RHS333: Red Hat Enterprise Security: Network Services
Objectives
Learn how to improve and maintain the security of typical network services provided on a Red Hat Enterprise Linux system
Focus on mechanisms at the Transport layer or higher in the OSI network model
Securing services
Cryptography
Intrusion Detection and prevention
Audience and Prerequisites
Audience: System administrators, consultants, and other IT professionals
Prerequisites: RH253, RH300, RHCE certification or comparable work experience; knowledge of basic configuration of the network services covered in the course
Notes on Internationalization
Unit 1
The Threat Model and Protection Methods
Objectives
Upon completion of this unit, you should be able to:
Describe the basic attacks on a system
Apply simple measures against attacks on host security
Describe the available protection methods
Define virtualization
Work with Xen tools
The Attacker's Plan
Gather intelligence on the target system
Identify vulnerabilities of the target
Gain any access to the target required
Use a vulnerability to successfully compromise the system
Avoid retaliation for the attack
System Security
End system compromises include
Attacks on system availability
Unauthorized access
Inappropriate use by authorized users
These compromises may involve
Exploiting flawed or misconfigured software
Exploiting protocol weaknesses
Exploiting trust relationships
Service Availability
Applications must remain available
Denial of Service (DoS) attacks
May simply be used to disrupt service
May be used to silence a legitimate client so that the attacker can spoof it
Monitoring is critical
Service status and network activity
Information Leakage
Services leak information
Banner messages (software and version)
Hosts or accounts that may use the service
Resources that are available
This information may be used by an attacker to prepare an intrusion attempt
Authentication and Trust
Secure services need to authenticate client identities and authorize access
Weak authentication
Credential capture attacks
Lead to misauthentication and compromise
Inappropriate trust
Stolen data or authentication credentials
Compromise of one trusted host can lead to compromise of many hosts
Input Validation Attack
Responsible for many remote exploits
Program fails to properly check user input for validity
Buffer overflows
More data placed in buffer than expected
Crashes program or executes arbitrary code
Format string attacks
User data used as the format string itself, e.g. printf(buf) instead of printf("%s", buf)
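The input-validation failure above, shown at the service layer rather than in C. This is an added example and not part of the RHS333 course material: a handler that receives a hostname from a client, once with the raw string re-parsed as shell code (the unsafe version) and once with a whitelist and length check before the value is used. Function names and the sample inputs are this example's own.

```shell
#!/bin/sh
# Added example, not from the RHS333 course material: a service-side handler
# that takes a hostname from the client. lookup_unsafe() re-parses the raw
# string as shell code, lookup_safe() validates it first. Function names and
# the sample inputs are this example's own.

# Vulnerable: the untrusted value is spliced into a command line and handed
# to eval, so a client string such as "a; id" runs id on the server. This is
# the shell equivalent of the slide's "executes arbitrary code".
lookup_unsafe() {
    eval "printf 'lookup: %s\n' $1"
}

# Validation: enforce a length cap and a character whitelist, and fail closed.
valid_hostname() {
    [ ${#1} -gt 0 ] && [ ${#1} -le 253 ] || return 1   # 253 is the DNS name limit
    case $1 in
        *[!A-Za-z0-9.-]*) return 1 ;;   # anything outside the whitelist (space, ';', '$', ...)
        -*)               return 1 ;;   # a leading '-' would be parsed as an option by many tools
    esac
    return 0
}

# Hardened: validate, then pass the value as a quoted argument, never as code.
lookup_safe() {
    valid_hostname "$1" || { echo "lookup: rejected input" >&2; return 1; }
    printf 'lookup: %s\n' "$1"
}
```

The fix has two parts that belong together: the whitelist rejects metacharacters the parser would interpret, and the quoted argument means that even an unexpected value is data, not code. A length cap alone would not have stopped the injection, and a whitelist alone does not excuse the eval.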
Protection Mechanism
Firewalls
Netfilter
Proxy
Local packet filters
TCP Wrappers
Xinetd
Pluggable Authentication Modules
Security Enhanced Linux
Service specific
Application hardening
Packet Filters
Low level security
Used as firewalls
Network Proxies
Often used in DMZ
Good at filtering content
Local Security
Why do local security?
Firewalls do not stop intruders from within
Firewalls cannot offer perfect protection
Firewalls cannot filter content like the application can
TCP Wrappers and xinetd
TCP Wrappers
Apply to services linked against libwrap.so (check with ldd)
Powerful for logging and access control
xinetd
Access control for services under xinetd's control
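The order in which TCP Wrappers evaluates hosts.allow and hosts.deny is the part most often got wrong, so here it is as a runnable model. This is an added example, not the course's own material and not libwrap: it builds constructed hosts.allow and hosts.deny files in a scratch directory and re-implements only the common subset of the syntax (daemon_list : client_list, ALL, exact addresses and "192.168.1."-style prefixes). The addresses, daemon names and the xinetd stanza are made up for the example.

```shell
#!/bin/sh
# Added example, not from the RHS333 course material: a small shell model of
# the tcp_wrappers decision order, run against constructed hosts.allow and
# hosts.deny files in a scratch directory so it works offline. It covers only
# the common subset of the real syntax (daemon_list : client_list, ALL, exact
# addresses and "192.168.1."-style prefixes); it is not libwrap and must not
# be used to enforce anything. Addresses and daemon names are made up.

WRAPDIR=$(mktemp -d)
trap 'rm -rf "$WRAPDIR"' EXIT

# Only daemons linked against libwrap consult these files at all. On a real host:
#   ldd /usr/sbin/sshd | grep libwrap
wrapped() { ldd "$1" 2>/dev/null | grep -q libwrap; }

cat >"$WRAPDIR/hosts.allow" <<'EOF'
# daemon_list : client_list   (allow sshd from the admin subnet and one host)
sshd   : 192.168.1. , 10.0.0.5
vsftpd : 192.168.1.
EOF
cat >"$WRAPDIR/hosts.deny" <<'EOF'
ALL : ALL
EOF

# xinetd on RHEL is built with libwrap: hosts.allow/hosts.deny are checked first,
# then xinetd's own only_from and access_times from the service file.
cat >"$WRAPDIR/xinetd.d-telnet" <<'EOF'
service telnet
{
    only_from    = 192.168.1.0/24
    access_times = 08:00-18:00
    disable      = no
}
EOF

# pattern_matches PATTERN VALUE -> 0 when a wrappers pattern matches a value
pattern_matches() {
    case $1 in
        ALL) return 0 ;;
        *.)  case $2 in "$1"*) return 0 ;; *) return 1 ;; esac ;;  # prefix form 192.168.1.
        *)   [ "$1" = "$2" ] ;;
    esac
}

# list_matches "a , b" VALUE -> 0 when any comma-separated item matches
list_matches() {
    _old_ifs=$IFS; IFS=,
    for _item in $1; do
        _item=$(printf '%s' "$_item" | tr -d ' \t')      # trim whitespace around items
        if pattern_matches "$_item" "$2"; then IFS=$_old_ifs; return 0; fi
    done
    IFS=$_old_ifs
    return 1
}

# file_matches FILE DAEMON CLIENT -> 0 when some rule in FILE matches both
file_matches() {
    while IFS= read -r _line; do
        case $_line in ''|'#'*) continue ;; esac
        if list_matches "${_line%%:*}" "$2" && list_matches "${_line#*:}" "$3"; then
            return 0
        fi
    done <"$1"
    return 1
}

# tcpwrap_decide DAEMON CLIENT -> allow or deny, in libwrap's order:
#   1. a match in hosts.allow grants access
#   2. otherwise a match in hosts.deny refuses it
#   3. otherwise access is granted, which is why hosts.deny should end in "ALL : ALL"
tcpwrap_decide() {
    if   file_matches "$WRAPDIR/hosts.allow" "$1" "$2"; then echo allow
    elif file_matches "$WRAPDIR/hosts.deny"  "$1" "$2"; then echo deny
    else echo allow
    fi
}
```

The third step is the one to remember: with an empty hosts.deny, every wrapped service is open to every client, whatever hosts.allow says. Keep "ALL : ALL" in hosts.deny and list exceptions in hosts.allow.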
PAM and SELinux
Pluggable Authentication Modules
Control access to individual services
Time
Usage limits
Location
Security Enhanced Linux
Mandatory Access Control
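The three PAM controls the slide names (time, usage limits, location) map to three modules and three files under /etc/security. The following is an added example, not from the course material: it stages those fragments under a scratch directory and adds a small evaluator for pam_time's day/time syntax so the time rule can be checked offline. The module names and file paths are the real ones; the evaluator and the group, subnet and limit values are this example's own, and the evaluator covers only the "<days><HHMM>-<HHMM>" form.

```shell
#!/bin/sh
# Added example, not from the RHS333 course material: the three PAM controls
# named on the slide, staged as config fragments under a scratch directory,
# plus a small evaluator for pam_time's day/time syntax so the rule can be
# checked offline. Module names and file paths are the real ones; the
# evaluator is this example's own and covers only "<days><HHMM>-<HHMM>".

PAMSTAGE=$(mktemp -d)
trap 'rm -rf "$PAMSTAGE"' EXIT
mkdir -p "$PAMSTAGE/pam.d" "$PAMSTAGE/security"

# 1. Time: /etc/security/time.conf, read by pam_time.so.
#    Fields are services;ttys;users;times. Non-root sshd logins only on
#    weekdays 08:00-18:00.
cat >"$PAMSTAGE/security/time.conf" <<'EOF'
sshd;*;!root;Wk0800-1800
EOF

# 2. Usage limits: /etc/security/limits.conf, read by pam_limits.so.
#    At most 3 concurrent logins per member of group users.
cat >"$PAMSTAGE/security/limits.conf" <<'EOF'
@users  hard  maxlogins  3
EOF

# 3. Location: /etc/security/access.conf, read by pam_access.so.
#    permission : users : origins. Everyone but root must come from 192.168.1.
cat >"$PAMSTAGE/security/access.conf" <<'EOF'
- : ALL EXCEPT root : ALL EXCEPT 192.168.1.
EOF

# The service file that makes sshd consult all three (account and session stacks).
cat >"$PAMSTAGE/pam.d/sshd" <<'EOF'
account   required   pam_time.so
account   required   pam_access.so
session   required   pam_limits.so
EOF

# pam_time_allows TIMESPEC DAY HHMM -> 0 if the spec admits that day and time.
# DAY is Mo Tu We Th Fr Sa Su; HHMM is a 24h clock. Handles the day aliases
# Wk (Mo-Fr), Wd (Sa-Su) and Al, and one HHMM-HHMM range, including one that
# wraps past midnight (e.g. Wd2200-0600).
pam_time_allows() {
    spec=$1 day=$2 now=$3
    days=${spec%%[0-9]*}          # leading day codes
    range=${spec#"$days"}         # trailing HHMM-HHMM
    start=${range%-*} end=${range#*-}
    case $days in
        *Al*)     dayok=1 ;;
        *Wk*)     case $day in Mo|Tu|We|Th|Fr) dayok=1 ;; *) dayok=0 ;; esac ;;
        *Wd*)     case $day in Sa|Su) dayok=1 ;; *) dayok=0 ;; esac ;;
        *"$day"*) dayok=1 ;;
        *)        dayok=0 ;;
    esac
    [ "$dayok" = 1 ] || return 1
    if [ "$start" -le "$end" ]; then
        [ "$now" -ge "$start" ] && [ "$now" -lt "$end" ]
    else                          # range wraps midnight
        [ "$now" -ge "$start" ] || [ "$now" -lt "$end" ]
    fi
}
```

Note which stack each module sits in: pam_time and pam_access are account checks (the answer does not depend on how the user authenticated), while pam_limits is a session module because limits are applied to the process the session creates.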
Service Security
Control mechanisms specific to one service, not available system-wide
Specialized security
ExecShield
Segment Limits
NX/XD-Technology
sysctl kernel.exec-shield
Virtualization with Xen
Advantages of Virtualization
Effective resource usage
Manageability
Security
Key Concepts of Xen
Small Hypervisor
First “Domain” manages the system
Supports full and para virtualization
Xen Domains
Xen virtual hosts are called domains
First domain loaded is called Domain-0
Domain-0 is booted immediately after the hypervisor starts
Domain-0 provides the user interface at the console
Domain-0 is used to install and manage other domains
In a real-world setting Domain-0 should be used only to manage other domains.
Additional domains have specific names but are also generically referred to as Domain-U
Domain-U configuration files are stored in /etc/xen/domain
Xen Configuration
Network connectivity can be configured to "bridge" through the network interface of Domain-0
By default mapped to xenbr0
Each Domain-U has its own independent network configuration
Xen domains use either special files or block devices for storage
Domains are started by a service called xendomains
xendomains determines which domains to start from the domain configuration files linked in /etc/xen/auto
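The configuration conventions from the last two slides, worked through. This is an added example, not part of the course material: a Domain-U configuration file in the Python-style syntax xend reads, bridged onto xenbr0, with the /etc/xen/auto symlink that makes xendomains start it at boot. Everything is staged under a scratch directory so it runs without Xen; the domain names, disk image path, MAC addresses and sizes are made up for the example.

```shell
#!/bin/sh
# Added example, not from the RHS333 course material: a Domain-U config file
# in the Python-style syntax xend reads, and the /etc/xen/auto symlink that
# makes xendomains start it at boot. Everything is staged under a scratch
# directory so it runs without Xen; the domain names, disk image path, MAC
# addresses and sizes are made up for the example.

XENSTAGE=$(mktemp -d)
trap 'rm -rf "$XENSTAGE"' EXIT
mkdir -p "$XENSTAGE/auto"

# /etc/xen/web01: a paravirtualised guest bridged onto Domain-0's xenbr0.
cat >"$XENSTAGE/web01" <<'EOF'
name       = "web01"
memory     = 512
vcpus      = 1
bootloader = "/usr/bin/pygrub"
disk       = [ "file:/var/lib/xen/images/web01.img,xvda,w" ]
vif        = [ "mac=00:16:3e:00:00:01,bridge=xenbr0" ]
on_reboot  = "restart"
on_crash   = "restart"
EOF

# A second guest that exists but is NOT linked into auto/, so it stays down at boot.
sed 's/web01/db01/; s/00:00:01/00:00:02/' "$XENSTAGE/web01" >"$XENSTAGE/db01"

# Mark web01 for autostart. On a real host: ln -s /etc/xen/web01 /etc/xen/auto/web01
ln -s "$XENSTAGE/web01" "$XENSTAGE/auto/web01"

# xendomains_autostart AUTODIR -> prints, one per line, the "name" of every
# domain whose config is linked in AUTODIR (what "service xendomains start" creates).
xendomains_autostart() {
    for cfg in "$1"/*; do
        [ -f "$cfg" ] || continue                     # skip dangling links and non-files
        sed -n 's/^name[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$cfg"
    done
}

# xen_bridge CONFIGFILE -> the bridge the first vif attaches to (xenbr0 when unset)
xen_bridge() {
    b=$(sed -n 's/.*bridge=\([^,"]*\).*/\1/p' "$1" | head -n 1)
    echo "${b:-xenbr0}"
}
```

Keeping the real configuration in /etc/xen and only a symlink in /etc/xen/auto means a domain can be removed from the boot set (rm the link) without losing its definition, and a dangling link is harmless rather than a boot-time error.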