Slashdot Mirror


Secure Your Network NSA-style

farker haiku writes "The NSA has unclassified a pdf on how to secure your network in sixty minutes. All in all, it's an interesting and informative read if you are in the security biz. The article covers a variety of topics such as Buffer Overflows, Intrusion Detection Systems and using Tripwire ASR to ensure the integrity of your network server."

42 comments

  1. Classified information? by TripMaster+Monkey · · Score: 3, Insightful



    The NSA has unclassified a pdf on how to secure your network in sixty minutes.

    This was classified? All the information in this document has been freely available on the Web for quite some time now...

    I'm still gonna print this up and put it on my shelf...the NSA logo on the front looks pretty impressive. ^_^

    --
    ____

    ~ |rip/\/\aster /\/\onkey

    1. Re:Classified information? by LennyDotCom · · Score: 1

      This was classified?

      I believe he should have said "The NSA has AN unclassified a pdf

      I doubt it was ever classified to begin with.

      --
      http://Lenny.com
    2. Re:Classified information? by MBoffin · · Score: 1

      This was classified? All the information in this document has been freely available on the Web for quite some time now...

      UNclassified. Not DEclassified. Adjective, not verb.

    3. Re:Classified information? by ralphus · · Score: 3, Informative

      Yes it was classified. It was classified with the unclassified classification. It was not declassified.

      --
      Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout
    4. Re:Classified information? by Flendon · · Score: 1

      Anyone who has been in the military or a related field can attest to this. I've had fun in the past confusing the hell out of people by telling them that something is classified unclassified, but to me this is just a really old joke. It is accurate though so I would have given it informative if I had mod points left.

      --
      chown -R us ./base
    5. Re:Classified information? by ralphus · · Score: 1

      Glad you saw my point. I really didn't intend it as a joke, but the whole thing does sound kind of funny.

      --
      Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout
  2. Security Through Sudo by Goo.cc · · Score: 1

    I have been reading about Sudo, since both Apple and Ubuntu ship their operating systems with Root disabled and Sudo installed as a security measure. Taking this further, couldn't Sudo also be used as a method to reduce the number of setUID binaries on a Unix system, or does Sudo represent a problem when used this way?

    1. Re:Security Through Sudo by stoborrobots · · Score: 1
      couldn't Sudo also be used as a method to reduce the number of setUID binaries on a Unix system

      Hmm... not quite. They both have their purposes:

      • Sudo is used to allow a specific user to perform an administrative function (change network settings).
      • setUID is used when a user needs to perform a basic function, but needs administrative privileges to do so (change password; must update 'read-only' password files)
      There are other distinctions between them as well, but this should give you the idea of what each is good for.
      • Sudo is used when you trust a user to do the right thing.
      • setUID is used when you trust a program to ensure that the user is doing the right thing.
    2. Re:Security Through Sudo by Anonymous Coward · · Score: 1, Interesting

      sudo sh

      ownt!

    3. Re:Security Through Sudo by brunes69 · · Score: 1

      This is not really accurate... there is effectively zero difference between setuid'ing a binary and adding sudo access to it with the NOPASSWD option.

      The benefit sudo gives you, however, is you can restrict the users and groups who have this sudo access on a more fine-grained basis, whereas a setuid binary can be accessed by anyone in that group.

      So really, the parent is right.

    4. Re:Security Through Sudo by dougmc · · Score: 2, Interesting
      ownt!
      ... only if your sudo rules allow invoking sh from sudo. This isn't so unreasonable if this user is permitted full root access anyways, but if the user is intended to only run a few things as root, then they should NOT have this access.

      Really, disabling the root account entirely and instead letting users (well, administrators) use sudo doesn't really increase security that much. If you have root access to the box, you have root access to the box, be it via su, login or sudo. If you have the root password of the box because 1) it's your box, or 2) you're supposed to have it, the box is not `ownt'. It's yours, and legitimately so. (`pwned' and similar words suggest that it was taken somehow.)

      What forcing people to use sudo does accomplish is 1) helping to remind them not to login as root and do things as root that don't have to be done as root, and 2) to log things better. (And I'm talking about the usefulness of logging what you do when you're not trying to hide it here. A cracker will just erase the logs if he can.)
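The failure mode discussed above (a rule meant to allow "a few things as root" that also admits sh, or is NOPASSWD) can be checked mechanically. The following is an added example written for this thread, not code from any poster or from the sudo project; the sudoers lines are constructed, and the parser only handles the plain one-line rule form, not aliases, includes or continuations.

```python
"""Audit a sudoers fragment for rules that effectively grant a root shell."""
import re

# Constructed sample: four users with rules of increasing looseness.
SUDOERS_SAMPLE = """\
# Defaults lines omitted
alice   ALL=(root) /usr/sbin/ifconfig, /usr/sbin/route
bob     ALL=(root) NOPASSWD: /bin/sh
carol   ALL=(ALL) ALL
dave    ALL=(root) NOPASSWD: /usr/bin/vim /etc/hosts
"""

# Programs that are a shell or can spawn one (editors and pagers via their
# shell-escape commands). Kept deliberately short; extend for your estate.
SHELL_LIKE = {"sh", "bash", "dash", "ksh", "zsh", "csh", "tcsh",
              "su", "vim", "vi", "less", "more", "find"}

# user  host=(runas) [NOPASSWD:] cmd, cmd ...
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(\((?P<runas>[^)]*)\))?\s*(?P<spec>.+)$")


def parse_sudoers(text):
    """Yield (user, runas, nopasswd, [commands]) for each rule line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        spec = m.group("spec")
        nopasswd = "NOPASSWD:" in spec
        spec = re.sub(r"(NO)?PASSWD:", "", spec)
        cmds = [c.strip() for c in spec.split(",") if c.strip()]
        yield m.group("user"), m.group("runas") or "root", nopasswd, cmds


def audit_sudoers(text):
    """Return {user: [findings]} for rules that hand out an unrestricted shell."""
    findings = {}
    for user, runas, nopasswd, cmds in parse_sudoers(text):
        issues = []
        for cmd in cmds:
            prog = cmd.split()[0]              # drop any fixed arguments
            base = prog.rsplit("/", 1)[-1]
            if prog == "ALL":
                issues.append("ALL: unrestricted command set")
            elif base in SHELL_LIKE:
                issues.append(f"{base}: shell or shell-escape capable")
        if issues and nopasswd:
            issues.append("NOPASSWD: no prompt to alert the user")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_sudoers(SUDOERS_SAMPLE).items():
        print(user, "->", "; ".join(issues))
```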

    5. Re:Security Through Sudo by stoborrobots · · Score: 1

      there is effectively zero difference between setuid'ing a binary and adding sudo access to it with the NOPASSWD option.

      Good point - you can implement setuid using sudo; I'd never thought of that, since it's easier to just chmod +s the requisite binary....

      I was more trying to describe how (fine-grained) sudo is different from setuid... but looking back, you're right: the parent asked if we can eliminate setuid using sudo, which we almost can.

      Except, remember: sudo *is* a setuid binary. :-)

    6. Re:Security Through Sudo by erlenic · · Score: 1

      Also, if a user runs an untrusted binary, it can't do anything that their account can't do. If you set up sudo right, it will ask for their password, and they should know that something's wrong if the lima bean recipe program they downloaded is asking for root access.

    7. Re:Security Through Sudo by OneTwoThreeFourFive · · Score: 1
      The benefit sudo gives you, however, is you can restrict the users and groups who have this sudo access on a more fine-grained basis, whereas a setuid binary can be accessed by anyone in that group.

      With ACL (Access Control List) support in filesystems now, is sudo really more fine-grained at permissions than setting an ACL on the setuid file? or are they about equal?

    8. Re:Security Through Sudo by OneTwoThreeFourFive · · Score: 1

      "sudo -i" also works.

  3. Faster than 60 minutes.... by Mad_Rain · · Score: 3, Insightful

    What about the "Under 60 seconds method for securing your computer" ?

    Step 1. Unplug it.

    Ta-daaaa! Secure at last. ;)

    --
    "What do you think?" "I think 'What, do you think?!'"
    1. Re:Faster than 60 minutes.... by bushidocoder · · Score: 1
      http://www.neopoleon.com/blog/jetimages/no_2Dhax0r z.jpg

      You just reminded me of an old comic from Rory Blyth.

    2. Re:Faster than 60 minutes.... by Mad_Rain · · Score: 1

      hahaha... thanks for the laugh.

      --
      "What do you think?" "I think 'What, do you think?!'"
  4. Hmm... that document is dated from 2002... by stoborrobots · · Score: 1

    The threats on the internet these days are significantly different from what they were back then.

    Still, it makes an interesting read. Not so much "Secure your network in 60 minutes", but rather, "the first 60 minutes towards ensuring your network is secure".

    1. Re:Hmm... that document is dated from 2002... by dougmc · · Score: 2, Insightful
      The threats on the internet these days are significantly different from what they were back then.
      Not that different. It's only three years ago, after all.

      Sure, there are certainly some differences, with certain types of threats becoming more common and other sorts of threats becoming less common, but I'm not really aware of any fundamentally new threats appearing during that period, at least not anything that the `old' defenses (as described by this paper) aren't effective against.

      Probably the biggest change would be the general switch to massive DDoS attacks using an army of compromised machines, rather than an attack from a few machines. The concept certainly existed before 2002, but it's really become a problem since then. And ultimately, the `NSA-style' response is likely to be the same -- the important systems aren't on the Internet, so they're not vulnerable. (And if their internal network did have such a problem, they'd have much bigger problems than just a DoS attack.)

      Ultimately, it's not a bad document, but you can find similar things without going to the NSA, and they've been available for a lot longer than three years.

  5. Secure your network Narg-Style by wot.narg · · Score: 0

    Unplug your ethernet cable!

    --
    Roses are red
    Violets are blue
    In Soviet Russia
    Poems write you!
  6. NSA: Purely Professional by ndansmith · · Score: 3, Funny
    From the document (page 3): These updates where to fixes grammar and syntax

    I don't think they finished the job.

  7. Lots of good stuff there... by (H)elix1 · · Score: 2, Informative

    A better link is here. Lots of good stuff from these guys. Worth a look.

  8. I'm scared... by Anonymous Coward · · Score: 0

    From page 9 of the report:

    Always run Outlook...

    The NSA uses Outlook? Boy, do I feel safe now!

  9. confused by cryptoz · · Score: 1

    The pdf states that passwords should "Be 12 or more characters in length on Windows systems, 8 characters in length on UNIX"

    Anyone care to explain this? 'Cause the file certainly doesn't.

    1. Re:confused by CDarklock · · Score: 3, Informative

      The LAN Manager hash algorithm splits a password of up to 14 characters into two blocks of 7 characters, the second block null-padded to size. The LM hash values for single- and dual-character second blocks are well known, so an eight- or nine-character password on Windows using the LM hash is effectively a seven-character password.

      This assumes you have some systems which can ONLY use the LM hash. Systems with later capabilities can be forced NEVER to use LM hashing by simply using a 15-character password or longer, which won't fit in an LM hash even if it is enabled (which it shouldn't be these days, *unless* you have legacy systems that require it).

      --
      Microsoft cheerleader, blue flag waving, you got a problem with that?
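The two-halves behaviour described above can be made concrete by reproducing only the LM preprocessing (upper-case, truncate to 14, null-pad, split into 7-byte blocks) and counting brute-force candidates per block. This is an added example for this thread, not code from the poster or from Microsoft; it does not compute the DES-based hash itself, and the 69-symbol alphabet size is an assumption used for the estimate.

```python
"""Estimate how much of a password's length LM hashing actually protects."""

LM_ALPHABET = 69   # assumed: upper-case letters, digits and printable symbols


def lm_halves(password):
    """Return the two 7-byte blocks LM would hash, or None if LM cannot store it."""
    if len(password) > 14:          # 15+ characters never get an LM hash
        return None
    raw = password.upper().encode("ascii", "replace").ljust(14, b"\0")
    return raw[:7], raw[7:]


def half_candidates(block):
    """Candidates an attacker must try for one block: alphabet ** real length."""
    n = len(block.rstrip(b"\0"))
    return LM_ALPHABET ** n if n else 1   # an all-null block has one well-known hash


def lm_assessment(password):
    """Summarise the LM exposure of a password as a dict."""
    halves = lm_halves(password)
    if halves is None:
        return {"lm_stored": False, "effective_length": len(password),
                "weak_second_half": False}
    first, second = halves
    len1 = len(first.rstrip(b"\0"))
    len2 = len(second.rstrip(b"\0"))
    # The halves are attacked independently, so the work is set by the longer
    # block, never by the full length: 14 characters cost two 7-character searches.
    return {
        "lm_stored": True,
        "first_half_candidates": half_candidates(first),
        "second_half_candidates": half_candidates(second),
        "effective_length": max(len1, len2),
        # An 8- or 9-character password leaves a 1- or 2-character second block,
        # whose hash is in every precomputed table.
        "weak_second_half": 0 < len2 <= 2,
    }


if __name__ == "__main__":
    for pw in ("Short1", "Passw0rd", "ABCDEFGHIJKLMN", "correct horse battery"):
        print(pw, lm_assessment(pw))
```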
    2. Re:confused by Marxist+Hacker+42 · · Score: 2, Informative

      Both Unix and Windows use slightly different one-way hashes for encrypting and storing passwords. These character length recommendations are based on those hash algorithms- and happen to be the number of bytes actually stored. IIRC- and I'm not at all sure that I do- these hash algorithms using one-way mathematics recurse down when they hit their stored character limit- using both the next character and the hash of the first character as input for the second time through the algorithm. Thus a longer password will be more secure- less likely to collide with an entirely different password.

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    3. Re:confused by stoborrobots · · Score: 1

      Windows traditionally stored the password in a weakened form, and could be induced to transmit it in said weakened form via the network as well. In the event that a Windows password is intercepted, it is possible to brute-force the weakened hash more easily than, say, an MD5 hash.

      Also, IIRC, "traditional" Unixes had issues with >8 character passwords, in the days before MD5/Twofish shadow passwords.

  10. NSA-style? by dougmc · · Score: 2, Interesting
    This is securing your network NSA-style?

    Somehow I doubt it.

    In general, this is a pretty reasonable approach to securing your network. It's much more secure than it was when you started, but it's not locked down so tight that you can't get any work done on it.

    Like the rest of the world, the computers at the NSA are probably locked down to varying degrees depending on their function and the type of data they contain.

    This general sort of lockdown (as described in this document) might be appropriate for systems that don't contain confidential information and don't perform mission critical services, but I would imagine that `NSA-style' would really apply to the systems that contain confidential, top secret, etc. information, and the degree that these systems would be locked down would be much much more than is described in this document. And is probably still classified, though much of it could probably be figured out by anybody skilled in the area of computer security.

    For starters, the `top secret' computers at the NSA probably don't have any network access at all, or if they do have some, it's to a small, secure network of similarly secured systems (and NOT to the Internet) and physical security is taken to the extremes (think movies like Mission Impossible.) Code probably isn't run on these systems that hasn't been gone over, line by line, by the NSA itself. This sort of scrutiny requires lots of time and money, so any software being run is probably relatively old. The hardware itself is probably checked similarly, so it's likely to not be state of the art itself, except for the security components used to protect it.

    THAT would be `NSA-style'. And the only way you're likely to read the books on how that works are to 1) get the appropriate clearances from the government (Classified? Top Secret? I don't know), 2) get a job with the NSA, and 3) *need to know* what's in that book.

    1. Re:NSA-style? by Anonymous Coward · · Score: 0

      ...so any software being run is probably relatively old. The hardware itself is probably checked similarly, so it's likely to not be state of the art itself...

      Do you know how right you are? I don't work for anyone in particular, and I only know this because a dirty old homeless guy made me listen, but at NSA's Unix workstations, the version of grep they have is so old it doesn't support the -A and -B flags, and tar doesn't know about gzip.

      -- Anonymous, yes. Coward, even more.

    2. Re:NSA-style? by dougmc · · Score: 1
      Do you know how right you are?
      Do I know quantitatively how right I am? No. I just know that in general, I'm usually right. (And if I don't know, I'll say `I don't know', which is also right (unless I do know, I guess.) So yes, the deck is indeed stacked.)

      Ok, enough of that silliness :)

      but at NSA's Unix workstations, the version of grep they have is so old it doesn't support the -A and -B flags, and tar doesn't know about gzip.
      I believe that only the gnu versions of those utilities have those features/flags.

      Certainly, logging into a Solaris 8 box here, tar doesn't know about gzip and grep doesn't have -A or -B flags. Not that this is the newest, or even close, but it wouldn't surprise me if Solaris 10 wasn't any different.

      (Linux and to a lesser degree the *BSDs tend to give you the gnu versions of utilities like these, so you may have gotten used to that. I know I have ...)

    3. Re:NSA-style? by bhiestand · · Score: 1
      Code probably isn't run on these systems that hasn't been gone over, line by line, by the NSA itself.


      Are you trying to imply that the NSA only runs in-house software or FOSS programs? Do you REALLY think Microsoft would allow that? Somehow I doubt it. Why would they trust that insecure, terrorist-supporting software when they can use trusted, innovative software?
      --
      SWM seeks new sig for a brief fling
    4. Re:NSA-style? by dougmc · · Score: 1
      Are you trying to imply that the NSA only runs in-house software or FOSS programs? Do you REALLY think Microsoft would allow that?
      If the NSA asked Microsoft for their source code, they'd probably get it. And they probably have asked for it, and have probably had it for a long time now.

      Microsoft actually does give out their source code (or at least parts of it) to companies who have a serious need for it, and are willing to sign all sorts of NDAs to get access to it.

      I certainly do believe that on their most secure systems, the NSA does not run anything that they have not personally written or audited, line by line.

  11. Full Text Of Article by Anonymous Coward · · Score: 1, Funny

    1. Dig big hole
    2. Place large concrete box in hole
    3. Place computer in concrete box
    4. Fill box with molten lead
    5. Cover box with concrete lid
    6. Fill in hole


    1. Re:Full Text Of Article by The+Original+Yama · · Score: 1

      7. Profit!!!

      (sorry, but you were asking for it...)

  12. Not a dup by museumpeace · · Score: 1

    We have seen a doc like this on /. before...it's been around long enough. NSA put out a report [ Report # C43-002R-2004 ] In June of 04. I downloaded it on Nov 5 because it was in a /. post The layered security doc addresses worms and viruses and is NEWER than the document mentioned in this post. Both are good stuff but the older one has lots of IP nuts and bolts that are interesting and useful. Many programmers would want to print out table 5 and tape it on their cube wall. [If they don't have default port assignments memorized by heart.]

    --
    SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
  13. Slashdotted? by redelm · · Score: 1
    Hit the link, and you will be deemed to be willfully attacking a government security computer. Don your tinfoil hats, the black helicopters will descend! :)

  14. OLD publication: Updated July 12, 2002 by Futurepower(R) · · Score: 1


    From the cover page of the NSA Guide:

    Updated July 12, 2002

    Version 1.2

    The Guide has been the same for almost exactly 3 years.

  15. Secure Your Network in Sixty *Seconds* by LightForce3 · · Score: 1

    Sixty minutes? Pfft. I can secure any network in sixty seconds. You can, too, with these instructions.

  16. Mystery step by Yeechang+Lee · · Score: 1
    Excellent! Just what I was looking for to help secure my network.

    But I don't quite understand some of the steps in the document. For example, what do these lines do?
    Router(config)# useradd -r -m nsa
    Router(config)# echo nsa | passwd --stdin
    Router(config)# echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
    Oh well. To paraphrase Superman, If we can't trust the NSA, who can we trust?
    1. Re:Mystery step by OneTwoThreeFourFive · · Score: 1

      What does the "-r" part of useradd do? I can't find it anywhere in the man page (at least not in Ubuntu Linux's man page of "useradd"). (I know the parent post is a joke.)

    2. Re:Mystery step by kd5ujz · · Score: 1

      It creates a "system" account with a UID lower than the one specified by UID_MIN in your login.defs config file. Basically a super user account/root account/whatever. It will not however create a home directory without the -m flag. This will simplify the hacker's life, as too many new linux guys try to stay as far away from manual config as possible, and wouldn't be modifying the passwd file themselves, so they would only notice an extra home directory.

      --
      -William
      God is everything science has yet to explain.
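The "mystery steps" in this thread (a system-range account with a home directory and a login shell, plus a line appended to sshd_config) leave traces that a short audit can surface. This is an added example written for this thread, not code from any poster or distribution; the /etc/passwd and sshd_config contents are constructed, and UID_MIN=1000 is assumed since the login.defs value varies by distribution.

```python
"""Flag the account and sshd changes discussed in the 'Mystery step' thread."""

UID_MIN = 1000   # assumed login.defs value; check your distribution's file
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed /etc/passwd: a system-range account with a real shell and a
# second UID-0 account sit among normal entries.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nsa:x:999:999::/home/nsa:/bin/bash
toor:x:0:0::/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Constructed sshd_config fragment with a directive appended after an
# earlier setting of the same keyword.
SSHD_SAMPLE = """\
Port 22
PermitRootLogin no
PasswordAuthentication yes
PermitRootLogin yes
"""


def parse_passwd(text):
    """Yield one dict per well-formed passwd line."""
    for line in text.splitlines():
        f = line.split(":")
        if len(f) == 7:
            yield {"name": f[0], "uid": int(f[2]), "home": f[5], "shell": f[6]}


def audit_passwd(text):
    """Return [(account, reason)] for entries worth a second look."""
    findings = []
    for acct in parse_passwd(text):
        if acct["uid"] == 0:
            if acct["name"] != "root":
                findings.append((acct["name"], "extra UID-0 account"))
            continue
        # Accounts below UID_MIN normally carry a nologin shell; one with a
        # login shell is a lead to verify, not proof (some distros differ).
        if acct["uid"] < UID_MIN and acct["shell"] not in NOLOGIN_SHELLS:
            findings.append((acct["name"], "system-range UID with a login shell"))
    return findings


def permit_root_login(text):
    """Return (effective value, later duplicate values sshd ignores).

    sshd uses the first value given for a keyword (outside Match blocks), so a
    line appended with '>>' changes nothing if the keyword was already set.
    """
    seen = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "permitrootlogin":
            seen.append(parts[1])
    return (seen[0] if seen else "default", seen[1:])
```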