AIT ITServ & Lab Supervisors Meeting: Practical How-To for System and Network Security; ITServ Plans on Policies and Services
Alain Fauconnet <[email protected]>, Security Specialist / CISO
March 31st, 2003 Meeting, V 20030331

Upload: ira-king

Post on 25-Dec-2015


TRANSCRIPT

Page 1:

AIT ITServ & Lab Supervisors Meeting
Practical How-To for System and Network Security
ITServ Plans on Policies and Services

Alain Fauconnet <[email protected]>
Security Specialist / CISO
March 31, 2003
V 20030331

Page 2:

Presentation Roadmap

1. Introduction
  1.1. Attacks are not only for others
  1.2. Potential damage
2. Basic security how-to
  2.1. General recommendations
  2.2. Rule #1: Install and configure carefully
  2.3. Rule #2: Keep software up-to-date
  2.4. Rule #3: Servers are not workstations

Page 3:

Presentation Roadmap

  2.5. Rule #4: Monitor your servers and network
  2.6. Rule #5: Do network filtering
3. Useful links and resources
4. ITServ plans
  4.1. Local resources
  4.2. Support and consulting
  4.3. Services
  4.4. Policies

Page 4:

1. Introduction
1.1. Attacks are not only for others

• Frequent lack of real concern about security
  – “I have no confidential data”
  – “I have such a small network, I’m not concerned”
  – “Hackers/abusers inside. So what? It still works…”
  – All too often: “I have no clue” :)
• Too many misconceptions
  – “Hackers only target (large) (US) businesses”
  – “I’ve switched to Unix (Linux), so I’m safe”
  – “I’m protected by AIT global filtering”
  – “Security is expensive and requires experts”

Page 5:

1. Introduction
1.1. Attacks are not only for others

• The facts
  – All AIT networks are being scanned by hackers several times a day; known vulnerabilities are actively searched for
  – Your network has been scanned already today!
  – Academic networks are especially targeted
  – Filtering at the AIT border cannot protect you from all kinds of attacks (there will be more Nimda- and SQLslammer-like worms)
  – Attacks from inside AIT are likely (more and more to come)
  – Not only servers open to the Internet are exposed

Page 6:

1. Introduction
1.1. Attacks are not only for others

• The facts (cont.)
  – Basic system and network security:
    • is simple:
      – install and configure properly
      – update
      – be consistent
    • requires just serious, consistent people with fair IT experience
    • blocks 80% (at least) of attacks
    • can save you a lot of time, effort and money
  – You will learn 5 recipes today: use them!

Page 7:

1. Introduction
1.1. Attacks are not only for others

• The facts (cont.)
  – An unpatched, unsecured Red Hat Linux server is at least as vulnerable as Windows
  – Windows 2000 (even with SP3) is not safe
  – A misconfigured firewall can make your security worse than no firewall at all
    • gives a wrong feeling of safety
    • protect servers first, then set up a firewall if you wish and if you can

Page 8:

1. Introduction
1.2. Potential damage

• Hackers use the network bandwidth we all share and the server resources that you have paid for
• Damage to the services you provide
  – Downtime for legitimate users
  – Defaced web site (reputation, confidence, image)
  – Loss or alteration of data
  – Wasted time and effort to repair the damage
• Leaking of confidential data
  – From LAN sniffing as well (data from other servers)

Page 9:

1. Introduction
1.2. Potential damage

• Damage to the services we all use
  – Slow network connections
  – Slow servers
  – Part or all of AIT networks / domains banned from major sites
    • Loss of connectivity
    • Cannot send e-mail
• Legal liability
  – Attacks on other sites / networks from your network
  – Offensive or illegal material on your servers

Page 10:

2. Basic Security How-To
2.1. General recommendations

• This simple how-to can avoid at least 80% of the break-ins currently seen
• Do it for all servers (new and old)
• This is an ongoing task: never finished
• Assign someone to handle security (can be part-time): that person must have the authority to check that the following rules are applied
• Don’t trust people saying that buying extra software will do it for you

Page 11:

2. Basic Security How-To
2.2. Rule #1: Install and configure carefully

• Do not do full or default installations of the operating system
  – Lots of useless and dangerous software packages get installed
  – Alternative: do a full or default install, then immediately uninstall the packages that you don’t use
• Red Hat Linux installation
  – Consider alternative Linux distributions, e.g.:
    E-smith at http://www.e-smith.org/
    Trustix at http://www.trustix.net/
  – Consider FreeBSD instead of Linux

Page 12:

2. Basic Security How-To
2.2. Rule #1: Install and configure carefully

• Windows 2000
  – Unless specifically needed, do not install any of: Networking Services, Other Network File and Print Services, Remote Installation Services, Remote Storage, Terminal Services, Windows Media Services...

Page 13:

2. Basic Security How-To
2.2. Rule #1: Install and configure carefully

• Windows 2000 (cont.)
  – Do not install unused parts of IIS: SMTP, NNTP…
    • Note: SMTP is needed by Active Directory replication
    • Configure replication to use RPC transport instead
    • An Internet server should not handle this anyway

Page 14:

2. Basic Security How-To
2.2. Rule #1: Install and configure carefully

• Windows 2000 (cont.)
  – Disable the features of IIS you don’t need using the Microsoft IIS Lockdown Tool:
    http://www.microsoft.com/technet/security/tools/locktool.asp
  – The defaults suggested by the tool are generally OK

Page 15:

2. Basic Security How-To
2.2. Rule #1: Install and configure carefully

• Windows 2000 (cont.)
  – Install a virus scanner on Windows servers
    • AVG is a very decent free virus scanner with automatic update
    • Download it from: http://www.grisoft.com
    • Registration needed; use a “disposable” e-mail address just in case, but no report of spamming yet
    • The free version could well disappear due to the current IT business context: enjoy it while it lasts
    • Commercial virus scanner: Sophos highly recommended: http://www.sophos.com
      – far fewer problems than with McAfee, Norton
      – free updates

Page 16:

2. Basic Security How-To
2.2. Rule #1: Install and configure carefully

• Windows 2000 (cont.)
  – Remove Outlook Express in any case. There is no good reason to have it on a server
  – Install an alternate web browser. Mozilla is a good choice: http://www.mozilla.org
  – IE is quite difficult to remove completely
    • make it a policy not to use it
    • better: use Windows ACLs to prevent its usage (details upon request)

Page 17:

2. Basic Security How-To
2.2. Rule #1: Install and configure carefully

• Red Hat Linux installation
  – Use an up-to-date distribution: Red Hat Linux 7.2 at least, never 7.0 or earlier
    • not a file server: do not install: nfs*, samba, portmap
    • not a name server: do not install: bind*
    • not a mail server: do not install: imap, sendmail
    • not a web server: do not install: apache*
    • not a DB server: do not install: MySQL*, postgresql*
    • unless specifically needed, do not install: dhcpd, finger.server, anonftp, bootparamsd …
  – Uninstalling a Linux RPM package:
    # rpm -e --nodeps packagename ...

Page 18:

2. Basic Security How-To
2.2. Rule #1: Install and configure carefully

• Unix configuration: Disable all services not needed
  – Services started by connection: file /etc/inetd.conf

    finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd

    Comment out unwanted services by adding ‘#’:

    #finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd

    Should be commented out unless specifically needed: ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth, gopher, time, linuxconf (Linux-specific) … almost all lines
  • Red Hat 7.1+ uses xinetd.conf, which can be managed with chkconfig (see next slide)

Page 19:

2. Basic Security How-To
2.2. Rule #1: Install and configure carefully

• Disable all services not needed
  – Services started at boot time: start-up scripts
    • Details vary a lot from Unix to Unix
    • Red Hat Linux start-up scripts are controlled using the chkconfig command:
      # chkconfig --list          list all services
      # chkconfig service off     disable a service
      # chkconfig service on      enable a service
  – Unless needed, you should disable: sendmail (if not a mail server), portmap, nfs, nfslock, netfs, all r*d (rusersd …), all yp* (ypbind …), lpd, samba, identd, named (if not a name server), httpd (if not a web server), snmpd, xfs, amd

Page 20:

2. Basic Security How-To
2.2. Rule #1: Install and configure carefully

  – Unix start-up scripts (cont.)
    • Most other Unix (and Linux too): rename files in the rcN.d (N = 2, 3 …) directories. Solaris has /etc/rcN.d. E.g.:
      # cd /etc/rc2.d
      # mv S73nfs.client _S73nfs.client
    – E.g. for Solaris, you should disable: S73nfs.client, S74autofs, S80lp, S88sendmail (if not a mail server), S15nfs.server, S76snmpx, S77dmi
    • Other kinds of Unix: use the administration tools
      – FreeBSD: /stand/sysinstall, “Do post-install configuration”
      – HP-UX: sam
      – AIX: smit
      – Refer to the documentation, but the target should be to disable NFS, RPC, remote printing, SNMP, SMTP server...
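The "disable all services not needed" steps on pages 18 to 20 can be audited with a small script. The one below is an added example, not from the deck or from ITServ: it flags unwanted services still enabled in /etc/inetd.conf, emits the "add a #" hardened copy, and flags unwanted services that chkconfig --list reports as on. The service lists come from the slides; the inetd.conf and chkconfig samples are constructed, and the pattern for samba also covers smb, which is Red Hat's init script name for it.

```shell
#!/bin/sh
# Audit helpers for the "disable all services not needed" steps (hypothetical, not the deck's code).
# Real use:
#   flag_inetd   < /etc/inetd.conf
#   harden_inetd < /etc/inetd.conf > /etc/inetd.conf.new   (review it, swap it in, then HUP inetd)
#   chkconfig --list | flag_chkconfig

# Services the deck says to comment out of inetd.conf unless specifically needed.
UNWANTED_INETD="ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth gopher time linuxconf"

# Boot-time services the deck says to disable, as an ERE. The deck's r*d and yp* become
# r[a-z]*d and yp[a-z]*; smb is added because that is Red Hat's init script name for samba.
UNWANTED_BOOT='^(sendmail|portmap|nfs|nfslock|netfs|r[a-z]*d|yp[a-z]*|lpd|samba|smb|identd|named|httpd|snmpd|xfs|amd)$'

# Constructed /etc/inetd.conf sample: finger already commented out, ftp/telnet/pop-3 still
# enabled, sshd enabled and legitimate.
INETD_SAMPLE='# inetd.conf sample (constructed)
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#finger stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
pop-3   stream  tcp  nowait  root    /usr/sbin/tcpd  ipop3d
ssh     stream  tcp  nowait  root    /usr/sbin/sshd  sshd -i
'

# Constructed "chkconfig --list" output in the Red Hat 7.x layout: SysV rows, then xinetd rows.
CHKCONFIG_SAMPLE='sendmail   0:off 1:off 2:on  3:on  4:on  5:on  6:off
portmap    0:off 1:off 2:off 3:on  4:on  5:on  6:off
rusersd    0:off 1:off 2:off 3:on  4:on  5:on  6:off
sshd       0:off 1:off 2:on  3:on  4:on  5:on  6:off
httpd      0:off 1:off 2:off 3:off 4:off 5:off 6:off
xinetd based services:
        finger: off
        telnet: on
        sgi_fam: on
'

# Print the names of unwanted services still enabled (uncommented) in the inetd.conf on stdin.
flag_inetd() {
    awk -v unwanted="$UNWANTED_INETD" '
        BEGIN { n = split(unwanted, u, " "); for (i = 1; i <= n; i++) bad[u[i]] = 1 }
        $1 !~ /^#/ && NF >= 6 && ($1 in bad) { print $1 }'
}

# Emit a copy of the inetd.conf on stdin with unwanted enabled lines commented out
# (the "add a #" edit the deck describes); every other line is passed through unchanged.
harden_inetd() {
    awk -v unwanted="$UNWANTED_INETD" '
        BEGIN { n = split(unwanted, u, " "); for (i = 1; i <= n; i++) bad[u[i]] = 1 }
        $1 !~ /^#/ && NF >= 6 && ($1 in bad) { print "#" $0; next }
        { print }'
}

# Print unwanted services that "chkconfig --list" (on stdin) reports as enabled:
# SysV services on in runlevel 3 or 5, and xinetd services marked "on".
flag_chkconfig() {
    awk -v boot="$UNWANTED_BOOT" -v unwanted="$UNWANTED_INETD" '
        BEGIN { n = split(unwanted, u, " "); for (i = 1; i <= n; i++) bad[u[i]] = 1 }
        # SysV row: name 0:off 1:off 2:on 3:on 4:on 5:on 6:off
        NF == 8 && $1 ~ boot && ($5 == "3:on" || $7 == "5:on") { print $1 }
        # xinetd row: "<name>: on"
        NF == 2 && $2 == "on" { name = $1; sub(/:$/, "", name); if (name in bad) print name }'
}

# Demonstration on the constructed samples.
echo "inetd.conf services to disable:"
printf '%s' "$INETD_SAMPLE" | flag_inetd            # ftp telnet pop-3
echo "boot/xinetd services to disable:"
printf '%s' "$CHKCONFIG_SAMPLE" | flag_chkconfig     # sendmail portmap rusersd telnet
echo "hardened inetd.conf:"
printf '%s' "$INETD_SAMPLE" | harden_inetd
```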

Page 21:

2. Basic Security How-To
2.2. Rule #1: Install and configure carefully

• Enforce a strict login/password policy
  – one person = one login account; do not use shared accounts (“operator”, project account…)
  – minimise root/administrator account usage: only when needed, not for daily work
  – require correct passwords
    • no password = login name
    • no default password (especially empty!)
    • no password = name of department
    • no password = nickname
    • no single words found in a dictionary
    • etc… Everyone knows this already!
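The password rules on this slide, applied by a check that can be run from an account-creation procedure. This is an added example, not from the deck: the login, department and nickname values and the tiny word list are constructed, and a real deployment would read a dictionary file such as /usr/share/dict/words instead of DICT_SAMPLE.

```shell
#!/bin/sh
# Password policy check for the slide's rules (hypothetical helper, not the deck's code).

# Constructed stand-in for a dictionary file, one word per line.
DICT_SAMPLE='password
welcome
computer
bangkok
summer'

# Lower-case a string with POSIX tr (no bash-only ${var,,}).
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# check_password LOGIN PASSWORD DEPARTMENT [NICKNAME]
# Returns 0 if PASSWORD satisfies the slide's rules, 1 otherwise; the verdict is printed on stdout.
check_password() {
    login=$1 pw=$2 dept=$3 nick=${4:-}
    # No default password, especially not an empty one.
    if [ -z "$pw" ]; then echo "rejected: empty (default) password"; return 1; fi
    pw_l=$(lower "$pw")
    # No password equal to the login name, the department name or a nickname (case-insensitive).
    for forbidden in "$login" "$dept" "$nick"; do
        [ -n "$forbidden" ] || continue
        if [ "$pw_l" = "$(lower "$forbidden")" ]; then
            echo "rejected: password equals '$forbidden'"; return 1
        fi
    done
    # No single word found in the dictionary: whole-line, case-insensitive, fixed-string match.
    if printf '%s\n' "$DICT_SAMPLE" | grep -Fqix -- "$pw_l"; then
        echo "rejected: dictionary word"; return 1
    fi
    echo "accepted"
    return 0
}

# Demonstration: constructed login "alice" in department "CSIM", four rejections and one acceptance.
for pw in '' Alice csim Bangkok 'k7#Lq!2v'; do
    printf '%-12s ' "'$pw'"
    check_password alice "$pw" CSIM || true    # keep going after a rejection
done
```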

Page 22:

2. Basic Security How-To
2.2. Rule #1: Install and configure carefully

• Have a strict policy on remote administration
  – Only when really needed, and from a very small number of client workstations (see “filtering”)
  – On Unix, do not allow direct remote login as root: log in as a normal user and use su or, better, sudo
  – Use only standard and well-known tools
  – Avoid home-made web-based admin tools
  – Good Unix web-based administration tool: Webmin, http://www.webmin.com/
• Do not use telnet and FTP!

Page 23:

2. Basic Security How-To
2.2. Rule #1: Install and configure carefully

• Remote administration (cont.)
  – Require strong encryption and authentication
    • Unix: install and use SSH (“encrypted telnet”), not standard telnet
      – the ssh server is part of Linux and FreeBSD
      – for other Unix: download from http://www.openssh.org/
      – ready-to-install binaries for Solaris at: http://www.sunfreeware.com/
      – freeware Windows SSH client (terminal emulator): TeraTerm Pro with SSH extension
        http://hp.vector.co.jp/authors/VA002416/teraterm.html
        http://www.zip.com.au/~roca/ttssh.html
    – SSH can do file upload/download too: use the freeware WinSCP client for Windows (http://winscp.vse.cz/eng/)

Page 24:

2. Basic Security How-To
2.2. Rule #1: Install and configure carefully

• Remote administration (cont.)
  – Require strong encryption and authentication
    • Windows: use a recent version of PC Anywhere with encryption set at least to “PCAnywhere”
    • Windows Remote Desktop has encryption always on
    • Avoid VNC (freeware PCAnywhere-like) except over an encrypted tunnel

Page 25:

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date

• Fact: an off-the-CD, unpatched installation of Red Hat Linux or Windows + IIS put on the Internet is usually hacked within 3 weeks
• All standard O/S distributions have many serious security holes: apply critical patches
• Check the vendor web site once a week for new vulnerabilities, or subscribe to alert mailing lists: CERT, SecurityFocus, SANS...
• The information in the next slides will be outdated very soon...

Page 26:

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date

• Windows (W2K) servers
  – CodeRed and Nimda exploit bugs in IIS that have been known since May 2001. “There’s no patch for negligence and laziness”
  – Microsoft reference page for Nimda: http://www.microsoft.com/technet/security/topics/Nimda.asp
  – SQLslammer exploits a bug in MS-SQL that has been known since July 2002
  – Microsoft reference page for SQLslammer: http://www.microsoft.com/security/slammer.asp
  – Microsoft starting point page for security: http://www.microsoft.com/technet/security/

Page 27:

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date

• Windows (W2K) servers (cont.)
  – Bringing up a (reasonably) safe (to external attacks at least) Windows 2000 server is simple:
    • 1) Install Windows and IIS (correctly, see rule #1)
    • 2) Install Service Pack 3
      http://www.microsoft.com/windows2000/downloads/servic
    • 3) Install Hotfixes MS02-052, MS02-065, MS03-001

Page 28:

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date

• Windows (W2K) servers (cont.)
    • 4) If your server has MS SQL, install MS SQL SP3:
      http://www.microsoft.com/sql/downloads/2000/sp3.asp
    • 5) Don’t forget to patch Internet Explorer too: IE 6 SP1, and patch it
      http://www.microsoft.com/windows/ie/downloads/critical/ie6sp1/
      http://www.microsoft.com/technet/security/bulletin/MS03-004.asp
    • 6) Reminder: remove Outlook Express! There is no good reason to have it on a server.

Page 29:

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date

• Windows (W2K) servers (cont.)
  – If infected:
    • Back up data, format, reinstall and patch! If you don’t patch, you will get infected again
    • Do not rely on “cleaners”: they cannot handle 100% of the infection variants
    • Restore your data
    • Check all your HTML and JavaScript files: delete all added links to *.EML files
    • Delete any README.EML or *.EXE file in your data

Page 30:

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date

• Windows (W2K) servers (cont.)
  – Use automated tools to check against the latest security patches
  – Windows Automatic Update (installed with SP3), in the Control Panel
    • + already installed
    • + easy to use
    • - gives little control over what is installed

Page 31:

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date

  – Microsoft HotFix Checker (new version)
    http://www.microsoft.com/technet/security/tools/hfnetchk.asp
    • + can scan your network from a single point
    • + on-line checking: always up-to-date (well, nearly)
    • + just tells you what you should install, doesn’t install anything
    • + can run on NT4/IIS4, W2K/IIS5 and XP/IIS6
    • - command-line console application

Page 32:

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date

  – Microsoft “Hot Fix Checker” (cont.)
    1) Download and install
       It can be installed anywhere; suggested: C:\Program Files\Hotfix Checker

Page 33:

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date

  – Microsoft “Hot Fix Checker” (cont.)
    2) Open a “Command Prompt” window
       Do not run it from Explorer

Page 34:

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date

  – Microsoft “Hot Fix Checker” (cont.)
    3) Change to the directory where it is installed:
       cd “\Program Files\Hotfix Checker”
    4) Run the program:
       hfnetchk -v -z -s 1 -nosum

Page 35:

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date

  – Microsoft “Hot Fix Checker” (cont.)
    5) Check the results: look for “Patch not found MSXX-YY”

Page 36:

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date

  – Microsoft “Hot Fix Checker” (cont.)
    6) Search for the returned missing patches MSXX-YY on the Microsoft TechNet security site: http://www.microsoft.com/technet/security/
    7) Install them!
    Options described in detail at: http://support.microsoft.com/support/kb/articles/q303/2/15.asp

Page 37:

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date

  – Shavlik’s HFNetChkPro
    • improved version of Microsoft’s tool with a GUI, much easier to use
    • not free, but a free “Lite” version exists for networks up to 50 nodes: http://www.shavlik.com/pHFNetChkLT.aspx

Page 38:

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date

• Linux servers: Red Hat covered in this presentation, other distributions similar
  – Check: http://www.redhat.com/apps/support/errata/
  – Review all Security Errata (= bugs!)
  – At least, install all update RPMs mentioning “remote root” or “remote compromise” in the description, and all related to: kernel, ftpd, wu-ftpd, lpd, lprng, rpc, portmap, sendmail, pop, imap, linuxconf, [open]ssh, apache

Page 39:

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date

• Linux servers (cont.)
  – How to install an updated RPM on Red Hat Linux:
    1) download the RPM, e.g. wu-ftpd-2.6.0-14.6x.i386.rpm
    2) type:
       # rpm -Uvh name-of-RPM
       e.g.:
       # rpm -Uvh wu-ftpd-2.6.0-14.6x.i386.rpm
    Other useful commands:
    • rpm -q -a                      lists installed RPMs
    • rpm -ivh name-of-RPM           installs an RPM
    • rpm -e --nodeps name-of-RPM    uninstalls an RPM
    • rpm -V name-of-RPM             checks an installed RPM

Page 40:

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date

  – Most critical vulnerabilities in Red Hat Linux 7.x:
    • OpenSSH (ssh server and client)
      http://rhn.redhat.com/errata/RHSA-2002-043.htm
    • OpenSSL (used by Apache)
      https://rhn.redhat.com/errata/RHSA-2002-155.html
    • Kernel
      http://rhn.redhat.com/errata/RHSA-2001-130.html
      http://rhn.redhat.com/errata/RHSA-2003-098.html
    • BIND (DNS server)
      http://rhn.redhat.com/errata/RHSA-2001-007.html
    • LPRng (print server)
      http://rhn.redhat.com/errata/RHSA-2000-065.html

Page 41:

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date

  – Most critical vulnerabilities in Red Hat Linux 7.x (cont.):
    • xntp3 (time daemon)
      http://rhn.redhat.com/errata/RHSA-2001-045.html
    • telnetd (telnet server)
      http://rhn.redhat.com/errata/RHSA-2001-099.html
    • ucd-snmp-utils (SNMP server)
      http://rhn.redhat.com/errata/RHSA-2001-163.html
    • sendmail (SMTP server)
      http://rhn.redhat.com/errata/RHSA-2003-073.html
    Some may only apply to 7.0, 7.1 or 7.2; check the web pages

Page 42:

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date

  – Most critical vulnerabilities in Red Hat Linux 8.0:
    • Kernel
      http://rhn.redhat.com/errata/RHSA-2003-098.html
    • sendmail (SMTP server)
      http://rhn.redhat.com/errata/RHSA-2003-073.html
    • Apache, mod_ssl, PHP
      http://rhn.redhat.com/errata/RHSA-2002-222.html

Page 43:

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date

  – Use automatic update
    • register to Red Hat Network (needed):
      # up2date --register
    • configure the update agent to your preferences:
      # up2date --configure
    • run a full update:
      # up2date -u
    • use option --nox for non-GUI (text) mode
    • Full documentation at: http://rhn.redhat.com/help/basic/index.html

Page 44:

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date

• Sun Solaris (on Sun hardware or PC)
  – Check: http://sunsolve.sun.com, click on “Security Bulletin Archive”
  – Install the Recommended Patch Bundles: click on “Recommended & Security Patches” according to platform (SPARC or x86) and version
    • 2.6 = 5.6
    • 2.7 = 5.7 = 7
    • 2.8 = 5.8 = 8
    (Sun likes confusing version numbering...)
  – Free download: no need for a support contract

Page 45:

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date

• Sun Solaris (cont.)
  – How to install a patch bundle (e.g. for Solaris 7):
    1) download the zip file
    2) unzip it in a temporary directory (100 MB and more)
       # unzip 7_Recommended.zip
    3) start the automatic installation script (as root)
       # cd 7_Recommended
       # ./install_cluster
    4) wait for a long time
    5) reboot

Page 46:

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date

• Special care for name servers
  – All versions of BIND (the standard Unix DNS name server) prior to the 8.2.3 final release have severe security bugs allowing remote root compromise
  – Updates for Red Hat Linux and the recommended patch bundles for Sun Solaris take care of this, or:
  – Compile and install BIND version 8.2.4 at least (9.1 is OK but requires migration work) from: http://www.isc.org/

Page 47:

2. Basic Security How-To
2.4. Rule #3: Servers are not workstations

• Buy new machines for servers, or do a full re-format and re-install if you recycle hardware
• Do not use workstations to bring up network services (file server, web server…)
• Convince your staff not to use servers as workstations
  – No web browsing except trusted sites, and not using IE except when browsing Microsoft’s sites
  – On Windows, no e-mail activity, especially not using Outlook
  – No installation of any program not directly related to server operation and administration
  – Avoid program development on servers whenever possible

Page 48: 2. Basic Security How-To / 2.5. Rule #4: Monitor your servers and network

• Any sudden change in load is suspicious
• Monitor the traffic on your link to the Internet
– If you have manageable switches (supporting SNMP), bring up MRTG to show per-port traffic
Real case: a huge rise of the outgoing traffic = scans being launched from a compromised server
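The "sudden rise of outgoing traffic" check above, turned into a small detector over MRTG-style counter polls. This is an added example, not from the slides or from MRTG itself; the interface counter samples are constructed, and the 32-bit counter wrap handling assumes the classic ifOutOctets counter that MRTG polls.

```python
COUNTER_WRAP = 2 ** 32   # 32-bit SNMP counters (ifOutOctets) wrap around to zero
INTERVAL_SEC = 300       # MRTG's default polling interval is 5 minutes


def rates_from_counters(samples, interval=INTERVAL_SEC, wrap=COUNTER_WRAP):
    """Turn cumulative octet counters into bytes/second for each polling interval.

    A negative delta means the counter wrapped past 2^32 between two polls; a
    single wrap is corrected, as MRTG does, instead of being reported as a drop.
    """
    rates = []
    for prev, cur in zip(samples, samples[1:]):
        delta = cur - prev
        if delta < 0:
            delta += wrap
        rates.append(delta / interval)
    return rates


def spike_alerts(rates, baseline_len=6, factor=5.0):
    """Return (index, rate, baseline_median) for each interval whose outbound
    rate is more than `factor` times the median of the previous `baseline_len`
    intervals. Using the median keeps one spike from hiding the next one."""
    alerts = []
    for i in range(baseline_len, len(rates)):
        window = sorted(rates[i - baseline_len:i])
        median = window[len(window) // 2]
        if median > 0 and rates[i] > factor * median:
            alerts.append((i, rates[i], median))
    return alerts


# Constructed ifOutOctets samples (not real data): a link carrying a steady
# 2000 bytes/s, with the counter wrapping after the second sample, followed by
# two intervals at 50000 bytes/s, the kind of jump seen when a compromised
# server starts scanning.
SAMPLE_COUNTERS = [
    4294000000, 4294600000, 232704, 832704, 1432704, 2032704,
    2632704, 3232704, 3832704, 18832704, 33832704,
]

if __name__ == "__main__":
    for idx, rate, base in spike_alerts(rates_from_counters(SAMPLE_COUNTERS)):
        print(f"interval {idx}: {rate:.0f} B/s outbound vs usual {base:.0f} B/s")
```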

Page 49: 2. Basic Security How-To / 2.5. Rule #4: Monitor your servers and network

• Monitor CPU load on your servers
– Task Manager on Windows (Ctrl-Alt-Del, click on the “Task Manager” button)
– The top command on Unix
• Look for unusual processes running
– Become familiar with the names of the processes running on your server during normal operations
– Check for any new process running
– If so, find out what it is

Page 50: 2. Basic Security How-To / 2.5. Rule #4: Monitor your servers and network

• Look for unusual processes (cont.)
– Windows: use the Processes list of Task Manager

Page 51: 2. Basic Security How-To / 2.5. Rule #4: Monitor your servers and network

• Look for unusual processes (cont.)
– Unix: use the ps command
• Linux, FreeBSD: ps -auxww
• Solaris, HP-UX, AIX: ps -ef

  # ps -auxww
  USER       PID %CPU %MEM  VSZ  RSS TTY STAT START  TIME COMMAND
  root         1  0.0  0.0  344   80 ?   S    Jan17  2:20 init [3]
  root         2  0.0  0.0    0    0 ?   SW   Jan17  0:03 [kflushd]
  root         3  0.0  0.0    0    0 ?   SW   Jan17  6:53 [kupdate]
  root         4  0.0  0.0    0    0 ?   SW   Jan17  0:00 [kpiod]
  root         5  0.0  0.0    0    0 ?   SW   Jan17  0:04 [kswapd]

Page 52: 2. Basic Security How-To / 2.5. Rule #4: Monitor your servers and network

• Look for automatically started programs
– Linux (Red Hat): check for new or modified scripts in /etc/rc.d and below
– Windows: use REGEDIT to look at the keys under \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, or run MSCONFIG and look at the “Startup” tab
• Look for new user names
– Windows: check with the User Manager
– Unix: check the /etc/passwd file
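The two Unix checks from the last three slides (know your normal process list from ps -auxww, look for new user names in /etc/passwd) as one baseline comparison. This is an added example, not code from the slides; the baseline sets, the ps output and the passwd lines are constructed, and the UID 0 check is an addition the slides do not mention.

```python
def ps_commands(ps_output):
    """Return the set of command names from `ps -auxww` output (header skipped).

    The COMMAND column is the 11th field; arguments are dropped, so the line
    'init [3]' yields 'init' and '[kflushd]' stays as it is.
    """
    names = set()
    for line in ps_output.strip().splitlines()[1:]:
        fields = line.split(None, 10)
        if len(fields) == 11:
            names.add(fields[10].split()[0])
    return names


def passwd_accounts(passwd_text):
    """Parse /etc/passwd lines (name:passwd:uid:gid:...) into {name: uid}."""
    accounts = {}
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) >= 3:
            accounts[parts[0]] = int(parts[2])
    return accounts


def audit(ps_output, passwd_text, baseline_processes, baseline_users):
    """Compare the live process list and account list against the baseline.

    Reports commands not seen during normal operation, accounts that were not
    there at install time, and any account other than root that has UID 0
    (a check added here; the slides only say to look for new user names).
    """
    procs = ps_commands(ps_output)
    accounts = passwd_accounts(passwd_text)
    return {
        "new_processes": sorted(procs - set(baseline_processes)),
        "new_users": sorted(set(accounts) - set(baseline_users)),
        "uid0_not_root": sorted(u for u, uid in accounts.items()
                                if uid == 0 and u != "root"),
    }


# Baseline recorded from the freshly installed server (constructed).
BASELINE_PROCESSES = {"init", "[kflushd]", "[kupdate]", "syslogd", "inetd",
                      "/usr/sbin/sshd", "httpd"}
BASELINE_USERS = {"root", "daemon", "nobody", "alain"}

# Constructed `ps -auxww` output: one unknown binary running from /tmp.
SAMPLE_PS = """\
USER       PID %CPU %MEM  VSZ  RSS TTY STAT START  TIME COMMAND
root         1  0.0  0.0  344   80 ?   S    Jan17  2:20 init [3]
root         2  0.0  0.0    0    0 ?   SW   Jan17  0:03 [kflushd]
root       210  0.0  0.3 1156  420 ?   S    Jan17  0:10 syslogd -m 0
root       260  0.0  0.4 1280  510 ?   S    Jan17  0:00 inetd
root       301  0.0  0.9 2900 1100 ?   S    Jan17  0:02 /usr/sbin/sshd
nobody    2211 97.0  0.5 1800  600 ?   R    10:02 41:17 /tmp/.x/svc
"""

# Constructed /etc/passwd: one extra account, and it has UID 0.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
alain:x:500:500:Alain:/home/alain:/bin/bash
adm2:x:0:0::/:/bin/sh
"""

if __name__ == "__main__":
    for finding, items in audit(SAMPLE_PS, SAMPLE_PASSWD,
                                BASELINE_PROCESSES, BASELINE_USERS).items():
        print(f"{finding}: {items}")
```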

Page 53: 2. Basic Security How-To / 2.6. Rule #5: Do network filtering

• Filtering is:
– Letting only the network traffic that you need pass through, blocking all the rest
  E.g.: SMTP, POP, IMAP to a mail server
and/or
– Blocking all the traffic that you know you don’t need, letting all the rest pass through
  E.g.: Windows file sharing

Page 54: 2. Basic Security How-To / 2.6. Rule #5: Do network filtering

• Simple guidelines for minimal filtering
– Implement multiple-level filtering
– On the router, block all LAN-only traffic: file sharing, printer sharing, database access

[Diagram: Internet, Router, Mail server, Web server, with NFS and POP flows; legend: = block]

Page 55: 2. Basic Security How-To / 2.6. Rule #5: Do network filtering

• Guidelines (cont.)
– On the server, allow only legitimate traffic to pass
• SMTP, POP, IMAP on a mail server
• HTTP, HTTPS on a web server
• Domain on a name server

[Diagram: Internet, Router, Mail server, Web server, with NFS and POP flows; legend: = block]

Page 56: 2. Basic Security How-To / 2.6. Rule #5: Do network filtering

• Filtering on the router
– Block dangerous protocols
– Let the rest pass through
– More refined filtering can be done
• Filter on source and destination
• Filter on direction of connection
– Done globally by ITServ
• On border interfaces (Internet & others)
• Between AIT networks (schools, labs, entities)
• Details upon request

Page 57: 2. Basic Security How-To / 2.6. Rule #5: Do network filtering

• How to implement filtering on a server?
– Use TCP Wrappers by Wietse Venema
• Standard for Linux and FreeBSD
• Download, compile and install for other Unix
– ftp://ftp.porcupine.org/pub/security/index.html#software
– http://www.sunfreeware.com has pre-compiled binaries for Sun Solaris
– install into /etc/inetd.conf (more help upon request)
– TCP Wrappers configuration in two files
• hosts.allow (in /etc or /usr/local/etc)
– which service (port number) is allowed
– from which IP address / network

Page 58: 2. Basic Security How-To / 2.6. Rule #5: Do network filtering

• How to implement filtering on a server?
– TCP Wrappers configuration (cont.)
• hosts.allow (cont.)
– Format is:
  daemon_name : IP address[/netmask] …
– Examples:
  FTP only from a given address:
  ftpd : 203.159.12.34
  SSH only from AIT networks:
  sshd : 203.159.0.0/255.255.0.0 192.41.70.0/255.255.255.0
  POP from anywhere:
  popper : ALL

Page 59: 2. Basic Security How-To / 2.6. Rule #5: Do network filtering

• How to implement filtering on a server?
– TCP Wrappers configuration (cont.)
• hosts.deny (in /etc or /usr/local/etc)
– What is not allowed
– Must have a single line:
  ALL : ALL
– Do not leave it empty (=> allows everything!)
– FreeBSD TCP Wrappers have a single configuration file (hosts.allow)
• adds “: allow” or “: deny” at the end of each line
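The hosts.allow / hosts.deny evaluation order described on the last three slides, including why an empty hosts.deny allows everything. This is an added example, not code from the slides and not Venema's TCP Wrappers; it is a simplified matcher that supports only the patterns the slides use (daemon names, ALL, single IPv4 addresses, net/mask), and the rule files below are built from the slides' own examples.

```python
import ipaddress  # standard library; accepts the dotted netmask form the slides use


def _client_matches(pattern, client_ip):
    """Match one client-list token: ALL, a single IPv4 address, or net/mask."""
    if pattern == "ALL":
        return True
    addr = ipaddress.IPv4Address(client_ip)
    if "/" in pattern:
        # IPv4Network accepts "203.159.0.0/255.255.0.0" as well as "/16"
        return addr in ipaddress.IPv4Network(pattern, strict=False)
    return addr == ipaddress.IPv4Address(pattern)


def parse_rules(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) pairs.
    Blank lines and '#' comments are skipped, as in the real files."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.split(), clients.split()))
    return rules


def rules_match(rules, daemon, client_ip):
    """True if any rule names this daemon (or ALL) and any client token matches."""
    return any(
        (daemon in daemons or "ALL" in daemons)
        and any(_client_matches(p, client_ip) for p in clients)
        for daemons, clients in rules
    )


def access_allowed(hosts_allow, hosts_deny, daemon, client_ip):
    """TCP Wrappers evaluation order: a hosts.allow match grants access, then a
    hosts.deny match refuses it, and a request matching neither file is
    allowed. That last step is why an empty hosts.deny lets everything in."""
    if rules_match(parse_rules(hosts_allow), daemon, client_ip):
        return True
    if rules_match(parse_rules(hosts_deny), daemon, client_ip):
        return False
    return True


# The slides' own hosts.allow examples (addresses as given on the slides).
HOSTS_ALLOW = """\
ftpd : 203.159.12.34
sshd : 203.159.0.0/255.255.0.0 192.41.70.0/255.255.255.0
popper : ALL
"""
HOSTS_DENY = "ALL : ALL\n"   # the single line the slides say hosts.deny must have
EMPTY_DENY = ""              # the mistake the slides warn about

if __name__ == "__main__":
    for deny, label in ((HOSTS_DENY, "ALL : ALL"), (EMPTY_DENY, "empty")):
        ok = access_allowed(HOSTS_ALLOW, deny, "telnetd", "10.1.2.3")
        print(f"hosts.deny {label}: telnetd from 10.1.2.3 -> {'allowed' if ok else 'denied'}")
```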

Page 60: 3. Useful links and resources

• Security alert news
– http://www.cert.org
– http://www.sans.org
– http://xforce.iss.net
– http://www.securityfocus.com
– http://www.linuxsecurity.com/advisories
• Information and checklists
– SANS “Top 20 Most Critical Internet Security Vulnerabilities”
  ://../20.
• Free automated network scanner available!

Page 61: 3. Useful links and resources

• Information and checklists (cont.)
– NSA “The 60 Minute Network Security Guide”
  http://nsa2.www.conxion.com/support/guides/sd7.pdf
• Linux
– Securing and Optimizing Linux: Red Hat Edition - A Hands on Guide
  http://www.linuxdoc.org/guides.html#securing_linux
– Securing Linux Servers for Service Providers (IBM document)
  http://www.ibm.com/linux/Securing_Linux_Servers_xSP_hil_.

Page 62: 3. Useful links and resources

• Linux (cont.)
– Linux security checklists
  http://www.uga.edu/ucns/wsg/security/linuxchecklist.html
  http://www.wfu.edu/~rbhm/linux.html
– TrinityOS Guide to Configuring Linux
  http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS/mHTML/TrinityOS-m.html
  Parts 8.7 to 8.10 especially explain Linux security configuration in great detail
• Windows
– Microsoft’s Security Site
  http://www.microsoft.com/technet/security/

Page 63: 3. Useful links and resources

• Windows sites (cont.)
– NT4 / IIS4 Security Checklist
  http://www.microsoft.com/technet/security/iischk.asp
– W2K / IIS5 Security Checklist
  http://www.microsoft.com/technet/security/iis5chk.asp
• Sun Solaris
– Solaris Network Hardening
  http://ist.uwaterloo.ca/security/howto/2000-09-19/
  Includes a tool to automate configuration
– YASSP (Yet Another Solaris Security Package)
  http://www.yassp.org/

Page 64: 3. Useful links and resources

• Free security tools (mostly Unix)
– Nessus Security Scanner
  http://www.nessus.org
– Web-based simple port scanner
  http://www.ntsecurity.com/scan.asp
– Snort Intrusion Detection System (IDS)
  http://www.snort.org
• Runs on Windows too
– SANS “Top 20” vulnerability scanner
  http://www.cisecurity.org/scanning_tool.html
• Runs on Unix only
• Can scan vulnerabilities of Unix and Windows servers

Page 65: 3. Useful links and resources

• Free security tools (Windows)
– SwatIt Windows trojan remover
  http://lockdowncorp.com/bots/downloadswatit.htm
– Foundstone’s Windows forensics toolbox
  http://www.foundstone.com/knowledge/free_tools.html
– PrcView process viewer
  Gives much info about DLLs used and how the process has been started
  http://www.teamcti.com/pview/prcview.htm

Page 66: 3. Useful links and resources

• Miscellaneous
– Lance Spitzner's white papers
  http://www.enteract.com/~lspitz/papers.html
– The Center for Internet Security
  http://www.cisecurity.com

Page 67: 4. ITServ plans

• What we know by now:
– Filtering at the border of the AIT network is only a part of the solution (can’t address all threats)
– Maintaining security easily becomes an almost full-time job for all but the smallest networks inside AIT
– Not all labs/schools/entities have the right people with enough free time to do it
– All that is a lot of duplicated effort, duplicated investment and duplicated downloads

Page 68: 4. ITServ plans

• Our goals:
– Establish a global standard of security for all AIT
• standardisation of environments
• validation of servers
• fully enforced configuration and update policies
– Rely more on standards and policies observed by all entities inside AIT and less on tight global filtering and on corrective blocking of IP addresses inside AIT
– Provide extensive local resources and consulting

Page 69: 4. ITServ plans

• Our goals (cont.):
– Provide centralised services that entities inside AIT can use without losing control over their servers and/or contents
• proper configuration
• real dedicated firewall, possibly intrusion detection
• 24-hour monitoring, regular auditing
• software updates
• clearly defined, dependable
– The most efficient way: an Internet Data Centre at ITServ for co-location and hosting

Page 70: 4. ITServ plans

• What we need:
– Clearly identified people in charge of IT security in all AIT entities, willing to co-operate
– An honest acceptance and support of the common goals and the means to reach them:
• standardise vs. “I like Linux DebDrakeHatGNUXYZ only”
• commitment to dedicate enough resources (time)
• actual usage of local resources vs. “magic tools”
• willingness to “outsource” what can not be managed locally due to lack of resources vs. “I absolutely want this server in my office”
• accept servers and services being audited and validated

Page 71: 4. ITServ plans / 4.1. Local resources

For a limited number of supported operating systems and environments:
• Local cache of all critical patches
– much faster downloads
– save Internet bandwidth
• Local “CERT-like” web site to announce vulnerabilities
– summarised and targeted at supported environments: much easier to read
– links to local downloads
• Local alert mailing lists

Page 72: 4. ITServ plans / 4.1. Local resources

• Campus license for selected critical security software, with local downloads
• Windows anti-virus software a priority
– local download and possibly transparent/automated installation
– local and automatic updates
– very cost-effective

Page 73: 4. ITServ plans / 4.2. Support and consulting

• Provide installation manuals with configuration guidelines tuned to the AIT environment for supported O.S.
• Provide security check-lists (more usable than Microsoft’s) with verification tools
• On-demand security auditing
– network scanning, possibly real-time (from the AIT Intranet web)
– on-site auditing with written report upon request

Page 74: 4. ITServ plans / 4.2. Support and consulting

• Emergency assistance in case of intrusion
– evaluate damage
– save important information to track down the source (computer forensics)
– help cleaning or re-installing the machine while preserving data
– final written report with probable causes of the intrusion, to avoid the same mistakes being made again

Page 75: 4. ITServ plans / 4.3. Services

• AIT Internet Data Centre in ITServ building
– co-location of Internet/Intranet servers
– shared hosting of Internet servers (mostly web)
– provides reliable operation of your servers:
• power, air conditioning
• 24-hr operator staff to watch servers, reboot, restart service
• network-based disk back-up facility
• web-based real-time monitoring of service availability (e.g. HTTP server up/down)

Page 76: 4. ITServ plans / 4.3. Services

• AIT Internet Data Centre (cont.)
– provides secure environment:
• full-featured firewall (not simple port filtering)
• O/S installation & hardening service available
• software updates installation service
• web-based detailed network traffic statistics and real-time monitoring, alert generation in case of abnormally high traffic
• preventive regular auditing (scanning) to detect anomalies
• possibly: IDS, content-based filtering

Page 77: 4. ITServ plans / 4.3. Services

• AIT Internet Data Centre (cont.)
– preserves full control over your equipment
• remote administration (SSH, PC Anywhere, remote desktop…)
• physical access whenever needed
• personalised per-server policy on the firewall, agreed upon and modifiable via on-line requests

Page 78: 4. ITServ plans / 4.4. Policies

• Standardisation of server environment to a set of supported O.S./server software and versions
– installed base used as a start (fill in the questionnaire!)
– reduced to a smaller set (negotiation)
– open-source O.S. and software preferred
– extensive assistance for migration if needed
• Mandatory anti-virus software on all Windows servers and desktops
– campus-wide license
– transparent and automatic installation and update

Page 79: 4. ITServ plans / 4.4. Policies

• Validation and continuous auditing of servers
– audit before opening service to the Internet
– exclude usage as a workstation
– committed delay to do audit
• LAN network services really LAN-only
– phase-out cross-network Windows file sharing
– provide safer alternatives
– help labs to migrate

Page 80: 4. ITServ plans / 4.4. Policies

• Formal but fast and efficient communication for all security-related issues
– web-based “ticket processing” system with 2-way interactivity
– full information on what is being done and why
– formal incident reporting and archival
• Regular meetings with designated IT Security Managers in all entities
– attendance required
– the place where policies will be elaborated

Page 81: AIT ITServ & Lab Supervisors Meeting

• Thank you very much for your attention
• Now let’s talk!