Even obscurity is one (thin) layer - never the
    only one
  • The more layers, the better

8
Security Policy
  • The core of the security onion is based on having
    good security policy
  • Good security policy includes
  • Appropriate OS choice and minimum installation
  • Regular update of all critical programs
  • OS patching
  • Running an anti-virus, anti-spyware
  • Enforcing good password policies...

9
Firewall - first line of network security
Control the flow of information into and out of
your network
(Diagram: External networks (Internet) -> Firewall
-> Internal network)
  • Hardware firewalls (Cisco, etc.)
  • Linux/UNIX based firewalls

10
IDS - Intrusion Detection Systems
  • IDS - a valuable part of the security scheme
  • A burglar alarm system for your network
  • Examples
  • Snort - the de facto standard for intrusion
    detection/prevention
  • DenyHosts - Python script that blocks SSH server
    brute force attacks by adding the offending
    addresses to /etc/hosts.deny (at ASNET-AM about
    500 brute force attacks are blocked monthly)

http://denyhosts.sourceforge.net/
http://www.snort.org/
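What DenyHosts does, reduced to its core, is count failed sshd logins per source address and write the offenders into hosts.deny. The script below is an added example of that detection step, not DenyHosts' own code: the log lines are constructed for the example (documentation IP ranges, not real ASNET-AM traffic), and the threshold of 3 stands in for DenyHosts' DENY_THRESHOLD_* settings.

```sh
#!/bin/sh
# Added example: DenyHosts-style detection of SSH brute force from sshd log
# lines. The log below is constructed for the example; the IPs are
# documentation ranges, not real attackers.
SAMPLE_LOG='Mar  3 10:01:12 gw sshd[2311]: Failed password for root from 203.0.113.7 port 40022 ssh2
Mar  3 10:01:15 gw sshd[2311]: Failed password for root from 203.0.113.7 port 40023 ssh2
Mar  3 10:01:19 gw sshd[2315]: Failed password for invalid user admin from 203.0.113.7 port 40024 ssh2
Mar  3 10:01:21 gw sshd[2318]: Failed password for invalid user oracle from 203.0.113.7 port 40025 ssh2
Mar  3 10:01:30 gw sshd[2320]: Accepted publickey for arthur from 198.51.100.5 port 51000 ssh2
Mar  3 10:02:02 gw sshd[2330]: Failed password for arthur from 198.51.100.5 port 51002 ssh2
Mar  3 10:05:40 gw sshd[2340]: Failed password for invalid user test from 192.0.2.9 port 33000 ssh2
Mar  3 10:05:41 gw sshd[2341]: Failed password for invalid user test from 192.0.2.9 port 33001 ssh2
Mar  3 10:05:42 gw sshd[2342]: Failed password for invalid user test from 192.0.2.9 port 33002 ssh2'

# brute_force_ips THRESHOLD : read sshd log lines on stdin and print
# "count ip" for every source with at least THRESHOLD failed password
# attempts, most active first. Only "Failed password" lines count, so a
# successful login never contributes to the score.
brute_force_ips() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= t) print fails[ip], ip }
    ' | sort -rn
}

# deny_entries THRESHOLD : turn the offenders into hosts.deny lines, which is
# what DenyHosts appends to /etc/hosts.deny (hosts_access(5) syntax).
deny_entries() {
    brute_force_ips "$1" | awk '{ print "sshd: " $2 }'
}

# Usage: three failures from one address within the log are enough here.
printf '%s\n' "$SAMPLE_LOG" | deny_entries 3
```

The single failure from 198.51.100.5 (a legitimate user mistyping a password) stays below the threshold, which is the point of counting per source rather than reacting to every failed login; in production the counts should also be windowed in time, which DenyHosts does with its purge settings.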
11
Link-level security
  • Encrypt the network connection itself
  • SSH instead of Telnet
  • SFTP (or SCP) instead of FTP
  • Stunnel - universal SSL wrapper (encapsulates
    cleartext protocols such as POP3, IMAP, LDAP,
    etc. in SSL/TLS)
  • SSL for HTTP (HTTPS), where needed

12
VPN - virtual tunnelling
  • Many VPN realizations exist (PPTP, IPIP, GRE, PPP
    atop SSH, IPsec, FreeS/WAN, CIPE, etc.)
  • VTUN - simple, effective client-server tunnelling
    application with a wide spectrum of options
  • IP, serial (PPP, SLIP), Ethernet and pipe tunnels;
    encryption (Blowfish, 128-bit key); compression
    (zlib, lzo); traffic shaping, etc.
  • Works over both TCP and UDP
  • Uses the universal TUN/TAP device driver, which is
    already included in the kernel of most UNIX
    distributions
  • Prefer a tunnel whose cryptography has been
    independently reviewed (IPsec, or an SSH/TLS based
    VPN) where one is available; GRE and IPIP carry no
    encryption at all, and PPTP's authentication is
    known to be weak, so neither should be treated as
    a confidential link on its own

http://vtun.sourceforge.net/
13
Anti-SPAM
  • Blocking of unsolicited junk e-mail messages (SPAM)
  • RBLs (Realtime Blackhole/Block Lists, queried
    over DNS)
  • 11 RBLs proved to be effective at ASNET-AM
  • spamcop.net
  • spamhaus.org (sbl, xbl)
  • dsbl.org
  • abuseat.org
  • spambag.org
  • dul.ru
  • ahbl.org
  • njabl.org
  • ordb.org
  • msrbl.net
  • dul.dnsbl.sorbs.net
  • SpamAssassin (www.spamassassin.org) - highly
    customizable open source tool
  • Several of the lists above have since shut down;
    verify that a list is still operated before
    querying it, since a dead or hijacked zone can
    answer for every address

ASNET-AM current result: 95% of spam is being
blocked!
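An RBL is nothing more than a DNS zone: the MTA (or SpamAssassin) reverses the octets of the connecting address, resolves that name under the list's zone, and reads the answer. The script below is an added example of that exchange written for this page, not code from ASNET-AM or any of the listed projects. The addresses are constructed documentation ranges; the 127.0.0.x return codes are the ones Spamhaus documents for its SBL and XBL zones, and the assumption that other lists use different codes is stated in the comments.

```sh
#!/bin/sh
# Added example: the DNS side of an RBL check. An MTA or SpamAssassin
# reverses the connecting IP's octets under the list's zone and interprets
# the 127.0.0.x answer. IPs are constructed documentation addresses.

# dnsbl_query IP ZONE : the name to resolve for IP in the list ZONE.
dnsbl_query() {
    rev=$(printf '%s' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }')
    printf '%s.%s\n' "$rev" "$2"
}

# dnsbl_verdict ANSWER : decode an A-record answer (empty = NXDOMAIN).
# The codes are the ones Spamhaus documents for its SBL and XBL zones;
# other lists define their own (assumption: consult each list's docs).
dnsbl_verdict() {
    case "$1" in
        '')                    echo "not listed" ;;
        127.0.0.2|127.0.0.3)   echo "listed: SBL (spam source)" ;;
        127.0.0.[4-7])         echo "listed: XBL (exploited or hijacked host)" ;;
        127.0.0.*)             echo "listed: code $1" ;;
        *) echo "unexpected answer $1: list retired, DNS tampered, or wildcarded domain" ;;
    esac
}

# Live lookup (needs the network, so it is not part of the offline check):
#   dnsbl_verdict "$(dig +short "$(dnsbl_query 203.0.113.7 sbl.spamhaus.org)" | head -n 1)"
# RFC 5782 requires a working list to always list 127.0.0.2 and never list
# 127.0.0.1; query both before trusting a list in production.
dnsbl_query 203.0.113.7 sbl.spamhaus.org
dnsbl_verdict 127.0.0.4
```

The last branch of dnsbl_verdict is the practical check behind the slide's caveat: an answer outside 127.0.0.0/8 means the zone is no longer a DNSBL (expired and parked domains often wildcard every name), and a mail server that keeps trusting it will reject all mail.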
14
Host security - Basic tools
  • The hosts themselves are a separate security layer
  • ping/telnet/dig/host/traceroute/whois/netstat:
    while there are many complex high-tech tools out
    there to assist in security auditing, don't
    forget about the basics!
  • Every system administrator should be very
    familiar with these tools, as most of them come
    with the operating system by default
  • Other FOSS tools
  • arpwatch - monitors your ARP tables and notifies
    you if and when a MAC/IP address pairing changes
    (a classic sign of ARP spoofing on the LAN)
  • tcpdump, netwatch, iptraf, ettercap, ntop -
    real-time network protocol monitors

15
TCP Wrappers
  • TCP Wrappers - a layer that monitors and controls
    a server's incoming TCP connections at the
    application level (the daemon consults libwrap
    before it accepts the client)
  • Flexible, effective configuration
    (/etc/hosts.allow, /etc/hosts.deny)
  • man 5 hosts_access
  • TCP wrapper support (also called "libwrap
    support") is usually compiled into the sshd
    binary. Caveat: upstream OpenSSH removed it in
    release 6.7, and only some distributions patch it
    back in; run ldd on the sshd binary and look for
    libwrap, and if it is absent use sshd_config
    Match blocks or the firewall instead
  • /etc/hosts.allow example
  • sshd: 192.168.
  • /etc/hosts.deny example
  • sshd: ALL
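The order in which tcpd/libwrap reads the two files decides what the pair of lines above means: hosts.allow is consulted first, hosts.deny second, and a client that matches neither is allowed. The script below is an added example that re-implements that decision for the slide's rules; it is not tcpd's code. The rule sets are held in constructed strings instead of being read from /etc/hosts.allow and /etc/hosts.deny, and only the pattern forms the slide uses (ALL, a trailing-dot prefix, an exact address) are modelled.

```sh
#!/bin/sh
# Added example: an evaluator for the hosts_access(5) decision the slide's
# two files express. Rules are held in strings (constructed) rather than
# read from /etc/hosts.allow and /etc/hosts.deny so the script runs anywhere.
HOSTS_ALLOW='sshd: 192.168.
ALL: 127.0.0.1'
HOSTS_DENY='sshd: ALL'

# match_pattern PATTERN IP : succeed if a client pattern covers IP. Covers the
# three forms used above: ALL, a network prefix ending in "." (192.168.
# matches 192.168.x.y) and an exact address. hosts_access(5) knows more
# forms (hostnames, netmasks, EXCEPT); they are not modelled here.
match_pattern() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# rules_match RULES DAEMON IP : succeed if any "daemon_list: client_list"
# line in RULES applies to DAEMON and IP. The first matching line wins.
rules_match() {
    rules="$1"; daemon="$2"; ip="$3"
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        daemons=$(printf '%s' "${line%%:*}" | tr ',' ' ')
        clients=$(printf '%s' "${line#*:}" | tr ',' ' ')
        for d in $daemons; do
            [ "$d" = ALL ] || [ "$d" = "$daemon" ] || continue
            for c in $clients; do
                match_pattern "$c" "$ip" && return 0
            done
        done
    done <<EOF
$rules
EOF
    return 1
}

# hosts_access DAEMON IP : the order tcpd/libwrap uses - hosts.allow first,
# then hosts.deny, and ALLOW if neither file matches. That last step is why
# hosts.deny needs an explicit "sshd: ALL" (or "ALL: ALL"): with no deny
# rule the wrapper lets everything through.
hosts_access() {
    if rules_match "$HOSTS_ALLOW" "$1" "$2"; then echo allow
    elif rules_match "$HOSTS_DENY" "$1" "$2"; then echo deny
    else echo allow
    fi
}

hosts_access sshd 192.168.10.5     # LAN client, allowed by hosts.allow
hosts_access sshd 203.0.113.7      # outside client, stopped by hosts.deny
hosts_access imapd 203.0.113.7     # no rule for imapd at all: allowed
```

The third call is the check worth remembering: the slide's hosts.deny only names sshd, so every other wrapped daemon stays open to the world. A deny-by-default configuration ends hosts.deny with ALL: ALL and lists the permitted daemon/client pairs in hosts.allow.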

16
Root Security
  • No user should log in directly as root
  • PermitRootLogin no in /etc/ssh/sshd_config
  • Administrators must log in with their own
    accounts and then use su to become root.
  • This ensures accountability.
  • A viable alternative to su is the sudo utility,
    which allows
  • Limited privileges for specified user accounts
  • Restricting the actions those accounts can take
    (per command, in /etc/sudoers)
  • A timeout, after which users must re-authenticate
    in order to use sudo again
  • Set the TMOUT shell variable (TMOUT=3600 in
    /etc/profile) so that idle shells, root shells
    included, are logged out automatically

17
Misc. Security Tips
  • Keep network services to a minimum (turn off
    unnecessary ports/apps)
  • netstat -nlpt to check the currently open
    ports/apps (ss -nlpt on newer Linux systems)
  • Restrict access to
  • Mail server (access_db)
  • Proxy server (ACLs)
  • Define and configure access to particular Web
    resources (.htaccess) by username/password/IP
    address (Apache HTTP Server AAA)
  • Ensure strong passwords on critical servers
  • Periodic audit of users/groups (remove/block
    inactive users)
  • Proper file/folder access permissions
  • Use of private IP networks (RFC 1918: 10.0.0.0/8,
    172.16.0.0/12, 192.168.0.0/16) for internal
    networks
  • Consider the use of a remote log server, and
    monitor the logs!
  • Logging is useless without monitoring
  • Regular backups
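Reading netstat -nlpt by eye works for one host; for a fleet the check should be a script that compares what is listening against what the host is supposed to offer. The following is an added example of that check, not part of the original slides: the netstat output is a constructed snapshot in the Linux netstat -nlpt layout (ss -nlpt prints its columns differently, so the field positions below are specific to netstat), and the allowed-port list is a hypothetical policy for the example host.

```sh
#!/bin/sh
# Added example: audit listening TCP sockets from netstat -nlpt output.
# The snapshot is constructed; addresses are documentation ranges.
NETSTAT_SNAPSHOT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      990/sendmail
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      655/rpcbind
tcp        0      0 192.0.2.10:80           0.0.0.0:*               LISTEN      1203/httpd
tcp6       0      0 :::3306                 :::*                    LISTEN      1300/mysqld'

# exposed_listeners : read netstat -nlpt output on stdin and print
# "port program" for every TCP listener bound to all interfaces
# (0.0.0.0 or ::), i.e. reachable from outside unless the firewall blocks it.
# Sockets bound to 127.0.0.1 or to one specific address are skipped.
exposed_listeners() {
    awk '$6 == "LISTEN" {
        addr = $4
        port = addr; sub(/.*:/, "", port)                 # text after the last colon
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "0.0.0.0" || host == "::") print port, $7
    }' | sort -n
}

# Hypothetical policy for this host: only SSH and HTTP may face the network.
ALLOWED_PORTS='22 80'

# unexpected_listeners : exposed listeners whose port is not in ALLOWED_PORTS.
unexpected_listeners() {
    exposed_listeners | while read -r port prog; do
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;                                # expected, say nothing
            *) echo "$port $prog" ;;                       # candidate to shut down or firewall
        esac
    done
}

printf '%s\n' "$NETSTAT_SNAPSHOT" | unexpected_listeners
```

In the snapshot, sendmail on 127.0.0.1:25 is fine and httpd bound to one address is what the Apache slide later recommends; rpcbind and MySQL listening on every interface are the findings, and the fix is either to stop the service, bind it to localhost or the internal address, or block the port at the firewall as the slides' onion model suggests.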

18
Example Tips to Secure your Apache Web Server
  • Hide your Apache version
  • ServerTokens Prod and ServerSignature Off in
    httpd.conf
  • Disable the TRACE and TRACK methods (TraceEnable
    Off, available since Apache 1.3.34/2.0.55; older
    versions need a mod_rewrite rule)
  • Don't store critical data on the WWW server
    itself if possible (reverse proxy or remote
    database)
  • Consider placing static content on a CD-ROM
    (read-only media) where possible
  • Run the Web server on a non-standard port where
    applicable
  • Control access to the Web server's IP/port at
    the firewall level
  • On dual-homed hosts bind only to the required IP
    address (Listen directive)
  • Use a non-trivial directory name for the Website
    CMS part (backend) -
    http://mywebsite.domain.com/admin is a bad choice
  • Secure directories by the Apache AAA mechanism
    (.htaccess) where applicable
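The first few tips on this slide are single httpd.conf directives, which makes them easy to verify mechanically. The script below is an added example of such a check, written for this page and not taken from the Apache project: it holds a weak and a hardened configuration fragment (both constructed) and audits whichever it is given for ServerTokens, ServerSignature, TraceEnable and a Listen line bound to one address. The defaults it assumes when a directive is absent (ServerTokens Full, TraceEnable On) are Apache's documented defaults.

```sh
#!/bin/sh
# Added example: audit an httpd.conf against the settings recommended on
# this slide. Both configurations below are constructed for the example.
WEAK_CONF='ServerTokens Full
ServerSignature On
Listen 80
TraceEnable On'

HARDENED_CONF='ServerTokens Prod
ServerSignature Off
TraceEnable Off
Listen 192.0.2.10:443'

# apache_audit : read httpd.conf on stdin; print one finding per directive
# that disagrees with the recommendations and return 1, or return 0 silently
# when the configuration passes. Directive names are matched
# case-insensitively, as Apache matches them.
apache_audit() {
    findings=$(awk '
        { key = tolower($1); val = tolower($2) }
        key == "servertokens"    { seen_tokens = 1; if (val != "prod") print "ServerTokens is " $2 ", want Prod" }
        key == "serversignature" { if (val != "off") print "ServerSignature is " $2 ", want Off" }
        key == "traceenable"     { seen_trace = 1;  if (val != "off") print "TraceEnable is " $2 ", want Off" }
        key == "listen" && $2 !~ /:/ { print "Listen " $2 " binds every address; bind one IP on dual-homed hosts" }
        END {
            # Apache defaults when the directive is absent: Full and On
            if (!seen_tokens) print "ServerTokens not set (default Full reveals the version)"
            if (!seen_trace)  print "TraceEnable not set (default On)"
        }')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

echo "weak configuration:"
printf '%s\n' "$WEAK_CONF" | apache_audit || echo "-> fix before exposing the server"
echo "hardened configuration:"
printf '%s\n' "$HARDENED_CONF" | apache_audit && echo "-> passes"
```

Note that the END block reports directives that are simply missing: a configuration that never mentions TraceEnable still has TRACE enabled, which a grep for "TraceEnable On" would miss. Run the audit against the output of apachectl -S or the merged configuration when directives are spread over included files.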

19
Security Analysis Tools
  • New security tools appear on the Internet every
    day.
  • Tools discussed here are a minuscule sample of
    all that is currently available.
  • Applications presented here have withstood the
    test of time and remain popular and viable
    security assessment tools today.
  • A vigilant system administrator should also
    download and try many other tools.
  • Knowing how these tools work will help to secure
    systems against attacks.

20
Conclusion
  • No one single security measure is a panacea
  • A combination of different methods works best
  • Nothing is 100% secure
  • Always proceed in these three ways
  • Prevention
  • Detection
  • Reaction
  • Monitor your network continuously!

21
  • Thank You!

Arthur Petrosyan (arthur_at_sci.am) Academic
Scientific Research Network of Armenia (ASNET-AM)
www.asnet.am