A penguin as a bouncer... Open Source Security Solutions

Rough side notes I used for a presentation on open source security solutions for the hands-on lab Open Source @ Schoten, 18th of October 2011.


  1. A penguin as bouncer: Open source security solutions. Jan Guldentops ([email_address]), BA N.V. (http://www.ba.be)
  2. RIP Dennis Ritchie (1941 - 2011)
  3. About BA. More information
  4. Information Integration
  5. Our Commitment: Ask our partners
  6. Our Commitment: Ask our clients
     - Sectors: Government, Non-profit, Enterprise
     - Association Vincotte Nuclear, Idewe, Handicap International, Jeugd en Stad vzw
     - Hamburger Mannheimer, Didak Injection, Credimo, Nollekens (PGZ International), Altrad Havico, Paratel, Sodexo, Securex
     - Leuven, Hasselt, Boom, Overpelt, Mortsel, Ranst, Lummen, Olen, Sint-Katelijne-Waver, Kasterlee, Oud-Turnhout, OCMW Kontich, PZ Noord, Balen, Schoten, Zwijndrecht, KBR
  7. Information Integration: BA's infrastructure for:
     - Digitisation
     - Security
     - Mobility
     - Virtualisation
     - Data storage and warehousing
     - Data protection and integrity
     - Digital preservation and archiving
     - Data access and portability
  8. Why BA? Principles
     - Experienced
     - Committed: access to local know-how from a motivated team contributing to solving problems
     - Offering cost-effective open source integrations and IT services for more than 12 years
     - Reliable: long-standing reputation as security innovator and managed solutions provider
  9. BA & Open Source Principles
     - Oldest Belgian Linux company
     - Focus on open source: > 90% of the solutions we deliver are open source
     - Delivering Linux & open source solutions since 1996
     - Realism, not fundamentalism: we are convinced that open source is the best solution, without losing grip on reality
  10. Who am I?
     - Jan Guldentops (°1973)
       - Building server and ICT infrastructures and solutions for > 15 years
       - Open source / Linux user since 1993
       - Founder of Better Access (°1996) / BA (°2003)
       - Open source fundamentalist (in my free time)
       - Spend a lot of my time in the lab
  15. I am not a security expert
     - Beware of experts and consultants!
     - Rolled into it by putting security problems in the lab and proving they are real!
     - But I have been researching and trying to develop solutions since 1996.
     - Involved in:
       - V-ICT-OR security task force
       - Infosecurity
  20. Who are you?
  21. BA and security
     - Standardized open source solutions:
       - Secure firewalling platform
       - Monitoring platform
       - Packaged antispam
       - Web application firewall
     - "MacGyver" projects:
       - Troubleshooting
       - Developing custom solutions largely based on open source
  26. What is security?
     - A term that is often abused:
       - Marketing
       - Politicians
       - FUD
     - A guarantee of CIA:
       - Confidentiality
       - Integrity
       - Availability
  31. There is no such thing as absolute security
     - Absolute security is an illusion
     - Always a balance between usability and security
     - Common sense is the best security product
     - Plan for the worst:
       - Security policy
       - Good system administration
       - Keep in the back of your head that things can go wrong
  37. Religious wars
     - Open source is more secure than closed source
       - In itself it is not, but:
         - More eyeballs
         - No security by obscurity
         - Easier to fix problems
     - BSD versus Linux
       - BSD is what you get when a bunch of UNIX hackers sit down to try to port a UNIX system to the PC. Linux is what you get when a bunch of PC hackers sit down and try to write a UNIX system for the PC.
  40. Lots of hidden open source in commercial solutions
     - 60% of appliances today have some sort of open source embedded in them:
       - The underlying OS
       - Parts of software such as web servers, application servers, etc.
     - Just to name a few:
       - Checkpoint, Vasco, MobileIron, VMware, Barracuda, Blue Coat, Netgear, Cisco
       - But also: Facebook, Amazon, Google
  43. Security stuff embedded in the OS
     - Hardening Linux and other OSes to make them more secure:
       - Minimal install, minimal running services, minimal users, etc.
     - Secure administration:
       - Strong authentication, decent passwords, secure administration
     - Firewalling
     - Set up servers in a correct way
     - Host-based IDS
  46. SELinux
     - Security Enhanced Linux
       - Donated to Linux by the NSA in 2000
       - Mandatory Access Control through a kernel module
     - Every process / hardware / file has a 3-string context (Role, User, Domain)
       - read, execute, bind, connect
     - Easy to create policies and tell exactly what a process can do
  48. Firewalls
     - Advanced networking tools in Linux:
       - IPv6, bridging, QoS, traffic shaping, tagged VLANs, etc.
     - Firewalling through iptables
     - Very cheap devices available:
       - e.g. Netgear WRT3700
  50. iptables firewalls
     - Traditionally init scripts with the iptables commands in them
     - Bad web interfaces
     - We use: Fwbuilder
       - http://www.fwbuilder.org
  53. Fwbuilder
     - One program to manage all firewalling, routing and NAT
     - Works on a workstation and creates two files:
       - XML file with all meta-information
       - Init script
     - Can create firewall scripts for Cisco, BSD, Linux and ProCurve from one rule and object set!
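The slides describe the Fwbuilder approach: the firewall is described once as a set of named objects plus ordered rules, and a tool turns that into the init script full of iptables commands. The Python below is an added example written for this page, not Fwbuilder's own code: it generates a Linux iptables script only, and the address objects, services and rule set are constructed sample values. It emits a default-deny policy, a single stateful rule for return traffic, one line per abstract rule, and a final LOG rule so that traffic hitting the DROP policy shows up in the logs instead of being a mystery.

```python
"""Rule-and-object-set to iptables init-script generator.

Added example, not fwbuilder's own code: it mimics the idea the slides
describe (describe the firewall once as objects plus rules, emit the init
script) for Linux iptables only. Addresses and the rule set below are
constructed sample values.
"""
from __future__ import annotations
from dataclasses import dataclass

# Object set: named addresses and services (constructed for this example).
ADDRESSES = {
    "any": "0.0.0.0/0",
    "lan": "192.168.1.0/24",       # assumed internal network
    "webserver": "192.168.1.10",   # assumed host behind the firewall
}
SERVICES = {
    "ssh": ("tcp", 22),
    "http": ("tcp", 80),
    "https": ("tcp", 443),
    "dns": ("udp", 53),
}


@dataclass(frozen=True)
class Rule:
    src: str        # key in ADDRESSES
    dst: str        # key in ADDRESSES
    service: str    # key in SERVICES
    action: str     # "ACCEPT" or "DROP"
    log: bool = False


def rule_to_iptables(rule: Rule) -> list[str]:
    """Translate one abstract rule into iptables command lines for FORWARD.

    Only new connections are matched here; return traffic is handled once by
    the ESTABLISHED,RELATED rule that generate_script() emits first.
    """
    if rule.action not in ("ACCEPT", "DROP"):
        raise ValueError(f"unknown action {rule.action!r}")
    proto, port = SERVICES[rule.service]          # KeyError means a typo in the rule set
    match = (f"-p {proto} -s {ADDRESSES[rule.src]} -d {ADDRESSES[rule.dst]} "
             f"--dport {port} -m conntrack --ctstate NEW")
    lines = []
    if rule.log:
        lines.append(f'iptables -A FORWARD {match} -j LOG --log-prefix "fw-{rule.action.lower()}: "')
    lines.append(f"iptables -A FORWARD {match} -j {rule.action}")
    return lines


def generate_script(rules: list[Rule]) -> list[str]:
    """Emit a complete init-script style ruleset with a default-deny policy."""
    script = [
        "#!/bin/sh",
        "iptables -F",
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -P OUTPUT ACCEPT",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for rule in rules:
        script.extend(rule_to_iptables(rule))
    # Log whatever falls through to the DROP policy: this is how you notice a
    # missing rule instead of guessing from user complaints.
    script.append('iptables -A FORWARD -j LOG --log-prefix "fw-default-drop: "')
    return script


# Sample rule set, in the order the rules are evaluated (constructed).
RULES = [
    Rule("any", "webserver", "http", "ACCEPT"),
    Rule("any", "webserver", "https", "ACCEPT"),
    Rule("lan", "webserver", "ssh", "ACCEPT", log=True),
    Rule("lan", "any", "dns", "ACCEPT"),
]

if __name__ == "__main__":
    # Review the generated script before installing it as an init script.
    print("\n".join(generate_script(RULES)))
```

The generator never touches the running kernel; it only returns text, so the output can be diffed against the previous version and reviewed before it is installed, which is the main practical advantage of keeping the rule set in one place rather than editing iptables commands by hand.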
  56. Web application firewalls
     - Firewall on an HTTP(S) level:
       - Apache in combination with mod_security, mod_rewrite, mod_proxy
       - Checks / logs every request
       - Prevents known security problems
       - Temporarily patches new holes in your web app
       - Logs everything for forensic research
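To make the three points above concrete (inspect and log every request, block known bad patterns, put a temporary "virtual patch" in front of one endpoint until the application itself is fixed), here is an added example in Python, not mod_security's own code or rule set. It is a WSGI middleware; the rule ids, the hypothetical `/export` endpoint, its `id` parameter and the client address are constructed for the example.

```python
"""Minimal request-filtering WSGI middleware in the spirit of mod_security.

Added example, not mod_security itself: inspect and log every request,
reject known bad patterns, and apply a temporary "virtual patch" to one
application path. Paths, parameter names and rule ids are constructed.
"""
from __future__ import annotations
import re
from urllib.parse import parse_qs

# Generic rules applied to every request: (pattern, rule id, message).
GENERIC_RULES = [
    (re.compile(r"(^|/)\.\.(/|$)"), 1001, "path traversal sequence"),
    (re.compile(r"<script\b", re.I), 1002, "script tag in parameter"),
]

# Virtual patch (hypothetical endpoint): until the app is fixed, /export only
# accepts a numeric 'id' parameter of at most 8 digits. A missing 'id' is
# treated as a bad value on purpose, so the patch cannot be bypassed by
# leaving the parameter out.
VIRTUAL_PATCHES = {
    "/export": {"id": re.compile(r"^\d{1,8}$")},
}


def inspect(path: str, query: str) -> tuple[bool, list[str]]:
    """Return (allowed, findings) for one request path and query string."""
    findings = []
    params = parse_qs(query, keep_blank_values=True)
    for pattern, rule_id, msg in GENERIC_RULES:
        in_path = pattern.search(path) is not None
        in_params = any(pattern.search(v) for vs in params.values() for v in vs)
        if in_path or in_params:
            findings.append(f"rule {rule_id}: {msg}")
    patch = VIRTUAL_PATCHES.get(path)
    if patch:
        for name, allowed in patch.items():
            values = params.get(name, [""])
            if any(not allowed.match(v) for v in values):
                findings.append(f"virtual patch on {path}: bad value for {name!r}")
    return (not findings, findings)


class RequestFilter:
    """WSGI middleware: log every request, reject what inspect() flags."""

    def __init__(self, app, audit_log: list[str]):
        self.app = app
        self.audit_log = audit_log   # forensic record of all requests, allowed or not

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")
        query = environ.get("QUERY_STRING", "")
        allowed, findings = inspect(path, query)
        self.audit_log.append(
            f"{environ.get('REMOTE_ADDR', '-')} {environ.get('REQUEST_METHOD', 'GET')} "
            f"{path}?{query} {'ALLOW' if allowed else 'BLOCK'} {'; '.join(findings)}"
        )
        if not allowed:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"request blocked\n"]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for the protected web application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def run_request(app, path: str, query: str = "", addr: str = "203.0.113.5") -> str:
    """Drive a WSGI app with a constructed environ; return the status line."""
    status = {}

    def start_response(line, headers):
        status["line"] = line

    environ = {"PATH_INFO": path, "QUERY_STRING": query,
               "REQUEST_METHOD": "GET", "REMOTE_ADDR": addr}
    b"".join(app(environ, start_response))
    return status["line"]


if __name__ == "__main__":
    log: list[str] = []
    app = RequestFilter(demo_app, log)
    for p, q in [("/index.html", "q=hi"), ("/export", "id=42"), ("/export", "id=42abc")]:
        print(p, q, "->", run_request(app, p, q))
    print("\n".join(log))
```

The audit log records allowed requests too, not only blocked ones; that is the "logs everything for forensic research" point from the slide, and it is also what lets you see whether a new rule produces false positives before you switch it from logging to blocking.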
  61. Authentication / user management
     - Strong need for one user/rights base (directory):
       - OpenLDAP
       - eDirectory / Red Hat Directory
     - If you have to integrate with AD
     - Security through Kerberos
     - Strong authentication:
       - Complete eID integration
       - Certificates, tokens
  66. VPN solutions
     - Traditional VPN solutions:
       - IPsec
       - PPTP
     - OpenVPN:
       - Cross-platform, works through almost every network, compresses and is easy to use
       - Two implementations:
         - Certificate based
         - Password based
  70. SSL VPNs
     - Web-based VPNs
     - There was an excellent solution: SSL-Explorer
     - Bought by Barracuda, no more open source development
     - Fork Adito, later OpenVPN ALS, but not really a lot of development
  74. Vulnerability assessment tools
     - The grandfather: SATAN
     - Current:
       - Nessus
       - OpenVAS
     - Lots of other smaller tools:
       - e.g. Nmap, Hydra, Crack, WebScarab, Nikto, KisMAC, L0phtCrack, etc.
     - Sniffers: tcpdump / Wireshark
     - Good distro: BackTrack
  77. Nmap / Nessus / OpenVAS
     - What can you do with this?
       - Inventory your network
       - Check for:
         - Remotely and locally exploitable vulnerabilities
         - Misconfiguration (e.g. open mail relay, missing patches, etc.)
         - Bad passwords
         - DoS vulnerabilities
  82. IDS
     - Network-based IDS:
       - Snort
       - Sniffs the network and looks for predefined attack signatures
       - Alerts you to potential attacks
       - Can be combined with scripts that automagically change the firewall
     - Host-based IDS:
       - Checks that there is nothing rotten in the kitchen
       - AIDE, Samhain, Tripwire
  87. Antispam
     - Step 1: Correct MTA configuration
       - SPF
       - Whitelisting
       - Blacklisting
     - Step 2: Check content for typical known spam
       - SpamAssassin
       - DSPAM
     - Step 3: Manage your spam (e.g. Maia)
  91. Niches / remarks
     - e.g. SQL firewall (GreenSQL)
       - Allows you to filter SQL queries through a proxy to prevent attacks
     - Monitoring
       - Use specialised monitoring to keep an eye on the security / status of your infrastructure
       - e.g. Nagios
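The SQL firewall idea above (a proxy that sees every query before the database does) is usually built on query fingerprinting: literals are stripped from each statement, the remaining shape is learned during a training period, and afterwards only statements with a known shape pass. The Python below is an added example written for this page, not GreenSQL's code or its rule format; the table and column names in the sample queries are constructed.

```python
"""Query-shape whitelisting as done by SQL-proxy firewalls.

Added example, not GreenSQL's implementation: normalize each statement to
a fingerprint (literals replaced, whitespace and case folded), learn the
fingerprints the application actually produces, then enforce. Sample
queries and table names are constructed.
"""
from __future__ import annotations
import re

_STRING = re.compile(r"'(?:[^']|'')*'")          # single-quoted SQL string, '' escapes a quote
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")        # bare numeric literal (not t1, col2)
_SPACE = re.compile(r"\s+")


def normalize(sql: str) -> str:
    """Reduce a statement to its shape: literals become '?', case and spacing folded."""
    shape = _STRING.sub("?", sql)      # strings first, so digits inside them vanish too
    shape = _NUMBER.sub("?", shape)
    shape = _SPACE.sub(" ", shape).strip().rstrip(";").strip()
    return shape.lower()


class SqlFirewall:
    """Learn query shapes, then allow only those shapes."""

    def __init__(self) -> None:
        self.allowed: set[str] = set()
        self.learning = True

    def learn(self, sql: str) -> str:
        fp = normalize(sql)
        self.allowed.add(fp)
        return fp

    def enforce(self) -> None:
        """Switch from learning mode to blocking mode."""
        self.learning = False

    def check(self, sql: str) -> tuple[bool, str]:
        """Return (allowed, reason). In learning mode everything passes and is recorded."""
        fp = normalize(sql)
        if self.learning:
            self.allowed.add(fp)
            return True, "learned"
        if fp in self.allowed:
            return True, "known shape"
        return False, f"unknown shape: {fp}"


def filter_queries(fw: SqlFirewall, queries: list[str]) -> list[tuple[str, bool, str]]:
    """Run a batch of statements through the firewall, returning the decision per statement."""
    return [(q, *fw.check(q)) for q in queries]


if __name__ == "__main__":
    fw = SqlFirewall()
    # Training: the statements the application is known to issue (constructed).
    for q in ["SELECT id, name FROM users WHERE id = 42",
              "SELECT id, name FROM users WHERE name = 'alice'",
              "UPDATE users SET last_login = '2011-10-18' WHERE id = 7"]:
        fw.learn(q)
    fw.enforce()
    for q, ok, why in filter_queries(fw, [
            "SELECT id, name FROM users WHERE id = 9001",          # same shape, passes
            "SELECT id, name FROM users WHERE id = 1 OR 1 = 1",    # different shape, blocked
            "SELECT id, name FROM users WHERE name = 'O''Brien'",  # escaped quote handled
    ]):
        print("ALLOW" if ok else "BLOCK", why, "<-", q)
```

The usual operational caveat applies to both this sketch and the real products: the whitelist is only as complete as the training period, so a shape the application issues rarely (month-end reports, admin screens) will be blocked in enforce mode unless the firewall can log-and-alert instead of drop for a while first.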
  93. New trends
     - Cloud / consumerism:
       - Software as a service
       - Platform as a service
     - Virtualisation
     - Mobile:
       - Android is a strong competitor
  96. Thank you. Contact us:
     - 016/29.80.45
     - 016/29.80.46
     - www.ba.be
     - Vaartdijk 3/501, B-3018 Wijgmaal
     - [email_address]
     - Twitter: JanGuldentops
