Archive for November, 2008

 

CISSP notes – Ch. 1 – Access Control..

Nov 27, 2008 in CISSP, Security, Uncategorized

From: CISSP Training Guide by Roberta Bragg

CISSP Training Guide


Confidentiality – Disclosure
Integrity – Alteration
Availability – Destruction


CIA: Confidentiality, Integrity, Availability
DAD: Disclosure, Alteration, Destruction (Denial)

Access control is the collection of mechanisms that permits managers of a system to exercise a directing or restraining influence over the behavior, use, and content of a system.

In most cases, you want to give the user the least amount of access he needs to do his job and nothing else. This concept is often referred to as the principle of least privilege. It gives you the power of combining authentication with access control.

The biggest problem with accountability is shared accounts.

Common access control techniques (types of access control)

  • Discretionary access control
  • Mandatory access control
  • Lattice-Based access control
  • Rule-Based access control
  • Role-Based access control
  • The use of access control lists

Discretionary access control
 Essentially based on human decisions.

Mandatory access control
 Based on using subject classification levels

Lattice-Based access control
 Based on graphs, partial order: reflexive, anti-symetric and transitive.

Rule-Based access control
 ACLs – a formalized rule-based control mechanism.

Role-Based access control
 Bell-LaPadula (BLP).
 .. confidentiality: is to prevent, detect, and deter unauthorized access to information..
 Simple security rule: Read Up No, Read Down Yes or RUN-RDY
 Star (or *) property: Write Up Yes, Write Down No or WUY-WDN
 Biba Model
 Deals with integrity ; opposite to BLP:
 Simple security: Read UP Yes, Read DOWN NO
 Star property: Write DOWN YES, Write UP Yes

The use of access control lists

Access Control Methodologies

 Centralized, Decentralized

Intrusion Detection (IDS)

 Methods and tools for monitoring networks and hosts and looking for attacks.

 IDS method types:

  • Host/Network
  • Passive/Active (listening, observing/collecting, scanning)
  • Known/Unknown (types of attacks)

Types of attacks

  • Monitoring
  • Spamming
  • Active
  • Passive

A key motto of security (again) is: “prevention is ideal, but detection is a must.”

IDS technique types

  • Signature matching
  • Anomaly Detection

Most systems are based on signature detection with some anomaly detection.

Common tools: Nessus and nmap.

CISSP Notes – Ch. 2 – Telecommunications and Network Security

Nov 25, 2008 in CISSP, Security

From: CISSP Training Guide by Roberta Bragg

CISSP Training Guide

Telecommunications and Network Security domain encompasses the structures, transmission methods, transport formats, and security measures used to provide integrity, availability, authentication, and confidentiality for transmissions over private and public communications networks and media.

OSI layers

Application layer (Layer 7) — Primarily responsible for interfacing with the user. This is the application interface that the user experiences.
 Email, chat, database apps, www apps.

Presentation layer (Layer 6) — Primarily responsible for translating the data from something the user expects to something the network expects.
 Encryption, data conversion: graphics, media, redirectors: SMB, NCP .

Session layer (Layer 5) — Primarily responsible for dialog control between systems and applications.
 NFS, RPC, SQL

Transport layer (Layer 4) — Primarily responsible for handling end-to-end data transport services.
 End-to-end comm., segmentation, re-assembly, TCP & UDP .

Network layer (Layer 3) — Primarily responsible for logical addressing.
 Logical addressing of packets.

Data Link layer (Layer 2) — Primarily responsible for physical addressing.
 Physical addressing of frames and translation of packets to/from network layer into bits for the physical layer.
 Does error checking and correction.
 Switches and bridges are datalink-layer devices.
 Broadcast and unicast.
 Media Access Control (MAC)

Physical layer (Layer 1) — Primarily responsible for physical delivery and specifications.
 Send and receive data over electrical signals.
 DTE (Data Terminal Equipment) and the DCE (Data Circuit-Terminating Equipment)
 Hubs and repeaters are considered physical-layer devices.

PDNTSPA

Cabling/Transport Media

 Ethernet Local Area Networks (LANs) typically utilize three types of cabling—coax, unshielded twisted pair (UTP), and fiber optic as well as wireless transmissions.

Network topologies:

  • Linear bus – devices in a row on a segment ; 1 signal at a time-contention; coax ; termination.
  • Star – devices connected to a hub.
  • Ring – loop of cable to interconnect the devices.
  • Tree – is based in part on the bus and the star topology.
  • Mesh – that every node on a network is connected to every other node.

LANs Transmission Techniques

  • Unicast – The packet is addressed to a specific destination host, both physically and logically.
  • Broadcast – The packet is destined to all hosts on a subnet or network. .. ARP is sometimes referred to as a directed broadcast.
  • Multicast— The packet is addressed to multiple hosts via the use of group membership addresses. Multicasts play the middle ground between needing to repeatedly send unicasts to multiple destinations and broadcasting to all destinations.

Ethernet is the single most predominant technology in use today.

Ethernet is specified in the IEEE 802.3 specification as a Carrier Sense, Multiple Access/Collision Detection (CSMA/CD) methodology.

Today’s networks are primarily made up of five categories or types of devices:

Hubs and repeaters are physical-layer devices.
Switches and bridges are datalink-layer devices.
Routers are network-layer devices.

Firewalls

  • Packet filtering
  • – .. layer-3 or layer-4 information in a packet before making a filtering decision.
    – first-generation firewalls.

  • Application proxy
  • – Application-filtering firewalls function by reading the entire packet up to the Application layer before making a filtering decision.
    – sometimes referred to as an ALG (Application Level Gateway) and is considered a second-generation firewall.

  • Circuit proxy
  • – Circuit proxy firewalls are a bit of a hybrid between application proxies and packet-filtering firewalls.

  • Stateful inspection
  • – network connection state is tracked by the firewall and then used in determining what traffic should be allowed to pass back through the firewall.
    – “connectionless,” such as UDP or certain types of remote procedure call traffic.
    – third-generation firewalls.

  • Dynamic packet filtering
  • – limited support of connectionless protocols like UDP.

  • Kernel proxy
  • – .. are typically highly customized and specialized firewalls that are designed to function in kernel mode of the operating system.

  • Pf Ap Cp Si Dp Kp

VPN Protocols

Three primary technologies are used for providing remote access VPN capabilities:

PPTP (Point to Point Tunneling Protocol) – PPTP is a Microsoft-developed technology that provides remote access by encapsulating PPP inside a PPTP packet. PPTP uses the PPP authentication mechanisms of PAP, CHAP, or MS-CHAP for authentication and RSA RC4 and 40-bit or 128-bit session keys and encryption. PPTP supports multi-protocol tunneling.

L2TP (Layer 2 Tunneling Protocol) – L2TP is similar in function to PPTP, but it does not use any vendor-specific encryption technologies. In addition, L2TP supports the use of RADIUS and TACACS for authentication, and IPSec (Internet Protocol Security) and IKE (Internet Key Exchange) for encryption and key exchange respectively. L2TP supports multi-protocol tunneling.

IPSec – IPSec is a network-layer encryption and security mechanism that can be used as a standalone VPN solution, or as a component of an L2TP VPN solution. IPSec supports the use of DES (Data Encryption Standard) and 3DES (Triple DES), (DES scheme was hacked in 1999, use 3DES). Use 128-bit MD5-HMAC (Message Digest 5—Hash Message Authentication Code) or 160-bit SHA-HMAC (Secure Hash Algorithm—Hash Message Authentication Code). IPSec supports the use of AH (Authentication Header) security, in which the IP header is secured but the data is not, or ESP (Encapsulation Security Payload) in which the entire packet is encrypted and secured.

Remote Access Authentication

RADIUS (Remote Authentication Dial In User Service) is a UDP-based de facto industry standard for providing remote access authentication via a client/server model. .. uses a combined authentication and authorization profile, which means that RADIUS access is typically “all or none.” You are either allowed to connect, or you are not.

TACACS (Terminal Access Controller Access Control System) is an older authentication technology that has been largely marked “end-of-life,”.

TACACS+, which sounds similar, is actually an entirely new protocol. Similar in function to RADIUS, .. separating the authentication and authorization capabilities, as well as using TCP for connectivity. As a result, TACACS+ is generally regarded as being more reliable than RADIUS.

Networking Protocols

DOD protocol: Network, Internet, Transport (Host to Host), Application.

  • Application Layer Protocols
  • BootP, FTP, LPD, NFS, POP3, SMTP, SNMP, Telnet, TFTP, X-Windows

  • Transport Layer Protocols
  • TCP: Connection oriented, end-to-end. Reliable. SYNs and ACKs. Acknowledged transfer. Re-assembled packets.
    UDP: Connectionless, faster than TCP. Unreliable. Un-acknowledged transfer.

  • Internet Layer Protocols
  • IP, ICMP, ARP, RARP

Protecting CIA of Network Data

  • Confidentiality
  • – data transmitted is to be read only by the intended recipient. (security, encryption)

  • Integrity
  • – assurance that the data that was received is the data that was transmitted. (non-repudiation, firewalls, IDS)

  • Availability
  • – reliability and stability of network systems and applications. (DoS prevention measures, fault tolerance, usable performance)

Trusted Network Interpretation

DOD, The Rainbow books, the “Orange” book defines Trusted Computer Security Evaluation Criteria – TCSEC .

Criteria entries:

Division D – Specifies the minimal protection is available.

Division C – Specifies that, through the use of auditing, discretionary protection and accountability of subjects and the actions they initiate are covered.

Division B – Specifies that mandatory access control rules are required. Systems in this division are required to carry sensitivity labels with major data structures in the system.

Division A – These systems use formal security verification to assure that all of the security controls employed can effectively protect classified or other sensitive information via a stringent design verification.

Intrusion Detection Systems (IDSs)

IDS is detective (after the fact).

Network- vs host-based IDSs

Knowledge- vs Behavior-based IDSs.

Network-based IDSs are essentially raw packet–parsing engines, basically a network sniffer on steroids. They capture traffic in promiscuous mode, allowing it to capture all traffic on the segment, and will generally analyze the packets in what is considered real time.

VS

Most Host-based IDS are designed to monitor logins and processes, typically through the use of auditing system logs.

Knowledge-based IDS

  • Can be network- or host-based.
  • .. maintains a database of known attacks and vulnerabilities (in other words, knowledge) and detects whether attempts to exploit these vulnerabilities are occurring.
  • .. sometimes referred to as signature based.
  • Benefits: Low degree of false positives ; Alarms are standard and easy to understand.
  • Drawbacks: Resource intensive.. IDS must be constantly updated ; New attacks can go unnoticed – if signatures not available or updated.

Behavior-based IDS

  • is more complex than knowledge-based IDS
  • functions by attempting to “learn” normal user behavior patterns and then alarm when activity occurs that is outside of the normal use.
  • Behavior-based IDS is sometimes referred to as anomaly-based IDS.
  • Benefits: Systems can dynamically respond to new, original, or unique exploits and attacks ; Not dependent on specific operating systems.
  • Drawbacks: High false alarm rates are very common.. too many false alarms mask real attacks. ; In environments with frequently changing patterns, the IDS has difficulty establishing a baseline.

Intrusion Response

Intrusion response is the principle of defining how to respond when an intrusion is detected.

Intrusion response is often defined as part of the responsibilities of a Computer Incident Response Team (CIRT).

The primary responsibility of the CIRT is to define and execute the company’s response to an incident via a process known as Incident

Response Management.

  • Coordinate how the notification and distribution of incidents should occur.
  • Mitigate the risk of an incident by minimizing disruptions and the costs involved in remediating the incident.
  • Assemble teams of people to investigate and resolve potential incidents.
  • Provide active input in the design and development of the company security policy.
  • Manage and monitor logs.
  • Manage the resolution of incidents, including post mortems of incidents.

Common Attacks and Countermeasures

Class A Unauthorized access Social engineering, Brute force
Class B Non-business use PBX fraud and abuse, Email and Internet abuse
Class C Eavesdropping Network sniffing, Dumpster diving, Keystroke recording
Class D Denial of service SYN flooding, Buffer overflows, Teardrop attacks, LAND attacks, SMURF attacks, Distributed denial-of-service (DDoS) attacks
Class E Network intrusion and prevention Spoof attacks, Trojans, Viruses and worms, Back doors, TCP hijacking, Piggy-backing
Class F Probing Port scans, Banner abuse, sniffing

Hudson continous integration server notes ..

Nov 20, 2008 in Apache, Config Manage

Fastest way to plug tomcat into apache httpd..

Change apache2.conf, add:

<Location /your_tomcat_app>
  ProxyPass ajp://your_host:8009/your_tomcat_app
  Order allow,deny
  allow from all
</Location>

More notes on Hudson here:

http://suereth.blogspot.com/2008/08/ubuntu-dev-server-hudson.html

Hudson is here:

https://hudson.dev.java.net

Identify bash interactive shell..

Nov 11, 2008 in Linux


export __BASHIAS=0
if [ "$(echo $- | grep -c i)" == 1 ]
then
	export __BASHIAS=1
fi

...

if [[ ${__BASHIAS} = 1 && ... ]]
then
	...
fi