10/23/12. Fundamentals of Linux Platform Security. Linux Platform Security. Roadmap. Security Training Course. Module 9 Application Security




Fundamentals of Linux Platform Security
Security Training Course
Dr. Charles J. Antonelli, The University of Michigan, 2012

Linux Platform Security
Module 9: Application Security

Roadmap
- ssh
- SSL
- IPsec & VPNs

ssh

What is ssh?
- Secure shell
- Secure interactive connections to remote hosts over an insecure network
- Secure data transfers

Security Requirements
1. Authentication (who are you?)
2. Authorization (what are you allowed to do?)
3. Confidentiality (nobody else can see the data without 1 & 2)
4. Integrity (nobody else can change it)
5. Availability (you can see the data whenever you want to)

Security Requirements
- rtools et alia are naïve nowadays
- rsh, rcp, rexec, rlogin, rsync: weak client authentication, no server authentication, no confidentiality or integrity
- telnet, ftp: cleartext client authentication, no server authentication, no confidentiality or integrity

ssh features
- Remote access like telnet and rlogin
- Remote transfers like rcp (scp) and ftp (sftp)
- Transparent connection tunnelling:
  - POP, IMAP, SMTP
  - X connections (-X), VNC, Remote Desktop
  - LDAP clients
  - CVS (CVS_RSH), rsync (RSYNC_RSH)
- SSHFS: securely mount remote directory

But, passwords
- You (have to) type them all the time
- Single sign-on remains elusive
- Conflict between usability & security
- Too many passwords
- Varying strength rules
- Varying length and character class limits
- Varying aging policies

Public-key authentication

Public-key quick tour
- Instead of one key (think password) there are two:
  - Public key: published widely
  - Private key: kept secure
- Something encrypted by one key can only be decrypted by the other
- To encrypt a message: encrypt with receiver's public key, receiver decrypts with their private key
- To sign a message: encrypt with your private key, receiver decrypts with your public key

Public-key and ssh
- Generate your key-pair once.
- Install public key on remote host once.
- Server authenticates client:
  - Server picks a number n, encrypts with my public key, sends it
  - My client decrypts n with my private key
  - My client re-encrypts n+1 with my private key, sends it
  - Server decrypts with my public key
  - You're authenticated if server recovers n+1
- No passwords required!

lab: public-key ssh

    ssh-keygen -t rsa -b 2048

- never use RSA-1 (uses SSH1, which we said was broken)
- You will be asked for a passphrase, which is used to encrypt your private key for secure storage on your computer. Think of this passphrase as a PIN securing your private key.
- Don't leave passphrase blank unless you want anyone to be able to read it

    cd ~/.ssh/
    cat id_rsa.pub
    ls -ltra

lab: public-key ssh
- Copy your public key to your .ssh directory on the remote host

    ssh user@remotehost mkdir .ssh
    scp id_rsa.pub user@remotehost:.ssh/

  You'll be prompted for your password
- Connect to the remote machine

    ssh user@remotehost

  You'll be prompted for your private key passphrase

But, passphrases
- But I'm still typing my passphrase!
  - Yes, but your password isn't going to the server
  - So a malicious server can't steal it
- But I'm still typing my passphrase!
  - Enter the ssh-agent
  - Handles your private key(s)
    - Which can be on a smartcard: ssh -I
  - Unlocks private key once, keep in memory
    - So trading some security for convenience
  - Supplies your private key through intervening machines
    - So trading more security for convenience

lab: ssh-agent and ssh-add

    ssh-agent $SHELL

- alternatively: eval `ssh-agent`
- this second form is easy to add to login scripts

    ps ax | grep ssh-agent
    ssh-add id_rsa

- enter your passphrase

    ssh remotehost

- You shouldn't be asked for a passphrase
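The copy step in the public-key lab above places id_rsa.pub in the remote .ssh directory; by default sshd reads accepted keys from an authorized_keys file in that directory, and with StrictModes enabled it refuses the file when it or the directory is writable by other users. The function below is an added example, not part of the original slides: it appends a public key to authorized_keys exactly once and sets the permissions. The function name `install_pubkey` and its arguments are chosen here for illustration.

```shell
#!/bin/sh
# Added example: install a public key where sshd looks for it by default.
# install_pubkey PUBKEY_FILE SSH_DIR
#   PUBKEY_FILE  a one-line OpenSSH public key (e.g. id_rsa.pub)
#   SSH_DIR      the account's .ssh directory (created if missing)
# Returns 0 on success, 1 on bad input or a failed file operation.
install_pubkey() {
    pub=$1
    dir=$2
    auth=$dir/authorized_keys

    # Accept only a single public-key line. This also rejects the
    # common mistake of passing the private key file (id_rsa).
    [ -f "$pub" ] || return 1
    [ "$(grep -c '' "$pub")" -eq 1 ] || return 1
    grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-[a-z0-9]+) [A-Za-z0-9+/=]+( .*)?$' \
        "$pub" || return 1

    # Directory readable by the owner only, key list writable by the
    # owner only.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Append only if this exact line is not already present, so running
    # the lab twice does not duplicate the entry.
    key=$(cat "$pub")
    if ! grep -qxF -- "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
    return 0
}
```

Run on the remote account after the scp step, for example `install_pubkey ~/.ssh/id_rsa.pub ~/.ssh`.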

ssh as plumbing
- ssh & CVS?

    export CVS_RSH=ssh

- ssh & rsync?

    export RSYNC_RSH=ssh

- ssh & tar? (this copies over contents of /bin, and doesn't overwrite /bin on the remote host)

    ssh remotehost "cd /; tar cf - bin/" | tar xvf -

- fire & forget

    eval `ssh-agent` ; ssh-add ; startx

ssh as plumbing
- ssh & Kerberos?
- Add to client's .ssh/config:

    Host remotehost.fqdn
        GSSAPIAuthentication yes
        GSSAPIDelegateCredentials yes
        GSSAPITrustDNS yes

    kinit

  Obtain Kerberos creds

    ssh remotehost

  You'll be logged in with Kerberos credentials

Some final thoughts
- Should I keep upgrading? (yes!)
- EnableRootLogin?
- Disable passwords altogether?
- Protocol 2,1?
- Read the logfiles -- look for `attack', at least.
- I keep getting tons of brute-force login attempts!
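For the log-reading advice above, one way to triage brute-force login attempts, as an added example that is not part of the original slides: it counts failed sshd password attempts per source address and lists the addresses at or above a threshold. The log lines are constructed samples in the common OpenSSH syslog format with documentation addresses, and the function names are chosen here for illustration.

```shell
#!/bin/sh
# Added example: summarise failed ssh password logins per source address.

# failed_by_source LOGFILE
#   Prints "COUNT ADDRESS" per source, highest count first.
failed_by_source() {
    awk '
        # "... sshd[PID]: Failed password for [invalid user] NAME from ADDR port N ssh2"
        /sshd(\[[0-9]+\])?: Failed password for / {
            # The user name is chosen by the client and may itself contain
            # "from ADDR port N", so take the LAST "from ... port" pair.
            for (i = NF - 2; i >= 1; i--)
                if ($i == "from" && $(i + 2) == "port") {
                    count[$(i + 1)]++
                    break
                }
        }
        END { for (a in count) print count[a], a }
    ' "$1" | sort -k1,1nr -k2,2
}

# offenders LOGFILE THRESHOLD
#   Prints only the addresses with at least THRESHOLD failures.
offenders() {
    failed_by_source "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

# Constructed sample log lines (documentation address ranges).
sample_log() {
    cat <<'EOF'
Oct 23 09:14:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Oct 23 09:14:03 host sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Oct 23 09:14:05 host sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Oct 23 09:15:10 host sshd[2110]: Failed password for invalid user a from 192.0.2.9 port 1 from 198.51.100.4 port 51514 ssh2
Oct 23 09:16:00 host sshd[2120]: Accepted publickey for alice from 198.51.100.20 port 50022 ssh2
Oct 23 09:17:30 host sshd[2125]: Failed password for alice from 198.51.100.20 port 50031 ssh2
EOF
}
```

Typical use is `sample_log > /tmp/auth.log; offenders /tmp/auth.log 3`; on a real host, point it at the file your syslog writes sshd messages to.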

References
- HQ: snailbook.com
- man pages: ssh, sshd, ssh_config, sshd_config
- Harvey Allen, Security with SSH, Pre-SANOG VI Workshop, Thimphu Bhutan, 2005. http://ws.edu.isoc.org/workshops/2005/pre-sanog-vi/ha/security/sec-ssh.pdf
- Acoustic password guessing attacks (90% of 5-character passwords in less than 20 tries, 80% of 10-char < 75):
  http://www.freedom-to-tinker.com/?p=893
  http://www.cs.berkeley.edu/~tygar/papers/Keyboard_Acoustic_Emanations_Revisited/preprint.pdf
- CRC32 exploit:
  - CITI research: http://www.citi.umich.edu/u/provos/ssh/
  - Warning: http://www.ciac.org/ciac/techbull/ciactech02-001.shtml
  - Analysis: http://staff.washington.edu/dittrich/misc/ssh-analysis.txt

X.509
- An ITU (née CCITT) standard PKI
- Defines standard formats for
  - Public key certificates
    - Binds public key to X.500-flavor distinguished name or alternative (email address, ...)
  - Certification path algorithms
    - Certification chain anchored by trusted root certificates
- Hierarchical Certification Authorities (CAs)
- Coin of the browser realm because SSL uses X.509

TLS - Transport Layer Security
- Aka Secure Sockets Layer (SSL)
- Operates at transport layer
  - Applications don't have to change
- Creates secure channel between peers
- Authenticates server to client
  - Client validates server PK certificate
  - Supports optional mutual authentication
- Provides confidentiality and integrity

SSL
- Secure Socket Layer
  - HTTPS on TCP port 443
  - vendor-driven consortium
  - SSLv2/PCT/SSLv3/TLS
- Global PKI
  - Trusted Certificate Authorities
  - CA keys built into web browsers
  - x509

SSL
- Verify certificate chain
- Exchange symmetric keys
- Cookies can be marked secure-only
- Problems
  - Self-signed certificates
    - Costs a non-trivial amount of money to get a real SSL key
  - Trusting trust
    - CAs pay to include their CERTs in web browsers
  - Privacy backfires
    - You can't see the data either

IPsec & VPNs

Roadmap
- Definition
- Types of VPNs
- Details
- Pros and Cons

Definition
- A VPN is a link over a shared public network, typically the Internet, that simulates the behavior of dedicated WAN links over leased lines.
- A VPN uses strong encryption to secure your data as it travels over an insecure network.

Types of VPNs
- Application
  - ssh
- Protocol
  - IPSec
    - IETF standard
    - Supports all protocols
    - Flexible & complicated
  - SSL
    - Vendor consortium
    - HTTP protocol only
    - Rigid & simple(r)

IPSec
- IPSec protocol
  - Authentication Headers (AH)
  - Encapsulating Security Protocol (ESP)

IPSec Details
- AH (Protocol 51)
  - AH Transport
  - Used to authenticate the integrity of the datagram
  - Packet layout: IP Header (with options) | AH | Transport Layer Header | Transport Layer Data
  - All authenticated (except mutable fields, e.g., TTL)
- As the entire packet is authenticated, there are some limitations. If you are using NAT or a firewall where a gateway changes your address, the packet will fail to authenticate at the far end because the source IP has changed. This is not to say that you cannot use IPSec with a NAT gateway, just that the gateway will have to be considered the endpoint.

IPSec Details
- ESP (Protocol 50)
  - Encapsulation Security Payload
  - ESP will encrypt the payload so that it is private as it passes through the network
  - Packet layout: IP Header (with options) | ESP Header | Transport Layer Header | Transport Layer Data | ESP Trailer | ESP Authentication
  - Diagram labels: Encrypted, Authenticated
- Note that the ESP authentication does not authenticate the IP header, so ESP does not have a problem working behind NAT.

Pros/Cons
- IPSec
  - Full remote access
  - All applications supported
  - All protocols supported
- SSL
  - Access through firewall (443)
  - Clientless

[Figure: Logical Connection to VPN Concentrator. Labels: internal server, public network, Cisco 3030, remote access client (split tunnel), wireless user (non-split tunnel), UM backbone, Ethernet.]

lab: install VPN

Free encryption
- VPN
  - Cisco VPN client (ITCom): http://www.itcom.itd.umich.edu/vpn/
  - Built-in Mac OS X VPN client configuration files: http://www.engin.umich.edu/caen/network/wireless/docs/macosvpn/
- SSH, SFTP, SCP
  - SSH Secure Shell (U-M Blue Disc): https://www.itcs.umich.edu/bluedisc/
  - PuTTY: http://www.chiark.greenend.org.uk/~sgtatham/putty/

References
- Steve Friedl, An Illustrated Guide to IPsec, retrieved October 2009. http://unixwiz.net/techtips/iguide-ipsec.html
- S. Kent and K. Seo, Security Architecture for the Internet Protocol, RFC 4301, IETF, December 2005. http://www.ietf.org/rfc/rfc4301.txt