Just How Effective is System Hardening?

SkiifGeek, pointing to our recent coverage of what the NSA went through to create SELINUX, wants to know just how effective system hardening is at preventing successful attack, and writes "When Jay Beale presented at DefCon 14, he quoted statistics (PDF link) that Bastille protected against every major threat targeting Red Hat 6, before the threats were known. With simple techniques available for the everyday user which can start them on the path towards system hardening, just how effective have you found system and network hardening to be? The NSA does have some excellent guides to help harden not only your OS but also your browser and network equipment."

Defense in Depth

[Hyppy]

System hardening is just another layer of a "defense in depth" security posture. The more layers, the better. So, if an adversary manages to get through your site firewall, access lists, IPS, vlan segregation, virus scanner, etc, they still have to contend with a hardened local system in order to compromise data.

System hardening is also very helpful against inside jobs, or against other systems on the network compromised through brute force or social engineering.

Re:Defense in Depth

[Hyppy]

If you consider system hardening as more than just installing SELinux, you can see it helps secure more than just users with shell access.

Many of the SNACs (or STIGs as I remember them being called) go into detail in such areas as setting the method for password hashing, setting policies for allowed authentication protocols, disabling authentication on time mismatches, and a plethora of other things.

If nothing else, system hardening can be a "best practices" framework for your systems and/or network. I remember one of my systems administrators complaining to a security inspector that the system would not allow a log on if the security log was full instead of just overwriting old entries. He didn't realize that filling the security log with bogus crap could mask a real intrusion. Nobody knows absolutely everything, and not everyone has the time to sit down and understand every intricate detail. Using a system hardening approach, however, is a very good foundation to build your overall security posture.

You say that you only allow http, but what happens when a vulnerability is found in code that you use for your http application? That's what defense in depth is all about. You may be able to knock down this wall, but there are 10 more behind it that are even bigger.

Re:Defense in Depth

[Jeruvy]

OS Hardening is exactly that, risk mitigation. If you know that you don't need to run certain processes or your can run them with reduced variables not only will your systems run with less risk, they can also be more stable. Less updates and patching, less dealing with new variables (because someone enabled some feature that was disabled), adding new functions only after approval and ensuring they meet your requirements. So yes, I'd say OS hardening is an essential part of your good security practices.

Re:Defense in Depth

[jandrese]

On the other hand, denying logins because the security log is full is a great way to open up your box to DOS attacks, especially if you are judiciously logging everything.

Re:Defense in Depth

[Hyppy]

Weigh it depending on your needs. Prioritize, without putting any two factors on equal footing. What is more important and least important out of these three: secure data, catching an intruder who may have accessed secure data, or having regular users log on during a DOS attack?

That's one of the biggest hurdles today in security: striking a balance and prioritizing. Everyone can say "Usability and security are both important," but it takes time and thought to come up with a detailed analysis of the priorities during an actual attack.

Re:Defense in Depth

[Ryan+Amos]

SELinux is great for hardening a box. Unfortunately most sysadmins don't take the time to learn how it works and turn it off because they can't get something to work. Yes; it is a pain in the ass to deal with most of the time, but it's saved me from some big mistakes before as well.

SELinux almost makes more sense in an appliance server; as the config is not likely to change much. Just assume the web interface is vulnerable (it probably is; if not through your code then some as-yet undiscovered vulnerability in the LAMP stack.) I'll admit, SELinux is a religion you've got to practice, but Unix filesystem permissions leave a lot to be desired (I don't like having to create a new group every time I want to set permissions on a subset of users, thanks.) There needs to be more in the 21st century, and while SELinux is not the best solution, it's a workable one.

The goal of SELinux IMO is the realization that you will never get rid of all vulnerable code on your box. What you can do is limit the damage they can do when they get past the application layer security. Who cares if they can hack your sendmail server when it doesn't have access to read/write anything outside its config and spool directories?

Re:Defense in Depth

[Hyppy]

Your analogy makes no sense. So, you should just buy a firewall, and that's it? Or should you only have antivirus software, and that's it? Should you keep your admin password blank, because of the previously mentioned firewall? What is the one-stop answer to keep my network secure?

There is no one-stop panacea for security. Anyone who says otherwise is either a snake-oil salesman, or a massive liability to any company that hires them.

Re:Would be really handy

[Hyppy]

The DISA gold disk breaks Windows just as bad, believe me. The 100% Gold Disk Standard(tm) is only necessary for the highest security systems, which usually run software designed with gold disk hardening in mind in the first place.

Re:Concrete

[Hyppy]

If you reinforce the concrete properly to create a Faraday cage, you can protect against TEMPEST threats.

Is it just me?

[Layer+3+Ninja]

Am I the only one that is a bit skeptical of downloading .msi packages from nsa.gov?

Re:Is it just me?

[been42]

Am I the only one that is a bit skeptical of downloading .msi packages from nsa.gov?

I'm not wary at all. Any access they might want into your Windows system was probably built in. I imagine they already have that kind of access to every Windows computer. Anything they can give you to help keep your Windows machine from turning into part of a North Korean botnet can only benefit both you and the government.

Re:Would be really handy

[morgan_greywolf]

Well, the SRR for UNIX released last month is only supported on specific flavors:

Solaris 2.5.1 through Solaris 10; HP-UX 11.0,HP-UX 11.11; Red Hat Enterprsie Linux 3 and 4; and AIX 4.3. FSO cannot guarantee the accuracy of these scripts if they are used on other UNIX versions.

That means if you are running any other version/flavor, you're going to need to review the script and modify it as necessary.

There's no perfect safety ...

[richg74]

There is an often-repeated old story that is pertinent here:

Two guys are out on a hike in the forest. They go around the corner of a rock outcropping, and are confronted with a grizzly bear, not far away, who immediately springs toward them. The first guy starts running away. The second yells after him, "You damned fool, you can't outrun a grizzly bear!" The first says, over his shoulder, "I know -- but I can outrun you."

Your house doesn't have to be impossible to break into; it helps quite a bit if it's just harder than your neighbor's.

Re:There's no perfect safety ...

[jandrese]

The problem is when your site is "email.whitehouse.gov" and the other guy is "conglomerated-ironworks.com". One of which is going to be a much bigger target no matter how much extra security you have.

Re:How hard is it to get any real work done on loc

[abolitiontheory]

A lot more work and a lot less dead time than waiting for IT to resurrect a completely fsck'd system, maybe?

Just because you're inept at systems management

[apparently]

doesn't mean that an IT professional is inept at locking down systems without impacting a firm's ability to do business.

How hard is it to get any real work done on super locked done system with out a lot of dead time waiting for IT to unlock what you need to get your job done?

So kindly go fuck yourself with your condescending attitude.

Re:allow execution of only known good binaries

[Hyppy]

You can do that with group policy, but its very time-intensive. Basically, you whitelist your approved binaries by filename with a hash to ensure people don't just rename their game "explorer.exe"

define "effective"

[darkuncle]

system hardening is effective at defeating certain classes of attacks. that said, most security breaches are NOT due to fancy footwork with memcpy or other low-level wizardry. They're due to either:

1) improperly designed trusts between systems (e.g. the Internet can't talk to my database server, but my webserver has full access; when my webserver is compromised, the contents of my database are toast as well). Networks designed to fail safely and gracefully, with liberal application of the principle of least privilege, help mitigate this kind of risk.

2) stupid user tricks (I place social engineering in this category, along with phishing and the majority of email viruses). There is no technical solution for this essentially social problem - education helps, sane and safe defaults help tremendously (every unnecessary feature is an additional security risk, and the risk compounds as features are added), software policy approaches like ACL/MAC/UAC/RBAC help ... but in the end, users just want to do whatever it is they're using the computer for. If an attacker can convincingly pretend to be legitimate, or present a convincing enough temptation, users will bypass, override or disregard any level of protection. Vista's UAC is the canonical example here - great idea foiled by end users (granted, the implementation was almost guaranteed to train users to eventually ignore the constant repeated warnings).

Re:Concrete

[Chrisq]

I found encasing the system in steel reinforced concrete made the system much harder. Similar attempts to place end users in the same situation were not as successful. I don't know, the Maffia found it very effective in dealing with "security leaks".

Yes, it's just you

[Sloppy]

Am I the only one that is a bit skeptical of downloading .msi packages from nsa.gov?

Probably. What risk does it introduce, which you didn't already have?

.msi packages are only used by one OS. If you're using that OS, then you have already made the decision to blindly and fully trust a party who is utterly unaccountable to you, whose work cannot be audited by you or anyone you designate, and who has already demonstrated that they create their software to serve interests that directly conflict with your own. (And do you really think the maker of your OS wasn't already subject to possible coercion by NSA, prior to the CDs getting pressed?)

The situation simply cannot get any worse from the perspectives of security and trust, so what is the downside? You might as well let NSA patch things to oppose their competitors' access. A machine with one master that is potentially hostile to you, is better than a machine with multiple masters that are potentially hostile to you.

Re:works ok for me

[bzipitidoo]

How many cases have you had of users not being able to do work, or being greatly inconvenienced and slowed thanks to those security measures?

How about incidents where users bypassed security? Like, how have you disabled the CD? Went into the BIOS setup and simply disabled the IDE interface it's connected to? And why are you even using IE?

You're a good way down the path of just not allowing the use of computers at all.