Security Baselines and Operating System, Network and Application Hardening
Previous | Table of Contents | Next |
Intrusion Detection Systems | Cryptography Basics |
In this chapter we will look in detail at the concept of security baselines in conjunction with the steps involved in hardening operating systems, networks and applications.
Security Baselines
The process of baselining involves both configuring the IT environment to conform to consistent standard levels (such as password requirements and the disabling of non-essential services) and identifying what constitutes typical behavior on a network or computer system, so that malicious behavior can more easily be recognized later because it deviates from the established baseline.
Baselining also involves hardening the key components of the IT architecture to reduce the risk of attack. The three main areas requiring hardening are operating systems, networks and applications, each of which is covered in detail in the remainder of this chapter.
Operating System Hardening
The hardening of operating systems involves ensuring that the system is configured to limit the possibility of either internal or external attack. While the methods for hardening vary from one operating system to another, the concepts involved are largely similar regardless of whether Windows, UNIX, Linux, Mac OS X or any other system is being hardened. Some basic hardening techniques are as follows:
- Non-essential services - It is important that an operating system only be configured to run the services required to perform the tasks for which it is assigned. For example, unless a host is functioning as a web or mail server there is no need to have HTTP or SMTP services running on the system.
- Patches and Fixes - As an ongoing task, it is essential that all operating systems be updated with the latest vendor supplied patches and bug fixes (usually collectively referred to as security updates).
- Password Management - Most operating systems today provide options for the enforcement of strong passwords. Using these options ensures that users are prevented from choosing weak, easily guessed passwords. Additional levels of security include locking user accounts after repeated failed login attempts and enforcing regular password changes (note that current guidance such as NIST SP 800-63B favors screening new passwords against lists of known-breached passwords over forced periodic changes).
- Unnecessary accounts - All guest, unused and unnecessary user accounts must be disabled or removed from operating systems. It is also vital to keep track of employee turnover so that accounts can be disabled when employees leave an organization.
- File and Directory Protection - Access to files and directories must be strictly controlled through the use of Access Control Lists (ACLs) and file permissions.
- File and File System Encryption - Some file systems support encrypting files and folders. For additional protection of sensitive data, ensure that the partitions holding it are formatted with a file system type that offers encryption (NTFS, with its Encrypting File System, in the case of Windows) or protected by full-disk encryption such as BitLocker or LUKS. Keep in mind that encryption at rest protects against loss or theft of the media, not against a user or process that is already logged in with access to the files.
- Enable Logging - Ensure that the operating system is configured to log security-relevant activity (logins and failed logins, privilege use, service starts and stops), errors and warnings, and forward the logs to a separate log server so that an attacker who compromises the host cannot simply erase the evidence.
- File Sharing - Disable any unnecessary file sharing.
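The items above only pay off if drift from the agreed configuration is actually detected. The following script, added here as an example and not part of the original chapter, encodes a baseline for a web server role (allowed listening sockets, approved interactive accounts, password and lockout policy) and audits a host snapshot against it. The snapshot data is constructed; on a real host the listeners would come from `ss -lntup`, the accounts from /etc/passwd and /etc/shadow, and the policy values from the system's password and lockout settings.

```python
"""Check a host snapshot against an approved security baseline.

Added example, not from the original chapter. All snapshot data below is
constructed; the Baseline/Snapshot classes and field names are assumptions
made for this example, not the output format of any real tool.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


@dataclass
class Baseline:
    allowed_listeners: Set[Tuple[str, int]]    # (proto, port) the host role needs
    approved_accounts: Set[str]                # interactive accounts expected to exist
    min_password_length: int
    max_failed_logins: int                     # lockout threshold


@dataclass
class Snapshot:
    listeners: List[Tuple[str, int, str]]      # (proto, port, process)
    accounts: List[Tuple[str, int, str, str]]  # (name, uid, shell, password_hash)
    min_password_length: int
    max_failed_logins: int                     # 0 = lockout disabled
    logging_enabled: bool


def audit(baseline: Baseline, snap: Snapshot) -> List[str]:
    """Return one finding per deviation from the baseline (empty list = compliant)."""
    findings = []
    # Non-essential services: anything listening that the role does not need.
    for proto, port, proc in snap.listeners:
        if (proto, port) not in baseline.allowed_listeners:
            findings.append(f"non-essential service {proto}/{port} ({proc})")
    # Unnecessary or unsafe accounts: empty passwords, and interactive accounts
    # (real login shell) that nobody approved, e.g. guests or former employees.
    for name, uid, shell, pw_hash in snap.accounts:
        if pw_hash == "":
            findings.append(f"account {name} has an empty password")
        if shell not in NOLOGIN_SHELLS and name not in baseline.approved_accounts:
            findings.append(f"unapproved interactive account {name} (uid {uid})")
    # Password policy, lockout and logging.
    if snap.min_password_length < baseline.min_password_length:
        findings.append(f"minimum password length {snap.min_password_length} "
                        f"< baseline {baseline.min_password_length}")
    if snap.max_failed_logins == 0 or snap.max_failed_logins > baseline.max_failed_logins:
        findings.append("account lockout disabled or threshold too high")
    if not snap.logging_enabled:
        findings.append("system logging is disabled")
    return findings


# Constructed baseline for a public web server: SSH for admins, HTTP/HTTPS only.
WEB_BASELINE = Baseline(
    allowed_listeners={("tcp", 22), ("tcp", 80), ("tcp", 443)},
    approved_accounts={"root", "webadmin"},
    min_password_length=12,
    max_failed_logins=5,
)

# Constructed snapshot of a host that has drifted from that baseline.
DRIFTED_HOST = Snapshot(
    listeners=[
        ("tcp", 22, "sshd"),
        ("tcp", 80, "nginx"),
        ("tcp", 443, "nginx"),
        ("tcp", 25, "master"),       # mail daemon left running on a web server
        ("udp", 111, "rpcbind"),     # legacy RPC service nobody uses
    ],
    accounts=[
        ("root", 0, "/bin/bash", "$6$salt$hash"),
        ("www-data", 33, "/usr/sbin/nologin", "*"),
        ("webadmin", 1000, "/bin/bash", "$6$salt$hash"),
        ("guest", 1001, "/bin/bash", ""),               # empty password
        ("jsmith", 1002, "/bin/bash", "$6$salt$hash"),  # former employee
    ],
    min_password_length=8,
    max_failed_logins=0,
    logging_enabled=True,
)


def audit_sample() -> List[str]:
    return audit(WEB_BASELINE, DRIFTED_HOST)


if __name__ == "__main__":
    for finding in audit_sample():
        print("FINDING:", finding)
```

Run against the constructed snapshot, the audit reports seven findings: the two extra listeners, the guest account twice (empty password and unapproved), the departed employee's account, the weak length policy and the disabled lockout. Running such a check on a schedule, with the baseline kept under version control, is what turns the one-off hardening list above into an ongoing control.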
Network Hardening
Network hardening can be achieved using a number of different techniques:
- Updating Software and Hardware - An important part of network hardening involves an ongoing process of ensuring that all networking software, together with the firmware in routers, switches, firewalls and access points, is updated with the latest vendor supplied patches and fixes.
- Password Protection - Most routers and wireless access points provide a remote management interface which can be accessed over the network. It is essential that such devices are protected with strong passwords, that vendor default credentials are changed before deployment, and that the management interface is reachable only from a dedicated management network rather than from the internet.
- Unnecessary Protocols and Services - All unnecessary protocols and services must be disabled and, ideally, removed from any hosts on the network. For example, in a pure TCP/IP network environment it makes no sense to have AppleTalk protocols installed on any systems.
- Ports - A hardened network should have any unneeded ports blocked by a firewall and associated services disabled on any hosts within the network. For example, a network in which none of the hosts acts as a web server does not need to allow traffic for port 80 to pass through the firewall.
- Wireless Security - Wireless networks must be configured to the highest available security level. WEP, even with 128-bit keys, is cryptographically broken and can be cracked in minutes with freely available tools, so access points that support nothing better should be replaced rather than relied upon. Newer access points should implement WPA2 (or WPA3 where available) with a strong pre-shared key or, preferably, enterprise (802.1X) authentication.
- Restricted Network Access - A variety of steps should be taken to prevent unauthorized access to internal networks. The first line of defense should be a firewall between the network and the internet. Other options include the use of Network Address Translation (NAT), which hides internal addressing but is not a substitute for a firewall, and access control lists (ACLs). Authorized remote access should be provided through secure tunnels and virtual private networks rather than by exposing internal services directly.
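The port-blocking and access-control points above come down to an ordered rule set evaluated first-match with an implicit deny at the end. The following script, added here as an example and not part of the original chapter, models such an inbound rule set for a small DMZ, evaluates constructed packets against it, and lints the rules for the classic mistake of exposing an administrative port to the whole internet. The Rule class, the rule set and the packets are constructed for this example; real firewalls (iptables/nftables, router ACLs) express the same logic in their own syntax.

```python
"""First-match packet filter with a default deny, plus a rule-set lint.

Added example, not from the original chapter. Rule set, packets and the
ADMIN_PORTS list are constructed assumptions for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ADMIN_PORTS = {22, 23, 3389, 161, 5900}   # should never be reachable from anywhere


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network in CIDR notation
    dport: Optional[int]   # destination port, None = any port
    comment: str = ""


def evaluate(rules: List[Rule], proto: str, src_ip: str, dport: int) -> Tuple[str, str]:
    """Return (action, comment) of the first matching rule; deny if none matches."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.proto != "any" and r.proto != proto:
            continue
        if ip not in ipaddress.ip_network(r.src):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.comment
    return "deny", "implicit default deny"


def lint(rules: List[Rule]) -> List[str]:
    """Flag allow rules that expose administrative ports to any source address."""
    findings = []
    for r in rules:
        wide_open = ipaddress.ip_network(r.src).prefixlen == 0
        if r.action == "allow" and wide_open and r.dport in ADMIN_PORTS:
            findings.append(f"{r.proto}/{r.dport} allowed from anywhere ({r.comment})")
    return findings


# Constructed inbound rule set for a DMZ hosting a web server and a DNS server.
# Order matters: specific allows first, everything else hits the implicit deny.
INBOUND = [
    Rule("allow", "tcp", "0.0.0.0/0", 80, "HTTP (redirects to HTTPS)"),
    Rule("allow", "tcp", "0.0.0.0/0", 443, "HTTPS"),
    Rule("allow", "udp", "0.0.0.0/0", 53, "DNS queries"),
    Rule("allow", "tcp", "198.51.100.2/32", 53, "zone transfers from our secondary only"),
    Rule("allow", "tcp", "10.0.0.0/24", 22, "SSH from the management VPN subnet"),
]


def evaluate_sample() -> Dict[str, str]:
    """Verdict for each constructed packet as (proto, source IP, destination port)."""
    packets = {
        "public https": ("tcp", "203.0.113.5", 443),
        "public ssh": ("tcp", "203.0.113.5", 22),
        "mgmt ssh": ("tcp", "10.0.0.7", 22),
        "secondary axfr": ("tcp", "198.51.100.2", 53),
        "stranger axfr": ("tcp", "203.0.113.5", 53),
        "public dns query": ("udp", "203.0.113.5", 53),
        "public 8080": ("tcp", "203.0.113.5", 8080),
    }
    return {name: evaluate(INBOUND, *pkt)[0] for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_sample().items():
        print(f"{name:18} -> {verdict}")
    print("lint:", lint(INBOUND) or "no issues")
    print("lint:", lint([Rule("allow", "tcp", "0.0.0.0/0", 22, "ssh from anywhere")]))
```

The DNS rules show the pattern the chapter returns to later: queries over UDP/53 are public, but TCP/53 (used for zone transfers) is allowed only from the one known secondary, so the "stranger axfr" packet is denied without any explicit deny rule. The lint is deliberately narrow; a real review would also check for overlapping or shadowed rules and for rules with no comment or owner.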
Application Hardening
All applications and services installed on network based host systems must be included in the security hardening process to ensure that they do not provide a weak link in the security defenses. A number of common operating system based services are installed by default and need to be reviewed.
Web Servers
Probably the most common service found on the internet today, web servers are responsible for serving web pages to web browsers.
For non-public sites, authentication must be enforced, and sites intended only for internal users should be deployed on an intranet so that external access is prevented by a firewall. For secure web based transactions, Transport Layer Security (TLS, the successor to the now-deprecated Secure Sockets Layer, SSL) should be implemented.
Web server logs should be reviewed routinely for suspicious activity. Requests for unusual URLs (paths the site does not serve, directory traversal sequences, encoded attack strings) often indicate an attempt to exploit known flaws in outdated or unpatched web server software or applications, and a client generating a long run of 404 responses is usually a scanner guessing at such URLs.
As with all software, steps should be taken to ensure that web servers are updated with the latest vendor supplied patches.
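Log review as described above is easy to automate. The following script, added here as an example and not part of the original chapter, parses access log lines in the Apache/nginx "combined" format, flags individual requests that carry attack markers or probe for software the site does not run, and identifies clients whose responses are mostly 404s. The log lines are constructed, and PROBE_PATHS is a site-specific list assumed for a hypothetical static site; both lists would be tuned to the real site.

```python
"""Scan web server access logs for exploitation probes and scanners.

Added example, not from the original chapter. SAMPLE_LOG is constructed;
ATTACK_MARKERS and PROBE_PATHS are assumptions for a hypothetical static site.
"""
import re
from collections import Counter
from typing import List, Optional, Set, Tuple
from urllib.parse import unquote

# Apache/nginx combined format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Substrings that have no business in a request to this site. Checked after one
# round of URL-decoding so that %2e%2e%2f and ../ are treated alike.
ATTACK_MARKERS = ("../", "..\\", "\x00", "/etc/passwd", "<script", "' or ", "union select")
# Paths scanners probe for software this site does not run.
PROBE_PATHS = ("/wp-login.php", "/phpmyadmin", "/.env", "/cgi-bin/", "/xmlrpc.php")

MIN_404S = 4          # a client needs at least this many 404s ...
MIN_404_RATIO = 0.5   # ... and mostly 404s, before we call it a scanner


def parse(line: str) -> Optional[Tuple[str, str, str, int]]:
    """Return (ip, method, path, status) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    return ip, method, path, int(status)


def classify(method: str, path: str) -> Optional[str]:
    """Reason a single request looks hostile, or None if it looks ordinary."""
    decoded = unquote(path).lower()
    for marker in ATTACK_MARKERS:
        if marker in decoded:
            return f"attack marker {marker!r}"
    if any(decoded.startswith(p) for p in PROBE_PATHS):
        return "probe for unserved path"
    if method == "TRACE":
        return "TRACE method"
    return None


def suspicious_requests(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(ip, raw_path, reason) for every request that classify() objects to."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, method, path, _ = rec
        reason = classify(method, path)
        if reason:
            hits.append((ip, path, reason))
    return hits


def scanner_ips(lines: List[str]) -> Set[str]:
    """Clients whose responses are mostly 404: they are guessing at URLs."""
    total, not_found = Counter(), Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, _, _, status = rec
        total[ip] += 1
        if status == 404:
            not_found[ip] += 1
    return {ip for ip in total
            if not_found[ip] >= MIN_404S and not_found[ip] / total[ip] >= MIN_404_RATIO}


# Constructed sample: one ordinary visitor (203.0.113.9) and one scanner (198.51.100.77).
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /about.html HTTP/1.1" 200 1811 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.77 - - [10/Oct/2023:14:02:01 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '198.51.100.77 - - [10/Oct/2023:14:02:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '198.51.100.77 - - [10/Oct/2023:14:02:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '198.51.100.77 - - [10/Oct/2023:14:02:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '198.51.100.77 - - [10/Oct/2023:14:02:03 +0000] "GET /images/..%2f..%2fetc/passwd HTTP/1.1" 400 226 "-" "python-requests/2.31"',
    '198.51.100.77 - - [10/Oct/2023:14:02:03 +0000] "GET /index.php?id=1%27%20OR%201%3D1 HTTP/1.1" 404 196 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for ip, path, reason in suspicious_requests(SAMPLE_LOG):
        print(f"{ip:15} {reason:28} {path}")
    print("scanners:", scanner_ips(SAMPLE_LOG))
```

On the constructed log the visitor's single missing favicon is ignored, while the scanner's six requests are each flagged and the client itself is reported. Decoding only once is deliberate: double-decoding would hide double-encoded payloads that the server itself would reject, and the goal here is to match what the server saw. In production such findings should feed the intrusion detection process described in the previous chapter rather than sit in a report.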
Email Servers
The primary steps involved in securing mail servers are to ensure that any unneeded configuration options of the mail server software are disabled and that all the latest vendor supplied updates are applied. Relay prevention must be configured so that the server does not act as an open relay for spam, and SMTP authentication must be required so that only authorized users are able to send and receive email messages.
FTP Servers
The purpose of the File Transfer Protocol (FTP) is to allow files to be downloaded from and uploaded to remote servers. Access can be in the form of anonymous FTP and authenticated FTP. Anonymous FTP accounts should be used with caution, restricted to read-only access to a dedicated directory, and monitored regularly. In the case of authenticated FTP it is essential that a secure variant, either SFTP (file transfer over SSH) or FTPS (FTP over TLS), be used so that login and password credentials and the transferred files are encrypted rather than transmitted in plain text.
DNS Servers
Domain Name System (DNS) servers provide the translation of human friendly names for network destinations (such as the host name in a web site URL) to the IP addresses understood by routers and other network devices. Steps should be taken to ensure DNS software is updated regularly and that zone transfers are restricted to known secondary servers (and, where supported, authenticated with TSIG keys) to prevent unauthorized zone transfers, which would hand an attacker a complete map of the domain. For a server that does not need to be reachable from outside, access may be prevented by blocking port 53 (both UDP and TCP) at the firewall; otherwise it should be restricted by limiting access to the DNS server to one or more specified external systems.