The layered approach to security on Linux

Ir. Tejinder Singh
Asia Pacific Institute of Information Technology (APIIT)
Technology Park Malaysia, 57000 Kuala Lumpur

Abstract

Networking is an area of computing that has grown at a remarkable rate since the World Wide Web became popular in the mid 1990s. The decreasing cost of the necessary hardware and software has made networking affordable and will accelerate that growth for years to come. The growth translates into more users and more data being transmitted across computer networks. As the number of trusted users increases, so does the number of attackers and rogue users. For business and financial reasons it is becoming increasingly important for network and systems administrators to protect their hosts from these rogue users. This paper targets a non-technical audience and aims to raise awareness that such methods of securing computer systems exist and can be applied cost-effectively. It discusses Linux security in a layered manner and, for each layer, the tools used to secure networks and systems. The paper concludes by highlighting an open source security project undertaken by a team led by the author.

Keywords: open source security, computer security, Linux security, firewalls

1.0 Introduction

The growth of computer networks brings with it an inherent element of risk. Every day more hosts are connected to the vast global network we affectionately call the Internet. Companies, universities, colleges and schools, as well as homes, are going online in increasing numbers, and more and more of them remain connected 24 hours a day, seven days a week. It is no longer a question of whether they will be attacked, but of when.
Albert Einstein once remarked, "We cannot solve the problems that we have created with the same thinking that created them." We certainly have security problems today. The first line of defense for any computer network is the firewall, and open source software such as Linux and the BSDs offers a very cost-efficient way of building one. The story of security does not end there. Securing a system or a network requires a good knowledge of operating system principles, TCP/IP networking fundamentals and server administration. This paper is not a step-by-step guide to securing or hardening a Linux-based server; that is covered in greater detail elsewhere. It provides an overview of the areas where Linux can and should be secured. It does not discuss the countermeasures security professionals use to detect attacks on systems, or methods of mitigating them.

2.0 Layered Approach to Information Security

There is no such thing as a perfectly secure system or a perfectly secure network server. Linux was designed as a networking operating system and its development has had a strong focus on security. The open source nature of the operating system is what allows network administrators, developers and users to constantly monitor and audit it for vulnerabilities.

There is nothing mystical about information security. The concept cuts across many disciplines, including network administration, systems administration, programming, documentation, auditing and training. It is vital that corporate resources are protected, and protected well; any compromise will negatively affect the operation of the organization. Security is not a product and it is not software; it is a way of thinking. Security cannot be started and stopped like a service. Security is training, documentation and design implementation. Security is about having a security policy.
The security policy document tells the rest of the organization's members what is being protected and how. The onus of producing this document usually falls on the network administrator. The IETF Site Security Handbook (RFC 1244, since superseded by RFC 2196) is a good and comprehensive guide to developing security policy and procedures. Another web resource for security policy information is www.sans.org/newlook/resources/policies/policies.htm.

The defense of the network is of paramount importance. The approach to security, i.e. the security policy, should work from the kernel outwards, starting at the core of the Linux server. The defense mechanism should cover the network configuration of the server, the network applications that run on it, the perimeter of the organization's network, and even the remote access clients used by road warriors to reach corporate resources over the public Internet. There are several layers that need to be considered:

• Physical Security
• System Security
• Network Security
• Application Security
• Perimeter Security
• Remote Access and Authentication

2.1 Physical Security

This is the most fundamental and most overlooked aspect of Linux security. Physical security starts with the surroundings: is the server room locked? Is the data room under lock and key? Who is authorized to enter the data center? Proper care must be exercised when building a new installation or moving to a new location.

2.2 System Security

System security spans the gamut from choosing a Linux distribution and building a kernel to user account security, file and directory permissions, syslog security and filesystem encryption. These tasks are completed before the server is ever connected to the Internet. The choice of distribution depends on the needs set out in the security policy; there are criteria for choosing a distribution, but they are outside the scope of this paper.
Building a custom kernel has two advantages: the security options of the kernel are chosen by the network administrator, and the administrator knows exactly what was compiled into the kernel and can therefore identify which vulnerabilities, if any, apply to it. Applying a patch to fix a kernel vulnerability means recompiling the kernel. This may scare off general users, but fret not: open source software in general, and Linux in particular, has improved in ease of use and has utilities that make applying patches easier. On Red Hat Linux, for example, running up2date and installing what it reports is enough, and you retain full control of your installation.

User account security also plays a huge role. Areas to look into are disabling inactive accounts, disabling root access over NFS mounts (root squashing), and restricting root logins to the system console.

Filesystem encryption uses cryptographic techniques that are often the last line of defense for a network. There are two common approaches: the Cryptographic File System (CFS) and the Practical Privacy Disk Driver (PPDD).

The system can be monitored; on Linux, system messages are recorded by the syslog utility. Monitoring tools include swatch and logcheck: swatch is a real-time log notification tool, whereas logcheck generates reports periodically. Password auditing also plays a vital role in securing the system, because the weakest link in Linux security is the users and their choice of passwords.

2.3 Network Security

This layer focuses on the issues of connecting a Linux server to a network. Configuring network services with security in mind is becoming increasingly difficult for network administrators. The xinetd daemon needs to be configured to reflect the security policy of the organization. The netstat command is a powerful utility that lets an administrator check the status of the network configuration, in particular which services are listening and on which addresses. Network auditing and monitoring are vital parts of the security scheme.
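
The account, password and listening-service checks described under System Security and Network Security above, as a shell audit script. This is an added example, not code from the paper or from any of the tools it names. The passwd, shadow and netstat data in it are constructed samples; on a real host the same functions would be fed /etc/passwd, /etc/shadow and the output of netstat -tuln, and the "stale password" check is only a proxy for inactivity (last-login data comes from lastlog).

```sh
#!/bin/sh
# Added example (not from the paper): a host audit covering the points the
# System Security and Network Security sections raise: extra UID 0 accounts,
# accounts with no password, stale accounts, and services listening on every
# interface. The passwd, shadow and netstat data below are constructed samples;
# on a real host replace them with /etc/passwd, /etc/shadow and `netstat -tuln`.

# Constructed /etc/passwd: note the second UID 0 account.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second superuser:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash
guest:x:502:502:Guest:/home/guest:/bin/bash'

# Constructed /etc/shadow. Field 2 is the hash ("" = no password, "*" or "!"
# = locked), field 3 the day of the last password change (days since 1970).
SAMPLE_SHADOW='root:$1$xx$hash1:12000:0:99999:7:::
toor:$1$xx$hash2:12000:0:99999:7:::
bin:*:12000:0:99999:7:::
alice:$1$xx$hash3:12000:0:99999:7:::
bob::12000:0:99999:7:::
guest:$1$xx$hash4:11000:0:99999:7:::'

# Constructed `netstat -tuln` output.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 127.0.0.1:514           0.0.0.0:*'

# Every account with UID 0 other than root is a second superuser.
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts whose shadow entry has an empty hash can log in without a password.
empty_passwords() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Usable (not locked) accounts whose password is older than $3 days as of
# day $2. A crude proxy for "inactive"; last login would come from lastlog(8).
stale_passwords() {
    printf '%s\n' "$1" | awk -F: -v today="$2" -v max="$3" \
        '$2 !~ /^[*!]/ && today - $3 > max { print $1 }'
}

# Listening sockets bound to 0.0.0.0 or :: are reachable from every interface.
wildcard_listeners() {
    printf '%s\n' "$1" | awk '$1 ~ /^(tcp|udp)/ {
        n = split($4, a, ":")
        if (a[1] == "0.0.0.0" || $4 ~ /^:::/) print $1 "/" a[n]
    }'
}

# Wildcard listeners not on the allow-list ($2, one proto/port per line).
unexpected_listeners() {
    wildcard_listeners "$1" | grep -vxF "$2"
}

report() {
    echo "UID 0 accounts besides root:"; uid0_accounts "$SAMPLE_PASSWD"
    echo "Accounts with no password:";   empty_passwords "$SAMPLE_SHADOW"
    echo "Passwords older than a year (as of day 12100):"
    stale_passwords "$SAMPLE_SHADOW" 12100 365
    echo "Listeners on all interfaces not permitted by policy (policy: tcp/22):"
    unexpected_listeners "$SAMPLE_NETSTAT" "tcp/22"
}

report
```

On the sample data the report names toor (a second UID 0 account), bob (empty password), guest (password untouched for three years) and the portmapper on tcp/111 and udp/111, which is listening on every interface although the policy only permits SSH. The same functions run unchanged against the real files when the three sample variables are replaced.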
Network auditing ensures that the security mechanisms that have been implemented are effective in meeting the requirements of the security policy. This is achieved by staging break-ins to your own network: the most effective approach to network auditing is to play the role of an intruder. There are network-based and host-based auditing tools. SATAN (Security Administrator's Tool for Analysing Networks), SAINT (Security Administrator's Integrated Network Tool) and SARA (Security Auditor's Research Assistant) are good network-based auditing tools. SATAN was first released in 1995 and received an overwhelming response from the open source (read Linux) community. SAINT is more robust than SATAN, while SARA is a modular package that interfaces with Nmap and Samba. The latest evolution in this series of tools is Nessus, released in April 1998. Nessus is a free, open source, full-featured security auditing tool that still sees active development today (the Nessus 3 release in 2005 later moved it to a proprietary licence; the open source line continues as OpenVAS). Nessus comes in two components: the client (nessus) and the server (nessusd). Nmap offers a powerful, versatile network scanning tool for the more experienced network administrator. It is good security practice to use both tools to make sure that there are no "naughty" systems running on your LAN. See www.insecure.org/nmap and www.nessus.org for further resources. TARA (Tiger Analytical Research Assistant) is an example of a host-based auditing tool.

Network monitoring assists in reacting to an attack. Tools for monitoring include PortSentry, which can detect even stealth scans, and Ethereal. Network security is a game of cat and mouse, of intelligence and counter-intelligence. While network auditing is part of the regular network routine, network monitoring should be a higher priority. The security policy should state the exact circumstances under which auditing and monitoring take place.
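
The "play the intruder" audit above, made repeatable: scan the LAN with Nmap and compare the result with the list of services the security policy permits, so that both rogue services and expected services that have gone missing are reported rather than eyeballed. This is an added example, not from the paper or from Nmap's own documentation. The baseline and the scan output are constructed samples in Nmap's grepable (-oG) format; the hosts and ports are assumptions. A real run would feed the functions the output of something like nmap -sS -sU -p 22,53,80,139,443,3389 -oG - 192.168.1.0/24 (SYN and UDP scans need root).

```sh
#!/bin/sh
# Added example (not from the paper): audit the LAN against a baseline of
# permitted services using nmap's grepable output. BASELINE and SCAN below
# are constructed samples; in practice SCAN is the contents of an -oG file.

# Constructed baseline: "host proto/port" pairs the security policy permits.
BASELINE='192.168.1.1 tcp/22
192.168.1.1 tcp/53
192.168.1.1 udp/53
192.168.1.10 tcp/22
192.168.1.10 tcp/80
192.168.1.10 tcp/443
192.168.1.20 tcp/22'

# Constructed nmap -oG output. Real output separates fields with tabs (the
# parser accepts tabs or spaces); each port entry reads
# port/state/proto/owner/service/rpc/version/.
SCAN='# Nmap scan initiated (constructed sample)
Host: 192.168.1.1 () Ports: 22/open/tcp//ssh///, 53/open/tcp//domain///, 53/open/udp//domain/// Ignored State: closed (3)
Host: 192.168.1.10 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///
Host: 192.168.1.20 () Ports: 22/open/tcp//ssh///, 3389/open/tcp//ms-term-serv///
Host: 192.168.1.33 () Ports: 139/open/tcp//netbios-ssn///
# Nmap done (constructed sample)'

# Turn a grepable scan into sorted "host proto/port" lines for open ports only.
open_services() {
    printf '%s\n' "$1" | awk '
        /^Host:/ {
            host = $2
            n = index($0, "Ports:"); if (n == 0) next
            rest = substr($0, n + 6)
            sub(/[ \t]*Ignored State:.*/, "", rest)
            m = split(rest, entry, ",")
            for (i = 1; i <= m; i++) {
                split(entry[i], f, "/")        # f[1]=port f[2]=state f[3]=proto
                gsub(/^[ \t]+/, "", f[1])
                if (f[2] == "open") print host " " f[3] "/" f[1]
            }
        }' | LC_ALL=C sort
}

# Open services the policy does not permit: rogue or misconfigured hosts.
unexpected_services() {
    open_services "$1" | grep -vxF "$2"
}

# Permitted services that did not answer: an outage, or a firewall rule that
# now blocks something the policy expects to be reachable.
missing_services() {
    printf '%s\n' "$2" | grep -vxF "$(open_services "$1")"
}

echo "Unexpected open services:"; unexpected_services "$SCAN" "$BASELINE"
echo "Expected services not found:"; missing_services "$SCAN" "$BASELINE"
```

On the sample scan the script flags a terminal-services port on 192.168.1.20 and an unknown host 192.168.1.33 offering NetBIOS, and reports that the HTTPS service expected on 192.168.1.10 is not open. Keeping the baseline under version control alongside the policy turns each scan into a diff against what was agreed, which is the point of auditing against the policy rather than against the previous scan.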
PortSentry is an example of a real-time monitoring tool designed to detect port scans targeting your systems, and it gives you the ability to respond appropriately. TARA can be downloaded from www-arc.com/tara and PortSentry from www.psionic.com. Ethereal was available from www.ethereal.com (the project was renamed Wireshark in 2006 and now lives at www.wireshark.org).

2.4 Application Security

Some of the daemons that come standard in current Linux distributions are full-fledged applications with complex configuration files, and web, file and mail servers speak complex protocols. Security can be improved by enabling the secure features of the popular mail transfer agents (MTAs) such as Sendmail, qmail and Postfix. The Apache web server can be secured by enabling its authentication modules (mod_auth, mod_auth_dbm, mod_auth_db, etc.), and enabling OpenSSL support (mod_ssl) also contributes to hardening it. Samba can be made more secure by tuning its run-time parameters; the first step is to protect the Samba Web Administration Tool (SWAT) with SSL so that administrative commands to Samba are protected in transit.

2.5 Perimeter Security

The natural progression of the layered approach moves away from the network layer to the application layer, and from there to the perimeter. This is an area of particular interest to the author. Firewalls are the main component of the perimeter security domain. A firewall is software whose primary function is to enforce the organization's security policy by filtering, forwarding or logging connection requests that traverse a Linux server connected to both the private network and the Internet. Firewalls can be implemented at any one of three layers: network, transport and application. There are advantages and disadvantages to deploying firewalls at each of these layers.
Network layer firewalls, also known as packet-filtering gateways, inspect every IP packet arriving at the firewall interface and take the appropriate action: drop, accept and/or log. Their disadvantage is that they are not "smart": they see addresses, ports and flags, not users or application content.

Transport layer firewalls work by examining the TCP or UDP conversation. Their downside is that they require the clients to be proxy-aware, which usually means modified or reconfigured client software.

Application layer firewalls make access decisions at the application layer. This lets the administrator tailor the firewall to the needs of each type of application that will be offered. The disadvantage is that the administrator must configure, deploy, monitor and maintain a separate firewall process for each application whose access needs to be controlled.

It is good practice to implement the security policy with a combination of firewalls at all three layers, so that a weakness at one layer is not a complete exposure. A firewall must not only keep unauthorized intruders out of the network; it must also let users reach outside resources while accepting certain approved connections back in. This is conceptually easy but a challenge to implement.

2.5.1 Network Layer Firewall

There are several advantages to using Linux as a firewall platform: uniform administration, commodity hardware, robust kernel-based packet handling, a well-tested platform, performance and cost. Packet filtering is attractive because it is an efficient and non-intrusive way of protecting the perimeter; users do not need to authenticate to use services outside the trusted area.

Legacy packet filtering in Linux was provided by ipfwadm and then ipchains. ipfwadm was used from kernel 1.2.1 onwards; its last version was released in July 1996, after which ipchains replaced it from kernel 2.1.102 onwards.
ipchains addressed several of ipfwadm's limitations, such as counters that were only 32 bits wide and no handling of IP fragments. It did so by having the kernel apply three separate chains, or sequences of rules, to do the filtering: the INPUT chain, the OUTPUT chain and the FORWARD chain. The ipchains utility has the following syntax:

ipchains command chain rule-specification [options] -j action

where chain is one of INPUT, OUTPUT or FORWARD.

From kernel 2.4 onwards the functionality once provided by ipchains is replaced by Netfilter and the iptables rule space. The 2.4 kernel offers significant improvements over previous versions in the number of features and in stability. The Netfilter project (netfilter.kernelnotes.org) was funded by WatchGuard Technologies. iptables is an evolution of the ipchains utility; it depends on Netfilter, which was merged during the 2.3 development series, so in practice it requires a 2.4 or later kernel. A sample iptables command would be:

iptables -A INPUT -p tcp --dport smtp -j ACCEPT

There are several firewall scenarios and designs that capture the most popular network architectures in place today, ranging from the simple dial-on-demand connection to complex scenarios involving a demilitarized zone (DMZ).

2.5.1.1 The Single-Homed Dial-Up Server

This is the simplest set-up, where access to the Internet is not a dedicated connection. Figure 1 illustrates the idea. Most homes with DSL or another broadband connection have more than one host on the network that needs Internet access.

Figure 1 (source: Linux Security, Ramon J. Hontanon)

The example has two interfaces: ppp0, a dial-on-demand PPP connection to the ISP, and eth0, a Fast Ethernet connection to the private LAN.

2.5.1.2 Dual-Homed Firewall

This design applies where there is a dedicated router with a full-time connection to the Internet.
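
The dual-homed design introduced here, expressed as a complete netfilter ruleset rather than the single ACCEPT rule shown earlier. This is an added example; it is not from the paper or from Hontanon's book. It assumes eth0 faces the ISP router, eth1 faces the LAN, and the LAN uses 192.168.1.0/24 (all three can be overridden through environment variables). It goes somewhat beyond the text: a deny-all policy on every chain, anti-spoofing rules on the external interface, connection tracking so that only the LAN can open new connections, masquerading for the private addresses, and rate-limited logging of what the policies drop. By default it only prints the iptables commands; APPLY=1 loads them.

```sh
#!/bin/sh
# Added example (not from the paper): iptables ruleset for a dual-homed
# firewall. Assumptions: eth0 = Internet side, eth1 = LAN side, LAN is
# 192.168.1.0/24. Dry run by default (prints the commands); APPLY=1 as root
# executes them. `-m state` is the 2.4-era spelling; `-m conntrack --ctstate`
# is the current equivalent.

EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
APPLY=${APPLY:-0}

# ipt: run iptables for real, or echo the command in dry-run mode.
ipt() {
    if [ "$APPLY" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

build_rules() {
    # 1. Flush everything and adopt a deny-all stance on all three chains:
    #    anything not explicitly accepted below is dropped.
    ipt -F; ipt -X; ipt -t nat -F
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT DROP

    # 2. Loopback traffic is always allowed.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # 3. Anti-spoofing: private and loopback source addresses can never
    #    legitimately arrive on the Internet-facing interface.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        ipt -A INPUT -i "$EXT_IF" -s "$net" -j DROP
        ipt -A FORWARD -i "$EXT_IF" -s "$net" -j DROP
    done

    # 4. Stateful core: packets belonging to connections already accepted
    #    (and related ones, e.g. FTP data) pass; INVALID falls to the policy.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The firewall's own outbound traffic (DNS lookups, up2date) is allowed.
    ipt -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # 5. Services the firewall itself offers: SSH and ping, from the LAN only.
    ipt -A INPUT -i "$INT_IF" -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$INT_IF" -s "$LAN_NET" -p icmp --icmp-type echo-request -j ACCEPT

    # 6. LAN hosts may open new connections to the Internet; nothing from the
    #    Internet may open a connection inwards (no such rule exists).
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE

    # 7. Log what the DROP policies are about to discard, rate-limited so a
    #    flood of packets cannot fill the syslog partition.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FORWARD-DROP: "
}

# Forwarding between the two interfaces is off in the kernel until enabled.
enable_forwarding() {
    if [ "$APPLY" = 1 ]; then echo 1 > /proc/sys/net/ipv4/ip_forward
    else echo "echo 1 > /proc/sys/net/ipv4/ip_forward"; fi
}

build_rules
enable_forwarding
```

Two practical notes. Load the rules from the console, not over SSH: step 1 sets the DROP policy before step 5 re-admits SSH, and any mistake in between locks the administrator out. And order matters within a chain: the anti-spoofing drops come before the ESTABLISHED,RELATED accept so that a spoofed packet cannot ride an existing connection-tracking entry.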
In this case the firewall, which has two network interface cards (NICs), sits in series with the external connection to the Internet; dual-homed in this context simply means two NICs in the firewall. A host in this position is often referred to as a bastion host. Figure 2 illustrates the idea.

Figure 2 (source: Linux Security, Ramon J. Hontanon)

2.5.1.3 Triple-Homed Firewall with a Demilitarized Zone

This is a more elaborate firewall architecture with an additional interface for the demilitarized zone (DMZ). The DMZ is typically a small network, comprising perhaps five or six bastion hosts, that is physically separate from your protected network. Figure 3 illustrates the triple-homed firewall with a new network, 64.65.6.0/24, for the DMZ containing two servers (web and mail).

Figure 3 (source: Linux Security, Ramon J. Hontanon)

2.5.2 Transport Layer Firewall

A transport layer firewall controls Internet access by proxying outgoing connections on behalf of the user. This approach has one advantage and one disadvantage:

a) It controls access to the outside Internet at the user level. With a single point of access to the untrusted public Internet, the administrator gains control, for example by logging all user access.

b) Proxy-based firewalls require network client software that has been modified to be "proxy aware". Proxy firewalls are usually more difficult to set up than packet-filtering firewalls, since both the users and the services have to be tracked and logged.

With this type of firewall, any request for a service beyond the firewall is served by the proxy server. The IETF standard SOCKS protocol defines a common framework for the design, implementation and operation of proxy firewall systems. There are two versions of the protocol, SOCKS4 and SOCKS5. SOCKS4 was fully functional except for its lack of support for strong authentication.
The IETF overcame this limitation with SOCKS5 (RFC 1928), which also added features such as UDP relaying and resolution of domain names by the proxy on the client's behalf. The NEC SOCKS5 proxy server is the reference implementation and works very well on Linux; its source can be downloaded from www.socks.nec.com, and a supported commercial version, e-Border, is available from www.socks5.nec.com.

2.5.3 Application Layer Firewall

This is virtually the same concept as the transport layer firewall, except that each application on the internal network has a specific proxy service on the firewall that forwards connections for that type of application traffic only. The application layer firewall takes a deny-all stance: all services are denied by default and specific services are allowed. A freely available application layer firewall, the Firewall Toolkit (FWTK), can be compiled to run on Linux. First released to the public in 1993, it was developed by Trusted Information Systems (TIS), and it became the genesis of TIS Gauntlet, the first commercially available application layer proxy firewall product. FWTK is available for download in source form free of charge, but the licence does not permit users to redistribute it or make it available to anyone else. The web resource for FWTK is www.fwtk.org.

2.5.4 FWTK Architectures

Successful deployment of an application layer firewall begins by designing the overall architecture of your network and deciding where to place the firewall. There are two popular options for deploying FWTK on a Linux server: single-homed and dual-homed proxy firewalls. Figure 4 illustrates the use of the FWTK proxy server as a bastion host on the DMZ segment of the network.

Figure 4 (source: Linux Security, Ramon J. Hontanon)

If the application layer firewall is the single point of access and the only method of controlling access, then FWTK is used as the single point of entry to the internal network.
This is achieved by deploying a dual-homed proxy firewall, as Figure 5 illustrates. Here the hosts on the internal network do not need publicly routable IP addresses, since only the proxy is reachable from outside. FWTK is then configured according to the organization's security policy.

Figure 5 (source: Linux Security, Ramon J. Hontanon)

2.6 Remote Access and Authentication

Remote access is a cause of growing security concern. The number of roaming users is increasing, and they demand the kind of network access they are accustomed to in the physical office. The workplace has been extended to the home office, and that in turn is being replaced by the virtual office. The challenge is not to run away from these changes but to embrace the roaming access model without compromising the security of the corporate network. There are technologies, configurations and packages that can provide such services without compromising the security, privacy and integrity of your data.

The technology concerned is virtual private networking (VPN). A VPN uses the public Internet as its transport mechanism while maintaining the security of the data carried over it. It works by creating a secure tunnel between two networks and routing IP through it: VPN traffic is encapsulated inside ordinary IP traffic, protecting the privacy of the data as it crosses the untrusted Internet. Two security protocols have emerged for encapsulating and protecting VPN data: the IETF's IP Security (IPsec) and Microsoft's Point-to-Point Tunneling Protocol (PPTP), whose authentication has since been shown to be weak and which is no longer recommended. IPsec is defined in detail in RFCs 2401 through 2412 (the IPsec architecture has since been revised in RFC 4301 and its companion documents). Although IPsec support was only mandatory for IPv6 implementations, most network security vendors have embraced it to a great extent.

2.6.1 The IP Security Protocol (IPsec)

IPsec is a framework used at both ends of a connection to ensure that the session is secured.
A certain amount of activity must take place before IPsec-formatted packets can be exchanged: the two ends must agree on a security association (SA) for the session, which has several parameters, including the cryptographic algorithm, key lifetime, encapsulation type and compression. The details are beyond the scope of this paper; suffice it to say that there is an open source implementation of IPsec called FreeS/WAN, available from www.freeswan.org. The project was initiated in 1996 by John Gilmore, who described it as an attempt "to secure 5% of the Internet traffic against passive wiretapping". The Free Secure Wide Area Network (FreeS/WAN) project aims to make every Linux server a VPN-capable host using the standard IETF IPsec protocol to ensure the confidentiality, integrity and authentication of IP communications. (FreeS/WAN itself ceased development in 2004; its code lives on in the Openswan and strongSwan projects.) IPsec is the most widely implemented VPN technology to date.

Other components of remote access include SSH, which was freely available up to version 1.2.12. OpenSSH was born in 1999 to fill the gap left when later releases became proprietary; today OpenSSH supports version 2 of the SSH protocol.

3.0 Current Open Source Project

I have recently completed supervising a student project on firewalls, called Linux Firewall Box Set Solution for the Malaysian Market. The project is based on the Linux From Scratch project (www.linuxfromscratch.org). Its premise is to create a prototype boxed-set firewall solution for local consumption; the product was given the name My Firewall. The basic implementation has been a success, and further enhancements are to be made to increase the firewall's viability for release to the open source community. Planned enhancements include optimization of the iptables scripts, higher packet transaction rates, support for IPv6, implementing an older version of diald, making the boxed set bootable, and adding antivirus services.
All said, this is a project that has the potential to put Malaysia on the open source global map.

4.0 Conclusion

Security is an important issue facing CIOs, IT managers and other decision makers. It is evident from the discussion in this paper that there are many ways to secure computer systems and computer networks, and that attention must also be paid to the management of security. Computer security is not only about technology or processes; it is also a way of thinking. Perfect security is a fallacy: if you want a 100% secure network, shut off your servers and lock them up. Security is a poorly understood topic. To address this, an effective network defense should have its genesis in a comprehensive security policy that serves as the foundation on which a set of appropriate mechanisms can be built. There is tremendous potential in exploring the use of free and open source software to implement global security standards such as ISO/IEC 17799 and BS 7799 Part 2:2000 (since superseded by ISO/IEC 27002 and ISO/IEC 27001 respectively).

REFERENCES

1) Ramon J. Hontanon, Linux Security, Sybex, 2001.
2) Murthy, Bukhes, Winn, Vanderdez, "Firewalls for Security in Wireless Networks", 1998.
3) J. Bryan, "Build a Firewall", BYTE, April 1995.
4) Dan Nessett and Polar Humenn, "The Multilayer Firewall", 1999.
5) Jason K.M. Leong, "Linux Firewall Box Set Solution for the Malaysian Market", Final Year Project Report, APIIT, 2003.
6) K. Fenzi and D. Wreski, "Linux Security HOWTO", v2.0.
7) M.D. Wilson, "VPN HOWTO", v2.0.

About the Author

Tejinder Singh is Project Manager and Lecturer at the Asia Pacific Institute of Information Technology (APIIT). He received his BS in Electrical Engineering in 1994 from Tri-State University, Angola, Indiana, USA, and his MEng in Embedded Systems Design in 2001 from the University of Lugano, Switzerland. He is a registered professional engineer (P.E.) with the Board of Engineers Malaysia (BEM) and a corporate member of the Institution of Engineers Malaysia (IEM). He is a member of the IEEE and secretary of the Malaysian chapter of the IEEE Computer Society. His research interests are pervasive and mobile computing, wireless and embedded networking, security for mobile systems, and designing embedded systems using OO methodologies. He can be contacted at tejinder@apiit.edu.my.