General Unix Security Issues
June 11, 2003
Ryan Bradetich
ryan.bradetich@hp.com
(page 1)
What is Security?
Security is a process,
not a product.
(page 2)
Host Security Layers
- Perimeter defense
  - Keep unauthorized users off the system.
  - Limit exposure and resources consumed by unauthorized users.
- Inside the Perimeter
  - Protection against insider misuse.
  - Provide protection after the perimeter has been breached.
(page 3)
Potential threats to the Perimeter
- Modems/Serial/Other Access
(page 4)
Physical Threats
- Boot into single user mode.
  - Boot Passwords
    - Linux - LILO, Grub, sulogin
    - HP-UX - HP-UX trusted mode
- Change the boot device.
  - Firmware Passwords
    - IA-32 - BIOS password
    - HP-UX - PDC password
- Put the hard drive in a different computer (steal the computer).
  - Anti-theft Devices
    - TheftGuard(TM)
    - Encrypted hard drives
    - Tamperproof hardware
(page 5)
Remote Console Threats
- Often overlooked/forgotten about when reviewing system security.
- Transport protocol is often not encrypted.
  - Plain text.
  - HTML / Java based.
- Usually have poor authentication/authorization methods.
  - Password based.
  - Trivial encryption schemes.
- Usually requires additional infrastructure to secure.
  - Private console subnet(s).
  - Jump-point (or ACL) access to console subnet(s).
(page 6)
Network (IP) Threats
Before delving into the technical details of securing the network access, step back and look at the big picture.
- What is the relevant network topology?
  - Who needs to talk to this host?
  - Who does this host need to talk to?
  - What risk does this host add to the rest of the network?
- What is the function of this host?
  - What applications are essential to run on this host?
  - Can some of the services be re-directed or replaced if needed?
  - What privileges do the applications need? Why?
(page 7)
Network Tools
Standard tools for assessing the initial threat.
- netstat - Standard Unix tool to display network connections and state.
- lsof - A useful tool that displays a listing of all the open files. Often used to determine which program is associated with a listening port.
- nmap - Outside (third party) scan of the box. Useful for showing what the outside intruder would see.
(page 8)
Example netstat output
$ netstat -an --inet
tcp 0 0 127.0.0.1:1971 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
udp 0 0 127.0.0.1:53 0.0.0.0:*
udp 0 0 192.151.81.14:123 0.0.0.0:*
udp 0 0 127.0.0.1:123 0.0.0.0:*
udp 0 0 0.0.0.0:123 0.0.0.0:*
(page 9)
Example 1 using LSOF
$ lsof -ni TCP:953
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
named 410 root 13u IPv4 763 TCP 127.0.0.1:953 (LISTEN)
named 411 root 13u IPv4 763 TCP 127.0.0.1:953 (LISTEN)
named 412 root 13u IPv4 763 TCP 127.0.0.1:953 (LISTEN)
named 413 root 13u IPv4 763 TCP 127.0.0.1:953 (LISTEN)
named 414 root 13u IPv4 763 TCP 127.0.0.1:953 (LISTEN)
(page 10)
Example 2 using LSOF
$ lsof -p 410
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
named 410 root cwd DIR 58,1 4096 144290 /var/cache/bind
named 410 root rtd DIR 9,2 4096 2 /
named 410 root txt REG 58,2 244952 96392 /usr/sbin/named
(page 11)
Example Nmap Output
$ nmap -sT -O -P0 -n 10.0.0.1
Starting nmap V. 3.10ALPHA4 ( www.insecure.org/nmap/ )
Interesting ports on 10.0.0.1:
(The 1604 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Uptime 42.567 days (since Mon Apr 28 07:56:00 2003)
Nmap run completed -- 1 IP address (1 host up) scanned in 23.081 seconds
(page 12)
Disable all non-essential network services.
- Many Unix services are started from the Internet Daemon (inetd).
  - echo, daytime, telnet, ftp, etc.
- Other services can be registered via the portmapper.
  - nfs, nis, etc.
  - rpcinfo -p -- displays registered RPC programs with port information.
- Daemons can also be stand-alone.
(page 13)
Review essential network services.
Many Unix protocols were not designed with security in mind.
Replace with a better-designed (security-wise) application when possible.
- sendmail -> postfix, qmail
- rcp -> ssh
- telnet -> ssh
- ftp -> sftp, vsftpd, proftpd
- imap -> imap/SSL
- inetd -> xinetd
(page 14)
Bind services to specific interfaces when possible.
- Restrict xinetd by using the bind attribute.
- Restrict BIND by using listen-on in the named.conf file.
  - listen-on { 127.0.0.1; };
- Restrict Apache by using the Listen directive.
- Not all applications have this feature.
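A small audit that ties this slide back to the netstat output shown earlier: it classifies each listening socket by bind address and lists the ones reachable on every interface, which are the candidates for the bind / listen-on / Listen restrictions above. This is an added example, not code from the original slides; the sample netstat text is constructed to match the earlier slide.

```shell
#!/bin/sh
# Added example, not part of the original slides: classify the sockets in
# "netstat -an --inet" output by bind address so a reviewer can see which
# listeners are reachable on every interface (0.0.0.0) and which are
# confined to loopback or to one interface address.
# The sample below is constructed to match the netstat slide.

NETSTAT_SAMPLE='tcp 0 0 127.0.0.1:1971 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
udp 0 0 127.0.0.1:53 0.0.0.0:*
udp 0 0 192.151.81.14:123 0.0.0.0:*
udp 0 0 127.0.0.1:123 0.0.0.0:*
udp 0 0 0.0.0.0:123 0.0.0.0:*'

# Print "proto port scope" for each listening socket; scope is one of
# wildcard (0.0.0.0), loopback (127.x.x.x) or interface (a specific address).
# Header lines and non-listening TCP connections are skipped.
classify_listeners() {
    printf '%s\n' "$1" | awk '
        $1 != "tcp" && $1 != "udp" { next }
        $1 == "tcp" && $6 != "LISTEN" { next }
        {
            n = split($4, a, ":")          # a[1] = address, a[n] = port
            addr = a[1]; port = a[n]
            if (addr == "0.0.0.0")                 scope = "wildcard"
            else if (substr(addr, 1, 4) == "127.") scope = "loopback"
            else                                   scope = "interface"
            printf "%s %s %s\n", $1, port, scope
        }'
}

# Only the "proto port" pairs exposed on every interface.
exposed_listeners() {
    classify_listeners "$1" | awk '$3 == "wildcard" { print $1, $2 }'
}

# Number of wildcard-bound listeners (0 means nothing is exposed that way).
exposed_count() {
    exposed_listeners "$1" | wc -l | tr -d ' '
}

# Live use: exposed_listeners "$(netstat -an --inet)"
```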
(page 15)
Restrict access to services when possible.
- xinetd does this with the only_from and no_access attributes.
  - only_from = 10/8, 127/8
  - no_access = hp.com, localnet
- HP-UX controls access to inet services via the /var/adm/inetd.sec file.
- Applications that have tcp_wrappers support:
  - /etc/hosts.deny: ftp: 127.0.0.1, 10.0.0.2
  - /etc/hosts.allow: esound: 127.0.0.1
- Not all applications have this feature.
(page 16)
Kernel based packet filtering.
- Kernel based packet filters are not available in all Unixes.
- Linux netfilter provides a powerful, stateful, flexible, extensible packet-filter firewall.
  - Interfaces
  - MAC addresses
  - Rate filtering
  - Source and destination subnets and/or ports
  - Multiple responses (ACCEPT, REJECT, DROP, LOG, etc.)
  - Packet fragments can be reassembled
  - Inspects all packets.
  - String matches.
- HP-UX has an ipfilter package.
- Does not require changes to user-space applications.
(page 17)
Application jails and privilege dropping.
- Many applications only require root to bind to restricted ports (1 - 1023).
  - bind: -u argument
  - xinetd: user attribute
  - su command.
- Limit system exposure by starting the application in a jail.
  - bind: -t argument
  - chroot command.
(page 18)
Compartments
- Compartmentalization is a method to reduce risk by using labels and privileges to control access to system resources.
- HP Virtual Vault
  - B2 security rating.
  - Four compartments: System Low, System Outside, System Inside, System High.
  - Can be used to bridge a network where an air-gap is required (banks, etc.).
- HP-LX (Trusted)
  - Many compartments: user definable.
  - Not available any longer.
(page 19)
HP Virtual Vault compartment diagram
(page 20)
Additional interesting Linux kernel parameters
- /proc/sys/net/ipv4/tcp_syncookies
  - Protect against SYN flood attacks.
- /proc/sys/net/ipv4/ip_forward
  - Allow/disallow IP forwarding.
- /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
- /proc/sys/net/ipv4/conf/*/rp_filter
  - Source route verification.
- /proc/sys/net/ipv4/tcp_timestamps
  - Disable RFC1323 TCP timestamps.
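A compliance check for the /proc/sys entries on this slide, as an added example that is not part of the original slides: it reads each setting from a tree root passed as a parameter and reports the ones that differ from a hardened value. The hardened values, and the use of conf/all for rp_filter, are this example's assumptions; on a live Linux host the root is /proc/sys.

```shell
#!/bin/sh
# Added example, not part of the original slides: compare the /proc/sys
# settings named on this slide against hardened values and report drift.
# The tree root is a parameter so the check can run against a constructed
# directory here; on a live Linux host pass /proc/sys. The expected values
# below are this example's assumptions, not taken from the slides.

# One "relative-path expected-value" pair per line.
HARDENED_SETTINGS='net/ipv4/tcp_syncookies 1
net/ipv4/ip_forward 0
net/ipv4/icmp_echo_ignore_broadcasts 1
net/ipv4/conf/all/rp_filter 1'

# Print "path current expected" for every setting that is missing or
# differs from the hardened value; prints nothing when fully compliant.
sysctl_drift() {
    root=$1
    printf '%s\n' "$HARDENED_SETTINGS" | while read -r path expected; do
        file="$root/$path"
        if [ -r "$file" ]; then
            current=$(cat "$file")
        else
            current=missing
        fi
        [ "$current" = "$expected" ] || echo "$path $current $expected"
    done
}

# Number of out-of-policy settings (0 means compliant).
sysctl_drift_count() {
    sysctl_drift "$1" | wc -l | tr -d ' '
}

# Constructed /proc/sys-style tree with two settings out of policy:
# IP forwarding left on and reverse-path filtering off.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/net/ipv4/conf/all"
    echo 1 > "$dir/net/ipv4/tcp_syncookies"
    echo 1 > "$dir/net/ipv4/ip_forward"
    echo 1 > "$dir/net/ipv4/icmp_echo_ignore_broadcasts"
    echo 0 > "$dir/net/ipv4/conf/all/rp_filter"
    echo "$dir"
}

# Live use: sysctl_drift /proc/sys
```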
(page 21)
Additional interesting HP-UX kernel parameters
- kmtune
  - executable_stack -> 0 (or 2)
- ndd
  - ip_forward_directed_broadcasts -> 0
  - ip_forward_src_routed -> 0
  - ip_forwarding -> 0
  - tcp_syn_rcvd_max -> 500
  - ip_respond_to_echo_broadcast -> 0
(page 22)
Modems/Serial/Other Threats
- Modems
  - Configure not to accept inbound calls.
  - Configure for dial-back.
  - Isolate from critical systems.
- Serial/Other
  - This is a gateway into the system; review the authentication and authorization procedures.
  - IP over serial is a reality; review the security on the other end as well.
  - Apply the rules for Network (IP) access when possible.
(page 23)
Inside the Perimeter
(page 24)
Software and Patches Security
- Minimal install base
  - Less software, less risk.
  - Linux system: 50 - 80 MB
  - HP-UX system: 150 - 250 MB
- Use the package management system
  - Software installs need to be tracked.
  - Software verification.
- Keep the systems patched (or understand/mitigate the risk)
  - Shared vs. static libraries
    - Recent OpenSSL vulnerabilities
      - Oracle, HP OpenView, Apache, OpenSSH, etc.
(page 25)
Filesystem Security
- Locate the SUID/SGID bits, remove any unnecessary privileges.
  - find / -type f -perm +6000
- Locate files that have world and/or group write permissions.
  - find / -type f -perm +0022
- Locate files that do not have a valid user or group.
  - find / -nouser -o -nogroup
- Verify file permissions are secure on "sensitive files".
  - e.g. /etc/shadow, crontabs, mail files, etc.
- Verify device file permissions.
  - e.g. disk devices, backup devices, etc.
(page 26)
Filesystem Security (2)
- Investigate mount options (nodev, noexec, nosuid, etc.)
  - Watch out for tricks...
    - /home is mounted with the noexec option.
    - /home/rbrad/bin/ls: Permission denied --> rbrad and root.
    - /lib/ld-2.3.1.so /home/rbrad/bin/ls works --> rbrad and root.
- Investigate mount options for remote file systems.
  - NFS -- root_squash, secure, ro, etc.
  - Samba -- -r, -u, -g, -d, etc.
- Security tools such as Bastille, TARA/Tiger and Tripwire can help initially harden a host, verify its compliance with corporate policy, and detect/report on changes to the filesystem.
(page 27)
Password Management
- Minimize the number of users on the host.
- Try not to use passwords.
  - Public/private key pairs (SSH, etc.).
  - SecurID (or token card).
  - Kerberos tickets.
(page 28)
Password Management (2)
- For accounts that must have passwords:
  - Use a different encryption scheme such as MD5 or SHA.
  - Run a password cracking program such as Crack or John the Ripper.
(page 29)
Privileged Access
- Limit access to UID-0 (root) accounts.
- Broker commands where possible.
  - Tools: PowerBroker(tm), sudo
  - Watch out for unintended side-effects:
    - vi -- shell escape
    - find -- -exec and -ok options
    - newgrp -- spawns a new shell
- Traditional Unix implements Discretionary Access Controls (DAC).
  - UID-0 (root) is all powerful.
  - Once the intruder/inside misuser has root, the game is over.
(page 30)
Privileged Access (2)
To reduce risk and exposure from root in traditional Unix, UID-0 needs to be treated as just another user.
- This can be done by breaking UID-0 powers into capabilities:
  - CAP_NET_BIND_SERVICE
  - CAP_NET_ADMIN
  - CAP_NET_RAW
  - CAP_SYS_RAWIO
  - CAP_SYS_CHROOT
- Linux Intrusion Detection System (LIDS - www.lids.org) is a kernel patch that extends the standard Linux capabilities to implement Mandatory Access Control (MAC) security.
- HP Virtual Vault uses a combination of privileges and labels to implement MAC security.
(page 31)
Summary
- Looked at two layers for host security:
  - Perimeter defense
  - Inside the perimeter defense.
- Identified some threats for each layer and reviewed methods to address the risk/exposure to the threat.
- Hopefully provided a general feel for why defending inside the perimeter is still a hard problem, vs. defending the perimeter.
(page 32)