Problem
- Client / server infrastructure is very common among most organizations
- Clients provide access to the system; servers run the systems
- Software vulnerabilities (e.g. buffer overflow) and malware need to be considered
- Follow a framework detailed by NIST (National Institute of Standards and Technology) to provide a secure environment, even though we know absolute security is not attainable
OS Layered Model
(layer diagram; recovered labels: User Space, Services / Hypervisor)
Overall Goal
- Assess risks and plan the system development
- Secure the underlying OS and then key applications
- Ensure any critical content is secured
- Ensure appropriate network protection mechanisms are used
- Ensure appropriate processes are used to maintain security (policies)
Hardening the OS
- Default OS configurations are for ease of use
- Measures have to be taken at all stages:
  - Installing and patching
  - Configuring: remove unnecessary applications, services and protocols; define users, groups, controls and privileges
  - Installing additional software (anti-virus, firewall, intrusion detection system, etc.)
  - Testing security
- Install only required services and drivers (from trusted sources)
- Set up automatic updates (only if update time is not an issue)
Booting
- Protect BIOS changes with a password
- Disable some bootable media
- Encrypted hard drives? Pros and cons
Automatic Updates
Automatic updates can be disabled via the msconfig command (Windows), YaST or equivalent (Linux), or the Control Panel (Windows / Linux)
Authentication
- Force default password change
- Password definition
- Password lifespan
Security Testing
- Run some test cases which attempt to break security (stress testing); good hackers make a lot of money here
Application Security
- Configure applications properly
- Use encryption when possible, as seen earlier:
  - for storage
  - for transmission (e.g. SSH connections)
Maintenance
Now that the system is set up, keep it secure. This involves:
- Monitoring and analyzing logging information
- Performing regular backups
- Recovering from security compromises
- Regular testing of security
- Patching, updating, and revising critical software
Logging
Keep a record of important events in the computer. Problems:
- Need to make sure there is enough space
- Manual analysis is hard, so these logs should use a format that a program (e.g. in Perl) can parse
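As an added example (not from the original slides), a POSIX shell script that uses awk in place of the Perl mentioned above to parse constructed syslog-style sshd lines and count failed logins per source address; the hostname, addresses and log lines are all constructed sample data.

```shell
#!/bin/sh
# Added example (not from the slides): parse constructed sshd log lines with
# awk and count "Failed password" events per source address, the kind of
# automated analysis that a consistent, parseable log format makes possible.

# Constructed sample log in syslog format; addresses are documentation ranges.
SAMPLE_LOG='Mar  3 10:15:01 srv1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 52110 ssh2
Mar  3 10:15:03 srv1 sshd[1201]: Failed password for root from 203.0.113.7 port 52111 ssh2
Mar  3 10:15:09 srv1 sshd[1203]: Accepted publickey for lisa from 198.51.100.20 port 40022 ssh2
Mar  3 10:15:12 srv1 sshd[1204]: Failed password for lisa from 198.51.100.20 port 40023 ssh2
Mar  3 10:15:20 srv1 sshd[1201]: Failed password for root from 203.0.113.7 port 52112 ssh2
Mar  3 10:15:25 srv1 cron[900]: (root) CMD (/usr/local/sbin/nightly-backup)'

# failed_logins_by_host: read log lines on stdin and print "count address"
# for every address with at least one failed password event, highest first.
failed_logins_by_host() {
    awk '/ sshd\[[0-9]+\]: Failed password for / {
            # The address is the token after "from"; scanning fields instead
            # of using fixed positions copes with the optional "invalid user".
            for (i = 1; i <= NF; i++) if ($i == "from") count[$(i + 1)]++
         }
         END { for (h in count) print count[h], h }' | sort -rn
}

# flag_hosts THRESHOLD: print only the addresses with >= THRESHOLD failures,
# i.e. the ones an administrator would want to look at first.
flag_hosts() {
    failed_logins_by_host | awk -v t="$1" '$1 >= t { print $2 }'
}

# Demo on the constructed data.
printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_host
printf '%s\n' "$SAMPLE_LOG" | flag_hosts 3
```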
Data Backup
- Backup is the act of creating copies of information such that it may be recovered
- Archiving is keeping these backups for a long period of time in order to meet legal requirements
- Should the backup be kept online or offline?
  - Online: easier access, faster recovery
  - Offline: more secure, harder to recover
  - Why not both? Users should keep their own offline backups, in case the online backup gets removed
Backups
Crontab usage
- crontab -e: edit or create your crontab file
- crontab -l: display your crontab file
- crontab -r: remove your crontab file
Advantage
A scheduled program (e.g. in Perl) can calculate hashes of configuration files and verify their integrity later
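As an added example (not from the original slides), a POSIX shell version of the integrity check described above: it records SHA-256 hashes of a configuration tree into a baseline and later reports changed, missing or new files, using sha256sum and awk instead of Perl. The directory, file names and contents are constructed; the verify step is what you would schedule from crontab.

```shell
#!/bin/sh
# Added example (not from the slides): hash-based integrity baseline for
# configuration files, using sha256sum and awk in place of a Perl program.

# make_baseline DIR OUT: write "hash  ./relative/path" for each regular file.
make_baseline() {
    # Sorted by path so two baselines of the same tree are byte-identical.
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2) > "$2"
}

# verify_baseline DIR BASELINE: print CHANGED/MISSING/NEW lines, one per
# file, and return 1 if anything differs from the baseline (0 otherwise).
verify_baseline() {
    current=$(mktemp)
    make_baseline "$1" "$current"
    # sha256sum separates hash and path with two spaces, hence -F'  '.
    diff_out=$(awk -F'  ' '
        NR == FNR { old[$2] = $1; next }            # first file: the baseline
        { seen[$2] = 1
          if (!($2 in old))       print "NEW " $2
          else if (old[$2] != $1) print "CHANGED " $2 }
        END { for (f in old) if (!(f in seen)) print "MISSING " f }
    ' "$2" "$current" | LC_ALL=C sort)
    rm -f "$current"
    if [ -n "$diff_out" ]; then
        printf '%s\n' "$diff_out"
        return 1
    fi
    return 0
}

# Demo on a constructed scratch tree standing in for /etc.
demo() {
    work=$(mktemp -d)
    mkdir "$work/etc"
    printf 'PermitRootLogin no\n' > "$work/etc/sshd_config"
    printf '127.0.0.1 localhost\n' > "$work/etc/hosts"
    make_baseline "$work/etc" "$work/baseline.sha256"
    # Simulated drift since the baseline: one edited, one removed, one added.
    printf 'PermitRootLogin yes\n' > "$work/etc/sshd_config"
    rm "$work/etc/hosts"
    printf 'Authorized users only\n' > "$work/etc/motd"
    verify_baseline "$work/etc" "$work/baseline.sha256" || echo "integrity check FAILED"
    rm -rf "$work"
}
demo
```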
Commands
- getfacl / setfacl: get / set a file's access control list, e.g. setfacl -m u:lisa:r file
- chown: changes file owner
- chgrp: changes file group
- groups <username>: shows the list of groups to which username (or the current user) belongs; equivalent to cat /etc/group | grep <username>
- There are other commands which start with ch and help with other things; use the auto-complete feature (tab) for a complete list
- chroot jail: temporarily set a new root directory so that services, if they get hijacked, do not give access to the whole system (system call: chroot)
Windows Security
Use automatic updates, especially for:
- Windows
- Adobe Acrobat Reader and Flash Plugin
- Java
Users are defined with a Security ID (SID), and information such as passwords may be stored in the Security Account Manager (SAM)
- System Restore
- User Account Control: treat users with admin rights as admin only when required, otherwise as normal users (Vista and later)
Windows Registry
- Hard to maintain
- Easy to access
- May use a specific application hiding complex information from the administrator
- May use regedit to see everything
- Useful to have an application that queues and monitors registry changes, such that they need to get approved before proceeding
BitLocker: full disk encryption with AES. More under Control Panel > System and Security
Microsoft Baseline Security Analyzer
- Checks for minimal recommended requirements in a system
- It's free
- Shavlik NetChk Limited for legacy systems
Virtualization
- Virtualization: defines an isomorphism that maps a virtual guest system to a physical host
- Adds another degree of freedom by enabling multiple resource managers and controlled sharing
- Adds a level of indirection
- Virtual Machine: adds a virtualization layer which transforms the physical machine into the desired virtual architecture
History of Virtualization
1960s
- 1964: Birth of virtualization with the IBM CP series, a test bed for the IBM S/360 system. Provided full hardware virtualization with the ability to run 14 OS instances.
- 1965: IBM begins shipping S/360 systems, the first mass-produced multi-purpose mainframe. First machine to use virtual memory, giving the appearance of infinite storage capacity.
1970s
IBM S/370, more of the same
1980s
- 1987: Merge/386 becomes available, allowing emulation of Intel 8086 instructions on Intel 80286 and 80386 CPUs. Could run any OS coded for the 8086 but was typically found running Microsoft MS-DOS.
1990s
- 1997: Virtual PC released for Macintosh
- 1998: VMware released for Windows
- 1999: Citrix Presentation Server released for Windows
2001
- Virtual PC released for Windows
- VMware Server released (first x86 server VM)
2003
- Xen Hypervisor released (open source, x86)
- MS buys Virtual PC and releases MS Virtual PC 2004
2005
- MS releases Virtual Server 2005 (guest machines limited to 32-bit, 4 GB of RAM and 1 CPU)
- Intel's VT and AMD's AMD-V hardware virtualization added to server and desktop CPUs
2006
- VMware Server 1.0 released for free
- MS Virtual Server 2005 R2 released for free
- MS Virtual PC 2007 released for free
- MS buys and releases SoftGrid (now called MS App-V)
- Amazon begins developing the first true Cloud
2007
- VMware Server 2.0 released
- VirtualBox released as open source
- Citrix acquires Xen
2008
- VMware buys Thinstall and releases ThinApp
- VMware 6.5 released, first with DX9 hardware virtualization
- MS releases Hyper-V for Windows 2008 (guest machines gain 64-bit support, 64 GB of RAM and 4 CPUs)
- First public Cloud systems come online
2009
MS releases Hyper-V R2 for Windows 2008 R2 (guest machines gain CPU pooling)
2010
- MS releases Hyper-V R2 SP1 (guest machines gain RAM pooling and DX9 hardware support)
- ARM announces the A15 with hardware virtualization
Processor Performance
CPU Speeds
- 1965: IBM S/360, 0.1 MIPS (133,300 IPS)
- 1972: IBM S/370, 1.0 MIPS (1,000,000 IPS)
- 2000: 1 GHz Intel P3, 3,000 MIPS (3,000,000,000 IPS)
- 2009: Qualcomm Snapdragon A8, 2,000 MIPS
- 2010: Intel Core i7, 4 x 147,600 MIPS
- 2010: Qualcomm Snapdragon MP, 2 x 2,500 MIPS
- 2011: Qualcomm/Samsung/nVidia A9 MP, 2 x 5,000 MIPS
- 2012: ARM Cortex A15 MP, 4 x 25,000 MIPS
Uses
- Implement multiprogramming: multiple single-user virtual machine instances. IBM System/370 used this approach to provide time-sharing behavior, with each VM running a simple single-user OS (Conversational Monitor System, CMS)
- Multiple single-application VMs: dedicates a VM to each application program, using a general-purpose OS
- Multiple secure environments: the VM creates a sandbox to isolate environments and security domains
- Manage application environment: install core applications in one VM, then create per-user VMs for users to load their own apps
- Mixed-OS environments: a single hardware platform can support multiple operating system environments
- Legacy applications: dedicate VMs to legacy applications
- Multiplatform application development: one hardware platform, with VMs providing emulation of alternative hardware
- New system transition: staged or gradual migration (the opposite of legacy support)
- System software development: testing or developing new system software in a protected environment
- Operating system training: run an OS instance in a VM so parameter or configuration adjustments do not affect the rest of the system
- Help desk support: use a VM to replicate the user's environment
- Operating system instrumentation: can monitor hardware access or low-level software abstractions
- Event monitoring: execution traces, machine state dumps and replaying of traces
- System encapsulation: checkpointing system state and restarting on the same or a different machine
Hypervisor Security
Like OS security:
- Install from a private network or clean media
- Configure for automatic updates
- Disable unused services and hardware
- Restrict access to the hypervisor
- If there is remote access, do it on a separate network (e.g. VLAN, VPN, etc.)