IT 369: Session 6
Securing Hosts
Housekeeping
Lab support must be through Discussion Board, GTA Office hours by appointment, or at my Office Hours.
Labs 3 & 4 due Tuesday evening at midnight.
Critical Analysis Journal due tonight (end of the month!)
Today’s class is session #6, and will focus on Host Defense.
Midterm questions on next slide
The Midterm
Midterm is next week: 4 Labs, Readings, and Lectures
Multiple Choice and Short Answer
Completion & understanding of all labs will be a direct benefit.
Midterm will be Take Home, Open Book, Open Note, Open Internet. Released on Monday by 9am. Due Tuesday by midnight.
NO COLLUSION or ANY help from any human. Use your notes, your book, the Internet, but any person found to receive or give help will be failed.
2 hour time limit enforced. Due by Tuesday midnight.
How to protect our environment?
If the Network is secure, and Firewall protects all traffic, why aren’t we fully secure?
What defines “perimeter defense”?
Name the adversaries…
Identify our vulnerabilities…
Application and Data Visualization
Keeping in mind the LAMP drawing, how can we harden our application?
This drawing is about a transactional conversation and mostly addresses traffic and data.
What else is vulnerable?
Identifying vulnerabilities
Think about Lab 3 & 4: where can trouble occur?
As stated, traffic to/from the DB is likely restricted to data, unless the system allows writing to a local file (is this common?)
We installed Apache, MySQL, and OpenSSH - concerns? mitigations?
We created and used user accounts. concerns? mitigations?
We created a directory. concerns? mitigations?
We created a database. concerns? mitigations?
How will we know if a file has been altered?
What is a rootkit, and why do I care? How would I know?
Separation of Duties? Defense in Depth? Least Privilege (O/S, DB, Apache, MySQL, YogaApp)?
Threats Beyond the Firewall
What “threat agents” does your book identify?
Files come into the system from multiple means (downloads, patches, email attachments, ftp, etc.)
Valid users with more than “Least Privilege”
Administrators being a little careless
Downloads (where do they go? How are we protected?)
Uploads (do we allow users to submit harmless uploads? Who determines their safety?)
What tools can we employ to help protect?
Virus Protection
Well-meaning admins and users risk viruses
Examples include Norton, McAfee, clamAV
Signature-based
Anomaly-based & heuristics
What is zero-day malware?
Can a virus mask itself to avoid signature?
Signature Updates
How long does it take to patch?
Application and Data security depend on a virus-free environment.
Privilege Control
Privilege control on an O/S is typically made up of white lists and black lists (e.g. work phones, work computers)
Firewalls are predicated on Allow vs. Deny by source
Network firewalls can block the worst traffic; host firewalls should enforce stricter Least Privilege (e.g. DB Server ←→ Apache Server)
Email servers implement Black Lists and often White Lists
Can I have both Black list and a White list?
Do all my servers share root passwords?
Am I using Service Accounts? (e.g. can I run the database as something less than root?)
Privilege Control
Have I disabled unnecessary services?
Have I uninstalled unneeded software?
Have I disabled unnecessary accounts?
Are all passwords strong enough?
Are there ANY default passwords in place? Dev passwords? Duplicate passwords?
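The account questions above can be answered mechanically. As an added example (not part of the slides or the lab), the following Python script audits constructed /etc/passwd and /etc/shadow style entries from two hypothetical hosts (web1, db1; the hashes are placeholders, not real) for the problems the checklist names: empty passwords, extra UID 0 accounts, service accounts that still have an interactive login shell, and the same password hash appearing on more than one server. The UID cut-off of 999 for service accounts and the list of interactive shells are assumptions taken from the Debian convention.

```python
from collections import defaultdict

# Constructed sample data for two hosts; hash values are placeholders, not real digests.
HOSTS = {
    "web1": {
        "passwd": """\
root:x:0:0:root:/root:/bin/bash
mysql:x:112:118:MySQL Server:/nonexistent:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
dev:x:1001:1001::/home/dev:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
""",
        "shadow": """\
root:$6$c1$HASH_A:19000:0:99999:7:::
mysql:!:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
dev::19000:0:99999:7:::
backup:*:19000:0:99999:7:::
""",
    },
    "db1": {
        "passwd": """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second admin:/root:/bin/bash
postgres:x:113:119:PostgreSQL:/var/lib/postgresql:/usr/sbin/nologin
ops:x:1001:1001::/home/ops:/bin/bash
""",
        "shadow": """\
root:$6$c1$HASH_A:19000:0:99999:7:::
toor:$6$c2$HASH_B:19000:0:99999:7:::
postgres:*:19000:0:99999:7:::
ops:$6$c3$HASH_C:19000:0:99999:7:::
""",
    },
}

# Assumption: these shells allow an interactive login; anything else is treated as locked.
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/dash"}


def parse_passwd(text):
    """name -> {uid, gid, home, shell} from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_shadow(text):
    """name -> password field from shadow-format lines ('' means no password at all)."""
    return {line.split(":")[0]: line.split(":")[1] for line in text.splitlines() if line.strip()}


def audit(hosts, service_uid_max=999):
    """Return sorted (host, user, issue) findings across all hosts."""
    findings = []
    hash_owners = defaultdict(list)  # password hash -> [(host, user)] that use it
    for host, files in hosts.items():
        users = parse_passwd(files["passwd"])
        hashes = parse_shadow(files["shadow"])
        for name, info in users.items():
            pw = hashes.get(name, "!")  # missing shadow entry treated as locked
            if pw == "":
                findings.append((host, name, "empty_password"))
            if info["uid"] == 0 and name != "root":
                findings.append((host, name, "uid_0_not_root"))
            if 0 < info["uid"] <= service_uid_max and info["shell"] in INTERACTIVE_SHELLS:
                findings.append((host, name, "service_account_login_shell"))
            if pw and not pw.startswith(("!", "*")):  # a real, unlocked hash
                hash_owners[pw].append((host, name))
    # Identical hash (same salt and digest) on two hosts means the same password was cloned.
    for owners in hash_owners.values():
        hosts_with = sorted({h for h, _ in owners})
        if len(hosts_with) > 1:
            for host, name in owners:
                others = ",".join(h for h in hosts_with if h != host)
                findings.append((host, name, f"password_hash_shared_with:{others}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(HOSTS):
        print(*finding)
```

Two limits to keep in mind: the shared-hash check only catches passwords copied with the same salt (typically a cloned image), so two hosts given the same password independently will have different hashes and pass; and it says nothing about strength. Shadow files are root-only for a reason, so run a check like this on each host rather than copying the files to one place.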
Network Intrusion Detection & Prevention
NIDS/NIPS, IDS, IPS, HIDS/HIPS
Intrusion Detection vs. Prevention - Network-focused or Host-focused.
Network IDS monitors traffic by machine, port, and protocol; IP addresses can be included (e.g. Snort, Bro, Zeek)
IPS inspects traffic. Can block, quarantine, or redirect.
Application-aware for finer-grained control
e.g. Snort, Checkpoint
Adaptive response vs. static firewall
IDS vs. IPS
Integrity Checks
File baselining (do you know that the files in place have not been altered?)
File integrity scanning (e.g. aide, samhain, SolarWinds, TripWire, etc.) using hashes
https://help.ubuntu.com/community/FileIntegrityAIDE
https://www.la-samhna.de/samhain/index.html
Searching for anomalies in a running system is notoriously challenging, so it is best to have as many controls in place as possible so that an attacker has to clear many hurdles.
How can I KNOW that the files have not been compromised?
Rootkit detection is built into several tools (OSSEC, Samhain, others). They compare the host O/S against known signatures to ensure kernel integrity (e.g. “what if root and the kernel are not what I installed?”)
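To make the baselining idea concrete, here is an added example (not from the slides, and not AIDE's or Samhain's code) of the core of a file integrity checker in Python: record a SHA-256 hash, size and permission bits for every file under a directory, save that as the baseline, then later rebuild the picture and diff it. The demo function builds a small constructed tree in a temporary directory, takes a baseline, then simulates the four kinds of change a checker must catch: edited content, changed permissions only, a deleted file and a new file.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash, size and permission bits for every regular file under root.

    Keys are paths relative to root so the same baseline can be taken from a
    known-good master image and checked against the deployed host.
    """
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            baseline[str(path.relative_to(root))] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the baseline; in practice keep this copy off-host or on read-only media."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed, or changed (content, size or permissions)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "tree"
        (root / "etc").mkdir(parents=True)
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "index.php").write_text("<?php echo 'yoga'; ?>\n")
        os.chmod(root / "index.php", 0o644)

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulated changes after the baseline was taken:
        with (root / "etc" / "passwd").open("a") as fh:  # content change
            fh.write("svc:x:1002:1002::/home/svc:/bin/bash\n")
        os.chmod(root / "index.php", 0o600)              # permission-only change
        (root / "etc" / "hosts").unlink()                # file removed
        (root / "etc" / "new.conf").write_text("x=1\n")  # file added

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats that the real tools address and this sketch does not: a baseline stored on the same host can be rewritten by whoever altered the files, so it belongs off-host or on read-only media; and the scan trusts the kernel's view of the file system, which is exactly what a rootkit subverts, so the kernel integrity check above is the complement to this file-level check, not a substitute for it.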
Surveillance
High need to watch and alert on problems
Log review is very difficult
Automated checks tend to have high numbers of false positives
Nmap allows us to know what is on a network (more below)
Kali has several surveillance tools built in (Legend, Wireshark, etc.)
These and other tools map the network topology and can be part of surveillance for any changes to that picture
Integrity checkers looking for changes
Sniffers like Wireshark allow for network traffic observation
Both approaches provide the means to set up “tripwires”, or the ability to alert when something anomalous is detected
SIEM
SIEM (Security Information & Event Management)
Many SIEM tools provide a variety of capabilities, including surveillance, file integrity, network traffic monitoring, privilege monitoring, and log evaluation
Centralized hub for multiple hosts, servers, clients, switches, etc.
Examples include Splunk, Snort, SolarWinds, ArcSight, LogRhythm, ELK Stack (Elasticsearch, Logstash, Kibana), AlienVault/OSSIM, McAfee. (Images on next slides)
Top challenges: manual labor, false positives, only as smart as the operator
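The log-evaluation and false-positive points are easiest to see in code. The following is an added example (not from the slides, and not how any named SIEM product is implemented) of the kind of correlation rule a SIEM runs: it parses constructed sshd log lines in syslog format (sample hostnames and documentation-range IP addresses, not real traffic), keeps a sliding window of failed logins per source address, and raises a high-severity alert once a threshold is crossed. A second, weaker rule fires on any success that follows a failure from the same source; a user mistyping a password trips it, which is the false-positive trade-off the operator has to tune. Threshold and window values are assumptions chosen for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of sshd lines in syslog format (not captured from a real host).
SAMPLE_LOG = """\
Mar  1 10:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  1 10:00:03 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  1 10:00:04 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  1 10:00:06 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  1 10:00:07 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  1 10:00:09 web1 sshd[2102]: Accepted publickey for deploy from 198.51.100.10 port 40110 ssh2
Mar  1 10:00:09 web1 sshd[2102]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Mar  1 10:05:00 web1 sshd[2103]: Failed password for alice from 192.0.2.5 port 40500 ssh2
Mar  1 10:05:20 web1 sshd[2103]: Accepted password for alice from 192.0.2.5 port 40500 ssh2
Mar  1 11:00:00 web1 sshd[2104]: Failed password for root from 192.0.2.9 port 41000 ssh2
Mar  1 11:30:00 web1 sshd[2105]: Failed password for root from 192.0.2.9 port 41001 ssh2
"""

# Signature for the two sshd message shapes we care about; everything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line):
    """Normalise one sshd line into an event dict; None for lines the rule does not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # Syslog timestamps carry no year; adequate for ordering within one day's sample.
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    return ev


def parse_log(text):
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def evaluate(events, threshold=5, window_seconds=60):
    """Correlate events per source address and return a list of alert dicts.

    ssh_bruteforce (high): at least `threshold` failures from one source inside the window.
    success_after_failures (low): a successful login from a source that failed inside the
    window; weak on its own, so it is emitted for an operator to tune or suppress.
    """
    recent_failures = defaultdict(deque)  # src -> recent failed events, oldest first
    alerts = []
    for ev in events:
        hist = recent_failures[ev["src"]]
        while hist and (ev["ts"] - hist[0]["ts"]).total_seconds() > window_seconds:
            hist.popleft()  # expire failures that fell out of the window
        if ev["outcome"] == "Failed":
            hist.append(ev)
            if len(hist) >= threshold:
                alerts.append({
                    "rule": "ssh_bruteforce", "severity": "high", "src": ev["src"],
                    "count": len(hist), "users": sorted({e["user"] for e in hist}),
                    "first": hist[0]["ts"], "last": ev["ts"],
                })
                hist.clear()  # one alert per burst, not one per extra failure
        elif ev["outcome"] == "Accepted" and hist:
            alerts.append({
                "rule": "success_after_failures", "severity": "low", "src": ev["src"],
                "user": ev["user"], "prior_failures": len(hist),
            })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(parse_log(SAMPLE_LOG)):
        print(alert)
```

With the defaults, the five rapid failures from 203.0.113.7 produce one high-severity alert and alice's typo produces one low-severity one; the two failures from 192.0.2.9 half an hour apart produce nothing. Lowering the threshold to 2 and widening the window to an hour catches the slow source too, at the cost of more alerts per burst, which is the "only as smart as the operator" trade-off in practice.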
[Image slides: Splunk, ELK (Elasticsearch + Logstash + Kibana), and SolarWinds dashboards]
Additional Protections
TPM (Trusted Platform Module) - checks at the chip level that the boot sequence can be trusted. “Secure boot” checks stored signatures and hashes.
Trusted Operating System (e.g. SELinux, Oracle Label Security) uses fine-grained controls and labels on every object, with strict enforcement of authentication, authorization, least privilege, change management, etc.
Use of Master Images (known good build)
Patch, patch, patch - automated/scheduled, with a commitment to keeping it up. See examples from chapter 5, such as WannaCry
What is the downside to frequent patching?
Look-ahead
Midterm released Monday. Time limit will be 2 hours.
All testing will complete by Tuesday at midnight.
When you start it, your time has begun, and you must complete it.
Contact Professor immediately if you have any conflict affecting the midterm! Do not send me an urgent email the day before or the day of the midterm.