Security and Protection - Docènciadocencia.ac.upc.edu/FIB/grau/ASO/files/slides/09... ·...
Security and Protection
René Serral-Gracià, Xavier Martorell-Bofill
Universitat Politècnica de Catalunya (UPC)
May 26, 2014
Introduction About security Security components
Lectures
1 System administration introduction
2 Operating System installation
3 User management
4 Application management
5 System monitoring
6 Filesystem Maintenance
7 Local services
8 Network services
9 Security and Protection
10 Virtualization
R. Serral-Gracià, et. al Security 2
Outline
1 Introduction
  - Goals
2 About security
3 Security components
Goals
Knowledge
- Main aspects of system security
- Local security
- Network security
- Network services security
Abilities
- Installation and execution of security auditing tools, and analysis of their results
Outline
1 Introduction
2 About security
3 Security components
What does security mean?
- Confidentiality: protection against undesired data access
- Integrity: protection against unwanted destruction, modification, or data loss
- Availability: the system must be up and running for legitimate users
- Consistency: avoid unwanted changes to system behavior
- Isolation: avoid unauthorized access by external people (hackers)
Perfect security?
- There is no such thing
  - Even if the machine is down
  - With enough resources (time, money, ...) everything is hackable
  - Natural disasters
- Goal: get a “secure enough” system
  - Secure against automatic attacks (script kiddies)
  - Easy to get back up and running
Security and usability
Normally two sides of the same coin
- Highest security, lowest usability
  - Limited access to services and apps
  - Constant identifications
  - Burdensome to the users
  - Slow and tiring
- More usability means less security
- Too much security can have the opposite effect
  - Users write all their passwords on a post-it
  - Use tools to automate resource access
Goals in attacking a computer
- Get information
- Get/destroy data
- Denial of Service
- Obtain resources
- Use machines as a proxy for other attacks (DDoS)
Some attacks
- Obtain passwords
- Filesystem abuse
- Unexpected parameters
- Buffer overflows
- Race conditions
- Resource abuse
- Trojans, viruses, ...
- Port scanning
- Spoofing: IP, DNS, ARP, ...
- Man-in-the-middle
- Sniffers
- Worms, ...
- Social engineering
- ...
Outline
1 Introduction
2 About security
3 Security components
  - Physical Security (I)
  - Local Security
  - Network Security
Physical Security
- Physical access to the console
  - Reboot with a system disk
  - Data stealing (hard drive, backups)
  - System alteration
  - Computer stealing
- Physical access to network cables
  - Network monitoring
  - Denial of Service
- Physical access to the office
  - Look for passwords below the keyboard!
- Access to destroyed documents
Physical Security (II)
Sometimes it doesn’t take a malicious attack to destroy data
- Accidents: power shortages, fire, ...
- Ambient conditions: temperature, humidity, ...
- Natural catastrophes: hurricanes, earthquakes, ...
- Other: bugs, food, beverages, ...
Sensors, special materials, raised floor, ...
Local Security
Goal: protect against attacks from the users of the system
- Attacker has a non-privileged user account
  - Even a privileged one
- Users willing to escalate privileges
- Protect the system locally before connecting it to the network
Passwords
- Enforce a strong password policy
  - Long passwords (+8 characters)
  - Mix of numbers, letters, and special characters
  - Hard to guess
  - Easy to remember
  - NOT a dictionary word – or variation
- Password expiration policy
  - Be careful, it can become quite annoying
- Check password strength on each change/periodically
- Protect encrypted passwords (/etc/shadow)
Permission and protection
Minimum access policy
- A user should not access a file he/she doesn’t need
- Grant the minimum privileges and assign more on demand
- Grant only group level permissions
- Assign a sensible file creation mask
  - umask 027 (rwx r-x ---), 022 (rwx r-x r-x)
- Be aware of potentially dangerous files
  - With the SetUID bit
  - Holding system configuration
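The effect of the two masks from the slide, and a scan for the SetUID, SetGID and world-writable files it warns about, as an added example that is not part of the original slides. The function names are illustrative and the demo directory (/usr/bin) is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): what a creation mask does, and a scan
# for the permission bits the slide calls potentially dangerous.

# perms_under_umask MASK
# Prints "<file mode> <directory mode>" for objects created under MASK.
# Directories get the modes shown on the slide; regular files are created
# without execute bits, so 027 yields rw-r----- and 022 yields rw-r--r--.
perms_under_umask() {
    (
        umask "$1"
        scratch=$(mktemp -d) || exit 1
        touch "$scratch/file"
        mkdir "$scratch/dir"
        # The first 10 characters of "ls -ld" are the type and rwx triplets.
        file_mode=$(ls -ld "$scratch/file" | cut -c1-10)
        dir_mode=$(ls -ld "$scratch/dir" | cut -c1-10)
        rm -rf "$scratch"
        printf '%s %s\n' "$file_mode" "$dir_mode"
    )
}

# audit_risky_files DIR
# Lists regular files under DIR (same filesystem only) that carry the SetUID
# or SetGID bit, or that any user may write to. One "TAG path" per line.
audit_risky_files() {
    find "$1" -xdev -type f -perm -4000 -print | sed 's/^/SETUID /'
    find "$1" -xdev -type f -perm -2000 -print | sed 's/^/SETGID /'
    find "$1" -xdev -type f -perm -0002 -print | sed 's/^/WORLD-WRITABLE /'
}

# Demo: compare both masks, then list privileged files so they can be
# reviewed against the programs expected to be privileged on this host.
perms_under_umask 027
perms_under_umask 022
audit_risky_files "${1:-/usr/bin}"
```

Every SETUID line that is not a known system program deserves a closer look, since such a file runs with its owner's privileges regardless of who starts it.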
Resource abuse
- Excessive use of resources by a single user
  - CPU/processes
  - Memory
  - Disk
- Set up limits and quotas
  - /etc/security/limits.conf
  - ulimit
  - disk quotas
Filesystem integrity
- Often attackers modify the filesystem to hide the attack
  - Modification of log files
  - Rootkits
- Tools to detect changes in the filesystem
  - Through digital signature of files
- Partitions/devices in read-only mode
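How a change-detection tool of this kind works, reduced to its core, as an added example that is not part of the original slides: it records a SHA-256 digest per file (plain digests rather than signatures, which is a simplification) and later reports what was added, changed or removed. Function names and the demo files are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): hash-based change detection.
# The manifest must live where an intruder cannot rewrite it (read-only
# media or another host) and outside the monitored directory.

# make_baseline DIR MANIFEST: record a SHA-256 digest for every regular file.
make_baseline() {
    ( cd "$1" && find . -xdev -type f -exec sha256sum {} + | sort -k 2 ) > "$2"
}

# check_baseline DIR MANIFEST: print ADDED/CHANGED/REMOVED lines and
# return 1 if the tree differs from the manifest, 0 if it matches.
check_baseline() {
    current=$(mktemp) || return 2
    make_baseline "$1" "$current"
    report=$(awk '
        # sha256sum lines are: 64 hex digits, two separator chars, path.
        { digest = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { old[path] = digest; next }
        !(path in old) { print "ADDED " path }
        (path in old) && old[path] != digest { print "CHANGED " path }
        { seen[path] = 1 }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$2" "$current" | sort)
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Demo on a constructed tree: take a baseline, simulate a wiped log and an
# unexpected new file, then compare.
tree=$(mktemp -d)
manifest=$(mktemp)
printf 'root:x:0:0:root:/root:/bin/sh\n' > "$tree/passwd"
printf 'Dec  4 11:21:00 sshd[812]: session opened\n' > "$tree/auth.log"
make_baseline "$tree" "$manifest"
: > "$tree/auth.log"
printf 'unexpected\n' > "$tree/.hidden"
check_baseline "$tree" "$manifest"
rm -rf "$tree" "$manifest"
```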
System Logs
- May contain information about the attacks
  - Let you know whether a system has been compromised
  - Post-mortem analysis
- Insecure to store them on the same server
  - Better on a remote server
  - Print them?
Local security – Example
tiger: security auditing tool

    $ sudo tiger
    Configuring...
    Will try to check using config for x86_64 running Linux 3.6.8...
    --CONFIG-- [con005c] Using configuration files for Linux 3.6.8. Using
    configuration files for generic Linux 3.
    Tiger security scripts *** 3.2.3, 2008.09.10.09.30 ***
    11:21> Beginning security report for asuso.lomillor.org.
    11:21> Starting file systems scans in background...
    11:21> Checking password files...
    11:21> Checking group files...
    11:21> Checking user accounts...
    11:29> Checking .rhosts files...
    11:29> Checking .netrc files...
    11:29> Checking ttytab, securetty, and login configuration files...
    11:29> Checking PATH settings...
    11:30> Checking anonymous ftp setup...
    11:30> Checking mail aliases...
    11:30> Checking cron entries...
    11:30> Checking services configuration...
    11:30> Checking NFS export entries...
    11:30> Checking permissions and ownership of system files...
    11:30> Checking for indications of break-in...
    11:30> Performing rootkit checks...
    11:37> Performing system specific checks...
    12:12> Performing root directory checks...
    12:12> Checking for secure backup devices...
    12:12> Checking for the presence of log files...
    12:12> Checking for the setting of user's umask...
    12:12> Checking for listening processes...
    12:12> Checking SSHD's configuration...
    12:12> Checking the printers control file...
    12:12> Checking ftpusers configuration...
    12:12> Checking NTP configuration...
    12:12> Waiting for filesystems scans to complete...
    12:12> Filesystems scans completed...
    12:12> Performing check of embedded pathnames...
    12:14> Security report completed for asuso.lomillor.org.
    Security report is in /var/log/tiger/security.report.hostname.121204-11:21
Exercise
Which issues might arise if an attacker modifies the environment variables (e.g., PATH)?
Network Security
Goal: Protect against attacks coming from the outside
Aimed at:
- The services we are offering
- The network itself
- The information our servers are keeping
Network Security
- Mandatory to use firewalls
- Two level security: Protected vs DMZ
[Figure: network diagram; labels: Public services (HTTP, SMTP), Private network]
Offered services
Security level depends on the offered services
- System and user information
  - finger, rdate, rusers, ...
- Remote login and connection
  - telnet, rlogin, rsh, ...
- File and data sharing
  - NFS, Samba, LDAP, FTP, HTTP, ...
Network security
Minimum access policy
- Disable all the services
  - Or even uninstall them
- Enable only the required services
  - and limit the access only to current users
- Validate the configuration of the installed services
  - Even if disabled
Network security
Monitor the activity of the installed services
nmap: list running services

    $ nmap 10.1.1.1

    Starting Nmap 6.00 ( http://nmap.org ) at 2012-12-04 12:03 CET
    Nmap scan report for 10.1.1.1 (10.1.1.1)
    Host is up (0.00031s latency).
    Not shown: 989 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    25/tcp   open  smtp
    111/tcp  open  rpcbind
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    631/tcp  open  ipp
    2049/tcp open  nfs
    3306/tcp open  mysql
    5900/tcp open  vnc
    8080/tcp open  http-proxy
    9090/tcp open  zeus-admin
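One way to turn such a report into a check of the "enable only the required services" policy, as an added example that is not part of the original slides: a saved nmap report is compared against an allowlist of ports the host is meant to offer. The allowlist (SSH and SMTP only) and the function names are assumptions; the port table is the one shown above.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): flag open ports that are not part of
# the intended service set of a host you administer.

# unexpected_services ALLOWLIST REPORT
#   ALLOWLIST: one "port/proto" per line, "#" starts a comment.
#   REPORT:    normal nmap output (e.g. saved with: nmap 10.1.1.1 > report.txt)
# Prints "port/proto service" for each open port missing from the allowlist
# and returns 1 if there is at least one, 0 otherwise.
unexpected_services() {
    found=$(awk '
        FILENAME == ARGV[1] { sub(/#.*/, ""); if ($1 != "") allowed[$1] = 1; next }
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" && !($1 in allowed) { print $1, $3 }
    ' "$1" "$2")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# write_sample_report FILE: the scan result from the slide, embedded so the
# example runs offline.
write_sample_report() {
    cat > "$1" <<'EOF'
Nmap scan report for 10.1.1.1 (10.1.1.1)
Host is up (0.00031s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
631/tcp  open  ipp
2049/tcp open  nfs
3306/tcp open  mysql
5900/tcp open  vnc
8080/tcp open  http-proxy
9090/tcp open  zeus-admin
EOF
}

# Demo with the assumed policy: only SSH and SMTP should be reachable.
report_file=$(mktemp)
allow_file=$(mktemp)
write_sample_report "$report_file"
printf '22/tcp   # ssh\n25/tcp   # smtp\n' > "$allow_file"
unexpected_services "$allow_file" "$report_file"
rm -f "$report_file" "$allow_file"
```

Each reported line is a service to disable, uninstall, or restrict with the firewall, or to add to the allowlist once it is justified.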
Limit access to the services
- Who has access to what services?
- How to validate user identity
  - Through IP addresses? → IP spoofing
  - Reverse DNS → DNS spoofing
  - User level – authentication, digital certificates, ...
- Service forwarding

      ssh -R 12443:10.1.1.10:443 [email protected]
      ssh -L 443:gw.ac.upc.edu:12443 [email protected]

- Kerberos
Kerberos
Protocol used for network authentication
- Based on secret key cryptography (password)
- Kerberos server is used as identity proof
  - Client contacts Key Distribution Center for a ticket
  - KDC encrypts a ticket using client’s passwd
  - Client gets the ticket
- The ticket enables access to specific services
- Transparent for the user
Intrusion Detection Systems (IDS)
- Network based
  - Traffic analysis to search for attacks
- Host based
  - System activity to search for attacks
  - logs, filesystem, ...
Security through obscurity
- Not a very good security policy
  - Offers a false sense of security
- Added security on an already secured environment
- Examples
  - Change web server version
  - Change default ports for applications
Contingency plan
Action protocol in case of system failure
- What to do?
- Who to notify? Using which information?
- It must be defined for each failure
  - Service failure
  - Hardware failure
  - Data center collapsing
- Do simulations to prove its usefulness
- According to company policies
Security tools
- Local system configuration
  - titan
  - tiger
- Network system configuration
  - nmap
  - nessus
- IDS
  - tripwire
  - snort
  - logcheck
Some advice
- Never be overconfident
  - There is always someone smarter
- Be somewhat paranoid
- Be prepared for the worst
  - Backups
  - Virtualization
- Run attacks against your systems
  - Better yet from the outside
- Be up to date
  - Security evolves constantly
  - Security forums, newsletters, ...
Activity
For the network seen at the end of the Network topic, indicate:
- Where you would place the firewall(s)
- What considerations you would take into account when configuring them
[Network diagram; labels: Internet, Server 1, Server 2, Client 1, Client 10, Client 11, Client 25]
Activity
Questions
- Indicate whether you would buy any additional equipment besides the network equipment above
- Distribute the services among all the servers
- Indicate where you would install the firewall(s) and which criteria you would follow to configure them