Scope of article
When it comes to securing network infrastructure, it is a common trend to invest into commercial grade appliances. It is found that security designers tend to ignore built-in security features available within a FOSS distro. This article explains few such features and helps decide when and how to use those in a given network scenario.
What is Perimeter Defense?
Before we talk about various features built into the FOSS systems, we need to understand few terminologies as well as various attack methods. A network is typically divided into LAN and WAN, wherein the LAN can have network switches to further sub-divide it into manageable small networks. LAN and WAN are separated by a router. A firewall is deployed within the network to keep a watch on network packets from security standpoint. This division of internal and external network is called as a perimeter, and as we just saw, the firewall is an important component which forms a fence of the perimeter. Drilling down into the firewall operations at high level, the policies of what should be allowed to get into the network from external world, as well as the policies deciding what should be accessed on the internet from internal network decides the perimeter defense. In a complex network scenario the perimeter defense can also incorporate intrusion detection systems, UTM devices etc to make it more robust.
In cyber security world, it is a fact that most of the attacks happen from within the network. This can happen either due to a root-kit, spyware or virus which made its way to the desktops/servers or by a disgruntled employee who knows much about internal network and plants an attack. How an attack takes place is also important to understand. Please refer to the table below, which segregate various security attacks into network and web category.
|Network Attacks||Web Attacks|
|Denial of Service||Denial of Service|
|Network sniffing||Cross site scripting|
|Packet crafting||Man in the middle|
|Packet spoofing||Cryptographic attacks|
|Device invasion||Database hacking|
|DNS attacks||Cookie injection|
|Wireless attacks||Code exploitation|
As we can see, this is an elaborate list of attacks and no single device can stop all, and protect the network. For example, since a firewall sits on the perimeter, it hardly helps to prevent such internal attacks, prompting for a need to have application level firewall. Similarly, an antivirus running on servers may not capable of performing packet level security analysis, which is crucial for a mission critical database server. Cyber security is never hundred percent, hence the security designers need to take all possible measures to put appropriate controls in place, leading to a robust design. This is where the understanding and usage of FOSS internal features becomes important, to introduce the robustness.
FOSS security features
While there are so many distros available, with various built-in features, we will be concentrating on those which are found in almost all versions. We will discuss those features which are very effective and hence predominantly used in security designing. Please be advised that some of the features mentioned below are actually open source projects which became an integral part of distro over time.
IPTables – All Linux distros support iptables which is essentially a truth table sort of database containing information which lets the net-filter algorithm decide on how to treat a packet. It is a kernel module, requiring elevated privileges to configure. The working operation of iptables is very simple. Each packet is stripped into various fields and the rules from truth table are applied to make a decision in terms of letting it go ahead, or block it, or drop it etc. For a given server role, iptables can be written only once by taking into account all the packet acceptance and rejection scenarios, and would rarely be needed to change. While many production farms use iptables to introduce an additional layer of security, it is important to note that it puts an overburden on the server resources. Since every packet is stored temporarily and checked against a set of rules, it needs considerable amount of computational power. Hence the iptables rules should not be very elaborate, but should be just adequate enough for the given network or application scenario. As a reference to learn setting up iptables on Ubuntu Linux, please check this link https://help.ubuntu.com/community/IptablesHowTo
ConnTrack – This is another kernel based module that falls under net-filter framework. As an extension to iptables, ConnTrack essentially tracks the connection for all network sessions. It further tries to relate packets that formed a sensible and successful connection. ConnTrack operates at Layer 3 and 4, and creates useful information about each packet by reading its various fields. This can optionally be used further by iptables, to improve its effectiveness. For example, if the high level protocol is HTTP, the packets are found to contain http headers, as well as a session based source and destination IP address as well as service port information. If this data is made available by ConnTrack, it becomes easy for iptables to allow those packets without diving deep into them, thus saving precious server computational resources. The right approach is to have iptables and ConnTrack together.
Source Address Verification – One of the serious security attacks is packet spoofing, whereby attackers modify the source IP address to fool the destination host. As a result, it is rather difficult to detect and stop the spoofing attack. Most of the Linux FOSS systems come with a built in, but usually less known feature called as the source address verification. It is a kernel feature which when turned on, starts dropping packets which appear to be arriving from the internal network, but in reality are not. Most of the latest kernels such as Ubuntu and CentOS do support it, but if your Linux distro does not support, it is the time to upgrade it. Modifying hosts.conf file to add “nospoof on” is another level of defense to try. In terms of detection, for smaller Linux networks a nice utility called arpwatch is very useful. Arpwatch keeps track of MAC and IP addresses and it records all changes and can be scripted to alert administrators upon a possible attack. Scripting can also be done to go through network interface logs and look for anomalies in terms of source address forging.
Anti-Sniff – Another serious attack type is packet sniffing wherein the network cards are put into promiscuous mode and packets are dumped for analysis to create an attack vector. All famous distros such as Ubuntu and CentOS do support anti-sniffing utilities, which monitor the network interface settings and ensure that the promiscuous mode is not enabled. This effectively stops the sniffers to function, thus thwarting further security attacks.
SniffIt – While the anti-sniffer is deployed in a FOSS network, it is important to see if it is functioning properly. For that, we need to simulate sniffing and SniffIT or DSniff utilities does that. Wireshark is another good example. The idea behind a sniffer is also to capture packet patters which can eventually be fed into an intrusion detection system. Snort is a famous FOSS IDS system. DSniff is powerful in terms of capturing SSL traffic.
Beyond FOSS built-in security
As explained earlier, no single device or method can help us reach hundred percent security. Also it is important to note that for few attacks such as packet sniffing, packet crafting etc, there are no built-in features available within an open source distro. All the methods explained above, surely strengthen security, but those must be complemented with commercial grade appliances and devices, to design a robust perimeter defense system.