1 Nixu SNS Security White Paper May 2007 Version 1.2 Nixu Software Limited Nixu Group
2 Contents 1 Security Design Principles... 3 1.1 Defense in Depth... 4 1.2 Principle of Least Privilege... 4 1.3 Principle of Default Deny... 4 2 Application Security... 5 2.1 Software Components... 5 2.2 Authentication... 5 2.3 Authorization and Access Controls...5 2.4 Audit Trail... 6 2.5 Running Root-privileged Shell Commands... 6 3 O/S Security... 7 3.1 O/S Hardening... 7 3.2 Firewall... 7 3.3 IPS... 7 3.4 Patch Management... 7
3 1 Security Design Principles This chapter describes some general security design principles used in Nixu SNS. Nixu SNS has been built on CentOS 4.4 operating system and has been specifically hardened for DNS use. CentOS is a freely distributable operating system built from the RedHat Enterprise Linux source available at: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/4/en/os/i386/srpms. The system architecture of Nixu Secure Name Server (SNS) is depicted in Figure 1 below. Nixu SNS includes a web-based user-interface implemented using web server (Apache) and PHP module. The environment has been hardened using Bastille hardening tool and other security enhancements developed by Nixu Software. For intrusion detection (IDS) and prevention (IPS), PSAD has been used. The general functionality of the firewall and the IPS system is depicted in Figure 2 below. Figure 1 Nixu SNS Architecture Figure 2: IPS Architecture
4 1.1 Defense in Depth Nixu SNS has been designed applying the Principle of Defense in Depth. Defense in Depth has been applied when more than one subsystem has to be compromised to compromise the security of the entire system. Defense in Depth is the concept of protecting a computer network with a series of defensive mechanisms such that if one mechanism fails, another will already be in place to block an attack. In the case of Nixu SNS, the Principle of Defense in Depth involves the following: Encrypted connections In-host firewall IPS system ACLs for enabled services Services are running with secure configurations Web-UI authenticates the users Web UI writes logs of WebUI activity O/S is hardened and backups are taken periodically (Backup policy user-defined) If possible, Perimeter firewall for the network is used 1.2 Principle of Least Privilege Nixu SNS has been designed applying the Principle of Least Privilege. According to the Principle of Least Privilege, every user, process and program should be able to see only such information and resources that are necessary for them to perform a given operation or task. The idea behind the principle is to grant as minimal privileges as possible to permit a legitimate action, thereby enhancing the protection of data and functionality from faults and malicious behaviour. In the case of Nixu SNS, the Principle of Least Privileged involves the following: Services are not running as root There are multiple level user accounts for Web-UI and shell access User accounts have necessary permissions only, to do only the necessary actions Use sudo when privilege escalation is required 1.3 Principle of Default Deny Nixu SNS has been designed applying the Principle of Default Deny. When the Principle of Default Deny has been implemented, anything that is not explicitly allowed is denied regardless of whether the function is related to access, privileges, some security-related attribute or other similar function. In the case of Nixu SNS, the Principle of Default Deny involves the following: Firewall blocks all but explicitly allowed connections Shell access for users needs to be explicitly permitted All but necessary services are disabled All but necessary packages are removed
5 2 Application Security 2.1 Software Components (In Nixu SNS 1.2-1 ISO package) CentOS Linux 4.4 i386: - RPMs have been stripped to the bare minimum. - Updates to CentOS 4.4 are downloaded automatically when available Apache Web Server 2.0.52-28 - Includes security fixes to 2.0.52 CAN-2004-0885, CVE CAN-2004-0942, CVE-2006-3918 - Apache runs as user apache by default Web server; PHP-module (php 4.3.9-3.22.4 currently) - Includes security fixes to 4.3.9 CAN-2004-0958 and other fixes BIND 9.2.4-24 - Secure and stable release of ISC BIND Bastille 3.0.9-1.0 and PSAD 2.0.6 - These components form the basis of the IDS/IPS system. Both are the latest releases and have no known security issues Nixu SNS 1.2-1 (proprietary code by Nixu Software used to integrate software components and in the management utilities) is included in the software package. Both the software architecture and the entire Nixu SNS software package has been audited and tested by independent third-parties; updates will be released and delivered, if and when necessary, by Nixu Software. 2.2 Authentication An attempt to access any script in the WebUI causes system to authenticate the user. If the user is not authenticated or authentication cannot be performed, the user is redirected to login page. Login prompts user for username and password. To defend against brute force attack, the logging system monitors for brute force attempts and slows the attacker down (applies to CLI only). Shell users are authenticated using Unix Password or any other supported authentication module. By default, only Root user exists: additional users should be created by the administrator as needed and Root user should be disabled. 2.3 Authorization and Access Controls User account types are limited to 2 (admin & normal user) to keep access control simple and easy to maintain. Admin users have an access to all functions in the system, whereas normal users do not have an access to the System-area (including User Management). User account level is defined in user editing page as a drop-down menu.
6 The following table describes the quality parameters for a password (some apply only to CLI/Unix accounts) Recommended value Minimum password length 8 characters Maximum password age 180 days, privileged accounts 90 days Force password change on expiry Yes Force password quality Yes Contain at least one alphabetic and one nonalphabetic Yes character Maximum consecutive identical character from any position in the previous 3 password Maximum identical consecutive characters 2 Contain UserID or user name as part of the password No Passwords found in dictionary not allowed Yes Force password change at first logon Yes Minimum time between password changes 24 h Retries before account lockout 5 Minimum delay between retries 5 s, must increase exponentially with each failed attempt Number of previous passwords remembered and 8 prevented to be reused 2.4 Audit Trail In case Nixu SNS is compromised by a security breach, the IDS system has an audit trail showing further information about the occurrence. Preferably, the audit trails should be stored remotely where they can only be appended to, as this approach keeps intruders from covering their tracks. Nixu SNS writes its IDS logs into syslog with special userfacility with different severity levels (e.g. warning, notice, error). This log is separated from the system logs (/var/log/messages) can and should be kept in a separate place. 2.5 Running Root-privileged Shell Commands Nixu SNS s WebUI executes php scripts that execute root privileged scripts performing only one thing, and are not capable of doing anything else. The privilege escalation for running the privileged scripts is handled using sudo. Each script (or directory of scripts) is explicitly mentioned in /etc/sudoers, and Apache is not capable of running anything else as root. The risk of input validation has been eliminated by eliminating the use of arguments in the scripts. If arguments are required, escapeshellcmd and escapeshellarg are used. Remote user namesurf used to control Nixu SNS from Nixu NameSurfer has even more constrained execution policy defined in sudo-commands.
7 3 O/S Security 3.1 O/S Hardening 3.2 Firewall The CentOS 4.4 operating system environment is hardened using Bastille. Bastille is a system hardening/lockdown program enhancing the security level of a UNIX host. Bastille configures daemons, system settings and firewalls to be make them more secure. It switches off unnecessary services such as pwgrd and printing services, and configures client software such as rcp and rlogin for enhanced security. In-host firewall allows only necessary ports from the Internet. TCP 80 (redirected automatically to 443) TCP 443 TCP & UDP 53 TCP 22 Outbound traffic has currently not been restricted. Using system tools, administrators can configure the in-host firewall within the boundaries set by Bastille. By disabling Bastille, administrators can configure iptables without limitations. 3.3 IPS Nixu SNS uses PSAD as an IPS system to monitor attacks and to create temporary rules. PSAD is a collection of three daemons that analyze firewall logs to detect port scans and other suspicious traffic. Figure 2 on page 3 of this White Paper depicts the general IPS functionality in Nixu SNS. PSAD is lightweight and rather simple to configure. 3.4 Patch Management Nixu SNS uses RPM packaging in both O/S and on the application side. Nixu SNS can be configured to download all updates automatically, and to install the downloaded updates either semi-automatically or automatically. Yum is used for updates. CentOS updates are downloaded from repositories; CentOS uses an automatic GeoIP based repository management where Client IP is checked and 10 closest repository addresses are returned. Further information about this functionality can be found from: http://www.centos.org/modules/news/article.php?storyid=118 For updates to Nixu SNS, a separate repository is used. This repository is contacted via separate authentication module operating as a proxy for Yum. Nixu Software tests all software updates over previous versions prior to their release to the end-users. This process has been put into place in order to make sure that customers are offered a safe update path whenever they trigger the update process.
8 Figure 3 YUM Updates in Nixu SNS