Security Baselines
Chapter 13 (PowerPoint slideshow, uploaded by daniel_millan)

Presentation Transcript
Learning Objectives
  • Gain an understanding of OS/NOS vulnerabilities and hardening practices
  • Understand the operation of a file system and how to secure a file system
  • Explore common network hardening practices, including firmware updates and configuration best practices
  • Identify network services commonly exploited by attackers and learn best practices for writing access control lists
  • Explore vulnerabilities regarding network services such as Web, FTP, DNS, DHCP, Mail, File/Print Servers and Data Repositories as well as best practices in securing such services
Operating System (OS)
  • Performs basic tasks
    • Recognizes input from keyboard
    • Sends output to display screen
    • Keeps track of files and directories on the disk
    • Controls peripheral devices (disk drives, printers)
Network Operating System (NOS)
  • Includes special functions for connecting computers and devices into a LAN
  • Some have built-in networking functions
OS/NOS Hardening
  • Process of changing an OS’s default configuration to make it more resistant to outside threats
  • May include removal of unnecessary programs and services
  • May include applying patches to the kernel and system software to close known vulnerabilities
Best Practices for System Hardening
  • Remove unused applications, services, and unused or unnecessary file shares
  • Implement and enforce strong password policies; remove or disable expired or unneeded accounts
  • Limit number of administrative accounts
  • Set account lockout policies to discourage password cracking
  • Keep track of latest security updates and hot fixes
  • Maintain logging of all user account and administrative activity
  • Back up the system periodically
  • Keep external log of each critical system
  • Maintain records of backups and upgrades
File Systems
  • Organize stored data and mediate between an application and the disks that hold its data
  • Setting privileges and access controls protect information stored on the computer
    • Common privileges: read, write (modify), lock, append, and execute
    • Group users by common needs
    • Additional rights can be granted to a single user in a group
    • Principle of least privilege
Creating Needed User Groups
  • System administrator configures operating system to recognize certain user groups
  • Individual users are assigned to appropriate groups
Configuring Access Controls
  • System administrator configures access controls for all protected files, directories, devices, and other objects
Common Practices for Setting File and Data Privileges
  • Remove write privileges on all executable and binary files for everyone but the owner, and grant execute only where it is needed
  • Restrict access to OS source files, configuration files, and their directories
  • For UNIX systems:
    • No world-writable files unless specifically required
    • Mount file systems read-only and nosuid wherever possible
  • For NT systems
    • No permissions allowing “Everyone” group to modify files
  • Assign access permission of immutable to all kernel files
  • Establish all log files as “append only”
  • Prevent users from installing, removing, or editing scripts
  • Pay attention to access control inheritance when defining categories of files and users
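The checks above (no world-writable files, no stray setuid binaries, file systems mounted read-only and nosuid) are easy to script. The following is an added example, not code from the presentation: it builds a small constructed directory tree with one world-writable file and one setuid binary, audits it, and parses a constructed /proc/mounts excerpt against an assumed policy of which mount points must be read-only and nosuid. Immutable kernel files and append-only logs are set with chattr and are not shown here.

```python
"""Audit a directory tree for the file-permission faults the slides call out
(world-writable files, setuid binaries) and check /proc/mounts-style lines
for file systems mounted without nosuid or read-only.

Added example; not from the original presentation. The sample tree and
mount lines are constructed here so the script runs offline."""
import os
import stat
import tempfile

# Which mounts must be read-only and/or nosuid is site policy; these sets
# are an assumption for the demo.
WANT_RO_NOSUID = {"/usr"}
WANT_NOSUID = {"/home", "/tmp", "/var"}


def world_writable(root):
    """Return paths (relative to root) that are world-writable.
    Sticky directories such as /tmp are allowed, the usual exception."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # symlink modes are meaningless on Linux
            sticky_dir = stat.S_ISDIR(mode) and mode & stat.S_ISVTX
            if mode & stat.S_IWOTH and not sticky_dir:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def setuid_files(root):
    """Return regular files carrying the setuid or setgid bit."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def mount_findings(mounts_text):
    """Parse lines in /proc/mounts format ('dev mountpoint fstype opts 0 0')
    and report mount points missing the options the policy wants."""
    findings = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint, opts = fields[1], set(fields[3].split(","))
        missing = []
        if mountpoint in WANT_RO_NOSUID and "ro" not in opts:
            missing.append("ro")
        if mountpoint in WANT_RO_NOSUID | WANT_NOSUID and "nosuid" not in opts:
            missing.append("nosuid")
        if missing:
            findings[mountpoint] = missing
    return findings


def build_sample_tree():
    """Constructed sample tree: one world-writable file, one setuid binary,
    one sticky shared directory (acceptable), one normal binary."""
    root = tempfile.mkdtemp(prefix="hardening-audit-")
    for sub in ("bin", "tmp", "shared"):
        os.makedirs(os.path.join(root, sub))
    for rel, mode in (("bin/app", 0o755), ("bin/suexec", 0o4755),
                      ("tmp/scratch.log", 0o666)):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "shared"), 0o1777)   # sticky, world-writable
    return root


# Constructed /proc/mounts excerpt: /usr is writable, /home lacks nosuid.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /usr ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""

if __name__ == "__main__":
    root = build_sample_tree()
    print("world-writable:", world_writable(root))
    print("setuid/setgid:", setuid_files(root))
    print("mount findings:", mount_findings(SAMPLE_MOUNTS))
```

Run it against a real host by passing `/` to the two walkers and the contents of `/proc/mounts` to `mount_findings`; the sticky-bit exception is what keeps `/tmp` and `/var/tmp` out of the world-writable report.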
Installing and Configuring File Encryption Capabilities
  • File encryption is useful if the OS
    • Lacks adequate access controls to maintain confidentiality
    • Does not support access control lists
  • Encryption is resource-consuming; carefully weigh benefits
Systematic Approach for Addressing Updates
  • Establish procedures for monitoring security-related information
  • Evaluate updates for applicability
  • Plan installation of applicable updates
  • Install updates using a documented plan
  • Deploy new systems with latest software
Network Hardening
  • Crucial to have a network with availability as well as adequate security
Firmware Updates
  • Made available by vendors as vulnerabilities and malfunctions are discovered with previous versions
  • Routing functions
    • Designed to route packets efficiently and reliably, but not securely
    • Not to be used to implement a security policy
  • Firewall systems
    • Should govern security of information flow in and out of the network
    • Provide a policy enforcement mechanism at a security domain boundary
Assigning Network Addresses for Interfaces on a Firewall Device
  • For the Internet
    • Obtain IP addresses from ISP that connects to the firewall
  • For internal networks
    • Obtain IP addresses from within the organization, typically private address space as defined in RFC 1918
Establishing Routing Configuration
  • Should be performed in an environment isolated from the production network
  • Should specify what connectivity is to be permitted with the specific statements and deny all other connectivity
  • Derived from network topology; should not be used to implement aspects of a security policy
Best Practices for Configuring Router and Firewall Systems
  • Keep copy of current configurations of network devices in safe location
  • Never allow IP-directed broadcasts through the system
  • Configure devices with meaningful names
  • Use a description for each interface
  • Specify bandwidth on the interfaces
  • Configure a loopback address
  • Handle SNMP with care
  • Avoid common names for password and naming schemes
  • Deploy logging about interface status, events, and debugging
  • Restrict data traffic to required ports and protocols only
Access Control List (ACL)
  • In an operating system: the set of entries that tells the OS which permissions (access rights) each user or group has to a specific system object
  • On a router or firewall: an ordered list of rules that controls the flow of packets through the device based on information carried in each packet (addresses, protocol, ports, interface)
  • Implement part of a security policy, but are not a policy by themselves
  • Network ACLs are the mechanism that implements packet filtering
Packet Filtering
  • Process of deciding disposition of each packet that can pass through a router
  • Provides basic protection mechanism for a routing firewall device through inspection of packet contents
  • Can be based on intrinsic or extrinsic information pertaining to a data packet
Best Practices for Designing Filtering Rules for New Networks
  • Add “deny all” rule to articulate the security policy more completely
  • Design antispoofing rules and place them at top of the ACL
  • Identify protocols, ports, and source and destination addresses that need to be serviced
  • Configure the filtering rule set of the ACL by protocol and by port
  • Collapse rows with the same protocol and consecutive port numbers into one row that specifies a port range
  • Place all permit rules between the antispoofing rules and the “deny all” rule at the end of the rule set
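The ACL and packet-filtering slides above describe an ordering (antispoofing first, permits next, deny-all last) and a port-collapsing step. The following added example, which is not code from the presentation, simulates that rule set in Python so the ordering can be checked against sample packets. The internal network, server addresses and interface names are assumptions for the demo, and the evaluator is a first-match simulation rather than any vendor's filtering engine.

```python
"""Packet-filter ACL laid out as the slides prescribe: antispoofing rules at
the top, permits for required services in the middle, an explicit deny-all at
the end, with consecutive ports collapsed into ranges.

Added example, not code from the presentation. Addresses, interfaces and
services are assumptions chosen for the demo."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL = ipaddress.ip_network("192.168.10.0/24")       # assumed internal LAN
WEB = ipaddress.ip_network("192.168.10.80/32")           # assumed web server
FTP = ipaddress.ip_network("192.168.10.21/32")           # assumed FTP server
# Sources that must never arrive on the outside interface: RFC 1918 space
# (which also covers our own LAN), loopback and "this network".
BOGONS = [ipaddress.ip_network(n) for n in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
           "127.0.0.0/8", "0.0.0.0/8")]


@dataclass
class Packet:
    iface: str                 # interface the packet arrives on
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str                # "permit" or "deny"
    name: str
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    ports: Optional[tuple] = None   # inclusive (low, high) destination range

    def matches(self, p: Packet) -> bool:
        if self.iface and p.iface != self.iface:
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.src and ipaddress.ip_address(p.src) not in self.src:
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in self.dst:
            return False
        if self.ports and (p.dport is None
                           or not self.ports[0] <= p.dport <= self.ports[1]):
            return False
        return True


def collapse_ports(ports):
    """Merge consecutive port numbers into (low, high) ranges so one rule
    covers them: [20, 21, 80, 443] -> [(20, 21), (80, 80), (443, 443)]."""
    ranges = []
    for port in sorted(set(ports)):
        if ranges and ranges[-1][1] + 1 == port:
            ranges[-1] = (ranges[-1][0], port)
        else:
            ranges.append((port, port))
    return ranges


def service_rules(name, proto, dst, ports):
    """One permit rule per collapsed port range for a published service."""
    return [Rule("permit", f"{name}-{lo}-{hi}", "outside", proto, None, dst, (lo, hi))
            for lo, hi in collapse_ports(ports)]


def build_acl():
    # 1. antispoofing: our own addresses and bogons must not enter from outside
    acl = [Rule("deny", "antispoof-internal", "outside", src=INTERNAL)]
    acl += [Rule("deny", f"antispoof-bogon-{n}", "outside", src=n) for n in BOGONS]
    # 2. permits for the services that actually need to be reachable
    acl += service_rules("web", "tcp", WEB, [80, 443])
    acl += service_rules("ftp", "tcp", FTP, [20, 21])
    # 3. explicit default: everything else is dropped
    acl.append(Rule("deny", "deny-all"))
    return acl


def evaluate(acl, packet):
    """First matching rule wins; the deny-all guarantees a decision."""
    for rule in acl:
        if rule.matches(packet):
            return rule.action, rule.name
    raise AssertionError("ACL has no deny-all rule")


if __name__ == "__main__":
    acl = build_acl()
    for pkt in (Packet("outside", "tcp", "192.168.10.5", "192.168.10.80", 80),
                Packet("outside", "tcp", "203.0.113.7", "192.168.10.80", 443),
                Packet("outside", "tcp", "203.0.113.7", "192.168.10.80", 23)):
        print(pkt, "->", evaluate(acl, pkt))
```

Moving the deny-all above the permits, or the antispoofing rules below them, changes the results for the sample packets, which is the cheapest way to show why the slide insists on that order.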
Enabling and Disabling of Services and Protocols
  • Many services can be easily targeted by attackers unless disabled by system administrators
  • Evaluate every service for need and risks; remove unnecessary ones
  • Evaluate and install required services in a manner to lower potential risk
Commonly Exploited Services
  • Remote Procedure Call (RPC)
  • Network File System (NFS)
  • Web services
  • Simple Mail Transfer Protocol (SMTP)
  • Bootstrap Protocol
  • Unnecessary services left running on network devices give DoS attacks additional targets
Commonly Exploited Services on Cisco Platforms
  • Cisco Discovery Protocol (CDP)
  • TCP small servers
  • UDP small servers
  • HTTP server
  • Bootp server
  • Configuration autoloading
  • IP source routing
  • Proxy ARP
  • IP-directed broadcast
  • Classless routing behavior
  • IP unreachable notifications
  • IP mask reply
  • IP redirects
  • NTP service
  • Simple Network Management Protocol (SNMP)
  • Domain Name System (DNS) lookups
Application Hardening
  • Process of making applications software secure by ensuring that the software contains security enabling technology:
    • Sign in capabilities for authenticated network connections
    • Ability to run properly in secured configurations
Applications that Need Hardening
  • Web servers
  • E-mail servers
  • FTP servers
  • DNS servers
  • NNTP servers
  • File and print servers
  • DHCP servers
  • Data repositories
  • Directory services
Web Servers
  • Associated with more attacks and vulnerabilities than any type of server
  • Designed to make information accessible, rather than to protect it
High Level Best Practices for Securing Web Servers
  • Isolate a Web server on a DMZ
  • Configure a Web server for access privileges
  • Identify and enable Web server-specific logging tools
  • Consider the security implications before selecting programs, scripts, and plug-ins for the server
  • Configure authentication and encryption
E-mail Servers
  • Serious risks associated with ability to receive e-mail from the outside world
    • Attachments with malicious contents
    • E-mails with abnormal MIME headers
    • Scripts embedded into HTML-enabled mail
Protecting Against E-mail Vulnerabilities
  • Use latest software updates and patches on e-mail server
  • Deploy dedicated e-mail relay (gateway) server between internal network and Internet
  • Deploy virus-scanning tools on the server
  • Use attachment-checking mechanisms on the server
  • Strip active content (scripts) from HTML-formatted mail
FTP Servers
  • File Transfer Protocol
    • Used to transfer files between a workstation and an FTP server
Vulnerabilities Associated with FTP
  • FTP bounce attacks (abuse of the PORT command to reach third-party hosts)
  • Inadequate restriction of the directories users can reach
  • Usernames and passwords sent in cleartext
  • Port stealing
  • Other documented vulnerabilities
DNS Servers
  • Domain Name System (DNS)
    • Collective name for the system of servers that translate names into addresses transparently to the end user
Vulnerabilities Associated with DNS
  • Inaccurate data on IP address ownership
  • Customer registry communication
  • DNS spoofing and cache poisoning
  • Out-of-date root.hints file
  • Recursive queries
  • Denial-of-service attacks
NNTP Servers
  • Network News Transfer Protocol (NNTP)
    • Delivers news articles to users on the Internet
    • Stores articles in a central database; users choose only items of interest
    • Makes few demands on structure, content, or storage of news articles
  • NNTP servers can index and cross reference messages, and allow for notification of expiration
  • Similar vulnerabilities to other network services
  • Effective methods of preventing attacks
    • Use proper authentication mechanisms
    • Disable unneeded services
    • Apply relevant software and OS patches
File and Print Servers
  • Store many of an organization’s most valuable and confidential information resources
Protecting Against File and Print Server Vulnerabilities
  • Offer only essential network and OS services on a server
  • Configure servers for user authentication
  • Configure the server operating system securely (apply the hardening baseline)
  • Manage logging and other data collection mechanisms
  • Configure servers for file backups
DHCP Servers
  • Dynamic Host Configuration Protocol (DHCP)
    • Software that assigns dynamic IP addresses to devices on a network
    • Reduces administrative burden
    • Protocol itself includes no authentication of clients or servers
Preventing Attacks on DHCP Servers
  • Assign permanent addresses
    • Collect Media Access Control (MAC) addresses of all computers on network and bind them to corresponding IP addresses
  • Use dynamic addressing, but monitor log files
  • Use intrusion detection tools
  • Configure DHCP server to force stations with new MAC addresses on the network to register with the DHCP server
  • Implement latest software and patches
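The DHCP advice above comes down to two mechanisms: bind known MAC addresses to fixed IPs, and watch the server's logs for anything that does not fit. The following added example, which is not from the presentation, parses a constructed excerpt in ISC dhcpd's syslog format, compares the completed leases against an assumed registry of known hosts, and renders that registry as dhcpd `host` declarations. The hosts, MACs and addresses are made up for the demo.

```python
"""Check DHCP server activity against a table of registered MAC addresses,
as the slides suggest (bind MACs to fixed addresses, monitor the log files).

Added example, not from the presentation. The binding table and the log
excerpt are constructed; the log lines follow the ISC dhcpd syslog format."""
import re

# Assumed registry of known hosts: MAC -> (hostname, reserved IP)
KNOWN_HOSTS = {
    "00:11:22:33:44:55": ("ws-finance-01", "10.0.0.23"),
    "00:11:22:33:44:66": ("ws-hr-02", "10.0.0.24"),
}

# Constructed log excerpt: one registered host, one unknown MAC, one host
# that obtained an address other than its reservation.
SAMPLE_LOG = """\
Mar  3 09:12:01 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
Mar  3 09:12:01 dhcp1 dhcpd: DHCPOFFER on 10.0.0.23 to 00:11:22:33:44:55 via eth0
Mar  3 09:12:02 dhcp1 dhcpd: DHCPACK on 10.0.0.23 to 00:11:22:33:44:55 (ws-finance-01) via eth0
Mar  3 09:13:40 dhcp1 dhcpd: DHCPACK on 10.0.0.57 to de:ad:be:ef:00:01 via eth0
Mar  3 09:14:05 dhcp1 dhcpd: DHCPACK on 10.0.0.99 to 00:11:22:33:44:66 (ws-hr-02) via eth0
"""

# Only DHCPACK lines represent a lease actually handed out.
ACK_RE = re.compile(
    r"DHCPACK on (\d+\.\d+\.\d+\.\d+) to ([0-9a-f]{2}(?::[0-9a-f]{2}){5})",
    re.IGNORECASE)


def parse_acks(log_text):
    """Return (ip, mac) for every completed lease in the log."""
    return [(m.group(1), m.group(2).lower())
            for m in (ACK_RE.search(line) for line in log_text.splitlines()) if m]


def audit_leases(acks, known=KNOWN_HOSTS):
    """Flag leases to MACs that are not registered, and registered hosts
    that received an address other than their reservation."""
    unknown, mismatch = [], []
    for ip, mac in acks:
        if mac not in known:
            unknown.append((mac, ip))
        elif known[mac][1] != ip:
            mismatch.append((mac, known[mac][1], ip))
    return {"unknown_mac": unknown, "mismatch": mismatch}


def render_dhcpd_hosts(known=KNOWN_HOSTS):
    """Emit ISC dhcpd host declarations pinning each registered MAC to its
    reserved address; combined with 'deny unknown-clients;' in the subnet
    declaration, unregistered MACs get no lease at all."""
    stanzas = []
    for mac, (name, ip) in sorted(known.items(), key=lambda kv: kv[1][0]):
        stanzas.append(f"host {name} {{\n  hardware ethernet {mac};\n  fixed-address {ip};\n}}")
    return "\n".join(stanzas) + "\n"


if __name__ == "__main__":
    report = audit_leases(parse_acks(SAMPLE_LOG))
    for mac, ip in report["unknown_mac"]:
        print(f"ALERT unregistered MAC {mac} got {ip}")
    for mac, want, got in report["mismatch"]:
        print(f"WARN {mac} reserved {want} but leased {got}")
    print(render_dhcpd_hosts())
```

A MAC address is trivially spoofed, so the registry catches accidents and casual rogue devices rather than a determined attacker; the log audit is what notices a registered MAC suddenly appearing from an unexpected address or interface.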
Data Repositories
  • Store data for archiving and user access
  • Contain an organization’s most valuable assets in terms of information
  • Should be carefully protected
Directory Services
  • Lightweight Directory Access Protocol (LDAP)
    • Industry-standard protocol for providing directory services over TCP/IP
    • Can store and locate information about entities and other network resources
    • Based on simple, treelike hierarchy called a Directory Information Tree (DIT)
Directory Service-Oriented Threats
  • Unauthorized access to data by monitoring or spoofing authorized users’ operations
  • Unauthorized access to resources by hijacking authenticated connections and sessions
  • Unauthorized modification or deletion of data or configuration parameters
  • Spoofing of directory services
  • Excessive use of resources
Nondirectory Service-Oriented Threats
  • Common network-based attacks against LDAP servers to compromise availability of resources
  • Attacks against hosts by physically accessing the resources
  • Attacks against back-end databases that provide directory services
Security of LDAP Is Dependent on…
  • Authentication
    • Anonymous
    • Simple
    • Simple Authentication and Security Layer (SASL) for LDAPv3
  • Authorization
Principles of Security to Protect Databases
  • Authentication of users and applications
  • Administration policies and procedures
  • Initial configuration
  • Auditing
  • Backup and recovery procedures
Chapter Summary
  • Role of operating and file systems as they relate to security of information resources stored on computer systems
  • Operating system vulnerabilities
  • Use of OS hardening practices to prevent attacks and system failures
  • Vulnerabilities associated with common services installed on computer systems (WWW services, FTP, DNS) and best practices in protecting against threats to these services
  • Maintenance and upgrade of computer systems