Just How Effective is System Hardening? (154 comments)

Posted by timothy on Tuesday May 13 2008, @08:31AM, from the how-large-is-your-facade dept. (section: security)
SkiifGeek, pointing to our recent coverage of what the NSA went through to create SELinux, wants to know just how effective system hardening is at preventing successful attack, and writes "When Jay Beale presented at DefCon 14, he quoted statistics (PDF link) that Bastille protected against every major threat targeting Red Hat 6, before the threats were known. With simple techniques available for the everyday user which can start them on the path towards system hardening, just how effective have you found system and network hardening to be? The NSA does have some excellent guides to help harden not only your OS but also your browser and network equipment."
  • Ahh yes, (Score:5, Funny)

    by abolitiontheory (1138999) on Tuesday May 13 2008, @08:37AM (#23390336)
    /. is just the place to come for advice on "system hardening."
    • Re:Ahh yes, (Score:5, Funny)

      by sm62704 (957197) on Tuesday May 13 2008, @09:13AM (#23390680) Journal
      "Trinity" from The Matrix hardened my system!

      Oh, you're talking about computer security? Never mind, then.
      • by bkr1_2k (237627) on Tuesday May 13 2008, @09:41AM (#23390974)
        The NSA doesn't really care about hardening your system, they care about their own, first and those of the other US government agencies after that. They produce these guidelines to be used by other agencies, and contractors for use on systems that the NSA will then purchase.

        As for backdoors, I don't know that they've created any code to secure the system, just produced a set of rules and guidelines that help people know what to secure and how.

      • by fuzzyfuzzyfungus (1223518) on Tuesday May 13 2008, @10:55AM (#23391776) Journal
        The NSA, and state entities in general, has an interest in increasing security, even though it sometimes makes its job less convenient. The reason is pretty simple: Insecure systems can be broken by anybody with sufficient knowledge and motivation, NSA, spammers, organized crime, foreign intelligence services, etc. Secure systems can be broken by a search warrant, only available to state entities. There are, I'm sure, a number of exceptions to this trend; but for something like computer security, the government's best interests are pretty clear.

        The rest of your post is probably trolling; but what the hell, I'll answer it anyway: SELinux added Mandatory Access Control abilities to Linux. These are very useful, and very powerful, security features and it is definitely good that Linux now has them; but it is hardly the case that any OS without them is necessarily insecure.
        As for the "handout" angle, SELinux was certainly a handout for Linux; but it was also the cheapest and most effective way for the NSA to make MAC widely available in a short period of time. The objective of the program was a handout of security from the NSA to other entities. The handout to Linux was just the easiest path to that objective.
      • Hardening has been around for years
        SELinux
        RSBAC
        PaX
        Grsecurity
        Bastille
        apparmor

        are not new, it's just that they are finally getting into the mainstream distros. If you wanted a secure Linux system you could have had one 5/10 years ago, it's just that you had to actually do it yourself.
  • Defense in Depth (Score:5, Insightful)

    by Hyppy (74366) on Tuesday May 13 2008, @08:38AM (#23390342)
    System hardening is just another layer of a "defense in depth" security posture. The more layers, the better. So, if an adversary manages to get through your site firewall, access lists, IPS, vlan segregation, virus scanner, etc, they still have to contend with a hardened local system in order to compromise data.

    System hardening is also very helpful against inside jobs, or against other systems on the network compromised through brute force or social engineering.
    • Re:Defense in Depth (Score:5, Interesting)

      by tgatliff (311583) on Tuesday May 13 2008, @08:46AM (#23390412)
      I guess it depends on the type of system you are running, and how users interact with it. Most of what I do is building appliance based servers, so my focus is more on keeping users away from the shell, and limiting the number of services (http primarily) they can use. For me, adding SELinux to the mix on something like what I have would be a lot more painful and time consuming to implement, and probably not worth the extra time...

      If you have to allow actual users to use a shell on that box, however, I would agree that a SELinux approach is critical because you cannot really determine where you will get attacked from...
      • by Hyppy (74366) on Tuesday May 13 2008, @09:12AM (#23390658)
        If you consider system hardening as more than just installing SELinux, you can see it helps secure more than just users with shell access.

        Many of the SNACs (or STIGs as I remember them being called) go into detail in such areas as setting the method for password hashing, setting policies for allowed authentication protocols, disabling authentication on time mismatches, and a plethora of other things.

        If nothing else, system hardening can be a "best practices" framework for your systems and/or network. I remember one of my systems administrators complaining to a security inspector that the system would not allow a log on if the security log was full instead of just overwriting old entries. He didn't realize that filling the security log with bogus crap could mask a real intrusion. Nobody knows absolutely everything, and not everyone has the time to sit down and understand every intricate detail. Using a system hardening approach, however, is a very good foundation to build your overall security posture.

        You say that you only allow http, but what happens when a vulnerability is found in code that you use for your http application? That's what defense in depth is all about. You may be able to knock down this wall, but there are 10 more behind it that are even bigger.
        • by jandrese (485) <kensama@vt.edu> on Tuesday May 13 2008, @09:26AM (#23390830) Homepage Journal
          On the other hand, denying logins because the security log is full is a great way to open up your box to DoS attacks, especially if you are judiciously logging everything.
          • by Hyppy (74366) on Tuesday May 13 2008, @09:31AM (#23390888)
            Weigh it depending on your needs. Prioritize, without putting any two factors on equal footing. What is more important and least important out of these three: secure data, catching an intruder who may have accessed secure data, or having regular users log on during a DoS attack?

            That's one of the biggest hurdles today in security: striking a balance and prioritizing. Everyone can say "Usability and security are both important," but it takes time and thought to come up with a detailed analysis of the priorities during an actual attack.
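The "no logon when the security log is full" behaviour in the subthread above is the fail-closed end of the tradeoff raised in the replies (a flood of bogus events becomes a denial of service). On Windows that behaviour comes from the policy "Audit: Shut down system immediately if unable to log security audits" (the CrashOnAuditFail value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa); on Linux the same decision is made in auditd.conf. What follows is an added example, not code posted in the thread: a shell function that reads an auditd.conf and reports whether the host fails closed (halt, single) or fails open (suspend, rotate, ignore) when it can no longer write audit records, run over a constructed copy of the shipped defaults and a constructed hardened version. The key names and action values are real auditd.conf settings; the two configs and the "warn"/"fail-open"/"fail-closed" labels are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): classify auditd's "cannot write the
# audit log" actions. Keys and action names are real auditd.conf settings;
# the two sample configs below are constructed.

# usage: audit_fill_policy < /etc/audit/auditd.conf
# Prints "<key> <action> <verdict>" for the three relevant keys and exits 1
# if any of them fails open (the host keeps accepting work it cannot audit).
audit_fill_policy() {
    awk -F '=' '
        {
            sub(/#.*/, ""); gsub(/[ \t]/, "")   # drop comments and whitespace
            if ($0 == "") next
            key = tolower($1); val = tolower($2)
            if (key ~ /^(space_left_action|admin_space_left_action|disk_full_action)$/) seen[key] = val
        }
        END {
            n = split("space_left_action admin_space_left_action disk_full_action", keys, " ")
            for (i = 1; i <= n; i++) {
                k = keys[i]
                v = (k in seen) ? seen[k] : "(unset)"
                if (v == "halt" || v == "single") {
                    verdict = "fail-closed"      # stop taking work until someone looks
                } else if (k == "space_left_action" && v ~ /^(email|syslog|exec)$/) {
                    verdict = "warn"             # early warning is the right thing here
                } else {
                    verdict = "fail-open"        # suspend/rotate/ignore: events get lost
                    bad = 1
                }
                print k, v, verdict
            }
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample: the defaults most distributions ship.
DEFAULT_CONF='log_file = /var/log/audit/audit.log
max_log_file = 8
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND'

# Constructed sample: hardened. Keep space_left as a real early warning and
# size the audit partition properly, or the halt is a self-inflicted DoS.
HARDENED_CONF='log_file = /var/log/audit/audit.log
space_left = 25
space_left_action = EMAIL
action_mail_acct = root
admin_space_left = 10
admin_space_left_action = SINGLE
disk_full_action = HALT
disk_error_action = HALT'

echo "== default =="
printf '%s\n' "$DEFAULT_CONF" | audit_fill_policy || echo "verdict: fails open"
echo "== hardened =="
printf '%s\n' "$HARDENED_CONF" | audit_fill_policy && echo "verdict: fails closed"
```

The point of the split across three keys is the prioritisation the subthread asks for: space_left_action is where you want the page or e-mail, admin_space_left_action and disk_full_action are where you decide whether an unauditable host keeps serving. Choosing halt answers "catching the intruder beats availability"; leaving the defaults answers the opposite, and it should be a deliberate answer rather than the shipped one.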
      • by Ryan Amos (16972) on Tuesday May 13 2008, @11:11AM (#23391940)
        SELinux is great for hardening a box. Unfortunately most sysadmins don't take the time to learn how it works and turn it off because they can't get something to work. Yes; it is a pain in the ass to deal with most of the time, but it's saved me from some big mistakes before as well.

        SELinux almost makes more sense in an appliance server; as the config is not likely to change much. Just assume the web interface is vulnerable (it probably is; if not through your code then some as-yet undiscovered vulnerability in the LAMP stack.) I'll admit, SELinux is a religion you've got to practice, but Unix filesystem permissions leave a lot to be desired (I don't like having to create a new group every time I want to set permissions on a subset of users, thanks.) There needs to be more in the 21st century, and while SELinux is not the best solution, it's a workable one.

        The goal of SELinux IMO is the realization that you will never get rid of all vulnerable code on your box. What you can do is limit the damage they can do when they get past the application layer security. Who cares if they can hack your sendmail server when it doesn't have access to read/write anything outside its config and spool directories?
          • Re: (Score:3, Interesting)

            I'd go one step further, and state that SELinux *can* be the enemy of defense-in-depth. To begin with, SELinux has been sufficiently difficult to get running properly that a common response is to just shut it off. So if you want defense-in-depth, and the other forms of defense are those that haven't been pre-configured into SELinux, you're essentially discouraged from using them. (If you think it's hard picking SELinux up off the shelf and using it, then try some fairly deep modifications to existing pol
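The confinement argument two posts up (who cares if sendmail is hacked when it cannot read or write outside its spool and config) only holds for daemons that actually run in a confined domain; the usual failure is a locally added service that ends up in an unconfined one, which is exactly what an admin who "just shut it off" never notices. Added example, not code from the thread: a shell function that reads `ps -eZ` output and lists processes whose SELinux type is unconfined. The sample `ps -eZ` output is constructed, and treating `unconfined_t`, `unconfined_service_t` and `initrc_t` as "not confined" is an assumption based on the targeted policy.

```shell
#!/bin/sh
# Added example (not from the thread): list processes that are NOT in a
# confined SELinux domain, from `ps -eZ` output. Which types count as
# unconfined is an assumption based on the targeted policy.

# usage: ps -eZ | unconfined_procs
# Prints "PID COMM TYPE" per unconfined process; exits 1 if any were found.
unconfined_procs() {
    awk '
        NR == 1 { next }                 # header line
        $1 == "-" { next }               # no label: SELinux not active for this process
        {
            split($1, ctx, ":")          # user:role:type:level (level may itself contain colons)
            type = ctx[3]
            if (type == "unconfined_t" || type == "unconfined_service_t" || type == "initrc_t") {
                found = 1
                print $2, $NF, type
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample of `ps -eZ` on a targeted-policy host: sshd and httpd
# are confined, a home-grown service started from a generic unit file is
# not, and the admin shell is (as expected) unconfined.
SAMPLE_PS='LABEL                                           PID TTY          TIME CMD
system_u:system_r:init_t:s0                         1 ?        00:00:01 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023           890 ?        00:00:00 sshd
system_u:system_r:httpd_t:s0                     1044 ?        00:00:02 httpd
system_u:system_r:unconfined_service_t:s0        1203 ?        00:00:00 custom-api
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2310 pts/0 00:00:00 bash'

printf '%s\n' "$SAMPLE_PS" | unconfined_procs || echo "some services are not confined"
```

Run it against the live `ps -eZ` after `getenforce` reports Enforcing; an interactive shell in `unconfined_t` is normal, a network-facing daemon in `unconfined_service_t` means SELinux is contributing nothing for that service and it needs a policy module (or a packaged one that was never installed). When something breaks after turning enforcement back on, `ausearch -m avc -ts recent` shows the denial rather than guessing.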
    • by Jeruvy (1045694) * on Tuesday May 13 2008, @09:14AM (#23390688)
      OS Hardening is exactly that, risk mitigation. If you know that you don't need to run certain processes, or you can run them with reduced variables, not only will your systems run with less risk, they can also be more stable. Fewer updates and patches, less dealing with new variables (because someone enabled some feature that was disabled), adding new functions only after approval and ensuring they meet your requirements. So yes, I'd say OS hardening is an essential part of your good security practices.
      • Re: (Score:3, Insightful)

        Your analogy makes no sense. So, you should just buy a firewall, and that's it? Or should you only have antivirus software, and that's it? Should you keep your admin password blank, because of the previously mentioned firewall? What is the one-stop answer to keep my network secure?

        There is no one-stop panacea for security. Anyone who says otherwise is either a snake-oil salesman, or a massive liability to any company that hires them.
  • Concrete (Score:5, Funny)

    by Urger (817972) on Tuesday May 13 2008, @08:41AM (#23390370) Homepage
    I found encasing the system in steel reinforced concrete made the system much harder. Similar attempts to place end users in the same situation were not as successful.
  • Easy (Score:5, Funny)

    by J3M (546439) on Tuesday May 13 2008, @08:49AM (#23390446)
    I use Ubuntu 8.04. It's hardy out of the box.
  • Is it just me? (Score:4, Insightful)

    by Layer 3 Ninja (862455) on Tuesday May 13 2008, @08:49AM (#23390448) Journal
    Am I the only one that is a bit skeptical of downloading .msi packages from nsa.gov?
    • Re:Is it just me? (Score:5, Insightful)

      by been42 (160065) on Tuesday May 13 2008, @09:40AM (#23390956) Homepage
      Am I the only one that is a bit skeptical of downloading .msi packages from nsa.gov?

      I'm not wary at all. Any access they might want into your Windows system was probably built in. I imagine they already have that kind of access to every Windows computer. Anything they can give you to help keep your Windows machine from turning into part of a North Korean botnet can only benefit both you and the government.

    • Am I the only one that is a bit skeptical of downloading .msi packages from nsa.gov?

      Probably. What risk does it introduce, which you didn't already have?

      .msi packages are only used by one OS. If you're using that OS, then you have already made the decision to blindly and fully trust a party who is utterly unaccountable to you, whose work cannot be audited by you or anyone you designate, and who has already demonstrated that they create their software to serve interests that directly conflict with your

  • Very effective (Score:5, Informative)

    by hal9000(jr) (316943) on Tuesday May 13 2008, @08:50AM (#23390452)
    System and network hardening is very effective. By hardening, I mean doing things like removing unnecessary services and applications; configuring the remaining services to be as featureless as possible while still doing what you need; examining the remaining service and application configurations and making changes to reduce features and employ security measures like encryption, etc; utilizing whatever access controls are available in the strictest sense.

    That is just a start. Now you also have to monitor the activity on the host or network to detect any changes or indicators of malicious behavior.

    Hardening is easier to do with servers because servers tend to have more stable configuration requirements and less user touch. Workstations and desktops are more difficult. You can lock down a windows host very tightly using the GPO and other OS tools. You can also buy other applications to fill gaps. Financial institutions, for example, often have very tight workstations. In most other organizations however, users are used to having more control and the pain of locking down a workstation compared to the outcry IT will receive normally leads to looser standards.
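The first step in the post above (remove what you do not need) is only checkable if "what the box is supposed to serve" is written down somewhere and compared with what is actually listening. Added example, not code from the thread: a shell function that reads `ss -Hltn` output and prints every TCP listener not on an allowlist, marking the ones bound to all interfaces. The `ss` output is a constructed sample, and the allowlist format ("addr:port", with "*" as the address meaning any bind address) is this example's own convention rather than anything `ss` or a hardening guide defines.

```shell
#!/bin/sh
# Added example (not from the thread): compare what is actually listening
# with what the host is supposed to serve. Input is `ss -Hltn` output
# (constructed sample below). The "addr:port" allowlist format, with "*"
# as the address meaning any bind address, is this example's own convention.

# usage: ss -Hltn | unexpected_listeners "$ALLOWLIST"
# Prints "<local socket> <exposure>" for each listener not on the allowlist;
# exits 1 if any were found.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN {
            n = split(allow, lines, "\n")
            for (i = 1; i <= n; i++) {
                l = lines[i]
                sub(/#.*/, "", l); gsub(/[ \t]/, "", l)   # strip comments, whitespace
                if (l != "") allowed[l] = 1
            }
        }
        $4 !~ /:/ { next }                     # not a socket line (e.g. a header)
        {
            sock = $4                          # 0.0.0.0:22, 127.0.0.1:3306, [::]:80, *:443
            port = sock; sub(/.*:/, "", port)
            addr = sock; sub(/:[0-9]+$/, "", addr)
            if ((addr ":" port) in allowed || ("*:" port) in allowed) next
            wildcard = (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
            label = wildcard ? "ALL-INTERFACES" : "local-only"
            print sock, label
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed allowlist for an appliance that serves ssh and a web front end
# and keeps its database on loopback.
ALLOWLIST='# what this appliance is supposed to serve (constructed)
*:22            # ssh; the firewall restricts who may reach it
*:80
*:443
127.0.0.1:3306  # database, loopback only'

# Constructed `ss -Hltn` sample: rpcbind (111), a forgotten VNC server (5900)
# and a local MTA (25) are present but were never part of the plan.
SAMPLE_SS='LISTEN 0 128   0.0.0.0:22      0.0.0.0:*
LISTEN 0 128   127.0.0.1:3306  0.0.0.0:*
LISTEN 0 10    127.0.0.1:25    0.0.0.0:*
LISTEN 0 511   *:80            *:*
LISTEN 0 64    0.0.0.0:111     0.0.0.0:*
LISTEN 0 128   0.0.0.0:5900    0.0.0.0:*
LISTEN 0 128   [::]:22         [::]:*'

printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "$ALLOWLIST" || echo "review or disable the listeners above"
```

The local-only entries matter too: a service on 127.0.0.1 is still reachable from anything that gets code execution on the box, which is the scenario the "vulnerability in your http application" reply above describes. A database that appears as 0.0.0.0:3306 instead of 127.0.0.1:3306 is flagged by the same check, since the allowlist pins the bind address and not just the port.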
  • by neokushan (932374) on Tuesday May 13 2008, @08:52AM (#23390472)
    The best kind of security is obscurity! So batten down the hatches by ditching your fancy *nix/BSD servers and get those old Amigas you have stashed in a loft somewhere up and running. Bonus points for using a C64.
  • by Facekhan (445017) on Tuesday May 13 2008, @08:52AM (#23390474)
    I've used the network equipment guides to harden routers and switches before and they are very handy.

    I can't speak to how well they withstand attacks after that but if you follow their instructions an nmap scan basically reveals no open services (ssh ports have their own access lists)

    I prefer the guides to tools like RAT because auditors get so out of date that you end up chasing down their rules to find out they don't even know about the last few years of security enhancements. Cisco's Output Interpreter is also good for advice on hardening your devices.
    First off the article talked about Snort, which I can't quite see my wife using; it then moved on to talk about the development lifecycle, not a major part of her internet and PC experience. The NSA files, while useful, are huge (the Mac OSX 10.3 one is 2.5MB) and I can't see the everyday user trawling through that. It's only for Vista that it is really viable, as it says to use the MS settings as these follow the NSA guidelines.

    So in summary the only everyday users who could do this are those using Vista.... an
    • Re: (Score:3, Informative)

      The Windows XP guide is also available [nsa.gov], though they also point to the MS guides since they have become very good. If nothing else, a quick glance through the services to disable can be helpful.
    • Re: (Score:3, Informative)

      I read through the NSA guide for OSX 10.3 and it's surprisingly basic. Most of it just repeats common advice on Mac security that you can get from a number of places. Some of it covers things that the average user wouldn't do like disconnect the microphone so that a spy can't hack in, activate it and listen in on your conversations. The one part which I thought was good was the section on when and how to use the Keychain.
  • by richg74 (650636) on Tuesday May 13 2008, @09:15AM (#23390692) Homepage
    There is an often-repeated old story that is pertinent here:

    Two guys are out on a hike in the forest. They go around the corner of a rock outcropping, and are confronted with a grizzly bear, not far away, who immediately springs toward them. The first guy starts running away. The second yells after him, "You damned fool, you can't outrun a grizzly bear!" The first says, over his shoulder, "I know -- but I can outrun you."

    Your house doesn't have to be impossible to break into; it helps quite a bit if it's just harder than your neighbor's.

    • Re: (Score:3, Funny)

      by Anonymous Coward
      I heard that story from a Chinese, but the bear was a testicle-eating wild pig. Much better story
    • Re: (Score:3, Insightful)

      The problem is when your site is "email.whitehouse.gov" and the other guy is "conglomerated-ironworks.com". One of which is going to be a much bigger target no matter how much extra security you have.
      • Re: (Score:3, Funny)

        Yeah, who'd hack the whitehouse? They've deleted all their own email and sensitive documents years ago. Now that ironworking company, that sounds interesting...
  • works ok for me (Score:4, Interesting)

    by myxiplx (906307) on Tuesday May 13 2008, @10:25AM (#23391466)
    Basic hardening of a windows system has stood us in good stead here. IE's locked down so sites can't run scripts. CD-ROM drives are disabled, users can't install USB thumb drives. All e-mails and internet access is filtered.

    It's not perfect by a long shot, but it's good enough that we've not had a sniff of a virus or malware outbreak in getting on for three years now. Hell, we don't even consider it necessary to install most MS updates straight away. We let other people do the testing, and roll them out via WSUS 3-6 months later.
    • Re: (Score:3, Insightful)

      How many cases have you had of users not being able to do work, or being greatly inconvenienced and slowed thanks to those security measures?

      How about incidents where users bypassed security? Like, how have you disabled the CD? Went into the BIOS setup and simply disabled the IDE interface it's connected to? And why are you even using IE?

      You're a good way down the path of just not allowing the use of computers at all.

  • System hardening is effective at defeating certain classes of attacks. That said, most security breaches are NOT due to fancy footwork with memcpy or other low-level wizardry. They're due to either:

    1) improperly designed trusts between systems (e.g. the Internet can't talk to my database server, but my webserver has full access; when my webserver is compromised, the contents of my database are toast as well). Networks designed to fail safely and gracefully, with liberal application of the principle of least privilege, help mitigate this kind of risk.

    2) stupid user tricks (I place social engineering in this category, along with phishing and the majority of email viruses). There is no technical solution for this essentially social problem - education helps, sane and safe defaults help tremendously (every unnecessary feature is an additional security risk, and the risk compounds as features are added), software policy approaches like ACL/MAC/UAC/RBAC help ... but in the end, users just want to do whatever it is they're using the computer for. If an attacker can convincingly pretend to be legitimate, or present a convincing enough temptation, users will bypass, override or disregard any level of protection. Vista's UAC is the canonical example here - great idea foiled by end users (granted, the implementation was almost guaranteed to train users to eventually ignore the constant repeated warnings).
    • by Hyppy (74366) on Tuesday May 13 2008, @08:42AM (#23390378)
      The DISA gold disk breaks Windows just as bad, believe me. The 100% Gold Disk Standard(tm) is only necessary for the highest security systems, which usually run software designed with gold disk hardening in mind in the first place.
      • by jandrese (485) <kensama@vt.edu> on Tuesday May 13 2008, @09:30AM (#23390870) Homepage Journal
        Where did you find a Windows Gold Disk that doesn't make a complete mess of the OS? I'd really like to get that because I've never gone through that process and still had the application the box is designed for work. In fact it's typically worse with Windows because when something gets a permission denied (especially on something like a Registry key), it won't be like Unix and spit out a message like "Error: File /foo/bar: Permission denied"; instead your application will crash and spit out a message like "Error: failure" to the system log (and only if you're lucky will it put something in the system error log). Since locking down Windows means changing the ACL on just about everything on the system, it's almost impossible to track down what broke your application.
      • Re: (Score:3, Informative)

        You might try (on a test box) the security information/tools CIS [cisecurity.org] (Center for Internet Security) has to offer. I have had good experience with the information for AIX (of all things). They provide automated tools for Windows and a few other OSs.
    • Well, the SRR for UNIX released last month is only supported on specific flavors:

      Solaris 2.5.1 through Solaris 10; HP-UX 11.0, HP-UX 11.11; Red Hat Enterprise Linux 3 and 4; and AIX 4.3. FSO cannot guarantee the accuracy of these scripts if they are used on other UNIX versions.
      That means if you are running any other version/flavor, you're going to need to review the script and modify it as necessary.