Unix Network Security
CIT-ACDS
Mehmet Balman

Introduction

A machine connected to phone lines or to a local network is a potential target for intruders, so the security aspect of every system must always be kept in mind. As the Internet grows rapidly, network services gain importance in terms of operational and business requirements, which makes security one of the key factors for the quality and availability of the running service. The basic idea behind a secure environment is to decrease the probability of being compromised and to analyze the risk of vulnerabilities.

This paper presents a brief survey of the security concept in host and network environments according to the philosophy behind Unix. Instead of working through the details, we discuss the general concepts and the guidelines for implementing a basic structure, and we present one implementation as an example in practice. The first chapter explains basic concepts of information security as motivation and introduction. The next chapter is about the properties of Unix systems. The third chapter provides an architectural view of the overall concepts and introduces the idea behind Unix network security. The fourth chapter walks through Unix security concepts. The last chapter is a specific example: hardening a Solaris system.

Security Essentials

Security is a very general term in the computer science environment. Since electronic communication and electronic data are essential to all aspects of business and personal processes, leaked information can cause serious damage in many situations. However, securing information brings difficult tasks and policies which are hard to apply and which will most probably affect the service given. Thus, the security concept must be investigated within a policy plan which first analyzes risks and then reorganizes the structure and implementation to improve quality and decrease the probability of unexpected conditions.
Moreover, the security service cannot be abandoned in today's environment, in which the Internet is growing and the network is becoming the basic resource of the information industry.

"Broadly speaking, security is keeping anyone from doing things you do not want them to do to, with, or from your computers or any peripherals." - William R. Cheswick
Information security deals with three major concepts: confidentiality, integrity and availability.

Information Security Classification:
- Confidentiality: prevention of unauthorized disclosure of information.
- Integrity: prevention of unauthorized modification of information.
- Availability: prevention of unauthorized withholding of information or resources.

Confidentiality is keeping your data or communication secret from others; only authorized persons should be able to access the information. Integrity is being sure that information has not been changed while being processed or communicated. Availability is making resources obtainable to authorized clients. Confidentiality, availability and integrity are the basic terms and point to technically different types of problems; they should be analyzed separately for each service and system in order to provide a composite security mechanism. Confidentiality is the problem of someone obtaining data that must remain confidential; if that data is changed or manipulated, it is an integrity problem. For a secure network or a secure system, security services should be applied and the possible cases must be investigated in terms of confidentiality, availability and integrity.

Security services can be defined as the methodologies and processes needed to enhance a system in terms of confidentiality, availability and integrity.

"A service that enhances the security of the data processing systems and the information transfers of an organization. The service counters security attacks and makes use of one or more security mechanisms to provide the service." - William Stallings

Security Service Classification:
- Confidentiality: restricts information access to authorized parties.
- Authentication: identification of the user, service, system, etc.
- Integrity: restricts alterations to authorized parties.
- Nonrepudiation: "yes, you did send it" or "yes, you did read it".
- Access Control: restricts access to resources to authorized parties.
- Availability: keeping the system up when needed by authorized parties.
Security services are implemented against the possible attacks, which are interruption, interception, modification and fabrication. Each attack class should be prevented with a counter service implementation.

Security Attack Classification:
- Interruption: attack on availability
- Interception: attack on confidentiality
- Modification: attack on integrity
- Fabrication: attack on authentication

Unix Operating System

The Unix operating system is an environment which is widely used in different vendor products. It is an approved OS in terms of performance, utilization and also security. In the Internet environment Unix machines are the most widely used; Unix has started to become the standard operating system and is dominant over other systems. Some derivatives are Red Hat Linux, SuSE Linux, SUN Solaris, IBM AIX, Mac OS X, Debian Linux, FreeBSD, OpenBSD, etc. The system has a modular structure in which resources such as memory, CPU and I/O are treated in different layers. This makes Unix more flexible for the increasing necessities of information technology.

OS layers:
- User programs
- Input/output management
- Operator-process communication
- Memory management
- CPU scheduling
- Hardware

The Unix operating system is designed according to security concepts to provide a better quality of service. It is a multithreaded, time-sharing environment which is very portable for development and enhancements. Some properties of basic Unix environments are the following:
- Designed to be a time-sharing system.
- Has a simple standard user interface (shell) that can be replaced.
- File system with multilevel tree-structured directories.
- Files are supported by the kernel as unstructured sequences of bytes.
- Supports multiple processes.
- High priority given to making the system interactive and to providing facilities for program development.

Most security attacks start from forgotten, simple administrative or implementation defects. The main intuition while administering a Unix system is to start from a strong high-level design and not to skip any case. Most security attacks succeed because of simple defects that seem insignificant, even where strong security services exist.

Architectural Overview

The Unix network security model is based on Internet connectivity and the firewall model. The layers of firewalls also determine the layers of vulnerability. In order to understand the concept and start with a healthy and working strategy, an architectural overview of a Unix network system in terms of security is introduced here. The general notions that apply to all network systems are risk, vulnerability and threat. The analysis of these should be done completely, according to the necessities of the network and system.

Risk

Risk is the possibility of a successful attack. An intruder may gain access to your local network and work on your system to read confidential data, manipulate or destroy information, or deny your running services.
- Read access: read or copy information from your network.
- Write access: write to or destroy data on your network (including planting trojan horses, viruses and back doors).
- Denial of service: deny normal use of your network resources by consuming all of your bandwidth, CPU or memory.

Vulnerability

Vulnerability is the degree of your security and protection. A security attack may originate from inside your network or from outside of it. Most attacks originate from inside the company; intruders will also try to hide their traces by breaking into the local network from outside.
Threat

A threat is an intruder who attempts to gain unauthorized access. The value of your data and the training of your trusted users affect your vulnerability to threats. Motivation and trust are the two common factors. Motivation is the usability of your data, or how useful it is to someone if your network is destroyed. The trust factor depends on how well you can trust your users; moreover, the understanding and training of trusted users about feasible and approvable actions influences vulnerability. Therefore, while preparing a security implementation, both the motivation of intruders and the effect of trusted users must be kept in mind.

The Unix network security architecture can be organized in seven layers:

Security Layers:
  Layer    Name             Functional Description
  LAYER 7  POLICY           POLICY DEFINITION AND DIRECTIVES
  LAYER 6  PERSONNEL        PEOPLE WHO USE EQUIPMENT AND DATA
  LAYER 5  LAN              COMPUTER EQUIPMENT AND DATA ASSETS
  LAYER 4  INTERNAL-DEMARK  CONCENTRATOR - INTERNAL CONNECT
  LAYER 3  GATEWAY          FUNCTIONS FOR OSI 7, 6, 5, 4
  LAYER 2  PACKET-FILTER    FUNCTIONS FOR OSI 3, 2, 1
  LAYER 1  EXTERNAL-DEMARK  PUBLIC ACCESS - EXTERNAL CONNECT

Policy

Policy ranges from the high-level definition of acceptable risk down to the low-level directives of what equipment and procedures to implement at the lower layers, and how. It is the most important part of the concept: without a complete and effective policy, security services cannot be accomplished. After analyzing risk, vulnerability and threat, the policy, which is usually a living and regularly updated document, is produced according to the service requirements of the organization. It is not a detailed implementation plan; a well-defined policy only captures the overall structure, which is then used in the lower layers.

Personnel

Personnel are trained and informed about the policy and strategy. People in the organization should accept the security program and behave with knowledge of the possible risks and threats. This layer includes the whole organization, not only the administrator, so it must be applied carefully. Informing and training is not completed adequately in most companies, yet it is the second layer and has high importance.
LAN

The LAN security layer defines the equipment, data assets and some of the monitoring and control procedures. It is the local network, maintained automatically by electronic equipment.

Internal Demark

This is the connection between the local LAN and the firewall, providing a buffer zone between LAN and WAN. It is the second level of protection in the local area after the external firewall. A DMZ is an example of this layer.

Gateway

The gateway provides a transparent firewall service to all WAN services. It monitors and controls OSI network layer functions and is basically transparent to users and applications. Firewall services, proxies and NAT belong to this layer. The properties of packets are examined and controlled according to the security policy.

Filter

This is the connection between the firewall and the WAN, separating the LAN from WAN connectivity. Basic firewall filtering for the network protocols is applied here.

External Demark

The lowest layer is the connection to an external device that we do not control directly, such as a telephone circuit or an external data line.

[Figure: the seven layers stacked from POLICY and PERSONNEL down through LAN, GATEWAY, PACKET FILTER and EXTERNAL-DEMARK, with Ethernet (E-net) links between the inner layers and an X.25 link at the external demarcation.]
Unix Security Basics

The security policy is the foundation stone of such security programs. It is the living documentation about events and guidelines. Since all other implementation depends on this upper layer, preparing a policy document and keeping the security plan updated is the most crucial point. The policy should not cover all the lower-layer details; a simple and general plan is preferable for better quality.

Security Policy:
- living documentation indicating events and guiding actions
- higher-level view of the authorized response

A Unix network security plan can be categorized into five concepts. The first one is preventing security holes, or closing possible services, based on the vulnerability and risk analysis. The other aspects are detecting, testing, logging and recovering, which are the actions in case of an attack event.

Categories:
- Locking Down: prevent intruders from being able to get into your systems.
- Logging: clues as to what is going on in your system.
- Detecting: automatically alert you about changes in the system.
- Testing: check the external security of the machines.
- Recovering: recover a compromised system in place.

Preventing intruders from getting into the system includes securing the network, turning off unnecessary services, securing the running services, providing secure access, and securing the Unix network services and filesystem. The overall network structure should be designed according to the risk of the system. Firewall definitions and secure network zones must be provided for critical systems. Moreover, a network separated from the others where threats are possible is always suitable for monitoring and administrative tasks.

Secure network:
- separation of private and public networks
- filtering and controlling protocols between networks

Unnecessary services increase the possibility of vulnerabilities. Thus, configuring Internet services, restricting remote access and managing all running services must be accomplished for all systems.
Turn off unnecessary services:
- inittab
- inetd
- rc.*

Applications in the system must be secure; they must also be configured within the overall security and network architecture. Securing the communication, applying password policies and checking for vulnerability updates are some tasks for the checklist.

Secure running services:
- Add cryptographic capabilities to the services that need them (i.e. SSL for web servers, encryption for databases).
- Use the latest versions (especially for larger services like sendmail, bind or apache).
- Change any default passwords used to manage services (databases, etc.).
- Make sure services run with the least authority (a non-root user).

Communication must be encrypted for confidentiality and integrity. Managing Internet services and restricting and controlling remote access is required. There must also be a password policy that pushes users to apply the policy and the programs.

Secure access:
- SSH (OpenSSH)
- tcpwrapper (/etc/hosts.allow, /etc/hosts.deny)
- use shadow passwords
- user password management, policy for passwords
- limit superuser access
- limit physical access

Network services specific to Unix systems, such as NIS and NFS, may lead to security holes; they need special attention.

Secure Unix network:
- verify NFS access
- verify NIS maps are only root writable
- restrict r-commands (rsh, rexec, etc.)

The Unix filesystem is flexible for many operations, but it must be configured appropriately so as not to leave open defects in the filesystem that may lead to system vulnerabilities.
Secure UNIX filesystem:
- verify all programs and shell scripts with SUID and SGID
- verify appropriate filesystem permissions
- verify system backups and restore procedures

Logging

System logs provide invaluable information about the services and the overall system. Centralizing log management also enhances the security of the system. Some issues about logging, related to processing and managing log files:
- syslogd
- tcpwrappers
- increase the log level, log to a separate filesystem
- inetd registered services to allow, deny and log each connection
- smtp, httpd, ftp logs
- automated analysis of logs
- automated log rotation
- process accounting

Moreover, critical systems use software packages to log incoming TCP packets, detect port scans and act according to the behavior of possible intruders.

Software tools:
- PortSentry: detects port scans and updates /etc/hosts.deny
- Perro: logs incoming IP/TCP, IP/UDP and IP/ICMP packets

Detecting

Automatic alerting on changes in the system enables the administrative staff to control and protect the system. An attacker is able to replace all the system commands and to hide processes and connections, so that the administrator is unable to see that the system is broken. There are rootkit detection toolkits for this kind of manipulation. The preferred option is to checksum all critical applications and packages and watch for changes in the files, in order to learn about any kind of compromise with rootkits.

- rootshell: detects rootkits
- rootkit tools: replacement programs for all standard utilities
- ifstatus: checks NICs for promiscuous mode
- lsof: lists open files of running processes
- tcpdump: network packet analysis
- Tripwire: detects file replacement
- lpchk, rpm: detect changes in installed packages

Testing

The resistance of your system must be tested before any intruder succeeds in getting into it. The security concept is gaining importance, and new, intelligent testing and checking applications are arriving on the market. Some known programs are listed here for testing the basic problems that may be forgotten by mistake.
- secure-sun-check: checks for common SunOS security configuration problems
- SecureScan: checks for IRIX security problems
- pmap_tools: a tool suite to check for portmap, rpc and rpcbind vulnerabilities
- nmap: multi-level security scanner
- ISS: multi-level security scanner
- Fremont: a network discovery tool

Case Study: Hardening Solaris

SUN Solaris is a well-known operating system with a wide range of service implementations in industry. First of all, the installation of a new machine must be done with care for the security constraints. Installing the minimal software is always better, since most of the development and desktop tools have defects. Since every package is a potential threat, installing only the required packages and discarding unnecessary applications is the advised strategy. The partition structure is defined during installation, and it is important to have a separate /var partition where the log files reside. In order to eliminate a denial of service attack in which too many log messages fill up the partition, the root partition in particular should not be designed to contain any growing log files. After the installation, the recommended patches should be applied immediately: if a machine is connected to the network and has a basic, announced vulnerability, it can easily be attacked by intruders.
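The "verify all programs and shell scripts with SUID and SGID" item of the filesystem checklist, the "checksum all critical applications and watch for changes" advice of the Detecting section, and the case study's "check suid root binaries" step, combined into one script as an added example that is not from the paper or from any tool it names (Tripwire does the same job far more thoroughly). It assumes POSIX sh, find, awk and cksum, and builds its own throwaway directory tree so it runs without root; on a real host the baseline would be taken over /usr/bin, /sbin and similar right after installation and kept off the machine, since an intruder who can replace binaries can also rewrite a baseline stored locally.

```shell
#!/bin/sh
# Added example: checksum baseline for critical files plus a SUID/SGID audit.
# Assumes POSIX sh, find, awk and cksum; all paths below are constructed in a
# temporary directory, so nothing here touches the real system.

# Record every regular file under $1 into $2 as "<crc> <path>", sorted so the
# baseline is reproducible. (cksum is the POSIX checksum; a cryptographic
# digest such as sha256sum is preferable where available.)
make_baseline() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "$(cksum "$f" | awk '{print $1}')" "$f"
    done > "$2"
}

# Compare the tree under $1 with the baseline file $2 and print one line per
# deviation: CHANGED (content differs), NEW (not in baseline), MISSING
# (in baseline but gone). Prints nothing when the tree is clean.
check_baseline() {
    cur=$(mktemp)
    make_baseline "$1" "$cur"
    awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
         {
             if (!($2 in base))          print "NEW     " $2
             else if (base[$2] != $1)    print "CHANGED " $2
             delete base[$2]
         }
         END { for (f in base) print "MISSING " f }' "$2" "$cur"
    rm -f "$cur"
}

# List every regular file under $1 with the set-uid or set-gid bit set.
find_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | LC_ALL=C sort
}

# Demonstration on a constructed tree (stand-in for /usr/bin, /etc, ...).
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/bin" "$t/etc"
    printf 'echo login\n' > "$t/bin/login"; chmod 4755 "$t/bin/login"  # legitimate SUID
    printf 'root:x:0:0\n'  > "$t/etc/passwd"
    make_baseline "$t" "$t.base"      # taken right after installation
    find_setid   "$t" > "$t.setid"    # approved set-id list

    # Simulate a compromise: a utility is replaced and a hidden set-id file appears.
    printf 'echo trojan\n' > "$t/bin/login"
    printf 'planted\n' > "$t/bin/.sh"; chmod 4755 "$t/bin/.sh"

    echo "== integrity check =="; check_baseline "$t" "$t.base"
    echo "== set-id files not on the approved list =="
    find_setid "$t" | diff "$t.setid" - | sed -n 's/^> //p'
    rm -rf "$t" "$t.base" "$t.setid"
}

demo
```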
Installation:
- Load the minimum installation. The less software that resides on the box, the fewer potential exploits or holes (Core installation).
- Separate /var partition (denial of service if it fills up; logging).
- Install the recommended security patches.

After the installation, unnecessary services should be closed and the init level must be reconfigured to activate only the required programs. NFS, autofs, the print service, sendmail, snmp and dtlogin are applications which must be used carefully so as not to invite an attack disaster.

Eliminating Services:
- /etc/inetd.conf (eliminate unnecessary services)
- /etc/rc2.d: S71rpc, S73nfs.client, S74autofs, S80lp, S88sendmail, S99dtlogin
- /etc/rc3.d: S15nfs.server, S76snmpdx

The system log mechanism should be initiated. It is advised to keep log files in as much detail as possible. Log messages are indispensable because they are usually the only way of gathering information about a suspicious case. An intruder may change or delete log messages; thus a centralized log mechanism enhances the security model of the system. There are useful tools for collecting logs and generating alert messages, such as syslog-ng (syslog next generation), swatch, rtail, php-syslog-ng and logcheck.

Logging:
- /var/adm/loginlog
- /var/adm/sulog
- /etc/ftpusers

The network is the most crucial resource for the security of the computers. The inet daemon must be configured to filter connections and to log authenticated and unauthenticated access. TCP wrapper is a tool capable of managing network connections. Another security hole is the remote login commands (r-commands), which are used to access and run commands on a remote computer. Configuration of this service must be accomplished and should not be skipped. It is usually a good idea to create the superuser's .rhosts and .netrc files as empty with zero permissions, so that no one will be able to change them or gain administrator access through the r-commands.
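The "automated analysis of logs" item of the Logging section and the /var/adm/sulog entry above, as an added example that is not part of the paper: two small awk filters that pick password guessing against root and unexpected root escalations out of the su log. It assumes the Solaris sulog line format "SU MM/DD HH:MM +|- tty fromuser-touser" (a "+" marks a successful su, a "-" a failed one), POSIX sh and awk; the log lines are constructed, and the user names and the allow list are placeholders.

```shell
#!/bin/sh
# Added example: automated analysis of the Solaris su log (/var/adm/sulog).
# Each sulog line has the form "SU MM/DD HH:MM +|- tty fromuser-touser",
# where "+" is a successful and "-" a failed su. Assumes POSIX sh and awk.

# Constructed sample lines standing in for /var/adm/sulog (not a real capture).
SULOG_SAMPLE='SU 03/14 09:12 + pts/2 balman-root
SU 03/14 09:15 - pts/2 guest-root
SU 03/14 09:15 - pts/2 guest-root
SU 03/14 09:16 - pts/2 guest-root
SU 03/14 11:40 + pts/5 guest-root
SU 03/14 12:02 + pts/3 balman-oracle
SU 03/15 02:13 - console www-root'

# Read sulog lines on stdin; print "user count" for every user whose failed
# su attempts to target $1 (default root) reach threshold $2 (default 3).
# Repeated failures against root are the classic sign of password guessing.
failed_su_to() {
    awk -v tgt="${1:-root}" -v thr="${2:-3}" '
        $1 == "SU" && $4 == "-" {
            # "fromuser-touser"; user names are assumed not to contain "-"
            if (split($6, u, "-") == 2 && u[2] == tgt) fails[u[1]]++
        }
        END { for (f in fails) if (fails[f] >= thr) print f, fails[f] }' |
    LC_ALL=C sort
}

# Read sulog lines on stdin; print "date time tty user" for each successful
# su to root by a user not in the space-separated allow list $1.
unexpected_root_su() {
    awk -v allowed=" $1 " '
        $1 == "SU" && $4 == "+" {
            if (split($6, u, "-") == 2 && u[2] == "root" &&
                index(allowed, " " u[1] " ") == 0)
                print $2, $3, $5, u[1]
        }'
}

# Demonstration on the constructed sample; on a real host pipe the log in
# instead:  failed_su_to root 3 < /var/adm/sulog
echo "== users with 3 or more failed su attempts to root =="
printf '%s\n' "$SULOG_SAMPLE" | failed_su_to root 3
echo "== successful su to root by users outside the allow list (balman) =="
printf '%s\n' "$SULOG_SAMPLE" | unexpected_root_su "balman"
```

Because an intruder who reaches root can edit sulog, the same filters are worth running on the copy a central syslog host receives rather than only on the machine itself.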
/etc/hosts.allow and /etc/hosts.deny define the access list for the overall system. /etc/hosts.equiv is the configuration of the r-commands for all users except the superuser.

Connection:
- TCP wrapper; configure inetd.conf for the services
- logs: /var/adm/tcpdlog
- /etc/hosts.deny, /etc/hosts.allow
- SSH connection
- configure access for the r-commands: .rhosts, .netrc and /etc/hosts.equiv

Solaris has a flexible network stack; the IP module should be configured according to the characteristics of the service that will run. Another important point is buffer overflow attacks: the system administrator should be aware of such vulnerabilities and fix the programs detected as potentially affected. Binaries which have the suid bit run with the rights of the superuser; thus, search for and check all such programs to be sure there are no open gates for access. Solaris also has a security toolkit, JASS, which can be used to enhance the quality of the security mechanism.

- Configure the IP module (ndd)
- Configure /etc/system for the user stack (buffer overflow)
- Check suid root binaries
- Utilize the Solaris Security Toolkit (JASS)

References

S. Garfinkel, A. Schwartz, G. Spafford. Practical Unix and Internet Security. O'Reilly, Feb
Grampp, F. T., and R. H. Morris. "UNIX Operating System Security," AT&T Bell Laboratories Technical Journal, October
Bellovin, Steve and Bill Cheswick. Firewalls and Internet Security. Addison-Wesley, 1994.
R. Reinhardt. An Architectural Overview of UNIX Network Security, ARINC Research Corporation, 1993.
L. Spitzner. Armoring Solaris: Preparing Solaris for a Firewall, spitzner.net, 2001.