Security+ Domain 3.0: Implementation cont’d

Filtering packets as they arrive is the primary means of protection. Filtering can be by:

      • IP address
      • Domain name
      • Protocol (TCP, UDP, IP)
      • Port
      • Text-based, by word or phrase

The filtering criteria are called a rule base. This is a chain of rules, with a final “cleanup rule,” is scanned in sequence (“rule base scanning“), with any rejection aborting the packet’s passage into the network. Each rule has an action:

      • Allow
      • Deny (which returns rejection informaion to the sender)
      • Drop (which sends no information back to the sender)The critical action for the network administrator is examining log files, no less than weekly.

Securing File Systems

This is all about restricting user access, primary through Access Control Lists (ACLs).

In Windows

    • NTFS allows file and folder access permissions (though older versions only controlled folder permissions).
    • FAT32 provides no access control
    • Active Directory provides domain-based management (and replaces the older NT Domain model)
    • The Microsoft Management Console (MMC) is a utility that can control almost every aspect of a system.
    • MMC accepts “snap-ins” for expanded functionality
    • The Security Template snap-in organizes security attributes in one screen
    • Groups of computers sharing a security configuration are Group Policy Objects
    • Group Policy Settings define these configurations
    • Domain-based settings, however, cannot be overridden by group policy settings

In Linux

    • Basic file and folder permissions can be controlled at the operating system level
    • Larger networks use domain services and directories:
      • Network Information Service (NIS)
      • Novell Directory Services
      • Sun, Netscape and other directory services

In Windows

    • Pick your tool (MSCT, Nessus, OpenVAS/Greenbone, Retina, etc.) analyze
      • Security settings
      • Application update compliance

In Linux

    • Use update management tools from Red Hat, SuSE and others
    • Stay current with specific product updates for applications and services such as Sendmail, Apache and MySQL, for example

You are personally responsible for staying current with vulnerabilities. Subscribe to security bulletins such as Shavlik Technologies [[email protected]].

    • Tightly configure ACLs
    • Delete sample files
    • Delete sample scripts!
    • Delete unused or obsolete scripts and software
    • Use IPSec, SSL (port 22, TCP and UDP) or HTTPS to encrypt sensitive traffic

Web Servers

    • Web servers (HTTP, port 80, TCP and UDP) should provide only this service
    • Web servers should live in a DMZ, not inside a network’s main firewall
    • Use HTTPS or Secure HTTP (port 443 TCP) to encrypt sensitive traffic

Email Servers

    • E-mail servers should live in a DMZ, not inside a network’s main firewall
    • E-mail servers (POP, port 110, SMTP, port 25) should provide only this service
    • E-mail system administrators must know what an “open relay” is, and must make sure their server is not an open relay
    • Visit www.abuse.net/relay.html and enter the name of your email server, and click “Test for relay” for independent verification

FTP Servers

    • Old-fashioned FTP is highly vulnerable because it passes login names and passwords as unencrypted traffic
    • Turn off Anonymous Login unless it is critical to provide it
    • Set the ACL to read-only whenever possible
    • Limit the number of login attempts
    • Limit the number of sessions

DNS Servers

    • DNS servers are the most potentially toxic servers on the Internet
    • DNS servers update each other through Zone Transfers, which is a major vulnerability
      • DNS servers can be attacked by cache poisoning
      • Prevent this by closing port 53 (used for zone transfers), or
      • Rejecting inbound connections on port 53, or
      • Explicitly designating which servers are trusted to receive zone transfers

File and Print Servers

    • Require authentication for access
    • Let users pause or cancel only their own print jobs
    • Give users ACL permissions to their own folders and files, but no others
    • Whenever possible, allow only read-only access to public folders
    • Give read and write access only for group folders
    • Be very cautious with execute permissions for folders:
      • In Windows, denying execute will prevent software execution
      • In Linux, denying execute will prevent browsing and listing

       

DHCP Servers

    • Disable this service unless you specifically  need it
    • Keep DHCP servers patched

In Windows

    • Active Directory controls domains
    • The Security Accounts Manager (SAM) database controls domain accounts, and must be protected

SQL Server also requires protection from:

    • Buffer overflow attacks
    • Malicious SQL commands (including SQL injection from malicious URL formation)
    • As you version of SQL Server permits, encrypt its data
    • Only the user logged into the local host containing the SQL Server should be allowed full administrative rights

Further Info

bastion.inf

“dsniff is a collection of tools for network auditing and penetration testing.”

BelArc Advisor: Knowing what you’ve got that works

Nessus: Knowing what you’ve got that doesn’t

Don’t forget Ethereal/Wireshark: http://www.wireshark.org/