Just How Effective is System Hardening?

Posted by timothy on Tue May 13, 2008 09:31 AM
from the how-large-is-your-facade dept.
SkiifGeek, pointing to our recent coverage of what the NSA went through to create SELinux, wants to know just how effective system hardening is at preventing successful attack, and writes "When Jay Beale presented at DefCon 14, he quoted statistics (PDF link) that Bastille protected against every major threat targeting Red Hat 6, before the threats were known. With simple techniques available for the everyday user which can start them on the path towards system hardening, just how effective have you found system and network hardening to be? The NSA does have some excellent guides to help harden not only your OS but also your browser and network equipment."
Related Stories

Linux: Answers About Bastille Linux From Jon & Jay (66 comments)
You asked, they answer. Jon Lasser and Jay Beale decided to kick their answers back and forth a few times in the style of Crossfire -- at least if Crossfire guests were security-obsessed, literate hackers with a knack for finding gaps in Linux and Unix security. And don't forget the book creds: Jon wrote the excellent Think Unix (want to buy it, huh?), and Jay is plugging away at (and just plain plugging) his upcoming tome from Addison-Wesley, Securing Linux the Bastille Way.
Linux: How the NSA Took Linux To the Next Level (172 comments)
An anonymous reader brings us IBM Developerworks' recent analysis of how the NSA built SELinux to withstand attacks. The article shows us some of the relevant kernel architecture and compares SELinux to a few other approaches. We've discussed SELinux in the past. Quoting: "If you have a program that responds to socket requests but doesn't need to access the file system, then that program should be able to listen on a given socket but not have access to the file system. That way, if the program is exploited in some way, its access is explicitly minimized. This type of control is called mandatory access control (MAC). Another approach to controlling access is role-based access control (RBAC). In RBAC, permissions are provided based on roles that are granted by the security system. The concept of a role differs from that of a traditional group in that a group represents one or more users. A role can represent multiple users, but it also represents the permissions that a set of users can perform. SELinux adds both MAC and RBAC to the GNU/Linux operating system."
  • Ahh yes, (Score:5, Funny)

    by abolitiontheory (1138999) on Tuesday May 13 2008, @09:37AM (#23390336)
    /. is just the place to come for advice on "system hardening."
    • Re:Ahh yes, (Score:5, Funny)

      by sm62704 (957197) on Tuesday May 13 2008, @10:13AM (#23390680) Journal
      "Trinity" from The Matrix hardened my system!

      Oh, you're talking about computer security? Never mind, then.
      • by bkr1_2k (237627) on Tuesday May 13 2008, @10:41AM (#23390974)
        The NSA doesn't really care about hardening your system, they care about their own, first and those of the other US government agencies after that. They produce these guidelines to be used by other agencies, and contractors for use on systems that the NSA will then purchase.

        As for backdoors, I don't know that they've created any code to secure the system, just produced a set of rules and guidelines that help people know what to secure and how.

      • by fuzzyfuzzyfungus (1223518) on Tuesday May 13 2008, @11:55AM (#23391776) Journal
        The NSA, and state entities in general, has an interest in increasing security, even though it sometimes makes its job less convenient. The reason is pretty simple: Insecure systems can be broken by anybody with sufficient knowledge and motivation, NSA, spammers, organized crime, foreign intelligence services, etc. Secure systems can be broken by a search warrant, only available to state entities. There are, I'm sure, a number of exceptions to this trend; but for something like computer security, the government's best interests are pretty clear.

        The rest of your post is probably trolling; but what the hell, I'll answer it anyway: SELinux added Mandatory Access Control abilities to Linux. These are very useful, and very powerful, security features and it is definitely good that Linux now has them; but it is hardly the case that any OS without them is necessarily insecure.
        As for the "handout" angle, SElinux was certainly a handout for Linux; but it was also the cheapest and most effective way for the NSA to make MAC widely available in a short period of time. The objective of the program was a handout of security from the NSA to other entities. The handout to Linux was just the easiest path to that objective.
  • Defense in Depth (Score:5, Insightful)

    by Hyppy (74366) on Tuesday May 13 2008, @09:38AM (#23390342)
    System hardening is just another layer of a "defense in depth" security posture. The more layers, the better. So, if an adversary manages to get through your site firewall, access lists, IPS, vlan segregation, virus scanner, etc, they still have to contend with a hardened local system in order to compromise data.

    System hardening is also very helpful against inside jobs, or against other systems on the network compromised through brute force or social engineering.
    • Re:Defense in Depth (Score:5, Interesting)

      by tgatliff (311583) on Tuesday May 13 2008, @09:46AM (#23390412)
      I guess it depends on the type of system you are running, and how users interact with it. Most of what I do is building appliance based servers, so my focus is more on keeping users away from the shell, and limiting the number of services (http primarily) they can use. For me, adding SELinux to the mix on something like what I have would be a lot more painful and time consuming to implement, and probably not worth the extra time...

      If you have to allow actual users to use a shell on that box, however, I would agree that a SELinux approach is critical because you cannot really determine where you will get attacked from...
      • by Hyppy (74366) on Tuesday May 13 2008, @10:12AM (#23390658)
        If you consider system hardening as more than just installing SELinux, you can see it helps secure more than just users with shell access.

        Many of the SNACs (or STIGs as I remember them being called) go into detail in such areas as setting the method for password hashing, setting policies for allowed authentication protocols, disabling authentication on time mismatches, and a plethora of other things.

        If nothing else, system hardening can be a "best practices" framework for your systems and/or network. I remember one of my systems administrators complaining to a security inspector that the system would not allow a log on if the security log was full instead of just overwriting old entries. He didn't realize that filling the security log with bogus crap could mask a real intrusion. Nobody knows absolutely everything, and not everyone has the time to sit down and understand every intricate detail. Using a system hardening approach, however, is a very good foundation to build your overall security posture.

        You say that you only allow http, but what happens when a vulnerability is found in code that you use for your http application? That's what defense in depth is all about. You may be able to knock down this wall, but there are 10 more behind it that are even bigger.
        • by jandrese (485) <kensama@vt.edu> on Tuesday May 13 2008, @10:26AM (#23390830) Homepage Journal
          On the other hand, denying logins because the security log is full is a great way to open up your box to DOS attacks, especially if you are judiciously logging everything.
          • by Hyppy (74366) on Tuesday May 13 2008, @10:31AM (#23390888)
            Weigh it depending on your needs. Prioritize, without putting any two factors on equal footing. What is more important and least important out of these three: secure data, catching an intruder who may have accessed secure data, or having regular users log on during a DOS attack?

            That's one of the biggest hurdles today in security: striking a balance and prioritizing. Everyone can say "Usability and security are both important," but it takes time and thought to come up with a detailed analysis of the priorities during an actual attack.
      • by Ryan Amos (16972) on Tuesday May 13 2008, @12:11PM (#23391940)
        SELinux is great for hardening a box. Unfortunately most sysadmins don't take the time to learn how it works and turn it off because they can't get something to work. Yes; it is a pain in the ass to deal with most of the time, but it's saved me from some big mistakes before as well.

        SELinux almost makes more sense in an appliance server; as the config is not likely to change much. Just assume the web interface is vulnerable (it probably is; if not through your code then some as-yet undiscovered vulnerability in the LAMP stack.) I'll admit, SELinux is a religion you've got to practice, but Unix filesystem permissions leave a lot to be desired (I don't like having to create a new group every time I want to set permissions on a subset of users, thanks.) There needs to be more in the 21st century, and while SELinux is not the best solution, it's a workable one.

        The goal of SELinux IMO is the realization that you will never get rid of all vulnerable code on your box. What you can do is limit the damage they can do when they get past the application layer security. Who cares if they can hack your sendmail server when it doesn't have access to read/write anything outside its config and spool directories?
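The practical counterpart to "don't turn it off because something broke", as an added example that is not from the thread, from Ryan Amos, or from the SELinux project: a small shell function that folds raw AVC denials from the audit log into "count, source domain, class, permissions, target type" lines, so an admin can see what the policy actually blocked before deciding whether to relabel a file, flip a boolean, or leave the denial in place. The audit records below are constructed to resemble denials from a confined sendmail and httpd; the field layout follows the standard AVC record, but the names, inode numbers, types and counts are invented for the example. On a live box you would pipe in `ausearch -m avc` output instead, and audit2why/audit2allow remain the reference tools.

```shell
#!/bin/sh
# Summarize SELinux AVC denials (example code, not from the thread or the SELinux project).

# summarize_avc < audit-lines -> "COUNT SRC_TYPE TCLASS PERMS TGT_TYPE", sorted.
# Only "avc: denied" records are counted; SYSCALL and other record types are ignored.
summarize_avc() {
  awk '
    /avc: +denied/ {
      perm = ""; s = ""; t = ""; c = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "{") {                       # permissions are listed between "{" and "}"
          for (j = i + 1; j <= NF && $j != "}"; j++) {
            perm = perm (perm == "" ? "" : ",") $j
          }
        } else if (index($i, "scontext=") == 1) {
          s = substr($i, 10)
        } else if (index($i, "tcontext=") == 1) {
          t = substr($i, 10)
        } else if (index($i, "tclass=") == 1) {
          c = substr($i, 8)
        }
      }
      split(s, sa, ":"); split(t, ta, ":")     # user:role:type[:level]; the type is field 3
      n[sa[3] " " c " " perm " " ta[3]]++
    }
    END { for (k in n) print n[k], k }' | sort
}

# denied_targets DOMAIN_TYPE < audit-lines -> distinct target types that DOMAIN_TYPE was denied on.
denied_targets() {
  summarize_avc | awk -v d="$1" '$2 == d { print $5 }' | sort -u
}

# --- constructed sample audit records (invented values, AVC record layout) ---
SAMPLE_AUDIT=$(cat <<'EOF'
type=AVC msg=audit(1210700000.101:41): avc:  denied  { write } for  pid=1234 comm="sendmail" name="outgoing.txt" dev=sda1 ino=5678 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1210700000.102:42): avc:  denied  { write } for  pid=1234 comm="sendmail" name="outgoing.txt" dev=sda1 ino=5678 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1210700000.103:43): avc:  denied  { read open } for  pid=1234 comm="sendmail" name="shadow" dev=sda1 ino=91 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1210700000.104:44): avc:  denied  { name_connect } for  pid=2222 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1210700000.104:44): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
EOF
)

# Demo: three distinct denials, the user_home_t write seen twice.
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc
echo "targets sendmail_t was denied on:"
printf '%s\n' "$SAMPLE_AUDIT" | denied_targets sendmail_t
```

The two sendmail rows call for different responses: a write into user_home_t is the kind of thing a legitimate deliver-to-home setup might need and would be handled with a file-context or boolean change, while a read of shadow_t by the mailer is exactly what the "who cares if they hack sendmail" argument depends on the policy refusing, so it is a reason to investigate, not to loosen. Counting per (domain, class, permission, target) rather than per raw line keeps a noisy loop from burying the one denial that matters.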
    • by Jeruvy (1045694) * on Tuesday May 13 2008, @10:14AM (#23390688)
      OS Hardening is exactly that, risk mitigation. If you know that you don't need to run certain processes or you can run them with reduced variables, not only will your systems run with less risk, they can also be more stable. Fewer updates and patching, less dealing with new variables (because someone enabled some feature that was disabled), adding new functions only after approval and ensuring they meet your requirements. So yes, I'd say OS hardening is an essential part of your good security practices.
  • Concrete (Score:5, Funny)

    by Urger (817972) on Tuesday May 13 2008, @09:41AM (#23390370) Homepage
    I found encasing the system in steel reinforced concrete made the system much harder. Similar attempts to place end users in the same situation were not as successful.
  • Easy (Score:5, Funny)

    by J3M (546439) on Tuesday May 13 2008, @09:49AM (#23390446)
    I use Ubuntu 8.04. It's hardy out of the box.
  • Very effective (Score:5, Informative)

    by hal9000(jr) (316943) on Tuesday May 13 2008, @09:50AM (#23390452)
    System and network hardening is very effective. By hardening, I mean doing things like removing unnecessary services and applications; configuring the remaining services to be as featureless as possible while still doing what you need; examining the remaining service and application configurations and making changes to reduce features and employ security measures like encryption, etc; utilizing whatever access controls are available in the strictest sense.

    That is just a start. Now you also have to monitor the activity on the host or network to detect any changes or indicators of malicious behavior.

    Hardening is easier to do with servers because servers tend to have more stable configuration requirements and less user touch. Workstations and desktops are more difficult. You can lock down a windows host very tightly using the GPO and other OS tools. You can also buy other applications to fill gaps. Financial institutions, for example, often have very tight workstations. In most other organizations however, users are used to having more control and the pain of locking down a workstation compared to the outcry IT will receive normally leads to looser standards.
  • by neokushan (932374) on Tuesday May 13 2008, @09:52AM (#23390472)
    The best kind of security is obscurity! So batten down the hatches by ditching your fancy *nix/BSD servers and get those old Amigas you have stashed in a loft somewhere up and running. Bonus points for using a C64.
  • by Facekhan (445017) on Tuesday May 13 2008, @09:52AM (#23390474)
    I've used the network equipment guides to harden routers and switches before and they are very handy.

    I can't speak to how well they withstand attacks after that, but if you follow their instructions, an nmap scan basically reveals no open services (ssh ports have their own access lists).

    I prefer the guides to tools like RAT because auditors get so out of date that you end up chasing down their rules to find out they don't even know about the last few years of security enhancements. Cisco's Output Interpreter is also good for advice on hardening your devices.
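A concrete version of the checks these comments describe (Hyppy's list of authentication-policy settings, hal9000(jr)'s removal of unnecessary services and strict configuration of what remains, and the inside-out view of what Facekhan's nmap scan confirms from outside), as an added example that is not from the thread, from Bastille, from the NSA guides or from any STIG: two POSIX shell functions, one that audits an sshd_config for settings that widen the attack surface and one that compares listening sockets against an allowlist. The sshd_config contents and the ss-style socket listing are constructed for the example; the directive list and the values treated as weak are this editor's choices, not a published benchmark.

```shell
#!/bin/sh
# Hardening checks over constructed input (example code, not from the thread or any guide).

# sshd honours the FIRST uncommented occurrence of a directive; later duplicates are ignored.
# Assumption: a flat config with no Match blocks.
sshd_setting() {  # sshd_setting FILE DIRECTIVE -> effective value, empty if unset
  awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# sshd_check FILE DIRECTIVE WEAK_REGEX: print a finding when the value matches
# WEAK_REGEX, or when the directive is absent (older sshd defaults are permissive).
sshd_check() {
  v=$(sshd_setting "$1" "$2")
  if [ -z "$v" ]; then
    echo "$2: not set (relying on the default)"
  elif printf '%s' "$v" | grep -Eqi "$3"; then
    echo "$2: $v"
  fi
}

# audit_sshd_config FILE -> one line per finding, no output when clean
audit_sshd_config() {
  sshd_check "$1" Protocol '(^|,)1(,|$)'          # protocol 1 is the classic "turn it off" item
  sshd_check "$1" PermitRootLogin '^yes$'
  sshd_check "$1" PasswordAuthentication '^yes$'  # keys only removes the brute-force surface
  sshd_check "$1" PermitEmptyPasswords '^yes$'
  sshd_check "$1" X11Forwarding '^yes$'
}

# unexpected_listeners "PORT PORT ..." < ss-output -> listening ports not on the allowlist.
# Assumed input layout: `ss -Hltn` columns (State Recv-Q Send-Q Local:Port Peer:Port).
unexpected_listeners() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    { p = $4; sub(/.*:/, "", p)                   # port follows the last colon (IPv6 too)
      if (!(p in ok) && !(p in seen)) { seen[p] = 1; print p } }'
}

# --- constructed sample input ---
WEAK_SSHD=$(cat <<'EOF'
# constructed sshd_config, deliberately loose
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
EOF
)
HARDENED_SSHD=$(cat <<'EOF'
# constructed sshd_config after hardening
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
AllowUsers deploy
EOF
)
SAMPLE_LISTENERS=$(cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 *:111 *:*
LISTEN 0 128 [::]:22 [::]:*
EOF
)

# Demo: write the sample configs to a temp file and run the checks.
tmp=$(mktemp)
printf '%s\n' "$WEAK_SSHD" > "$tmp"
echo "== weak sshd_config ==";     audit_sshd_config "$tmp"        # four findings
printf '%s\n' "$HARDENED_SSHD" > "$tmp"
echo "== hardened sshd_config =="; audit_sshd_config "$tmp"        # no findings
rm -f "$tmp"
echo "== listeners not in allowlist (22 80) =="
printf '%s\n' "$SAMPLE_LISTENERS" | unexpected_listeners "22 80"   # 25 and 111
```

Reporting an absent directive as a finding is deliberate: a hardening guide's value is in making the policy explicit, so "not set" is a gap even when the current default happens to be safe. The listener check is what you run on the box after the service pruning; the external nmap scan Facekhan describes is the confirmation that the host and the network ACLs agree.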
  • by richg74 (650636) on Tuesday May 13 2008, @10:15AM (#23390692) Homepage
    There is an often-repeated old story that is pertinent here:

    Two guys are out on a hike in the forest. They go around the corner of a rock outcropping, and are confronted with a grizzly bear, not far away, who immediately springs toward them. The first guy starts running away. The second yells after him, "You damned fool, you can't outrun a grizzly bear!" The first says, over his shoulder, "I know -- but I can outrun you."

    Your house doesn't have to be impossible to break into; it helps quite a bit if it's just harder than your neighbor's.

    • by Hyppy (74366) on Tuesday May 13 2008, @09:42AM (#23390378)
      The DISA gold disk breaks Windows just as bad, believe me. The 100% Gold Disk Standard(tm) is only necessary for the highest security systems, which usually run software designed with gold disk hardening in mind in the first place.
      • by jandrese (485) <kensama@vt.edu> on Tuesday May 13 2008, @10:30AM (#23390870) Homepage Journal
        Where did you find a Windows Gold Disk that doesn't make a complete mess of the OS? I'd really like to get that because I've never gone through that process and still had the application the box is designed for work. In fact it's typically worse with Windows because when something gets a permission denied (especially on something like a Registry key), it won't be like Unix and spit out a message like "Error: File /foo/bar: Permission denied", instead your application will crash and spit out a message like "Error: failure" to the system log (and only if you're lucky will it put something in the system error log). Since locking down windows means changing the ACL on just about everything on the system, it's almost impossible to track down what broke your application.
    • Re:Is it just me? (Score:5, Insightful)

      by been42 (160065) on Tuesday May 13 2008, @10:40AM (#23390956) Homepage
      Am I the only one that is a bit skeptical of downloading .msi packages from nsa.gov?

      I'm not wary at all. Any access they might want into your Windows system was probably built in. I imagine they already have that kind of access to every Windows computer. Anything they can give you to help keep your Windows machine from turning into part of a North Korean botnet can only benefit both you and the government.