A penguin as a bouncer... Open Source Security Solutions



Rough side notes I used for a presentation on open source security solutions for the Handsonlab Open Source @ Schoten, 18th of October 2011

Published in: Technology
  • Purpose of presentation: 20 slides, 20 seconds, maximum presentation time of 6 minutes. Objective: visionary and innovating introduction.
  • Keywords: A) Virtual; Integrated; Enterprise; Federated; Combined; Contextual; Ad hoc; Distributed; Structured; Aggregated. B) Information; Data; Knowledge; Wisdom; Query; Content; Schema; Resource; Model. C) Integration; Infrastructure; Base; Broker; Systems; Management; Convergence; Architecture; Solution; Federation.
  • Connect keywords with focus. Keywords for Mobility: Freedom, Future, Productivity. Keywords for Security: Threats, Globalisation, Competition. Keywords for Virtualisation: Environment, Cost control, Financial crisis. Keywords for Digitisation: Future, Sustainability, Preservation, Competition.

A penguin as bouncer: Open source security solutions
Jan Guldentops ([email_address]), BA N.V. (http://www.ba.be)

RIP Dennis Ritchie (1941 - 2011)

About BA
  • More information

Information Integration

Our Commitment
  • Ask our partners

Our Commitment
  • Ask our clients
    • Government: Leuven, Hasselt, Boom, Overpelt, Mortsel, Ranst, Lummen, Olen, St-Katelijne-Waver, Kasterlee, Oud-Turnhout, OCMW Kontich, PZ Noord, Balen, Schoten, Zwijndrecht, KBR
    • Non-profit: Association Vincotte Nuclear, Idewe, Handicap International, Jeugd en Stad vzw
    • Enterprise: Hamburger Mannheimer, Didak Injection, Credimo, Nollekens (PGZ International), Altrad Havico, Paratel, Sodexo, Securex

Information Integration: BA’s infrastructure for:
  • Digitisation
  • Security
  • Mobility
  • Virtualisation
  • Data Storage and Warehousing
  • Data Protection and Integrity
  • Digital Preservation and Archiving
  • Data Access and Portability

Why BA? Principles
  • Experienced
  • Committed
  • Access to local know-how from a motivated team contributing to solving problems
  • Offering cost-effective open source integrations and IT services for more than 12 years
  • Reliable
  • Long-standing reputation as security innovator and managed solutions provider

BA & Open Source Principles
  • Oldest Belgian Linux company
  • Focus on open source: > 90% of the solutions we deliver are open source
  • Delivering Linux & open source solutions since 1996
  • Realism, no fundamentalism: we are convinced that open source is the best solution, without losing grip on reality

Who am I?
  • Jan Guldentops (°1973)
    • Building server and ICT infrastructures and solutions for > 15 years
    • Open source / Linux user since 1993
    • Founder of Better Access (°1996) / BA (°2003)
    • Open source fundamentalist (in my free time)
    • Spend a lot of my time in the lab

I am not a security expert
  • Beware of experts and consultants!
  • Rolled into it by putting security problems in the lab and proving they are real!
  • But I have been researching and trying to develop solutions since 1996
  • Involved in:
    • V-ICT-OR security task force
    • Infosecurity

Who are you?

BA and security
  • Standardized open source solutions:
    • Secure firewalling platform
    • Monitoring platform
    • Packaged antispam
    • Web application firewall
  • "MacGyver" projects:
    • Troubleshooting
    • Developing custom solutions largely based on open source

What is security?
  • A term that is often abused:
    • Marketing
    • Politicians
    • FUD
  • A guarantee of CIA:
    • Confidentiality
    • Integrity
    • Availability

There is no such thing as absolute security
  • Absolute security is an illusion
  • Always a balance between usability and security
  • Common sense is the best security product
  • Plan for the worst:
    • Security policy
    • Good system administration
    • Keep in the back of your head that things can go wrong

Religious wars
  • Open source is more secure than closed source
    • In itself it is not, but:
      • More eyeballs
      • No security by obscurity
      • Easier to fix problems
  • BSD versus Linux
    • BSD is what you get when a bunch of UNIX hackers sit down to try to port a UNIX system to the PC. Linux is what you get when a bunch of PC hackers sit down and try to write a UNIX system for the PC.

Lots of hidden open source in commercial solutions
  • 60% of appliances today have some sort of open source embedded in them:
    • The underlying OS
    • Parts of software such as web servers, application servers, etc.
  • Just to name a few:
    • Checkpoint, Vasco, MobileIron, VMware, Barracuda, Blue Coat, Netgear, Cisco
    • But also: Facebook, Amazon, Google

Security stuff embedded in the OS
  • Hardening Linux and other OSes to make them more secure:
    • Minimal install, minimal running services, minimal users, etc.
  • Secure administration:
    • Strong authentication, decent passwords, secure administration
  • Firewalling
  • Set up servers in a correct way
  • Host-based IDS

SELinux
  • Security Enhanced Linux:
    • Donated to Linux by the NSA in 2000
    • Mandatory access control through a kernel module
  • Every process / hardware resource / file has a three-string context (role, user, domain):
    • Permissions such as read, execute, bind, connect
  • Easy to create policies and tell exactly what a process can do
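Added example (not part of the original deck): how the per-process and per-file contexts from the SELinux slide show up in practice. Every subject and object carries a context of the form user:role:type:level, and each access the policy refuses is written to the audit log as an AVC record naming both contexts, the object class and the denied permission. The script splits a context into its fields, summarises a single denial, and counts repeated denials so you know which type/permission pairs a policy change would have to cover. The audit lines are constructed to match the real format; the domains, file names and PIDs are invented.

```shell
#!/bin/sh
# Reading SELinux denials. Sample AVC records below are constructed for the
# example; the format follows what the kernel writes to /var/log/audit/audit.log.

# Split one context string (user:role:type:level) into named fields
ctx_fields() {
  printf '%s\n' "$1" | awk -F: '{ printf "user=%s role=%s type=%s level=%s\n", $1, $2, $3, $4 }'
}

# Summarise one AVC line as: <permission> <source type> <target type> <class>
avc_summary() {
  line=$1
  perm=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//')
  stype=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p' | cut -d: -f3)
  ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p' | cut -d: -f3)
  tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
  printf '%s %s %s %s\n' "$perm" "$stype" "$ttype" "$tclass"
}

# Read an audit log on stdin and count distinct (permission, source type,
# target type, class) denials, most frequent first: the starting point for
# deciding whether a file is mislabelled or the policy really needs a rule
avc_triage() {
  grep 'avc:  denied' | while IFS= read -r l; do avc_summary "$l"; done | sort | uniq -c | sort -rn
}

# Constructed sample: a web server reading files in a home directory (a
# labelling problem) and trying to reach the database port (a policy question)
SAMPLE_LOG='type=AVC msg=audit(1318924800.101:301): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1318924800.102:302): avc:  denied  { read } for  pid=1234 comm="httpd" name="logo.png" dev=sda1 ino=98766 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1318924800.103:303): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

ctx_fields system_u:system_r:httpd_t:s0
printf '%s\n' "$SAMPLE_LOG" | avc_triage
```

On a live system the same triage runs as `avc_triage < /var/log/audit/audit.log`. The two kinds of denial in the sample call for different fixes: files under a home directory served by httpd usually need relabelling to the type the web server is allowed to read, while a connect to the database port is a deliberate policy decision that is normally switched on with a boolean rather than a hand-written rule.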
Firewalls
  • Advanced networking tools in Linux:
    • IPv6, bridging, QoS, traffic shaping, tagged VLANs, etc.
  • Firewalling through iptables
  • Very cheap devices available:
    • e.g. Netgear WRT3700

iptables firewalls
  • Traditionally init scripts with the iptables commands in them
  • Bad web interfaces
  • We use: Fwbuilder
    • http://www.fwbuilder.org
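Added example (not from the deck or from Fwbuilder): the "init script full of iptables commands" the slide refers to, written as one shell function so the shape of a sane host ruleset is visible: default-deny policy, loopback and established traffic first, rate-limited SSH, explicitly published services, and a rate-limited log entry before packets fall through to the DROP policy. The interface name eth0 and the published ports are assumptions; the IPT variable defaults to echo so the script only prints the rules it would load.

```shell
#!/bin/sh
# Minimal stateful host firewall in the classic init-script style.
# IPT defaults to "echo" so running this only prints the rules; run it as root
# with IPT=iptables to apply them for real.
IPT=${IPT:-echo}

basic_firewall() {
  # $1 = external interface (assumed name, e.g. eth0); remaining args = TCP ports to publish
  wan=$1; shift

  # Clean slate and default-deny for anything arriving or being forwarded
  $IPT -F
  $IPT -X
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT ACCEPT

  # Loopback and replies to connections we opened are always fine
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Packets that claim to belong to a connection the kernel never saw
  $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

  # SSH from outside, but a source that opens 5 new connections within 60 s is dropped
  $IPT -A INPUT -i "$wan" -p tcp --dport 22 -m conntrack --ctstate NEW \
       -m recent --set --name SSH
  $IPT -A INPUT -i "$wan" -p tcp --dport 22 -m conntrack --ctstate NEW \
       -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
  $IPT -A INPUT -i "$wan" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

  # Services this host is meant to publish
  for port in "$@"; do
    $IPT -A INPUT -i "$wan" -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
  done

  # Keep the box pingable without letting echo requests flood it
  $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT

  # Log what is about to be dropped (rate limited so an attacker cannot fill the disk),
  # then let the INPUT policy drop it
  $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: " --log-level 4
}

basic_firewall eth0 80 443
```

The log line is what makes this useful operationally: a burst of "FW-DROP:" entries for one source and one port is the kind of thing the monitoring slide later on should be alerting on.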
Fwbuilder
  • One program to manage all firewalling, routing and NAT
  • Works on a workstation and creates two files:
    • XML file with all meta-information
    • Init script
  • Can create firewall scripts for Cisco, BSD, Linux and ProCurve from one rule and object set!

Web application firewalls
  • Firewall on the HTTP(S) level:
    • Apache in combination with mod_security, mod_rewrite, mod_proxy
    • Checks / logs every request
    • Prevents known security problems
    • Temporarily patches new holes in your web app
    • Logs everything for forensic research
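Added example (not from the deck): the Apache + mod_security + mod_proxy + mod_rewrite combination from the slide, as a virtual host that fronts a backend application, inspects and logs every request, and carries one "virtual patch" that blocks a hypothetical path-traversal bug in a request parameter until the application itself is fixed. The hostname, backend address, log path, rule ids and the vulnerable parameter name are all assumptions; the shell function only writes the configuration so the result can be inspected without a running Apache.

```shell
#!/bin/sh
# Writes a reverse-proxy WAF vhost for Apache (mod_proxy + mod_security 2.x +
# mod_rewrite). All names in it are assumptions for the example.
write_waf_vhost() {
  # $1 = output path, $2 = public hostname, $3 = backend URL
  cat > "$1" <<EOF
<VirtualHost *:80>
    ServerName $2
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / $3
    ProxyPassReverse / $3

    # mod_security: inspect every request including POST bodies, log the relevant ones
    SecRuleEngine On
    SecRequestBodyAccess On
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/apache2/modsec_audit.log
    SecDefaultAction "phase:2,log,deny,status:403"

    # Virtual patch for a (hypothetical) traversal bug in the 'file' parameter:
    # blocks the request at the proxy until the application is fixed
    SecRule ARGS:file "@contains ../" "id:100001,phase:2,t:urlDecodeUni,deny,status:403,log,msg:'virtual patch: traversal in file parameter'"

    # Methods the application never uses are refused before the body is even read
    SecRule REQUEST_METHOD "!^(?:GET|POST|HEAD)\$" "id:100002,phase:1,deny,status:405,log,msg:'unexpected HTTP method'"

    # mod_rewrite: an old URL scheme still linked from elsewhere, sent to the new one
    RewriteEngine On
    RewriteRule ^/old/(.*)\$ /new/\$1 [R=301,L]
</VirtualHost>
EOF
}

# Lists the mod_security rule ids present in a config file (handy when several
# virtual patches accumulate and ids must stay unique)
waf_rule_ids() {
  sed -n 's/.*"id:\([0-9]*\),.*/\1/p' "$1"
}

out=$(mktemp)
write_waf_vhost "$out" www.example.org http://127.0.0.1:8080/
cat "$out"
echo "rule ids: $(waf_rule_ids "$out" | tr '\n' ' ')"
rm -f "$out"
```

SecAuditEngine RelevantOnly keeps the audit log to requests that triggered a rule or an error; switch it to On while investigating an incident if you need the full request record the slide mentions for forensic work.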
Authentication / user management
  • Strong need for one user/rights base (directory):
    • OpenLDAP
    • eDirectory / Red Hat Directory
  • If you have to integrate with AD
  • Security through Kerberos
  • Strong authentication:
    • Complete eID integration
    • Certificates, tokens

VPN solutions
  • Traditional VPN solutions:
    • IPsec
    • PPTP
  • OpenVPN:
    • Cross-platform, works through almost every network, compresses and is easy to use
    • Two implementations:
      • Certificate-based
      • Password-based

SSL VPNs
  • Web-based VPNs
  • There was an excellent solution: SSL-Explorer
  • Bought by Barracuda, no more open source development
  • Fork Adito, later OpenVPN ALS, but not really a lot of development

Vulnerability assessment tools
  • The grandfather:
    • SATAN
  • Current:
    • Nessus
    • OpenVAS
  • Lots of other smaller tools:
    • e.g. Nmap, Hydra, Crack, WebScarab, Nikto, KisMAC, L0phtCrack, etc.
  • Sniffers: tcpdump / Wireshark
  • Good distro: BackTrack

Nmap / Nessus / OpenVAS
  • What can you do with this?
    • Inventory your network
    • Check for:
      • Remotely and locally exploitable vulnerabilities
      • Misconfiguration (e.g. open mail relay, missing patches, etc.)
      • Bad passwords
      • DoS vulnerabilities
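Added example (not from the deck, not nmap's own code): the "inventory your network" use of nmap from the slide. Nmap's grepable output format (-oG) puts one tab-separated line per host with a "Ports:" field; the script turns that into an inventory of open ports and then compares it with an allow-list of what each host is supposed to expose, so an unexpected listener (here an SMTP service on a file server) stands out. The scan output, host names and services are constructed.

```shell
#!/bin/sh
# Network inventory from nmap grepable output. The sample scan is constructed to
# look like "nmap -sV -oG" output; addresses, hosts and versions are invented.

# Writes the constructed sample scan to a temp file and prints its path
gnmap_sample_file() {
  f=$(mktemp)
  {
    printf '# Nmap 5.51 scan initiated as: nmap -sV -oG inventory.gnmap 192.168.1.0/24\n'
    printf 'Host: 192.168.1.10 (fileserver.example.lan)\tStatus: Up\n'
    printf 'Host: 192.168.1.10 (fileserver.example.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/, 25/open/tcp//smtp//Postfix smtpd/, 445/open/tcp//netbios-ssn//Samba smbd 3.X/\tIgnored State: closed (997)\n'
    printf 'Host: 192.168.1.20 (www.example.lan)\tStatus: Up\n'
    printf 'Host: 192.168.1.20 (www.example.lan)\tPorts: 80/open/tcp//http//Apache httpd 2.2.16/, 443/open/tcp//ssl|http//Apache httpd 2.2.16/, 3306/filtered/tcp//mysql///\tIgnored State: closed (997)\n'
    printf '# Nmap done -- 256 IP addresses (2 hosts up)\n'
  } > "$f"
  printf '%s\n' "$f"
}

# $1 = gnmap file; prints "ip port proto service version" for every open port
gnmap_open_ports() {
  awk -F'\t' '
    /^Host:/ {
      split($1, h, " "); ip = h[2]
      for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
        sub(/^Ports: /, "", $i)
        n = split($i, p, ", ")
        for (j = 1; j <= n; j++) {
          # entry layout: port/state/proto/owner/service/rpcinfo/version/
          split(p[j], f, "/")
          if (f[2] == "open") printf "%s %s %s %s %s\n", ip, f[1], f[3], f[5], f[7]
        }
      }
    }' "$1"
}

# $1 = gnmap file, $2 = allow-list file with one "ip port" per line;
# prints every open port that is not on the allow-list
gnmap_unexpected() {
  gnmap_open_ports "$1" | awk -v allow="$2" '
    BEGIN { while ((getline l < allow) > 0) ok[l] = 1 }
    !(($1 " " $2) in ok)'
}

scan=$(gnmap_sample_file)
echo "== inventory =="
gnmap_open_ports "$scan"
allow=$(mktemp)
printf '192.168.1.10 22\n192.168.1.10 445\n192.168.1.20 80\n192.168.1.20 443\n' > "$allow"
echo "== open but not on the allow-list =="
gnmap_unexpected "$scan" "$allow"
rm -f "$scan" "$allow"
```

Run periodically against your own ranges, the diff between two inventories is the cheapest change detection there is; the allow-list comparison is what turns a scan into a check against the "minimal running services" rule from the hardening slide.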
IDS
  • Network-based IDS:
    • Snort
    • Sniffs the network and looks for predefined attack signatures
    • Alerts you to potential attacks
    • Can be combined with scripts that automagically change the firewall
  • Host-based IDS:
    • Checks that there is nothing rotten in the kitchen
    • AIDE, Samhain, Tripwire
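Added example (not from the deck, and not code from AIDE, Samhain or Tripwire): the principle those host-based IDS tools implement, reduced to a few lines of shell. A baseline of file hashes is recorded once; a later run reports which files were added, removed or changed since. The throwaway directory and its contents are constructed, sha256sum is assumed to be available, and paths containing whitespace are not handled (the real tools do, and also track ownership, permissions and inode data).

```shell
#!/bin/sh
# File-integrity baseline and check, the idea behind AIDE/Samhain/Tripwire.
# Sample files are constructed; sha256sum (coreutils) is assumed.

# Hash every file under a directory: one "hash  ./path" line per file, sorted by path
hids_snapshot() {
  ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k2 )
}

# $1 = directory to protect, $2 = baseline file to write. Keep the baseline
# where the protected host cannot quietly rewrite it (read-only media, another box).
hids_baseline() {
  hids_snapshot "$1" > "$2"
}

# $1 = directory, $2 = baseline; prints one ADDED/REMOVED/CHANGED line per
# difference and nothing at all when the tree still matches the baseline
hids_check() {
  hids_snapshot "$1" | awk -v base="$2" '
    BEGIN { while ((getline l < base) > 0) { split(l, f, " "); b[f[2]] = f[1] } }
    {
      seen[$2] = 1
      if (!($2 in b))         print "ADDED   " $2
      else if (b[$2] != $1)   print "CHANGED " $2
    }
    END { for (p in b) if (!(p in seen)) print "REMOVED " p }'
}

# Demo on a throwaway directory
demo=$(mktemp -d)
printf 'welcome\n' > "$demo/motd"
printf 'root:x:0:0\n' > "$demo/passwd"
hids_baseline "$demo" "$demo.baseline"
printf 'root:x:0:0\nalice:x:1001:1001\n' > "$demo/passwd"   # simulate a change after the baseline
rm "$demo/motd"
printf 'x\n' > "$demo/new.file"
hids_check "$demo" "$demo.baseline"
rm -rf "$demo" "$demo.baseline"
```

The output of hids_check is only as trustworthy as the baseline and the tool that produced it: if an intruder can rewrite both, the check says nothing. That is why the real tools sign or export their databases and why the slide pairs host-based IDS with good system administration rather than treating it as a stand-alone product.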
Antispam
  • Step 1: Correct MTA configuration
    • SPF
    • Whitelisting
    • Blacklisting
  • Step 2: Check content for typical known spam
    • SpamAssassin
    • DSPAM
  • Step 3: Manage your spam (e.g. Maia)

Niches / remarks
  • e.g. SQL firewall (GreenSQL)
    • Allows you to filter SQL queries through a proxy to prevent attacks
  • Monitoring
    • Use specialised monitoring to keep an eye on the security / status of your infrastructure
    • e.g. Nagios

New trends
  • Cloud / consumerism:
    • Software as a service
    • Platform as a service
  • Virtualisation
  • Mobile:
    • Android is a strong competitor

Thank you / Contact us
  • 016/29.80.45
  • 016/29.80.46
  • www.ba.be
  • Vaartdijk 3/501, B-3018 Wijgmaal
  • [email_address]
  • Twitter: JanGuldentops