LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 24, 2012

A uTouch architecture introduction

LWN.net Weekly Edition for May 17, 2012

Tasting the Ice Cream Sandwich

Highlights from the PostgreSQL 9.2 beta

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

All Fluff

All Fluff

Posted Jun 4, 2002 22:11 UTC (Tue) by AnswerGuy (guest, #1256)
Parent article: Unique Preventative IDS for Linux

This article isn't about Linux, and hasn't got one practical tip, link, code or configuration excerpt. It reads like a college freshman's essay on "what is wrong with computer security today."

The terms in the headline "Unique" and "IDS" (intrusion detection system) are mistaken here. There is nothing unique in the article and it has almost nothing to do with IDS since it talks almost exlusively about policies and (human/management) procedures.

I hate to be harsh, but what's this doing on LWN?

(Log in to post comments)

All Fluff

Posted Jun 5, 2002 13:16 UTC (Wed) by Shamgar (guest, #1356) [Link]

I have to agree. I've seen a fair bit of this posturing lately, and it is getting rather old. We all know there are problems with the current security model, but it doesn't help anyone to just describe the problem another way and call it a solution. This was a tremendous waste of my time.

Re: All Fluff

Posted Jun 6, 2002 16:07 UTC (Thu) by DeletedUser1598 ((unknown), #1598) [Link]

AnswerGuy,

Scott Wimer here. I must appologize, this article was never meant for distribution into highly technical audiences. Its only purpose is to get management and budget folks looking at security as a cost area that they can control, rather than the cyclic cost center it is right now for them.

Because of its intended audience, I was forced to adopt a completely vendor neutral position in the article. This meant that it would be pretty well useless for technical people looking for ways to do these things unless they were already familiar with such tools. (In which case the article's only benefit for them would be something they might show upper management to say, "See, other people think that this is the right way to go about security too.")

Here's a quick listing of the tools that I see being useful in each of these areas for the Linux platform. The weak spot in my knowledge of these is the authentication methods. I've not spent much time looking at that area, because it seems like a problem that has already been more or less solved. You'll note that the listing below reflects a host-centric view of security. 

1. Authentication
1.1  Strong passwords
1.1.1  crack
1.1.2  John the ripper
1.2  Password expiration
1.2.1  (Is there a PAM module that does this?)

2.  Access Control
2.1  Firewalls
2.1.1  Netfilter, IP chains
2.1.2  Checkpoint's Firewall 1
2.1.3  Nokia
2.1.4  (Other commercial firewalls for Linux.)
2.2  Encryption
2.2.1  GPG
2.2.1  PGP
2.3  Mandatory Access Control Lists
2.3.1  Gresecurity
2.3.2  LIDS
3.3.3  SELinux
3.3.4  LOMAC

3.  Behavioral Control
3.1  CylantSecure
3.2  SPADE for Snort (not really host based, but could be used that way)
3.3  Calvin Ko's generic wrappers.

These tools provide practical methods for implementing the ideas of preventative security.

That's probably a whole lot quicker to read, and a whole lot more useful for this audience, but I suspect you can see why it's pretty useless for management folks.

Regards,
scottwimer

Re: All Fluff

Posted Jun 6, 2002 17:51 UTC (Thu) by Shamgar (guest, #1356) [Link]

I think your primary problem came from the title. In the future, I'd encourage you to choose something more reflective of the content so that reader expectations fall in line with what you are actually going to give them.

If, for example, you'd described it the way you did in this post I'd have read it with a completely different mindset and would not have been disappointed. ;-)

Re: All Fluff

Posted Jun 6, 2002 20:28 UTC (Thu) by DeletedUser1598 ((unknown), #1598) [Link]

Shamgar,

I didn't post the article. :( Our PR agency did. And, quite frankly, the title threw me a bit when I saw it this morning.

We work with a PR agency because, well, the process of getting in touch with news agencies is well outside of our internal strengths.

I didn't let our PR agency know the general types of audiences that the paper is structured to reach. That is something that I have addressed today.

Regards,
scottwimer

Re: All Fluff

Posted Jun 6, 2002 20:57 UTC (Thu) by AnswerGuy (guest, #1256) [Link]

Scott, I appreciate your candor, and the fact that you were alert enough post a follow-up to my comments. I can appreciate that this was a press release that was intended or a non-technical audience, and that it's publication here was inappropriate. As a fairly well know Linux sysadmin, writer, teacher and consultant I can comment on the technical points that you've made with some confidence. You're also welcome to contact me offline if you'd like to engage in a more detailed discussion about the specifics of Linux security. I'm JimD at http://www.starshine.org

While strong passwords are still a fundamental of "best practice" they haven't been the primary cause of intrusions on Linux systems. The most common intrusion vectors continue to be exploitable software bugs in privileged code (mostly in network service daemons). These days it seems that BIND has taken the top spot from sendmail for being most frequently exploited. There are a few PAM modules that can be used to enforce password strength policies (especially while passwords are being set or changed). We could probably write some additional ones.

Password expiry schemes are largely irrelevant to normal security --- they alienate users without measurable benefit and I've routinely seen users go to great lengths to "trick" the expiry and tracking software into allowing them to repeatedly re-use "their" passwords; or they'll be forced to write down their password and store it "in a safe place" because the expiry of a password always occurs when the user is busy with their real work.

By far the greatest risk in user/account passwords today is simply in the sheer number of them that are required by moderately active computer users. For example, consider the password you used to log into this site and post your response; was it strong and completely unique or did you use a variant of some other password from one of your other accounts? [I'll admit that I use similar passwords for most of my "public web" personae --- from here, and slashdot and my subscription account on The Wall Street Journal.] Passwords being shared among accounts in different administrative domains is the primary modern threat to their integrity. A cracker who gets into LWN or slashdot's web servers can gain usernames, passwords and IP addresses with which they are VERY LIKELY to compromise a statistically significant number of other accounts, from which they can glean more info.

This problem is inherent in allowing user selection of passwords.

Unfortunately it may be the case that no human usable passwords will be sufficient in the near future. I'm not going to suggest alternatives in this forum. Suffice it to say that we need to look beyond passwords for the authentication models of the future. For the present we probably needn't focus much on password security --- other than an ongoing effort to educate users and provide some minimal enforcement on pass phrase strength.

Regarding firewalls: iptables is sufficient for most applications. I don't see advantages to the commercial offerings in this arena. The major issue here is that most users in most organizations today are not willing to tolerate uniform, strict use of application layer proxies. They want to "browse" the web and they don't want to hear that Javascript this and Java that, and various plug-ins, etc are not supported through a given organization's firewall. The easiest way through a firewall is to have one of the authorized users on the inside pop open the door and drag the miscreant code in.

A better approach would be to isolate the public browsing from the local intranet applications use --- so there's a quarantine. Basically any attempt to access "outside" sites should bring up a browser that's running remotely on a sacrificial system; such that a compromise of the sacrificial system doesn't constitute any access to the internal workstations or servers. Unfortunately nobody seems to even be attempting this approach. Simple identity based authorization systems (UNIX/Linux, NT/W2K, VMS and Netware, etc) are arguably not going to protect our systems from a subverted program or "socially engineered" user.

Regarding Encryption: Where would we start! The biggest problem with PGP and GNUPG is that no one is using them. There is no corporate buy-in. If a number of major corporations and/or government agencies instituted a policy that all "official" e-mail from all of their employees was to be GPG signed, and added a support mechanism (e.g. a webservice application) for verifying the keys of their employees; then we'd have a chance. As it is, only a few dedicated cybergeeks and cryptopunks even have GPG keys and usage among them is spotty at best.

Add to that the problem posed by other media. For example, how would I sign this posting? How would you verify my signature on it? It may seem like a spurious example, but consider that an ever increasing amount of our WORK (real work, as it our jobs) is done through web forms. SSL client certificates are not nearly as widespread nor nearly as easy to use as GPG/PGP keys; and the key management for SSL client certs is abysmal. [A promising idea was to have local browsers configured to connect to local daemon proxies --- have the local proxy act as the SSL engine and certificate "wallet" or agent; so that all browsers in use by a given user would share the same keys, this might be extended for cases where users are "apartmented" at different workstations from day to day].

Regarding MACs: The various patches you mention (LIDS, GRsecurity, et al) are interesting. There are several others (like Samhain, and Medusa DS9). None of them is provided in major mainstream Linux distributions. This relegates them to use by dedicated security geeks and dilletante nerds (such as I am). Eventually some of them or some of their features will be available (probably as options) in some future version of Red Hat, S.u.S.E. etc. (Several of these are partially available as Debian packages, though there isn't an initial installation option for them and they aren't fully integrated with the rest of the distribution. It is more likely that LIDS or GRsecurity will find use in specialized, dedicated server bundles --- not general purpose distributions. However, most companies show a decided preference to use GP distributions (often "standardizing" on Red Hat) due to management (rather than purely technical) concerns.

It seems likely that Linux 2.6 (the kernel) will include filesystem ACL support. This will probably be touted as a great boon for Linux security. Unfortunately support for ACLs has not been shown to have any benefit to overall system security. The fact is that most compromises involve a subverted user or process --- that user or process then has access to ALL resources of the associated UID; making ACLs irrelevant. However ACLs do signficantly increase administrative complexity and further increase the probability that hurried and harried sysadmins will apply blanket permissions grants for expediency. Auditing ACL based systems is about an order of magnitude more difficult than auditing a system in which filesystem level ACLs are not used.

You mention Snort in passing, I'll take that as a reference to IDS (host and network) and just say that Snort is only as good as your isolation and host policy definitions. For example, if you have a system which is supposed to be a dedicated NTP/DNS server then you want to create a Snort rule to alert you any time ANY traffic other than NTP (from specific time server peers) and DNS and (possibly) SSH (from VERY specific administrative hosts) is seen going to or coming from that server. If you add an SNMP agent to that server, you have to update your Snort rules with the appropriate list of NMS addresses. Combining Snort rules with active countermeasures (forcing the system that's violating policy to shutdown through a remote power switch, etc) must be done with extreme caution (if it is to be done at all). Whenever one considers automated countermeasures one must also consider how they might be used for a DoS (denial of service) or how they might be misdirected and used as a weapon to attack an innocent bystander.

For host file integrity management I'd recommend AIDE (the free re-implementation of tripwire). I'd also recommend installing one additional one from among many that are available (or writing a small custom one in Python, PERL or C). Samhain also has a very nice file integrity system. For critical servers I suggest two different ones; statically linked. (Belts and suspenders, not two belts, and not two pairs of suspenders; diversity is required).

By far my favorite file integrity system is a write-protected backup tape containing a comprehensive tar of the system, and an LNX-BBC (bootable business card) or Tom's Root/Boot (floppy). tar dzf /dev/st0 is my friend.

The problem with security under Linux is NOT a dearth of tools or features. The major problem is that there are way too few people who have the compination of time, training and inclination/motivation to configure their systems, monitor them and keep them up-to-date.

In this sense I understand that your article is attempting to address the problem by appealing to the people who set policies and provide the funding and management that is ultimately needed. I quibble with your comments about security being about "control" (I like to say that security is the enforcement of policy; policies are requirements that relate to the availability, confidentiality, and/or the integrity of computing resources; and that all security efforts must be cast in the context of a greater risk analysis and recovery planning effort). However, I understand what you're trying to do.

(Of course I also understand that you want these managers to purchase Cylant products and services).

Re: All Fluff

Posted Jun 6, 2002 22:11 UTC (Thu) by DeletedUser1598 ((unknown), #1598) [Link]

Hello Jim,

I appreciate the time you've taken in formulating your responses to my comments.

About authentication in general...
I don't bring this up as a particular problem area, but rather as an area that must be done "right" in order to have securable systems. Individual users might screw up and impinge the security of the system, but without the mechanisms in place and some formal policy stating that they're going to be followed, the box is not very securable.

Firewalls...
I don't know that I have a good handle on the benefits of commercial firewalls vs. their open source brethren. My suspicion is that the benefits fall into the areas of managebility by "C" or "B" level staff rather than "A" level staff. Beyond that, maybe it's just that budget people want to have a company that they can blame when things break.

Encryption...
In my own experience, I've found that GPG is enough extra work to use, that I just don't endup using it as often as I should. I could probably institute a policy here that would for me to, but I doubt that I'll do that any time soon. Human laziness simply isn't working for me here. :(

MAC...
I think that an older version of Grsecurity was included in a Mandrake distribution not to far back. But yes, the fact that some form of MAC (beyond just file access control) is not a default feature doesn't help. The subverted user or process method of getting around ACLs is why behavioral control is a key component of creating securable systems. The difficulty of actually using strict MACs without just creating blanket holes is, in my opinion, the reason for their scarcity despite their age and the protection they can provide.

More MAC...
I guess this is a shameless plug, but it's for open sourced code, so I don't feel to bad about it. We are working with Michael and Brad of the Grsecurity.net project to make the ACL system self training. Well, sort of self training, as the admin you have to tell it when to start and stop training. This provides for a much simpler way to create ACL rules that have only the necessary holes in them, and ensure that those holes are no bigger than absolutely necessary. We're currently running this code in house shaking some of the last bugs out of it before its beta release. Information about this will be carried at www.grsecurity.net and at www.cylant.com.

File integrity...
This is an area where I have mixed and conflicting feelings. On the one hand, file integrety checkers can be a tremendous boon when an attacker manages to subvert the security mechanisms in place on a server. On the other hand, if the security mechanisms weren't so frail and blindsidable as they are today, this wouldn't be nearly the issue it is. Mostly, I like the fresh-backup on a CD or a spare off-line disk method myself.

Behavioral control...
This is the one area that you didn't address. It also happens to be the area that I see most security and comp sci folks ignore, but the area that engineers and accountants look at first. I think this has to do with the education we get in the security and comp sci disciplines, but I'm not sure. Behavioral control speaks to monitoring application execution looking for deviances from its normal execution activity. There are a variety of ways to do this, some are really slow, others aren't, some don't work very well, others do.

Security seen as control...
We tend to look at security as control because of the following: If you can control the resources a process can access, and if you can control the execution behavior of that process, and if you can control who is allowed to run that process, you've got a handle on security. But, if you can't do even one of those things, then attackers, internal or external, can do things your security policy probably doesn't allow. Control is where the rubber meets the road. Control is not forensics, its purpose is to prevent undesirable situations, not generate reports about their damage level and outcome.

Naturally we'd like people to use our software where it's applicable. But, we also recognize that we don't build tools or offer services across the three areas of preventative security. To a certain extent, we're not really interested in doing so. We're moving into the MAC area simply because it makes sense for that to integrate with our current product. We're also giving it away for free too, since that seems to be the smartest thing to do in that case.

Regards,
scottwimer

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds