Linux and security
By Hervé Schauer, Guillaume Malgras and Sylvain Gil.
(Check http://www.hsc.fr/ressources/presentations/index.html.en for the slides for the talks, as well as many more, in French and English).
Hervé Schauer is a well-known computer security consultant in France. His company (www.hsc.fr) has 12 consultants, was started in 1989 and specializes in Unix and Internet security.
Some of his consultants are very good at Windows security, just to be able to explain to their customers why they should better use Linux!
Security advantages of open source software
To choose a proper security solution, the user has to understand its own security ans service needs, and match it with appropriate resources (financial and human).
Example: Microsoft has switched from Unix technology to its own technology, and the result is that they have been hacked. HSC consultants are usually able to hack IIS servers, but not a properly configured Apache on Linux.
Trouble with proprietary software in security is that it's impossible to know the inner workings of the software, because it's usually treated as a trade secret. Examples from Cisco or Firewall-1 that claim that they can do things that it fact they don't do properly (like stateful inspection) -> they are lying! So you have to do some reverse-engineering because you can't rely on vendors that you can't trust. This can lead to huge surprises.
Open source software is usually better than proprietary software in security. Its code is usually better than proprietary (code size, modularity, readability, quality, documentation). Open source software is driven by the developer ideas, not by marketing (no deadline pressures...). Of course there is also bad open source software.
In particular, open source permits source code analysis, fast bug corrections and support independence. Peer review do works, and no proprietary security software vendor can afford the same amount of peer review. With respect to bug corrections, you have the possibility to apply the correction yourself, or ask someone you trust to do it for you. Security is not absolute, but you have to react in time when there is a treat. With open source, you don't have to fear that the support for your support won't be discontinued after some change of politics in (like a buy out, a merger or some strategic decision).
IP filtering configurators:
Inbound IP filtering for a server:
Vulnerability tests suites
Network level cryptography
Application level cryptography
Secure Web servers
Name servers and mail transport
Linux 2.2 security
Linux 2.2 has "capabilities", which are a way to give to a process some, but not all, of rights usually associated with root. Example: ping only needs CAP_NET_RAW to access raw sockets. They were first defined in a (now obsolete) POSIX draft. There are also two projects under way to give capabilities to files.
You have to compile the kernel with the right option, and use the 'lcap' program to update capabilities.
Setting capabilities for a process is done by using 'execcap' and 'sucap'. 'fcaps' and 'elfcaps' are two utilities currently under development.
Kernel modules are a threat to kernel security because they are executed in kernel space ans can intercept the system calls. A system administrator can use modules to update drivers without reboot the system, or to divert certain system call to increase security. But a cracker can take advantage of modules, like by hiding files or processes, filtering logs or breaking out of a chrooted jail.
Another way to increase security in Linux 2.2 is accounting. You have to turn in on by using the command 'accton' and you can tune it by modifying /proc/sys/kernel/acct. Commands to use it are 'sa' and 'lastcomm'.
Last important tool is filesystem encryption. You can use many algorithms like CAST-128, Twofish, Blowfish, DES... You have to use 'losetup' and 'mount' to setup the encryption properly.
There are many other security patches to the Linux kernel, like non-executable user stack.
Some secure Linux distribution: nmrcOS (based on Slackware), Bastille-Linux (based on Red Hat), Stack Guard, Nexus Linux and Slinux (development not yet started).
See also Subterfuge.
PAM (Pluggable authentification modules) provide a way to upgrade security functions without recompiling every application (that must perform some kind of authentification).
Overview of the main applications of Linux for security
As a security gateway, use the IP filtering (IP chains and soon NetFilter). It provides advanced filtering, session analysis and address translation. You can use a proxy like Squid for HTTP, or more sophisticated proxies like NSM to perform content analysis. Linux is also very good for Web service (remember to always put your Web server in a DMZ, not in the same network as the other servers). Use a split DNS, with a public DNS (only hosts that should be visible from the outside) and a private DNS. For mail servers, you can use Postfix and Cucipop (also in the DMZ). Put different services in different DMZs (if possible). You can use Snort on an intrusion detection station (put it between the router and the firewall). Use IPsec with FreeS/WAN to create a VPN.
Linux is excellent for security consultants. It is not possible to do a complete intrusion test on Windows! You have to use Linux. Same for corporate security departments (real-time logging, intrusion detection, vulnerability tests... -> use Nessus). With Windows, you have to use one server by applications, you can't mix several applications on the same servers. For office networks, use Samba. You can use Linux workstations even if you're developing Windows software (because you can use CVS over SSH...).
But Linux doesn't protect against bad use. Use of Linux for security is growing quickly. Do not forget other open source Unices (OpenBSD has a better IPsec stack, so it's better for some VPN stuff, FreeBSD seems better for Web servers).
Mail, DNS and Web under Linux
[Sendmail: I came too late after the break after speaking to Christian Tibirna of KDE.]
Postfix: written by Wietse Venema (who also wrote tcp_writer and Satan). Its goal was to benefit from Sendmail experience, to be easy to administer and so easy to secure, and to have maximum Sendmail compatibility (for instance, there a fake 'sendmail' command).
Architecture: it is written the Unix way, with small programs, so that it easy to read, more difficult to break in, easier to chroot. There is a patch to allow SMTP-TLS in Sendmail. It has multiple waiting queues (good for performance).
Configuration: just edit /etc/postfix/master.cf and /etc/postfix/main.cf
You have anti-spam control: blacklist (IP address, RBL, no reverse lookup in DNS)...
Other systems: Qmail (reputed secure but has less functionality; Exim not widely used, and has some problems).
DNS is like a very large distributed database. BIND is the universal reference for DNS. It was written at Berkeley in the 80s (like sendmail). BIND is robust and standard. BIND supports Linux. Configuration is easy in simple caes but can become very complex. You configure it using /etc/named.conf and zone files. For each zone file you put RR (resource records). Two zone records ars mandatory: SOA (don't forget the serial number) and NS. Other resource records are A (IP address), PTR (reverse) MX (for mail servers) and CNAME (for aliases).
Security: take the last version (8.2.2pl05). BIND must not run as root and run it chrooted.
BIND 9: next generation, fully rewritten from scratch. New security features like DNSSEC and TSIG. There are no credible alternatives to BIND.
Apache is 'the' Web server. Even Microsoft uses it (for Hotmail). There are many security related modules, like ldap_auth, mod_rewrite and EAccess. Apache is very secure (no vulnerability since 1.3.4). The config file 'http.conf' is simple and well documented. It has proxying capabilities. Apache performs access control (.htaccess). Apache has integrated SSL support (use apache-ssl or mod_ssl). But be very careful with CGI programming.
Squid is an HTTP/HTTPS/FTP proxy/cache. It has ACLs and can perform several authentification methods. You can also use it as a reverse proxy (to protect IIS, for instance).
Network encryption under Linux
You have to encrypt network traffic to deny illegal spying on information. Three needs: authentification, confidentiality and integrity.
IPsec was first designed to work with IPv6. It's an IETF standard since 1995. Includes key management protocol (IKE). IPsec encrypts traffic at network layer, so that it can be used by all applications. There are three protocols: AH (authentification header), ESP (encapsulated security payload) and IKE. IPsec uses different algorithms for encryption: 3DES, DES (not secure anymore), CAST-128, Blowfish and AES. For data authentification: HMAC-MD5 and HMAC-SHA1. For peer authentification: public keys and shared secrets.
One can use IPsec for VPNs to encrypt traffic between gateways. Under Linux, use FreeS/WAN (www.freeswan.org). Quite easy to install. Uses only 3DES. There is also a native implementation in OpenBSD and KAME (by WIDE consortium for ***BSD / IPv6).
SSL was designed by Netscape, it is now an IETF standard under the name TLS. It is used by HTTPS, NNTPS, LDAPS, FTPS, telnets, IMAPS, POP3S, SMTP-TLS.
SSL provides data confidentiality (RC4, DES, 3DES...), data integrity and authentification (MD5, SHA-1). Server authentification is made with a certificate (X509v3). Application: Apache-SSL or mod_ssl. You first need OpenSSL.
SSH is a secure shell, developed to replace telnet and rlogin, and to allow file transfer (scp). It provides services like server and client authentification (via public key cryptography). Encryption of data via IDEA, DES, 3DES, aRC4. ssh (the program) was written by Tatu Ylonen in Helsinki. It is now an Internet draft. In 1999, OpenBSD created the OpenSSH project, which is a 100% free replacement of ssh (that had become proprietary).
SSH server listens on port 22. The client sends a session key, encrypted with the public key of the server. There is a mutual authentification between client and server. SSH port redirection allows to access hosts or ports that normally cannot be accessed.
It's the new IP filtering system in kernel 2.4. Historically, filtering was first introduced by Alan Cox in 1.1 (ipfw from BSD), then ipwadm in Linux 2.0 by Jos Vos, then ipchains by Rusty Russel and Michael Neuling, and now NetFilter by Rusty Russel. Rusty Russel works for Watchguard, a company that makes Linux-based firewalls.
A packet always goes through one of these chains: Input, Output or Forward. There are these following bultin chains: ACCEPT, DROP, RETURN, REJECT, LOG and QUEUE (a user program will decide of its fate -> performance problem).
NetFilter can filter packets on input or output of an interface, on source or destination address, service type, protocol, fragment or not, ICMP type and code, port (for TCP / UDP), TCP option (SYN...).
One can do connection tracing of TCP, UDP and ICMP connections. Note: doing stateful inspection is very memory-intensive.
One incredible feature: one can match a packed created created locally, by pid, uid, gid, sid.
NetFilter can also do address translation, for instance source address translation (always done last by the chain POSTROUTING). Used for IP masquerading.
Conclusion: not yet ready for production. New and complicated syntax. But NetFilter will be as good as ipfilter on BSD, and both are much better than any commercial firewall offering.