Securing Network Access with Open Source solutions

My presentation from Atlanta Linux Fest on how to allow users secure access to your network using open source technologies. Examples include how to add two-factor authentication to Apache, OpenVPN, Astaro, NX etc.

1. Securing Network Access with Open Source Solutions
   Nick Owen, 9/19/09, @wikidsystems, [email_address]
2. Letting the Good Guys In
   - You must set up a firewall, but it is just a bump in the road for the attacker
   - You need to open ports for access
   - You need to provide services
   - You need to do it as securely as possible
3. Is this your Network?
   - Lots of firewall rules
   - Multiple password datastores
   - Lots of protocols
   - Static passwords
4. Our Goal: Securely allow access to the network with simplicity and flexibility.
5. What's important?
   - Security!
   - Meet Regulatory/Compliance requirements
   - Flexibility: add/remove pieces
   - Users are happy-ish
   - Admins are happy-ish
6. What are we going to do?
   - Authenticate users
   - Through encrypted tunnels
   - Using authentication protocols
   - To secure applications!
7. There's more than one way...
   - A number of two-factor solutions
   - Multiple authentication protocols
   - Many applications
8. To skin this cat
   - SSH
   - Astaro
   - OpenVPN
   - Apache/Squid
   - NX
   - Postgresql
9. Who or what is connecting? (image captions: Evil Princess Duck, Bot, Sweet Chicky Chirpalot)
10. Static Passwords
   - The most frequent password: '123456', followed by 'password'
   - Password reuse
   - Passwords are clearly a 20th Century technology
11. Trivia
   - What was Dan Kaminsky's Wordpress password?
12. Certs & Keys
   - Certificates
     - Offline brute-force of passphrase
     - Is there a passphrase?
     - Integration across apps is the real problem
   - SSH Keys
     - Love them, but there are audit issues
     - Is there a passphrase?
     - No key expiration system
13. One-time passwords
   - A number of Open Source options:
     - WiKID, Opie, FreeToken, OTP Auth
   - Passwords work everywhere
   - Just need to change the back-end
   - Shared Secret or Public key
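The slide splits OTP systems into shared-secret and public-key designs. As an added example that is not from the slides or from any of the products named, here is the shared-secret kind (HOTP, RFC 4226) together with the server-side counter check that makes a captured OTP useless a second time; the secret is the RFC's own test value, and the validator class and its look-ahead window are this example's choices.

```python
"""HOTP (RFC 4226): one-time passwords from a shared secret. Added example, not
from the slides. The server-side validator shows the property that makes an OTP
better than a static password: a value is only accepted once, and only if its
counter is ahead of the last one accepted, so a sniffed OTP cannot be replayed."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpValidator:
    """Server side. Tracks the last accepted counter and looks a few counters
    ahead so a token press that never reached the server does not lock the user
    out. Counters at or below the last accepted one are never accepted."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.look_ahead = look_ahead
        self.last_counter = -1                     # nothing accepted yet

    def verify(self, otp: str) -> bool:
        start = self.last_counter + 1
        for counter in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, counter), otp):
                self.last_counter = counter        # resync; burns this and all earlier counters
                return True
        return False
```

Run against the RFC 4226 test vectors (secret `12345678901234567890`) the first values are 755224, 287082, 359152; a second submission of any of them must be refused.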
14. About SMS
   - Trivia: What security question got attackers control of Paris Hilton's cell phone account?
15. Flexibility comes from Protocols
   - Radius
   - LDAP
   - TACACS+
   - SAML
   - etc.
16. Why I like Radius
   - Simple: server, port, shared secret
   - It's a pretty standard standard
   - All commercial VPN products support it
   - Can do ACLs
   - Freeradius is an excellent product
   - Even MS supports proxy radius auth now!
17. PAM rules!
   - Once you grok PAM, you get:
     - SSH
     - Sudo
     - Login
     - SFTP
     - Etc, etc, etc
18. PAM Radius
   - Edit /etc/raddb/server:
         radiusserverIPaddress  shared_secret  1
   - Edit /etc/pam.d/sshd (for example):
         auth  sufficient  /lib/security/pam_radius_auth.so
19. PAM Radius example
         #%PAM-1.0
         auth      include     system-auth
         auth      sufficient  /lib/security/pam_radius_auth.so
         account   include     system-auth
         account   sufficient  /lib/security/pam_radius_auth.so
         password  include     system-auth
         session   optional    pam_keyinit.so force revoke
         session   include     system-auth
20. SSH
   - Create an SSH Gateway box
     - All users auth using 2-factor to the GW
     - Keys on Gateway for SSO to boxes
     - No password file on Gateway boxes
     - No remote root access
     - Sudo requires a 2nd OTP
   - Use the command line token :)
21. Astaro & WiKID
   - A detailed example
   - Two-factor authentication & VPN access
   - Using Radius
   - PPTP VPN
22. Configure Radius on Astaro
23. Enable Radius
24. Point it to the OTP or Radius server
25. Associate the Group with a VPN
26. Create a WiKID Domain
27. Create a Radius Network Client
28. Add Shared Secret
29. Done!
30. For the End-User
31. Select Domain & Enter PIN
32. Enter OTP & Connect
33. OpenVPN
   - Create an /etc/pam.d/openvpn file
   - Add to client.conf or client.ovpn:
         auth-user-pass
   - Add to server.conf:
         plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so openvpn
34. Apache!
   - HTTP auth, & most web apps
   - CMSs
   - WebDAV
   - Webmail
   - Wordpress
   - PHPBB, etc, etc
35. Apache Radius Example
   - Install mod-auth-radius:
         $ sudo apt-get install libapache-mod-auth-radius
   - In your httpd.conf add:
         AddRadiusAuth radius_server:1812 shared_secret 5
         AddRadiusCookieValid 60
   - Remember Radius is port 1812 *UDP*
36. Apache Radius Example (cont'd)
   - Enter this into your apache2.conf:
         # the slide shows <Location> without its URL-path argument; Apache requires one
         <Location>
         Options Indexes FollowSymlinks
         AuthType Basic
         AuthName "WiKID RADIUS authentication"
         AuthBasicAuthoritative Off
         AuthBasicProvider radius
         AuthRadiusAuthoritative on
         AuthRadiusActive On
         Require valid-user
         </Location>
   - Restart Apache!
37. Squid
   - Configure auth_param to use pam:
         auth_param basic program /usr/lib/squid/pam_auth
   - Then set the ACL rules, delete the other http_access rules:
         acl pam proxy_auth REQUIRED
         http_access allow pam
38. SSL Attacks
   - Malicious WiFi APs
   - DNS cache poisoning
   - Malware
   - SSL stripping
39. Prevent MITM attacks with Mutual HTTPS Auth
   - In WiKID, add a "Registered URL" to the domain
   - The server will store a hash of the site's SSL cert
   - When the user requests an OTP, the token retrieves the site's SSL cert and compares its hash with the stored one
   - If they match, it launches the browser to the URL
40. Remote Desktop
   - FreeNX, NoMachine, Tacix, NeatX (google them)
   - Remote X, VNC, RDP, desktop sharing and session shadowing
   - Tunneled through SSH
   - Auth via pam: /etc/pam.d/sshd
   - Quite fast
41. Postgresql
   - Edit the pg_hba.conf:
         host  all  all  192.168.0.0/24  pam  postgresql
     (PostgreSQL 9.0 and later write the PAM service option as pamservice=postgresql)
   - Edit your /etc/pam.d/postgresql
   - What about MySQL?
42. Pretty Lame Diagram (labels: VPN, SSH, HTTPS Gateway; Desktop, Mail, Web; Auth/Radius Server; RADIUS, LDAP, etc; SSH, RDP, VNC, HTTPS)
43. Join the cause!
   - If Linux geeks aren't leading the way to increased security, who will?
   - Static passwords are teh suxxor
   - Demand two-factor authentication!
   - Contribute!
44. The next Dan Kaminsky?
   - Protect SSH with two-factor
   - Have a root password > 5 characters, don't use it, use sudo
   - Protect sudo with two-factor
   - WordPress: protect /wordpress/wp-admin/ with two-factor
   - Switch to Postgresql & use two-factor
   - Only open ports are 22, 80 and 443
45. More Information
   - http://www.kernel.org/pub/linux/libs/pam/
   - http://freeradius.org/pam_radius_auth/
   - http://sourceforge.net/projects/tacplus/
   - http://www.wikidsystems.com/
     - WiKID Documentation Center -> Integration How-tos
     - Downloads -> Network Clients
       - Ruby, Python, PHP, C#, Java
46. Any questions? [email_address] @wikidsystems