Managing Security in a Free/Open Source Environment
Jay Beale
Intelguardians, LLC
Information Security Magazine
Bastille Linux

Outline
1. FOSS security tools success stories
2.

Success Stories
• Snort – Intrusion Detection System
• Nessus – Vulnerability Assessment
• Nmap – Host/application Enumeration
• Bastille – Config lockdown / Firewall
• Ethereal – Network Analysis / Sniffer
• Iptables – Firewall

Snort
• Network-based Intrusion Detection System
  – Captures every packet on its network link
  – Checks packets against “rules” that define attacks
  – Checks packets against protocol definitions, or at least norms

Reason: Ability to create content
• In signature-based IDS, speed to create new signature rules is a major success factor.
• The community of IDS analysts creates and shares Snort signatures as they respond to a new type of attack.
• Being able to create your own rules is a powerful capability for organizations with capable staff.

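To make the "rules that define attacks" idea concrete, here is an added example (not Snort's own engine or any code from the talk): a deliberately small matcher for the classic Snort rule syntax, run over constructed packets. It handles the header fields (protocol, CIDR addresses, ports, direction) and the content/nocase options; the rule text, the sid and the traffic are all made up for illustration.

```python
import ipaddress
import re

# Header: action proto src sport -> dst dport, followed by the option list in parentheses.
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

def parse_rule(text):
    # Parse one classic-syntax Snort rule into header fields plus an options dict.
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: " + text)
    action, proto, src, sport, dst, dport, body = m.groups()
    opts = {}
    for item in filter(None, (s.strip() for s in body.split(';'))):
        key, _, val = item.partition(':')          # flag options such as "nocase" have no value
        opts[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto.lower(), "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": opts}

def _addr_ok(spec, ip):   # "any", a single address, or a CIDR block
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_ok(spec, port):
    return spec == "any" or int(spec) == port

def matches(rule, pkt):
    # Header fields first, then the content option (case-insensitive when nocase is set).
    if rule["proto"] != pkt["proto"]:
        return False
    if not (_addr_ok(rule["src"], pkt["src"]) and _port_ok(rule["sport"], pkt["sport"])
            and _addr_ok(rule["dst"], pkt["dst"]) and _port_ok(rule["dport"], pkt["dport"])):
        return False
    needle, payload = rule["opts"].get("content", ""), pkt["payload"]
    if "nocase" in rule["opts"]:
        payload, needle = payload.lower(), needle.lower()
    return needle in payload            # empty needle (no content option) always matches

def scan(rules, packets):
    # Return (sid, msg) for every rule that fires on each packet, in packet order.
    return [(r["opts"].get("sid"), r["opts"].get("msg"))
            for pkt in packets for r in rules if matches(r, pkt)]

# Constructed rule and traffic (not from the slides); sid 1000001 is a local-range placeholder.
RULES = [parse_rule('alert tcp any any -> 192.168.1.0/24 80 (msg:"WEB-ATTACKS /etc/passwd access"; content:"/etc/passwd"; nocase; sid:1000001;)')]
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40512, "dst": "192.168.1.20", "dport": 80,
     "payload": "GET /cgi-bin/view?file=../../ETC/PASSWD HTTP/1.0\r\n"},   # fires (nocase)
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40513, "dst": "192.168.1.20", "dport": 80,
     "payload": "GET /index.html HTTP/1.0\r\n"},                           # benign
    {"proto": "udp", "src": "10.0.0.5", "sport": 5353, "dst": "192.168.1.20", "dport": 80,
     "payload": "/etc/passwd"},          # right content, wrong protocol: must not fire
]
```

`scan(RULES, PACKETS)` returns one alert, for the first packet only.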
Commercial products supporting Snort rules
• ISS RealSecure
• Symantec’s Manhunt
• Enterasys’ Dragon

Snort: a Standard?
• The SANS Institute, which probably trains more IDS analysts than any other org, teaches a day on Snort in their IDS certification.
• Snort rules have become the standard method for communicating an IDS rule.

Snort: Performance
• Snort almost always places in the Top 3 in tests of IDSs, placing above commercial solutions.

Snort: Support
• Author, Martin Roesch, started Sourcefire Inc to support and productize Snort.
• Managed Security Service Providers have used Snort to provide an outsourced IDS deployment and monitoring service.

Nessus
• Vulnerability Assessment software
• Extremely popular
• Many organizations have built their internal VA practice around Nessus.
• Author, Renaud Deraison, helped to start Tenable Security, productizing Nessus.
• Servers are hosted by financial-related US Government departments.

Support for Nessus
• Primary web and FTP servers hosted by:
  US Department of Commerce
  National Technical Information Service
• CVS and Mail servers hosted by:
  US Treasury Inspector General for Tax Administration:
  Strategic Enforcement Division

Nmap
• Host and application enumeration
• Industry-leading host and application enumeration technology.
• Author has licensed code to commercial companies.

Bastille
• “Lockdown” tool and firewall.
• Dramatically reduces out-of-the-box vulnerabilities through Best Practices.
• Hewlett Packard contributes actively toward both HP-UX support and software at large.

Ethereal
• Network sniffer and protocol parser.
• Gathers packets, reconstructs streams and parses protocols to help in analysis.
• Comparable to the best commercial products in its space.

iptables
• Linux built-in firewall code
• Comparable capabilities to Checkpoint Firewall-1, but no GUI

FreeS/WAN
• Virtual private network capability for Linux
• Allows an administrator to quickly build point-to-point encryption tunnels or entire private networks.
• Ex: well-authenticated, private wireless networks

Part II
Free / Open Source Software
Issues to Consider

Code Integrity: Install-time
• How do I make sure I got the right program code and prevent tampering?
• Programs are generally PGP-signed.
• To do it yourself, check the PGP signatures against the key acquired from keyservers, mailing lists, or program web site.
• We usually offload this task onto a vendor like Red Hat or one specific to this code.

Code Audit: Advantage
• Open Source code allows for code audit.
• In reality, few organizations audit their code. It’s too time-intensive.
• At the same time, the code is available.
• Some organizations pay consultants to audit code they’re using or considering.
• This is especially true for commercial companies building solutions on open source programs.

Code Contributors
• If a program is Open Source and anyone can work on it, how do I make sure a hostile party hasn’t inserted malicious code?
• Open Source programs are maintained by a project lead (PL), who vets code submissions.
• Once programmers show quality in their code and designs, the PL may give them submission rights.
• Is this same standard held in commercial companies?

Patch Management
• How do I know when I need to patch?
• How do I acquire patches?
• What if the program maintainer decides not to issue a patch?
• How do I confirm that a patch is authentic?
Generally, we offload all three of these questions onto our vendor, like Red Hat.

When to Patch?
• Each project maintains a web site listing vulnerabilities and patches.
• If we use a distribution vendor (like Red Hat), they maintain a central repository for patches and announce both vulnerabilities and patches.
• Many vendors make patching easy: Red Hat includes a tool called up2date which downloads necessary patches and can, optionally, install them automatically.

How do I acquire patches?
• The program maintainer releases patches.
• Occasionally, the community releases a patch before the maintainer, who still releases the official patch.
• We can create our own patch if we have the staff, as many vulnerabilities require only one to five lines of code to correct.
• Normally, we offload packaging these patches and alerting to our distribution vendor.

Patch Abandonment
• What if the program maintainer abandons our version of the software or such?
• Our distribution vendor often creates their own independent patches.
• If the community creates a patch, we can vet it ourselves, wait for our distribution vendor to do the same, or find a service that does the same for us.

Patch Authenticity
• Patches to a program are generally PGP-signed, just like the software.
• You can read the patch, if you have staff.
• Generally, we offload checking both the authenticity of the patch and reading the code to our distribution or patch-services vendor.

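The "do it yourself" check from the Code Integrity slide and this slide is the same workflow for a program tarball and for a patch, so one added example covers both (example code, not the talk's own or GnuPG's): run gpg with its machine-readable status output and accept the file only when the signature is good and made by the key whose fingerprint you pinned from the mailing list or project web site. The key step is the fingerprint comparison, since a keyserver can return any key carrying the maintainer's name; the sample status lines and fingerprint below are constructed placeholders.

```python
import subprocess

def gpg_status_lines(sig_path, data_path, gnupghome=None):
    # Run gpg non-interactively and return its machine-readable status lines
    # (--status-fd 1 puts them on stdout; human-readable chatter stays on stderr).
    cmd = ["gpg", "--batch", "--no-tty", "--status-fd", "1", "--verify", sig_path, data_path]
    if gnupghome:                                   # separate keyring holding only the pinned key
        cmd[1:1] = ["--homedir", gnupghome]
    return subprocess.run(cmd, capture_output=True, text=True).stdout.splitlines()

def check_signature(status_lines, expected_fpr):
    # Accept only a good signature made by the one key whose fingerprint we pinned.
    # A signature that merely verifies against *some* key in the keyring is not enough,
    # and gpg's exit code alone does not tell you which key signed.
    expected = expected_fpr.replace(" ", "").upper()
    good, fprs = False, set()
    for line in status_lines:
        tok = line.split()
        if len(tok) < 2 or tok[0] != "[GNUPG:]":
            continue
        kw = tok[1]
        if kw in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            return False, "signature not acceptable: " + kw
        if kw == "GOODSIG":
            good = True
        elif kw == "VALIDSIG":                       # tok[2] = signing-key fpr, tok[11] = primary-key fpr
            fprs.add(tok[2].upper())
            if len(tok) > 11:
                fprs.add(tok[11].upper())
    if not good:
        return False, "no GOODSIG line"
    if expected not in fprs:
        return False, "good signature, but from unpinned key(s): " + ",".join(sorted(fprs))
    return True, "good signature from pinned key " + expected

def verify_download(sig_path, data_path, expected_fpr, gnupghome=None):
    return check_signature(gpg_status_lines(sig_path, data_path, gnupghome), expected_fpr)

# Constructed status output in the shape gpg emits for a valid signature (fingerprint is a placeholder).
SAMPLE_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <maint@example.org>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEFDEADBEEF 2003-01-01 1041379200 0 4 0 1 8 00 "
    "0123456789ABCDEF0123456789ABCDEFDEADBEEF",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
SAMPLE_BAD = ["[GNUPG:] NEWSIG", "[GNUPG:] BADSIG 0123456789ABCDEF Example Maintainer <maint@example.org>"]
```

In real use, `verify_download("patch.diff.asc", "patch.diff", "<fingerprint from the project web site>")` is the call; the fingerprint must come from a channel other than the keyserver that supplied the key.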
Expertise
• Free / Open Source Software seems to require greater expertise to configure and maintain.
• Test new hires’ expertise by using existing skilled staff for interviewing.
• Consider looking into these certifications:
  – Red Hat Certified Engineer
  – SANS GIAC certification GCUX

Small Organizations 1/2
• Is FOSS possible in a small organization, like a tiny community bank with little IT expertise?
• Increased expertise is almost always necessary with FOSS.
  – System administration requires a more solid understanding of the operating system and TCP/IP networking.
  – Programming experience is also very useful, especially in C.
• In a small organization with no IT staff, some FOSS solutions are difficult to maintain.
  – Vendors and/or consultants make this easier.

Small Organizations 2/2
• On the other hand, small organizations with no IT staff rarely have the money for security-enhancing solutions.
• In this case, FOSS’s price may allow for better security, depending on how much maintenance is required after initial installation.
• Low maintenance solutions:
  – Firewalls
  – Virtual Private Networks
  – Configuration Lockdown
• High maintenance solutions:
  – Intrusion Detection Systems

Hardening
• Taking hardening steps eliminates or mitigates 90 percent or more vulnerabilities.
• The Center for Internet Security
  – Creates hardening procedures for operating system and applications.
  – Software covered includes Open Source and Commercial software.

Choosing a Vendor
• Much of what we’re doing becomes easier or possible simply by tapping a vendor to help.
  – Distribution vendors: Red Hat
  – Consulting company: IBM PWC

Questions / Discussion

Bio
Jay Beale is a consultant with DC-based Intelguardians, LLC where he performs architecture reviews, penetration tests and generalized security consulting.
• Columnist: Information Security Magazine
• Lead Developer: Bastille Linux
• Linux Lead: Center for Internet Security
• Senior Research Scientist, GWU CSPRI
• Member, Honeynet Project