Internal Security Concepts Users Guide

Transcription

1 orrelog Internal Security Concepts Users Guide This guide provides overview information on the internal security concepts of the CorreLog Server needed to provide secure operation and data safety. This information summarizes other data found within the CorreLog document set, and furnishes a single starting point for establishing internal security. CorreLog Server, in addition to managing the security of an enterprise, is intended to be a highly secure platform for storing and accessing security information. As outlined in this document, the server hardware should be maintained as physically secure, and various configuration items can be applied to enhance the security through simple procedures, including upgrades to the basic server system, enhancements to the Apache server configuration, as well as internal configuration items that limit user access to data only when needed. This guide applies to all versions of the program, and will be of interest to administrators and operators, as well as security analysts. Physically Securing the CorreLog Server The CorreLog server should be physically secure and hardened to prevent unauthorized access. If an unauthorized individual obtains access to the CorreLog server, it is possible to modify system executables and configuration files that may compromise security. To physically secure the CorreLog Server: 1. Avoid using Active Directory logins to CorreLog Server. If possible, the CorreLog Server node should use local logins only. If this is a not practical, then only specific group or individuals should be permitted access. This may entail creation of a special "Security" organizational unit.

2 2. Provide secure and tight permissions to the CorreLog directory. CorreLog does not encrypt the data on the disk (although Windows can perform this operation for the user.), Only administrative and background processes should be able to read the CorreLog Server log data and configuration data. 3. If possible, place the CorreLog Server in a location, which is difficult to physically access, such as in a network operations center. This prevents unauthorized reboots or shutdowns of the system. 4. Limit other application programs that can run on the CorreLog Server, including remote desktop. 5. Enable the Enhanced Firewall Settings of the Server. Using Co-Apache-TLS Encrypted HTTP The CorreLog Apache-TLS software is added into any CorreLog Server installation via the following package: Documentation for this option is incorporated within the package, and is also available at the following URL: The CorreLog HTTP server that comes with the standard product is a fairly hardened version of the Apache 1.3 server. However, this version of Apache does not include HTTPS support. Additionally, the 1.3 version of the Apache Server had several vulnerabilities that make it poorly suited for a general and non-embedded application. (For an embedded application like CorreLog, these vulnerabilities are not significant, but will appear in a vulnerability scan of the server, which may be hard to explain.) The CorreLog Apache-TLS system may be installed on the system in order to provide a much more hardened version of the server, and include HTTPS / TLS encryption. This optional package also includes encryption for agent programs, available by clicking down into the "Remote Agent Config" and then uploading an encryption key to the agent. CorreLog Internal Security Guide, Page - 2

3 HTTP Login Authentication And Security CorreLog uses standard HTTP Authentication as front-door security, which provides a well established and verifiable security method. This security is preconfigured, and operates rather simply, using a special "htaccess.txt" file, as follows: 1. The "htaccess.txt" file resides in the "CorreLog/s-cgi/htaccess.txt" location of the system, and forces the browser to log into the system when any attempt is made to access this file, or any file within the current directory of the file. 2. The "htaccess.txt" file checks the login of the user against the password file of the system, residing in the "CorreLog/apache/passwords.dat" file. This file is encrypted, and maintained by the CorreLog "System > Logins" screen. 3. In addition to the "htaccess.txt" file in the "s-cgi" directory, there are additional files in other directories, such as "s-cgi/gadgets/htaccess.txt", and "s-html/reports/htaccess.txt" 4. The user can disable authentication by renaming or removing the "htaccess.txt" file from any directory. The user should never remove or tamper with the "s-cgi/htaccess.txt" file, since this is file provides the central protection for all CorreLog screens. This authentication method is slightly confusing to those that don't understand the principles behind it. The user must supply a valid username and password each and every time any page protected by the "htaccess.txt" file is accessed. To make it easy for the user, the browser remembers the URL and supplies this username and password automatically to the HTTP server (after initial login.) Therefore, the user will remain logged into the system until the browser is closed. Note that there is no way to log out of an HTTP Authentication session, because the user is actually logged out each time the page is requested. The resubmission of the username and password occurs by the browser the next time the URL is accessed. Limiting Web Access By IP Address The Apache Server provides a rich assortment of directives, many of which are related to security. The CO-Apache-TLS program is specifically tailored by default to make the program highly secure, with no changes needed to the configuration. Detailed information on these directives (which are configured in the "CorreLog/apache-tls/conf/httpd.conf" file, or within an "htaccess.txt" file) can be found from a variety of locations, including the "Apache.Org" website. CorreLog Internal Security Guide, Page - 3

4 In particular, the Apache Server provides multiple techniques for limiting the range of IP Addresses that can access the server. This may be useful to prevent unauthorized users from accessing the web interface. For example, to limit the Apache TLS Server to just those devices on the " " network, or the localhost, the administrator can apply edits to the "CorreLog/s-cgi/htaccess.txt: file and insert the following directives at the bottom of the file. This limits the access to the "/s-cgi" URL to just the specified devices: Order allow,deny Allow from Allow from After performing the above modification, any attempt to access the server from an address other than those specified with the "Allow" directive will cause a "Page Not Found" message to be displayed. The administrator can configure a wide variety of "Allow" directives, as well as allow from all and deny only specific addresses. Any errors encountered by the HTTP server (due to mistyping or other reasons) are logged in the "CorreLog/apache-tls/logs/error.log" file. Logging Access to the CorreLog Apache Server By default, the Apache Server maintains its error log in the "apachetls/logs/error.log" file. The user can optionally log all access to the web server to the "apache-tls/logs/access.log" (useful for tracking access to the server) by modifying the "apache-tls/conf/httpd.conf" file to add the following directives. These directives may be added after the "ErrorLog" directives within the httpd.conf file. # Access log specification, Added to httpd.conf file CustomLog logs/access.log common LogFormat "%h %l %u %t \"%r\" %>s %b" common LogFormat "%{Referer}i -> %U" referer LogFormat "%{User-agent}i" agent After making the above modification, the user should stop and restart the "CorreLog Apache TLS" Service. (The CO-Apache-TLS process reads its CorreLog Internal Security Guide, Page - 4

5 configuration file only on startup.) Subsequently, all access to the web server will be logged to the new "apache-tls/logs/access.log" file. Note that the transfer log can become quite large over the course of time, and is not truncated by the system. Therefore, adding this directive can eventually require a large amount of disk space. Finally, both the transfer log and access log can be monitored by the CorreLog Agent Log Monitor to create threads, alerts, and pivot reports on user access. This may or may not be a requirement for internal security. Using Enhanced Login Security CorreLog provides a special function for enhanced login security. This value should be set on the "System > Logins" screen to "Enabled" in order to provide extra features such as auto-logout, password expiration, user lockout, etc. Detailed notes about the "Enhanced Login Security Configuration" screen, including all fields and settings, can be found in the CorreLog "Screen Reference Manual", downloadable from the "Home" screen in CorreLog. (See Section 9 of that manual, selectable from the PDF Bookmarks pane.) Creating Custom Logins CorreLog provides special functions for creating custom user profiles, and limiting the user's access to specific screens and settings. These can be created rather simply from the web interface on a one-by-one basic, or can be created programmatically by professional services (based upon the requirements of the enterprise.) Typically, Custom Logins provide data to one or two threads on the system (pinned in the user's profile) and a single dashboard (set to the user's preferences.) This limits access to particular devices and dashboard, which will be adequate for most applications. To programmatically create these items, the following procedure can be used: 1. The administrator creates a thread or two for each user on the system that will access CorreLog. (Note that this can be a shared login for a particular group of users.) 2. The administrator creates a dashboard for each user on the system that will access CorreLog. The dashboard can show a device group (Top- Devices-Gadget) and several graphs of message rates (Graph-Thread- Rate-Gadget) as well as any alerts of interest or special items. CorreLog Internal Security Guide, Page - 5

6 3. The administrator creates a "Custom Login" for each user, selecting the "Dashboard" and "Correlation > Threads" screens. 4. The administrator logs in as the custom user, selects the user's dashboard via the "System > Preferences" screen, and pins the thread of interest in the user's profile. 5. The administrator logs out as the custom user, logs back in as administrator, and "Locks" the user profile via the "System > Logins" screen. If the administrator has only a few users to consider, then the above process can be performed manually. Otherwise, the above steps can be automated by programmatically generating files in the "CorreLog/config/$prefs" directory for each user. Notes about "Advanced Permissions" screen (a.k.a. the Custom Login facility) can be found in the CorreLog "Screen Reference Manual", downloadable from the "Home" screen in CorreLog. (See Section 9 of that manual, selectable from the PDF Bookmarks pane.) Maintaining Tamper Proof Files CorreLog automatically makes a "digest" file with a one-way encryption algorithm, placing this file in the "archive\digest" folder of the system for each archive file. These special digest files can be used to detect file tampering, and provide "chain-of-evidence" associated with archive files, to verify that these files have not been modified. If archive files are copied to a new location, the associated digest file should accompany the archive file. The digest file can later be used to verify the integrity of the archive using the standard CorreLog "ChkSC.exe" program, residing in the "system" directory. This verifies (based upon the encrypted checksum) that a file has not been tampered with. More information on the "ChkSC.exe program can be found by launching the program from the "system" directory at a command prompt. (Brief help is provided if no arguments are specified to the program.) Also, see the CorreLog User Reference for more information on this program and its role in maintaining chain-of-evidence. CorreLog Internal Security Guide, Page - 6

7 For Additional Help Detailed specifications regarding the CorreLog Server, add-on components, and resources is available from our corporate website. Test software may be downloaded for immediate evaluation. Additionally, CorreLog is pleased to support proof-of-concepts, and provide technology proposals and demonstrations on request. CorreLog, Inc., a privately held corporation, has produced software and framework components used successfully by hundreds of government and private operations worldwide. We deliver security information and event management (SIEM) software, combined with deep correlation functions, and advanced security solutions. CorreLog markets its solutions directly and through partners. We are committed to advancing and redefining the state-of-art of system management, using open and standards-based protocols and methods. Visit our website today for more information. CorreLog, Inc. mailto:support@correlog.com CorreLog Internal Security Guide, Page - 7