Slashdot Mirror

← Back to Stories (view on slashdot.org)

Just How Effective is System Hardening?

Posted by timothy on from the how-large-is-your-facade dept.

SkiifGeek, pointing to our recent coverage of what the NSA went through to create SELINUX, wants to know just how effective system hardening is at preventing successful attack, and writes "When Jay Beale presented at DefCon 14, he quoted statistics (PDF link) that Bastille protected against every major threat targeting Red Hat 6, before the threats were known. With simple techniques available for the everyday user which can start them on the path towards system hardening, just how effective have you found system and network hardening to be? The NSA does have some excellent guides to help harden not only your OS but also your browser and network equipment."

10 of 154 comments (clear)

  1. Defense in Depth by Hyppy · · Score: 5, Insightful

    System hardening is just another layer of a "defense in depth" security posture. The more layers, the better. So, if an adversary manages to get through your site firewall, access lists, IPS, vlan segregation, virus scanner, etc, they still have to contend with a hardened local system in order to compromise data.

    System hardening is also very helpful against inside jobs, or against other systems on the network compromised through brute force or social engineering.

    1. Re:Defense in Depth by Hyppy · · Score: 5, Insightful

      If you consider system hardening as more than just installing SELinux, you can see it helps secure more than just users with shell access.

      Many of the SNACs (or STIGs as I remember them being called) go into detail in such areas as setting the method for password hashing, setting policies for allowed authentication protocols, disabling authentication on time mismatches, and a plethora of other things.

      If nothing else, system hardening can be a "best practices" framework for your systems and/or network. I remember one of my systems administrators complaining to a security inspector that the system would not allow a log on if the security log was full instead of just overwriting old entries. He didn't realize that filling the security log with bogus crap could mask a real intrusion. Nobody knows absolutely everything, and not everyone has the time to sit down and understand every intricate detail. Using a system hardening approach, however, is a very good foundation to build your overall security posture.

      You say that you only allow http, but what happens when a vulnerability is found in code that you use for your http application? That's what defense in depth is all about. You may be able to knock down this wall, but there are 10 more behind it that are even bigger.

    2. Re:Defense in Depth by Jeruvy · · Score: 5, Insightful

      OS Hardening is exactly that, risk mitigation. If you know that you don't need to run certain processes or your can run them with reduced variables not only will your systems run with less risk, they can also be more stable. Less updates and patching, less dealing with new variables (because someone enabled some feature that was disabled), adding new functions only after approval and ensuring they meet your requirements. So yes, I'd say OS hardening is an essential part of your good security practices.

      --
      Jeruvy
    3. Re:Defense in Depth by jandrese · · Score: 4, Insightful

      On the other hand, denying logins because the security log is full is a great way to open up your box to DOS attacks, especially if you are judiciously logging everything.

      --

      I read the internet for the articles.
    4. Re:Defense in Depth by Hyppy · · Score: 5, Insightful

      Weigh it depending on your needs. Prioritize, without putting any two factors on equal footing. What is more important and least important out of these three: secure data, catching an intruder who may have accessed secure data, or having regular users log on during a DOS attack?

      That's one of the biggest hurdles today in security: striking a balance and prioritizing. Everyone can say "Usability and security are both important," but it takes time and thought to come up with a detailed analysis of the priorities during an actual attack.

    5. Re:Defense in Depth by Ryan+Amos · · Score: 5, Insightful

      SELinux is great for hardening a box. Unfortunately most sysadmins don't take the time to learn how it works and turn it off because they can't get something to work. Yes; it is a pain in the ass to deal with most of the time, but it's saved me from some big mistakes before as well.

      SELinux almost makes more sense in an appliance server; as the config is not likely to change much. Just assume the web interface is vulnerable (it probably is; if not through your code then some as-yet undiscovered vulnerability in the LAMP stack.) I'll admit, SELinux is a religion you've got to practice, but Unix filesystem permissions leave a lot to be desired (I don't like having to create a new group every time I want to set permissions on a subset of users, thanks.) There needs to be more in the 21st century, and while SELinux is not the best solution, it's a workable one.

      The goal of SELinux IMO is the realization that you will never get rid of all vulnerable code on your box. What you can do is limit the damage they can do when they get past the application layer security. Who cares if they can hack your sendmail server when it doesn't have access to read/write anything outside its config and spool directories?

  2. Is it just me? by Layer+3+Ninja · · Score: 4, Insightful

    Am I the only one that is a bit skeptical of downloading .msi packages from nsa.gov?

    --
    Power corrupts. Absolute power...is even more fun.
    1. Re:Is it just me? by been42 · · Score: 5, Insightful
      Am I the only one that is a bit skeptical of downloading .msi packages from nsa.gov?

      I'm not wary at all. Any access they might want into your Windows system was probably built in. I imagine they already have that kind of access to every Windows computer. Anything they can give you to help keep your Windows machine from turning into part of a North Korean botnet can only benefit both you and the government.

  3. There's no perfect safety ... by richg74 · · Score: 4, Insightful
    There is an often-repeated old story that is pertinent here:

    Two guys are out on a hike in the forest. They go around the corner of a rock outcropping, and are confronted with a grizzly bear, not far away, who immediately springs toward them. The first guy starts running away. The second yells after him, "You damned fool, you can't outrun a grizzly bear!" The first says, over his shoulder, "I know -- but I can outrun you."

    Your house doesn't have to be impossible to break into; it helps quite a bit if it's just harder than your neighbor's.

  4. Re:How hard is it to get any real work done on loc by abolitiontheory · · Score: 5, Insightful

    A lot more work and a lot less dead time than waiting for IT to resurrect a completely fsck'd system, maybe?