Network Security Fundamentals Security Training Course Dr. Charles - PowerPoint PPT Presentation


  1. Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013

  2. Network Security Fundamentals Module 9 Linux Security & Logging

  3. Linux Security
     • Real-World Linux Security
     • RHEL Security Guides
     • Logging
     04/13 cja 13 3

  4. Real-World Linux Security

  5. Real-World Linux Security
     The seven deadly sins
        ◦ Weak/default passwords
        ◦ Open network ports
        ◦ Old software versions
        ◦ Insecure programs
        ◦ Insufficient resources
        ◦ Stale/unnecessary accounts
        ◦ Procrastination
     Bob Toxen, “Real World Linux Security: intrusion detection, prevention, and recovery,” 2nd Ed., Prentice-Hall 2003.

  6. Turn off insecure passwords
     • Use SHA-512 & passphrases
        ◦ Password hashes in /etc/shadow should start with $6$
        ◦ Maximum password length is 256 characters
     • Use /etc/shadow
     • Both defined by default
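The $6$ check on this slide is easy to script. The following is an added example, not part of the course material: it classifies the password field of each /etc/shadow entry by its crypt(3) prefix and reports every account that is neither SHA-512 nor locked. The sample shadow lines are constructed, and their hash bodies are placeholders rather than real hashes.

```python
import re

# crypt(3) prefixes as they appear in the second field of /etc/shadow.
# $6$ is the SHA-512 scheme the slide asks for; anything else is reported.
HASH_SCHEMES = {
    "$6$": "sha512",
    "$5$": "sha256",
    "$1$": "md5",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    "$y$": "yescrypt",
}

def classify_hash(field: str) -> str:
    """Name the scheme used by one /etc/shadow password field."""
    if field == "":
        return "empty"            # no password at all: login without authentication
    if field.startswith(("!", "*")):
        return "locked"           # password authentication disabled for the account
    for prefix, name in HASH_SCHEMES.items():
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "des"              # legacy 13-character DES crypt
    return "unknown"

def audit_shadow(text: str) -> list[tuple[str, str]]:
    """Return (user, scheme) for every account whose password field is not
    SHA-512 and not locked, in file order."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        scheme = classify_hash(pw)
        if scheme in ("sha512", "locked"):
            continue
        findings.append((user, scheme))
    return findings

# Constructed sample; the hash bodies are placeholders, not real password hashes.
SAMPLE_SHADOW = """\
root:$6$saltsalt$placeholderhashplaceholderhash:15800:0:99999:7:::
daemon:*:15800:0:99999:7:::
alice:$6$anothersalt$placeholderhash:15800:0:99999:7:::
bob:$1$legacy$placeholdermd5hash:15800:0:99999:7:::
carol:AbCdEfGhIjKlM:15800:0:99999:7:::
guest::15800:0:99999:7:::
svc:!!:15800:0:99999:7:::
"""

if __name__ == "__main__":
    # On a real host: audit_shadow(open("/etc/shadow").read()) as root
    for user, scheme in audit_shadow(SAMPLE_SHADOW):
        print(f"{user}: password field uses {scheme}, expected sha512")
```

Run it against the real file as root; an "empty" or "des" finding is the slide's "insecure password" in practice, and an "md5" finding means the account was last changed before the SHA-512 default took effect.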

  7. Prevent ARP Cache Poisoning
     • Prevent ARP entries from being spoofed by making them permanent
        ◦ add known ARP entries to /etc/ethers
        ◦ add the following to /etc/rc.d/rc.local
            arp -f /etc/ethers
        ◦ entries read from the file are marked permanent
     • Use network switch port configurations

  8. arp
     • /sbin/arp command
        ◦ w/o args, displays contents of ARP cache
        ◦ -a          show all cache entries
        ◦ -d h        delete entry for host h
        ◦ -s h e      set permanent entry for host h with layer 2 address e
        ◦ -s h e temp set temporary entry for host h with layer 2 address e
        ◦ -f f        read (default permanent) entries from file f
        ◦ -n          don't convert host addresses to names

  9. arping
     • Similar to ping, but uses ARP requests and replies for probing
        ◦ Doesn't require the sender to have an IP address
        ◦ Limited to the local subnet, unless proxy ARP is in use

  10. arping
     • /sbin/arping destination
        ◦ w/o args, displays usage
        ◦ -I i   use interface i (required)
        ◦ -b     use only Layer 2 broadcasts
        ◦ -s s   use source address s
        ◦ -U     unsolicited ARP
        ◦ -D     detect duplicate IP addr (RFC 2131)

  11. arpwatch
     • Monitors ARP traffic
     • Detects Layer 2 / Layer 3 address pairing changes
        ◦ Records to syslog
        ◦ Emails to administrator
     • Changes detected
        ◦ New station – new pairing using previously unseen layer 2 address
        ◦ New activity – new pairing using previously seen layer 2 address
        ◦ Flip flop – layer 2 address changed in existing pairing
        ◦ Changed ethernet address – layer 2 address changed on host
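To make the four change types concrete, here is an added example (not arpwatch's own code) that applies the slide's definitions to a sequence of (IP, MAC) observations and emits arpwatch-style syslog messages. It follows the slide for "new station" and "new activity"; for telling "flip flop" from "changed ethernet address" it assumes arpwatch's convention that a flip flop is a host returning to the address it was paired with immediately before. The observation list is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class PairingWatcher:
    """Tracks IP -> layer 2 address pairings and classifies each change."""
    current: dict = field(default_factory=dict)    # ip -> MAC it is paired with now
    previous: dict = field(default_factory=dict)   # ip -> MAC it was paired with before
    seen_macs: set = field(default_factory=set)    # every MAC observed so far

    def observe(self, ip: str, mac: str):
        """Record one ARP observation; return the event name or None if nothing changed."""
        mac = mac.lower()
        event = None
        if ip not in self.current:
            # new pairing: the MAC decides between the two "new" events
            event = "new activity" if mac in self.seen_macs else "new station"
        elif self.current[ip] != mac:
            # existing pairing whose layer 2 address changed
            if self.previous.get(ip) == mac:
                event = "flip flop"                # back to the address used just before
            else:
                event = "changed ethernet address"
            self.previous[ip] = self.current[ip]
        self.current[ip] = mac
        self.seen_macs.add(mac)
        return event

def watch(observations):
    """Run a sequence of (ip, mac) observations and return the messages arpwatch
    would have logged, in the 'arpwatch: <event> <ip> <mac>' form seen on the lab slide."""
    watcher = PairingWatcher()
    messages = []
    for ip, mac in observations:
        event = watcher.observe(ip, mac)
        if event:
            messages.append(f"arpwatch: {event} {ip} {mac.lower()}")
    return messages

# Constructed observation sequence (the first pairing mirrors the lab slide's sample output).
SAMPLE_OBSERVATIONS = [
    ("172.16.234.2", "0:50:56:e7:f7:34"),   # never seen: new station
    ("172.16.234.2", "0:50:56:e7:f7:34"),   # unchanged: silent
    ("172.16.234.3", "0:50:56:e7:f7:34"),   # new IP, known MAC: new activity
    ("172.16.234.2", "0:0c:29:aa:bb:cc"),   # MAC replaced: changed ethernet address
    ("172.16.234.2", "0:50:56:e7:f7:34"),   # back to the old MAC: flip flop
]

if __name__ == "__main__":
    for line in watch(SAMPLE_OBSERVATIONS):
        print(line)
```

The "changed ethernet address" followed by "flip flop" pattern on one IP is the signature an administrator would look for after a suspected ARP cache poisoning episode: the host's address changes to an unknown MAC and then reverts once the spoofer stops.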

  12. arpwatch lab
     • Look at the man page
        ◦ man arpwatch
     • Display syslog messages
        ◦ Start another terminal window
        ◦ sudo tail -f /var/log/messages
     • Edit the config file
        ◦ sudo vi /etc/sysconfig/arpwatch
        ◦ Insert "-i ethN" into OPTIONS if needed, adjust others as necessary
     • (Optional) set arpwatch to start on boot
        ◦ chkconfig --list arpwatch
        ◦ chkconfig arpwatch on
        ◦ chkconfig --list arpwatch
     • Start arpwatch
        ◦ sudo service arpwatch start
        ◦ You should see eth2 entering promiscuous mode in the syslog
     • Generate some ARP traffic
        ◦ Empty, then list your ARP cache
        ◦ You should see something like the following in the log (and in an email message, if you've set that up)
            Apr 21 16:10:58 localhost arpwatch: new station 172.16.234.2 0:50:56:e7:f7:34
     • No output? Get arpwatch to forget:
        ◦ sudo service arpwatch stop
        ◦ sudo cp /dev/null /var/lib/arpwatch/arp.dat
        ◦ sudo service arpwatch start

  13. RHEL Security Guides
     • Canonical step-by-step guide
        ◦ Security overview
        ◦ Attackers and Vulnerabilities
        ◦ Security Updates
        ◦ Workstation Security
        ◦ Server Security
        ◦ Virtual Private Networks
        ◦ Firewalls
        ◦ Vulnerability Assessment
        ◦ Intrusion Detection
        ◦ Incident Response

  14. Security Guides
     • Three guides:
        ◦ http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
        ◦ http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf
        ◦ http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/pdf/Security_Guide/Red_Hat_Enterprise_Linux-6-Security_Guide-en-US.pdf

  15. Logging

  16. Roadmap
     • Motivation
     • Challenges
     • Syslog
     • Centralized Logging
     • Log reduction
     • Swatch, logwatch

  17. Motivation
     • Administration & debugging
     • Detect & analyze security & performance incidents
     • Auditing
     • Regulatory requirements
        ◦ HIPAA, SOX, PCI, GLBA, …

  18. Example
     Jan 2 16:19:23 host.example.com snort[1260]: RPC Info Query: 10.2.3.4 -> host.example.com:111
     Jan 2 16:19:31 host.example.com snort[1260]: spp_portscan: portscan status from 10.2.3.4: 2 connections across 1 hosts: TCP(2), UDP(0)

  19. Example
     Jan 02 16:19:45 host.example.com rpc.statd[351]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿bffff750 8 0 4 9 7 1 0 9 0 9 0 9 0 9 0 6 8 7 4 6 5 6 7 6 2 7 4 7 3 6 f 6 d 6 1 6 e 7 9 7 2 6 5 2 0 6 5 2 0 7 2 6 f 7 2 2 0 7 2 6 f 6 6 b f f f f 7 1 8 bffff719 bffff71a b f f f f 7 1 b _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ ! _ _ ! _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

  20. Example
     • Jan 02 16:20:25 host.example.com adduser[12152]: new user: name=cgi, uid=0, gid=0, home=/home/cgi, shell=/bin/bash
     • Jan 02 16:22:02 host.example.com PAM_pwdb[12154]: password for (cgi/0) changed by ((null)/0)

  21. Challenges
     • Log generation & storage
     • Log CIA
     • Log analysis

  22. CEE - Coming soon?
     Common Event Expression
     • Standardizes the way computer events are described, logged, and exchanged
        ◦ Create an event expression taxonomy for uniform and precise log definitions that lead to a common event representation.
        ◦ Create logging syntax utilizing a single data dictionary to provide consistent event specific details.
        ◦ Standardize flexible event transport mechanisms to support multiple environments.
        ◦ Propose log recommendations for the events and attributes devices generate.
     • http://cee.mitre.org/language/1.0-beta1/overview.html
     • (August, 2012)

  23. syslog
     • UNIX/Linux logging daemon
        ◦ facility (origin) & priority (importance)
        ◦ log entry accepted by daemon
        ◦ logged according to config file
     • Windows third-party tools
        ◦ Windows event log -> syslog
            http://www.eventreporter.com/
            http://www.winagents.com/
        ◦ syslog -> Windows
            http://www.winsyslog.com/en/

  24. syslog
     • LogAnalyzer (née phpLogCon)
        ◦ Front end for searching, reviewing and analyzing event data
        ◦ Data sources
            » syslog, rsyslog, WinSyslog log files
            » MySQL databases (Adiscon MonitorWare, php-syslog-ng schemas)
            » Any LF-delimited file
            » Multiple instances
        ◦ Data display
            » GUI controls: scroll, search, tooltip, …
        ◦ http://loganalyzer.adiscon.com/

  25. syslog
     • Splunk
        ◦ Indexes log file data, also config files, arbitrary script output
        ◦ Data sources
            » syslog, rsyslog, WinSyslog log files
            » Config files
            » Arbitrary script outputs
            » Multiple instances
        ◦ Indexes data
            » Free for indexing up to 500 MB/day
        ◦ Data display
            » GUI controls: scroll, search, tooltip, …
        ◦ http://www.splunk.com/

  26. rsyslog
     • The reliable & extended Linux logging daemon
     • Upward-compatible with syslogd
        ◦ Provides reliable remote logging
            » TCP – ubiquitous, uses a reliable connection
            » RELP – queues locally until the loghost is accessible
     • man rsyslogd
     • man 5 rsyslog.conf
     • /etc/rsyslog.conf

  27. rsyslog basic lab
     • Edit log destination
        ◦ sudo vi /etc/rsyslog.conf
        ◦ Add line under RULES section
            *.debug,mark.debug /var/log/fulllog
     • Tell syslog to re-read config file
        ◦ sudo service rsyslog restart
     • Test the syslog
        ◦ logger 'Hello, world!'

  28. centralized logging lab
     • Your instructor will provide the identity of a central logging host
        ◦ pst.merit.edu
     • Edit local /etc/rsyslog.conf
        ◦ Add forwarding rule with remote host
            *.* @pst.merit.edu
     • Tell local syslog to re-read config file
        ◦ sudo service rsyslog restart
     • Test with logger

  29. Relay Architecture

  30. Log Reduction
     • Make three piles
        ◦ ignore - don't want to see these, ever
        ◦ baseline - aren't likely to contain time-critical security information
        ◦ investigate - those that do

  31. Log Reduction
     • A simple first step
        ◦ cut -f5- -d' ' /var/log/fulllog | sed -e 's/[0-9][0-9]*/###/g' | sort | uniq -c | sort -nr
     • Use script in /usr/local/lab/syslog/reduce
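The pipeline on this slide and the three piles on the previous one fit together: reduce first, then sort the reduced signatures into ignore/baseline/investigate. The following added example (not the course's /usr/local/lab/syslog/reduce script) does both in Python over a constructed log made of the example lines from slides 18 and 20 plus some routine mark and cron entries. It splits on runs of whitespace rather than on single spaces as `cut -d' '` does, so single-digit days such as "Jan  2" are handled; the pile patterns are illustrative assumptions.

```python
import re
from collections import Counter

NUMBER_RE = re.compile(r"[0-9][0-9]*")   # same pattern as the sed on the slide

# Constructed pile rules, applied to the message before numbers are masked so
# that details such as uid=0 can still be matched. Anything unmatched is baseline.
PILES = (
    ("ignore", (r"^-- MARK --$",)),
    ("investigate", (
        r"^snort\[\d+\]: ",
        r"^adduser\[\d+\]: new user: .*\buid=0\b",
        r"^PAM_pwdb\[\d+\]: password for .* changed by \(\(null\)/\d+\)",
        r"gethostbyname error",
    )),
)

def split_message(line):
    """Drop the timestamp (3 fields) and hostname (1 field), like cut -f5-."""
    parts = line.split(None, 4)
    return parts[4] if len(parts) == 5 else ""

def reduce_line(line):
    """Mirror of: cut -f5- -d' ' | sed 's/[0-9][0-9]*/###/g'"""
    return NUMBER_RE.sub("###", split_message(line))

def reduce_log(text):
    """Signature counts, most frequent first (sort | uniq -c | sort -nr)."""
    counts = Counter(reduce_line(l) for l in text.splitlines() if l.strip())
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def pile_for(message):
    for pile, patterns in PILES:
        if any(re.search(p, message) for p in patterns):
            return pile
    return "baseline"

def triage(text):
    """Reduced signature counts grouped into the three piles of slide 30."""
    piles = {"ignore": Counter(), "baseline": Counter(), "investigate": Counter()}
    for line in text.splitlines():
        if not line.strip():
            continue
        msg = split_message(line)
        piles[pile_for(msg)][NUMBER_RE.sub("###", msg)] += 1
    return {p: sorted(c.items(), key=lambda kv: (-kv[1], kv[0])) for p, c in piles.items()}

# Constructed log: the slide 18/20 examples plus routine mark and cron lines.
SAMPLE_LOG = """\
Jan  2 16:19:23 host.example.com snort[1260]: RPC Info Query: 10.2.3.4 -> host.example.com:111
Jan  2 16:19:31 host.example.com snort[1260]: spp_portscan: portscan status from 10.2.3.4: 2 connections across 1 hosts: TCP(2), UDP(0)
Jan  2 16:20:00 host.example.com -- MARK --
Jan  2 16:20:25 host.example.com adduser[12152]: new user: name=cgi, uid=0, gid=0, home=/home/cgi, shell=/bin/bash
Jan  2 16:22:02 host.example.com PAM_pwdb[12154]: password for (cgi/0) changed by ((null)/0)
Jan  2 16:25:01 host.example.com CROND[12201]: (root) CMD (run-parts /etc/cron.hourly)
Jan  2 16:40:00 host.example.com -- MARK --
Jan  2 17:25:01 host.example.com CROND[12377]: (root) CMD (run-parts /etc/cron.hourly)
"""

if __name__ == "__main__":
    for pile, entries in triage(SAMPLE_LOG).items():
        print(f"== {pile} ==")
        for signature, count in entries:
            print(f"{count:6d} {signature}")
```

Note what masking costs: after reduction the adduser line reads `uid=###, gid=###`, so the fact that a uid 0 account was created is only visible if the pile rule runs before the numbers are replaced, which is why the classification here looks at the unmasked message.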

  32. Baselining I
     • Construct a baseline
        ◦ Measure a set of known data to compute the range of “normal” values
        ◦ Examples
            » Network traffic by protocol
            » Logins/logouts
            » Accesses of admin accounts
            » DHCP address management
            » DNS requests
            » Amount of log data/day
            » Number of processes running
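One way to turn "measure known data to compute a range of normal values" into a check, as an added example that is not part of the course material: compute mean and sample standard deviation per metric over a known-good period, then report the metrics of a new day that fall outside mean ± k·σ. The daily measurements are constructed; the choice of k = 3 and of sample (not population) standard deviation are assumptions of this example.

```python
from statistics import mean, stdev

# Metrics drawn from the slide's list of examples.
METRICS = ("logins", "admin_logins", "dns_requests", "log_bytes", "processes")

# Constructed daily measurements from a period believed to be clean.
KNOWN_GOOD = [
    {"logins": 40, "admin_logins": 2, "dns_requests": 1200, "log_bytes": 5_000_000, "processes": 110},
    {"logins": 44, "admin_logins": 2, "dns_requests": 1250, "log_bytes": 5_200_000, "processes": 112},
    {"logins": 38, "admin_logins": 2, "dns_requests": 1150, "log_bytes": 4_900_000, "processes": 108},
    {"logins": 42, "admin_logins": 2, "dns_requests": 1300, "log_bytes": 5_300_000, "processes": 111},
    {"logins": 36, "admin_logins": 2, "dns_requests": 1100, "log_bytes": 4_800_000, "processes": 109},
]

def build_baseline(records):
    """Per metric: (mean, sample standard deviation) over the known-good period."""
    if len(records) < 2:
        raise ValueError("need at least two records to estimate spread")
    return {m: (mean(r[m] for r in records), stdev(r[m] for r in records)) for m in METRICS}

def deviations(baseline, record, k=3.0):
    """Metrics of `record` outside mean ± k*stdev, as (metric, value, low, high).
    A metric that never varied in the baseline has stdev 0, so any change is reported."""
    out = []
    for metric, (mu, sigma) in baseline.items():
        value = record[metric]
        low, high = mu - k * sigma, mu + k * sigma
        if value < low or value > high:
            out.append((metric, value, low, high))
    return out

# Constructed days to compare against the baseline.
QUIET_DAY = {"logins": 41, "admin_logins": 2, "dns_requests": 1180, "log_bytes": 5_000_000, "processes": 110}
BUSY_DAY = {"logins": 70, "admin_logins": 5, "dns_requests": 1220, "log_bytes": 5_100_000, "processes": 112}

if __name__ == "__main__":
    baseline = build_baseline(KNOWN_GOOD)
    for name, day in (("quiet", QUIET_DAY), ("busy", BUSY_DAY)):
        for metric, value, low, high in deviations(baseline, day):
            print(f"{name}: {metric}={value} outside [{low:.1f}, {high:.1f}]")
```

On the busy day both the login count and the admin-account accesses fall outside the band, which is the kind of signal the "investigate" pile from slide 30 is meant to surface; the other three metrics stay within their normal ranges and are not reported.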
