Security Strategies in Linux Platforms and Applications, Lesson 7: Networks, Firewalls, and More
DESCRIPTION
PowerPoint presentation transcript. Learning objective: assess how firewall, Transmission Control Protocol (TCP) Wrappers, and Security Enhanced Linux (SELinux) complement one another to secure network applications. Key concepts are listed in the slides below.
TRANSCRIPT
© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company. www.jblearning.com. All rights reserved.
Security Strategies in Linux Platforms and Applications
Lesson 7: Networks, Firewalls, and More
Learning Objective
Assess how firewall, Transmission Control Protocol (TCP) Wrappers, and Security Enhanced Linux (SELinux) complement one another to secure network applications.
Key Concepts
Basic layered security concepts of a Linux infrastructure
Firewall with iptables
Application layer security with TCP Wrappers
Benefits of mandatory access control (MAC) with SELinux
DISCOVER: CONCEPTS
Bastion Servers in DMZ
Linux Firewall on a Bastion Host
Perimeter firewall allows access to Ports 80, 443, 22, and 21.
Bastion host firewall allows access only to Ports 80, 443, and 22.
Port 80: Hypertext Transfer Protocol (HTTP)
Port 21: File Transfer Protocol (FTP); Port 21 access is denied here.
Modes of SELinux
Disabled
Permissive
Enforcing
SELinux Administration Tool
Common SELinux Commands
chcon: For changing the security context of a file or files
id -Z: To show the current user context
ls -Z: To show the context of a file or files
Refer to Table 7-2 on pages 203–204 of the textbook for other SELinux commands.
SELinux Troubleshooter
An AppArmor Configuration Tool
DISCOVER: PROCESS
Designing a Firewall
Step 1: Turn on the firewall.
Step 2: List the current rules using the iptables -L command.
Step 3: Are rules that should be cleared in place? If yes, flush the current rules using the iptables -F command; if no, go on to Step 4.
Step 4: Write firewall rules for the INPUT, OUTPUT, and FORWARD chains.
Step 5: Save the new rules using the iptables-save command.
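The ruleset this procedure produces for the bastion host of slide 6, as an added Python example that is not part of the slides: it renders the INPUT chain in the iptables-save format kept in /etc/sysconfig/iptables and evaluates sample packets with iptables' first-match-then-default-policy semantics. The Rule class, render_ruleset and verdict are this example's own names.

```python
# Added example (not from the slides): the bastion-host INPUT chain from
# slide 6 rendered in /etc/sysconfig/iptables (iptables-save) format, plus a
# first-match evaluator that shows why port 21 is dropped. Field names are ours.
from dataclasses import dataclass
from typing import Optional

POLICY = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}  # chain defaults

@dataclass(frozen=True)
class Rule:
    target: str                   # -j ACCEPT / DROP
    iface: Optional[str] = None   # -i <iface>
    proto: Optional[str] = None   # -p <proto>
    dport: Optional[int] = None   # --dport <port>
    state: Optional[str] = None   # -m state --state <list>

    def render(self) -> str:
        parts = ["-A INPUT"]
        if self.iface: parts.append(f"-i {self.iface}")
        if self.proto: parts.append(f"-p {self.proto}")
        if self.dport is not None: parts.append(f"--dport {self.dport}")
        if self.state: parts.append(f"-m state --state {self.state}")
        return " ".join(parts + [f"-j {self.target}"])

    def matches(self, pkt: dict) -> bool:
        return ((self.iface is None or pkt["iface"] == self.iface)
                and (self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or pkt["dport"] == self.dport)
                and (self.state is None or pkt["state"] in self.state.split(",")))

# Loopback and reply traffic first, then the three exposed services (slide 6).
# FTP (21) gets no rule, so it falls through to the DROP policy.
BASTION_INPUT = [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", state="ESTABLISHED,RELATED"),
] + [Rule("ACCEPT", proto="tcp", dport=p, state="NEW") for p in (22, 80, 443)]

def render_ruleset(rules=BASTION_INPUT) -> str:
    # The text iptables-restore loads (and iptables-save writes).
    lines = ["*filter"] + [f":{c} {p} [0:0]" for c, p in POLICY.items()]
    return "\n".join(lines + [r.render() for r in rules] + ["COMMIT"]) + "\n"

def verdict(pkt: dict, rules=BASTION_INPUT) -> str:
    # iptables semantics: the first matching rule's target wins; otherwise
    # the chain's default policy applies.
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return POLICY["INPUT"]
```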
Creating TCP Wrapper Rules
The TCP Wrapper rules on the next two slides are created to allow Secure Shell (SSH) access from hosts in the fictitious is418.com domain. These rules also log each granted access with a message and date while denying access to all other users.
Creating TCP Wrapper Rules (Continued)
Step 1: Open the /etc/hosts.allow file using a text editor.
Step 2: Type the following rule to allow and log access from the is418.com domain (the first field is the daemon's process name, sshd, matching the hosts.deny rule in Step 5):
sshd : .is418.com : spawn /bin/echo `/bin/date` ssh access granted >> /var/log/sshd.log
Step 3: Save and exit.
Creating TCP Wrapper Rules (Continued)
Step 4: Open the /etc/hosts.deny file using a text editor.
Step 5: Type the following rule to deny everyone else:
sshd : ALL
Step 6: Save and exit.
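How TCP Wrappers decides on a connection under the two files written in Steps 1 to 6, as an added Python example that is not part of the slides: it re-implements the hosts_access(5) order (a hosts.allow match grants, then a hosts.deny match denies, otherwise access is granted) and the client patterns used here. The rule text, host names and addresses are constructed, and the functions are this example's own.

```python
# Added example (not from the slides): a minimal re-implementation of the
# hosts_access(5) decision applied to the rules above. The allow file is
# consulted first, then the deny file; no match in either grants access.
from typing import List, Optional, Tuple

HOSTS_ALLOW = "sshd : .is418.com : spawn /bin/echo `/bin/date` ssh access granted >> /var/log/sshd.log\n"
HOSTS_DENY = "sshd : ALL\n"

Rule = Tuple[List[str], List[str], Optional[str]]   # (daemons, clients, option)

def parse(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments / blanks
        if line:
            fields = [f.strip() for f in line.split(":", 2)]
            option = fields[2] if len(fields) == 3 else None
            rules.append((fields[0].split(), fields[1].split(), option))
    return rules

def client_matches(pattern: str, host: str, addr: str) -> bool:
    # Client patterns from hosts_access(5): ALL, ".domain" suffix,
    # "net." prefix, or an exact host name / address.
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return host.endswith(pattern)
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return pattern in (host, addr)

def first_match(rules: List[Rule], daemon: str, host: str, addr: str) -> Optional[str]:
    # The daemon field must equal the server's process name (sshd, not ssh).
    for daemons, clients, option in rules:
        if ("ALL" in daemons or daemon in daemons) and \
                any(client_matches(c, host, addr) for c in clients):
            return option or ""                        # "" = matched, no option
    return None

def hosts_access(daemon: str, host: str, addr: str,
                 allow: str = HOSTS_ALLOW, deny: str = HOSTS_DENY) -> Tuple[bool, Optional[str]]:
    """Return (granted, shell option to spawn) for one connection attempt."""
    option = first_match(parse(allow), daemon, host, addr)
    if option is not None:
        return True, option or None
    if first_match(parse(deny), daemon, host, addr) is not None:
        return False, None
    return True, None                                  # neither file matched
```

Passing a hosts.allow line that names `ssh` instead of `sshd` shows the mismatch case: the allow file never matches and the `sshd : ALL` deny rule turns away the is418.com hosts as well.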
DISCOVER: ROLES
Firewalls
iptables
Add, remove, and edit rules in a packet filter ruleset
List and flush the rules in a packet filter ruleset
List counters of packets matched by rules
Netfilter
Provides the iptables packet filter in the kernel
Performs stateless and stateful packet filtering
Provides network address translation
Firewall Rules from /etc/sysconfig/iptables
GUI Security Level Configuration Tool
Console-based Security Level Configuration Tool
GNOME Uncomplicated Firewall (Gufw) Tool
TCP Wrappers
Allow or deny access to an application based on an Internet Protocol (IP) address or hostname
Allow or deny access to an application based on time
DISCOVER: CONTEXTS
Layered Security for FTP Access
Firewall: Protects against unauthorized traffic. Example: allows access to FTP from local traffic only.
TCP Wrapper: Performs specific actions based on a network service running under the xinetd super server. Example: sends an e-mail to the administrator when access is granted during non-business hours.
SELinux: Protects the network service from unauthorized access based on the subject, such as users, applications, or files. Example: denies access to home directories to logged-in users.
DISCOVER: RATIONALE
Importance of Firewalls
Can be enabled on bastion hosts in addition to existing network firewalls
Provide a layer of security at the network layer to restrict unauthorized traffic
Can protect bastion hosts from malicious local network traffic
Importance of TCP Wrappers
Adds a layer of security in addition to firewalls
Can allow and restrict access to an application based on domain name and time of the day
Can spawn processes such as e-mail and logging
Summary
SELinux and its commands
Firewall and TCP Wrappers and their importance
Process of designing a firewall by using iptables and creating TCP Wrapper rules
Layered security for FTP access