
Just How Effective is System Hardening?

timothy posted more than 6 years ago | from the how-large-is-your-facade dept.

Security 154

SkiifGeek, pointing to our recent coverage of what the NSA went through to create SELinux, wants to know just how effective system hardening is at preventing successful attack, and writes "When Jay Beale presented at DefCon 14, he quoted statistics (PDF link) that Bastille protected against every major threat targeting Red Hat 6, before the threats were known. With simple techniques available for the everyday user which can start them on the path towards system hardening, just how effective have you found system and network hardening to be? The NSA does have some excellent guides to help harden not only your OS but also your browser and network equipment."


154 comments


Ahh yes, (5, Funny)

abolitiontheory (1138999) | more than 6 years ago | (#23390336)

/. is just the place to come for advice on "system hardening."

Re:Ahh yes, (5, Funny)

sm62704 (957197) | more than 6 years ago | (#23390680)

"Trinity" from The Matrix hardened my system!

Oh, you're talking about computer security? Never mind, then.

Re:Ahh yes, (4, Funny)

abolitiontheory (1138999) | more than 6 years ago | (#23390840)

Funny, all I got was,

"The system is down."

Am I gay?

Re:Ahh yes, (0, Offtopic)

larry bagina (561269) | more than 6 years ago | (#23390954)

Do you go down on man(1)? I hope you check if a hard dick is dirty before mount(2)ing it!

Re:Ahh yes, (0)

Anonymous Coward | more than 6 years ago | (#23391264)

Do you go down on man(1)? I hope you check if a hard dick is dirty before mount(2)ing it!

Shut the fsck(1) up.

Lunix bailout by big daddy gubment (-1, Troll)

Anonymous Coward | more than 6 years ago | (#23390936)

It's kind of amazing how, after years and years and years of beating their chests and flexing and bragging about how secure they were... it was only until recently that Teh Lunix became a secure OS. And because of a handout by Big Gubment, at that.

Your tax dollars at work, fixing a horribly insecure OS. Or saving it from itself, and its proponents, who believe obscurity is security.

BTW... why would the NSA be promoting computer security? Doesn't that just make it harder to spy on us all? I'd be suspicious of any code contributions on their end; it's more likely they've created hidden back doors (or just found plenty which were already there).

Re:Lunix bailout by big daddy gubment (4, Informative)

bkr1_2k (237627) | more than 6 years ago | (#23390974)

The NSA doesn't really care about hardening your system; they care about their own first, and those of the other US government agencies after that. They produce these guidelines to be used by other agencies and contractors, for use on systems that the NSA will then purchase.

As for backdoors, I don't know that they've created any code to secure the system, just produced a set of rules and guidelines that help people know what to secure and how.

Re:Lunix bailout by big daddy gubment (0)

Anonymous Coward | more than 6 years ago | (#23391568)

The NSA's a bunch of perverts!

Re:Lunix bailout by big daddy gubment (0)

Anonymous Coward | more than 6 years ago | (#23392026)

The NSA doesn't really care about hardening your system, they care about their own, first and those of the other US government agencies

No, the NSA is specifically tasked with protecting private US financial interests.

Re:Lunix bailout by big daddy gubment (4, Informative)

fuzzyfuzzyfungus (1223518) | more than 6 years ago | (#23391776)

The NSA, and state entities in general, have an interest in increasing security, even though it sometimes makes their job less convenient. The reason is pretty simple: insecure systems can be broken by anybody with sufficient knowledge and motivation: NSA, spammers, organized crime, foreign intelligence services, etc. Secure systems can be broken by a search warrant, only available to state entities. There are, I'm sure, a number of exceptions to this trend; but for something like computer security, the government's best interests are pretty clear.

The rest of your post is probably trolling; but what the hell, I'll answer it anyway: SELinux added Mandatory Access Control abilities to Linux. These are very useful, and very powerful, security features and it is definitely good that Linux now has them; but it is hardly the case that any OS without them is necessarily insecure.

As for the "handout" angle, SELinux was certainly a handout for Linux; but it was also the cheapest and most effective way for the NSA to make MAC widely available in a short period of time. The objective of the program was a handout of security from the NSA to other entities. The handout to Linux was just the easiest path to that objective.

Re:Lunix bailout by big daddy gubment (1)

AmaDaden (794446) | more than 6 years ago | (#23391860)

it was only until recently that Teh Lunix became a secure OS

There is no such thing as a secure OS. Security is relative. People have been saying that Linux has fewer known security holes than Windows. Thus it is more secure. Does this have something to do with Linux not being the top OS? Of course, but that does not change the numbers. Linux is harder to hack.

Your tax dollars at work, fixing a horribly insecure OS.

This was basically work on the internal govt systems, you know, the ones that hold all your personal information. They realized that with some work they could make an OS that is more secure than any of the ones they can currently get. Since they could not get their hands on the Windows code, Linux was the obvious choice.

Re:Ahh yes, ABSOLUTELY (Windows & *NIX too) (0)

Anonymous Coward | more than 6 years ago | (#23391716)

It is, & even for Windows NT-based OS of modern variety (although there is a HUGE "Pro-*NIX" slant to this website)!

See here:

----

HOW TO SECURE Windows 2000/XP/Server 2003 & even VISTA, & make it "fun to do", via CIS Tool Guidance:

http://www.security-forums.com/viewtopic.php?t=50567&sid=844e3c38a7f319ce1d05fd2ffd671294 [security-forums.com]

----

It just works... & CIS Tool is NOT JUST RESTRICTED TO Windows either (though that post url/thread above goes into way, WAY more you can do for Windows, or really *NIX too in some regards also), but it also has models for Sun Solaris, various Linux distro variants, & BSD variants as well!

Enjoy!

APK

Defense in Depth (5, Insightful)

Hyppy (74366) | more than 6 years ago | (#23390342)

System hardening is just another layer of a "defense in depth" security posture. The more layers, the better. So, if an adversary manages to get through your site firewall, access lists, IPS, vlan segregation, virus scanner, etc, they still have to contend with a hardened local system in order to compromise data.

System hardening is also very helpful against inside jobs, or against other systems on the network compromised through brute force or social engineering.

Re:Defense in Depth (4, Interesting)

tgatliff (311583) | more than 6 years ago | (#23390412)

I guess it depends on the type of system you are running, and how users interact with it. Most of what I do is building appliance based servers, so my focus is more on keeping users away from the shell, and limiting the number of services (http primarily) they can use. For me, adding SELinux to the mix on something like what I have would be a lot more painful and time consuming to implement, and probably not worth the extra time...

If you have to allow actual users to use a shell on that box, however, I would agree that a SELinux approach is critical because you cannot really determine where you will get attacked from...

Re:Defense in Depth (5, Insightful)

Hyppy (74366) | more than 6 years ago | (#23390658)

If you consider system hardening as more than just installing SELinux, you can see it helps secure more than just users with shell access.

Many of the SNACs (or STIGs as I remember them being called) go into detail in such areas as setting the method for password hashing, setting policies for allowed authentication protocols, disabling authentication on time mismatches, and a plethora of other things.

If nothing else, system hardening can be a "best practices" framework for your systems and/or network. I remember one of my systems administrators complaining to a security inspector that the system would not allow a log on if the security log was full instead of just overwriting old entries. He didn't realize that filling the security log with bogus crap could mask a real intrusion. Nobody knows absolutely everything, and not everyone has the time to sit down and understand every intricate detail. Using a system hardening approach, however, is a very good foundation to build your overall security posture.

You say that you only allow http, but what happens when a vulnerability is found in code that you use for your http application? That's what defense in depth is all about. You may be able to knock down this wall, but there are 10 more behind it that are even bigger.

Re:Defense in Depth (4, Insightful)

jandrese (485) | more than 6 years ago | (#23390830)

On the other hand, denying logins because the security log is full is a great way to open up your box to DOS attacks, especially if you are judiciously logging everything.

Re:Defense in Depth (5, Insightful)

Hyppy (74366) | more than 6 years ago | (#23390888)

Weigh it depending on your needs. Prioritize, without putting any two factors on equal footing. What is more important and least important out of these three: secure data, catching an intruder who may have accessed secure data, or having regular users log on during a DOS attack?

That's one of the biggest hurdles today in security: striking a balance and prioritizing. Everyone can say "Usability and security are both important," but it takes time and thought to come up with a detailed analysis of the priorities during an actual attack.

Re:Defense in Depth (1)

SatanicPuppy (611928) | more than 6 years ago | (#23391624)

Just restrict your logging to failed logins for valid users on valid ports, and then jack up the login attempt delay.

By far the majority of attacks are implemented using guesswork credentials.

It's not much of a problem anymore, because storage space is so cheap. I set mine to log everything for a few months, just out of curiosity at the crap going around my ISP, and even at the highest levels the logs were only taking up about 15% of my drive space; mostly automated brute force attacks.

Once I restricted the logging to ports that were open, and valid users, it dropped to practically nothing.
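Turning the distinction the post draws (guesswork against unknown accounts versus failures against real accounts) into a triage step, as an added example that is not the poster's setup: it parses OpenSSH auth.log lines, counts the pure-guess noise per source, and flags sources that fail repeatedly against valid accounts, which is the part worth keeping and alerting on even when the rest is dropped. The log lines and the threshold are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in OpenSSH auth.log format (not captured from any real host).
# sshd marks attempts against non-existent accounts with "invalid user".
SAMPLE_LOG = """\
May 13 09:01:12 host sshd[4021]: Failed password for invalid user oracle from 198.51.100.23 port 51022 ssh2
May 13 09:01:14 host sshd[4021]: Failed password for invalid user oracle from 198.51.100.23 port 51022 ssh2
May 13 09:01:19 host sshd[4025]: Failed password for invalid user test from 198.51.100.23 port 51030 ssh2
May 13 09:02:40 host sshd[4031]: Failed password for root from 203.0.113.9 port 40011 ssh2
May 13 09:02:43 host sshd[4031]: Failed password for root from 203.0.113.9 port 40011 ssh2
May 13 09:05:02 host sshd[4040]: Failed password for alice from 192.0.2.77 port 52210 ssh2
May 13 09:05:09 host sshd[4040]: Accepted publickey for alice from 192.0.2.77 port 52210 ssh2
May 13 09:06:00 host sshd[4044]: Failed password for invalid user admin from 203.0.113.9 port 40020 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")


def parse_event(line):
    """Return a dict for a failed or accepted sshd login, or None for unrelated lines."""
    m = FAILED_RE.search(line)
    if m:
        return {"kind": "failed", "user": m["user"], "ip": m["ip"],
                "valid_user": m["invalid"] is None}
    m = ACCEPTED_RE.search(line)
    if m:
        return {"kind": "accepted", "user": m["user"], "ip": m["ip"], "valid_user": True}
    return None


def triage(lines, threshold=2):
    """Split failures into guessing noise (unknown accounts) and failures against real
    accounts, and flag sources with at least `threshold` failures against real accounts.
    Also report real accounts that failed and then succeeded from the same source."""
    events = [e for e in (parse_event(l) for l in lines) if e]
    noise = Counter()              # failures against invalid users, by source ip
    real = defaultdict(Counter)    # ip -> Counter(user) for failures against valid users
    accepted = set()               # (user, ip) pairs that eventually logged in
    for e in events:
        if e["kind"] == "accepted":
            accepted.add((e["user"], e["ip"]))
        elif e["valid_user"]:
            real[e["ip"]][e["user"]] += 1
        else:
            noise[e["ip"]] += 1
    flagged = sorted(ip for ip, users in real.items() if sum(users.values()) >= threshold)
    failed_then_succeeded = sorted(
        (u, ip) for ip, users in real.items() for u in users if (u, ip) in accepted
    )
    return {
        "total_events": len(events),
        "invalid_user_failures": sum(noise.values()),
        "valid_user_failures": sum(sum(u.values()) for u in real.values()),
        "noise_by_ip": dict(noise),
        "flagged_sources": flagged,
        "failed_then_succeeded": failed_then_succeeded,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

Lines that do not match either pattern (cron, sudo, other daemons) are skipped, so the same function can be run over a whole auth.log.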

Re:Defense in Depth (1)

tgatliff (311583) | more than 6 years ago | (#23392580)

You certainly sound like a wonderful admin, and I can appreciate that...

As far as logs, we traditionally have a series of items, such as hd data, temp data, etc that we automate with an srsync snapshot nightly. From there, we use a custom app we wrote to parse out key word data or repeatable trends we find interesting, such as error, failed login attempts, etc... Meaning, we also erase nothing, but let software processes smooth over the sheer volume of data for us...

Also, as far as additional security items we could implement, I agree we definitely could go farther. The issue, however, is simply time and cost. Meaning, perfect security protection is nearly cost prohibitive, and since we have limited resources we try to pick a fine balance of security, detection, and functionality that works for us. Yes, it is quite possible that a security hole could be found and exploited in apache2, but considering its age and the fact that we do a nightly tree sync, in my opinion, it is a risk that my organization can take and be able to recover from.

Thanks for the free advice, however, as I very much appreciate reading it... :)

Re:Defense in Depth (5, Insightful)

Ryan Amos (16972) | more than 6 years ago | (#23391940)

SELinux is great for hardening a box. Unfortunately most sysadmins don't take the time to learn how it works and turn it off because they can't get something to work. Yes; it is a pain in the ass to deal with most of the time, but it's saved me from some big mistakes before as well.

SELinux almost makes more sense in an appliance server; as the config is not likely to change much. Just assume the web interface is vulnerable (it probably is; if not through your code then some as-yet undiscovered vulnerability in the LAMP stack.) I'll admit, SELinux is a religion you've got to practice, but Unix filesystem permissions leave a lot to be desired (I don't like having to create a new group every time I want to set permissions on a subset of users, thanks.) There needs to be more in the 21st century, and while SELinux is not the best solution, it's a workable one.

The goal of SELinux IMO is the realization that you will never get rid of all vulnerable code on your box. What you can do is limit the damage they can do when they get past the application layer security. Who cares if they can hack your sendmail server when it doesn't have access to read/write anything outside its config and spool directories?

Re:Defense in Depth (1)

dougmc (70836) | more than 6 years ago | (#23392202)

Nicely done -- you nailed it. Though I'd emphasize a little more what a pain selinux can be for a general-use system. The learning curve is relatively steep, and like many security measures, it often does get in the way of doing work, especially when you don't really understand it yet. And so yes, it does tend to get turned off.

Re:Defense in Depth (2, Interesting)

dpilot (134227) | more than 6 years ago | (#23392450)

I'd go one step further, and state that SELinux *can* be the enemy of defense-in-depth. To begin with, SELinux has been sufficiently difficult to get running properly that a common response is to just shut it off. So if you want defense-in-depth, and the other forms of defense are those that haven't been pre-configured into SELinux, you're essentially discouraged from using them. (If you think it's hard picking SELinux up off the shelf and using it, then try some fairly deep modifications to existing policies, and adding new policies.)

Add the amount of general awe the people hold toward the NSA and SELinux, and there is a tendency for it to be not just A silver bullet, but THE silver bullet.

That's not even to say anything necessarily bad about SELinux or the job it does, but there can be difficult circumstances created around it.

Re:Defense in Depth (1)

indifferent children (842621) | more than 6 years ago | (#23392636)

but Unix filesystem permissions leave a lot to be desired (I don't like having to create a new group every time I want to set permissions on a subset of users

I'm not discouraging use of SELinux, but you can use Posix ACLs without SELinux. If flexible file permissions are the driving factor, SELinux is overkill.

Re:Defense in Depth (5, Insightful)

Jeruvy (1045694) | more than 6 years ago | (#23390688)

OS Hardening is exactly that, risk mitigation. If you know that you don't need to run certain processes, or you can run them with reduced variables, not only will your systems run with less risk, they can also be more stable. Fewer updates and patching, less dealing with new variables (because someone enabled some feature that was disabled), adding new functions only after approval and ensuring they meet your requirements. So yes, I'd say OS hardening is an essential part of your good security practices.

Re:Defense in Depth (1)

jellomizer (103300) | more than 6 years ago | (#23391990)

If you need to test the effectiveness of your hardened OS then you are already in trouble; it is just the difference between trouble and disaster. That being said, it is not a silver bullet of protection: if the hacker has gotten that far then you probably have some holes in your full IT Security concept that need to be addressed. But like most security nowadays, it isn't as much about protection as it is saying I did my due diligence in being protected.

Re:Defense in Depth (0)

Anonymous Coward | more than 6 years ago | (#23392166)

System hardening is just another layer of a "defense in depth" security posture. The more layers, the better.

That is just retarded. Those layers do not come for free. How many layers of gauze do you suppose you would have to wrap yourself in to stop a bullet? Once you do that, you are now immobilized. Now the attacker can walk up to you, douse you in gasoline, light you on fire, and watch you burn. He wins, and so do all of the gauze salesmen who took your money. The situation is not much different for the organizations who decide that they are going to take security seriously, shop all of the vendors, and order one of everything to get the famed "defense in depth".

Re:Defense in Depth (2, Insightful)

Hyppy (74366) | more than 6 years ago | (#23392246)

Your analogy makes no sense. So, you should just buy a firewall, and that's it? Or should you only have antivirus software, and that's it? Should you keep your admin password blank, because of the previously mentioned firewall? What is the one-stop answer to keep my network secure?

There is no one-stop panacea for security. Anyone who says otherwise is either a snake-oil salesman, or a massive liability to any company that hires them.

Would be really handy (1)

jimbobborg (128330) | more than 6 years ago | (#23390350)

if DISA put out a lockdown script for the various Unix flavors. The Gold Disk they have for Unix breaks shit. But dang if the Windows one works. What's up with that? It's a real pain manually doing this.

Re:Would be really handy (3, Insightful)

Hyppy (74366) | more than 6 years ago | (#23390378)

The DISA gold disk breaks Windows just as bad, believe me. The 100% Gold Disk Standard(tm) is only necessary for the highest security systems, which usually run software designed with gold disk hardening in mind in the first place.

Re:Would be really handy (4, Interesting)

jandrese (485) | more than 6 years ago | (#23390870)

Where did you find a Windows Gold Disk that doesn't make a complete mess of the OS? I'd really like to get that because I've never gone through that process and still had the application the box is designed for work. In fact it's typically worse with Windows because when something gets a permission denied (especially on something like a Registry key), it won't be like Unix and spit out a message like "Error: File /foo/bar: Permission denied"; instead your application will crash and spit out a message like "Error: failure" to the system log (and only if you're lucky will it put something in the system error log). Since locking down Windows means changing the ACL on just about everything on the system, it's almost impossible to track down what broke your application.

Re:Would be really handy (1)

Hyppy (74366) | more than 6 years ago | (#23390910)

Completely agreed. One of my sections experimented with the DISA gold disk one time, turning it on in "high security" mode, and it took us 3 days with RegMon and a grab bag of other utilities to revert the system to just basic usable mode. Office XP wouldn't even open correctly!

Re:Would be really handy (0)

Anonymous Coward | more than 6 years ago | (#23392058)

- Start sysinternals' regmon and or filemon
- Start the application
- Wait for it to crash
- Stop regmon and or filemon and search their logs for 'access denied'
- Change permissions for offending entries and or files
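The search step of that procedure, as an added example that is not the poster's: given a Process Monitor CSV export (Procmon replaced Regmon and Filemon; the column names are assumed to match its default export), it keeps only the ACCESS DENIED rows, collapses repeats into one entry per process, operation and path, and tags each as registry or file so you know which permission to adjust. The rows are constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample shaped like a Process Monitor CSV export. Column names are
# assumed to match Procmon's default export; the rows are invented for illustration.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:41:02.1","WINWORD.EXE","3120","RegOpenKey","HKLM\SOFTWARE\Microsoft\Office\11.0\Common","SUCCESS","Desired Access: Read"
"9:41:02.2","WINWORD.EXE","3120","RegSetValue","HKLM\SOFTWARE\Microsoft\Office\11.0\Common\LastRun","ACCESS DENIED","Type: REG_DWORD"
"9:41:02.3","WINWORD.EXE","3120","RegSetValue","HKLM\SOFTWARE\Microsoft\Office\11.0\Common\LastRun","ACCESS DENIED","Type: REG_DWORD"
"9:41:02.5","WINWORD.EXE","3120","CreateFile","C:\Program Files\Microsoft Office\OFFICE11\cache.dat","ACCESS DENIED","Desired Access: Generic Write"
"9:41:02.6","WINWORD.EXE","3120","CreateFile","C:\Documents and Settings\user\normal.dot","SUCCESS","Desired Access: Generic Read"
"9:41:02.7","svchost.exe","912","RegQueryValue","HKLM\SYSTEM\CurrentControlSet\Services\Tcpip","NAME NOT FOUND","Length: 144"
"9:41:02.8","WINWORD.EXE","3120","QueryOpen","C:\WINDOWS\Fonts\arial.ttf","ACCESS DENIED",""
'''

REGISTRY_ROOTS = ("HKLM", "HKCU", "HKCR", "HKU", "HKCC")


def access_denied_events(csv_text, process=None):
    """Yield (process, operation, path) for every ACCESS DENIED row,
    optionally restricted to one process name (case-insensitive)."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Result"] != "ACCESS DENIED":
            continue
        if process and row["Process Name"].lower() != process.lower():
            continue
        yield (row["Process Name"], row["Operation"], row["Path"])


def summarize_denials(csv_text, process=None):
    """Collapse repeated denials into one entry per (process, operation, path),
    most frequent first, tagging each path as 'registry' or 'file' so the fix
    goes to the right tool (regedit/ACL on the key vs. cacls on the file)."""
    counts = Counter(access_denied_events(csv_text, process))
    summary = []
    for (proc, op, path), n in counts.most_common():
        kind = "registry" if path.upper().startswith(REGISTRY_ROOTS) else "file"
        summary.append({"process": proc, "operation": op, "path": path,
                        "kind": kind, "count": n})
    return summary


if __name__ == "__main__":
    # Only the application that crashed is interesting; other processes' denials are noise.
    for entry in summarize_denials(SAMPLE_CSV, process="WINWORD.EXE"):
        print(f"{entry['count']:>3}  {entry['kind']:<8} {entry['operation']:<12} {entry['path']}")
```

A real export from a locked-down box runs to tens of thousands of rows; the point of collapsing is that the handful of distinct denied paths is what you actually need to review, and a read denial on a system font deserves a different decision than a write denial on a registry key.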

Re:Would be really handy (2, Informative)

cromar (1103585) | more than 6 years ago | (#23391320)

You might try (on a test box) the security information/tools CIS [cisecurity.org] (Center for Internet Security) has to offer. I have had good experience with the information for AIX (of all things). They provide automated tools for Windows and a few other OSs.

Re:Would be really handy (2, Insightful)

morgan_greywolf (835522) | more than 6 years ago | (#23390536)

Well, the SRR for UNIX released last month is only supported on specific flavors:

Solaris 2.5.1 through Solaris 10; HP-UX 11.0, HP-UX 11.11; Red Hat Enterprise Linux 3 and 4; and AIX 4.3. FSO cannot guarantee the accuracy of these scripts if they are used on other UNIX versions.

That means if you are running any other version/flavor, you're going to need to review the script and modify it as necessary.

Re:Would be really handy (1)

jimbobborg (128330) | more than 6 years ago | (#23390594)

All the SRR for Unix does is check for vulnerabilities. It makes no changes.

Re:Would be really handy (1)

morgan_greywolf (835522) | more than 6 years ago | (#23391104)

Right, but the requirements are the same for the Gold Disk, no?

Re:Would be really handy (1)

Hyppy (74366) | more than 6 years ago | (#23390686)

Those are the only flavors, as far as I am aware, that the NSA has approved so far for government use in production environments.

Re:Would be really handy (1)

aproposofwhat (1019098) | more than 6 years ago | (#23390766)

Well I guess my old Sparcstation's fucked, then - but then again it's only running my CERN proxy, so that's OK :P

Chuck Norris can ./fsck selinux (-1, Offtopic)

extirpater (132500) | more than 6 years ago | (#23390358)

ha

Concrete (5, Funny)

Urger (817972) | more than 6 years ago | (#23390370)

I found encasing the system in steel reinforced concrete made the system much harder. Similar attempts to place end users in the same situation were not as successful.

Re:Concrete (3, Insightful)

Hyppy (74366) | more than 6 years ago | (#23390398)

If you reinforce the concrete properly to create a Faraday cage, you can protect against TEMPEST [wikipedia.org] threats.

Re:Concrete (5, Funny)

abolitiontheory (1138999) | more than 6 years ago | (#23390404)

concrete does end users quite nicely though.

Re:Concrete (1)

Smidge207 (1278042) | more than 6 years ago | (#23391974)

Agreed. Especially since Windows uses the CE-ME-NT architecture. ::rolls-eyes::

Re:Concrete (1, Funny)

Anonymous Coward | more than 6 years ago | (#23392488)

Don't forget the amontillado.

Re:Concrete (0)

Anonymous Coward | more than 6 years ago | (#23391164)

Speak for yourself. I for one enjoy the peaceful isolation. Sure the first 30 years were pretty boring, but one day a few years ago I heard them laying some fiber next to me. I spent the next few months working on my telepathic interface. And I've been trolling slashdot ever since.

-J. Hoffa, the most secure end user on the planet

Re:Hardening (1)

icebrain (944107) | more than 6 years ago | (#23391602)

Am I the only one who first thought the article was referring to hardening systems against EMP effects from a nuclear event?

Re:Concrete (2, Insightful)

Chrisq (894406) | more than 6 years ago | (#23391726)

I found encasing the system in steel reinforced concrete made the system much harder. Similar attempts to place end users in the same situation were not as successful.

I don't know, the Mafia found it very effective in dealing with "security leaks".

I don't know. (0)

Anonymous Coward | more than 6 years ago | (#23390388)

And I don't care.

Re:I don't know. (0)

Anonymous Coward | more than 6 years ago | (#23390518)

Is slashdot becoming Yahoo! Answers?

Easy (5, Funny)

J3M (546439) | more than 6 years ago | (#23390446)

I use Ubuntu 8.04. It's hardy out of the box.

Re:Easy (1)

Culture20 (968837) | more than 6 years ago | (#23392028)

Hardy... Har Har!

Is it just me? (4, Insightful)

Layer 3 Ninja (862455) | more than 6 years ago | (#23390448)

Am I the only one that is a bit skeptical of downloading .msi packages from nsa.gov?

Re:Is it just me? (1, Funny)

Anonymous Coward | more than 6 years ago | (#23390514)

"We're from the government. We're here to help you."

Re:Is it just me? (1)

AikonMGB (1013995) | more than 6 years ago | (#23390838)

"We're here to protect you from the terrible secret of space?"

Re:Is it just me? (1)

sticks_us (150624) | more than 6 years ago | (#23390612)

Oh, I don't know...

There's a strong correlation between the libertarian/independent/freethinker community and the advocacy of Linux and other [F]OSS solutions.

And yet, doesn't every Linux kernel (2.6 or better) use SELinux [nsa.gov] [1] [wikipedia.org] ?

short answer, NO (1)

RiotingPacifist (1228016) | more than 6 years ago | (#23392504)

The Linux kernel has no integrated security; it has a security layer that gives security systems access (or it can; it's recommended to compile without it if you don't use it, as otherwise a rootkit could use it).

SELinux: sure, it could have an NSA back-door, but it probably doesn't, and a lot of distros don't use SELinux; instead they opt for AppArmor, or nothing at all, or other security measures (PaX, etc.)

Re:Is it just me? (5, Insightful)

been42 (160065) | more than 6 years ago | (#23390956)

Am I the only one that is a bit skeptical of downloading .msi packages from nsa.gov?

I'm not wary at all. Any access they might want into your Windows system was probably built in. I imagine they already have that kind of access to every Windows computer. Anything they can give you to help keep your Windows machine from turning into part of a North Korean botnet can only benefit both you and the government.

Re:Is it just me? (0)

Anonymous Coward | more than 6 years ago | (#23391100)

Anything they can give you to help keep your Windows machine from turning into part of a North Korean botnet can only benefit both you and the government.

And why would we want to benefit the government of a foreign country (especially the USA)?

Re:Is it just me? (1)

street struttin' (1249972) | more than 6 years ago | (#23391600)

Anything they can give you to help keep your Windows machine from turning into part of a North Korean botnet can only benefit both you and the government.

From the stuff I've been reading about Storm and Kraken, they're not doing a very good job of keeping Windows machines off botnets...

Re:Is it just me? (0)

Anonymous Coward | more than 6 years ago | (#23391462)

Ironically, the software you get straight from the NSA is probably the one without NSA backdoors. Software from third parties may have been compromised beforehand.

Very effective (4, Informative)

hal9000(jr) (316943) | more than 6 years ago | (#23390452)

System and network hardening is very effective. By hardening, I mean doing things like removing unnecessary services and applications; configuring the remaining services to be as featureless as possible while still doing what you need; examining the remaining service and application configurations and making changes to reduce features and employ security measures like encryption, etc.; and utilizing whatever access controls are available in the strictest sense.

That is just a start. Now you also have to monitor the activity on the host or network to detect any changes or indicators of malicious behavior.

Hardening is easier to do with servers because servers tend to have more stable configuration requirements and less user touch. Workstations and desktops are more difficult. You can lock down a Windows host very tightly using the GPO and other OS tools. You can also buy other applications to fill gaps. Financial institutions, for example, often have very tight workstations. In most other organizations, however, users are used to having more control, and the pain of locking down a workstation compared to the outcry IT will receive normally leads to looser standards.

Everyone knows... (4, Funny)

neokushan (932374) | more than 6 years ago | (#23390472)

The best kind of security is obscurity! So batten down the hatches by ditching your fancy *nix/BSD servers and get those old Amigas you have stashed in a loft somewhere up and running. Bonus points for using a C64.

Re:Everyone knows... (3, Interesting)

Bert64 (520050) | more than 6 years ago | (#23390596)

There were some security advisories for Amiga Unix a few years ago. Yes, Commodore made a unix variant of the Amiga which is extremely rare.

Re:Everyone knows... (5, Funny)

sm62704 (957197) | more than 6 years ago | (#23390726)

I use security through obsolescence. Nobody's going to crack my ENIAC [wikipedia.org] clone!

Re:Everyone knows... (1)

tobiasly (524456) | more than 6 years ago | (#23390732)

So batten down the hatches by ditching your fancy *nix/BSD servers and get those old Amigas you have stashed in a loft somewhere up and running.

Judging by how well the NSA.gov website is (not) handling being Slashdotted, I'm guessing that's exactly what they did.

Re:Everyone knows... (0)

Anonymous Coward | more than 6 years ago | (#23391290)

this is /. nobody RTFA

Re:Everyone knows... (1)

idiotnot (302133) | more than 6 years ago | (#23391720)

Hey now, that Amiga if not being used as a Video Toaster, makes a pretty damn good BSD [netbsd.org] machine. :-)

The Network guides are nice (4, Interesting)

Facekhan (445017) | more than 6 years ago | (#23390474)

I've used the network equipment guides to harden routers and switches before and they are very handy.

I can't speak to how well they withstand attacks after that, but if you follow their instructions an nmap scan basically reveals no open services (ssh ports have their own access lists).

I prefer the guides to tools like RAT because auditors get so out of date that you end up chasing down their rules to find out they don't even know about the last few years of security enhancements. Cisco's Output Interpreter is also good for advice on hardening your devices.

Re:The Network guides are nice (3, Interesting)

Hyppy (74366) | more than 6 years ago | (#23390722)

I've found the NSA Cisco hardening guides to be amazing. I could hand the guide to a help desk tech we were training to be a netadmin, show him how a console cable works, and he would have a functional and secure test network of a few devices running in no time.

Re:The Network guides are nice (1)

JFitzsimmons (764599) | more than 6 years ago | (#23391102)

Do you have a link to them?

Re:The Network guides are nice (4, Informative)

Hyppy (74366) | more than 6 years ago | (#23391190)

Ask and you shall receive...

Cisco Routers [nsa.gov]
Cisco Switches [nsa.gov]

Everyday user? (1, Interesting)

MosesJones (55544) | more than 6 years ago | (#23390512)

First off, the article talked about Snort, which I can't quite see my wife using, then moved on to talk about the development lifecycle, not a major part of her internet and PC experience. The NSA files, while useful, are huge (the Mac OSX 10.3 one is 2.5MB) and I can't see the everyday user trawling through that. It's only for Vista that it is really viable, as it says use the MS settings as these follow the NSA guidelines.

So in summary the only everyday users who could do this are those using Vista.... an unusual plug for Redmond from Slashdot.

Re:Everyday user? (1)

Torvaun (1040898) | more than 6 years ago | (#23390616)

Slashdot doesn't really cater to the everyday user.

Re:Everyday user? (2, Informative)

Hyppy (74366) | more than 6 years ago | (#23390772)

The Windows XP guide is also available [nsa.gov], though they also point to the MS guides since they have become very good. If nothing else, a quick glance through the services to disable can be helpful.

Re:Everyday user? (2, Informative)

Aram Fingal (576822) | more than 6 years ago | (#23391114)

I read through the NSA guide for OSX 10.3 and it's surprisingly basic. Most of it just repeats common advice on Mac security that you can get from a number of places. Some of it covers things that the average user wouldn't do like disconnect the microphone so that a spy can't hack in, activate it and listen in on your conversations. The one part which I thought was good was the section on when and how to use the Keychain.

What happened to (0)

Capt James McCarthy (860294) | more than 6 years ago | (#23390572)

The days of "Security through Obscurity?" I just wonder if it's more or less prevalent today than in years past.

There's no perfect safety ... (4, Insightful)

richg74 (650636) | more than 6 years ago | (#23390692)

There is an often-repeated old story that is pertinent here:

Two guys are out on a hike in the forest. They go around the corner of a rock outcropping, and are confronted with a grizzly bear, not far away, who immediately springs toward them. The first guy starts running away. The second yells after him, "You damned fool, you can't outrun a grizzly bear!" The first says, over his shoulder, "I know -- but I can outrun you."

Your house doesn't have to be impossible to break into; it helps quite a bit if it's just harder than your neighbor's.

Re:There's no perfect safety ... (3, Funny)

Anonymous Coward | more than 6 years ago | (#23390730)

I heard that story from a Chinese, but the bear was a testicle-eating wild pig. Much better story.

Re:There's no perfect safety ... (2, Insightful)

jandrese (485) | more than 6 years ago | (#23390926)

The problem is when your site is "email.whitehouse.gov" and the other guy is "conglomerated-ironworks.com". One of which is going to be a much bigger target no matter how much extra security you have.

Re:There's no perfect safety ... (2, Funny)

WNight (23683) | more than 6 years ago | (#23392532)

Yeah, who'd hack the whitehouse? They've deleted all their own email and sensitive documents years ago. Now that ironworking company, that sounds interesting...

Re:There's no perfect safety ... (1)

dpilot (134227) | more than 6 years ago | (#23392510)

But what if the bear is bored, not hungry. He doesn't want a meal, he wants the chase and the kill.

To shift metaphors, I've heard that the way to handle canine attack is to get down on the ground and bare your neck. It's a submission symbol, and they generally respect it. Plus they can outrun and outbite you. Of course I've never tested this personally, and I've usually been able to intimidate dogs just by acting intimidating. (I once intimidated a pair of nasty looking German shepherds, until their owner came out with a gun and intimidated me.)

Re:There's no perfect safety ... (0)

Anonymous Coward | more than 6 years ago | (#23392878)

Two guys are out on a hike in the forest. They go around the corner of a rock outcropping, and are confronted with a grizzly bear, not far away, who immediately springs toward them. The first guy starts running away. The second yells after him, "You damned fool, you can't outrun a grizzly bear!" The first says, over his shoulder, "I know -- but I can outrun you."

Your house doesn't have to be impossible to break into; it helps quite a bit if it's just harder than your neighbor's.

This might be true were computer programs or black hats grizzly bears. But, try as one might, nothing is going to make a program, malicious or otherwise, satisfied at its first victim, or its 1024th. So, this is a fallacious argument in terms of computer security.

How hard is it to get any real work done on locked (1)

Joe The Dragon (967727) | more than 6 years ago | (#23390718)

How hard is it to get any real work done on a super locked-down system without a lot of dead time waiting for IT to unlock what you need to get your job done?

Re:How hard is it to get any real work done on loc (5, Insightful)

abolitiontheory (1138999) | more than 6 years ago | (#23390930)

A lot more work and a lot less dead time than waiting for IT to resurrect a completely fsck'd system, maybe?

Re:How hard is it to get any real work done on loc (2, Interesting)

trolltalk.com (1108067) | more than 6 years ago | (#23390970)

You could always bring in a lappy and do like this guy [shandyking.com] did ...

1. Find unsecured wireless router
2. Secure it with your own ssid/password
3. PROFIT - charge to "fix" the problem

Just because you're inept at systems management (2, Insightful)

apparently (756613) | more than 6 years ago | (#23390988)

doesn't mean that an IT professional is inept at locking down systems without impacting a firm's ability to do business.

How hard is it to get any real work done on a super locked-down system without a lot of dead time waiting for IT to unlock what you need to get your job done?

So kindly go fuck yourself with your condescending attitude.

Re:How hard is it to get any real work done on loc (1)

gbjbaanb (229885) | more than 6 years ago | (#23391098)

It's really easy. What's difficult is to get "real" work done on a locked down system.

Security hardening is all about removing unnecessary facilities. So obviously whatever is left is necessary for you to do your job, if not then the security guys/procedures didn't do their analysis well enough.

Of course, what they think is necessary and what you think is "necessary" may not be quite the same thing....

Re:How hard is it to get any real work done on loc (2, Informative)

hal9000(jr) (316943) | more than 6 years ago | (#23392702)

If your IT admins locked the system down to the point that you can't get work done, they have failed and you, or your boss, have the obligation to raise the issue.

Responsible IT departments can configure your systems while still allowing you to work. mike

allow execution of only known good binaries (1, Interesting)

Anonymous Coward | more than 6 years ago | (#23390844)

allow execution of only known good binaries

One good tool out there is from Solidcore. It is being used in Point of Sale devices, ATMs and production servers in some big enterprises.

Works on Windows* and Unices.

-Yv

Re:allow execution of only known good binaries (3, Interesting)

tepples (727027) | more than 6 years ago | (#23390934)

Anonymous Coward wrote:

allow execution of only known good binaries

But who declares a binary "known good"? And how well do you expect your method to scale down to home and small-office PCs?

Re:allow execution of only known good binaries (2, Insightful)

Hyppy (74366) | more than 6 years ago | (#23391424)

You can do that with group policy, but it's very time-intensive. Basically, you whitelist your approved binaries by filename with a hash to ensure people don't just rename their game "explorer.exe".
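A small model of the filename-plus-hash allowlist described in the comment above, added here as an example and not taken from the thread or from any group-policy tooling. The allowlist entries and the "binary" contents are constructed stand-ins; the point it shows is that a filename-only rule accepts a renamed game while the filename-and-digest rule rejects it.

```python
import hashlib
import os
import tempfile

# Constructed allowlist: filename -> set of approved SHA-256 digests.
# A real deployment would pin the digest of the vendor-supplied binary.
REAL_EXPLORER_BYTES = b"MZ constructed stand-in for the real explorer.exe"
RENAMED_GAME_BYTES = b"MZ constructed stand-in for a game renamed to explorer.exe"
ALLOWLIST = {"explorer.exe": {hashlib.sha256(REAL_EXPLORER_BYTES).hexdigest()}}


def sha256_of(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def allowed_by_name(path):
    """The weak rule: approve anything whose filename is on the list."""
    return os.path.basename(path) in ALLOWLIST


def allowed_by_name_and_hash(path):
    """The rule from the comment: filename AND digest must both match."""
    digests = ALLOWLIST.get(os.path.basename(path))
    return digests is not None and sha256_of(path) in digests


def evaluate(contents):
    """Write the given bytes out as 'explorer.exe' and apply both rules."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "explorer.exe")
        with open(path, "wb") as f:
            f.write(contents)
        return {"name_only": allowed_by_name(path),
                "name_and_hash": allowed_by_name_and_hash(path)}


if __name__ == "__main__":
    print("genuine:     ", evaluate(REAL_EXPLORER_BYTES))
    print("renamed game:", evaluate(RENAMED_GAME_BYTES))
```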

holy crap (1)

Trailer Trash (60756) | more than 6 years ago | (#23391210)

Am I the only one who is surprised that the NSA uses ColdFusion?

Best System Defense (0)

Anonymous Coward | more than 6 years ago | (#23391238)

I have found one sure-fire method to secure a system and prevent ANY known or unknown attacks.

Remove the black cable in the back with the prongy thingies. There, problem solved.

Old Guides (0)

Anonymous Coward | more than 6 years ago | (#23391306)

If you look at the browser guides, they are from 2003. Not very relevant today I would say.

works ok for me (3, Interesting)

myxiplx (906307) | more than 6 years ago | (#23391466)

Basic hardening of a windows system has stood us in good stead here. IE's locked down so sites can't run scripts. CD-ROM drives are disabled, users can't install USB thumb drives. All e-mails and internet access is filtered.

It's not perfect by a long shot, but it's good enough that we've not had a sniff of a virus or malware outbreak in getting on for three years now. Hell, we don't even consider it necessary to install most MS updates straight away. We let other people do the testing, and roll them out via WSUS 3-6 months later.

Re:works ok for me (0)

Anonymous Coward | more than 6 years ago | (#23392786)

"IE's locked down so sites can't run scripts."

They can, due to escalation via ActiveX, which in turn can be always used due to internal policy overrides. Not that this would be needed, there are a lot of buffer overflows in the CSS parser and DOM handling, heck even the FTP protocol implementation is left vulnerable.

Long story short, with IE you have already lost in first place. What about using a real webbrowser instead? Especially Mozilla/Seamonkey has a very good deployment facility (though does not integrate with Group Policies).

define "effective" (3, Insightful)

darkuncle (4925) | more than 6 years ago | (#23391488)

System hardening is effective at defeating certain classes of attacks. That said, most security breaches are NOT due to fancy footwork with memcpy or other low-level wizardry. They're due to either:

1) improperly designed trusts between systems (e.g. the Internet can't talk to my database server, but my webserver has full access; when my webserver is compromised, the contents of my database are toast as well). Networks designed to fail safely and gracefully, with liberal application of the principle of least privilege, help mitigate this kind of risk.

2) stupid user tricks (I place social engineering in this category, along with phishing and the majority of email viruses). There is no technical solution for this essentially social problem - education helps, sane and safe defaults help tremendously (every unnecessary feature is an additional security risk, and the risk compounds as features are added), software policy approaches like ACL/MAC/UAC/RBAC help ... but in the end, users just want to do whatever it is they're using the computer for. If an attacker can convincingly pretend to be legitimate, or present a convincing enough temptation, users will bypass, override or disregard any level of protection. Vista's UAC is the canonical example here - great idea foiled by end users (granted, the implementation was almost guaranteed to train users to eventually ignore the constant repeated warnings).

Marcus Ranum's got them beat... (1)

argent (18001) | more than 6 years ago | (#23391712)

You can completely prevent unauthorized access with Marcus Ranum's ultimate firewall!

Some people can build secure servers, not desktops (1)

ChrisA90278 (905188) | more than 6 years ago | (#23392472)

Just How Effective is System Hardening? It can be very, very effective. But the problem is the average end user completely lacks the skills and time to do this, and I'd say the average sysadmin is not much better off. But if you do take the time to read up and set up services running inside (say) Solaris "containers" or on Xen under Linux, and get all your access lists set up and firewall rules done at the IP address level, you can build a very secure server. I've seen server farms run for years without a problem.

But the unsolvable problem is social engineering and Trojans. When some guy is told that if he runs this program he will get access to free goatporn, he runs it and it seems to work, but in doing so maybe he has in effect opened up his machine to remote access. No good way to fix this if the attacker is good and uses ports that need to be left open, like https.
