1 / 28

CIT 470: Advanced Network and System Administration

CIT 470: Advanced Network and System Administration. Access Control. Access Control. Limiting access to Files Networks Hosts Services Center of gravity of computer security Why do we authenticate users? What security features do OSes provide? What’s the purpose of cryptography?.

zada
Download Presentation

CIT 470: Advanced Network and System Administration

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CIT 470: Advanced Network and System Administration Access Control CIT 470: Advanced Network and System Administration

  2. Access Control Limiting access to Files Networks Hosts Services Center of gravity of computer security Why do we authenticate users? What security features do OSes provide? What’s the purpose of cryptography? CIT 470: Advanced Network and System Administration

  3. Access Control is Pervasive • Application Complex, custom security policy. Ex: Amazon account: wish list, reviews, CC • Middleware Database, system libraries, 3rd party software Ex: Credit card authorization center • Operating System File ACLs, IPC • Hardware Memory management, hardware device access. CIT 470: Advanced Network and System Administration

  4. Objects O = { o1,…,om } All protected entities. Files, hosts, ports, etc. Subjects S = { s1,…,sn } Active entities, S  O Users, processes, hosts. Rights R = { r1,…,rk } Entries A[si, oj] R A[si, oj] = { rx, …, ry } means subject si has rights rx, …, ry over object oj objects o1 … oms1 … sn s1 s2 … sn subjects Access Control Matrix CIT 470: Advanced Network and System Administration

  5. UNIX Access Control Model OS checks EUID + EGID on object access. Usually: EUID=UID, EGID=GID. setuid/setgid programs run with different EUID/EGID, allowing you privileged access Setuid programs run with EUID of file owner. ex: crontab, login, lp, passwd, su Target for attackers wanting elevated privilege. CIT 470: Advanced Network and System Administration

  6. UNIX File Permissions Three sets of permissions: User owner Group owner Other (everyone else) Three permissions per group read write Execute UID 0 can access regardless of permissions. Files: directories, devices (disks, printers), IPC CIT 470: Advanced Network and System Administration

  7. UNIX File Permissions Best-match policy OS applies permission set that most closely matches. You can be denied access by best match even if you match another set. Directories read = listing of directory execute = traversal of directory write = add or remove files from directory CIT 470: Advanced Network and System Administration

  8. Special File Permissions Each object has set of special permission bits sticky On a directory, means users can only delete files that they own (ls shows sticky bit with a t instead of x). setuid Execute program with EUID = owner’s UID setgid Execute program with EGID = owner’s GID On directories, causes default group owner to be that of directory owner’s GID. CIT 470: Advanced Network and System Administration

  9. Permission set specifiers u = user g = group o = other Permissions r = read w = write x = execute # remove other access chmod o-rwx *.c # add group r/w access chmod g+rw *.c # allow only you access chmod u=rwx * Changing Permissions: chmod CIT 470: Advanced Network and System Administration

  10. Octal Permission Notation Each permissionset (u,g,o) is an octal digit. Each permission (r,w,x) is one bit of that digit. ex: chmod 0644 file u: rw, g: r, o: r ex: chmod 0711 bin u: rwx, g: x, o: x CIT 470: Advanced Network and System Administration

  11. Changing Ownership newgrp Group owner of files is your default group. Changes default group to another group to which you belong. chgrp Changes group owner of existing file. chmod Changes owner of existing file. Only root can use this command. CIT 470: Advanced Network and System Administration

  12. Default Permissions: umask Determines access permissions given to newly created files Three-digit octal number Programs default to 0666 Umask modifies to: 0666 & ~umask ex: umask=022 => file has mode 0644 ex: umask=066 => file has mode 0600 CIT 470: Advanced Network and System Administration

  13. Limitations of Classic ACLs ACL control list only contains 3 entries Limited to one user. Limited to one group. Root (UID 0) can do anything. CIT 470: Advanced Network and System Administration

  14. POSIX Extended ACLs Supported by most UNIX/Linux systems. Slight syntax differences may exist. getfacl setfacl chmod 600 file setfacl -m user:jsmit:r-- file File unreadable by other, but ACL allows jsmit CIT 470: Advanced Network and System Administration

  15. Host-based Access Control /etc/hosts.allow and /etc/hosts.deny used by tcpd, sshd, xinetd, other servers Identify subjects by hostname IP address network address/mask Allow before Deny use last rule in /etc/hosts.deny to deny all CIT 470: Advanced Network and System Administration

  16. Configure Firewall Defence in Depth Use host firewall + network firewall. Failsafe Defaults Disable all access by default on each host. Enable necessary services. Protects against Insider attacks. Running vulnerable services by mistake. CIT 470: Advanced Network and System Administration

  17. iptables iptables [-t table] cmd [matches] [target] Commands: -A chain rule-spec: Append rule to chain. -D chain rule-spec: Delete a rule from chain -L chain: List all rules in chain. -F chain: Flush all rules from chain. -P chain target: Set default policy for chain. -N chain: Create a new chain. -X chain: Remove a user-defined chain. CIT 470: Advanced Network and System Administration

  18. iptables Matches -p protocol: Specify protocol to match. tcp, udp, icmp, etc. -s address/mask: Source IP address to match. -d address/mask: Dest IP address to match. --sport: Source port (TCP/UDP) to match. --dport: Dest port (TCP/UDP) to match. CIT 470: Advanced Network and System Administration

  19. iptables Extended Matches -m match: Specify match module to use. Example: limit Only accept 3 ICMP packets per hour. -m limit --limit 3/hour -p icmp -j REJECT Example: state Useful stateful packet filtering. -m state --state NEW: match only new conns -m state --state ESTABLISHED: match only established connections. CIT 470: Advanced Network and System Administration

  20. iptables Targets -j ACCEPT Accept packet. -j DROP Drop packet w/o reply. -j REJECT Drop packet with reply. -j RETURN Return from this chain to calling chain. -j LOG Log packet; chain processing continues. CIT 470: Advanced Network and System Administration

  21. Chain Targets INPUT test -p ICMP -j DROP -s 192.168.1.1 -p TCP -j test -d 192.168.1.1 -p UDP -j DROP CIT 470: Advanced Network and System Administration

  22. Creating a Packet Filter • Create a security policy for a service. ex: allow only outgoing telnet service • Specify security policy in terms of which types of packets are allowed/forbidden • Write packet filter in terms of vendor’s filtering language CIT 470: Advanced Network and System Administration

  23. Example: outgoing telnet TCP-based service Outbound packets • Destination port is 23 • Source port is random port >1023 • Outgoing connection established by first packet with no ACK flag set • Following packets will have ACK flag set Incoming packets • Source port is 23, as server runs on port 23 • Destination port is high port used for outbound packets • All incoming packets will have ACK flag set CIT 470: Advanced Network and System Administration

  24. Example: outgoing telnet • First rule allows outgoing telnet packets • Second rule allows response packets back in • Third rule denies all else, following Principle of Fail-Safe Defaults CIT 470: Advanced Network and System Administration

  25. Implementing the Filter with iptables # iptables –A INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT # iptables -A INPUT -m state --state ESTABLISHED,RELATED –m tcp –d tcp --sport 23 -j ACCEPT # iptables -A INPUT -j REJECT CIT 470: Advanced Network and System Administration

  26. Why is Access Control hard? • Objects are complex • Identifying objects of interest (subnet, host, port) • Hierarchical structure like filesystem. • Subjects are complex • Identifying subjects of interest. • What are the relationships between subjects? • Access Control states change. • Security objectives often unclear. CIT 470: Advanced Network and System Administration

  27. Key Points • Center of gravity of security; pervasive. • Access Control Matrix simplest abstraction mechanism for representing protection state. • UNIX Access Control • UIDs vs EUIDs, setuid • POSIX ACLs • Network Access Control • TCP Wrappers • iptables CIT 470: Advanced Network and System Administration

  28. References • Ross Anderson, Security Engineering, Wiley, 2001. • Michael D. Bauer, Linux Server Security, 2nd edition, O’Reilly, 2005. • Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005. • Aeleen Frisch, Essential System Administration, 3rd edition, O’Reilly, 2002. • Simson Garfinkel, Gene Spafford, and Alan Schartz, Practical UNIX and Internet Security, 3rd edition, O’Reilly & Associates, 2003. • Evi Nemeth et al, UNIX System Administration Handbook, 3rd edition, Prentice Hall, 2001. • RedHat, Red Hat Enterprise Linux 4 Reference Guide, http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/ref-guide/, 2005. • Ed Skoudis, Counter Hack Reloaded, Prentice Hall, 2006. CIT 470: Advanced Network and System Administration

More Related