Just How Effective is System Hardening?

SkiifGeek, pointing to our recent coverage of what the NSA went through to create SELINUX, wants to know just how effective system hardening is at preventing successful attack, and writes "When Jay Beale presented at DefCon 14, he quoted statistics (PDF link) that Bastille protected against every major threat targeting Red Hat 6, before the threats were known. With simple techniques available for the everyday user which can start them on the path towards system hardening, just how effective have you found system and network hardening to be? The NSA does have some excellent guides to help harden not only your OS but also your browser and network equipment."

Re:Defense in Depth

[tgatliff]

I guess it depends on the type of system you are running, and how users interact with it. Most of what I do is building appliance based servers, so my focus is more on keeping users away from the shell, and limiting the number of services (http primarily) they can use. For me, adding SELinux to the mix on something like what I have would be allot more painful and time consuming to implement, and probably not worth the extra time...

If you have to allow actually users to use a shell on that box, however, I would agree that a SELinux approach is critical because you cannot really determine where you will get attacked from...

The Network guides are nice

[Facekhan]

I've used the network equipment guides to harden routers and switches before and they are very handy.

I can't speak to how well they withstand attacks after that but if you follow their instructions an nmap scan basically reveals no open services (ssh ports have their own access lists)

I prefer the guides to tools like RAT because auditors get so out of date that you end up chasing down their rules to find out they don't even know about the last few years of security enhancements. Cisco's Output Interpreter is also good for advice on hardening your devices.

Re:The Network guides are nice

[Hyppy]

I've found the NSA Cisco hardening guides to be amazing. I could hand the guide to a help desk tech we were training to be a netadmin, show him how a console cable works, and he would have a functional and secure test network of a few devices running in no time.

Everyday user?

[MosesJones]

First off the article talked about Snort, which I can't quite see my wife using it then moved on to talk about the development lifecycle not a major part of her internet and PC experience. The NSA files, while useful, are huge (the Mac OSX 10.3 one is 2.5MB) and I can't see the everyday user trawling through that. Its only for Vista that it is really viable as it says use the MS settings as these follow the NSA guidelines.

So in summary the only everyday users who could do this are those using Vista.... an unusual plug for Redmond from Slashdot.

Re:Everyone knows...

[Bert64]

There were some security advisories for Amiga Unix a few years ago, Yes, Commodore made a unix variant of the Amiga which is extremely rare.

allow execution of only known good binaries

allow execution of only known good binaries

one good tool out there is from solidcore.. it is being used in Point of Sale devices, ATMs and production servers in some big enterprises..

works on windows* and unices..

-Yv

Re:allow execution of only known good binaries

[tepples]

Anonymous Coward wrote:

allow execution of only known good binaries But who declares a binary "known good"? And how well do you expect your method to scale down to home and small-office PCs?

Re:Would be really handy

[jandrese]

Where did you find a Windows Gold Disk that doesn't make a complete mess of the OS? I'd really like to get that because I've never gone through that process and still have the application the box is designed for work. In fact it's typically worse with Windows because when something gets a permission denied (especially on something like a Registry key), it won't be like Unix and spit out a message like "Error: File /foo/bar: Permission denied", instead your application will crash and spit out a message like "Error: failure" to the system log (and only if you're lucky will it put something in the system error log)". Since locking down windows means changing the ACL on just about everything on the system, it's almost impossible to track down what broke your application.

Re:How hard is it to get any real work done on loc

[trolltalk.com]

You could always bring in a lappy and do like this guy did ...

• 1. Find unsecured wireless router
  
• 2. Secure it with your own ssid/password
  
• 3. PROFIT - charge to "fix" the problem

works ok for me

[myxiplx]

Basic hardening of a windows system has stood us in good stead here. IE's locked down so sites can't run scripts. CD-ROM drives are disabled, users can't install USB thumb drives. All e-mails and internet access is filtered.

It's not perfect by a long shot, but it's good enough that we've not had a sniff of a virus or malware outbreak in getting on for three years now. Hell, we don't even consider it necessary to install most MS updates straight away. We let other people do the testing, and roll them out via WSUS 3-6 months later.

Re:Defense in Depth

[dpilot]

I'd go one step further, and state that SELinux *can* be the enemy of defense-in-depth. To begin with, SELinux has been sufficiently difficult to get running properly that a common response is to just shut it off. So if you want defense-in-depth, and the other forms of defense are those that haven't been pre-configured into SELinux, you're essentially discouraged from using them. (If you think it's hard picking SELinux up off the shelf and using it, then try some fairly deep modifications to existing policies, and adding new policies.)

Add the amount of general awe the people hold toward the NSA and SELinux, and there is a tendency for it to be not just A silver bullet, but THE silver bullet.

That's not even to say anything necessarily bad about SELinux or the job it does, but there can be difficult circumstances created around it.