Implementing Internet Security

Transcription

1 Implementing Internet Security Frederic J. Cooper Chris Goggans John K. Halvey, Larry Hughes / ' Lisa Morgan Karanjit Siyan William Stallings Peter Stephenson 8UB Qattlngen New Riders Publishing lulkala Indianapolis, Indiana NEW RIDERS PUBLISHING

2 IMPLEMENTING INTERNET SECURITY TABLE OF CONTENTS 1 Definition of Security 1 The Times, and Security Requirements, Change 2 What Is Security, Anyway? 3 Implementing Security 7 Layering Security 8 Some Approaches 9 2 Applicable Standards and Principles 13 Department of Defense C2 Principles 14 Security Policy 15 Accountability 18 Assurance 19 Design Documentation 22 Putting C2 in Context with Your Requirements 22 Using the Red Book to Interpret C2 for Networks 24 Security Policy 24 Accountability 26 Assurance 27 Documentation 29 The Generally Accepted System Security Principles (GSSP) 30 The Role of Standards 35 3 Authentication and Authorization 37 Access Control 38 The Authentication Dilemma 40 Monitoring and Control 46 Access Control Subsystems and Secure Single Sign-On 49 Vlll

3 TABLE OF CONTENTS 4 Local Workstation and Networking Holes 55 Prevention 56 Protect the root Account 56 Secure Terminals 56 User Account and Password Management 58 Limit Account Lifetime 58 Choose Secure Passwords 58 Crack Your Own Passwords 59 Implement Shadow Passwords 59 Implement Password Aging 60 Server Filters 60 TCP Wrapper 61 xinetd 63 Network Applications and Services 64 Trusted Hosts 64 sendmail 65 finger 68 Tape Backup and Restore 69 File Transfer Protocol (FTP) 70 tftpd 72 TheXWindow System 72 NFS 74 Detection 75 Observe System Files 75 Monitor User Login Habits 76 Detection Tools 76 Cure. 77 Change the Account Shell 78 Disable Local FTP Access 79 Change the Account Password 79 Expire the Account 79 Disable or Restrict Trusted Host Access 79 Change File Ownerships and Protections...80 Remove Files Owned by the Account 80 IX

4 IMPLEMENTING INTERNET SECURITY 5 Firewalls 81 Firewall Components 82 Screening Routers 83 Identifying Zones of Risk 83 Screening Routers and Firewalls in Relation to the OS1Model 85 Packet Filtering 86 Packet Filtering and Network Policy 86 A Simple Model for Packet Filtering 87 Packet Filter Operations 88 Designing a Packet Filter 90 Packet Filter Rules and Full Associations 95 Dual-Homed Host 97 Compromising the Security ofa Dual-Homed Firewall 100 Services on a Dual-Homed Firewall 101 Bastion Host 101 Simplest Deployment of a Bastion Host 102 Screened Host Gateway 102 Application Level Gateways Secure Transactions: PGP and Kerberos 107 Pretty Good Privacy 108 Public Keys 110 Private Keys Ill Digital Signatures Ill Compression 113 Message Encryption 114 Radix-64Conversion 115 The Order of Operations in PGP 116 Public Key Management 117 PGP Versions 118 Where To Get PGP 119 X

5 TABLE OF CONTENTS Kerberos 119 The Kerberos Protocol 120 Kerberos Realms and Multiple Kerberi 124 Version 4 and Version Performance Issues 126 Kerberos Now Audit Trails 129 Audit Trails under Unix 130 Common Unix Logs 130 Process Accounting 138 Useful Utilities in Auditing 140 Other Reporting Tools Available Online 142 Audit Trails under Windows NT 144 Using the Event Viewer 145 Logging the ftp Server Service 147 Logging httpd Transactions 148 Logging by Other TCP/IP Applications under NT 148 Audit Trails under DOS 149 PC/DACS 149 Watchdog 150 LOCK 150 Using System Logs to Discover Intruders 150 Common Break-In Indications 151 Potential Problems Legal Considerations 155 Electronic Rights: Copyrights Online 156 An Overview of Copyright Law 156 The National Infrastructure Task Force Proposed Changes to the Copyright Act 160 Copyrights on the Internet 161 XI

6 IMPLEMENTING INTERNET SECURITY Freedom of Expression 163 The First Amendment and Its Protection 163 Defamation 166 Privacy 168 Federal and State Law 170 The Electronic Communications Privacy Act 170 The Computer Fraud and Abuse Act 172 State Computer Crime Law 172 Trademark Law and the Internet Internet Commerce 189 Internet Commerce Isn't New 190 Credit Cards 191 Modern Internet Commerce 192 Internet Commerce: What's the Big Deal? 193 Management Issues 194 Threats from Employees and Criminal Hackers 194 VANs and Internet Commerce 195 How Real Is Internet Commerce? 195 How Does Internet Commerce Relate to Existing Financial Systems? 196 How Financial Systems Are Affected by Online Capabilities 196 Internet Commerce Companies and Organizations 196 CommerceNet 197 CyberCash, Inc. 198 DigiCash 199 First Virtual Holdings, Inc. 200 Internet Shopping Network 202 Netscape Communications Corporation 203 Open Market 203 Proprietary Systems 205

7 TABLE OF CONTENTS Digital Cash 206 The Importance of Digital Cash Anonymity 207 How Digital Cash Is Generated 207 The Internet: The First Nation in Cyberspace 208 Digital Checks 209 Blind Signatures An Added Measure of Privacy 209 Digital Signatures 209 Sales, Marketing, and IS 210 Keeping an Eye on Implementation 210 The Role of the Network Manager Improving the Security of Your Site by Breaking Into It 213 Overview 215 Gaining Information 217 Trust 227 Protecting the system 229 Conclusions 230 Appendix A 231 Appendix B 231 Appendix C 232 Appendix D 233 Bibliography 234 Suggested reading 234 A RFC Index List 235 B RFC The Site Security Handbook 273 Contributing Authors Introduction Purpose of thiswork Audience Definitions Related Work Scope 276

8 IMPLEMENTING INTERNET SECURITY 1.6 Why Do We Need Security Policies and Procedures? Basic Approach Organization of this Document Establishing Official Site Policy on Computer Security Brief Overview Risk Assessment Policy Issues What Happens When the Policy is Violated Locking In or Out Interpreting the Policy Publicizing the Policy Establishing Procedures to Prevent Security Problems Security Policy Defines What Needs to be Protected Identifing Possible Problems Choose Controb to Protect Assets in a Cost-Effective Way Use Multiple Strategies to Protect Assets Physical Security Procedures to Recognize Unauthorized Activity Define Actions to Take When Unauthorized Activity is Suspected Communicating Security Policy Resources to Prevent Security Breaches Types of Security Procedures System Security Audits Account Management Procedures Password Management Procedures Configuration Management Procedures 325 XIV

9 5. Incident Handling Overview Evaluation Possible Types ofnotification Response Legal!Investigative Documentation Logs Establishing Post-Incident Procedures Overview Removing Vulnerabilities Capturing Lessons Learned Upgrading Policies and Procedures References Annotated Bibliography Computer Law Computer Security Ethics The Internet Worm National Computer Security Center (NCSC) Security Checklists Additional Publications Acknowledgments 363 " 10. Security Considerations Authors'Addresses 363 Index 365 XV