Nixu SNS Security White Paper May 2007 Version 1.2



Nixu Software Limited, Nixu Group

Contents

1 Security Design Principles ........ 3
  1.1 Defense in Depth ........ 4
  1.2 Principle of Least Privilege ........ 4
  1.3 Principle of Default Deny ........ 4
2 Application Security ........ 5
  2.1 Software Components ........ 5
  2.2 Authentication ........ 5
  2.3 Authorization and Access Controls ........ 5
  2.4 Audit Trail ........ 6
  2.5 Running Root-privileged Shell Commands ........ 6
3 O/S Security ........ 7
  3.1 O/S Hardening ........ 7
  3.2 Firewall ........ 7
  3.3 IPS ........ 7
  3.4 Patch Management ........ 7

1 Security Design Principles

This chapter describes some general security design principles used in Nixu SNS. Nixu SNS is built on the CentOS 4.4 operating system and has been specifically hardened for DNS use. CentOS is a freely distributable operating system built from the Red Hat Enterprise Linux sources, available at ftp://ftp.redhat.com/pub/redhat/linux/enterprise/4/en/os/i386/srpms.

The system architecture of Nixu Secure Name Server (SNS) is depicted in Figure 1 below. Nixu SNS includes a web-based user interface implemented with the Apache web server and its PHP module. The environment has been hardened using the Bastille hardening tool and other security enhancements developed by Nixu Software. For intrusion detection (IDS) and prevention (IPS), PSAD is used. The general functionality of the firewall and the IPS system is depicted in Figure 2 below.

Figure 1: Nixu SNS Architecture

Figure 2: IPS Architecture

1.1 Defense in Depth

Nixu SNS has been designed applying the Principle of Defense in Depth. Defense in Depth is the concept of protecting a computer system with a series of defensive mechanisms such that if one mechanism fails, another is already in place to block the attack; it has been achieved when more than one subsystem has to be compromised before the security of the entire system is compromised. In the case of Nixu SNS, Defense in Depth involves the following:
- Encrypted connections
- In-host firewall
- IPS system
- ACLs for enabled services
- Services running with secure configurations
- The Web UI authenticates its users
- The Web UI writes logs of Web UI activity
- The O/S is hardened and backups are taken periodically (the backup policy is user-defined)
- If possible, a perimeter firewall for the network is used

1.2 Principle of Least Privilege

Nixu SNS has been designed applying the Principle of Least Privilege. According to this principle, every user, process and program should be able to see only the information and resources necessary to perform a given operation or task. The idea behind the principle is to grant the smallest set of privileges that still permits a legitimate action, thereby protecting data and functionality from faults and malicious behaviour. In the case of Nixu SNS, the Principle of Least Privilege involves the following:
- Services are not running as root
- There are multiple user account levels for Web UI and shell access
- User accounts have only the permissions needed for the actions they must perform
- sudo is used when privilege escalation is required

1.3 Principle of Default Deny

Nixu SNS has been designed applying the Principle of Default Deny. When this principle is implemented, anything that is not explicitly allowed is denied, regardless of whether the function concerns access, privileges, some security-related attribute or another similar function. In the case of Nixu SNS, the Principle of Default Deny involves the following:
- The firewall blocks all but explicitly allowed connections
- Shell access for users needs to be explicitly permitted
- All but the necessary services are disabled
- All but the necessary packages are removed

2 Application Security

2.1 Software Components

(In the Nixu SNS 1.2-1 ISO package)

CentOS Linux 4.4 i386
- RPMs have been stripped to the bare minimum.
- Updates to CentOS 4.4 are downloaded automatically when available.

Apache Web Server 2.0.52-28
- Includes security fixes to 2.0.52: CAN-2004-0885, CAN-2004-0942 and CVE-2006-3918.
- Apache runs as user apache by default.

PHP module (php 4.3.9-3.22.4 currently)
- Includes security fixes to 4.3.9: CAN-2004-0958 and other fixes.

BIND 9.2.4-24
- Secure and stable release of ISC BIND.

Bastille 3.0.9-1.0 and PSAD 2.0.6
- These components form the basis of the IDS/IPS system. Both are the latest releases and have no known security issues.

Nixu SNS 1.2-1 (proprietary code by Nixu Software used to integrate the software components and in the management utilities) is included in the software package. Both the software architecture and the entire Nixu SNS software package have been audited and tested by independent third parties; updates will be released and delivered, if and when necessary, by Nixu Software.

2.2 Authentication

An attempt to access any script in the Web UI causes the system to authenticate the user. If the user is not authenticated or authentication cannot be performed, the user is redirected to the login page, which prompts for a username and password. To defend against brute-force attacks, the logging system monitors for brute-force attempts and slows the attacker down (this applies to the CLI only). Shell users are authenticated using the Unix password or any other supported authentication module. By default, only the root user exists: additional users should be created by the administrator as needed, and the root user should then be disabled.

2.3 Authorization and Access Controls

User account types are limited to two (admin and normal user) to keep access control simple and easy to maintain. Admin users have access to all functions in the system, whereas normal users do not have access to the System area (including User Management). The user account level is set on the user editing page with a drop-down menu.
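The following Python is added here as an illustration and is not Nixu SNS code. It encodes the password-quality parameters recommended in the table in this section together with the retry delay and lockout rules from the same table; the function names, the stand-in dictionary and the sample inputs are this example's own assumptions.

```python
"""Password-quality and login-throttling checks modelled on section 2.3.

Added example for this white paper; it is not Nixu SNS code. The rules are
the ones in the parameter table; the function names, the word list and the
inputs are this example's own assumptions (the dictionary is a stand-in for
a real word list such as cracklib's).
"""
import re

MIN_LENGTH = 8
MAX_IDENTICAL_RUN = 2         # "aa" is allowed, "aaa" is not
MAX_COMMON_WITH_PREVIOUS = 3  # longest run of characters shared with the previous password
HISTORY_SIZE = 8              # previous passwords that may not be reused
LOCKOUT_RETRIES = 5
BASE_DELAY_SECONDS = 5

# Constructed stand-in for a dictionary file.
DICTIONARY = {"password", "summer", "welcome", "nameserver", "letmein"}


def longest_common_substring(a, b):
    """Length of the longest substring that occurs in both a and b."""
    best = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def check_password(candidate, username, history=()):
    """Return the list of violated rules; an empty list means the password is acceptable.

    history holds previous passwords, most recent first. They are plaintext here
    only for the demonstration; a real system keeps hashes, so the "shares
    characters with the previous password" rule can only be applied at change
    time, when the old password is still available.
    """
    history = list(history)
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[A-Za-z]", candidate) or not re.search(r"[^A-Za-z]", candidate):
        problems.append("needs at least one alphabetic and one non-alphabetic character")
    if re.search(r"(.)\1{%d,}" % MAX_IDENTICAL_RUN, candidate):
        problems.append("more than %d identical consecutive characters" % MAX_IDENTICAL_RUN)
    if username and username.lower() in candidate.lower():
        problems.append("contains the user name")
    if candidate.lower() in DICTIONARY:
        problems.append("dictionary word")
    if history and longest_common_substring(candidate.lower(), history[0].lower()) > MAX_COMMON_WITH_PREVIOUS:
        problems.append("shares more than %d consecutive characters with the previous password"
                        % MAX_COMMON_WITH_PREVIOUS)
    if candidate in history[:HISTORY_SIZE]:
        problems.append("one of the last %d passwords" % HISTORY_SIZE)
    return problems


class LoginThrottle:
    """Per-account failed-login bookkeeping: the delay doubles per failure, lockout at LOCKOUT_RETRIES."""

    def __init__(self):
        self.failures = {}

    def record_failure(self, user):
        """Return (locked_out, seconds_to_wait_before_the_next_attempt)."""
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        return n >= LOCKOUT_RETRIES, BASE_DELAY_SECONDS * 2 ** (n - 1)

    def record_success(self, user):
        self.failures.pop(user, None)


if __name__ == "__main__":
    print(check_password("Tr0ub4dor!", "alice"))       # []
    print(check_password("aliceee1", "alice"))          # two violations
    throttle = LoginThrottle()
    for _ in range(LOCKOUT_RETRIES):
        print(throttle.record_failure("alice"))         # ends with (True, 80)
```

The throttle counts failures per account, which is what the table's "retries before account lockout" describes; it slows a distributed guessing attack on one account but does nothing against one source trying many accounts, for which a per-source counter (the job of the IPS in chapter 3) is needed.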

The following table describes the quality parameters for a password (some apply only to CLI/Unix accounts).

Parameter                                                                      Recommended value
Minimum password length                                                        8 characters
Maximum password age                                                           180 days; 90 days for privileged accounts
Force password change on expiry                                                Yes
Force password quality                                                         Yes
Contain at least one alphabetic and one non-alphabetic character               Yes
Maximum consecutive characters taken from any position in the previous password  3
Maximum identical consecutive characters                                       2
Contain user ID or user name as part of the password                           No
Passwords found in a dictionary not allowed                                    Yes
Force password change at first logon                                           Yes
Minimum time between password changes                                          24 h
Retries before account lockout                                                 5
Minimum delay between retries                                                  5 s, increasing exponentially with each failed attempt
Number of previous passwords remembered and prevented from being reused        8

2.4 Audit Trail

If Nixu SNS is compromised by a security breach, the IDS system has an audit trail giving further information about the occurrence. Preferably, the audit trails should be stored remotely where they can only be appended to, as this keeps intruders from covering their tracks. Nixu SNS writes its IDS logs to syslog with a dedicated user facility and with different severity levels (e.g. warning, notice, error). This log is separate from the system log (/var/log/messages) and can and should be kept in a separate place.

2.5 Running Root-privileged Shell Commands

The Nixu SNS Web UI executes PHP scripts, which in turn execute root-privileged scripts that each perform exactly one task and are not capable of doing anything else. Privilege escalation for running these scripts is handled with sudo. Each script (or directory of scripts) is explicitly listed in /etc/sudoers, and Apache is not capable of running anything else as root. The input validation risk has been eliminated by not passing arguments to the scripts at all. Where arguments are required, escapeshellcmd and escapeshellarg are used.
The remote user namesurf, used to control Nixu SNS from Nixu NameSurfer, has an even more constrained execution policy defined in its sudo commands.
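An added sudoers fragment (hypothetical paths, user names and command aliases; not the product's actual /etc/sudoers) showing how the arrangement above is expressed. The trailing empty string after each command makes sudo reject the command if any argument at all is supplied, which is what enforces the no-arguments rule, and the namesurf account gets its own, narrower alias:

```sudoers
# /etc/sudoers fragment (added example; the paths and aliases are hypothetical)
Defaults:apache     env_reset
Defaults:namesurf   env_reset

# Each script does exactly one thing; "" forbids any argument.
Cmnd_Alias SNS_WEB  = /usr/local/sns/sbin/reload-bind.sh "", \
                      /usr/local/sns/sbin/apply-firewall.sh ""
Cmnd_Alias SNS_SYNC = /usr/local/sns/sbin/sync-zones.sh ""

apache    ALL = (root) NOPASSWD: SNS_WEB
namesurf  ALL = (root) NOPASSWD: SNS_SYNC
```

As root, `sudo -l -U apache` lists exactly what the web server account may run, which is the check to repeat after every package update. Where an argument genuinely must cross the sudo boundary, note the difference between the two PHP helpers the paper names: escapeshellarg quotes one argument as a single unit, whereas escapeshellcmd only escapes metacharacters in a whole command line and still lets a caller append extra arguments, so each argument should be wrapped with escapeshellarg and the sudoers entry should name the permitted argument pattern explicitly.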

3 O/S Security

3.1 O/S Hardening

The CentOS 4.4 operating system environment is hardened using Bastille. Bastille is a system hardening/lockdown program that raises the security level of a UNIX host. Bastille configures daemons, system settings and firewalls to make them more secure. It switches off unnecessary services such as pwgrd and printing services, and configures client software such as rcp and rlogin for enhanced security.

3.2 Firewall

The in-host firewall allows only the necessary ports from the Internet:
- TCP 80 (redirected automatically to 443)
- TCP 443
- TCP and UDP 53
- TCP 22

Outbound traffic is currently not restricted. Using the system tools, administrators can configure the in-host firewall within the boundaries set by Bastille. By disabling Bastille, administrators can configure iptables without limitations.

3.3 IPS

Nixu SNS uses PSAD as an IPS system to monitor attacks and to create temporary rules. PSAD is a collection of three daemons that analyze firewall logs to detect port scans and other suspicious traffic. Figure 2 on page 3 of this White Paper depicts the general IPS functionality in Nixu SNS. PSAD is lightweight and rather simple to configure.

3.4 Patch Management

Nixu SNS uses RPM packaging both for the O/S and on the application side. Nixu SNS can be configured to download all updates automatically and to install the downloaded updates either semi-automatically or automatically. Yum is used for updates. CentOS updates are downloaded from repositories; CentOS uses automatic GeoIP-based repository management, where the client IP is checked and the 10 closest repository addresses are returned. Further information about this functionality can be found at: http://www.centos.org/modules/news/article.php?storyid=118

For updates to Nixu SNS, a separate repository is used. This repository is contacted via a separate authentication module operating as a proxy for Yum.
Nixu Software tests all software updates against the previous versions prior to their release to end users. This process is in place to make sure that customers are offered a safe update path whenever they trigger the update process.
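As an added example (neither PSAD's code nor Nixu SNS code), the following Python puts together the two pieces that sections 3.2 and 3.3 describe: the default-deny inbound iptables policy with a logging rule for dropped packets, and a detector that reads those kernel LOG lines, flags a source that touches several closed ports within a short window, and produces the temporary DROP rule. The log lines are constructed, and the thresholds, the block lifetime and the log prefix are assumptions.

```python
"""Port-scan detection over in-host firewall logs, in the spirit of PSAD (sections 3.2 and 3.3).

Added example for this white paper; this is neither PSAD's code nor Nixu SNS
code. The log lines are constructed, the thresholds are assumptions, and the
iptables commands reproduce only the inbound port policy stated in section 3.2.
"""
import re
from collections import defaultdict

ALLOWED_INBOUND = [("tcp", 22), ("tcp", 53), ("udp", 53), ("tcp", 80), ("tcp", 443)]
SCAN_PORT_THRESHOLD = 5   # distinct blocked destination ports from one source ...
WINDOW_SECONDS = 60       # ... within this many seconds counts as a scan (assumed)
BLOCK_SECONDS = 3600      # lifetime of the temporary block rule (assumed)

TIMESTAMP_RE = re.compile(r"^\w{3} +\d+ (\d\d):(\d\d):(\d\d) ")
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def inhost_firewall_rules(log_prefix="SNS-DROP: "):
    """iptables commands implementing the default-deny inbound policy of section 3.2."""
    rules = [
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -P OUTPUT ACCEPT",   # outbound traffic is not restricted, as the paper states
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for proto, port in ALLOWED_INBOUND:
        rules.append("iptables -A INPUT -p %s --dport %d -j ACCEPT" % (proto, port))
    # Everything else is logged (rate-limited) before the DROP policy discards it;
    # these LOG lines are what the detector below consumes.
    rules.append('iptables -A INPUT -m limit --limit 10/min -j LOG --log-prefix "%s"' % log_prefix)
    return rules


def parse_log_line(line):
    """Return (seconds_since_midnight, src, proto, dport) for a kernel LOG line, else None."""
    m = TIMESTAMP_RE.match(line)
    if m is None or "kernel:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if not {"SRC", "PROTO", "DPT"}.issubset(fields):
        return None
    h, mi, s = (int(g) for g in m.groups())
    return h * 3600 + mi * 60 + s, fields["SRC"], fields["PROTO"].lower(), int(fields["DPT"])


def detect_scans(lines):
    """Map each scanning source to the sorted set of ports it probed within one window."""
    hits = defaultdict(list)                      # src -> [(t, dport), ...]
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is not None:
            t, src, _proto, dport = parsed
            hits[src].append((t, dport))
    scanners = {}
    for src, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):     # window starting at each event in turn
            ports = {p for t, p in events[i:] if t - t0 <= WINDOW_SECONDS}
            if len(ports) >= SCAN_PORT_THRESHOLD:
                scanners[src] = sorted(ports)
                break
    return scanners


def block_rule(src):
    """Temporary block inserted ahead of the ACCEPT rules; the caller removes it after BLOCK_SECONDS."""
    return "iptables -I INPUT 1 -s %s -j DROP" % src


# Constructed sample: one host sweeping six closed ports in seven seconds, one host
# retrying a single closed port, and an unrelated sshd line that must be ignored.
SAMPLE_LOG = [
    "May 12 10:01:02 sns kernel: SNS-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=43210 DPT=23 SYN",
    "May 12 10:01:03 sns kernel: SNS-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=43211 DPT=25 SYN",
    "May 12 10:01:04 sns kernel: SNS-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=43212 DPT=110 SYN",
    "May 12 10:01:06 sns kernel: SNS-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=43213 DPT=135 SYN",
    "May 12 10:01:07 sns kernel: SNS-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=43214 DPT=139 SYN",
    "May 12 10:01:09 sns kernel: SNS-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=43215 DPT=445 SYN",
    "May 12 10:02:00 sns kernel: SNS-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=51000 DPT=8080 SYN",
    "May 12 10:02:30 sns kernel: SNS-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=51001 DPT=8080 SYN",
    "May 12 10:03:00 sns sshd[1234]: Accepted publickey for admin from 198.51.100.9 port 50022 ssh2",
]

if __name__ == "__main__":
    for src, ports in detect_scans(SAMPLE_LOG).items():
        print(src, ports, "->", block_rule(src))   # 203.0.113.5 [23, 25, 110, 135, 139, 445] -> iptables -I INPUT 1 -s 203.0.113.5 -j DROP
```

The rules are returned as strings rather than executed so the policy can be reviewed before it is applied. Two practical points: the LOG rule is rate-limited, so a fast scan is under-counted in the log, which is why the port threshold is kept low; and the block rule is inserted at position 1 so that it takes effect before the ACCEPT rules. The automatic redirect of port 80 to 443 mentioned in section 3.2 is done by Apache, not by the firewall, so port 80 stays open in the rule set.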

Figure 3: YUM Updates in Nixu SNS