Introduction
During the last seven years the National Security Agency’s Systems and Network Attack
Center has released Security Guides for operating systems, applications, and network
components that operate in the larger IT network. These security guides can be found on our
web site at http://www.nsa.gov/snac. Many organizations across the Department of Defense
have used these documents in the development of new networks and in securing existing IT
infrastructures. This Security Guide addresses security a bit differently. Instead of focusing on
a single product or component it covers a wide range of network elements with the notion of
providing a terse presentation of those most critical steps that should be taken to secure a
network. While intentionally not as complete as the totality of our other guides, our goal is to
make system owners and operators aware of key actions that are especially useful as “force
multipliers” in the effort to secure their IT network.
Security of the IT infrastructure is a complicated subject, usually addressed by experienced
security professionals. However, as organizations increase their dependence on IT, a greater
number of people need to understand the fundamentals of security in a networked world. This
Security Guide was written with the less experienced System Administrator and Information
Systems Manager in mind, to help them understand and deal with the risks they face.
Opportunistic attackers routinely exploit the security vulnerabilities addressed in this
document. Information Systems Managers and System Administrators perform risk
management as a counter against the multitude of threats and vulnerabilities present across
the IT infrastructure. The task is daunting when considering all of their responsibilities.
Security scanners can help identify thousands of vulnerabilities, but their output can quickly
overwhelm the IT team’s ability to effectively use the information to protect the network. This
Security Guide was written to help with that problem by offering a focused presentation
reflecting the experience gained via our research and our operational understanding of the
DoD and other US Government IT infrastructures. It is intended that one can read this "60
Minute Network Security Guide" in around an hour.
This Security Guide should not be misconstrued as containing anything other than
recommended security “best practices” and as such must be considered in the context of an
organization's security policies. We hope that this document will equip the reader with a wider
perspective on security in general and a better understanding of how to reduce and manage
network security risk.
We welcome your comments and feedback. SNAC.Guides@nsa.gov
UNCLASSIFIED
5
UNCLASSIFIED
General Guidance
The following section discusses general security advice that can be applied to any network.
Security Policy
(This section is an abstract of the security policy section of RFC 2196, Site Security
Handbook. Refer to this RFC [10] for further details.)
A security policy is a formal statement of the rules that people who are given access to an
organization's technology and information assets must abide by. The policy communicates the
security goals to all of the users, the administrators, and the managers. The goals will be
largely determined by the following key tradeoffs: services offered versus security provided,
ease of use versus security, and cost of security versus risk of loss.
The main purpose of a security policy is to inform the users, the administrators and the
managers of their obligatory requirements for protecting technology and information assets.
The policy should specify the mechanisms through which these requirements can be met.
Another purpose is to provide a baseline from which to acquire, configure and audit computer
systems and networks for compliance with the policy. In order for a security policy to be
appropriate and effective, it needs to have the acceptance and support of all levels of
employees within the organization.
A good security policy must:
• Be able to be implemented through system administration procedures, publishing of
acceptable use guidelines, or other appropriate methods
• Be able to be enforced with security tools, where appropriate, and with sanctions,
where actual prevention is not technically feasible
• Clearly define the areas of responsibility for the users, the administrators, and the
managers
• Be communicated to all once it is established
• Be flexible to the changing environment of a computer network since it is a living
document
Operating Systems and Applications: Versions and Updates
As much as possible, use the latest available and stable versions of the operating systems
and the applications on all of the following computers on the network: clients, servers,
switches, routers, firewalls and intrusion detection systems. Keep the operating systems and
the applications current by installing the latest updates (e.g., patches, service packs,
hotfixes), especially updates that correct vulnerabilities that could allow an attacker to
execute code. Note that some updates may not be applied to the computer until a reboot
occurs. The following applications should be given particular attention because they have
been frequently targeted (e.g., by CodeRed, Melissa virus, Nimda): IIS, Outlook, web
browsers (e.g. Internet Explorer, Mozilla Firefox), Adobe Acrobat, database servers (e.g. SQL
Server, Oracle), media players (e.g. Windows Media Player, RealPlayer), BIND and
Sendmail.
Know Your Network
Developing and maintaining a list of all hardware devices and installed software is important
to the security of the IT infrastructure. Understanding software applications that are installed
by default is also important (e.g., IIS is installed by default by SMS and SQL Server on
Windows platforms). Although not thorough, a quick method for taking inventory of services
running on the network is to port scan.
TCP/UDP Servers and Services on the Network
Scan the network for all active TCP/UDP servers and services on each computer in the
network. Shut down unnecessary servers and services. For those servers that are necessary,
restrict access to only those computers that need it. Turning off functional areas, which are
seldom used but potentially have vulnerabilities, prevents an attacker from being able to take
advantage of them. An application may install sample CGI scripts or other applications,
which sometimes contain problems. As a general rule do not install sample applications in
production systems.
Passwords
Passwords are a primary method used to control access to resources. Because
authenticated access is seldom logged, a compromised password is a way to explore a
system without causing suspicion. An attacker with a compromised password can access any
resource available to that user.
Poor passwords or blank passwords are still a common occurrence on many networks. Many
users still use dictionary words, hybrids, names, and default passwords. Additionally
passwords less than 8 characters and passwords that are the same as the username are
also frequently used. These types of passwords can be cracked within minutes or even
seconds using any number of publicly available password crackers.
General guidelines for password security include:
• Passwords should be 12 or more characters in length on Windows systems.
• In older releases of some UNIX operating systems, 8 characters was the maximum
password length allowed. However, on more modern UNIX systems the password length is
based upon the hashing algorithm (MD5, Blowfish, etc.) available on the system. This
gives the added benefit of allowing passwords of up to 255 characters on some systems.
• Users should never share their passwords nor keep written passwords in an easily
accessible place (e.g. under a keyboard, on the computer monitor).
• Passwords should be difficult to guess and include uppercase, lowercase, special
(e.g., punctuation and extended character set), and numeric characters. They should
not include dictionary words or names.
• Users should not transmit passwords in cleartext (e.g. via Telnet or FTP)
• System administrators should crack passwords monthly to identify problems with
weak passwords and to determine if the password policy is being followed.
Password-guessing programs (e.g. “John the Ripper,” “L0phtCrack,” and “Crack”)
identify those users having easily guessed passwords. Because password cracking
programs are very CPU intensive and can slow down the system on which they are
running, it is a good idea to transfer the encrypted passwords (the dumped SAM
database for Windows and the /etc/passwd and /etc/shadow files in UNIX) to a
stand-alone (not networked) system. Also, by doing the work on a non-networked machine,
any results found will not be accessible by anyone unless they have physical access
to that system. NOTE: Always obtain explicit and preferably written permission from
the organization before running any password scanner/cracker.
• Passwords should be changed regularly (every 30 to 90 days). Set up password
aging via Account Policy for Windows systems or the /etc/default/passwd file in
Solaris. Some Linux releases use the ‘chage’ command to set up and modify the
password aging requirements for users.
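The guidelines above can be turned into an automated check that runs before a password is accepted. The following Python function is an added example, not code from the guide or from NSA. The word list, the substitution table and the sample passwords are constructed for the example; min_length is a parameter so the same check expresses the 12 characters recommended above, the 14 characters recommended for privileged accounts, or a lower floor such as the 8 characters of the Windows filter described in the next section.

```python
import re

# Constructed stand-in for a cracker's dictionary; a real check would load the
# word lists shipped with tools such as John the Ripper or Crack.
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "letmein", "qwerty", "admin"}

# Undo the digit/symbol substitutions that turn a word into a "hybrid"
# (P@ssw0rd -> password) before comparing against the dictionary.
LEET_MAP = str.maketrans("01345@$!", "oleasasi")


def character_classes(password):
    """Return which of the four classes (upper, lower, digit, special) appear."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def dictionary_cores(password):
    """Alphabetic runs of 4+ letters left after undoing common substitutions."""
    normalized = password.lower().translate(LEET_MAP)
    return {run for run in re.findall(r"[a-z]+", normalized) if len(run) >= 4}


def check_password(password, username, min_length=12, min_classes=4,
                   dictionary=COMMON_WORDS):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(character_classes(password)) < min_classes:
        problems.append(f"fewer than {min_classes} character classes")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    hits = dictionary_cores(password) & set(dictionary)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(sorted(hits)))
    return problems


if __name__ == "__main__":
    # Constructed sample candidates for the (constructed) user 'alice'.
    for candidate in ("P@ssw0rd", "Summer2019!!", "alice-Runs-2-Far", "Gr33n~Tea!Mug*7"):
        print(f"{candidate!r}: {check_password(candidate, 'alice') or 'OK'}")
```

A check like this belongs where passwords are set (a password filter or PAM module) rather than in a monthly cracking run, since it refuses the weak password before it ever reaches the password database.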
UNIX Password Recommendations
The following are UNIX-specific password recommendations:
• Passwords should be encrypted and stored in the /etc/shadow file (for some UNIX
systems) with permissions set to 400 with ownership by root and group sys. The
/etc/passwd file should have permissions 644 with owner root and group root.
• Lock the following accounts by placing *LK* in the encrypted password field in
/etc/shadow: adm, bin, daemon, listen, lp, nobody, noaccess, nuucp, smtp, sys, uucp.
These accounts should not have login shells; rather, their shell should be set to /dev/null.
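The two UNIX recommendations above can be verified from the account files themselves. The following Python script is an added example, not code from the guide; the /etc/passwd and /etc/shadow contents it reads are constructed here with placeholder hash fields, and the account list is the one given above. It treats *LK* as the lock marker, as the guide describes, and also accepts the "*" and leading "!" markers that Linux and BSD systems use for the same purpose; check_file() applies the ownership and mode recommendation to a real file.

```python
import stat

# Constructed sample /etc/passwd and /etc/shadow contents (not from a real host);
# the hash fields are placeholders, not real password hashes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/dev/null
bin:x:2:2:bin:/bin:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/dev/null
nobody:x:65534:65534:nobody:/:/dev/null
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$constructed$placeholder:19000:0:99999:7:::
daemon:*LK*:19000:0:99999:7:::
bin:*LK*:19000:0:99999:7:::
lp:$1$constructed$placeholder:19000:0:99999:7:::
nobody:*LK*:19000:0:99999:7:::
alice:$6$constructed$placeholder:19000:0:99999:7:::
"""

# Accounts the guide says should be locked and given no login shell.
SYSTEM_ACCOUNTS = ("adm", "bin", "daemon", "listen", "lp", "nobody",
                   "noaccess", "nuucp", "smtp", "sys", "uucp")


def is_locked(hash_field):
    """*LK* as in the guide (Solaris); '*' and a leading '!' on Linux/BSD."""
    return hash_field in ("*LK*", "*") or hash_field.startswith("!")


def parse_colon_file(text):
    """Map account name -> field list for each non-empty, non-comment line."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries


def unshadowed_accounts(passwd_text):
    """Accounts whose hash sits in /etc/passwd instead of the 'x' shadow pointer."""
    passwd = parse_colon_file(passwd_text)
    return [name for name, f in passwd.items()
            if len(f) > 1 and f[1] != "x" and not is_locked(f[1])]


def audit_system_accounts(passwd_text, shadow_text, accounts=SYSTEM_ACCOUNTS):
    """Report system accounts that are not locked or still have a login shell."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for name in accounts:
        if name not in passwd:
            continue  # account does not exist on this platform
        shell = passwd[name][6] if len(passwd[name]) > 6 else ""
        hash_field = shadow[name][1] if name in shadow and len(shadow[name]) > 1 else ""
        if not is_locked(hash_field):
            findings.append(f"{name}: password field not locked")
        if shell != "/dev/null":
            findings.append(f"{name}: login shell is {shell or '(empty)'}, expected /dev/null")
    return findings


def mode_matches(st_mode, wanted):
    """True if the permission bits of an os.stat() st_mode equal wanted (e.g. 0o400)."""
    return stat.S_IMODE(st_mode) == wanted


def check_file(path, wanted_mode, wanted_owner, wanted_group):
    """Check a real file, e.g. check_file('/etc/shadow', 0o400, 'root', 'sys')
    or check_file('/etc/passwd', 0o644, 'root', 'root'). UNIX only (pwd/grp)."""
    import grp
    import os
    import pwd
    st = os.stat(path)
    problems = []
    if not mode_matches(st.st_mode, wanted_mode):
        problems.append(f"{path}: mode {oct(stat.S_IMODE(st.st_mode))}, expected {oct(wanted_mode)}")
    owner, group = pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name
    if owner != wanted_owner:
        problems.append(f"{path}: owner {owner}, expected {wanted_owner}")
    if group != wanted_group:
        problems.append(f"{path}: group {group}, expected {wanted_group}")
    return problems


if __name__ == "__main__":
    for finding in audit_system_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(finding)
```

On a real host the two file contents would be read by a privileged account (only root can read /etc/shadow), and the findings list feeds straight into the change request: lock the password field and set the shell to /dev/null for each account reported.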
Windows Password Recommendations
Passwords for Windows operating systems and domains should adhere to the policy detailed
in the table below. Additionally, NSA has written an enhanced password filter
(ENPASFLT.DLL) that enforces a minimum password length of 8 characters, requires 4
character sets, and does not allow
the password to include the username. This password filter is available to government
customers upon request. Also, various third-party tools (e.g. PPE) can serve as excellent
password enforcers, allowing customizable password restrictions across an enterprise.
The following settings can be configured via Local Security Policy or a Group Policy Object
(GPO). Note that password and account policies for a domain MUST be configured in a
domain-level GPO.
Password Policy Options                                      Recommended Settings
Enforce Password History                                     24 Passwords
Maximum Password Age                                         90 days
Minimum Password Age                                         1 day
Minimum Password Length                                      12 characters
  NOTE: It is recommended for privileged accounts such as administrator to have a
  password of at least 14 characters.
Passwords must meet complexity requirements                  Enabled
  NOTE: If using NSA’s ENPASFLT.DLL this option should be set to Disabled to avoid
  conflict with Microsoft’s PASSFLT.DLL.
Store password using reversible encryption for all users     Disabled
in the domain

Account Lockout Policy Options                               Recommended Settings
Account Lockout Duration                                     15 minutes
Account Lockout Threshold                                    3-5 invalid logon attempts
Reset account lockout counter after                          15 minutes
In addition to the password policy described in the table, several other practices should be
followed.
• Services should be run under their own non-privileged accounts, as opposed to
using the built-in SYSTEM or Administrator accounts. These service accounts should
also have strong passwords.
• Passwords for privileged accounts should be at least 14 characters long and contain
at least four different types of characters.
• The Guest account should be disabled. Ensure that all accounts (service and user)
have passwords regardless of whether the account is enabled or disabled.
• To prevent LM hashes being stored in the SAM or Active Directory, the creation of
LM hashes can be turned off with a registry control on Windows 2000, 2003, and XP.
The following registry key can be set on Windows 2000 SP2 or later:
HKLM\System\CurrentControlSet\Control\LSA\NoLMHash. This prevents LM hashes
from being generated. Existing LM hashes will remain until the next time the user
changes his or her password. See the Windows Configuration section later for more
detailed information on configuring this security option.
Do Not Run Code From Non-Trusted Sources
For the most part, software applications run in the security context of the person executing
them without any consideration to source. A PKI infrastructure may help, but when not
available remember that spoofing the “From” line of an e-mail message and disguising URLs
are trivial. DO NOT OPEN E-MAIL ATTACHMENTS OR RUN PROGRAMS UNLESS THE
SOURCE AND INTENT ARE CONFIRMED AND TRUSTED. Always run Outlook so that it
executes in the restricted zone and disable all scripting and active content for that zone. For
more specific details, reference “E-mail Client Security in the Wake of Recent Malicious Code
Incidents,” Reference [2].
Read E-mail as Plain Text
Outlook 2002 and Outlook 2003, as well as some email clients from other sources, have a
highly recommended security feature that will strip out HTML from incoming messages. This
is to prevent HTML scripting attacks that have been known to take advantage of Windows
vulnerabilities by a simple preview of a message. To enable this feature in Outlook 2002,
create the following registry key:
Key: [HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options\Mail]
Value Name: ReadAsPlain
Data Type: REG_DWORD
Value: 1 [enable], 0 [disable]
Outlook 2003 does not support this key. Instead, the option is exposed via
Tools/Options/Preferences. Click on E-mail Options and enable Read all standard mail in
plain text and Read all digitally signed mail in plain text.
Later versions of Outlook Express include the ability to read messages as plain text as well. It
is accessed under Tools/Options/Read.
Other Malicious Code Countermeasures
Scanning for malicious code at both the perimeter and desktop is recommended as a
fundamental counter to a highly prevalent attack vector. Most virus scanning products
function by scanning for known malicious code signatures; therefore, they can be ineffective
against new or uncharacterized attacks. They can, however, be effective at preventing
reoccurrences of past attacks. Some products also allow the definition of attachment types
that are then blocked from entry onto the network - a "black list." Populating the black list can
be problematic in that determining all the attachment types that represent unacceptable risk
is a difficult problem given the plethora of file types. To assist with such an effort, Reference
[1] offers a list of file types that can be used as a starting point; however, it can be much
easier, and potentially more secure, to utilize products that enforce the acceptance of only
those attachment types allowed by the organization's security policy, a "white list." A
combination of both techniques is attractive as well. Assume that a hypothetical file extension
.xyz is allowed via the organization's security policy but a known attack uses a file attachment
entitled "open_me_please.xyz". Placing the .xyz file extension on the white list but blocking
that specific file with a black list entry would be effective in this instance. Unfortunately there
are few products which support a white list; black list support is much more common.
Some email clients also support the notion of blocking potentially dangerous file types. For
example, Microsoft Outlook releases starting with Outlook 2000 with Microsoft Office Service
Pack 2 include attachment blocking. The specific file types that are blocked depend upon the
version of the software being run and are included in Reference [1].
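The combination of a white list of attachment types and a black list of specific attachments described above is straightforward to express in code. The following Python function is an added example, not from the guide or from any of the products it mentions; the allowed extensions and the blocked file name are constructed, using the hypothetical .xyz extension and "open_me_please.xyz" attachment from the text. It goes slightly beyond the text in two respects a filter must get right: file names are normalised the way Windows treats them (case-insensitive, trailing dots and spaces ignored), and every extension segment is checked so that a disguised "report.pdf.exe" is refused.

```python
# Constructed policy: extensions the (hypothetical) organisation allows, and specific
# attachment names known from a (hypothetical) past incident.
ALLOWED_EXTENSIONS = {"pdf", "txt", "xyz"}
BLOCKED_NAMES = {"open_me_please.xyz"}


def attachment_decision(filename, allowed=ALLOWED_EXTENSIONS, blocked=BLOCKED_NAMES):
    """Return (accepted, reason) for an attachment file name.

    The black list is consulted first, so a known-bad name is refused even though its
    extension is allowed. Then every extension segment must be on the white list, which
    refuses "report.pdf.exe"; the cost is that a dotted base name such as
    "q3.report.pdf" is refused too, which is the fail-closed choice.
    """
    # Normalise as Windows does: case-insensitive, trailing dots/spaces ignored.
    name = filename.strip().rstrip(". ").lower()
    if name in blocked:
        return False, "named on the black list"
    segments = name.split(".")
    if len(segments) < 2 or not segments[-1]:
        return False, "no file extension"
    for ext in segments[1:]:
        if ext not in allowed:
            return False, f"extension '{ext}' not on the white list"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample attachment names.
    for name in ("notes.xyz", "Open_Me_Please.XYZ", "report.pdf.exe", "REPORT.PDF ", "README"):
        print(f"{name!r}: {attachment_decision(name)}")
```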
Follow The Concept Of Least Privilege
Least privilege is a basic tenet of computer security that means users should be given only
those rights required to do their job. Malicious code runs in the security context of the user
launching the code. The more privileges the user has, the more damage the code can do.
Recommendations pertaining to the least privilege principle include:
• Keep the number of administrative accounts to a minimum.
• Administrators should use a regular account as much as possible instead of logging
in as administrator or root to perform routine activities such as reading mail.
• Set resource permissions properly. Tighten the permissions on tools that an attacker
might use once he has gained a foothold on the system. Tools or utilities that should
be restricted are operating system configuration editing tools, network and domain
information gathering tools, Windows Resource Kit and Support Tools, debuggers,
compilers, and scripting languages such as gcc, perl, etc.
• The least privilege concept also applies to server applications. Where possible, run
services and applications under a non-privileged account.
Application Auditing
Most server-level applications have extensive auditing capabilities. Auditing can be of value
in tracking down suspected or actual intrusions. Enable auditing for server applications and
audit access to key files (such as those listed above) that an attacker might use once he has
gained a foothold on a compromised server.
Network Printers
Today’s network printers contain built-in FTP, web, and Telnet services as part of their OS.
Enabled network printers can be readily exploited and are often overlooked by system
administrators as a security threat. These network printers can be, and often are, exploited as
FTP bound servers, Telnet jump-off platforms, or exploited via web management services.
Change the default password to a complex password. Explicitly block the printer ports at the
boundary router/firewall and disable these services if not needed.
Simple Network Management Protocol (SNMP)
SNMP is widely used by network administrators to monitor and administer all types of
computers (e.g., routers, switches, printers). SNMP uses an unencrypted "community string"
as its only authentication mechanism. Attackers can use this vulnerability in SNMP to
possibly gather information from, reconfigure or shut down a computer remotely. If an attacker
can collect SNMP traffic on a network, then he can learn a great deal about the structure of
the network as well as the systems and devices attached to it.
Disable all SNMP servers on any computer where it is not necessary. However, if SNMP is a
requirement, then consider the following:
• Allow read-only access and not read-write access via SNMP.
• Do not use standard community strings (e.g., public, private).
• If possible, only allow a small set of computers access to the SNMP server on the
computer.
• Alternately, SNMPv3 does include security features; however, this version is not
widely available in products which may make implementing it impractical today.
Network Security Testing
Test regularly the security of all of the following devices on the network: clients, servers,
switches, routers, firewalls and intrusion detection systems. Also, do this after any major
configuration changes on the network.
Perimeter Routers and Firewalls
The following section addresses recommendations for securing network perimeter routers
and firewalls. These devices remain a first line of defense that can serve to limit the access a
potential adversary has to an organization's network. While the passing of legitimate
operational traffic does represent a risk (e.g., malicious emails, attacks delivered via the web
browser) tightening these critical devices can offer substantial security benefits.
Host Security
Recommendations for improved host security include:
• Shut down unneeded TCP/UDP servers (e.g., bootps, finger) on the router or the
firewall. Servers that are not running cannot break. Also, more memory and
processor slots are available with fewer servers running.
• For TCP/UDP servers on the router or the firewall that are necessary, make sure that
access to them is limited only to the administrators.
• Shut down unneeded services (e.g., source routing, remote configuration) on the
router or the firewall.
• Disable any unused interface on the router or the firewall. Protect each and every
active interface on the router or the firewall from information gathering and attacks.
• Protect each and every management port on the router or the firewall from attacks.
Disable any unused management port.
• Configure durable passwords on the router or the firewall, in accordance with the
suggestions offered on page 7.
Example: Cisco IOS Routers
The following scenario steps through the recommendations listed above.
The show processes command can help to show active information about the servers on
the router. The following commands show how to disable the following servers:
TCP/UDP small servers (echo, discard, daytime, chargen), bootps, finger, http, identd
and snmp.
Router(config)# no service tcp-small-servers
Router(config)# no service udp-small-servers
Router(config)# no ip bootp server
Router(config)# no service finger
Router(config)# no ip http server
Router(config)# no ip identd
Router(config)# no snmp-server community <community string>
If SNMP on the router is required, use the following commands to clear out any SNMP
servers with default community strings.
Router(config)# no snmp-server community public
Router(config)# no snmp-server community private
Then set up the SNMP server with a community string that is difficult to guess. Also, if
possible, allow only read-only access to the server; do not allow read-write access to the
server. Apply an access-list to the server. Refer to the following section on TCP/IP Filters
for discussion of an access-list for SNMP in more detail. The following command is an
example.
Router(config)# snmp-server community S3cr3t-str1n9 ro 10
The following commands disable the following services: Cisco Discovery Protocol (CDP),
remote configuration downloading, source routing and zero subnet.
Router(config)# no cdp run
Router(config)# no service config
Router(config)# no ip source-route
Router(config)# no ip subnet-zero
The following command disables a router interface.
Router(config-if)# shutdown
Secure each and every active interface on the router from Smurf attacks, ad-hoc routing
and access-list queries with the following commands.
Router(config-if)# no ip directed-broadcast
Router(config-if)# no ip proxy-arp
Router(config-if)# no ip unreachables
Configure the console line and the virtual terminal lines on the router to time out a
session, to require a password at login and to allow only telnet traffic. If the auxiliary line
is not needed, then it should be disabled. Use the following line configuration
commands to configure the lines.
Router(config)# line con 0
Router(config-line)# exec-timeout 5 0
Router(config-line)# login
Router(config-line)# transport input telnet
Router(config)# line aux 0
Router(config-line)# no exec
Router(config-line)# exec-timeout 0 5
Router(config-line)# no login
Router(config-line)# transport input none
Router(config)# line vty 0 4
Router(config-line)# exec-timeout 5 0
Router(config-line)# login
Router(config-line)# transport input telnet
Configure the Enable Secret password, which is protected with an MD5-based algorithm.
The following global configuration command is an example.
Router(config)# enable secret 0 2manyRt3s
Configure passwords for the console line, the auxiliary line and the virtual terminal lines.
Use a different password for the console line and the auxiliary line versus the virtual
terminal lines. The following line configuration commands are examples.
Router(config)# line con 0
Router(config-line)# password Soda-4-jimmY
Router(config)# line aux 0
Router(config-line)# password Popcorn-4-sara
Router(config)# line vty 0 4
Router(config-line)# password Dots-4-georg3
Provide a basic protection for the line passwords by using the following global
configuration command.
Router(config)# service password-encryption
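The recipe above is written as commands to type; the same list can be used to audit a saved running-config for settings that were never applied or have since been reverted. The following Python script is an added example, not from the guide or from Cisco. The configuration it checks is constructed here (documentation address ranges, placeholder password and community string). Each check either flags an insecure setting that is present or a hardening line from the steps above that is absent; because IOS omits default settings from the running-config, an absent line may simply be the platform default on a given release and should be confirmed on the device before being treated as a gap.

```python
import re

# Constructed sample running-config (not from a real device); some hardening lines
# from the steps above are missing and some insecure settings are present.
SAMPLE_CONFIG = """\
service tcp-small-servers
enable password ConstructedPw
ip http server
snmp-server community public RO
snmp-server community Constructed-Str1ng RW 10
interface FastEthernet0/0
 no ip proxy-arp
 no ip unreachables
interface FastEthernet0/1
 ip directed-broadcast
 no ip proxy-arp
line con 0
 exec-timeout 5 0
 login
 transport input telnet
line aux 0
 no exec
line vty 0 4
 exec-timeout 0 0
 login
 transport input all
"""

# Insecure settings that should not appear at global level: (regex, description).
FORBIDDEN_GLOBAL = [
    (r"^service (tcp|udp)-small-servers$", "small servers enabled"),
    (r"^service (finger|config)$", "finger or remote-config service enabled"),
    (r"^ip (http server|identd)$", "HTTP server or identd enabled"),
    (r"^snmp-server community (public|private)\b", "default SNMP community string"),
    (r"^snmp-server community \S+ rw\b", "read-write SNMP community"),
    (r"^enable password\b", "'enable password' used instead of 'enable secret'"),
]
# Hardening lines that should appear. IOS omits default settings from the running-config,
# so an absent line may be the platform default; confirm on the device before acting.
REQUIRED_GLOBAL = [
    (r"^no ip bootp server$", "BOOTP server not disabled"),
    (r"^no ip source-route$", "source routing not disabled"),
    (r"^no cdp run$", "CDP not disabled"),
    (r"^service password-encryption$", "line passwords stored in cleartext"),
    (r"^enable secret\b", "no enable secret configured"),
]


def parse_config(text):
    """Split config into global lines and {'interface X' / 'line Y': [child lines]}."""
    global_lines, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):  # indented line belongs to the current block
            if current is not None:
                blocks[current].append(raw.strip())
        elif raw.startswith(("interface ", "line ")):
            current = raw.strip()
            blocks[current] = []
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, blocks


def audit_interface(name, lines):
    if "shutdown" in lines:
        return []  # a disabled interface exposes nothing
    checks = (("ip directed-broadcast" in lines, "directed broadcasts enabled (Smurf amplifier)"),
              ("no ip proxy-arp" not in lines, "proxy ARP not disabled"),
              ("no ip unreachables" not in lines, "ICMP unreachables not disabled"))
    return [f"{name}: {msg}" for bad, msg in checks if bad]


def audit_line(name, lines):
    if "no exec" in lines:
        return []  # no EXEC session possible, as in the aux 0 recipe above
    findings = []
    if not any(l == "login" or l.startswith("login ") for l in lines):
        findings.append(f"{name}: no login required")
    timeout = next((l for l in lines if l.startswith("exec-timeout")), None)
    if timeout is None or all(p == "0" for p in timeout.split()[1:]):
        findings.append(f"{name}: idle exec-timeout missing or set to zero")
    transport = next((l for l in lines if l.startswith("transport input")), None)
    if transport is None or transport.endswith(" all"):
        findings.append(f"{name}: transport input not restricted")
    return findings


def audit_config(text):
    """Return 'scope: problem' strings for a running-config text."""
    global_lines, blocks = parse_config(text)
    findings = [f"global: {msg} ({line})" for pattern, msg in FORBIDDEN_GLOBAL
                for line in global_lines if re.match(pattern, line, re.IGNORECASE)]
    findings += [f"global: {msg}" for pattern, msg in REQUIRED_GLOBAL
                 if not any(re.match(pattern, l, re.IGNORECASE) for l in global_lines)]
    for header, lines in blocks.items():
        auditor = audit_interface if header.startswith("interface ") else audit_line
        findings += auditor(header, lines)
    return findings


if __name__ == "__main__":
    print("\n".join(audit_config(SAMPLE_CONFIG)))
```

Run against the output of show running-config copied from each perimeter router, the script gives a per-device list that maps one-to-one onto the commands above, which is also a convenient way to re-check the devices after the configuration changes recommended under Network Security Testing.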
TCP/IP Filters
Carefully consider which TCP/IP services will be allowed through and to the perimeter routers
and firewalls (inbound and outbound). The guiding principle should be that services not
explicitly permitted are prohibited. In other words, the administrator should create filters
focusing on what services and hosts are permitted and denying everything else. This method
means that one may not need to block each service individually; however if an organization
has a need to individually list services the following tables present common services to
restrict because they can be used to gather information about the protected network or they
have weaknesses that can be exploited against the protected network.
Table 1 lists those TCP or UDP servers that should be completely blocked at the
perimeter router or firewall. These services should not be allowed across the router or the
firewall in either direction. Also, they should not be allowed to the router or the firewall.
Table 2 lists those TCP or UDP servers on the protected network, on the router, or on the
firewall that should not be accessible by external clients.