Presentation is loading. Please wait.

Presentation is loading. Please wait.

IS3440 Linux Security Unit 6 Using Layered Security for Access Control

Published byΕυρυδίκη Αναγνώστου Modified over 5 years ago

Similar presentations

Presentation on theme: "IS3440 Linux Security Unit 6 Using Layered Security for Access Control"— Presentation transcript:

1 IS3440 Linux Security Unit 6 Using Layered Security for Access Control

2 Class Agenda 4/20/16 Covers Chapter 7 Learning Objectives
Discussion on Lab Activities. Lab will be perform in class. Break Times as per School Regulations.

3 Learning Objective Assess how firewall, Transmission Control Protocol (TCP) Wrappers, and Security Enhanced Linux (SELinux) complement one another to secure network applications.

4 Key Concepts Basic layered security concepts of a Linux infrastructure
Firewall with iptables Application layer security with TCP Wrappers Benefits of mandatory access control (MAC) with SELinux

5 EXPLORE: CONCEPTS

6 SELinux Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) security mechanism implemented in the kernel SELinux follows the model of least-privilege more closely

7 Modes of SELinux SELinux has three basic modes of operation Disabled:
9/20/2018 Modes of SELinux SELinux has three basic modes of operation Disabled: SELinux is turned off Permissive: SELinux is enabled but will not enforce the security policy, only warn and log actions. For troubleshooting Enforcing The default mode which will enable and enforce the SELinux security policy on the system. To temporarily turn off SELinux for troubleshooting, issue the “setenforce 0” command. To turn on SELinux, issue the “setenforce 1” command. (c) ITT Educational Services, Inc.

8 Common SELinux Commands
chcon: For changing the security context of a file or files Id -Z: To show the current user context ls -Z: To show the context of a file or files Refer to Table 7-2 on pages 203–204 of the textbook for other SELinux commands.

9 EXPLORE: PROCESSES

10 Network services Security
Controlling access to network services is one of the most important security tasks facing a server administrator The iptables-based firewall filters out unwelcome network packets TCP Wrappers add an additional layer of protection by defining which hosts are or are not allowed to connect to "wrapped" network services

11 IPTables Advanced tools for network packet filtering Kernel versions prior to 2.4 relied on ipchains for packet filtering The 2.4 kernel introduced iptables (also called netfilter) Iptables is administration tool for IPv4 packet filtering and NAT

12 Designing a Firewall Turn on the Firewall.
Check if rules that should be cleared are in place ? Yes Flush the current rules using the iptables –F command. List current rules using the iptables –L command . No Write firewall rules for INPUT, OUPUT, and FORWARD chains. Save the new rules using the iptables-save command.

13 Aadvantages over other network service control techniques:
TCP Wrappers package The TCP Wrappers package (tcp_wrappers) is installed by default and provides host-based access control to network services Aadvantages over other network service control techniques: Transparency to both the client and the wrapped network service Centralized management of multiple protocols

14 TCP Wrappers Configuration Files
To determine if a client is allowed to connect to a service, TCP Wrappers reference the following two files, which are commonly referred to as hosts access files: /etc/hosts.allow /etc/hosts.deny

15 Creating TCP Wrapper Rules
The TCP Wrapper rules on the next two slides are created to allow Secure Shell (SSH) access to the fictitious site is418.com. These rules are also used to log all access with a message and date while denying access to all other users.

16 Creating TCP Wrapper Rules (Continued)
Step 1 Open the /etc/hosts.allow file using a text editor. Step 2 Type the following rule to allow and log access from the is418.com domain: ssh:.is418.com:spawn /bin/echo `/bin/date` ssh access granted >> /var/log/sshd.log Step 3 Save and exit.

17 Creating TCP Wrapper Rules (Continued)
Step 4 Open the /etc/hosts.deny file using a text editor. Step 5 Type the following rule to deny everyone else: sshd:ALL Step 6 Save and exit.

18 EXPLORE: ROLES

19 Firewall and TCP Wrappers
Add, remove, and edit rules to a packet filter ruleset List and flush the rules to a packet filter ruleset List counters of matched packets to rules Iptables Provides iptables packet filter in the kernel Performs stateless and stateful packet filtering Provides network address translation Netfilter Allow or deny access to an application based on an Internet Protocol (IP) Address or hostname Allow or deny access to an application based on time TCP Wrappers

20 EXPLORE: CONTEXTS

21 Layered Security for FTP Access
Firewall TCP Wrapper SELinux Protects against unauthorized traffic Performs specific actions based on a network service running under the xinetd super server Protects the network service from unauthorized access based on the subject, such as users, applications, or files Allows access to FTP from local traffic only Sends an to the administrator when access is granted during nonbusiness hours Denies access to home directories to logged-in users

22 xinetd xinetd (extended Internet daemon) is an open-source super-server daemon which runs on many Unix-like systems and manages Internet-based connectivity.

23 EXPLORE: RATIONALE

24 Importance of Firewalls
Can be enabled on bastion hosts in addition to existing network firewalls Provide a layer of security at the network layer to restrict unauthorized traffic Can protect bastion hosts from malicious local network traffic

25 Importance of TCP Wrappers
Adds a layer of security in addition to firewalls Can allow and restrict access to an application based on domain name and time of the day Can spawn processes such as and logging

26 Summary In this presentation, the following concepts were covered:
SELinux and its commands Firewall and TCP Wrappers and their importance Process of designing a firewall by using iptables and creating TCP Wrapper rules Layered security for FTP access

27 Assignment Discussion 6.1 Determining Firewall Rules Lab 6.2 Apply Hardened Security for Controlling Access

Download ppt "IS3440 Linux Security Unit 6 Using Layered Security for Access Control"

Similar presentations

Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.

1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
1 Figure 6-16: Advanced Server Hardening Techniques Reading Event Logs (Chapter 10)  The importance of logging to diagnose problems Failed logins, changing.

1 Figure 6-16: Advanced Server Hardening Techniques Reading Event Logs (Chapter 10)  The importance of logging to diagnose problems Failed logins, changing.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.

1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
Securing Network using Linux. Lesson Outline Setting up a secure system TCP Wrapper configuration Firewalls in Linux Authentication Systems –NIS –Kerberos.

Securing Network using Linux. Lesson Outline Setting up a secure system TCP Wrapper configuration Firewalls in Linux Authentication Systems –NIS –Kerberos.
Linux+ Guide to Linux Certification, Second Edition Chapter 15 Configuring Network Services and Security.

Linux+ Guide to Linux Certification, Second Edition Chapter 15 Configuring Network Services and Security.
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
Lesson 19: Configuring Windows Firewall

Lesson 19: Configuring Windows Firewall
© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Security Strategies in Linux Platforms and.

© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Security Strategies in Linux Platforms and.
1 Enabling Secure Internet Access with ISA Server.

1 Enabling Secure Internet Access with ISA Server.
1 Guide to Network Defense and Countermeasures Chapter 6.

1 Guide to Network Defense and Countermeasures Chapter 6.
Principles of Computer Security: CompTIA Security + ® and Beyond, Second Edition © 2010 Baselines Chapter 14.

Principles of Computer Security: CompTIA Security + ® and Beyond, Second Edition © 2010 Baselines Chapter 14.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
Module 7: Configuring TCP/IP Addressing and Name Resolution.

Module 7: Configuring TCP/IP Addressing and Name Resolution.
Configuring a Web Server. Overview Overview of IIS Preparing for an IIS Installation Installing IIS Configuring a Web Site Administering IIS Troubleshooting.

Configuring a Web Server. Overview Overview of IIS Preparing for an IIS Installation Installing IIS Configuring a Web Site Administering IIS Troubleshooting.
NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.

NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.

Similar presentations

Ads by Google