Network and Filesystem Security

Size: px

Start display at page:

Download "Network and Filesystem Security"

Isaac Norman
5 years ago
Views:

1 Network and Filesystem Security Powell Molleti 1

2 Agenda Netfilter and TCP Wrappers for Network Security including SNORT for NIDS and tools for checking network vulnerabilities Filesystem Security with a look at Cryptographic Filesystems along with file integrity checking tools Linux Kernel Security Enhancements, some special patches and introduction to SE Linux. Log Security in Linux. 2

3 Network Security Netfilter The Linux Firewalling Architecture

4 Table of contents Netfilter Architecture Using Netfilter as a Packet Filter Netfilter for Statefull Firewalling and NAT TCP Wrappers for Host based access SNORT as a Network Intrusion Detection System Tools for the Network! 4

5 Netfilter Architecture firewalling for linux Netfilter is a framework for packet mangling, outside the normal Berkley socket interface. In addition to this it has an extensible Network Address Translation(NAT) system and an extensible packet filtering system. Each protocol defines hooks where it calls the Netfilter framework entry calls passing the packet and certain other information. Netfilter is available from 2.4 onwards. 5

6 Netfilter Architecture firewalling for linux [ 1 ] [ ROUTE ] [ 3 ] [ 4 ] Conntrack Mangle NAT (dst) 1: NF_IP_PRE_ROUTING [ 2 ] Filter Conntrack Mangle Mangle Filter [ ROUTE ] [ 5 ] Conntrack Mangle NAT (dst) Filter Mangle NAT (src) Conntrack 2: NF_ IP_LOCAL_IN 3: NF_IP_FORWARD 4: NF_IP_POST_ROUTING 5: NF_IP_LOCAL_OUT 6

7 Table of contents Netfilter Architecture Using Netfilter as a Packet Filter Netfilter for Statefull Firewalling and NAT TCP Wrappers for Host based access SNORT as a Network Intrusion Detection System Tools for the Network! 7

8 Packet filtering with Netfilter firewalling for linux Incoming [ ROUTE ] [ FORWARD chain ] Outgoing [ INPUT chain ] [ ROUTE ] [ OUTPUT chain ] 1: INPUT chain is walked by any packet that is desitned for the box. 2: FORWARD chain is walked by any packet that is desitned for the other network interface. 8 3: OUTPUT chain is walked by any packet that is orginated from the box.

9 Packet filtering with Netfilter firewalling for linux Learning to filter by example : # iptables -L INPUT Chain INPUT (policy ACCEPT) target prot opt source destination # iptables -P INPUT DROP # iptables -A INPUT -s / p tcp dport http -j ACCEPT # iptables -L INPUT Chain INPUT (policy DROP) target prot opt source destination ACCEPT tcp /24 anywhere tcp dpt:http Now the server will get the HTTP requests only from network /

10 Table of contents Netfilter Architecture Using Netfilter as a Packet Filter Netfilter for Statefull Firewalling and NAT TCP Wrappers for Host based access SNORT as a Network Intrusion Detection System Tools for the Network! 10

11 Statefull firewalling with Netfilter with ip_conntrack Netfilter indentifies any connection at a point of time with the following states: NEW, ESTABLISHED, RELATED and INVALID. A typical example usage: Let us say a router has eth0 conntected to external network and eth1 to an internal trusted network. We want to allow any outgoing connection from internal network but disallow any connection from external network to the internal network. # iptables -P FORWARD DROP # iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT # iptables -A FORWARD -i eth1 -m state --state NEW -j ACCEPT # iptables -A FORWARD -i eth0 -m state --state NEW -j DROP 11

12 NAT with Netfilter with iptable_nat Pre Routing D-NAT [ ROUTE ] Post Routing S-NAT [ Local Processes ] Example of Post Routing NAT: ## Change source addresses to # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to ## Change source addresses to , or # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to ## Change source addresses to , ports # iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to : Specific case of Masquerading: ## Masquerade everything out ppp0. # iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE 12

13 NAT with Netfilter with iptable_nat Example of Pre Routing NAT: ## Change destination addresses to # iptables -t nat -A PREROUTING -i eth0 -j DNAT --to ## Change destination addresses to , or # iptables -t nat -A PREROUTING -i eth0 -j DNAT --to ## Change destination addresses of web traffic to , port # iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to :8080 ## Send incoming port-80 web traffic to our squid proxy Transparent Proxy stuff! # iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port

14 Table of contents Netfilter Architecture Using Netfilter as a Packet Filter Netfilter for Statefull Firewalling and NAT TCP Wrappers for Host based access SNORT as a Network Intrusion Detection System Tools for the Network! 14

15 TCP Wrappers for host based access Can be use to monitor incoming request and enforce access control for servers that can be mapped to a single executable. Features: Pattern Based access control Protection against hosts faking host name Protection against hosts faking network address Client user name look up according to RFC

16 TCP Wrappers for host based access Ways To Use: Via INETD Daemon in.fingerd in.fingerd Edit /etc/inetd.conf to replace the server name with /usr/bin/tcpd. Example: modify the string finger stream tcp nowait nobody /usr/bin/in.fingerd <to> finger stream tcp nowait nobody /usr/bin/tcpd Application that have option to enable libwrap.a support can be compiled and directly used. Configuration Files to implement access control : /etc/hosts.allow, /etc/hosts.deny Man pages: hosts_access(5), tcpd(8), host_options(5) 16

17 Table of contents Netfilter Architecture Using Netfilter as a Packet Filter Netfilter for Statefull Firewalling and NAT TCP Wrappers for Host based access SNORT as a Network Intrusion Detection System Tools for the Network! 17

18 Snort The open NIDS Can be used as a packet logger,sniffer, and an intrusion detection tool. Care should be taken on how an IDS should be deployed. Admin has to update the attack signatures manually, tonnes of them are available on The attack can only be reported but cannot be stopped. A stack based IDS is needed for that. 18

19 Table of contents Netfilter Architecture Using Netfilter as a Packet Filter Netfilter for Statefull Firewalling and NAT TCP Wrappers for Host based access SNORT as a Network Intrusion Detection System Tools for the Network! 19

20 Tools for the Network There are many tools available and listed in Nessus is the best comprehensive tool available. Can be used to discovery of known security problems. It is based on client sever architecture. Server maintains all the plug ins installed. Client connects to it via SSL and then downloads the list of available plug-in list. Plug-ins can be written in most any language but usually are written in the Nessus Attack Scripting Language (NASL). New plug-ins for new attack signatures can be downloaded from Existing plug-ins can be update by simply running a script nessus-update-plugins. 20

21 Filesystem Security

22 Table of contents Basic things in Filesystems. Umask and its uses Cryptographic file systems. Integrity checking tools. 22

23 Basic Filesystem Security Using nosuid option in /etc/fstab for partitions that are writable other than root. Using nodev and noexec for parititions such as /var and even /home Keep track of all the SUID/SGID files on the system. 23

24 Table of contents Basic things in Filesystems. Umask and its uses Cryptographic file systems. Integrity checking tools. 24

25 Setting proper umask Is used by open(2) to set initial file permissions on a newly-created file. On creation of file the new permissions will be (permissions) & ~ (umask) 25

26 Table of contents Basic things in Filesystems. Umask and its uses. Cryptographic file systems. Integrity checking tools. 26

27 Cryptographic File systems Loop Back encrypted Filesystem lets look at the steps to setup and use 1. insmod loop.o 2. Add entry to /etc/fstab /dev/loop0 /mnt/crypt ext2 user,noauto,rw,loop Our encrypted filesystem dd if=/dev/urandom of=/etc/cryptfile bs=1m count=10 4. Run this command and set a password losetup -e xor /dev/loop0 /etc/cryptfile 5. create ext2 filesystem and mount it mkfs -t ext2 /dev/loop0 mount -t ext2 /dev/loop0 /mnt/crypt 6. Do what ever you want like creating files etc then unmount and detach it umount /dev/loop0 losetup -d /dev/loop0 27

28 Cryptographic File systems CFS A complete user level implementation 1. It works via loopback NFS mount 2. Commands are cmkdir, cattach, cdetach. TCFS An encrypted filesystem transparent to applications Implementation available for 2.2 and 2.0 kernels only 28

29 Table of contents Basic things in Filesystems. Umask and its uses. Cryptographic file systems. Integrity checking tools. 29

30 Integrity checking tools - Tripwire - It can be setup to periodically verify integrity of the files on the machine and send alerts to the admin. Good to install tripwire at the time of installation of OS. Uses site key to sign the configuration files and a local key to sign the databases. Has wide range of options for checking the files for specific changes. Can be configured to send alert to a specific id for a specific change to a file etc. One can setup a cron job to run it periodically. 30

31 Integrity checking tools - Osiris - (osiris) (osirismd) [ Trusted Host ] (osirisd) [Host1] (osirisd) [Host2] osiris - Management Console Application osirismd Management Console Daemon osirisd Scan agent 31

32 Integrity checking tools - Osiris - All information is kept on Management console machine hence it should be deployed on a trusted host Scan agent is responsible scanning the local filesystem and send the information to the management host The management application is used by admin to manage the details of scanned host. It communicates directly with the management console. 32

33 Kernel Security

34 Table of contents Openwall Patches LIDS Intro to SE Linux 34

35 Openwall - Following are the enhancements provided by patches from openwall project. Non executable user stack area Restricted links and FIFOs in /tmp. Restricted /proc. Enforce RLIMIT_NPROC on execve(2) Destroy shared memory segments not in use. 35

36 Table of contents Openwall Patches LIDS Intro to SE Linux 36

37 Linux Intrusion Detection System (LIDS) - A different frame work to enforce security policies on the system providing Protection, Detection and Response. Protection 1. Protect important files and directories disallowing even root. 2. Protect important processes from being killed. 3. Preventing loading of modules etc. 4. Routing rules protection. 5. Port scan detector in kernel. 6. Disabling sniffer. Reporting the detected intrusion to admin. 37

38 Table of contents Openwall Patches LIDS Intro to SE Linux 38

39 Introduction to SE Linux - Has a very innovative and cleaner design compared to LIDS. Provides a clean separation between policy enforcement code and policy decision making code. Policy decision making code is encapsulated in separate component of the operating system. Policy enforcement code is spread across respective subsystems. 39

40 Syslog Security

41 SDSC Syslog Supports new syslog protocol RFC Implements drafts from ietf syslog charter ( Compatible with older syslog High performance (millions of records per hour) Transport (and store) data in a "forensically-sound" manner. 41

42 Where Is Linux Security Today? Linux can be secure as well as any other OS (with proper patching, configuration and maintainence). Linux has achieved EAL3+ certification. LSM hooks and SE Linux in 2.6 Kernel. Lots of good free security software Snort, Nessus, OpenSSH, OpenSSL, SELinux, Tripwire Lots of good paid software Main distros concerned and handling security well Redhat, SuSE,Mandrake, Turbo.. Secure distributions exist Immunix, Engarde, Trustix, Commercial SE Linux. 42

43 IBM and IBM(logo) are trademarks of International Business Machines Corporation in the United States, other countries, or both. Linux is trademark of Linus Trovalds Other company, product or service names may be trademarks or service marks of others. 43

44 The end Comments and suggestions - powell@in.ibm.com 44

The Research and Application of Firewall based on Netfilter

Available online at www.sciencedirect.com Physics Procedia 25 (2012 ) 1231 1235 2012 International Conference on Solid State Devices and Materials Science The Research and Application of Firewall based