Title: Securing IT Assets with Linux
Slide 1: Securing IT Assets with Linux
Presented by Matthew Will, Bass Associates, Inc., and Steven Kohrs, Open Source Experts
Slide 2: Security In Today's Internet
- The Internet resources currently available to individuals, businesses, and organizations allow for the innovative exchange of information. However, the widespread storage and transfer of information creates an opportunity for security breaches, even in the most secure systems. It is important to recognize the sources of threat and take educated preventative measures.
- Why is Security Important?
  - Security should be a concern in every situation, whether you're building a network for a small trucking firm or working for NASDAQ as a financial advisor.
  - The Internet is a vast system of information with varying degrees of confidentiality; it is inviting to criminal activity because users may be as anonymous as they want. Internet crime continues to grow, so it is important that security be a serious consideration for every user.
- Statistics About Common Threats
  - CERT/CC (Computer Emergency Response Team Coordination Center): national computer response team that addresses and records security issues; publishes a list of statistics dealing with computer security.
Slide 3: Security In Today's Internet
- Future Potential Security Problems
  - The need for security in the future will be even greater than it is now. Hopefully by then most basic security precautions will be second nature.
  - However, even in the future when higher security measures are taken, new ways will be developed to get around them.
  - There is no guaranteed way to know what the future security concerns will be, only the guarantee that security will always be an issue.
- Futility of Security
  - Security will always be an ongoing process. Security is much like trying to patch holes in a dam. Although some of the water might occasionally leak through, it is important to never stop patching holes: enough holes and the dam falls apart.
  - Always be on the watch for security holes. Monitoring sites can help in this process. Join trusted list services that deal with security problems.
Slide 4: Security In Today's Internet
- Security is Never 100%
  - There is NO way to be completely secure. Skilled crackers can gain entrance to secure systems without leaving a trace.
  - Government agencies, like the CIA and FBI, have been breached before, despite their almost unlimited resources and abilities. Lately the CIA and the FBI have been off-limits for crackers, but this is mainly because of their ability to catch crackers, not because they can prevent them from breaking in.
- Solutions for an Insecure World
  - What should we do to protect ourselves? There are several methods of security planning.
  - Protect a system from inside and outside attacks.
  - Basic protection methods include:
    - set up firewalls to protect networks; set up firewalls behind firewalls
    - set up tripwires to send alerts if an unauthorized person gains access
    - patch those security holes and perform regular backups
    - use encryption when sending/receiving any data
Slide 5: Firewall using IPTABLES
- Without some form of security, a connection between a local network and the Internet is an unrestricted pathway. Users inside the network can use resources outside of the network and vice versa. This accessibility can be beneficial. However, for security, outside access to the network should be restricted, monitored, and controlled. The most common method of controlling the flow of information on a network is through the use of packet filtering programs such as iptables.
- Packet Filtering
  - Data is sent across networks in the form of packets containing information on the packet's origin, destination, and protocol.
  - A packet filter is a program which examines the packets as they enter or leave a system, selectively restricting passage.
Slide 6: Firewall using IPTABLES
- Why filter?
  - Filtering packets increases security.
  - Prevent outsiders from using services on a system.
  - Prevent malicious attacks such as Denial of Service (DoS) and ping flood attacks.
  - Control the flow of information.
  - Prevent internal system users from using certain sites or types of protocols.
Slide 7: Firewall using IPTABLES
- The Rules Chain Concept
  - The most common method used by packet filtering for the organization of the filters is the rules chain. A rule chain contains a listing of each filter, or rule, that has been configured on the local system.
  - Linux uses four main chains:
    - Input: packets traveling to the host
    - Output: packets leaving from the host
    - Forward: packets received by the host that will be forwarded by the host
    - User Defined: a special type of chain created by the user that receives packets from the three main chains for processing
  - Rules chains allow for complex filtering of data entering or leaving a system while making it easy to install and maintain the rules.
Slide 8: Firewall using IPTABLES
- What is iptables?
  - iptables is the building block of a framework inside the Linux kernel. This framework enables packet filtering, network address translation (NAT), network port translation (NPT), and other packet mangling.
  - iptables is a generic table structure for the definition of rulesets. Each rule within an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target).
- What can I do with iptables?
  - build Internet firewalls based on stateless and stateful packet filtering
  - use NAT and masquerading for sharing Internet access
  - use NAT to implement transparent proxies
  - do further packet manipulation (mangling) like altering the bits of the IP header
- http://www.netfilter.org/
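To make the rules-chain concept from the previous slide and the stateless/stateful distinction above concrete, here is an added Python model. It is an illustration written for this page, not netfilter or iptables code: packets walk the INPUT, OUTPUT or FORWARD chain in rule order, the first matching rule decides, a jump into a user-defined chain returns to the caller when nothing there matches, the chain's default policy applies when no rule matches, and a small connection table stands in for the kernel's connection tracking so that replies to the host's own connections match as ESTABLISHED. The chain name "services", the rule set and all addresses (documentation ranges) are constructed for the example.

```python
"""Toy rules-chain packet filter: first-match chains, a user-defined chain,
default policies and a conntrack table for stateful matching.
Added illustration, not netfilter/iptables code."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    chain: str          # built-in chain that sees it: "INPUT", "OUTPUT" or "FORWARD"
    proto: str          # "tcp", "udp", ...
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    target: str                    # "ACCEPT", "DROP", or the name of a user-defined chain
    proto: Optional[str] = None    # classifiers; None means "match anything"
    src: Optional[str] = None      # source network in CIDR notation
    dport: Optional[int] = None
    state: Optional[str] = None    # "NEW" or "ESTABLISHED"


@dataclass
class Firewall:
    policy: dict                                   # built-in chain -> default verdict
    chains: dict = field(default_factory=dict)     # chain name -> ordered list of Rule
    conntrack: set = field(default_factory=set)    # flows already accepted

    @staticmethod
    def _flow(p: Packet):
        # Direction-independent flow key, so a reply matches the flow it belongs to.
        return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    def _state(self, p: Packet) -> str:
        return "ESTABLISHED" if self._flow(p) in self.conntrack else "NEW"

    def _matches(self, r: Rule, p: Packet) -> bool:
        return ((r.proto is None or r.proto == p.proto)
                and (r.src is None
                     or ipaddress.ip_address(p.src) in ipaddress.ip_network(r.src))
                and (r.dport is None or r.dport == p.dport)
                and (r.state is None or r.state == self._state(p)))

    def _walk(self, chain: str, p: Packet) -> Optional[str]:
        """Evaluate rules in order; the first match decides.  A jump into a
        user-defined chain comes back here (like RETURN) when nothing matched."""
        for r in self.chains.get(chain, []):
            if not self._matches(r, p):
                continue
            if r.target in ("ACCEPT", "DROP"):
                return r.target
            verdict = self._walk(r.target, p)
            if verdict is not None:
                return verdict
        return None

    def filter(self, p: Packet) -> str:
        verdict = self._walk(p.chain, p)
        if verdict is None:                 # fell off the end: chain policy applies
            verdict = self.policy[p.chain]
        if verdict == "ACCEPT":             # remember the flow so replies match ESTABLISHED
            self.conntrack.add(self._flow(p))
        return verdict


def build_firewall() -> Firewall:
    """Host firewall for a LAN server: replies to its own connections are let in,
    HTTP is open to everyone, SSH only to the LAN, everything else hits the DROP policy."""
    fw = Firewall(policy={"INPUT": "DROP", "OUTPUT": "ACCEPT", "FORWARD": "DROP"})
    fw.chains["services"] = [                  # hypothetical user-defined chain
        Rule("ACCEPT", proto="tcp", dport=80),
        Rule("ACCEPT", proto="tcp", dport=22, src="192.168.1.0/24"),
    ]
    fw.chains["INPUT"] = [
        Rule("ACCEPT", state="ESTABLISHED"),   # stateful: part of a flow we accepted
        Rule("services", state="NEW"),         # new connections: consult the user chain
    ]
    return fw


def demo() -> list:
    """Push constructed sample packets (documentation address ranges) through the
    firewall and return the verdicts in order."""
    fw = build_firewall()
    packets = [
        Packet("INPUT", "tcp", "203.0.113.5", 51000, "192.168.1.10", 80),     # anyone -> HTTP
        Packet("INPUT", "tcp", "203.0.113.5", 51001, "192.168.1.10", 22),     # outsider -> SSH
        Packet("INPUT", "tcp", "192.168.1.20", 51002, "192.168.1.10", 22),    # LAN host -> SSH
        Packet("OUTPUT", "tcp", "192.168.1.10", 40000, "198.51.100.7", 443),  # server calls out
        Packet("INPUT", "tcp", "198.51.100.7", 443, "192.168.1.10", 40000),   # the reply
        Packet("INPUT", "tcp", "198.51.100.7", 443, "192.168.1.10", 40001),   # unsolicited
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The last two packets show why the stateful match matters: both come from the same remote address and port, but only the one belonging to a flow the host itself opened is accepted; the other falls through the user chain to the INPUT policy and is dropped.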
Slide 9: Snort: An Intrusion Detection System
- Why Use Intrusion Detection?
  - Intrusion detection devices are an integral part of any network. The Internet is constantly evolving, and new vulnerabilities and exploits are found regularly. They provide an additional level of protection to detect the presence of an intruder, and help to provide accountability for the attacker's actions.
- Snort
  - Detects and alerts based on pattern matching for threats including buffer overflows, stealth port scans, CGI attacks, SMB probes and NetBIOS queries, NMAP and other portscanners, well-known backdoors and system vulnerabilities, DDoS clients, and many more.
  - Uses syslog, SMB "WinPopUp" messages, or a file to alert an administrator.
  - Develop new rules quickly once the pattern (attack signature) is known for the vulnerability.
  - Records packets in their human-readable form from the offending IP address in a hierarchical directory structure.
  - Used as a "passive trap" to record the presence of traffic that should not be found on a network, such as NFS or P2P connections.
- http://www.linuxsecurity.com/feature_stories/using-snort.html
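The slide describes Snort as pattern matching plus stateful heuristics (port scans, "passive trap" policy rules). The following Python sketch, added here and not Snort code or Snort's rule language, shows those two detection styles over constructed traffic: content/port signatures of the kind Snort rules express (a NOP sled for the buffer-overflow case, NFS on a segment where it should not appear, a directory-traversal string against a web server) and a port-sweep counter that needs state across packets. Signature ids, alert wording and all addresses are constructed; the alert line imitates Snort's one-line alert layout only for familiarity.

```python
"""Miniature signature-based network IDS in the spirit of Snort: content and
port signatures plus a port-sweep heuristic, run over constructed packets.
Added illustration, not Snort code or Snort rule syntax."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class Signature:
    sid: int
    msg: str
    proto: str = "tcp"
    dport: Optional[int] = None      # None = any destination port
    content: Optional[bytes] = None  # byte pattern that must appear in the payload


@dataclass(frozen=True)
class Alert:
    sid: int
    msg: str
    src: str
    dst: str

    def __str__(self) -> str:
        # One-line alert in the shape administrators know from Snort's alert file
        return f"[**] [1:{self.sid}:1] {self.msg} [**] {self.src} -> {self.dst}"


# Constructed signatures (sids chosen in the 1000000+ range used for local rules).
SIGNATURES = [
    Signature(1000001, "SHELLCODE x86 NOOP sled", content=b"\x90" * 16),
    Signature(1000002, "POLICY NFS traffic on monitored segment", dport=2049),
    Signature(1000003, "WEB-CGI directory traversal attempt", dport=80, content=b"../.."),
]


def match_signatures(p: Packet, sigs=SIGNATURES) -> list:
    """Pattern matching: every signature whose classifiers all match fires."""
    hits = []
    for s in sigs:
        if s.proto != p.proto:
            continue
        if s.dport is not None and s.dport != p.dport:
            continue
        if s.content is not None and s.content not in p.payload:
            continue
        hits.append(Alert(s.sid, s.msg, f"{p.src}:{p.sport}", f"{p.dst}:{p.dport}"))
    return hits


@dataclass
class PortSweepDetector:
    """Stateful heuristic: one source touching many distinct ports on one host."""
    threshold: int = 5
    seen: dict = field(default_factory=dict)   # (src, dst) -> set of dports
    reported: set = field(default_factory=set)

    def observe(self, p: Packet) -> Optional[Alert]:
        key = (p.src, p.dst)
        ports = self.seen.setdefault(key, set())
        ports.add(p.dport)
        if len(ports) >= self.threshold and key not in self.reported:
            self.reported.add(key)   # alert once per pair, not on every further probe
            return Alert(1000100, f"SCAN port sweep ({len(ports)} ports)", p.src, p.dst)
        return None


def run_sensor(packets) -> list:
    """Feed packets through both detectors and return alerts in the order raised."""
    sweeps = PortSweepDetector()
    alerts = []
    for p in packets:
        alerts.extend(match_signatures(p))
        hit = sweeps.observe(p)
        if hit:
            alerts.append(hit)
    return alerts


def sample_packets() -> list:
    """Constructed traffic (documentation address ranges); not a real capture."""
    pkts = [
        Packet("tcp", "203.0.113.9", 4444, "192.168.1.10", 25, b"HELO " + b"\x90" * 32),
        Packet("tcp", "192.168.1.30", 1023, "192.168.1.10", 2049),
        Packet("tcp", "203.0.113.9", 4445, "192.168.1.10", 80,
               b"GET /cgi-bin/../../../secret HTTP/1.0\r\n"),
    ]
    # five probes to different ports from one source: a sweep
    pkts += [Packet("tcp", "203.0.113.77", 60000 + i, "192.168.1.10", port)
             for i, port in enumerate((21, 22, 23, 25, 110))]
    pkts.append(Packet("tcp", "192.168.1.30", 50000, "192.168.1.10", 80,
                       b"GET /index.html HTTP/1.0\r\n"))   # benign request, no alert
    return pkts


if __name__ == "__main__":
    for alert in run_sensor(sample_packets()):
        print(alert)
```

The benign request at the end produces nothing, which is the property worth checking when a new signature is written: a content match that is too short (a single "." instead of "../..") would fire on ordinary traffic and bury the real alerts.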
Slide 10: Snort: An Intrusion Detection System
- Where to Place a Snort System?
  - Its effectiveness depends largely on where on your network Snort runs and how that computer is connected to the rest of your network.
  - Hubs vs. switches: Although switches are better for network efficiency, hubs are better for use with Snort. However, some switches can be configured to echo all traffic to a specific port in addition to sending the data to the destination computer. Consult your switch's documentation to learn if yours can do this. If it can't, you may be limited in your ability to monitor internal traffic.
  - Firewalls: If you put Snort outside of the firewall, it can monitor external attacks on your network, but won't see most internal traffic. If you put Snort behind the firewall, it can monitor internal traffic and attacks that manage to breach the firewall, but not attacks blocked by the firewall.
- http://www.linux-mag.com/2003-05/guru_01.html
Slide 12: Snort: An Intrusion Detection System
- How to keep Snort rules up to date?
  - Oinkmaster
    - Oinkmaster is a simple Perl script released under the BSD license to help you update your Snort 2.0 rules and comment out the unwanted ones after each update. It also has a few other useful features regarding rules management. Oinkmaster will tell you exactly what has changed since the last update, giving you good control of your rules. It is most often used to update the official rules from www.snort.org, but can just as well be used for managing/distributing your homemade rules.
  - What problem does Oinkmaster solve?
    - Since we always want to run the latest and greatest rules, we download the new rules from www.snort.org as soon as they have been updated. Oops: all our customized rules are now overwritten, and we have to do it all over again. This is where Oinkmaster comes in: it will automatically do those boring modifications to the rules that you would usually have to do manually after each update.
- www.snort.org/dl/rules
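The problem the slide describes (a fresh download wiping out local customizations) and the two things Oinkmaster does about it (re-apply local changes, report what changed) are shown in this added Python sketch. It is not Oinkmaster's code and the `disablesid`/`modifysid` parameters only borrow Oinkmaster's vocabulary; the sample rules, sids and the "$HOME_NET $HTTP_PORTS" rewrite are constructed for the example. Rules are keyed by their `sid`, a disabled rule is a rule line commented out with `#`, and the change report compares the previous local file with the merged result so that your own standing modifications do not show up as "modified" on every run.

```python
"""Rule-update merge in the spirit of Oinkmaster: take a fresh upstream rules
file, re-apply local policy (disabled SIDs, regex modifications) and report
what changed against the previous local copy.  Added illustration; not
Oinkmaster's code and not its configuration syntax."""
import re

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
ACTIONS = ("alert", "log", "pass", "drop")


def parse_rules(text: str) -> dict:
    """Map sid -> rule text.  A rule commented out with '#' is still parsed (it is
    a disabled rule, not a comment), so enable/disable is not seen as a change."""
    rules = {}
    for line in text.splitlines():
        rule = line.strip().lstrip("#").strip()
        m = SID_RE.search(rule)
        if m and rule.startswith(ACTIONS):
            rules[int(m.group(1))] = rule
    return rules


def update_rules(old_local: str, new_upstream: str, disablesid=(), modifysid=()):
    """Return (merged_text, report).  modifysid entries are (sid, regex, replacement)."""
    merged_lines, merged = [], {}
    for sid, rule in sorted(parse_rules(new_upstream).items()):
        for target, pattern, repl in modifysid:      # re-apply local edits to the new copy
            if target == sid:
                rule = re.sub(pattern, repl, rule)
        merged[sid] = rule
        merged_lines.append(("# " + rule) if sid in disablesid else rule)
    old = parse_rules(old_local)
    report = {
        "added": sorted(set(merged) - set(old)),
        "removed": sorted(set(old) - set(merged)),
        "modified": sorted(s for s in set(old) & set(merged) if old[s] != merged[s]),
    }
    return "\n".join(merged_lines) + "\n", report


# Constructed sample: the previous local rules file ...
OLD_LOCAL = """\
alert tcp any any -> any 80 (msg:"WEB-MISC test one"; content:"foo"; sid:1000001; rev:1;)
# alert tcp any any -> any 25 (msg:"SMTP noisy rule"; sid:1000002; rev:1;)
alert tcp any any -> any 21 (msg:"FTP old rule"; sid:1000003; rev:1;)
"""
# ... and the freshly downloaded upstream file: 1000001 revised, 1000003 dropped, 1000004 new.
NEW_UPSTREAM = """\
alert tcp any any -> any 80 (msg:"WEB-MISC test one"; content:"foo|00|"; sid:1000001; rev:2;)
alert tcp any any -> any 25 (msg:"SMTP noisy rule"; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"WEB-MISC new rule"; content:"bar"; sid:1000004; rev:1;)
"""
# Local policy: keep the noisy SMTP rule disabled; scope web rules to our own servers.
DISABLE = {1000002}
MODIFY = [(1000004, r"-> any 80", "-> $HOME_NET $HTTP_PORTS")]


def demo():
    return update_rules(OLD_LOCAL, NEW_UPSTREAM, DISABLE, MODIFY)


if __name__ == "__main__":
    text, report = demo()
    print(text)
    print(report)
```

The "modified" list is the part worth reading after every update: a revised upstream rule (here sid 1000001, rev 2) may have changed its content match, and a local modification written against the old text may no longer apply.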
Slide 13: Packet Sniffer - Ethereal
- Network Protocol Analyser
  - capture live IP frames off the wire, or save the capture for later analysis
  - data can be read from Ethernet, PPP, Token-Ring, IEEE 802.11, etc.
  - browse data via a GUI or TTY mode
  - over 500 protocols can be dissected
  - filter data to find exactly what you want
- Monitor the traffic on your network
  - verify misuse of your network by internal users
  - great way to locate attacks by monitoring suspicious activity
- http://www.ethereal.com/
Slide 14: Monitoring Network Integrity with Nmap
- Network Intrusion Detection Systems (NIDS) are one way to maintain network integrity. However, a commercial NIDS can be costly to install and maintain.
- If you can't afford a NIDS, basic network mapping techniques are still beneficial. The best tool for network scanning, also known as port scanning, is the open-source Nmap.
- Nmap performs all sorts of network scans, from simple ping scans to see what hosts on a network are "alive" to more advanced scans by protocol and packet type.
- Nmap is clearly designed to enable rapid pinpointing of hosts vulnerable to attack, and that's exactly its strength.
- Nmap scans a list of target machines and outputs a list of the interesting ports on each.
- Protected areas behind firewalls are frequently left unrestricted. This is folly: most security breaches are inside jobs, and a firewall is no substitute for good host-based security. On a properly secured host, ALL network traffic should be accounted for, incoming and outgoing.
- Periodic nmap scans are a key component of any well-rounded security infrastructure.
- http://www.certcities.com/editorial/columns/story.asp?EditorialsID=109
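"Periodic nmap scans" only pay off if each scan is compared with the last one, so that a port nobody opened on purpose stands out. The Python below is an added example, not part of the slides or of Nmap: it parses two reports written in the shape of Nmap's grepable (`-oG`) output, a saved baseline and a fresh scan, and lists hosts and open ports that appeared or disappeared. The report text, host names and addresses are constructed for the illustration.

```python
"""Periodic scan as an integrity check: parse two nmap "grepable" (-oG) reports,
a saved baseline and a fresh scan, and report every host or open port that
appeared or disappeared.  Added illustration; the report lines below are
constructed in the shape of -oG output, not a real scan."""


def parse_grepable(text: str) -> dict:
    """Map host address -> set of (port, proto, service) for ports in the 'open' state."""
    inventory = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # -oG lines are tab-separated "Key: value" fields
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]             # drop the "(hostname)" part
        ports = inventory.setdefault(host, set())
        for entry in fields.get("Ports", "").split(", "):
            if not entry:
                continue
            # entry layout: port/state/proto/owner/service/rpcinfo/version/
            port, state, proto, _owner, service = entry.split("/")[:5]
            if state == "open":
                ports.add((int(port), proto, service or "unknown"))
    return inventory


def diff_inventory(baseline: dict, current: dict) -> dict:
    """What changed since the baseline; every entry here wants an explanation."""
    report = {
        "new_hosts": sorted(set(current) - set(baseline)),
        "missing_hosts": sorted(set(baseline) - set(current)),
        "opened": [],
        "closed": [],
    }
    for host in sorted(set(baseline) & set(current)):
        for port in sorted(current[host] - baseline[host]):
            report["opened"].append((host, *port))
        for port in sorted(baseline[host] - current[host]):
            report["closed"].append((host, *port))
    return report


# Constructed baseline taken when the hosts were known-good.
BASELINE = """\
# Nmap scan initiated (constructed sample)
Host: 192.168.1.10 (www.lan)\tStatus: Up
Host: 192.168.1.10 (www.lan)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 192.168.1.20 (files.lan)\tStatus: Up
Host: 192.168.1.20 (files.lan)\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///\tIgnored State: closed (998)
"""
# Constructed fresh scan: a new port on .10, telnet retired on .20, an unknown host .30.
CURRENT = """\
Host: 192.168.1.10 (www.lan)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 31337/open/tcp/////\tIgnored State: closed (997)
Host: 192.168.1.20 (files.lan)\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)
Host: 192.168.1.30 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)
"""


def demo() -> dict:
    return diff_inventory(parse_grepable(BASELINE), parse_grepable(CURRENT))


if __name__ == "__main__":
    for key, items in demo().items():
        print(key, items)
```

The "closed" list matters as much as "opened": a service that silently stopped listening is either a planned change that should be recorded in the baseline, or a sign that something replaced or killed it.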
Slide 15: System Monitoring
- Check the Log Files
  - When monitoring a network for possible breaches, the log files are a rich source of data. They provide a vast amount of information concerning login attempts, system messages, and remote access. Using this information, the detection of a break-in and perhaps the subsequent identification of the intruder is possible.
- Security Audits
  - The key elements of network security are the ability to analyze a network for tampering and the correction of vulnerabilities which could possibly invite a breach. There are two types of software and techniques that are available to aid administrators with either issue.
  - One type deals with intruder detection by detecting if a security breach has occurred and whether anything has been altered, moved, or deleted.
  - Another type of security measure is to implement a way of testing a network for security weakness. Ideally, security breaches in the network will not occur at all, and to prevent those breaches, preventive measures are extremely important.
  - Several programs aid a network administrator in both of these types of security analysis.
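As a worked example of "check the log files" for login attempts, the Python below (added here; not from the slides or any named tool) parses sshd authentication lines in syslog format, flags a burst of failed logins from one address inside a time window, and then raises a more serious finding when a login from that same address later succeeds. The log lines, the host name "gw" and all addresses are constructed; the year is assumed because syslog timestamps omit it.

```python
"""Failed-login analysis over sshd syslog lines: flag a burst of failures from
one address and, more important, a successful login from that address shortly
after.  Added illustration with constructed log lines, not a real log."""
import re
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"sshd\[\d+\]:\s+(?P<result>Failed|Accepted)\s+(?P<method>\w+)\s+for\s+"
    r"(?:invalid user\s+)?(?P<user>\S+)\s+from\s+(?P<ip>\S+)\s+port\s+\d+")


@dataclass(frozen=True)
class Event:
    when: datetime
    result: str    # "Failed" or "Accepted"
    method: str    # "password", "publickey", ...
    user: str
    ip: str


@dataclass(frozen=True)
class Finding:
    kind: str
    ip: str
    detail: str


def parse_line(line: str, year: int = 2004):
    """Return an Event for an sshd auth line, or None for lines we do not track."""
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return Event(when, m["result"], m["method"], m["user"], m["ip"])


def analyze(lines, threshold: int = 5, window: int = 60) -> list:
    """Sliding-window burst detection per source address, then correlation of
    later successful logins with the addresses that produced a burst."""
    recent = {}          # ip -> deque of failure timestamps inside the window
    bursting = set()     # addresses that already tripped the threshold
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.result == "Failed":
            q = recent.setdefault(ev.ip, deque())
            q.append(ev.when)
            while q and ev.when - q[0] > timedelta(seconds=window):
                q.popleft()                      # forget failures outside the window
            if len(q) >= threshold and ev.ip not in bursting:
                bursting.add(ev.ip)
                findings.append(Finding("brute_force", ev.ip,
                                        f"{len(q)} failed logins within {window}s"))
        elif ev.ip in bursting:                  # an Accepted line from a noisy source
            findings.append(Finding("login_after_brute_force", ev.ip,
                                    f"{ev.user} accepted via {ev.method} at {ev.when:%H:%M:%S}"))
    return findings


# Constructed sample (documentation address ranges); "gw" is a hypothetical gateway host.
SAMPLE_LOG = """\
Mar  3 10:01:12 gw sshd[2310]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2
Mar  3 10:01:14 gw sshd[2312]: Failed password for root from 203.0.113.9 port 51024 ssh2
Mar  3 10:01:16 gw sshd[2314]: Failed password for root from 203.0.113.9 port 51025 ssh2
Mar  3 10:01:18 gw sshd[2316]: Failed password for invalid user test from 203.0.113.9 port 51026 ssh2
Mar  3 10:01:20 gw sshd[2318]: Failed password for root from 203.0.113.9 port 51027 ssh2
Mar  3 10:01:22 gw sshd[2320]: Failed password for root from 203.0.113.9 port 51028 ssh2
Mar  3 10:02:30 gw sshd[2330]: Accepted password for root from 203.0.113.9 port 51030 ssh2
Mar  3 10:15:00 gw sshd[2400]: Accepted publickey for alice from 192.168.1.20 port 40010 ssh2
Mar  3 10:15:01 gw sshd[2400]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 11:00:02 gw sshd[2500]: Failed password for bob from 192.168.1.25 port 40020 ssh2
""".splitlines()


def demo() -> list:
    return analyze(SAMPLE_LOG)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.kind}: {f.ip} ({f.detail})")
```

The second finding is the one to act on first: a burst of failures on its own is background noise on any Internet-facing host, but a successful password login for root from the same source a minute later is exactly the "subsequent identification of the intruder" the slide talks about. The single failure from bob stays below the threshold and is correctly ignored.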
Slide 16: Nessus
- Nessus is a professional-grade security scanner, but it's a free and 100% customizable one.
- Plug-in architecture. Each security test is written as an external plugin. This way, you can easily add your own tests without having to read the code of the nessusd engine.
- NASL. The Nessus Security Scanner includes NASL (Nessus Attack Scripting Language), a language designed to write security tests easily and quickly. (Security checks can also be written in C.)
- Up-to-date security vulnerability database. We mostly focus on the development of security checks for recent security holes. Our security checks database is updated on a daily basis.
- Client-server architecture. The Nessus Security Scanner is made up of two parts: a server, which performs the attacks, and a client, which is the front-end. You can run the server and the client on different systems. That is, you can audit your whole network from your personal computer, whereas the server performs its attacks from the mainframe which is upstairs.
- Can test an unlimited number of hosts at the same time. Depending on the power of the station you run the Nessus server on, you can test two, ten or forty hosts at the same time.
- Smart service recognition. Nessus does not believe that the target hosts will respect the IANA-assigned port numbers. This means that it will recognize an FTP server running on a non-standard port (31337, say), or a web server running on port 8080.
Slide 17: Nessus
- Nessus
  - Multiple services. Imagine that you run two web servers (or more) on your host, one on port 80 and another on port 8080. When it comes to testing their security, Nessus will test both of them.
  - Tests cooperation. The security tests performed by Nessus cooperate so that nothing useless is done. If your FTP server does not offer anonymous logins, then anonymous-related security checks will not be performed.
  - Complete reports. Nessus will not only tell you what's wrong on your network, but will, most of the time, tell you how to prevent crackers from exploiting the security holes found, and will give you the risk level of each problem found (from Low to Very High).
  - Exportable reports. The Unix client can export Nessus reports as ASCII text, LaTeX, HTML, "spiffy" HTML (with pies and graphs) and an easy-to-parse file format.
  - Full SSL support. Nessus has the ability to test SSLized services such as https, smtps, imaps, and more. You can even supply Nessus with a certificate so that it can integrate into a PKI-fied environment.
  - Smart plugins (optional). Nessus will determine which plugins should or should not be launched against the remote host (for instance, this prevents the testing of Sendmail vulnerabilities against Postfix).
Slide 18: Nessus
- Nessus
  - Non-destructive (optional). If you don't want to take the risk of bringing down services on your network, you can enable the "safe checks" option of Nessus, which will make Nessus rely on banners rather than exploiting real flaws to determine if a vulnerability is present.
- Nessus Plugins
  - Backdoors, CGI abuses, CISCO, Default Unix Accounts, Denial of Service, Finger abuses, Firewalls, FTP, Gain a shell remotely, Gain root remotely, Netware, NIS, Peer-To-Peer File Sharing, Port scanners, Remote file access, RPC, System Settings, SMTP problems, SNMP, Useless services, Windows, Windows User management
  - (There are 2095 plugins in the database, covering 1332 unique CVE ids and 1548 unique Bugtraq IDs)
Slide 19: Intrusion Detection System
- Tripwire
  - What is Tripwire software? Tripwire software is a tool that checks to see what has changed on your system. The program monitors key attributes of files that should not change, including binary signature, size, expected change of size, etc.
  - What is Tripwire used for? Tripwire is originally known as an intrusion detection tool, but can be used for many other purposes such as integrity assurance, change management, policy compliance and more.
  - Does Tripwire keep out intruders? Sadly speaking, no, but the whole essence of this system is to put into place invisible cameras on your system that are completely invisible to the intruder who manages to bypass your existing security framework. Thus Tripwire, running stealthily on your system, just sits and waits for something to go wrong. As soon as a violation occurs it throws a detailed postmortem, having analyzed the crime scenario. Thus Tripwire will help you determine damage to any of your data, whether it is corrupted, what is the extent of damage over the network, what system files have been replaced (possible placement of TROJANS on your system binaries) and in general, the extent of damage.
- http://www.freeos.com/articles/3404/
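The mechanism behind "checks to see what has changed on your system" is a baseline of file attributes compared against a later snapshot. The Python below is an added example of that idea, written for this page and not Tripwire's code or database format: it records a SHA-256 digest, size and permission bits for every file under a root, stores the baseline as JSON, then simulates what an intrusion leaves behind (a replaced binary with changed permissions, an unexpected new file, a deleted file) in a constructed temporary tree and reports the violations. File names and contents are constructed; the database path is hypothetical.

```python
"""File-integrity baseline and check in the spirit of Tripwire: record a hash,
size and permission bits for every file under a root, store the baseline, and
later report what was added, removed or altered.  Added illustration on a
constructed temporary tree; not Tripwire's code or database format."""
import hashlib
import json
import os
import tempfile


def snapshot(root: str) -> dict:
    """relative path -> {"sha256", "size", "mode"} for every regular file under root."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue                     # symlinks and specials are out of scope here
            st = os.lstat(full)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": digest, "size": st.st_size, "mode": st.st_mode & 0o7777}
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Violation report: which files appeared, vanished, or changed which attributes."""
    report = {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": {},
    }
    for path in sorted(set(baseline) & set(current)):
        diffs = sorted(k for k in baseline[path] if baseline[path][k] != current[path][k])
        if diffs:
            report["changed"][path] = diffs
    return report


def _write(root: str, rel: str, data: bytes, mode: int = 0o644) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)
    os.chmod(full, mode)


def demo() -> dict:
    """Build a constructed tree, baseline it to a JSON database kept outside the
    monitored tree (Tripwire signs its database and prefers read-only media for it),
    then simulate an intrusion and run the check."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as dbdir:
        _write(root, "bin/ls", b"original ls binary\n", 0o755)
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "etc/motd", b"authorized use only\n")
        db_path = os.path.join(dbdir, "integrity-db.json")     # hypothetical location
        with open(db_path, "w") as fh:
            json.dump(snapshot(root), fh)
        # Simulated intrusion: replaced binary with new permissions, a new file, a deleted file.
        _write(root, "bin/ls", b"replaced binary with extra bytes\n", 0o700)
        _write(root, "sbin/extra", b"unexpected new file\n", 0o755)
        os.remove(os.path.join(root, "etc/motd"))
        with open(db_path) as fh:
            baseline = json.load(fh)
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Recording more than one attribute is deliberate: a replaced binary that keeps its size and a tampered permission bit on an unchanged file are both caught, and the report says which attribute moved so the postmortem can start from the right question.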
Slide 20: Samba 3.0 Does Windows Even Better
- Enables machines to join an Active Directory domain as a native member and to authenticate users with LDAP and Kerberos. For companies that use Active Directory, these improvements can make a mixed-platform server environment easier to manage: one logon ID for both Windows and Linux systems.
- Its capability as an NT-style primary domain controller offers sites that have held off on deploying Active Directory a strong option for replacing their Windows file and print servers with Linux boxes running Samba, for which they needn't buy client access licenses.
- Samba will maintain user, group and domain security identifiers for businesses that are switching from Windows NT 4.0 domains to Samba domains.
- 'Stacking' VFS (virtual file system) layer allows dynamic checking of file access.
  - Virus scanning, auditing, security.
- SWAT (Samba Web Administration Tool)
  - a Web-based management and setup client that offers a basic interface into the universe of different configuration options for Samba.
- http://www.eweek.com/article2/0,1759,1449497,00.asp?rsDis=Samba_3.0_Does_Windows_Even_Better-Page001-110499
- http://us1.samba.org/samba/ftp/slides/enterprisesamba.pdf
Slide 21: Securing Microsoft Groupware Environments with Linux
- Large portions of many mid- to large-size corporations have based their core IT infrastructure on Microsoft technologies.
- It's much simpler to create malicious code if you only have to worry about one flavor of operating system or mail client or office suite, especially one that facilitates programmatic access either through built-in mechanisms (e.g. macros) or inherent security flaws (e.g. buffer overflows).
- It is this very environment, which was designed to facilitate easy administration, global collaboration and information exchange, that requires the most protection.
- Qmail
  - is a secure, reliable, efficient, simple message transfer agent.
  - Secure: Security isn't just a goal, but an absolute requirement. Mail delivery is critical for users; it cannot be turned off, so it must be completely secure.
  - Reliable: qmail's straight-paper-path philosophy guarantees that a message, once accepted into the system, will never be lost. qmail also supports maildir, a new, super-reliable user mailbox format. Maildirs, unlike mbox files and mh folders, won't be corrupted if the system crashes during delivery.
  - Efficient: qmail can easily sustain 200,000 local messages per day.
Slide 22: Securing Microsoft Groupware Environments with Linux
- Qmail
  - Simple: qmail is vastly smaller than any other Internet MTA. (1) qmail has one simple forwarding mechanism that lets users handle their own mailing lists. (2) qmail-send is instantly triggered by new items in the queue. (3) qmail's design inherently limits the machine load.
  - In short, it's up to speed on modern MTA features.
- Qmail-Scanner
  - an addon that enables a Qmail server to scan all gatewayed email for certain characteristics (i.e. a content scanner).
  - typically used for its anti-virus protection functions, in which case it is used in conjunction with external virus scanners.
  - can be used as an archiving tool for auditing or backup purposes.
  - is integrated into the mail server at a lower level than some other Unix-based virus scanners, resulting in better performance.
  - is capable of scanning not only locally sent/received email, but also email that crosses the server in a relay capacity.
Slide 23: Securing Microsoft Groupware Environments with Linux
- Clam AntiVirus
  - is a GPL anti-virus toolkit for UNIX. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via the Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use with your own software. Most importantly, the virus database is kept up to date.
- SpamAssassin
  - is one of the most well known spam fighting tools in the open source world. It is regularly maintained and updated, works for individual users as well as in site-wide configurations, is highly customizable and integrates with many different mail servers.
- The never-ending battle
  - As your inbox no doubt proves, spammers get smarter every day, virus writers get more clever by the second and users never stop complaining about spam. As a result, you'll need to do regular checks for software updates to qmail, qmail-scanner, ClamAV, and (especially) SpamAssassin.
- http://www.securityfocus.com/infocus/1772
Slide 24: Paros, SPIKE: Fuzzing detection
- Paros
  - is an HTTP/HTTPS proxy for assessing web application vulnerability. It supports editing/viewing HTTP messages on-the-fly with client-certificate, proxy-chaining, filtering and intelligent vulnerability scanning.
  - works on a principle common to the new generation of Web security tools. It runs as a local proxy on your scanning workstation, and all the interaction between your local browser and the target Web server is brokered by the security tool.
  - can capture an outbound query, alter or fuzz it and then send it along to the server.
- SPIKE
  - Automated SQL Injection Detection
  - Web Site Crawling (guaranteed not to crawl sites other than the one being tested)
  - Login form brute forcing
  - Automated overflow detection
  - Automated directory traversal detection
Slide 25: F.I.R.E. - Forensics and Incident Response Environment
- F.I.R.E.
  - is a single CD-ROM Linux distribution geared toward analyzing compromised systems and recovering data from them.
  - can be used either by rebooting the compromised system with the F.I.R.E. CD-ROM or by mounting the CD-ROM in a running but feared-compromised Linux system and running tools directly off the CD.
  - makes it easy to copy data from the compromised system to other hosts on your network.
  - includes the X Window System and a variety of both command-line and X-based security tools (including Nmap and Nessus).
  - can transform an ordinary Windows laptop into an awesome penetration-testing juggernaut.
  - at no extra charge, F.I.R.E.'s major functions can be accessed from a menu system comprehensible even by those of us who aren't full-time computer forensics specialists.
- http://www.linuxjournal.com/article.php?sid=7235
Slide 26: Conclusion
- Don't believe your network cannot be breached. Before making any software or hardware changes you should first answer one question: How will this affect security in this environment?
- Keep up to date on all security technology. Don't let your security model become stagnant. New security holes or leaks are found almost on a daily basis.
- Don't be afraid of Open Source or the products produced from the Open Source community.
- "Open source is not just for hackers. It's a new way of organizing people to create complex products in a knowledge-based economy. Open Source is an alternative way of spurring innovation." Steven Weber, author of The Success of Open Source, Harvard University; "Open Source's Untapped Potential", San Francisco Chronicle, April 19, 2004
Slide 27: Discussion
Thank You for Attending
Slide 28: Links and Additional Information
- Webmin: manage nearly all system services from a web interface - www.webmin.com
- Big Brother: monitor your network from printers to servers right down to a specific service - www.bb4.com
- Netfilter: iptables for Linux - www.netfilter.org
- Tripwire: intruder detection - www.tripwire.org
- Ethereal: packet sniffer utility to monitor network traffic - www.ethereal.com
- SANS Internet Storm Center: cyber threat monitor and alert system - isc.sans.org
Slide 29: Links and Additional Information
- CERT: coordination center of Internet security - www.cert.org
- Linux Security: Linux community for security - www.linuxsecurity.com
- PacketStorm: portal for Linux security information - www.packetstorm.org
- BugTraq: keep informed on bugs - www.bugtraq.org
- Revolution OS: get the story on the open source movement (highly recommended) - www.revolution-os.com
- Snort: Intrusion Detection System - www.snort.com
Slide 30: Links and Additional Information
- Oinkmaster: Snort rules manager / updater - oinkmaster.sourceforge.net
- Nessus: system security scanner - www.nessus.org
- Tripwire: file integrity checker - www.tripwire.org
- Samba: file and printer sharing server - www.samba.org
- qmail: safe and secure Mail Transport Agent (MTA) - www.qmail.org
- qmail-scanner: content scanner for qmail - qmail-scanner.sourceforge.net
Slide 31: Links and Additional Information
- Clam AntiVirus: open source antivirus scanner - www.clamav.net
- SpamAssassin: a mail filter to identify spam - www.spamassassin.org
- Paros: Web application security assessor - www.proofsecure.com
- SPIKE: Web application security assessor - www.immunitysec.com/spikeproxy.html
- F.I.R.E.: Forensics and Incident Response Environment - fire.dmzs.com
Slide 32: Contact Information
Matthew Will
Bass Associates, Inc., A HunTel Company
2027 Dodge Street, Suite 500
Omaha, NE 68102
402.346.1505
mwill_at_bass-inc.com
www.bass-inc.com

Steven L. Kohrs
Open Source Experts, SiLK Enterprises, Inc.
1536 N 105th Street
Omaha, NE 68114
402.498.0457
skohrs_at_opensourceexperts.com
www.OpenSourceExperts.com