Information Technology Services - PowerPoint PPT Presentation

Slides: 18
Provided by: Perk71

Transcript and Presenter's Notes


1
Information Technology Services
  • Information Technology Services supports QUT's
    vision with leading information technology
    services in partnership with the QUT community.

2
Security Update
  • Barry Lynam
  • Senior Network Engineer - Security

3
Agenda
  • Slapper Worm
  • Tripwire

4
Slapper
  • DISCLAIMER: This is not a criticism of just
    Student Copying and Printing Services. It is a
    criticism of lots of system administrators.
  • This incident is being used as an example that we
    can all learn from.

5
Slapper: What is it?
  • Worm that exploits a bug in the OpenSSL
    implementation of SSLv2 on Linux-based Apache web
    servers.
  • Patches released by:
      • OpenSSL, 30 July 2002,
      • Red Hat, 5 August 2002.
  • Uploads a source file to /tmp and compiles it.
  • The OpenSSL bug affects more than just Apache:
    anything that is compiled/linked against OpenSSL
    0.9.6d or earlier and uses SSLv2.
  • SSLv1, SSLv3 or TLSv1 are OK.
  • Capable of the following attacks:
      • Executing arbitrary commands,
      • Creating TCP floods,
      • Creating DNS floods,
      • Searching for email addresses.
  • Supports IPv4 and IPv6.

6
Slapper: What happened?
  • Monday 23 September
      • Packet loss on the QUT Internet link.
      • SCPS: two infected machines.
      • Parts of the IAS accounting system crashed.
  • Steps to resolve the problem:
      • SCPS:
          • two machines rebuilt,
          • removed from QUT firewall,
          • blocked at QRNO router,
          • blocked by IAS.
      • AARNet and Optus blocked traffic to or from UDP
        ports listed as trojan ports.
  • At least 3 variants.
  • SCPS hosts had to change IP addresses as large
    amounts of traffic were still directed to them.

7
Slapper: Other costs/impacts
  • SCPS
      • IAS 170
      • External clients inconvenienced (downtime), maybe
        SLA agreement costs???
      • Dented reputation.
  • QUT
      • Dented reputation.
      • Same release date as QUT Virtual 2002.
      • Possible uncertainty of problem.

8
Slapper: How to avoid
Patch

9
Make the time to patch
  • Talk to your management to arrange a scheduled
    downtime period.
  • Explain to them the potential problems of not
    having the downtime. Use this as an example.
  • Use ITS maintenance windows as an example. Does
    not have to be at night.

10
Testing patches
  • Work out the risk of applying patches versus not
    applying them.
  • Find out what your vendor does for patches, for
    example:
      • Red Hat backports security patches and never adds
        or changes features, so nothing should break.
      • Microsoft Windows Update separates critical
        updates, recommended updates (enhancements) and
        device driver updates.
  • Find out what the patch fixes. There may be a
    workaround, or it may be part of a feature that
    you don't use.

11
Questions

12
Tripwire
  • Why is it being provided?
  • Security Strategy:
      • People
      • Operations
      • Technology
  • Tripwire is a technology.
  • QUT site licence, costs you nothing.

13
Tripwire
  • What does Tripwire do?
  • Monitors your server for changes to
    files/directories and Windows Registry
    keys/values.
  • Changes can be:
      • Creation, modification, access times,
      • Change in size, or no change,
      • Ownerships,
      • New file in directory,
      • File checksums, various methods.
  • Isn't real-time monitoring.
  • Won't stop changes.
  • But does at least report them.
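
The baseline-and-compare model on this slide, as an added Python sketch (not Tripwire's code and not part of the presentation). The function names, file names and tampering scenario are constructed for illustration; it shows why a checksum is recorded alongside size and times.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def snapshot(root):
    """Record size, mtime, mode, owner and SHA-256 for each regular file under root."""
    state = {}
    for path in Path(root).rglob("*"):
        st = path.lstat()
        if not stat.S_ISREG(st.st_mode):
            continue  # skip directories, symlinks, sockets, devices
        state[str(path.relative_to(root))] = {
            "size": st.st_size, "mtime": st.st_mtime_ns,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid,
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest()}
    return state

def compare(baseline, current):
    """Report differences between two snapshots; nothing is blocked or reverted."""
    report = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            report.append((path, "added"))
        elif new is None:
            report.append((path, "removed"))
        else:
            changed = sorted(k for k in old if old[k] != new[k])
            if changed:
                report.append((path, "changed:" + ",".join(changed)))
    return report

def demo():
    """Constructed scenario: baseline a directory, alter it, then run a check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        conf, page = root / "httpd.conf", root / "index.html"
        conf.write_text("Listen 443\n")
        page.write_text("<h1>ok</h1>\n")
        baseline = snapshot(root)
        before = conf.stat()
        conf.write_text("Listen 444\n")  # same length, different content
        os.utime(conf, ns=(before.st_atime_ns, before.st_mtime_ns))  # times put back
        os.chmod(page, 0o755)  # permission change only
        (root / "dropped.c").write_text("/* new file */\n")  # new file in directory
        return compare(baseline, snapshot(root))
```

The rewritten `httpd.conf` keeps its size and timestamps, so only the checksum reports it. The changes are found when the check runs, not when they happen.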

14
Tripwire
  • Two products:
      • Tripwire Server,
      • Tripwire Manager.
  • Platforms supported:
      • Server:
          • Windows NT/2000/XP,
          • Solaris,
          • Compaq UNIX,
          • HPUX,
          • Linux,
          • FreeBSD,
          • AIX etc.
      • Manager:
          • Windows and Solaris.

15
Tripwire
  • Tripwire Server runs on your servers and monitors
    files.
  • Tripwire Manager is not needed, but makes
    management of Tripwire Server easier, especially
    if you have lots of servers.
  • Communication between Tripwire Server (TWS) and
    Tripwire Manager (TWM) is encrypted and protected.
  • TWS runs an agent that TWM connects to.
  • Notifies of changes via e-mail, SNMP, and syslog.

16
Tripwire
  • Get it from http://net.qut.edu.au/security
  • Click on Tripwire under Host Security.
  • Demo Manager

17
Questions