Security Design Principles

1 Nixu SNS Security White Paper October 2006 Version 1.1 Nixu Software Limited Nixu Group © Nixu Software Limited 2006. All Rights Reserved. 2 Contents 1 Security Design Principles.................................................................................................................... 3 1.1 Defense in Depth .......................................................................................................................... 4 1.2 Principle of Least Privilege............................................................................................................ 4 1.3 Principle of Default Deny .............................................................................................................. 4 Application Security .............................................................................................................................. 5 2.1 Software Components .................................................................................................................. 5 2.2 Authentication ............................................................................................................................... 5 2.3 Authorization and Access Controls............................................................................................... 6 2.4 Audit Trail ...................................................................................................................................... 6 2.5 Running Root-privileged Shell Commands .................................................................................. 7 O/S Security.......................................................................................................................................... 7 3.1 O/S Hardening .............................................................................................................................. 7 3.2 Firewall .......................................................................................................................................... 7 3.3 IPS................................................................................................................................................. 7 3.4 Patch Management....................................................................................................................... 7 2 3 © Nixu Software Limited 2006. All Rights Reserved. 3 1 Security Design Principles This chapter describes some general security design principles used in Nixu SNS. Nixu SNS has been built on CentOS 4.3 operating system that has been specifically hardened for DNS use. CentOS is a freely distributable operating system built from the RHEL source available at: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/4/en/os/i386/SRPMS. The system architecture of Nixu Secure Name Server (SNS) is depicted in Figure 1 below. Nixu SNS includes a web-based user-interface implemented using web server (Apache 2.0.52) and PHP-module (4.3.9). The environment has been hardened using Bastille hardening tool (version 3.0.9-1.0). For intrusion detection (IDS) and prevention (IPS), PSAD version1.4.6-1 has been used. The general functionality of the firewall and the IPS system is depicted in Figure 2 below. Figure 1 Nixu SNS Architecture Figure 2: IPS Architecture © Nixu Software Limited 2006. All Rights Reserved. 4 1.1 Defense in Depth Nixu SNS has been designed applying the Principle of Defense in Depth. Defense in Depth has been applied when more than one subsystem has to be compromised to compromise the security of the entire system. Defense in Depth is the concept of protecting a computer network with a series of defensive mechanisms such that if one mechanism fails, another will already be in place to block an attack. In the case of Nixu SNS, the Principle of Defense in Depth involves the following: • • • • • • • • • Encrypted connections In-host firewall IPS system ACLs for enabled services Services are running with secure configurations Web-UI authenticates the users Web UI writes logs of the user actions O/S is hardened and backups are taken periodically If possible, Perimeter firewall for the network is used 1.2 Principle of Least Privilege Nixu SNS has been designed applying the Principle of Least Privilege. According to the Principle of Least Privilege, every user, process and program should be able to see only such information and resources that are necessary for them to perform a given operation or task. The idea behind the principle is to grant as minimal privileges as possible to permit a legitimate action, thereby enhancing the protection of data and functionality from faults and malicious behaviour. In the case of Nixu SNS, the Principle of Least Privileged involves the following: • • • • Services are not running as root There are multiple level user accounts for Web-UI and shell access User accounts have necessary permissions only, to do only the necessary actions Use sudo when privilege escalation is required 1.3 Principle of Default Deny Nixu SNS has been designed applying the Principle of Default Deny. When the Principle of Default Deny has been implemented, anything that is not explicitly allowed is denied regardless of whether the function is related to access, privileges, some security-related attribute or other similar function. In the case of Nixu SNS, the Principle of Default Deny involves the following: • • • • Firewall blocks all but explicitly allowed connections Shell access for users needs to be explicitly permitted All but necessary services are disabled All but necessary packages are removed © Nixu Software Limited 2006. All Rights Reserved. 5 2 Application Security 2.1 Software Components CentOS Linux 4.3 i386: - RPMs have been stripped to the bare minimum. Complete package list can be found at the end of this document - Updates included until May 9 2006 Apache Web Server 2.0.52-28 - Includes security fixes to 2.0.52 CAN-2004-0885, CVE CAN-2004-0942, CVE-2006-3918 - Apache runs as user apache by default Web server; PHP-module (php 4.3.9-3.12) - Includes security fixes to 4.3.9 CAN-2004-0958 and other fixes - As shell_exec() function is used in PHP scripts, the safemode can’t be enabled; the shell_exec() function is disabled in safemode. BIND 9.2.4-2 - Secure and stable release of ISC BIND Bastille 3.0.9-1.0 and PSAD 1.4.6-1 - These components form the basis for the IDS/IPS system. Both are the latest releases and have no known security issues Nixu SNS 1.0.1 (proprietary code by Nixu Software used to integrate software components and in the management utilities) is included in the software package. Both the software architecture and the entire Nixu SNS software package has been audited and tested by independent third-parties; updates will be released and delivered, if and when necessary, by Nixu Software. 2.2 Authentication An attempt to access any script in the WebUI causes system to authenticate the user. If the user is not authenticated or authentication cannot be performed, the user is redirected to login page. Login prompts user for username and password. Both successful and unsuccessful login attempts will be logged in the Nixu SNS system log. To defend against brute force attack, the logging system monitors for brute force attempts and slows the attacker down (using e.g. sleep() or similar). Also, Nixu SNS offers a possibility to temporarily block access from IP addresses which have made repeated failed login attempts. Shell users are authenticated using Unix Password or any other supported authentication module. By default, only Root user exists: additional users should be created by the administrator as needed. © Nixu Software Limited 2006. All Rights Reserved. 6 2.3 Authorization and Access Controls User account types are limited to 2 (admin & normal user) to keep access control simple and easy to maintain. Admin users have an access to all functions in the system, whereas normal users do not have an access to the System-area (including User Management). User account level is defined in user editing page as a drop-down menu. The following table describes the quality parameters for a password. Minimum password length Maximum password age Force password change on expiry Force password quality Contain at least one alphabetic and one nonalphabetic character Maximum consecutive identical character from any position in the previous password Maximum identical consecutive characters Contain UserID or user name as part of the password Passwords found in dictionary not allowed Force password change at first logon Minimum time between password changes Retries before account lockout Minimum delay between retries Number of previous passwords remembered and prevented to be reused Recommended value 8 characters 180 days, privileged accounts 90 days Yes Yes Yes 3 2 No Yes Yes 24 h 5 5 s, must increase exponentially with each failed attempt 8 2.4 Audit Trail In case Nixu SNS is compromised by a security breach, the system has an audit trail showing further information about the occurrence. Preferably, the audit trails should be stored remotely where they can only be appended to, as this approach keeps intruders from covering their tracks. Nixu SNS writes its logs into syslog with special user-facility with different severity levels (e.g. warning, notice, error). This log is separated from the system logs (/var/log/messages) can and should be kept in a separate place. Here are some examples of what kind of information is written to the audit trail log: • • • • • • Date and time Username and authorization information (UID, GID) The process number (PID). All Authentication and Authorization Events Login, logout, failed logins All admistrator activity © Nixu Software Limited 2006. All Rights Reserved. 7 2.5 Running Root-privileged Shell Commands Nixu SNS’s WebUI executes php scripts that execute root privileged scripts performing only one thing, and are not capable of doing anything else. The privilege escalation for running the privileged scripts is handled using sudo. Each script (or directory of scripts) is explicitly mentioned in /etc/sudoers, and Apache is not capable of running anything else as root. The risk of input validation has been eliminated by eliminating the use of arguments in the scripts. If arguments are required, escapeshellcmd and escapeshellarg are used. 3 O/S Security 3.1 O/S Hardening The CentOS 4.3 operating system environment is hardened using Bastille. Bastille is a system hardening/lockdown program enhancing the security level of a UNIX host. Bastille configures daemons, system settings and firewalls to be make them more secure. It switches off unnecessary services such as pwgrd and printing services, and configures client software such as rcp and rlogin for enhanced security. It also helps create "chroot jails" that help by limiting the vulnerability of common Internet services such as DNS and web servers. 3.2 Firewall In-host firewall allows only necessary ports inbound: • • • • TCP 80 TCP 443 TCP & UDP 53 TCP 22 Outbound traffic has currently not been restricted. Using system tools, administrators can configure the in-host firewall within the boundaries set by Bastille. By disabling Bastille, administrators can configure iptables without limitations. 3.3 IPS Nixu SNS uses PSAD as an IPS system to monitor attacks and to create temporary rules. PSAD is a collection of three daemons that analyze firewall logs to detect port scans and other suspicious traffic. Figure 2 on page 3 of this White Paper depicts the general IPS functionality in Nixu SNS. PSAD is lightweight and rather simple to configure. 3.4 Patch Management Nixu SNS uses RPM packaging in both O/S and on the application side. Nixu SNS can be configured to download all updates automatically, and to install the downloaded updates either semi-automatically or automatically. Yum is used for updates. © Nixu Software Limited 2006. All Rights Reserved. 8 CentOS updates are downloaded from repositories; CentOS uses an automatic GeoIP based repository management where Client IP is checked and 10 closest repository addresses are returned. Further information about this functionality can be found from: http://www.centos.org/modules/news/article.php?storyid=118 For updates to Nixu SNS, a separate repository is used. This repository is contacted via separate authentication module operating as a proxy for Yum. Nixu Software tests all software updates over previous versions prior to their release to the end-users. This process has been put into place in order to make sure that customers are offered a safe update path whenever they trigger the update process. Figure 3 YUM Updates in Nixu SNS © Nixu Software Limited 2006. All Rights Reserved.