Securing a host - start [APNIC training wiki]
Post on 07-Jun-2020
Securing a host
Matsuzaki ‘maz’ Yoshinobu <maz@iij.ad.jp>
Hardening a host
• Differs per operating system
  • Windows: users cannot be trusted to make security-related decisions in almost all cases
  • OS X: make things work magically for users. Try to handle security issues in the background
  • Linux: varies by distribution
    • Ubuntu: try, like OS X, to make things just work
    • Red Hat: include very useful tools, but turned off by default
  • BSD: users will figure it out
• Changes with time
General consideration
• Define a personal usage profile and policy.
  • What hardware do you use?
  • What software tasks do you do on your computer?
  • Do the first two change when you travel?
  • What habits from the above two do you need to change to be more secure?
• Decide if you really need VPN access to your network while travelling.
General practices
• Install only the services and software you actually need.
• Uninstall or disable all software and services you do not use or need.
• Periodically and actively scan your machine for vulnerabilities.
• Have as few user accounts on your systems as possible.
• Protect your administrative account. Have a strong password, do not permit remote password-based logins, and do not log in as an administrator unless you need to do an administrative task.
Securing Mac OS X
• disable unused “sharing” services
  • Setting -> Sharing
• update software
  • App Store -> Update
• check services
  • $ netstat -an | grep LISTEN
• enable firewall
  • Setting -> Security & Privacy -> Firewall
Securing Linux: minimalize packages
• CentOS
  # yum list installed
  # yum remove <PackageName>
• Ubuntu > 16
  # apt list --installed
  # apt remove <PackageName>
Securing Linux: update packages
• CentOS
  # yum upgrade
• Ubuntu > 16
  # apt update
  # apt upgrade
Securing Linux: checking services
• CentOS
  • ss -nl
• Ubuntu > 16
  • netstat -nl
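As an added example (not from the original slides), the script below applies the checking-services step to `ss -nl` / `netstat -nl` style output: it ignores listeners bound only to loopback and reports every network-reachable port that is not on an allow-list. Both sample outputs and the allow-list of port 22 are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original slides: review `ss -nl` / `netstat -nl`
# output as the "checking services" step suggests. Listeners bound to loopback
# are ignored; anything reachable from the network whose port is not in an
# allow-list is reported. Both samples below are constructed, not captured.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
LISTEN 0      80     *:3306              *:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      128    [::1]:25            [::]:*'
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address  Foreign Address  State
tcp   0      0      0.0.0.0:22     0.0.0.0:*        LISTEN
tcp   0      0      127.0.0.1:5432 0.0.0.0:*        LISTEN
tcp6  0      0      :::8080        :::*             LISTEN'

# Read listener lines on stdin and print "address port" for each one that is
# not bound to loopback. The local socket is taken as the first field ending
# in ":<port>", which works for ss (with or without the Netid column) and netstat.
exposed_listeners() {
  awk '{
    sock = ""; listen = 0
    for (i = 1; i <= NF; i++) {
      if ($i == "LISTEN") listen = 1
      if (sock == "" && $i ~ /:[0-9]+$/) sock = $i
    }
    if (!listen || sock == "") next
    n = split(sock, p, ":"); port = p[n]
    addr = substr(sock, 1, length(sock) - length(port) - 1)
    if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
    print addr, port
  }'
}

# Report exposed listeners whose port is not in the space-separated allow-list $1.
unexpected_listeners() {
  exposed_listeners | awk -v allowed=" $1 " 'index(allowed, " " $2 " ") == 0'
}

echo "$SAMPLE_SS" | unexpected_listeners "22"        # prints: * 3306
echo "$SAMPLE_NETSTAT" | unexpected_listeners "22"   # prints: :: 8080
```

On a real host, pipe `ss -nl` or `netstat -nl` into `unexpected_listeners "<ports you expect>"` and treat every line it prints as a service to justify, firewall, or remove.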
Securing Linux: firewall
• CentOS
  • iptables
  • firewalld (frontend for iptables)
• Ubuntu > 16
  • iptables
  • ufw (frontend for iptables)
Securing Windows: minimalize services
• services.msc
Securing Windows: updating
• > start ms-settings:windowsupdate
Securing Windows: checking services
• > netstat -na
Securing Windows: firewall
• wf.msc
Securing Windows: firewall
• The Windows firewall offers four types of rules:
  • Program – Block or allow a program.
  • Port – Block or allow a port, port range, or protocol.
Windows Network Category
• execute PowerShell as administrator
• to confirm:
  > Get-NetConnectionProfile
• to change it to Public:
  > Set-NetConnectionProfile -Name "<NetworkName>" -NetworkCategory Public
• to change it to Private:
  > Set-NetConnectionProfile -Name "<NetworkName>" -NetworkCategory Private
Hardware
• Rule 1: all bets are off with physical access to your devices.
• Consider removing hardware you never use – say Bluetooth.
• Disable in BIOS or EFI or your operating system the hardware or features you cannot remove physically.
  • wake on LAN
  • Bluetooth discoverability
  • USB ports?
• BIOS passwords not that useful
  • BIOS-level encryption/locking of hard disks may not be portable
Compromised system
• Any file on the system is already suspicious
• You may be able to remove a piece of malware
  • there could be another one that you cannot detect
Wipe
• Don’t use files from the compromised system
  • programs
  • documents
  • images
• Clean up the storage that was connected to the system
  • HDD
  • SSD
  • flash memory
How can we rescue information from suspicious data files
• convert it into another format
  • png -> jpg, jpg -> png
  • doc -> txt
  • excel -> csv
  • pdf -> png/jpg
• infected code cannot survive such a drastic modification
Wipe to give away
• data is still there even if it’s formatted
  • experts can read the data by using special tools
  • an electron microscope can read more
  • leakage of secret data
• you need to make sure the data is erased
  # dd if=/dev/urandom of=/dev/<disk> bs=16M
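Added example, not from the slides: the dd recipe above applied to a constructed 1 MiB image file instead of a real /dev/<disk>. A simulated quick format (clearing only the first block) leaves the marker string readable from the raw image, while the random overwrite removes it. MARKER and the image layout are made up.

```shell
#!/bin/sh
# Added example, not from the slides: on a constructed disk image, show that a
# quick "format" leaves data readable while overwriting every block with random
# data (the slides' dd approach) removes it. dd runs on a file here, not on a
# real /dev/<disk>; MARKER is a made-up secret string.
MARKER='CONSTRUCTED-SECRET-7f3a'

# Build a 1 MiB image: a fake filesystem header, then a "document" containing MARKER.
make_image() {
  dd if=/dev/zero of="$1" bs=4096 count=256 2>/dev/null
  printf 'FAKEFS-HEADER\n' | dd of="$1" conv=notrunc 2>/dev/null
  printf 'quarterly report: %s\n' "$MARKER" | dd of="$1" bs=4096 seek=100 conv=notrunc 2>/dev/null
}

# Simulate a quick format: only the first 4 KiB (header/allocation area) is cleared.
quick_format() {
  dd if=/dev/zero of="$1" bs=4096 count=1 conv=notrunc 2>/dev/null
}

# Overwrite every block with random data: the slides' dd recipe applied to an image file.
wipe_image() {
  blocks=$(( $(wc -c < "$1") / 4096 ))
  dd if=/dev/urandom of="$1" bs=4096 count="$blocks" conv=notrunc 2>/dev/null
}

# Print "yes" if MARKER can still be read from the raw image, "no" otherwise.
marker_readable() {
  if LC_ALL=C grep -qF "$MARKER" "$1"; then echo yes; else echo no; fi
}

IMG=$(mktemp)
make_image "$IMG"; quick_format "$IMG"
echo "after quick format: $(marker_readable "$IMG")"   # yes
wipe_image "$IMG"
echo "after dd wipe:      $(marker_readable "$IMG")"   # no
rm -f "$IMG"
```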
Recover
• ‘clean install’ from scratch
  • format the disk, use a proper OS image
• apply the latest OS patches to be up-to-date
  • it could be vulnerable before being patched
  • do the update in a secure network
• install needed applications
  • check upgrades, of course
Recover (cont.)
• disable unnecessary services
  • the same as the hardening procedure
• check configurations
  • for any weakness
• change all passwords on the system
  • any password might have been stolen
Replacing might be your choice
• securing the compromised system as is
  • for further investigation
  • malware that stays in memory only
• just replace the compromised system
  • spare hardware
Backups
• Encryption
• Automation
• Generations
Encryption
• Assume theft and loss
• Your backups must have at minimum the same encryption level as the source data
Automation
• We are lazy!
  • easy to forget
• automated backup will help you
  • most systems have scheduled backup
Generations
• you should have a ‘good’ version of backup there
  • if a system is compromised, the malware might also be backed up in the archive; you won’t want to restore that, though
• if something goes wrong by chance, you may restore the previous version
• find a ‘good’ version from your archives
Off-site archives
• 2011 Tohoku earthquake and tsunami
  • swept away buildings and data centers
  • 4 local governments lost the whole data on the family registration system
• They had off-site backups
  • took about 1 month to recover, though
  • wanted to make sure nothing was missed
HTTP and Secure Channel
BhutanNOG4 29
[Figure: two protocol stacks side by side, plain HTTP over TCP over IP and HTTP over TLS over TCP over IP]
SSL/TLS
• SSL and TLS
  • SSL v3.0 specified in an I-D in 1996 (draft-freier-ssl-version3-02.txt) and now in RFC6101
  • TLS v1.0 specified in RFC2246
  • TLS v1.0 = SSL v3.1 ≈ SSL v3.0
  • TLS v1.1 specified in RFC4346
  • TLS v1.2 specified in RFC5246
• Goals of protocol
  • Secure communication between applications
  • Data encryption
  • Server authentication
  • Message integrity
  • Client authentication (optional)
SSL is not secure anymore
• SSL 2.0 and SSL 3.0 have known vulnerabilities in the protocol specifications
  • downgrade attack
  • POODLE attack
  • RFC6176 - Prohibiting Secure Sockets Layer (SSL) Version 2.0
  • RFC7568 - Deprecating Secure Sockets Layer Version 3.0
• Use TLS instead
TLS Properties
• Connection is private
  • Encryption is used after an initial handshake to define a secret key.
  • Symmetric cryptography is used for data encryption
• Peer’s identity can be authenticated
  • Asymmetric cryptography is used (RSA or ECDSA)
• Connection is reliable
  • Message transport includes a message integrity check using a keyed MAC.
  • Secure hash functions (such as SHA384, SHA256) are used for MAC computations.
The TLS Handshake Process
[Figure: TLS client and TLS server exchanging messages across the Internet in six steps (numbered 1 to 6 in the figure): client initiates TLS connection / sends supported cipher suites; server returns digital certificate to client and selected cipher suite; client sends shared secret encrypted with server’s public key; message encryption and integrity algorithms are negotiated; secure session tunnel is established; session keys are generated]
TLS Client Authentication
• Client authentication (certificate based) is optional and not often used
• Many application protocols incorporate their own client authentication mechanism such as username/password or S/Key
• These authentication mechanisms are more secure when run over TLS
TLS IANA Assigned Port #s
Protocol      Defined Port Number   TLS Port Number
HTTP          80                    443
NNTP          119                   563
POP           110                   995
FTP-Data      20                    989
FTP-Control   21                    990
Telnet        23                    992
Certificate Authority
• issues a digital certificate which is signed by the CA’s private key
• You can verify the certificate using the corresponding public key
  • if you trust the public key
• …and CAs can have a hierarchical trust model
Trust chain
[Figure: trust chain: the root CA (the trusted CA) signs the intermediate CA certificate, which in turn signs end-entity certificates, e.g. the one for https://www.apricot.net]
CA and certificates
• A CA can issue a certificate for any domain name
  • if you trust the CA, the certificate looks legitimate
• if you have a malicious CA in your trusted keychain, an attacker can monitor/modify your TLS session data
• Yes, we have cases
  • https://support.lenovo.com/nz/en/product_security/superfish
  • https://www.dell.com/support/article/us/en/19/SLN300321
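Added example (not the slides' code, nor any vendor's) for the trust chain and CA slides above: openssl builds a constructed root CA -> intermediate CA -> end-entity chain, and the end-entity certificate verifies only against the root you chose to trust, not against a second CA whose certificates look just as legitimate. All CA and host names are made up, and the openssl command line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original slides: build a constructed
# root CA -> intermediate CA -> end-entity chain with openssl and show
# that the end-entity cert verifies only against a root you chose to trust.
# "Constructed Root CA", "Constructed Intermediate CA" and www.example.test
# are made-up names; a real deployment would use proper CA tooling.

# Issue one chain (root.pem, inter.pem, leaf.pem plus keys) into directory $1.
make_chain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  # Root CA: self-signed, CA bit set.
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Constructed Root CA' \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA: signed by the root, also with the CA bit.
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Constructed Intermediate CA' \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
  # End-entity certificate for the constructed host name, signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Verify leaf $3 with intermediate $2 against the trusted root $1; prints ok or fail.
verify_leaf() {
  if openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Two independent chains: like two different CAs sitting in a keychain.
W=$(mktemp -d); mkdir "$W/a" "$W/b"
make_chain "$W/a"; make_chain "$W/b"
echo "leaf A vs root A: $(verify_leaf "$W/a/root.pem" "$W/a/inter.pem" "$W/a/leaf.pem")"  # ok
echo "leaf A vs root B: $(verify_leaf "$W/b/root.pem" "$W/a/inter.pem" "$W/a/leaf.pem")"  # fail
rm -rf "$W"
```

The "fail" case is what protects you when a site presents a certificate from a CA you never trusted; the slides' point is that the check gives no protection once an unwanted root has been added to your trust store.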
Check your trusted CA
• Windows
  • certlm.msc
• Mac OS X
  • Keychain Access.app
• Firefox
  • Setting -> Advanced -> Certificates -> View Certificates