Just How Effective is System Hardening?
SkiifGeek, pointing to our recent coverage of what the NSA went through to create SELinux, wants to know just how effective system hardening is at preventing successful attack, and writes "When Jay Beale presented at DefCon 14, he quoted statistics (PDF link) that Bastille protected against every major threat targeting Red Hat 6, before the threats were known. With simple techniques available for the everyday user which can start them on the path towards system hardening, just how effective have you found system and network hardening to be? The NSA does have some excellent guides to help harden not only your OS but also your browser and network equipment."
/. is just the place to come for advice on "system hardening."
System hardening is just another layer of a "defense in depth" security posture. The more layers, the better. So, if an adversary manages to get through your site firewall, access lists, IPS, VLAN segregation, virus scanner, etc., they still have to contend with a hardened local system in order to compromise data.
System hardening is also very helpful against inside jobs, or against other systems on the network compromised through brute force or social engineering.
If DISA put out a lockdown script for the various Unix flavors. The Gold Disk they have for Unix breaks shit. But dang if the Windows one works. What's up with that? It's a real pain manually doing this.
I found encasing the system in steel reinforced concrete made the system much harder. Similar attempts to place end users in the same situation were not as successful.
And I don't care.
I use Ubuntu 8.04. It's hardy out of the box.
Am I the only one who is a bit skeptical of downloading .msi packages from nsa.gov?
System and network hardening is very effective. By hardening, I mean doing things like removing unnecessary services and applications; configuring the remaining services to be as featureless as possible while still doing what you need; examining the remaining service and application configurations and making changes to reduce features and employ security measures like encryption, etc.; and utilizing whatever access controls are available in the strictest sense.
That is just a start. Now you also have to monitor the activity on the host or network to detect any changes or indicators of malicious behavior.
Hardening is easier to do with servers because servers tend to have more stable configuration requirements and less user touch. Workstations and desktops are more difficult. You can lock down a Windows host very tightly using GPOs and other OS tools. You can also buy other applications to fill gaps. Financial institutions, for example, often have very tight workstations. In most other organizations, however, users are used to having more control, and the pain of locking down a workstation, compared to the outcry IT will receive, normally leads to looser standards.
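The "remove unnecessary services" step in the comment above is only as good as the check that verifies it afterwards. The following is an added example (not code from the thread or from any of the tools it mentions) that audits a host's listening sockets against a hardening baseline. It parses text in the column layout of `ss -H -l -t -u -n` (Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port); the sample output and the allowlist are constructed for the example, and the port policy is an assumption, not a standard.

```python
"""Audit listening sockets against a hardening baseline.

Added example: parses output in the shape of `ss -H -l -t -u -n` and reports
every listener the baseline does not allow, plus allowed services that are
bound more widely than the baseline permits.
"""
from typing import Dict, List, Set, Tuple

# Baseline (assumed for the example): (proto, port) -> permitted bind
# addresses. "*" means any address is acceptable for that service.
ALLOWLIST: Dict[Tuple[str, int], Set[str]] = {
    ("tcp", 22): {"*"},             # SSH, protected by its own access list
    ("tcp", 443): {"*"},            # the service this host exists to run
    ("tcp", 3306): {"127.0.0.1"},   # database: loopback only
}

# Constructed sample in the column layout of `ss -H -l -t -u -n`.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0 128 0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0 80  0.0.0.0:3306      0.0.0.0:*
tcp   LISTEN 0 50  127.0.0.1:25      0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:111       0.0.0.0:*
tcp   LISTEN 0 128 [::]:22           [::]:*
"""


def split_addr_port(field: str) -> Tuple[str, int]:
    """Split 'addr:port', handling IPv6 forms such as '[::]:22'."""
    addr, _, port = field.rpartition(":")
    return addr.strip("[]"), int(port)


def parse_listeners(ss_output: str) -> List[Tuple[str, str, int]]:
    """Return (proto, local_addr, port) for every socket line."""
    listeners = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # blank or malformed line
        proto, local = parts[0], parts[4]
        addr, port = split_addr_port(local)
        listeners.append((proto, addr, port))
    return listeners


def unexpected_listeners(ss_output: str,
                         allowlist: Dict[Tuple[str, int], Set[str]] = ALLOWLIST
                         ) -> List[str]:
    """Findings that need to be fixed or justified before the host is 'hardened'."""
    findings = []
    for proto, addr, port in parse_listeners(ss_output):
        allowed = allowlist.get((proto, port))
        if allowed is None:
            findings.append(
                f"{proto}/{port} on {addr}: not in baseline, disable or justify")
        elif "*" not in allowed and addr not in allowed:
            findings.append(
                f"{proto}/{port} on {addr}: should bind only to {sorted(allowed)}")
    return findings


if __name__ == "__main__":
    for finding in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(finding)
```

On a live host, pipe the real `ss -H -l -t -u -n` output into `unexpected_listeners` instead of the sample; the point of the allowlist is that a newly appearing listener (or a database that has quietly started binding to 0.0.0.0) fails the check rather than being accepted because "nothing looked wrong".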
The best kind of security is obscurity! So batten down the hatches by ditching your fancy *nix/BSD servers and get those old Amigas you have stashed in a loft somewhere up and running. Bonus points for using a C64.
I've used the network equipment guides to harden routers and switches before and they are very handy.
I can't speak to how well they withstand attacks after that, but if you follow their instructions an nmap scan basically reveals no open services (SSH ports have their own access lists).
I prefer the guides to tools like RAT because auditors get so out of date that you end up chasing down their rules to find out they don't even know about the last few years of security enhancements. Cisco's Output Interpreter is also good for advice on hardening your devices.
First off, the article talked about Snort, which I can't quite see my wife using; it then moved on to talk about the development lifecycle, not a major part of her internet and PC experience. The NSA files, while useful, are huge (the Mac OS X 10.3 one is 2.5MB) and I can't see the everyday user trawling through that. It's only for Vista that it is really viable, as it says to use the MS settings as these follow the NSA guidelines.
So in summary the only everyday users who could do this are those using Vista... an unusual plug for Redmond from Slashdot.
The days of "Security through Obscurity?" I just wonder if it's more or less prevalent today than in years past.
Two guys are out on a hike in the forest. They go around the corner of a rock outcropping, and are confronted with a grizzly bear, not far away, who immediately springs toward them. The first guy starts running away. The second yells after him, "You damned fool, you can't outrun a grizzly bear!" The first says, over his shoulder, "I know -- but I can outrun you."
Your house doesn't have to be impossible to break into; it helps quite a bit if it's just harder than your neighbor's.
How hard is it to get any real work done on a super locked-down system without a lot of dead time waiting for IT to unlock what you need to get your job done?
Allow execution of only known-good binaries.
One good tool out there is from Solidcore. It is being used in point-of-sale devices, ATMs and production servers in some big enterprises.
Works on Windows and Unices.
A lot more work and a lot less dead time than waiting for IT to resurrect a completely fsck'd system, maybe?
You could always bring in a lappy and do like this guy did ...
The NSA doesn't really care about hardening your system, they care about their own, first and those of the other US government agencies after that. They produce these guidelines to be used by other agencies, and contractors for use on systems that the NSA will then purchase.
As for backdoors, I don't know that they've created any code to secure the system, just produced a set of rules and guidelines that help people know what to secure and how.
How hard is it to get any real work done on a super locked-down system without a lot of dead time waiting for IT to unlock what you need to get your job done?
So kindly go fuck yourself with your condescending attitude.
It's really easy. What's difficult is to get "real" work done on a locked-down system.
Security hardening is all about removing unnecessary facilities. So obviously whatever is left is necessary for you to do your job, if not then the security guys/procedures didn't do their analysis well enough.
Of course, what they think is necessary and what you think is "necessary" may not be quite the same thing....
Am I the only one who is surprised that the NSA uses ColdFusion?
Do you have ESP?
I have found one sure-fire method to secure a system and prevent ANY known or unknown attacks.
Remove the black cable in the back with the prongy thingies. There, problem solved.
If you look at the browser guides, they are from 2003. Not very relevant today I would say.
Basic hardening of a windows system has stood us in good stead here. IE's locked down so sites can't run scripts. CD-ROM drives are disabled, users can't install USB thumb drives. All e-mails and internet access is filtered.
It's not perfect by a long shot, but it's good enough that we've not had a sniff of a virus or malware outbreak in getting on for three years now. Hell, we don't even consider it necessary to install most MS updates straight away. We let other people do the testing, and roll them out via WSUS 3-6 months later.
System hardening is effective at defeating certain classes of attacks. That said, most security breaches are NOT due to fancy footwork with memcpy or other low-level wizardry. They're due to either:
1) improperly designed trusts between systems (e.g. the Internet can't talk to my database server, but my webserver has full access; when my webserver is compromised, the contents of my database are toast as well). Networks designed to fail safely and gracefully, with liberal application of the principle of least privilege, help mitigate this kind of risk.
2) stupid user tricks (I place social engineering in this category, along with phishing and the majority of email viruses). There is no technical solution for this essentially social problem - education helps, sane and safe defaults help tremendously (every unnecessary feature is an additional security risk, and the risk compounds as features are added), software policy approaches like ACL/MAC/UAC/RBAC help.
... but in the end, users just want to do whatever it is they're using the computer for. If an attacker can convincingly pretend to be legitimate, or present a convincing enough temptation, users will bypass, override or disregard any level of protection. Vista's UAC is the canonical example here - great idea foiled by end users (granted, the implementation was almost guaranteed to train users to eventually ignore the constant repeated warnings).
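The "my webserver has full access to my database" trust problem in the comment above has a concrete least-privilege fix: the web tier holds a credential that can only do what serving pages requires. The following is an added example (not code from the thread) that uses a file-backed SQLite database to contrast the two designs; SQLite's `mode=ro` URI flag stands in for a restricted database role, the table and rows are constructed for the example, and the "attacker" function models what a compromised web process can do with whichever handle it holds.

```python
"""Least-privilege database handle for a web tier.

Added example: the same post-compromise actions are run against a
full-access connection and a read-only connection to a constructed
SQLite database, to show what a restricted credential actually buys.
"""
import os
import sqlite3
import tempfile


def create_database(path: str) -> None:
    """Create the example schema with a couple of constructed rows."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO customers (email) VALUES (?)",
                     [("a@example.com",), ("b@example.com",)])
    conn.commit()
    conn.close()


def attacker_after_web_compromise(conn: sqlite3.Connection) -> dict:
    """Model the actions of an attacker holding the web tier's DB handle."""
    rows_read = conn.execute("SELECT COUNT(*) FROM customers").fetchone()[0]
    try:
        conn.execute("DROP TABLE customers")
        conn.commit()
        destroyed = True
    except sqlite3.OperationalError:
        # A read-only handle fails here with "attempt to write a readonly database".
        destroyed = False
    return {"rows_read": rows_read, "table_destroyed": destroyed}


def simulate(read_only: bool) -> dict:
    """Run the attacker model against a fresh database opened with the given privilege."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        create_database(path)
        # mode=ro is the stand-in for a database role limited to SELECT.
        uri = f"file:{path}?mode={'ro' if read_only else 'rw'}"
        conn = sqlite3.connect(uri, uri=True)
        try:
            return attacker_after_web_compromise(conn)
        finally:
            conn.close()
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("full access:", simulate(read_only=False))
    print("read-only:  ", simulate(read_only=True))
```

Note what the restricted handle does and does not buy: the compromised web tier can no longer destroy or tamper with the data, but it can still read every row it is allowed to query. Containing disclosure as well needs the role cut down further (per-function accounts, views, or stored procedures exposing only the columns the page needs), which is the same least-privilege principle applied one level deeper.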
The NSA's a bunch of perverts!
Am I the only one who first thought the article was referring to hardening systems against EMP effects from a nuclear event?
You can completely prevent unauthorized access with Marcus Ranum's ultimate firewall!
It is, & even for Windows NT-based OS of modern variety (although there is a HUGE "Pro-*NIX" slant to this website)!
See here:
----
HOW TO SECURE Windows 2000/XP/Server 2003 & even VISTA, & make it "fun to do", via CIS Tool Guidance:
http://www.security-forums.com/viewtopic.php?t=50567&sid=844e3c38a7f319ce1d05fd2ffd671294
----
It just works... & CIS Tool is NOT JUST RESTRICTED TO Windows either (though that post URL/thread above goes into way, WAY more you can do for Windows, or really *NIX too in some regards); it also has models for Sun Solaris, various Linux distro variants, & BSD variants as well!
Enjoy!
The NSA, and state entities in general, has an interest in increasing security, even though it sometimes makes its job less convenient. The reason is pretty simple: insecure systems can be broken by anybody with sufficient knowledge and motivation, NSA, spammers, organized crime, foreign intelligence services, etc. Secure systems can be broken by a search warrant, only available to state entities. There are, I'm sure, a number of exceptions to this trend; but for something like computer security, the government's best interests are pretty clear.
The rest of your post is probably trolling; but what the hell, I'll answer it anyway: SELinux added Mandatory Access Control abilities to Linux. These are very useful, and very powerful, security features and it is definitely good that Linux now has them; but it is hardly the case that any OS without them is necessarily insecure.
As for the "handout" angle, SElinux was certainly a handout for Linux; but it was also the cheapest and most effective way for the NSA to make MAC widely available in a short period of time. The objective of the program was a handout of security from the NSA to other entities. The handout to Linux was just the easiest path to that objective.
Just How Effective is System Hardening? It can be very, very effective. But the problem is the average end user completely lacks the skills and time to do this, and I'd say the average sysadmin is not much better off. But if you do take the time to read up and set up services running inside (say) Solaris "containers" or on Xen under Linux, and get all your access lists set up and firewall rules done at the IP address level, you can build a very secure server. I've seen server farms run for years without a problem.
But the unsolvable problem is social engineering and Trojans. When some guy is told that if he runs this program he will get access to free goatporn, he runs it and it seems to work, but in doing so maybe he has in effect opened up his machine to remote access. No good way to fix this if the attacker is good and uses ports that need to be left open, like https.
The Linux kernel has no integrated security; it has a security layer that gives all security systems access (or it can; it's recommended to compile without it if you don't use it, as otherwise a rootkit could use it).
SELinux, sure, it could have an NSA back-door, probably doesn't, but a lot of distros don't use SELinux; instead they opt for AppArmor, or nothing at all, or other security measures (PaX, etc.).
If your IT admins locked the system down to the point that you can't get work done, they have failed and you, or your boss, have the obligation to raise the issue.
Responsible IT departments can configure your systems while still allowing you to work.
Hardening has been around for years
SELinux
RSBAC
PaX
Grsecurity
Bastille
apparmor
are not new, it's just that they are finally getting into the mainstream distros; if you wanted a secure Linux system you could have had one 5/10 years ago, it's just you had to actually do it yourself.
It looks like the NSA site is taking a good slashdotting...it is mighty slow loading.
Probably. What risk does it introduce, which you didn't already have?
The situation simply cannot get any worse from the perspectives of security and trust, so what is the downside? You might as well let NSA patch things to oppose their competitors' access. A machine with one master that is potentially hostile to you, is better than a machine with multiple masters that are potentially hostile to you.
Using '&' everywhere doesn't make your posts easier to read, FYI.
Not to troll, but MACs can and do break bad software in Linux, and prevent non-bad software from operating properly.
Bad software = not malware; there is none in Linux, and every F/OSS project that includes any gets posted on the Slashdot front page. Bad software on Linux is Oracle, for one. And each, every, all Big Commercial Program. They're coded like the OS is a platform they must code around, so they refuse to run on "hardened" systems.
Non-bad software operating non-properly : if it's not SELinux-aware, it WILL break at some point : "Resource refused, please crash." I'd happily try WINE on that.
Not to mention that the NSA are the only ones who can write a SELinux policy. Or even modify it. SELinux : use at your own risk. But if any software asks for a resource that SELinux denies it, then, rewrite the program. It's much, much easier than tweaking an SELinux policy. It's like they're written in Malbolge, but harder to modify. At least you can disassemble what the Malbolge interpreter does, but SELinux is about as painful as SQL in MS Access : it's written right, but refuses to run, or to do what it's supposed to.
SELinux is not "a hardened Linux". It's a different OS, one that is not 100% compatible with Linux software.
The one platform I'm accepting to believe to be secure, like in "Hey, we solved security", is Microsoft Singularity. It's provably secure. Design by contract, analyze everything, deny by default, totally self-contained programs, you name it, it's in there.
The other Secure Platform is OpenBSD. But there, it's secure "by default", not because it's designed around the concept of security. (Proof : it's a Unix, not an OS designed from scratch using secure languages, platform, toolchain, etc.)
if you wanted a secure Linux system you could have had one 5/10 years ago, it's just you had to actually do it yourself.
Isn't that the way Linux should be? Having a guideline is exactly what you want when you're starting out to do just that.
As far as how effective it is, I'd have to say it is good stuff; too bad few people are ready for it. It would be great if everyone was to the point where hardening the system is their weak spot, but it isn't. IMHO most Linux machines don't get owned because they are administrated by newbies that don't keep the system up to date. They are administrated by lazy admins that don't even try to use a good password. Web-based applications that have exploits in them can be thwarted with SELinux et al., but it don't do $h1t if the root password can be guessed after a two-hour SSH brute force attack.
Back in 2000, some guy wrote a software patch to the Linux kernel called PaX that emulates an NX bit via marking data pages as "Supervisor" (requiring the kernel to approve TLB loads for them, basically). This quickly grew to include a policy about how a program can set memory protections (no write/execute memory), address space layout randomization, and a faster NX emulation mode; as well as support for multiple CPU architectures including those with hardware NX bits.
A bit before that, Crispin Cowan of Immunix wrote StackGuard, which evolved into IBM's ProPolice via Hiroaki Etoh and Kunikazu Yoda of the Tokyo Research Lab, and then later into the -fstack-protector option in gcc.
Years later, SELinux incorporated protections 'execmem', 'execstack', 'execheap', and 'execmod' to imitate the PaX policy. Linux also incorporated a lower entropy implementation of ASLR, and utilization of hardware NX on x86 in PAE mode where available. Microsoft, as part of the Glepnir project, incorporated a system to actually utilize a hardware NX bit, along with ASLR using a cryptographically weak random number generator.
PaX still does the job best, with detection of ELF .text relocations and trampoline (nested function) emulation as well as stronger address space randomization. Still, it and all the others have an issue with Java and .NET platforms since they prevent runtime code execution-- and those JIT compilers generate code at runtime and execute it! They also link to native libraries (written in C...), which don't benefit from these protections (wow).
The strongest middle-ground you have is strong ASLR and that's it. You could NX protect the stack and prohibit making it and the heap executable, and keep program code loaded from files non-writable; but you still need a write-execute mapping or a multiple-mapping pair where one mapping is writable and the other is executable (backed by the same physical memory). In any of these cases, defeating the ASLR will allow the attacker to locate these unprotected areas. Of course, you do restrict it down to just those areas...
Once all this stuff comes into play, certain classes of attacks fail. These include anything requiring advanced knowledge of address space layout and/or the ability to inject your own executable payload (code) into the target. Buffer overflows and the like become a DoS, but nothing more.
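Two of the properties discussed in the comment above (no mapping that is both writable and executable, and a layout that changes from run to run) can be checked from outside the process by reading its memory map. The following is an added example (not code from the thread, and not part of PaX or any other project named above) that parses text in the format of Linux `/proc/<pid>/maps`. The two snapshots are constructed for the example: they model one binary with a JIT-style anonymous RWX region, run twice with ASLR on; on a real system you would read `/proc/self/maps` or `/proc/<pid>/maps` instead.

```python
"""Check a process memory map for W^X violations and for ASLR.

Added example: parses /proc/<pid>/maps-format text. Writable+executable
regions are exactly the mappings a PaX MPROTECT-style policy refuses to
create; ASLR is inferred by comparing region base addresses across two
runs of the same program.
"""
import re
from typing import List, Optional, Tuple

# address range, perms, offset, dev, inode, optional path
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxps-]{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")

# Constructed snapshots of the same (hypothetical) binary across two runs.
RUN_A = """\
55d4c2a00000-55d4c2a01000 r-xp 00000000 08:01 131089 /usr/bin/app
55d4c2c01000-55d4c2c02000 rw-p 00001000 08:01 131089 /usr/bin/app
55d4c3e5c000-55d4c3e7d000 rw-p 00000000 00:00 0 [heap]
7f1a4c000000-7f1a4c010000 rwxp 00000000 00:00 0
7ffd2b3c5000-7ffd2b3e6000 rw-p 00000000 00:00 0 [stack]
"""
RUN_B = """\
5617f8200000-5617f8201000 r-xp 00000000 08:01 131089 /usr/bin/app
5617f8401000-5617f8402000 rw-p 00001000 08:01 131089 /usr/bin/app
5617f9a1b000-5617f9a3c000 rw-p 00000000 00:00 0 [heap]
7f3b91000000-7f3b91010000 rwxp 00000000 00:00 0
7ffe8d6f0000-7ffe8d711000 rw-p 00000000 00:00 0 [stack]
"""

Region = Tuple[int, int, str, str]  # start, end, perms, path


def parse_maps(text: str) -> List[Region]:
    """Parse maps-format lines into (start, end, perms, path) tuples."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if m:
            regions.append((int(m.group(1), 16), int(m.group(2), 16),
                            m.group(3), m.group(4).strip()))
    return regions


def wx_violations(text: str) -> List[Tuple[str, str]]:
    """Regions that are both writable and executable (W^X violations)."""
    return [(hex(start), path or "[anon]")
            for start, _end, perms, path in parse_maps(text)
            if "w" in perms and "x" in perms]


def region_base(text: str, label: str) -> Optional[int]:
    """Base address of the first region whose path matches label."""
    for start, _end, _perms, path in parse_maps(text):
        if path == label:
            return start
    return None


def aslr_looks_enabled(run_a: str, run_b: str, label: str) -> bool:
    """True if the named region was placed at different addresses in two runs."""
    a, b = region_base(run_a, label), region_base(run_b, label)
    if a is None or b is None:
        raise ValueError(f"region {label!r} not present in both snapshots")
    return a != b


if __name__ == "__main__":
    print("W^X violations in run A:", wx_violations(RUN_A))
    for label in ("[stack]", "[heap]", "/usr/bin/app"):
        print(label, "randomized:", aslr_looks_enabled(RUN_A, RUN_B, label))
```

The anonymous RWX region is the JIT case the comment describes: a policy that forbids writable-and-executable mappings outright breaks such runtimes, which is why the practical middle ground is to keep the RWX (or the W/X alias pair) confined to those regions and rely on ASLR to keep their addresses unknown.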
I'd just add, there may be an interest in securing home-user systems. There's the issue, of course, of SPAM, botnets and viruses. SPAM costs a lot of corporations and governments millions of dollars to filter (so in some way, indirectly, it might help the economy). Botnets and viruses usually affect unsecured home systems, which are then used to attack, somewhat surreptitiously, the targets mentioned before.
Seems to have fixed the entire pesky security/virus vulnerability. That and removing the power cord from the back of the PC.
Unfortunately production seems to have slowed by about 10%.
only insofar as it's in the best interest of the nation that our "private US financial interests" not hit rock bottom and die. There's no "keep Wal-Mart's servers up!" directive, I'm betting.
Hardening is just one step. Alone it will do a little to increase your security stance. However it will not protect you from everything, especially the untrained user downloading bots onto your system. So yes, hardening can help secure your system against some attacks, but you are better off by far not stopping there. Use Defense in Depth, also known as a layered approach. Harden your system, use a firewall, use anti-virus/malware, intrusion detection, and educate all users about safe browsing habits.
"Since they could not get their hands on the Windows code Linux was the obvious choice." - by AmaDaden (794446) on Tuesday May 13, @12:04PM (#23391860) Oh boy, another "slashdot sheep" following the crowd, & the F.U.D. dept. @ this website, spreading around yet MORE "propaganda", without knowing what the hell he's talking about!
NEWSFLASH:
Windows already had ACL-level control down to the lowest levels (& easily implementable via group policies &/or GUI tools in MMC.exe via snap-ins, regedit.exe, & explorer.exe also) as well, in the OS since day #1 in Windows NT-based OS!
(Whereas Linux did not (just like Linux didn't have true threads @ kernel level, iirc, prior to kernel build 2.4.x, into usermode initially & thus it was NOT fully SMP ready) & Linux had to have it later "bolted on" - all Linux had was chmod, for example, before SELinux MAC was put in.)
Please - Get informed first, before shooting your mouth off with yet more Linux/Pro-Penguin F.U.D. & misinformation!
No, keeping Wal-Mart's servers safe from signals intelligence is exactly what I was talking about. This is part of the dual role that they serve: conduct signals intelligence, and protect US interests from signals intelligence work being done by the other guy.
That's all well and good, but it has nothing to do with what I just said. I'm not going to, and was not trying to, pretend to know about what kind of security measures Windows has that Linux does not have and vice versa. The point I was making was 1) Linux has had and does have fewer KNOWN issues. This makes it statistically secure, as opposed to time-tested secure as we would like. Even if this is not true it does not matter because... 2) No matter who had fewer issues, the only OS they could fix was Linux because it was open. Windows could be near perfect, but if they were unable to fix issues that could come up they would have their hands tied. The govt HATES stuff like that. They want to be in control, so they went with Linux. Plus it's clear from what was done they were ready to spend the time and money to make whatever they were using rock solid.
Doesn't it suck having to apply your Windows Updates via punch cards?
Are you kidding? Punch cards are way too advanced a technology. You program your ENIAC by plugging and unplugging wires.
And Windows? If I was running Windows, even my ENIAC clone wouldn't be secure!
And als*7)87&*&(*&(*&)(*[no carrier]4$%^&^%[connect]ave to change a vaccuum tube once in a while.