Security Assurance: A Sysad's Perspective (siva/talks/secAss.pdf)

Good Bad Ugly

Security Assurance: A Sysad’s Perspective

शिवकुमार G. Sivakumar சிவகுமார்

Computer Science and Engineering, भारतीय प्रौद्योगिकी संस्थान मुंबई (IIT Bombay)

[email protected]

May 18, 2014

• The Good (Web 1.0, 2.0, 3.0)
• The Bad (Threats, Vulnerabilities, Attacks)
• The Ugly? (Configure, Monitor, Analyze, React)

Blind men and the Elephant - अन्ध-गज न्यायः

Partial Landscape

Tomorrow’s Info, Yesterday’s Professional

Moksha Story: copper, fibre, ...

Small Science (Last 4 centuries)

How much data? computation? collaboration?

e-Science

Computation and Data-enabled science.

G. Djorgovski: Applied computer science is now playing the role that mathematics did from the 17th through the 20th centuries: providing an orderly, formal framework and exploratory apparatus for other sciences.

Quite different from
• Real-time Internet security (atlas.arbor.net)
• Real-time fraud monitoring in financial transactions
• Real-time screening of Facebook/Google posts

Surviving Computers and Internet

1 Mathematicians
  Turn coffee into theorems!
  Principia Mathematica (Newton/Russell)
  Mechanical Theorem Proving, Automated mathematician, Gödel’s Undecidability Theorem

2 Bankers
  Brick and mortar? Vaults? Cashless? Financial Advice?
  P2P payments (PayPal, Square, ...), Bitcoin

3 University Profs
  Are we still world class? (Narayanamurthy)
  NPTEL (National Program on Technology Enhanced Learning), NKN (National Knowledge Network)
  Akash (MHRD tablet that will cure all ills!)

No denying that computers/Internet have changed the paradigm!

Atlas.arbor.net

Real-time Intelligence - atlas.arbor.net

Who is scanning?

Who is hosting phishing sites?

Malicious Servers

Vulnerabilities

• Application Security
  • Buggy code
  • Buffer Overflows
• Host Security
  • Server side (multi-user/application)
  • Client side (virus)
• Transmission Security

Network Security (figure: A communicating with B, with a third party C): Secrecy, Integrity (Modification), (Fabrication), Availability (Denial of Service attack)

Internet Attack Toolkits (YouTube)

Internet Attacks Timeline
From training material at http://www.cert-in.org.in/

Internet Attack Trends
From training material at http://www.cert-in.org.in/

Security Requirements

Informal statements (formal is much harder)
• Confidentiality: Protection from disclosure to unauthorized persons
• Integrity: Assurance that information has not been modified unauthorizedly.
• Authentication: Assurance of identity of originator of information.
• Non-Repudiation: Originator cannot deny sending the message.
• Availability: Not able to use system or communicate when desired.
• Anonymity/Pseudonymity: For applications like voting, instructor evaluation.
• Traffic Analysis: Should not even know who is communicating with whom. Why?
• Emerging Applications: Online Voting, Auctions (more later)

And all this with postcards (IP datagrams)!

Defending a Critical National Infrastructure

Recent fibre cut.

Defending a Critical National Infrastructure

Our Solution

Attacking IIT Bombay

Use dnsstuff.com to get some information.

Mail Servers Information

Use dnsstuff.com

TraceRoute

Very sophisticated tools (nmap, nessus, metasploit) are available to attackers.
Let’s get back to defence and security assurance.

The Big Picture

Where all does security figure? Let’s focus on the network first.

Overview

• Campus Network Infrastructure
  • Academic Area
  • Hostels
  • Residential
• Hardware and Network (the easy part!)
  • Gigabit L3 switches
  • 10 Mbps Internet (4 Links)
  • 5000+ nodes
• Applications (Complex enough)
  • Mail
  • Web Browsing/Hosting
• Users and Management (Nightmare begins)
  • MisUse (mp3, movie, porn, hacking, fake mails, ...)
  • CCTeam
• We carry your Bytes
  • Our T-shirt (cows, dogs, leopards!)

Residential Network

IIT-B’s WAN Links and Firewall

Important LAN Issues

Important Considerations
• Virus, Spyware
• Wrong IP addresses
• Wireless Access (guest house, conference halls)
• Static MAC-IP mapping
• Software Piracy
• Illegal Content (pornography, ...)
• ...

Good LAN design can help a lot with this...

Critical Network Services

• Firewall (Security sine qua non)

• Domain Name Service (DNS) http://cr.yp.to/djbdns/

• Directory Services (LDAP)

• Virus Scanning clamav.elektrapro.com

Critical Network (WAN) Services

• E-mail (www.qmail.org)
• Newsgroups (inn)
• Web Proxy
• WWW Servers (httpd.apache.org)

Firewall

• Inside IIT we have 50+ IP subnets.
• Over 5000 nodes.
• All Private addresses 10.x.y.z
• 4 Different WAN subnets
  • 128, 64, 32, 32 addresses only!
• iptables (www.iptables.org) to the rescue.
• Selective services/machines opened up
  • Incoming ssh to different dept. servers.
  • Outgoing ssh, Yahoo/MSN chat
  • Outgoing port for SciFinder
  • Outgoing ftp from select machines
• Making a good policy is the hardest!

IPtables
Stateful firewalling. See www.netfilter.org

What is IPtables?
• IPtables is an implementation of a Firewall in Linux
• IPtables is a userspace command line program used to configure the Linux packet filtering ruleset.
• The framework inside the kernel is called Netfilter
• Full matching on IP, TCP, UDP and ICMP packet headers
• Lesser matching on other packet headers possible

Advantages
• Protection from external entities
• Regulate Traffic based upon user’s security requirement
• Provide choke point for screening the packets entering your network

IPtables

Packet Filters
• List consisting of sequence of rules
• Every packet is matched with the rules
• If a rule does not match, try to match next rule
• If a rule matches, take appropriate action

Basic Functionalities

• NAT (Network Address Translation)
  • DNAT - Destination Network Address Translation
  • SNAT - Source Network Address Translation
  • Requires connection tracking to keep states and expectations
• Packet Mangling
  • Strip all IP options
  • Change TOS values
  • Change TTL values
  • ...
  • Mark packets/connections within kernel

Kernel Packet Traversal Diagram: KPTD

IPtables: Example

Configuring the Firewall

Firewall + Router : Enable Forwarding and Flush current rules
[root@router ]# /sbin/sysctl -w net.ipv4.ip_forward=1
[root@router ]# iptables -nvL
[root@router ]# iptables -F -t filter
[root@router ]# iptables -F -t nat

Firewall + Router : Set Policy
[root@router ]# iptables -P INPUT ACCEPT
[root@router ]# iptables -P OUTPUT ACCEPT
[root@router ]# iptables -P FORWARD DROP

Firewall + Router : SNAT in POSTROUTING
[root@router ]# iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/16 -j SNAT --to-source 10.105.11.XX

Firewall + Router : Allow all ESTABLISHED connections
[root@router ]# iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Can you enable HTTP (dport 80) and SSH (dport 22) packets?

Firewall + Router : Allow HTTP packets
[root@router ]# iptables -A FORWARD -m state --state NEW -s 192.168.0.0/16 -p tcp --dport 80 -j ACCEPT

Firewall + Router : New but Not SYN
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -i eth0 -j LOG --log-prefix "New not syn:"
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -i eth0 -j DROP

Firewall + Router : Firewall MARK
iptables -A PREROUTING -t mangle -p tcp -s 192.168.0.0/16 --dport 22 -j MARK --set-mark 2

Firewall + Router : Limiting DoS attacks
iptables -A FORWARD -p tcp --syn -s 192.168.0.0/16 --dport 389 -m limit --limit 10/s -j ACCEPT
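The packet-filter loop from the IPtables slide and the FORWARD rules above, modelled as an added example (not code from the talk): a first-match chain with a simplified connection-tracking table, fed constructed packets. It shows the HTTP rule accepting LAN traffic and its replies, the SSH question falling through to the DROP policy, and one caveat of the rule order as appended: the "New but not SYN" pair sits after the HTTP ACCEPT, so a non-SYN packet arriving on eth0 with a 192.168.0.0/16 source is accepted before it is ever checked. Interface names, addresses and the conntrack model are assumptions.

```python
"""Toy model of the FORWARD chain from the slides: rules are walked top to
bottom and the first match decides (the packet-filter loop), with a
simplified connection-tracking table behind '-m state'.  Packets are
constructed; this is not netfilter's code."""
import ipaddress
from dataclasses import dataclass, field

INTERNAL = ipaddress.ip_network("192.168.0.0/16")   # LAN range used in the slides


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int = 40000
    proto: str = "tcp"
    syn: bool = True      # bare SYN (new connection) vs ACK/data segment
    iface: str = "eth1"   # arrival interface; eth0 is the WAN side (cf. the SNAT rule)


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


@dataclass
class Chain:
    rules: list                                   # (name, match(pkt, state), target)
    policy: str = "DROP"                          # iptables -P FORWARD DROP
    conntrack: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def state(self, p):
        """ESTABLISHED if this flow (either direction) was accepted before, else NEW."""
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        return "ESTABLISHED" if fwd in self.conntrack or rev in self.conntrack else "NEW"

    def forward(self, p):
        st = self.state(p)
        for name, match, target in self.rules:
            if not match(p, st):
                continue                          # no match: try the next rule
            if target == "LOG":                   # LOG does not end traversal
                self.log.append(f"{name}:IN={p.iface} SRC={p.src} DST={p.dst} DPT={p.dport}")
                continue
            if target == "ACCEPT":                # accepted flows enter the state table
                self.conntrack.add((p.src, p.sport, p.dst, p.dport))
            return target
        return self.policy                        # nothing matched: chain policy applies


def new_not_syn(p, st):
    """'-p tcp ! --syn -m state --state NEW -i eth0' from the slides."""
    return p.proto == "tcp" and not p.syn and st == "NEW" and p.iface == "eth0"


def lan_http_new(p, st):
    """'-m state --state NEW -s 192.168.0.0/16 -p tcp --dport 80' from the slides."""
    return st == "NEW" and is_internal(p.src) and p.proto == "tcp" and p.dport == 80


# The FORWARD rules in the order the slides append them.
SLIDE_RULES = [
    ("established", lambda p, st: st == "ESTABLISHED", "ACCEPT"),
    ("lan-http", lan_http_new, "ACCEPT"),
    ("New not syn", new_not_syn, "LOG"),
    ("new-not-syn-drop", new_not_syn, "DROP"),
]


def sanity_checks_first():
    """Same rules with the 'New but not SYN' pair moved ahead of the ACCEPT rules."""
    return SLIDE_RULES[2:] + SLIDE_RULES[:2]


def run_scenarios(rules=SLIDE_RULES):
    """Push constructed packets through a fresh chain; returns (name -> verdict, log lines)."""
    fw = Chain(list(rules))
    v = {}
    v["lan-http-syn"] = fw.forward(Packet("192.168.1.10", "203.0.113.5", 80))
    v["http-reply"] = fw.forward(Packet("203.0.113.5", "192.168.1.10", 40000,
                                        sport=80, syn=False, iface="eth0"))
    v["lan-ssh-syn"] = fw.forward(Packet("192.168.1.10", "203.0.113.5", 22))
    v["wan-http-syn"] = fw.forward(Packet("198.51.100.7", "192.168.1.10", 80, iface="eth0"))
    v["wan-stray-ack"] = fw.forward(Packet("198.51.100.7", "192.168.1.10", 80,
                                           syn=False, iface="eth0"))
    # Non-SYN packet on the WAN side carrying a LAN source address: rule order decides.
    v["wan-ack-lan-src"] = fw.forward(Packet("192.168.1.99", "203.0.113.5", 80,
                                             syn=False, iface="eth0"))
    return v, fw.log


if __name__ == "__main__":
    verdicts, log = run_scenarios()
    for name, verdict in verdicts.items():
        print(f"{name:16} {verdict}")
    print("logged:", log)
    print("reordered wan-ack-lan-src:", run_scenarios(sanity_checks_first())[0]["wan-ack-lan-src"])
```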

Recap

Did Achieve
• Only a few selected services are allowed
• New connection initiation only from Internal Network
• Almost all IP layer and TCP layer attacks are defeated
• E.g.: port scans, subnet scans, spoof attacks, or SYN attacks and many more

Didn’t Achieve
• Trust in User
• Protection against Application Layer attacks
• Redundancy: Failure Protection

How does DNS work?

First accept the packets, then DNAT them to the internal server.

Finally, allow responses to go out with SNAT.

Connection tracking is important!

Incoming Email

Open Relays: http://www.abuse.net/relay.html

Sender Policy Framework

http://spf.pobox.com/

Why Monitor?

चिन्तनीया हि विपदामादावेव प्रतिक्रिया।
न कूपखननं युक्तं प्रदीप्ते वह्निना गृहे॥

The effect of disasters should be thought of beforehand. It is not appropriate to start digging a well when the house is ablaze with fire.

Security cannot be an afterthought!

There is a tide in the affairs of men, Which taken at the flood, leads on to fortune. Omitted, all the voyage of their life is bound in shallows and in miseries. (Shakespeare)

ज्ञानं परमं ध्येयम् (Knowledge is the Ultimate Goal)

न चोरहार्यं न च राजहार्यं न भ्रातृभाज्यं न च भारकारि।
व्यये कृते वर्धत एव नित्यं विद्याधनं सर्वधनप्रधानम्॥

It cannot be stolen by thieves, cannot be taken away by the king, cannot be divided among brothers and does not cause a load. If spent, it always multiplies. The wealth of knowledge is the greatest among all wealths.

கற்றது கை மண் அளவு, கல்லாதது உலகு அளவு
What has been learned is like a fistful of sand, what remains is like the whole earth!

If I have seen further [than others] it is by standing on the shoulders of giants... (Isaac Newton)

विद्या ददाति विनयम् - IIT Bombay’s motto is the title of this slide.

Eternal vigilance is the price of liberty!
Know what’s happening in your network!

Monitoring Network and Services

How to answer the following questions?
1 How much traffic in/out? Anything abnormal?
2 How many emails came from outside IIT?
3 Who are the top 10 senders/receivers/domains?
4 Is anyone trying to spam/relay/DoS/break mail servers?
5 How much bandwidth is used for browsing? Top domains?
6 What are the biggest size downloads?
7 Is anyone attacking academic office from hostels?

Where is all this information? How to find out?
Reactive, static reports, pro-active, alerts?
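One place such answers come from is the firewall's own LOG rule. As an added example (not from the talk), the script below parses kernel log lines written by the "New not syn:" rule of the firewall section and answers "who are the top sources?" and "who is scanning?". The log lines are constructed in netfilter's LOG key=value format with documentation-range addresses; the scan threshold (4 distinct destination ports from one source) is an assumed heuristic, not a rule from the slides.

```python
"""Summarise the firewall's 'New not syn:' LOG lines: top sources, top
destination ports, and sources that touched many distinct ports.
SAMPLE_LOG is constructed in the kernel's netfilter LOG format; a real
deployment would read /var/log/kern.log or the syslog file that kernel
messages land in."""
import re
from collections import Counter, defaultdict

PREFIX = "New not syn:"                 # --log-prefix from the slides' rule
KV = re.compile(r"([A-Z]+)=(\S*)")      # netfilter LOG emits KEY=value fields

# Constructed sample: one host probing five ports, one host retrying port 80,
# one single hit, and one unrelated kernel message that must be ignored.
SAMPLE_LOG = """\
May 18 10:00:01 router kernel: New not syn:IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.105.11.20 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 ACK URGP=0
May 18 10:00:01 router kernel: New not syn:IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.105.11.20 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=1024 RES=0x00 ACK URGP=0
May 18 10:00:02 router kernel: New not syn:IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.105.11.20 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44323 DPT=25 WINDOW=1024 RES=0x00 ACK URGP=0
May 18 10:00:02 router kernel: New not syn:IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.105.11.20 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44324 DPT=80 WINDOW=1024 RES=0x00 ACK URGP=0
May 18 10:00:02 router kernel: New not syn:IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.105.11.20 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44325 DPT=443 WINDOW=1024 RES=0x00 ACK URGP=0
May 18 10:03:10 router kernel: New not syn:IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.105.11.20 LEN=40 TOS=0x00 PREC=0x00 TTL=61 ID=9 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0
May 18 10:03:11 router kernel: New not syn:IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.105.11.20 LEN=40 TOS=0x00 PREC=0x00 TTL=61 ID=10 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0
May 18 10:03:12 router kernel: New not syn:IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.105.11.20 LEN=40 TOS=0x00 PREC=0x00 TTL=61 ID=11 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0
May 18 10:05:00 router kernel: New not syn:IN=eth0 OUT=eth1 SRC=192.0.2.44 DST=10.105.11.25 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=7 DF PROTO=TCP SPT=60123 DPT=25 WINDOW=512 RES=0x00 ACK URGP=0
May 18 10:05:01 router kernel: eth1: link is up
"""


def parse_line(line):
    """Fields of one 'New not syn' LOG line as a dict, or None for other kernel messages."""
    i = line.find(PREFIX)
    if i < 0:
        return None
    rec = dict(KV.findall(line[i + len(PREFIX):]))
    rec["TS"] = " ".join(line.split()[:3])      # syslog timestamp prefix
    return rec


def summarise(text, top=10, scan_ports=4):
    """Counts per source and destination port, plus sources that hit >= scan_ports ports."""
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    by_src = Counter(r["SRC"] for r in recs)
    by_port = Counter(int(r["DPT"]) for r in recs if "DPT" in r)
    ports_seen = defaultdict(set)
    for r in recs:
        if "DPT" in r:
            ports_seen[r["SRC"]].add(int(r["DPT"]))
    scanners = sorted(s for s, ps in ports_seen.items() if len(ps) >= scan_ports)
    return {
        "total": len(recs),
        "top_sources": by_src.most_common(top),
        "top_ports": by_port.most_common(top),
        "scanners": scanners,
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    print("logged packets:", report["total"])
    print("top sources:", report["top_sources"])
    print("top ports:", report["top_ports"])
    print("possible scanners:", report["scanners"])
```

The same `summarise` can be run over a day's kernel log to give the pro-active alert the slide asks for, e.g. by mailing the `scanners` list when it is non-empty.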

Network, Services and User Management
Eternal vigilance is the price of liberty!

• How is the network doing?
• Are all services up?
• How much email in/out? How many viruses?
• Who’s using the Web proxy? For what?
• Are users happy? www.gnu.org/software/gnats

IIT Bombay WAN Links

Nagios

Nagios (ctd.)

Mail Usage Statistics

Page 64

Mail Usage Statistics

Page 65

Mail Server Statistics

Page 66

Mail Server Statistics

Page 67

Web Proxy Usage

Page 68

Web Server Hits

Page 69

Web Server Hits

Page 70

Goals of Centralized Logging

Static data/reports distributed over various servers are not very useful.

1. Look in one place, using one set of tools.
2. Archive logs: keep logs around for at least a year.
3. Generate alerts: when something goes wrong.
4. Identify trends: what "business as usual" looks like.
5. Do this preferably with FLOSS (open standards/source).

Achievable with rsyslog!

Page 71

Configuring rsyslog

/etc/rsyslog.conf (central log server)

# Provides UDP syslog reception
$ModLoad imudp.so
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp.so
$InputTCPServerRun 514

# Only accept messages from campus hosts (reverse-DNS wildcard or CIDR).
# Note: the source address of a UDP datagram is not authenticated.
$AllowedSender UDP, *.iitb.ac.in
$AllowedSender UDP, 10.5.0.0/16
$AllowedSender TCP, *.iitb.ac.in
$AllowedSender TCP, 10.99.32.251

Page 72

Templates and Filtering Patterns

Store by date. Filter 407 (Denied) messages.

# Dynamic file names: one directory per month, one file per day.
$template Dynsquid2,"/logdisk/squid.logfiles/%$YEAR%%$MONTH%/squid_access_log_407.%$YEAR%%$MONTH%%$DAY%"
$template Dynsquid3,"/logdisk/squid.logfiles/%$YEAR%%$MONTH%/squid_access_log.%$YEAR%%$MONTH%%$DAY%"

# Older property-based filter form, equivalent to the second if/then below:
#:syslogtag, contains, "squid" ?Dynsquid3

# Proxy-authentication denials (HTTP 407) go to their own daily file ...
if \
   ($syslogtag contains 'squid'
    and ($msg contains 'TCP_DENIED/407')) \
   then ?Dynsquid2
# ... and, as nothing stops processing after the first action,
# every squid line (407s included) also lands in the full daily log.
if \
   ($syslogtag contains 'squid') \
   then ?Dynsquid3
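Added example, not code from the talk: the same TCP_DENIED/407 test that the rsyslog filter above applies, carried one step further in Python over constructed Squid access-log lines, to show what the "generate alerts" and "identify trends" goals of the centralized-logging slide can look like once the 407 lines sit in one place. The log format assumed is Squid's native access.log layout; the client addresses, the sample lines and the alert threshold of 3 are constructed for illustration.

```python
"""Find clients generating bursts of Squid TCP_DENIED/407 (proxy auth required).

Added example, not code from the talk. Assumes Squid's native access.log
format: "timestamp elapsed client result/status bytes method URL user
hierarchy/peer content-type". The threshold is an illustrative choice.
"""
import re
from collections import Counter

# Constructed sample lines (not real IIT Bombay traffic). The first 407 a
# client gets is normal: the browser retries with credentials and gets a 200.
# The last line is deliberately malformed to show that junk is skipped.
SAMPLE_LOG = """\
1400400000.101    45 10.5.1.17 TCP_DENIED/407 3819 GET http://example.com/ - HIER_NONE/- text/html
1400400001.020   230 10.5.1.17 TCP_MISS/200 14230 GET http://example.com/ alice HIER_DIRECT/93.184.216.34 text/html
1400400002.410    40 10.5.2.9 TCP_DENIED/407 3819 GET http://example.org/ - HIER_NONE/- text/html
1400400003.002    41 10.5.2.9 TCP_DENIED/407 3819 GET http://example.org/ - HIER_NONE/- text/html
1400400003.500    39 10.5.2.9 TCP_DENIED/407 3819 GET http://example.org/ - HIER_NONE/- text/html
1400400004.111    44 10.5.2.9 TCP_DENIED/407 3819 GET http://example.org/ - HIER_NONE/- text/html
1400400005.777   310 10.5.3.3 TCP_HIT/200 5120 GET http://example.net/ bob HIER_NONE/- text/css
1400400006.000     0 10.5.3.3 garbage line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None (never raise on junk)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_auth_denied(rec):
    """Same test as the rsyslog filter: result TCP_DENIED with status 407."""
    return rec["result"] == "TCP_DENIED" and rec["status"] == 407


def denied_407_by_client(lines):
    """Count 407 denials per client address."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_auth_denied(rec):
            counts[rec["client"]] += 1
    return counts


def clients_never_authenticated(lines):
    """Clients that received 407s but never a 2xx/3xx: the retry with
    credentials never succeeded, which is how a misconfigured client or
    repeated wrong credentials look in the log."""
    denied, succeeded = set(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_auth_denied(rec):
            denied.add(rec["client"])
        elif 200 <= rec["status"] < 400:
            succeeded.add(rec["client"])
    return sorted(denied - succeeded)


def alerts(lines, threshold=3):
    """'Generate alerts' goal: clients at or above `threshold` 407s.
    The threshold is illustrative and should be tuned per site."""
    counts = denied_407_by_client(lines)
    return sorted(c for c, n in counts.items() if n >= threshold)


def summary(lines):
    """'Identify trends' goal: share of parsed requests that were 407s.
    Tracked per day, this gives the 'business as usual' baseline."""
    total = denied = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        if is_auth_denied(rec):
            denied += 1
    return {"requests": total, "denied_407": denied,
            "denied_ratio": (denied / total) if total else 0.0}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(denied_407_by_client(lines))
    print("alert:", alerts(lines))
    print("never authenticated:", clients_never_authenticated(lines))
    print(summary(lines))
```

The caveat the counting relies on: with proxy authentication a single 407 per client is normal (the client retries with credentials), so the signal worth alerting on is a burst of 407s from one client, or a client that never reaches a 2xx, not the status code by itself.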

Page 73

Log Archival at IIT Bombay

Page 74

Squid Logs

Page 75

Focus of Lab Tomorrow

1. AWStats (http://awstats.sourceforge.net/)

AWStats is an open source Web analytics reporting tool, suitable for analyzing data from Internet services such as web, streaming media, mail and FTP servers. AWStats parses and analyzes server log files, producing HTML reports. Data is visually presented within reports by tables and bar graphs. Static reports can be created through a command line interface, and on-demand reporting is supported through a web browser CGI program.

2. OSSEC (http://www.ossec.net/)

OSSEC is a free, open source host-based intrusion detection system (HIDS). It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response.
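As an added illustration of the integrity checking that the OSSEC description mentions, not OSSEC's own code and not part of the talk: a minimal baseline-and-compare in Python over a constructed directory tree. The file names, contents and the JSON baseline store are constructed for the example; a real deployment keeps the baseline (and the checker) where an intruder on the monitored host cannot rewrite it along with the files.

```python
"""Host file-integrity check of the kind OSSEC's syscheck performs.

Added example, not OSSEC's code or the talk's. It assumes the monitored set
is a directory tree and that a JSON file is an adequate baseline store.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative path) to hash, size, mode."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):
                continue  # skip sockets, fifos, dangling symlinks
            st = os.stat(full)
            baseline[os.path.relpath(full, root)] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return baseline


def compare(old, new):
    """Classify differences: added and removed paths, and which attribute
    (content hash, size, permission bits) changed on surviving paths."""
    old_paths, new_paths = set(old), set(new)
    modified = {}
    for p in old_paths & new_paths:
        fields = [k for k in ("sha256", "size", "mode") if old[p][k] != new[p][k]]
        if fields:
            modified[p] = fields
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": modified,
    }


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: baseline a tiny 'etc' tree, change it, diff."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(etc, "shadow"), "w") as f:
            f.write("root:*:16000:0:99999:7:::\n")
        os.chmod(os.path.join(etc, "shadow"), 0o600)

        # Baseline stored outside the monitored tree (off-host in practice).
        store = os.path.join(root, "baseline.json")
        save_baseline(build_baseline(etc), store)

        # Changes an administrator wants flagged: a content edit, a
        # permission change, a deletion and a new file.
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("svc:x:1001:1001::/var/empty:/bin/false\n")
        os.chmod(os.path.join(etc, "shadow"), 0o644)
        os.remove(os.path.join(etc, "hosts"))
        with open(os.path.join(etc, "motd"), "w") as f:
            f.write("maintenance tonight\n")

        return compare(load_baseline(store), build_baseline(etc))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Recording size and permission bits alongside the hash is what lets the check flag a world-readable shadow file whose content did not change; a hash-only baseline would miss it.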
