Securing Network Access with Open Source Solutions Nick Owen 9/19/09 @wikidsystems [email_address]

Letting the Good Guys In You must setup a firewall, but it is just a bump in the road for the attacker You need to open ports for access You need to provide services You need to do it as securely as possible

You must setup a firewall, but it is just a bump in the road for the attacker

You need to open ports for access

You need to provide services

You need to do it as securely as possible

Is this your Network? Lots of firewall rules Multiple password datastores Lots of protocols Static passwords

Lots of firewall rules

Multiple password datastores

Lots of protocols

Static passwords

Our Goal: Securely allow access to the network with simplicity and flexibility.

What's important? Security! Meet Regulatory/Compliance requirements Flexibility – add/remove pieces Users are happy-ish Admins are happy-ish

Security!

Meet Regulatory/Compliance requirements

Flexibility – add/remove pieces

Users are happy-ish

Admins are happy-ish

What are we going to do? Authenticate user Through encrypted tunnels Using authentication protocols To secure applications!

Authenticate user

Through encrypted tunnels

Using authentication protocols

To secure applications!

There's more than one way... A number of two-factor solutions Multiple Authentication Protocols Many applications

A number of two-factor solutions

Multiple Authentication Protocols

Many applications

To skin this cat SSH Astaro OpenVPN Apache/Squid NX Postgresql

SSH

Astaro

OpenVPN

Apache/Squid

NX

Postgresql

Who or what is connecting? Evil Princess Duck Bot Sweet Chicky Chirpalot

Static Passwords The most frequent password: '123456', followed by 'password' Password reuse Passwords are clearly a 20 th Century Technology

The most frequent password: '123456', followed by 'password'

Password reuse

Passwords are clearly a 20 th Century Technology

Trivia What was Dan Kaminsky's Wordpress password?

What was Dan Kaminsky's Wordpress password?

Certs & Keys Certificates Offline brute-force of passphrase Is there a passphrase? Integration across apps is the real problem SSH Keys Love them, but there are audit issues Is there a passphrase? No key expiration system

Certificates

Offline brute-force of passphrase

Is there a passphrase?

Integration across apps is the real problem

SSH Keys

Love them, but there are audit issues

Is there a passphrase?

No key expiration system

One-time passwords A number of Open Source options: WiKID, Opie, FreeToken, OTP Auth Passwords work everywhere Just need to change the back-end Shared Secret or Public key

A number of Open Source options:

WiKID, Opie, FreeToken, OTP Auth

Passwords work everywhere

Just need to change the back-end

Shared Secret or Public key

About SMS Trivia: What security question got attackers control of Paris Hilton's cell phone account?

Trivia: What security question got attackers control of Paris Hilton's cell phone account?

Flexibility comes from Protocols Radius LDAP TACACS+ SAML etc

Radius

LDAP

TACACS+

SAML

etc

Why I like Radius Simple. Server, Port, Shared Secret It's a pretty standard standard All commercial VPN products support it Can do ACL Freeradius is an excellent product Even MS supports proxy radius auth now!

Simple. Server, Port, Shared Secret

It's a pretty standard standard

All commercial VPN products support it

Can do ACL

Freeradius is an excellent product

Even MS supports proxy radius auth now!

PAM rules! Once you grok PAM, you get: SSH Sudo Login SFTP Etc, etc, etc

Once you grok PAM, you get:

SSH

Sudo

Login

SFTP

Etc, etc, etc

PAM Radius Edit /etc/raddb/server: radiusserverIPaddress shared_secret 1 Edit /etc/pam.d/sshd (for example) auth sufficient /lib/security/pam_radius_auth.so

Edit /etc/raddb/server:

radiusserverIPaddress shared_secret 1

Edit /etc/pam.d/sshd (for example)

auth sufficient /lib/security/pam_radius_auth.so

Pam radius example #%PAM-1.0 auth include system-auth auth sufficient /lib/security/pam_radius_auth.so account include system-auth account sufficient /lib/security/pam_radius_auth.so password include system-auth session optional pam_keyinit.so force revoke session include system-auth

#%PAM-1.0

auth include system-auth

auth sufficient /lib/security/pam_radius_auth.so

account include system-auth

account sufficient /lib/security/pam_radius_auth.so

password include system-auth

session optional pam_keyinit.so force revoke

session include system-auth

SSH Create an SSH Gateway box All users auth using 2 Factor to the GW Keys on Gateway for SSO to boxes No password file on Gateway boxes No remote root access Sudo requires 2 nd OTP Use the command line token :)

Create an SSH Gateway box

All users auth using 2 Factor to the GW

Keys on Gateway for SSO to boxes

No password file on Gateway boxes

No remote root access

Sudo requires 2 nd OTP

Use the command line token :)

Astaro & WiKID A detailed example Two-factor authentication & VPN Access Using Radius PPTP vpn

A detailed example

Two-factor authentication & VPN Access

Using Radius

PPTP vpn

Configure Radius on Astaro

Enable Radius

Point it to the OTP or Radius server

Associate the Group with a VPN

Create A WiKID Domain

Create a Radius Network Client

Add Shared Secret

Done!

For the End-User

Select Domain & Enter PIN

Enter OTP & Connect

OpenVPN Create an /etc/pam.d/openvpn file Add to client.conf or client.opvn: auth-user-pass Add to server.conf: plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so openvpn

Create an /etc/pam.d/openvpn file

Add to client.conf or client.opvn:

auth-user-pass

Add to server.conf:

plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so openvpn

Apache! Http-auth, & most web apps CMSs Web-DAV Webmail Wordpress PHPBB, Etc, etc

Http-auth, & most web apps

CMSs

Web-DAV

Webmail

Wordpress

PHPBB, Etc, etc

Apache Radius Example Install mod-auth-radius $ sudo apt-get install libapache-mod-auth-radius In your httpd.conf add: AddRadiusAuth radius_server:1812 shared_secret 5 AddRadiusCookieValid 60 Remember Radius is port 1812 *UDP*

Apache Radius Example con't Enter this into your apache2.conf: <location> Options Indexes FollowSymlinks AuthType Basic AuthName &quot;WiKID RADIUS authentication&quot; AuthBasicAuthoritative Off AuthBasicProvider radius AuthRadiusAuthoritative on AuthRadiusActive On Require valid-user </location> Restart Apache!

Squid Configure auth_param to use pam: auth_param basic program /usr/lib/squid/pam_auth Then set the ACL rules, delete the other http_access rules: acl pam proxy_auth REQUIRED http_access allow pam

Configure auth_param to use pam:

auth_param basic program /usr/lib/squid/pam_auth

Then set the ACL rules, delete the other http_access rules:

acl pam proxy_auth REQUIRED

http_access allow pam

SSL Attacks Malicious WiFi APs DNS-Cache poisoning Malware SSL stripping

Malicious WiFi APs

DNS-Cache poisoning

Malware

SSL stripping

Prevent MITM attacks with Mutual HTTPS Auth In WiKID, add a “Registered URL” to the domain The Server will store a hash of the site's SSL cert. When the user requests an OTP, the token gets the SSL and compares the two If OK, it launches the browser to the URL

In WiKID, add a “Registered URL” to the domain

The Server will store a hash of the site's SSL cert.

When the user requests an OTP, the token gets the SSL and compares the two

If OK, it launches the browser to the URL

Remote Desktop FreeNX, NoMachine, Tacix, NeatX (google) Remote X, VNC, RDP, desktop sharing and session shadowing Tunneled through SSH Auth via pam: /etc/pam.d/sshd Quite Fast

FreeNX, NoMachine, Tacix, NeatX (google)

Remote X, VNC, RDP, desktop sharing and session shadowing

Tunneled through SSH

Auth via pam: /etc/pam.d/sshd

Quite Fast

Postgresql Edit the pg_hba.conf: host all all 192.168.0.0/24 pam postgresql Edit your /etc/pam.d/postgresql What about MySQL?

Edit the pg_hba.conf:

host all all 192.168.0.0/24 pam postgresql

Edit your /etc/pam.d/postgresql

What about MySQL?

Pretty Lame Diagram VPN, SSH, HTTPS Gateway Desktop, Mail, Web Auth/Radius Server RADIUS, LDAP, etc SSH, RDP, VNC, HTTPS

Join the cause! If Linux geeks aren't leading the way to increased security, who will? Static passwords are teh suxxor Demand two-factor authentication! Contribute!

If Linux geeks aren't leading the way to increased security, who will?

Static passwords are teh suxxor

Demand two-factor authentication!

Contribute!

The next Dan Kaminsky? Protect SSH with two-factor Have root password > 5 characters, don't use it, use sudo Protect sudo with two-factor WordPress – protect /wordpress/wp-admin/ with two-factor Switch to Postgresql & use two-factor Only open ports are 22, 80 and 443

Protect SSH with two-factor

Have root password > 5 characters, don't use it, use sudo

Protect sudo with two-factor

WordPress – protect /wordpress/wp-admin/ with two-factor

Switch to Postgresql & use two-factor

Only open ports are 22, 80 and 443

More Information http://www.kernel.org/pub/linux/libs/pam/ http://freeradius.org/pam_radius_auth/ http://sourceforge.net/projects/tacplus/ http://www.wikidsystems.com/ WiKID Documentation Center ->Integration How-tos Downloads -> Network Clients Ruby, Python, PHP, C#, Java

http://www.kernel.org/pub/linux/libs/pam/

http://freeradius.org/pam_radius_auth/

http://sourceforge.net/projects/tacplus/

http://www.wikidsystems.com/

WiKID Documentation Center ->Integration How-tos

Downloads -> Network Clients

Ruby, Python, PHP, C#, Java

Any questions? [email_address] @wikidsystems