DFWUUG SECURITY SIG

Security’s Final Fantasy – Virtual Networks with User Mode Linux

COMPUTER SECURITY IS TRYING

A large part of computer security is trying. We all knew that computer security can be trying. But computer security is also trying, as in trying things out. This is part of the learning process of computer security, because computer security is anything but static. Some of the things that get tried in computer security are:

• New versions of the kernel
• New kernel features
• New firewall rules
• New intrusion detection rules
• New exploits
• Old exploits in new settings
• Regression testing
• New security programs
• New networking protocols
• And lots more…

How do you go about trying these things out?

A MAZE OF TWISTY LITTLE PASSAGES

One way is to use the live production network for trying things out. While this method is live and real time, it is almost certainly guaranteed not to endear you to either your user community or your management. Eventually your “Get-Out-of-Jail” card is going to be revoked.

Another, less intrusive way of trying things is the Sandbox Method, or Iconic Method. In the Sandbox Method, the complexity of the network is reduced to just a few key systems and hardware and software components. While this approach may be very useful and produce significant results, it has several drawbacks:

• All those pieces of hardware, software, and infrastructure components can get expensive.
• All those pieces and parts can take up a lot of physical space.
• The pieces and parts of the Sandbox are frequently scavenged and put into production, rendering the Sandbox less effective.
• Connecting all the parts together can be a real drag, if not a nightmare.

If you’re really in love with this method you can cut down on the physical space by using laptops instead of towers. Even scamming cheap laptops at First Saturday gets to be consumptive of both space and dollars.

Dallas/Fort Worth Unix Users Group – Security SIG Page 1
July 2004

Just as there is physical memory and virtual memory, it is possible to have physical machines and virtual machines. This concept has been around computing for some time. One of the oldest examples is IBM’s operating system VM (Virtual Machine), an operating system that runs other operating systems (including VM itself) as tasks. On the x86 architecture family there is VMware. As IBM’s VM creates virtual machines for the mainframe, VMware creates virtual machines for the desktop. VMware is capable of running multiple operating systems, including Microsoft Windows, Linux, and Novell NetWare, simultaneously on a single PC in fully networked, portable virtual machines. A problem with VMware is that it is not an inexpensive piece of software. It is, however, cheaper than multiple PCs. Another drawback is that VMware uses a lot of resources.

ENTER USER MODE LINUX

Another way to do virtualization is with UML (User Mode Linux). In brief, UML is a Linux kernel that has been built to run as an ordinary process under Linux. UML gives you a virtual machine that may have more virtual hardware and software resources than your actual, physical computer. An operating system needs programs to run; these are provided as the virtual machine’s disk storage, contained entirely inside a single file on your physical machine. You assign the virtual machine only the host resources you want it to have. With properly limited access, nothing you do on the virtual machine can change or damage your real computer or its software. That limit is the UML process’s own host privilege: run it as an ordinary user, and a root login inside the guest is still just that user on the host, able to touch only what that user can.

UML hardware support comes in the form of virtual devices that use resources on the host. It supports all the usual types of devices that a physical system does:

• Block devices
• Console and serial lines
• Network devices
• SCSI devices
• USB devices
• PCI hardware

Just as there are virtual machines, there are also virtual switches. Using virtual switches, you can combine several hosts to form a network.
Basically, anything in Linux that is not hardware-specific just works. This includes kernel modules, the filesystems, software devices, and network protocols.

Jeff Dike is the originator and driving influence behind UML. The UML web site is located at http://user-mode-linux.sourceforge.net. The UML community site is located at http://usermodelinux.org.
WHAT’S IT GOOD FOR

I’m glad you asked. Here are just a few of the things User Mode Linux is being used for:

• Virtual hosting
• Kernel development and debugging
• Process debugging
• Safely experimenting with the latest kernels
• Trying out new distributions
• Education, yours or somebody else’s
• Experimental development
• Poking around inside the guts of a running system
• Virtual networking
• All sorts of security-related things

BUILDING A USER MODE LINUX KERNEL

The first step in building a UML kernel image is getting the source to a kernel of interest to you. Download the source to a plain vanilla kernel from http://www.kernel.org. Next, retrieve the UML patch from the UML web site corresponding to the version of the kernel you downloaded; the patch and the kernel version must match exactly. You patch and build the kernel image like this (change into whichever directory tar created, plain linux or linux-<version number>; and note that ARCH=um has to be given to the configuration step as well as the build, otherwise you are configuring a native x86 kernel):

    tar -jxf linux-<version number>.tar.bz2
    cd linux
    bzcat ../uml-patch-<version number>.bz2 | patch -p1
    make ARCH=um xconfig
    (At this point enable/disable any kernel features you are interested in)
    make ARCH=um linux
    file linux
    linux: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, statically linked, not stripped
    ls -lsh linux
    15M -rwxr-xr-x 1 gsmith1 utmp 15M 2004-06-25 10:12 linux
    strip linux
    ls -lsh linux
    2.1M -rwxr-xr-x 1 gsmith1 utmp 2.1M 2004-06-25 10:23 linux

Stripping throws away the symbols you would want for debugging the kernel with gdb, so keep an unstripped copy if kernel debugging is one of the things you plan to do.
Now you need a filesystem for the UML kernel. You can download a pre-made filesystem from the UML home page, or you can build your own. A downloaded root_fs is somebody else’s complete system image: verify it against whatever checksum the site publishes, and change its root password before it is attached to any network. If you are interested in building your own UML filesystem, the easiest Linux distribution to build one from is Slackware. There is a HOWTO on the UML web site for building a UML filesystem. Another way is to use mkuml from Tobias Poschwatta (http://www.tkn.tu-berlin.de/~posch/mkuml-2004.01.23-ananas.tar.bz2). This script takes the hassle out of creating a UML filesystem and swap file. Specifically, mkuml will:

• Create root_fs (ext3) and swap_fs files
• Install packages
• Set up the console
• Create etc/fstab
• Disable filesystem checks in the UML (etc/fastboot)
• Create etc/HOSTNAME
• Copy the host’s timezone config
• Run netconfig
• Copy the host’s /etc/hosts file
• Make a link to the no-X11 emacs version
• Set the UML filesystem’s root password
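Doing by hand what mkuml does, as an added example that is neither the article’s script nor mkuml itself. It leaves package installation to a hook because that step is distribution specific (the Slackware installpkg -root form in the comment is an assumption), assumes the 2.4-era guest device names /dev/ubd0 and /dev/ubd1 for the files passed as ubd0= and ubd1=, and must run as root on the host because of the loop mount and chroot:

```shell
#!/bin/sh
# Added example, not the article's mkuml script: build a UML root_fs and
# swap_fs by hand, doing the housekeeping the page lists for mkuml.
# Package installation is a hook because it is distribution specific; the
# Slackware form in the comment is an assumption. Loop mounts and chroot
# need root on the host. Assumed guest device names: the files passed as
# ubd0= and ubd1= appear inside a 2.4-era UML as /dev/ubd0 and /dev/ubd1.

ROOT_FS="${ROOT_FS:-root_fs}"
SWAP_FS="${SWAP_FS:-swap_fs}"
ROOT_MB="${ROOT_MB:-512}"
SWAP_MB="${SWAP_MB:-64}"
MNT="${MNT:-/mnt/uml}"

# Guest /etc/fstab: root on ubd0, swap on ubd1. The fsck pass numbers are 0
# because /etc/fastboot (created below) disables the boot-time check anyway.
fstab_text() {
    printf '/dev/ubd0  /      ext3  defaults  0 0\n'
    printf '/dev/ubd1  none   swap  sw        0 0\n'
    printf 'proc       /proc  proc  defaults  0 0\n'
}

# Sparse image files: seeking past the end instead of writing zeros means a
# 512 MB root_fs costs no disk until the guest actually fills it.
make_images() {
    dd if=/dev/zero of="$ROOT_FS" bs=1M count=0 seek="$ROOT_MB" 2>/dev/null
    dd if=/dev/zero of="$SWAP_FS" bs=1M count=0 seek="$SWAP_MB" 2>/dev/null
    mkfs.ext3 -q -F "$ROOT_FS"
    mkswap "$SWAP_FS" >/dev/null
}

# Hook: put a base system under $MNT. Slackware example (assumed syntax):
#   for p in /path/to/slackware/a/*.tgz; do installpkg -root "$MNT" "$p"; done
install_packages() {
    echo "install_packages: supply your distribution's installer here" >&2
}

# The per-guest settings the page lists for mkuml.
configure_guest() {               # configure_guest HOSTNAME ROOT_PASSWORD
    mkdir -p "$MNT/etc" "$MNT/proc"
    fstab_text > "$MNT/etc/fstab"
    printf '%s\n' "$1" > "$MNT/etc/HOSTNAME"
    : > "$MNT/etc/fastboot"                   # skip fsck on boot
    cp /etc/hosts "$MNT/etc/hosts"            # copy the host's /etc/hosts
    if [ -e /etc/localtime ]; then            # copy the host's timezone
        cp /etc/localtime "$MNT/etc/localtime"
    fi
    # The image must already contain a working chpasswd (installed above);
    # otherwise set the password at the guest's console after first boot.
    if [ -x "$MNT/usr/sbin/chpasswd" ]; then
        echo "root:$2" | chroot "$MNT" /usr/sbin/chpasswd
    else
        echo "no chpasswd in image; set the root password after first boot" >&2
    fi
}

build_root_fs() {                 # build_root_fs HOSTNAME ROOT_PASSWORD
    make_images
    mkdir -p "$MNT"
    mount -o loop "$ROOT_FS" "$MNT"
    install_packages
    configure_guest "$1" "$2"
    umount "$MNT"
}

if [ "${1:-}" = build ]; then
    build_root_fs "${2:?guest hostname}" "${3:?root password}"
fi
```

Run it as root as sh mkrootfs.sh build buffy <password> (the file name is an assumption). The password is a required argument rather than a default on purpose: a root_fs with a known default password is exactly the thing the sandbox is there to catch, not to ship.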
CONSTRUCT A VIRTUAL NETWORK

Figure 1 – The Network

Using UML and other virtual components, our task is to create the following network. We have two networks, sunnydale.com and elay.com. Each network has a dual-homed firewall connected to the Internet and some number of clients connected to the firewall by a switch or switches. For simplicity’s sake, the switches are not depicted in the diagram.

The addresses used throughout, taken from the scripts at the end of this document:

• buffy.sunnydale.com: eth0 10.0.1.100, default route 10.0.1.1
• giles.sunnydale.com (firewall): eth1 10.0.1.1 inside, eth0 3.0.0.1 outside
• host (playing the Internet router): TUN/TAP 3.255.255.254 toward giles, 5.255.255.254 toward wesley
• wesley.elay.com (firewall): eth1 10.0.2.1 inside, eth0 5.0.0.1 outside
• angel.elay.com: eth0 10.0.2.100, default route 10.0.2.1

Note that the “Internet” side uses addresses from 3.0.0.0/8 and 5.0.0.0/8, which are not private (RFC 1918) address space. That is harmless on an isolated lab host, but if the host also sits on a real network, the routes added later will shadow those real destinations.
The first step in building the virtual network is setting up the infrastructure, in this case the switches to which systems will connect. We need two switches, one for sunnydale.com and one for elay.com. This functionality is provided by the UML utility uml_switch. The program can operate as a hub or as a switch. The format of the command is

    uml_switch [ -unix control-socket ] [ -hub ]

In switch mode uml_switch learns which MAC address sits behind each port and delivers unicast frames only there, so a third UML attached as a sniffer or IDS sees only broadcasts and its own traffic. Start the switch with -hub when you want every frame visible on every port.

To observe the switches’ operation, in particular clients connecting and disconnecting, we’ll start them in the foreground, each in a separate window:

    uml_switch -unix /tmp/sunnydale.ctl
    uml_switch -unix /tmp/elay.ctl

Let’s start the first system in sunnydale.com:

    linux umid=buffy ubd0=buffy/root_fs ubd1=buffy/swap_fs mem=32M eth0=daemon,10:00:01:01:00:00,,/tmp/sunnydale.ctl

The “umid” assigns a unique identity to this UML machine. This is useful for keeping multiple UML instances straight. The “ubd0” and “ubd1” parameters associate a block device in the virtual machine with a file in the underlying filesystem. You can have up to 8 such devices. The “mem=32M” configures the UML machine with 32 megabytes of memory. The “eth0” configures a network device; in this case it connects the device to the switch we created earlier and assigns it a MAC address. You can have up to 10 network devices on a UML machine. The MAC addresses in this document follow the scheme 10:00:<network>:<host>:00:00, so that every interface on a switch gets a distinct address; two interfaces on the same switch must never share a MAC, or the switch will deliver frames to the wrong machine.

Once the system is up you can log into it. Using the ifconfig and netstat commands, we can see that the interfaces are up, the IP addresses and netmasks have been set, and the default routes are also set.

Next, let’s start up the firewall for sunnydale.com:

    linux umid=giles ubd0=giles/root_fs ubd1=giles/swap_fs mem=32M eth0=tuntap,,,3.255.255.254 eth1=daemon,10:00:01:02:00:00,,/tmp/sunnydale.ctl
In this instance, we assign the unique identifier “giles” to this UML machine. Note also that there are two interfaces on the firewall. One interface, eth1, is connected to the sunnydale.com network. It is instantiated like the network interface on buffy: a unique MAC address is assigned to the interface and it is connected to the virtual switch. The eth0 interface is connected to the router (whose part is played by the host machine) via the TUN/TAP driver. TUN/TAP is the preferred mechanism on 2.4 and later kernels for exchanging packets with the host. To use the TUN/TAP mechanism, the tun.o driver must be present on the host. Instantiating eth0 in this manner will create a TUN/TAP device on the host, assign it the IP address 3.255.255.254, and eth0 will be automagically connected to the TUN/TAP driver as if the interface were connected to a router. The helper that creates the device on the host, uml_net, needs root privilege for that step; the UML itself runs as an ordinary user. Once the firewall is up, buffy and giles should be able to ping each other.

Now, let’s start the first system in elay.com:

    linux umid=angel ubd0=angel/root_fs ubd1=angel/swap_fs mem=32M eth0=daemon,10:00:02:01:00:00,,/tmp/elay.ctl

As with buffy on the sunnydale.com network, we have assigned the identifier “angel” to the UML machine and connected it to the virtual switch. Next, start up the firewall for the elay.com network:

    linux umid=wesley ubd0=wesley/root_fs ubd1=wesley/swap_fs mem=32M eth0=tuntap,,,5.255.255.254 eth1=daemon,10:00:02:02:00:00,,/tmp/elay.ctl

Once the firewall for the elay.com network is up, log into it. At this point, angel and wesley should be able to ping each other.

To enhance security, the Linux kernel by default will not forward packets between network interfaces. For a firewall to function, it must forward packets between its interfaces, so forwarding has to be turned on on giles and wesley. There are two ways to do this.
One way is to enter the command explicitly:

    sysctl -w net.ipv4.ip_forward=1

This does not survive a reboot. Since we are using the Slackware release of Linux, a better way is to have it done at each boot by making the file /etc/rc.d/rc.ip_forward executable (permissions -rwxr-xr-x), which is how Slackware enables its per-service startup scripts.
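With forwarding turned on, giles passes everything between its two interfaces until a rule set says otherwise, which makes a default-deny firewall policy the natural first thing to test on this sandbox. The following is an added example, not part of the article, of a minimal stateful iptables rule set for giles. It assumes eth0 faces the host at 3.255.255.254, eth1 faces 10.0.1.0/24, and the firewall’s kernel has the iptables state match and LOG target available:

```shell
#!/bin/sh
# Added example, not from the DFWUUG article: a minimal stateful iptables
# rule set for giles, the dual-homed sunnydale.com firewall. With ip_forward
# on, the kernel passes every packet between eth0 and eth1 until a policy
# says otherwise, so the first rule set to test in the sandbox is a
# default-deny FORWARD chain. The rules are generated as text so they can be
# read, diffed, or piped into sh on the firewall.
# Assumptions: eth0 faces the host/router (3.255.255.254), eth1 faces the
# inside network 10.0.1.0/24, and the kernel has the iptables state match
# (ip_conntrack / ipt_state) and LOG target built in or loadable.

OUT_IF="${OUT_IF:-eth0}"
IN_IF="${IN_IF:-eth1}"
INSIDE_NET="${INSIDE_NET:-10.0.1.0/24}"

# Print the rule set, one iptables invocation per line.
fw_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# the firewall itself: loopback, replies to its own connections,
# ssh from the inside only, and ICMP echo so the ping tests still work
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $IN_IF -s $INSIDE_NET -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# anti-spoofing: an inside source address arriving on the outside interface
iptables -A FORWARD -i $OUT_IF -s $INSIDE_NET -j DROP
# inside hosts may open connections outward; outside may only answer them
iptables -A FORWARD -i $IN_IF -o $OUT_IF -s $INSIDE_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $OUT_IF -o $IN_IF -d $INSIDE_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
# log what the policy is about to drop, so tcpdump is not the only witness
iptables -A FORWARD -j LOG --log-prefix "FWD-DROP: "
EOF
}

# Every non-comment line must be an iptables command; catches heredoc typos
# before they reach the firewall.
lint_rules() {
    bad=$(fw_rules | grep -v '^#' | grep -v '^iptables ' || true)
    [ -z "$bad" ]
}

# Load the rules on the firewall (run as root on giles).
apply_rules() {
    lint_rules && fw_rules | sh -e
}

if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

Load it on giles as root with sh giles-fw.sh apply (the file name is an assumption). The observable test is asymmetric: buffy can still ping angel, because its echo request leaves on eth1 as NEW and the reply comes back ESTABLISHED, but angel can no longer ping buffy, because that echo request arrives NEW on eth0 and falls through to the FORWARD policy. The FWD-DROP line in giles’s kernel log, or tcpdump on wesley, shows exactly where it died.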
To perform a sanity check on IP forwarding, do

    sysctl net.ipv4.ip_forward

The result of the above command should be

    net.ipv4.ip_forward = 1

The last step is to configure the host to act as the router between the two networks. Because the host now forwards packets between its two TUN/TAP interfaces, IP forwarding must be enabled on the host as well, with the same sysctl used on the firewalls. Then do the following commands on the host as root:

    route add -net 10.0.1.0 netmask 255.255.255.0 gw 3.0.0.1
    route add -net 10.0.2.0 netmask 255.255.255.0 gw 5.0.0.1

If everything has gone according to plan, buffy.sunnydale.com should be able to ping angel.elay.com and vice versa. If telnet has been enabled and accounts set up on the UML machines, you should be able to log into machines across the network. Telnet carries passwords in the clear; on this sandbox that is useful, because it gives you something to watch with tcpdump, but it is not a habit to carry to a real network.

FUN ON THE NETWORK

Even with a modest little sandbox network like this, there is a plethora of things that a security maven can do:

• Test firewall rule sets
• Test sendmail rules
• Test alternatives to sendmail, e.g., Postfix, exim
• Test Apache configurations
• Run exploit code (many possibilities here)
• Set up an Intrusion Detection System
• Test new IDS signatures
• Analyze network protocols with tcpdump and Ethereal
• Experiment with cryptography
• Set up a VPN (Virtual Private Network)

One caveat about running exploit code: the sandbox is only as isolated as the host. The host routes between the two virtual networks, and if it also has a physical interface with forwarding enabled, nothing in this setup stops a UML from reaching the outside world. Keep the host off the production network, or at least do not forward between the TUN/TAP interfaces and the physical one, while hostile code is running.

CONCLUSION

User Mode Linux is an excellent application for testing new kernels and programs. It also has many security-related uses that the security maven might not be able to pursue on a live, production network. Many things are possible with different kernels and configurations.
SCRIPTS

    #!/bin/sh
    # This script starts wesley.elay.com with 32M of memory, an IP address
    # of 5.0.0.1 on eth0 automagically connected to the TUN/TAP interface
    # at 5.255.255.254, and an IP address of 10.0.2.1 on eth1. Before starting this
    # script be sure to start the switch (uml_switch -unix /tmp/elay.ctl).
    linux umid=wesley ubd0=wesley/root_fs ubd1=wesley/swap_fs mem=32M eth0=tuntap,,,5.255.255.254 eth1=daemon,10:00:02:02:00:00,,/tmp/elay.ctl

    #!/bin/sh
    # This script starts up angel.elay.com with 32M memory, an IP address of
    # 10.0.2.100 and a default route of 10.0.2.1. Before starting this
    # script, be sure to start the switch (uml_switch -unix /tmp/elay.ctl)
    # beforehand.
    linux umid=angel ubd0=angel/root_fs ubd1=angel/swap_fs mem=32M eth0=daemon,10:00:02:01:00:00,,/tmp/elay.ctl

    #!/bin/sh
    # This script starts up buffy.sunnydale.com with 32M memory, an IP address of
    # 10.0.1.100 and a default route of 10.0.1.1. Before starting this
    # script, be sure to start the switch (uml_switch -unix /tmp/sunnydale.ctl)
    # beforehand.
    linux umid=buffy ubd0=buffy/root_fs ubd1=buffy/swap_fs mem=32M eth0=daemon,10:00:01:01:00:00,,/tmp/sunnydale.ctl

    #!/bin/sh
    # This script starts giles.sunnydale.com with 32M of memory, an IP address
    # of 3.0.0.1 on eth0 automagically connected to the TUN/TAP interface
    # at 3.255.255.254, and an IP address of 10.0.1.1 on eth1. Before starting this
    # script be sure to start the switch (uml_switch -unix /tmp/sunnydale.ctl).
    linux umid=giles ubd0=giles/root_fs ubd1=giles/swap_fs mem=32M eth0=tuntap,,,3.255.255.254 eth1=daemon,10:00:01:02:00:00,,/tmp/sunnydale.ctl

    #!/bin/sh
    # Run as root on the host. Enable forwarding on the host, which now routes
    # between its two TUN/TAP interfaces, and point the sunnydale.com network
    # (10.0.1.0/24) and the elay.com network (10.0.2.0/24) at their firewalls.
    sysctl -w net.ipv4.ip_forward=1
    route add -net 10.0.1.0 netmask 255.255.255.0 gw 3.0.0.1
    route add -net 10.0.2.0 netmask 255.255.255.0 gw 5.0.0.1
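The launch scripts above folded into one bring-up script, as an added example that is not from the article. It adds two checks the page does not make: that each switch’s control socket exists before a UML tries to attach to it (otherwise the UML boots with a dead eth0), and that no two interfaces on the same switch share a MAC address, an easy slip when addresses are typed by hand. It assumes ./linux is the UML kernel, each machine’s root_fs and swap_fs live in a directory named after its umid, and every UML and switch gets its own xterm as on the page; the xterm usage and the file name lab.sh are assumptions:

```shell
#!/bin/sh
# Added example, not from the article: the four launch scripts folded into
# one bring-up script with the checks that bite in practice. It refuses to
# start if a switch's control socket is missing, or if two interfaces on one
# switch share a MAC address. Assumptions: the UML kernel is ./linux, each
# machine's root_fs and swap_fs live in a directory named after its umid,
# and each UML and switch is started in its own xterm as on the page.

# The page's MAC scheme: 10:00:<network>:<host>:00:00
mac_for() {                       # mac_for NET HOST
    printf '10:00:%02d:%02d:00:00\n' "$1" "$2"
}

# Lab inventory, one machine per line:
#   kind umid net host switch-socket [tap-ip-on-host]
lab_machines() {
    cat <<'EOF'
client   buffy  1 1 /tmp/sunnydale.ctl
firewall giles  1 2 /tmp/sunnydale.ctl 3.255.255.254
client   angel  2 1 /tmp/elay.ctl
firewall wesley 2 2 /tmp/elay.ctl 5.255.255.254
EOF
}

# Kernel command line for one inventory line.
uml_cmdline() {                   # uml_cmdline KIND UMID NET HOST CTL [TAPIP]
    base="linux umid=$2 ubd0=$2/root_fs ubd1=$2/swap_fs mem=32M"
    case "$1" in
    client)   echo "$base eth0=daemon,$(mac_for "$3" "$4"),,$5" ;;
    firewall) echo "$base eth0=tuntap,,,$6 eth1=daemon,$(mac_for "$3" "$4"),,$5" ;;
    *)        echo "unknown machine kind: $1" >&2; return 1 ;;
    esac
}

# "<socket> <mac>" for every switched interface in the inventory.
lab_macs() {
    lab_machines | while read kind umid net host ctl tap; do
        echo "$ctl $(mac_for "$net" "$host")"
    done
}

# Fail if the same MAC appears twice on the same switch.
check_unique_macs() {             # reads "<socket> <mac>" lines on stdin
    dups=$(sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "duplicate MAC on a switch: $dups" >&2
        return 1
    fi
    return 0
}

# Start both switches, one per window, then give them a moment to create
# their control sockets.
start_switches() {
    for ctl in $(lab_machines | awk '{print $5}' | sort -u); do
        xterm -T "switch $ctl" -e uml_switch -unix "$ctl" &
    done
    sleep 1
}

lab_up() {
    lab_macs | check_unique_macs || return 1
    start_switches
    lab_machines | while read kind umid net host ctl tap; do
        if [ ! -S "$ctl" ]; then
            echo "$umid: switch socket $ctl missing" >&2
            exit 1            # ends the while-subshell; lab_up returns non-zero
        fi
        cmd=$(uml_cmdline "$kind" "$umid" "$net" "$host" "$ctl" "$tap")
        xterm -T "$umid" -e sh -c "$cmd" &
    done
}

# Host side, as root: forward between the two TUN/TAP interfaces and point
# each inside network at its firewall (the page's route commands).
host_routes() {
    sysctl -w net.ipv4.ip_forward=1
    route add -net 10.0.1.0 netmask 255.255.255.0 gw 3.0.0.1
    route add -net 10.0.2.0 netmask 255.255.255.0 gw 5.0.0.1
}

case "${1:-}" in
up)     lab_up ;;
routes) host_routes ;;
esac
```

Bring the lab up with sh lab.sh up from the directory holding the UML kernel and the four machine directories, wait until all four guests have booted, then run sh lab.sh routes as root on the host. Keeping the inventory in one place is the point: adding a fifth machine, say a sniffer on the sunnydale.com switch, is one more line, and the MAC check catches the collision before the switch starts misdelivering frames.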