Scribd Logo
Carica

Benvenuto in Scribd!

  • Chapter 4-Network Security

    Caricato da

    Ram Anand
    3 visualizzazioni10 pagine
    Access Control Lists

    Copyright

    © © All Rights Reserved

    Formati disponibili

    DOC, PDF o leggi online da Scribd

    Hai trovato utile questo documento?

    Questo contenuto è inappropriato?

    Segnala questo documento
    Access Control Lists

    Copyright:

    © All Rights Reserved
    Scarica in formato DOC, PDF o leggi online su Scribd
    Segnala contenuti inappropriati
    3 visualizzazioni10 pagine

    Chapter 4-Network Security

    Caricato da

    Ram Anand
    Access Control Lists

    Copyright:

    © All Rights Reserved
    Scarica in formato DOC, PDF o leggi online su Scribd
    Segnala contenuti inappropriati
    di 10
    Chapter IV Host and Network Security Security planning and system audits ‘There are four basic elements in security’ ¥ Privacy or confidentiality: restriction of access. ¥ Authentication: verification of presumed identity. Integrity: protection against corruption or loss (redundancy, Y Trust: underlies every assumption. A system can be compromised by: ¥ Physical threats: weather, natural disaster, bombs, power failures ete. Y Human threats: cracking, stealing, trickery, bribery, spying, sabotage, accidents. Y- Software threats: viruses, Trojan horses, logic bombs, denial of service. Protecting against these issues requires both pro-active (preventative) measures and damage control after breaches. Our task is roughly as follows: Y" Identify what we are trying to protect. Evaluate the main sources of risk and where trust is placed. Work out possible or cost-effective counter-measures to attacks. A security plan will address some or all of the following issues: ¥ General computer access policies( who can access what ?) Y Preventative measures in effect (for example, the backup schedule, actions to be performed in conjunction with operating system installations and upgrades, and the like), Y What periodic (or continuous) system monitoring is performed and how it is implemented Y How often complete system security audits are performed and what items they encompass. Y Policies and strategies for actively handling and recovering from security breaches, Unix offers three basic ways of preventing security problem: YA variety of network security mechanisms designed to prevent unauthorized connections from being accepted ¥ Passwords are designed to prevent unauthorized users from obtaining any access. to the system. ¥ File permissions are designed to allow only designated users access to the various commands, files, programs, and system resources. Security standards and Levels (ISO 15408 standard) The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification, Common Criteria is a framework in which computer system users can specify their security functional and assurance requirements (SFRs and SARs respectively) through the use of Protection Profiles (PPs). Vendors can then implement and/or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims, ‘Common Criteria is used as the basis for a Government driven certification scheme Common Criteria evaluations are performed on computer security products and systems. + Target_Of Evaluation (TOE) — the product or system that is the subject of the evaluation. The evaluation serves to validate claims made about the target. To be of practical use, the evaluation must verify the target's security features, This is done through the following: + Protection Profile (PP) — a document, typically created by a user or user community, which identifies security requirements for a class of security devices (for example, smart cards used to provide digital signatures, or network firewalls) relevant t0 that user for a particular purpose. Product vendors can choose to implement products that comply with one or more PPs, and have their products evaluated against those PPs. In such a case, a PP may serve as a template for the product's ST (Security Target, as defined below) + Security Target (ST)~ the document that identifies the security properties of the target of evaluation. The ST may claim conformance with one or more PP: usually published, so that potential customers may determine the spe features that have been certified by the evaluation. + Security Functional Requirements (SFRs)~ specify individual security functions which may be provided by a product. The Common Criteria presents a standard catalogue of such functions. For example, a SFR may state how a user acting a particular role might be authenticated. The list of SFRs can vary from one evaluation to the next, even if two targets are the same type of product. * Security Assurance Requirements (SARs) — descriptions of the measures taken during development and evaluation of the product to assure compliance with the claimed security functionality. + Evaluation Assurance Level (EAL) ~ the numerical rating describing the depth and rigor of an evaluation. Each EAL corresponds to a package of security assurance requirements (SARs, see above) which covers the complete development of a product, with a given level of strictness. Common Criteria lists seven levels, with EAL | being the most basic (and therefore cheapest to implement and evaluate) and EAL 7 being the most stringent (and most expensive), Password Security Perhaps the most important issue for network security isthe consistent use of strong passwords. ¥ Unix-like operating systems which allow remote logins from the network are particularly vulnerable to password attacks. ¥_ Password security is the first line of defence against intruders, ¥ Many users have little or no idea about the importance of using a good password ¥ Consider some examples from a survey of passwords at a university. About 40 physicists had the password ‘Einstein’, around 10 had ‘Newton’ and several had ‘Kepler’, v Hundreds of users used their login-name as their password, some added *123° to the end of their login name. Passwords are not visible to ordinary users, but their encrypted form is often visible Modem operating systems have shadow password files or databases that are not readable by normal users. Y For instance, the Unix password file contains an *x’ instead of a password, and the encrypted password is kept in an unreadable file. Y This makes it much harder to scan the password file for weak passwords. v Tools for password cracking (e.g. Alec Muffet’s cr administrators find weak passwords before crackers do. Y Rules for strong password k program) can help > At least eight characters long > should not contain your user name, or your real name or company name > should not contain a complete name > should not be same as the previous passwords( if you are changing the password) > should contain at least one upper case letter, lower case letter, one numeric character, and one special character Access Conttol and monitoring: wrappers Y There are two types of ACLs (access control lists): > access ACLs > default ACLs. An access ACL is the access control list for a specific file or directory. A default ACL can only be associated with a directory. Ifa file within the directory does not have an access ACL, it uses the rules of the default ACL for the directory. Y Default ACLs are optional. ¥ ACLs can be configured: Per user Per group Via the effective rights mask For users not in the user group for the file (others) vvvv Setting Access ACLs Y The setfacl utility sets ACLs for files and modify the ACL of a file or directory: setfacl -m rules files irectories. Use the -m option to add or Rules (rules) must be specified in the following formats. Multiple rules can be specified in the same command if they are separated by commas. u:uid:perms Sets the access ACL for a user. The user name or UID may be specified. The user may be any valid user on the system. Sets the access ACL for a group. The group name or GID may be specified. The group may be any valid group on the system: m:perms Sets the effective rights mask, The mask is the union of all permissions of the owning group and all of the user and group entries. Sets the access ACL for users other than the ones in the group for the file. Y Permissions (perms) must be a combination of the characters r, w, and x for read, write, and execute. Y Ifa file or directory already has an ACL, and the setfael command is used, the additional rules are added to the existing ACL or the existing rule is modified. ¥ For example, to give read and write permissions to user andrius: setfacl -m u:andrius:rw /project/somefile To remove all the permissions for a user, group, or others, use the -x option and do not specify any permissions: setfael -x rules files For example, to remove all permissions from the user with UID 500: setfacl -x u:500 /project/somefile Setting default ACLs Y To set a default ACL, add d: before the rule and specify a directory instead of a file name. Y For example, to set the default ACL for the /share/ dit users not in the user group (an access ACL for an indi setfacl -m d:o:rx /share irectory to read and execute for ‘dual file can override it): Retrieving ACLs ¥ To determine the existing ACLs for a file or directory, use the getfael command. ¥ Inthe example below, the getfac! is used to determine the existing ACLs for a file. getfacl home/john/picture.png ¥_The above command returns the following output: # file: home/john/picture.png # owner: john ¥ Ifa directory with a default ACL is specified, the default ACL is also displayed os illustrated below. : ¥_ For example,getfacl home/sales/ will display similar output: i# file: home/sales/ {anand@localhost ~]$ su - Password: [root@locathost ~]# adduser ul {root@locathost ~]# touch f1 Iroot@locathost ~]# setfact -m u:ul:tw- fl [root@locatnost ~]¥ getfacl 12 # file: fi # owner: root # group: root users: fw user:ul: mw group: :r=- mask: :rw- other: [root@tocathost ~}# ‘To remove all permissions for a file,use -x option with setfacl, [root@locatnost ~]# setfact -x u:ul fl {root@locathost ~]# getfacl fl # file: fl # owner: root # group: root user::rw- [root@tocathost ~]# To set an ACL for a directory, [root@locathost ~]# mkdir d1 [root@locathost ~]# addgroup 91 -bash: addgroup: command not found [root@tocathost ~]# groupadd 91 [root@locathost ~]# setfact -R -m g: {root@locatnost ~]# getfact d1/ # tile: di # owner: root # group: root user: in group: ir-x group:gl:r-x mask: i6-x other: i¢-x iroot@locathost ~)# To remove all permissions for a directory, use -b option with setfacl, [root@locathost ~]# setfacl -b d1/ [root@locathost ~]# getfacl d1/ # file: dl # owner: root # group: root [root@locathost 1 18 To set default ACL for a directory , [root@locathost ~]# setfact -m a: [root@locathost ~]# getfact 41 tw \dL # file: di # owner: root # group: root user: :rwx default :user: :rwx defauit default :other: : rw- To remove all permissions for directory dl, [root@locathost ~]# setfacl -b di [root@locathost ~]# getfact di # file: dl # owner: root # group: root TCP Wrappers ¥ The TCP Wrappers package (tep_wrappers) is installed by default and provides host- based access control to network services. The most important component within the package is the /usr/lib/libwrap.a library When a connection attempt is made to a TCP-wrapped service, the service first references the host's access files (/ete/hosts.allow and /ete/hosts.deny) to determine whether or not the client is allowed to connect. ¥ In most cases, it then uses the syslog daemon (syslogd) to write the name of the requesting client and the requested service to /var/log/secure or /var/log/messages. Y Ifa client is allowed to connect, TCP Wrappers release contro} of the connection to the requested service and take no further part in the communication between the client and the server. Y Most network services within Fedora are linked to the libwrap.a library. Some such applications include /usr/sbin/sshd, and /usr/sbin/sendmail, Y To determine if a network service binary is linked to libwrap.a, type the following command as the root user: v v { dd | grep libwrap ¥ Replace with the name of the network service ¥ If the command returns straight to the prompt with no output, ‘then the network service is not linked to libwrap.a. Y The following example indicates that /usr/sbin/sshd is linked to libwrap.a. [root@lecathost -]# ldd /use/sbin/sshd | grep Libwrap Libwrap.sa.0 => /14b/Uibwrap-so.8 (0x0037d009) {root@locathost ~J# ldd /usr/spin/sendmail | grep Uibwrap Libwrap.s0.8 => /11b/Libwrap.s0.0 (0x097d7009) [root@tocathost ~}# Firewall A firewall is a nctwork security system that controls the incoming and outgoing network traffic based on applied rule set. Y A firewall establishes a barrier between a trusted, secure intemal network and another network (¢.g., the Internet) that is assumed not to be secure and trusted. Y Ink jora 17 firewall application can be accessed by typing “f" in search box under Click Close button on Firewall Configuration Startup window box. =a | lex Nenweck ention sia eel.” 2 al a ¥ To start the basic firewall configuration, click on the Wizard button near menu bar, to open Firewall Configuration Wizard window. aR wizard | Firewall Configuration Wizard: Preface - displays the information about the firewall configuration wizard. Click Forward button to continue. Geer eee eface oa | This wizard helps you to set up a clean firewall | configuration for your syste: Please answer the question: steps. The wizard leads you back to the main application and hides all unnecessary con"iguration options. Firewall Configuration Wizard: Basic Firewall Settings - Displays the network access settings. Choose "System with network access", and then click on Forward button to continue. Note: there is no need for you to configure any firewall if your system not connected to any network, E CoE) Basic Firewall ertings What kind of system do you [System with network access A “System without network access” does not need a frawall ae a otherwise, Firewall Configuration Wizard: Network Settings - choose "Up to one" or "More than one" from drop down box, then click on Forward button to continue. My suggestion, choose "Up to one” setting for personal computer. Firewall Configuration Wizard Network Settings ————— — Te how many networks do you connect at atime? [wisone Te] Select "More than one" if you are using different retwork connections at the same time. These connections may be to use different networks, to connect networks e.g. by masquerading or to use natwark attached storages (NAS). | This selection enables the network address translation |QWAT) configuration options. Otherwise, select "Up to one”. Firewall Configuration Wizard: User Skill Level - For firewall skills level you can choose from the drop down box "Beginner" or "Expert" base on your knowledge and skill level on firewall rules and networking configuration. ‘Then click on Forward button to continue. CSE User SKIN Level = Please specify your frewall skills Select “Expert if you are rarnitiar with firewall Configurations or if you need to add user customized rules. Otherwise, choose “Beginner, (e@svest | eaver_| [Beton] |S Firewall Configuration Wizard: Configuration - Delete the current Fedora Firewall configuration by unchecking Keep Configuration check box. Then click Ok button to proceed. Configuration Please select keep configuration or choose to load 2 default configuration | (Keen Configuration] Lond configuration iF you clear the keep configuration button, the actual firewall configuration will be overwritten. Y To save the basic firewall configuration setting click on the Apply button on menu bar. con nee Y Click on the Yes button to confirm that you want to save the firewall configuration file. Mutticast BMS (mons), 3353 /ude Y Note: Alll the configuration of the firewall settin, file after you click the Apply button. Y To view the firewall configuration file, execute command below: [root@fedora ~}# cat /etc/sysconfig/iptables ig Will be save on the configuration i Feot@locthore™ [Pe eat View Semen Terminal Help (roor@locetnost “Is cat /otc/sysconfig/iptables ECirocail contaguration written By eyctencrontig-tirewelt 4 Moruat custonifarion of this Tite is no socobansee Hut accepr (0:0) “Pommard “acceot (a0) inter ACCEPT (6:0) Shckt 2 TESS roataze ©oramcisneo.nevaren -y accerr it

    Potrebbero piacerti anche