Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Baselines Chapter 13.

Published byMarilynn Owens Modified over 9 years ago

Similar presentations

Presentation on theme: "Security Baselines Chapter 13."— Presentation transcript:

1 Security Baselines Chapter 13

2 Learning Objectives Gain an understanding of OS/NOS vulnerabilities and hardening practices Understand the operation of a file system and how to secure a file system Explore common network hardening practices, including firmware updates and configuration best practices continued…

3 Learning Objectives Identify network services commonly exploited by attackers and learn best practices for writing access control lists Explore vulnerabilities regarding network services such as Web, FTP, DNS, DHCP, Mail, File/Print Servers and Data Repositories as well as best practices in securing such services

4 Operating System (OS) Performs basic tasks
Recognizes input from keyboard Sends output to display screen Keeps track of files and directories on the disk Controls peripheral devices (disk drives, printers)

5 Network Operating System (NOS)
Includes special functions for connecting computers and devices into a LAN Some have built-in networking functions

6 OS/NOS Hardening Process of modifying an OS’s default configuration to make it more secure to outside threats May include removal of unnecessary programs and services May include application of patches to system kernel to limit vulnerability

7 OS/NOS Hardening

8 Actions that Can Disrupt Functionality of a System
Attacks Malfunctions Errors

9 Best Practices for System Hardening
Remove unused applications, services, and unused or unnecessary file shares Implement and enforce strong password policies; remove or disable expired or unneeded accounts Limit number of administrative accounts Set account lockout policies to discourage password cracking continued…

10 Best Practices for System Hardening
Keep track of latest security updates and hot fixes Maintain logging of all user account and administrative activity Back up the system periodically Keep external log of each critical system Maintain records of backups and upgrades

11 File Systems Store data that enable communication between an application and its supporting disk drives Setting privileges and access controls protect information stored on the computer Common privileges: read, write (modify), lock, append, and execute Group users by common needs Additional rights can be granted to a single user in a group Principle of least privilege

12 Creating Needed User Groups
System administrator configures operating system to recognize certain user groups Individual users are assigned to appropriate groups

13 Configuring Access Controls
System administrator configures access controls for all protected files, directories, devices, and other objects

14 Common Practices for Setting File and Data Privileges
Disable write and execute privileges for all executable and binary files Restrict access of OS source files, configuration files, and their directories For UNIX systems: No world-writable files unless specifically required Mount files systems as read only and nosuid continued…

15 Common Practices for Setting File and Data Privileges
For NT systems No permissions allowing “Everyone” group to modify files Assign access permission of immutable to all kernel files Establish all log files as “append only” Prevent users from installing, removing, or editing scripts Pay attention to access control inheritance when defining categories of files and users

16 Installing and Configuring File Encryption Capabilities
File encryption is useful if the OS Lacks adequate access controls to maintain confidentiality Does not support access control lists Encryption is resource-consuming; carefully weigh benefits

17 Systematic Approach for Addressing Updates
Establish procedures for monitoring security-related information Evaluate updates for applicability Plan installation of applicable updates Install updates using a documented plan Deploy new systems with latest software

18 Network Hardening Crucial to have a network with availability as well as adequate security

19 Firmware Updates Made available by vendors as vulnerabilities and malfunctions are discovered with previous versions

20 Configuration Routing functions Firewall systems
Designed to route packets efficiently and reliably, but not securely Not to be used to implement a security policy Firewall systems Should govern security of information flow in and out of the network Provide a policy enforcement mechanism at a security domain boundary

21 Assigning Network Addresses for Interfaces on a Firewall Device
For the Internet Obtain IP addresses from ISP that connects to the firewall For internal networks Obtain IP addresses from within the organization, typically from RFC 1918 specification

22 Establishing Routing Configuration
Should be performed in an environment isolated from the production network Should specify what connectivity is to be permitted with the specific statements and deny all other connectivity Derived from network topology; should not be used to implement aspects of a security policy

23 Best Practices for Configuring Router and Firewall Systems
Keep copy of current configurations of network devices in safe location Never allow IP-directed broadcasts through the system Configure devices with meaningful names Use a description for each interface Specify bandwidth on the interfaces continued…

24 Best Practices for Configuring Router and Firewall Systems
Configure a loopback address Handle SNMP with care Avoid common names for password and naming schemes Deploy logging about interface status, events, and debugging Restrict data traffic to required ports and protocols only

25 Access Control List (ACL)
Set of data that informs a computer’s OS which permissions (access rights) each user or group has to a specific system object Control flow of packets through a device based on certain parameters and information contained within a packet Implement a certain type of security policy, but not considered a policy by themselves Implement packet filtering

26 Packet Filtering Process of deciding disposition of each packet that can pass through a router Provides basic protection mechanism for a routing firewall device through inspection of packet contents Can be based on intrinsic or extrinsic information pertaining to a data packet

27 Best Practices for Designing Filtering Rules for New Networks
Add “deny all” rule to articulate the security policy more completely Design antispoofing rules and place them at top of the ACL Identify protocols, ports, and source and destination addresses that need to be serviced continued…

28 Best Practices for Designing Filtering Rules for New Networks
Configure filtering rule set of the ACL by protocol and by port Collapse matching protocols rows and consecutive ports rows together into one new row that specifies a range Place all permission rules between antispoofing rules and “deny all” rule at the end of the rule set

29 Enabling and Disabling of Services and Protocols
Many services can be easily targeted by attackers unless disabled by system administrators Evaluate every service for need and risks; remove unnecessary ones Evaluate and install required services in a manner to lower potential risk

30 Commonly Exploited Services
Remote Procedure Call (RPC) Network File System (NFS) Web services Simple Mail Transfer Protocol (SMTP) Bootstrap Protocol DoS attacks are successful when unnecessary services are running on network devices

31 Commonly Exploited Services on Cisco Platforms
Cisco Discovery Protocol (CDP) TCP small servers UDPT small servers Finger HTTP server Bootp server Configuration autoloading IP source Proxy ARP continued…

32 Commonly Exploited Services on Cisco Platforms
IP-directed broadcast Classless routing behavior IP unreachable notifications IP mask relay IP redirects NTP service Simple Network Management Protocol Domain Name Service

33 Application Hardening
Process of making applications software secure by ensuring that the software contains security enabling technology: Sign in capabilities for authenticated network connections Ability to run properly in secured configurations

34 Applications that Need Hardening
Web servers servers FTP servers DNS servers NNTP servers File and print servers DHCP servers Data repositories Directory services

35 Web Servers Associated with more attacks and vulnerabilities than any type of server Designed to make information accessible, rather than to protect it

36 High Level Best Practices for Securing Web Servers
Isolate a Web server on a DMZ Configure a Web server for access privileges Identify and enable Web server-specific logging tools Consider security implications Configure authentication and encryption

37 Isolating a Web Server on a DMZ

38 Servers Serious risks associated with ability to receive from the outside world Attachments with malicious contents s with abnormal MIME headers Scripts embedded into HTML-enabled mail

39 Protecting Against E-mail Vulnerabilities
Use latest software updates and patches on server Deploy dedicated relay (gateway) server between internal network and Internet Deploy virus-scanning tools on the server Use attachment-checking mechanisms on the server Use HTML Active Content removal

40 FTP Servers File Transfer Protocol
Used to transfer files between a workstation and an FTP server

41 Vulnerabilities Associated with FTP
Protecting against bouncebacks Restricting areas Protecting usernames and passwords Port stealing Other documented vulnerabilities

42 DNS Servers Domain Name Service (DNS)
Collective name for system of servers that translate names into addresses in a process transparent to the end user

43 Vulnerabilities Associated with DNS
Inaccurate data on IP address ownership Customer registry communication DNS spoofing and cache poisoning Out-of-date root.hints file Recursive queries Denial-of-service attacks

44

45

46 NNTP Servers Network News Transfer Protocol (NNTP)
Delivers news articles to users on the Internet Stores articles in a central database; users choose only items of interest Makes few demands on structure, content, or storage of news articles NNTP servers can index and cross reference messages, and allow for notification of expiration

47 NNTP Servers Similar vulnerabilities to other network services
Effective methods of preventing attacks Use proper authentication mechanisms Disable unneeded services Apply relevant software and OS patches

48 File and Print Servers Store many of an organization’s most valuable and confidential information resources

49 Protecting Against File and Print Server Vulnerabilities
Offer only essential network and OS services on a server Configure servers for user authentication Configure server operating systems Manage logging and other data collection mechanisms Configure servers for file backups

50 DHCP Servers Dynamic Host Configuration Protocol (DHCP)
Software that assigns dynamic IP addresses to devices on a network Reduces administrative burden No security provisions

51 Preventing Attacks on DHCP Servers
Assign permanent addresses Collect Media Access Control (MAC) addresses of all computers on network and bind them to corresponding IP addresses Use dynamic addressing, but monitor log files Use intrusion detection tools continued…

52 Preventing Attacks on DHCP Servers
Configure DHCP server to force stations with new MAC addresses on the network to register with the DHCP server Implement latest software and patches

53 Data Repositories Store data for archiving and user access
Contain an organization’s most valuable assets in terms of information Should be carefully protected

54 Directory Services Lightweight Directory Access Protocol (LDAP)
Industry standard protocol for providing networking directory services for the TCP/IP model Can store and locate information about entities and other network resources Based on simple, treelike hierarchy called a Directory Information Tree (DIT)

55

56 Directory Service-Oriented Threats
Unauthorized access to data by monitoring or spoofing authorized users’ operations Unauthorized access to resources by physically taking over authenticated connections and sessions Unauthorized modification or deletion of data or configuration parameters Spoofing of directory services Excessive use of resources

57 Nondirectory Service-Oriented Threats
Common network-based attacks against LDAP servers to compromise availability of resources Attacks against hosts by physically accessing the resources Attacks against back-end databases that provide directory services

58 Security of LDAP Is Dependent on…
Authentication Anonymous Simple Simple Authentication and Security Layer (SASL) for LDAPv3 Authorization

59 Principles of Security to Protect Databases
Authentication of users and applications Administration policies and procedures Initial configuration Auditing Backup and recovery procedures

60 Chapter Summary Role of operating and file systems as they relate to security of information resources stored on computer systems Operating system vulnerabilities Use of OS hardening practices to prevent attacks and system failures continued…

61 Chapter Summary Vulnerabilities associated with common services installed on computer systems (WWW services, FTP, DNS) and best practices in protecting against threats to these services Maintenance and upgrade of computer systems

Download ppt "Security Baselines Chapter 13."

Similar presentations

FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Chapter 11 Firewalls.

Chapter 11 Firewalls.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.

Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.
Beth Johnson April 27, 1998. What is a Firewall Firewall mechanisms are used to control internet access An organization places a firewall at each external.

Beth Johnson April 27, What is a Firewall Firewall mechanisms are used to control internet access An organization places a firewall at each external.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
TCP/IP Addressing Design. Objectives Choose an appropriate IP addressing scheme based on business and technical requirements Identify IP addressing problems.

TCP/IP Addressing Design. Objectives Choose an appropriate IP addressing scheme based on business and technical requirements Identify IP addressing problems.
Router Hardening Nancy Grover, CISSP ISC2/ISSA Security Conference November 2004.

Router Hardening Nancy Grover, CISSP ISC2/ISSA Security Conference November 2004.
1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.

1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.
Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.

Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.
Principles of Computer Security: CompTIA Security + ® and Beyond, Second Edition © 2010 Baselines Chapter 14.

Principles of Computer Security: CompTIA Security + ® and Beyond, Second Edition © 2010 Baselines Chapter 14.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

Similar presentations

Ads by Google