Download Linux OS : Security Aspects

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
Document related concepts

Post-quantum cryptography wikipedia , lookup

Computer security wikipedia , lookup

Security-focused operating system wikipedia , lookup

Signals intelligence wikipedia , lookup

Cybercrime countermeasures wikipedia , lookup

Transcript 
Third Andean Workshop on Electronic Communications,
20-24 November 2000, Lima, PERU
Introduction to Network/Linux
Security
Christian Benvenuti
International Center for Theoretical Physics (ICTP), Trieste, Italy
christian.benvenuti@libero.it
Overview
• What is computer security?
• Kind of security services one might desire
• What kind of attacks should we try to
protect a computer against?
• What are the available protection
strategies available?
• What can we expect for the future?
christian.benvenuti@libero.it
Third Andean Workshop on Electronic Communications, 20-24 November 2000, Lima, PERU
What is computer security?
• A computer is secure if you can depend
on it and its software to behave as you
expect.
• If you do not know what you are
protecting, why you are protecting it,
and what you are protecting it from,
your task will be rather difficult!
christian.benvenuti@libero.it
Third Andean Workshop on Electronic Communications, 20-24 November 2000, Lima, PERU
Kind of security one might desire
•
•
•
•
•
•
christian.benvenuti@libero.it
Authentication
Confidentiality (Privacy)
Integrity
Availability
Non-Repudation
Auditing
Third Andean Workshop on Electronic Communications, 20-24 November 2000, Lima, PERU
Authentication
• Authentication is the process of reliably verifying
the identity of someone (or something) by
means of:
•
•
•
•
A secret (password [one-time], ...)
An object (smart card, ...)
Physical characteristics (fingerprint, retina, ...)
Trust
• Do not mistake authentication for authorization!
christian.benvenuti@libero.it
Third Andean Workshop on Electronic Communications, 20-24 November 2000, Lima, PERU
Integrity Vs Confidentiality
• Integrity
• Protecting information from being deleted or
altered in any way without the permission of the
owner of that information.
• Confidentiality
• Protecting information from being read or copied
by anyone who has not been explicitly authorized
by the owner of that information.
christian.benvenuti@libero.it
Third Andean Workshop on Electronic Communications, 20-24 November 2000, Lima, PERU
Availability
If the system is unavailable when an
authorized user needs it, the result can
be as bad as having the information that
resides on the system deleted!
christian.benvenuti@libero.it
Third Andean Workshop on Electronic Communications, 20-24 November 2000, Lima, PERU
Non repudation
The ability of the receiver of something to
prove to a third party that the sender
really did send the message.
christian.benvenuti@libero.it
Third Andean Workshop on Electronic Communications, 20-24 November 2000, Lima, PERU
Auditing
The ability to record events that might
have some security relevance. In such
cases, you need to determine what was
affected. In some cases, the audit trail
may be extensive enough to allow “undo”
operations to help restore the system to a
correct state.
christian.benvenuti@libero.it
Third Andean Workshop on Electronic Communications, 20-24 November 2000, Lima, PERU
What kind of attacks should we try
to protect a computer against ?
• Physical Security
• Lockers, BIOS, weather, ...
• Personnel security
• Operating System security
• Network security
christian.benvenuti@libero.it
Third Andean Workshop on Electronic Communications, 20-24 November 2000, Lima, PERU
Personnel security
• All the security violations have one
common characteristic:
• They are caused by people!
• Training, Auditing, Least Privilege, ...
christian.benvenuti@libero.it
Third Andean Workshop on Electronic Communications, 20-24 November 2000, Lima, PERU
Operating System Security
(1/3)
• To fix bugs into applications/O.S. takes
longer than writing the
applications/O.S. themselves.
• What does it mean !?!?!?
christian.benvenuti@libero.it
Third Andean Workshop on Electronic Communications, 20-24 November 2000, Lima, PERU
Operating System Security
(2/3)
• Users, Groups and Passwords
• Shadow suite
• The root account needs special care
• Securetty, wheel, “su” restrictions
• Variable delay on failures (denial, ...)
• Restricted shells
• Linux (UNIX) filesystem
•
•
•
•
•
Restricted filesystem
Access control lists (ACLs)
Append only / Immutable files
Permissions
SUID/GUID files (scripts)
christian.benvenuti@libero.it
Third Andean Workshop on Electronic Communications, 20-24 November 2000, Lima, PERU
Operating System Security
(3/3)
Auditing & Logging
christian.benvenuti@libero.it
Third Andean Workshop on Electronic Communications, 20-24 November 2000, Lima, PERU
Some of the most common
network services
•
•
•
•
•
•
•
•
•
christian.benvenuti@libero.it
DNS
Apache
NFS
NIS/NIS+
Samba
Telnet
FTP
Mail
... ... ...
Third Andean Workshop on Electronic Communications, 20-24 November 2000, Lima, PERU
Network Security: common attacks
• Interception
• Modification
• Intrusion
• Modification, Fabrication
• Denial of service
• Interruption
• Information theft
christian.benvenuti@libero.it
Third Andean Workshop on Electronic Communications, 20-24 November 2000, Lima, PERU
Security tools
• Cryptography
•
•
•
•
Symmetric Vs Asymmetric (Certificates ...)
Kerberous Vs Secure RPC
SSL (Secure Socket Layer) / SSH (Secure shell)
IP Sec
• Firewalls & Proxyes
• Ipchains/Iptable ...
• TCP Wrappers + UDP Relayers
• Pluggable Authentication Module
• It is a suite of shared libraries that enable the local system
administrator to choose how applications authenticate users
• Kernel Level Security
• Log files (/var/log/*)
christian.benvenuti@libero.it
Third Andean Workshop on Electronic Communications, 20-24 November 2000, Lima, PERU
Cryptography:
the solution for privacy
The security is based on the secrecy of the key and sometimes of the alghoritms too.
christian.benvenuti@libero.it
Third Andean Workshop on Electronic Communications, 20-24 November 2000, Lima, PERU
Cryptography
Symmetric Vs Asymmetric
• Symmetric
(Character based Vs Key based)
• The same password is used to both encrypt and
decrypt
• Faster algorithms
• PROBLEM: key management is not easy
• Asymmetric
(also called pubblic key algorithms)
• The password used to encrypt is different from the
one needed to decrypt
• More secure
• It allows to have non-repudiation
christian.benvenuti@libero.it
Third Andean Workshop on Electronic Communications, 20-24 November 2000, Lima, PERU
Data Encryption Standard
(DES)
•
•
•
•
•
It is a symmetric algorithm
Designed by IBM for the U.S. Government in 1977
It is based ona 56 bit key (why only 56?)
Hardware Vs Software implementation
How secure is DES?
• How much would a Des-Breaking engine would cost?
• Is it possible to make DES harder to break in?
• How does it work?
christian.benvenuti@libero.it
Third Andean Workshop on Electronic Communications, 20-24 November 2000, Lima, PERU
RSA
(Rivest, Shamin, Adleman)
• It is an asymmetric algorithm
• Variable Key Lenght (512 default)
• It is based on the fact that it is VERY
hard (impossible?) to factor a big
number in a reasonable amount of time
• It has NOT been demonstrated to be
safe, but ...
christian.benvenuti@libero.it
Third Andean Workshop on Electronic Communications, 20-24 November 2000, Lima, PERU
Secure Shell (ssh)
• It is a secure protocol for secure remote
login over an insecure network
• It can provide:
• Multiple strong authentication methods
• Authentication of both ends of connection
• Pubblic key – Password – Host
• Encryption and compression of data
• Tunnelling and encryption of arbitrary connections
• Negotiations
christian.benvenuti@libero.it
Third Andean Workshop on Electronic Communications, 20-24 November 2000, Lima, PERU
Secure Socket Layer (SSL)
• It is a protocol developed by Netscape
for secure transactions across the Web
• It is based on a public encryption
algorithm
• There are free SSL implementations
• Many servers have not SSL built in, and
there is a reason for that!
christian.benvenuti@libero.it
Third Andean Workshop on Electronic Communications, 20-24 November 2000, Lima, PERU
Security of cryptographic
algorithms
• Let us define the lifetime of an information as the amount of
time the information should be kept secret.
• An encryptioncan cab be considered secure if the time to
break it (for ex. with a brute force attack) is reasonably longer than the
lifetime of the information contained in the plain text.
Length of the key on bits
(estimated in 1995, Applied Cryptography)
Cost
40
56
64
80
112
128
$ 100K
2.00 s.
35 h.
1 y.
70,000 y.
1014 y.
1019 y.
$ 1M
0.20 s.
3.5 h
37 d.
7,000 y.
1013 y.
1018 y.
$ 10M
0.02 s.
21 min.
4 d.
700 y.
1012 y.
1017 y.
christian.benvenuti@libero.it
Third Andean Workshop on Electronic Communications, 20-24 November 2000, Lima, PERU
Wrappers
• Main idea:
• Limit the amount of information reaching a
network-capable progam/application.
• Why should we use wrappers?
• Two common wrappers:
• TCP Wrapper
• Socks
christian.benvenuti@libero.it
Third Andean Workshop on Electronic Communications, 20-24 November 2000, Lima, PERU
What can you do with the
TCP-Wrapper?
•
•
•
•
•
•
•
•
Remote warning banner
Double reverse lookup of the IP address
Access Control List (/etc/hosts.allow + /etc/hosts.deny)
Identd protocol
Advanced use of the Syslog logger
Run a command
Additional wrappers
PROCESS OPTION
christian.benvenuti@libero.it
Third Andean Workshop on Electronic Communications, 20-24 November 2000, Lima, PERU
TCP-Wrapper: downside
• Poor UDP handling
• IP Spoofing
• The destination IP address is not used
christian.benvenuti@libero.it
Third Andean Workshop on Electronic Communications, 20-24 November 2000, Lima, PERU
Socks
• It is a system that allows computers behind a
firewall to access services on the Internet
(Only TCP based services)
christian.benvenuti@libero.it
Third Andean Workshop on Electronic Communications, 20-24 November 2000, Lima, PERU
Firewall
(1/3)
The goal is to reduce the risk of a
security attack from the outside.
christian.benvenuti@libero.it
Third Andean Workshop on Electronic Communications, 20-24 November 2000, Lima, PERU
Firewall: Bastion Host
christian.benvenuti@libero.it
(2/3)
Third Andean Workshop on Electronic Communications, 20-24 November 2000, Lima, PERU
Firewall: Packet filtering
christian.benvenuti@libero.it
(3/3)
Third Andean Workshop on Electronic Communications, 20-24 November 2000, Lima, PERU
References
The pictures have been taken from this book:
• Practical Unix & Internet Security,
2nd edition, O’Reilly & Associates (1996)
christian.benvenuti@libero.it
Third Andean Workshop on Electronic Communications, 20-24 November 2000, Lima, PERU
Related documents
SME (ECUADOR) S.A
SME (ECUADOR) S.A
Newsletter 11 - United Nations Mandate on Human Rights and the
Newsletter 11 - United Nations Mandate on Human Rights and the
Canihua - GFU for Underutilized Species
Canihua - GFU for Underutilized Species
biodiversity
biodiversity
introduction
introduction
Peru - mecps7a
Peru - mecps7a
“PAYMENT TO THE EARTH” RITUAL TRIBUTE TO THE ANDEAN
“PAYMENT TO THE EARTH” RITUAL TRIBUTE TO THE ANDEAN
Intelligent Business
Intelligent Business
Peru, Peruvian Chamber of the Construction Industry
Peru, Peruvian Chamber of the Construction Industry
Panflute
Panflute