Auditing the Astaro Secure Linux Firewall: An Evaluation
Contents
1. [Figure 13 residue: the first part of the `iptables` listing, showing the user chains USR_FORWARD, USR_INPUT (1 reference) and USR_OUTPUT, with rules for ftp, ftp-data, domain, smtp and icmp and rate-limited LOG/REJECT targets (reject-with icmp-port-unreachable, LOG level info); the table columns are garbled in extraction.]
2. [Figure 13 residue, continued: the remaining `iptables` listing, including rate limiting (limit avg 100/sec burst 30, htable expire 10000), LOG targets with level info, and rules for http, ntp, icmp echo (types 0 and 8) and port-unreachable rejects; garbled in extraction.]
SANS Institute 2004. As part of GIAC practical repository. Author retains full rights.
Figure 13: Output from iptables.
The firewall rules that were entered appear under the USR_FORWARD chain. These do match the basic policy outlined in the table above. The rules for managing the firewall via ssh, https and snmp can be found under the AUTO_INPUT rule. It is also apparent that, in addition to the firewall rules that were entered, the firewall has its own default settings, like controlling tcp syn rates, not allowing spoofed addresses, and settings for logging.
sudo nmap -sP 10.10.0. (target range truncated in extraction)
Starting nmap 3.50 (http://www.insecure.org/nmap/) at 2004-09-19 12:08 EDT
Host 10.10.0.1 appears to be up.
Nmap run completed: 256 IP addresses (1 host up) scanned in 6.662 seconds
Figure 14: Output from nmap probe of the inside network from the outside.
This scan reveals little information, which indicates that the firewall is doing its job.
sudo hping 10.10.0.50 -c 1 ... -s 80 -p 17865 ... -d 500 (option letters garbled in extraction)
3. Evidence: jeff@astaro:/home/jeff> ps ax
[Figure 2 residue, first part: the PID/TTY/STAT/TIME columns are garbled in extraction. Recoverable COMMAND entries: init, keventd, ksoftirqd_CPU0, kswapd, bdflush, kupdated, kinoded, several kjournald threads, /sbin/syslog-ng -f /etc/syslog-ng.conf, /usr/sbin/cron, /usr/bin/dns-resolver, /usr/local/bin/alicd (syslog daemon, loglevel 2), /usr/bin/v4watcher, /usr/bin/confd, /usr/sbin/httpd -f /etc/httpd/httpd.conf, /var/mdw/mdw-daemon.pl, /usr/local/bin/selfmonng.pl (daemon watcher), login root, /sbin/mingetty on tty2 to tty4, /var/aua/aua.bin, bash, /usr/sbin/sshd -4 -f /etc/ssh/sshd_config, /bin/logger -t httpd -p local6.notice, /usr/sbin/fcgi -f /etc/httpd/httpd.conf, two /usr/bin/hyperdyper instances and squid.]
4. jeff@astaro:/home/jeff> cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
wwwrun:x:30:65534:WWW daemon apache:/var/lib/wwwrun:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
ntp:x:74:65534:NTP daemon:/var/lib/ntp:/bin/false
loginuser:x:100:100:remote login user:/home/login:/bin/bash
chroot:x:666:666:chroot user:/var:/bin/false
jeff:x:667:100::/home/jeff:/bin/bash
jeff@astaro:/home/jeff>
Figure 5: Contents of /etc/passwd.
Output from cat /etc/hosts.equiv:
jeff@astaro:/home/jeff> cat /etc/hosts.equiv
# hosts.equiv: This file describes the names of the hosts which are to be considered "equivalent", i.e. which are to be trusted enough for allowing rsh(1) commands.
# hostname
Figure 6: Contents of /etc/hosts.equiv.
jeff@astaro:/home/jeff> cat /etc/hosts.deny
# /etc/hosts.deny: See "man tcpd" and "man 5 hosts_access" as well as /etc/hosts.allow for a detailed description.
http-rman: ALL EXCEPT LOCAL
Figure 7: Contents of /etc/hosts.deny.
jeff@astaro:/home/jeff> cat /etc/hosts.allow
# /etc/hosts.allow: See "man tcpd" and "man 5 hosts_access" for a detailed description of /etc/hosts.allow and /etc/hosts.deny. Short overview about daemons and servers that are built with tcp_wrappers: su (text cut off in extraction)
5. [Figure 13 residue: further `iptables` chains. INVALID_PKT (0 references: LOG level info prefix "INVALID_PKT", then DROP); LOGACCEPT (0 references: LOG prefix "ACCEPT", then ACCEPT); LOGDROP (6 references: LOG prefix "DROP", then DROP); LOGREJECT (1 reference: LOG, then REJECT with icmp-port-unreachable); SANITY_CHECKS (3 references: SYNRATE_LIMIT for tcp with flags SYN,RST,ACK/SYN and for udp); SPOOFING_PROTECTION (SPOOF_DROP for sources astaro.mycompany.com, 10.1.0.0/24 and 10.10.0.0/24); SPOOF_DROP (4 references: LOG prefix "SPOOFING_DROP", then DROP); STRICT_TCP_STATE; SYNRATE_LIMIT (2 references: RETURN, LOG prefix "SYNRATE_LIMIT" and DROP for tcp and udp). Table columns garbled in extraction.]
6. [Figure 9 residue: part of the `rpm -qa` package listing (wireless-tools 26, hostap 0.1.2, the Astaro chroot packages for bind, dhcpc, dhcps, http, ident, ipsec, kav, pop3, ppp, pppoe, pptp, pptpc, smtp, snmp, snort, socks, squid 2.5.23 and weed, and the webadmin, confd, syslog-ng, logging, notifier, reporting, hyperdyper and up2date components); the column layout is garbled in extraction.]
7. Findings, Hands-On Phase
STEP 3: Preliminary Work
The audit steps enumerated below will help ensure the viability of the firewall server platform. However, before going through those steps it is important to get a feel for the server and its related processes and derive a baseline of information, all of which can be referred back to later. In order to do this the following operations will be conducted and the results will be recorded in the next section.
  1. Reboot the server to verify which processes actually start up and run without intervention.
  2. ps ax: get a feel for what is running. The results are ephemeral, but they can still give some interesting information.
  3. uname -a: which Linux kernel is running?
  4. top: which processes seem to be utilizing the most resources? These results are also ephemeral, but again they can yield interesting results.
  5. cat /etc/passwd: what types of accounts are present?
  6. cat /etc/hosts.equiv: are tcp wrappers being used?
  7. cat /etc/hosts.allow: are rlogin, rsh etc. configured?
  8. rpm -qa > installed_packages.out: which packages are installed via rpm?
All of this information should give a sense of what the server does. Next, a baseline scan of the firewall will be obtained from both the outside and the inside that can be referred back to during the audit steps. Tools like nmap and nessus will be used to accomplish this from both the outside and inside interfaces.
8. Threat values: 0.1, 0.5, 1.0. Impact values: 10, 50, 100.
The table below displays a matrix of vulnerability, threat, impact and associated risk. Not every combination of vulnerabilities and threats is valid, so this matrix only shows those pairs that can lead to pernicious outcomes. The assigned values were derived based on the subject environment and the auditor's experience. (Footnote: United States Dept. of Commerce, National Institute of Standards and Technology. Risk Management Guide for Information Technology Systems. Washington: NIST, July 2002. URL: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf)
[Risk matrix residue: columns are Vulnerability, Threat, Impact, Vulnerability Value, Threat Value, Impact Value, Realizable Risk Value and Risk. Rows recoverable from this fragment: Lack of Business Continuity plan / fire, flood or ... / business functions would be down for a prolonged time (1.0, 0.1, 100.0, 10.0, Low); Backups not being made (0.1, 0.1, 100.0, 1.0, Low); User accounts with weak passwords / unauthorized access / firewall could be compromised, affecting business critical systems and data (1.0, 1.0, 100.0, 100.0, High); business applications requiring internet access would be down (1.0, 0.1, 50.0, 5.0, Low); Firewall hardware failure / hardware fails / the availability ... (1.0, 0.1, 50.0, 5.0, Low). Remaining cells garbled in extraction.]
9. ...a baseline: nmap -sP 10.10.0. (target range truncated in extraction)
The auditor will also use hping to craft packets to simulate the following attacks: incoming web traffic made to look like a response; FTP data channel being initiated from the internet; SMTP traffic sent to the mail server; NTP attacks directed at servers.
hping 10.10.0.50 -c 1 -SL -s 80 -p 17865 -d 500
hping 10.10.0.50 -c 1 --udp -s 22 -p 17865 -d 500
hping 10.10.0.20 -c 1 -s 25 -p 25 -d 100
hping 10.10.0.20 -c 1 -s 123 -p 123 -d 50
Compliance is based on the firewall behaving as the firewall policy dictates.
Test Nature: Objective. Evidence: (blank). Findings: (blank).
STEP 5: V4 Firewall management interface (web) passwords weak, can be broken
Reference: SANS Track 7, Section 7.3, Auditing Web Applications. Belani, Rohyt. "Basic Web Session Impersonation." SecurityFocus, 14 April 2004. URL: http://www.securityfocus.com/infocus/1774. Nikto Web/CGI Scanning Tool, URL: http://www.cirt.net/code/nikto.shtml. Personal experience.
Risk: The web interface is the one portal for configuring all aspects of the firewall. If a brute force attack were successful the firewall would then be compromised, which would lead to servers and workstations being compromised. The auditor will focus on the web application here and delve into the web server application in V7 below.
Testing and Compliance: Two separate categori(text cut off in extraction)
10. [Figure residue, STEP 18 evidence: the middle portion of /etc/syslog-ng.conf, with destination d_notif; filters f_syslog, f_crond, f_ainfo, f_awarn, f_acrit (each with a "_notif" variant and flags(final)), f_kernel, f_iptbl, f_synlim and f_RATE_LIMIT; program() destinations feeding the socks, pfilter, cfilter, ips and vpn reporter scripts and the sarg logger (for access and blocked) with template_escape(no); file destinations /var/log/logging.log and /var/log/packetfilter with a "$HOUR:$MIN:$SEC $HOST $MSG\n" style template; and destination d_astaro.mycompany.com sending lines that match DROP|ACCEPT|REJECT|ICMP REDIRECT|INVALID to udp 10.10.0.1 port 514. Garbled in extraction.]
11. cat /etc/inetd.conf
ls /etc/xinetd.d
Compliance is based on no rpc services being used or turned on.
Test Nature: Objective. Evidence: (blank). Findings: (blank).
STEP 8: V7 Apache httpd vulnerabilities
Reference: Apache Security, version 1.3, URL: http://www.apacheweek.com/features/security-13. Apache Security, version 2.0, URL: http://www.apacheweek.com/features/security-20. SANS Top 10 Unix vulnerabilities, URL: http://www.sans.org/top20/#u3.
Risk: The Astaro firewall uses the Apache web server to run its web interface. If Apache were compromised with a buffer overflow that would drop the attacker into a shell as root, this would lead to the firewall also being compromised. The web application has already been explored for vulnerabilities in V4. Therefore the auditor will focus on Apache here.
Testing and Compliance: The first step is to check which version of Apache the Astaro firewall uses: httpd -v. The most current version as of this writing is 2.0.50; however, new patch versions come out frequently. It is also important to know whether httpd is running as root or as another user: ps axu | grep httpd. The next step is to test Apache using the nessus vulnerability scanner. The auditor will enable all Apache plugins. Compliance is based on running 2.0.50 or later and/or finding no vulnerabilities. The reason for this ambiguity i(text cut off in extraction)
12. ...changed before moving the firewall into production, and this test should be performed at that time.
Test Nature: Objective. Evidence: (blank). Findings: (blank).
STEP 6: V5 BIND vulnerabilities
Reference: Carnegie Mellon Software Engineering Institute, URL: http://www.cert.org/nav/index_red.html (Advisories and Incidents). Internet Software Consortium (writers of BIND), URL: http://www.isc.org/products/BIND/bind-security.html (additional security issues with BIND). Nemeth, Snyder, Hein. Linux Administration Handbook. Prentice Hall PTR, 2002, Chapter 16. SANS Top 10 Unix vulnerabilities, URL: http://www.sans.org/top20/#u1. Personal experience.
Risk: If the BIND version running contains one of the buffer overflow vulnerabilities and BIND is being run as root, this can lead to the compromising of the firewall. Thus the BIND version needs to be ascertained, and whether it is being run as a different user in a chroot'ed jail.
Testing and Compliance: Determine the version of BIND running: named -v. Determine where named runs from, who it runs as, and if it is running from a chroot directory: ps ax | grep named | grep bin; /etc/init.d/named. The auditor should also test if other devices can resolve using this server. He can use the attacker laptop with nslookup or dig. Ideally the server will not respond to these types of requests. This wil(text cut off in extraction)
13. ...daemon or through cron. FAIL
Audit Report
Executive Summary
The most significant risks in a firewall installation do not lie in the firewall device itself. Rather, they tend to be manifest in the implementation. In this audit, vulnerabilities were found to exist in the firewall, but they can be mitigated by installing the latest patches and denying access to the firewall appliance. This will be described in more detail below. However, the most significant risks were found in the configuration of the firewall and in the procedures surrounding the management of the firewall. The audit covered all of these issues and the results should be very helpful in the implementation phase of this project.
Audit Findings
The audit consisted of 19 separate steps examining 19 potential vulnerabilities. The following chart shows how the firewall performed throughout all steps of the audit. Note that not all of the 19 steps were covered in detail in the preceding section.
[Chart: Audit Steps, Pass vs. Fail]
This chart shows that the firewall passed the vast majority of tests performed. However, the chart does not give weight to the criticality of each step. The following two charts show this detail.
[Chart: Audit Steps] This chart shows the audit steps that the fir(text cut off in extraction)
14. [Figure residue, STEP 18 evidence: the end of /etc/syslog-ng.conf, with filters f_pluto, f_login, f_spamd and f_smtp, destinations d_v..., d_asta... and d_smtp..., and file destinations /var/log/contentfilter and /var/log/smtp.log using a "$SEC $HOST $MSG\n" style template with template_escape(no); garbled in extraction.]
Nothing in the configuration file indicates that the logs are being rotated.
more packetfilter 2004-09-19 10h46m log (filename separators lost in extraction)
[Figure residue: four consecutive entries, 2004-09-19 08:26:32 through 08:26:40, each of the form "none kernel: DROP IN=eth1 MAC=ff:ff:ff:ff:ff:ff:00:..:95:b3:bc:68:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=14124 (through 14127) PROTO=UDP SPT=68 DPT=67 LEN=308", i.e. DHCP client broadcasts dropped on eth1; one octet of the MAC field is garbled in extraction.] F(text cut off)
15. ...lists the significant vulnerabilities along with a value that describes the relative likelihood of a threat combining with the vulnerability to cause damage.
Vulnerabilities and values:
Environmental: Environmental control failure: High. Physical security: High.
Operational: Network administrator does not properly understand how to configure firewall: High. Firewall configuration does not match corporate firewall policy: High. ACL failure on edge router (defense in depth): Med. Firewall policy is not in place: High. Incident Handling procedure is not in place: Med. Logging is not being monitored: High. Updates to firewall platform do not occur (patching): High. Lack of Incident Handling procedure: High. Lack of Change Management procedure: High. Hardware chosen is not sufficient for the traffic and processing load: High. Hardware fails: High. Lack of Business Continuity Plan: High. Backups not being made: Low.
Firewall: Firewall does not behave as expected: High. Firewall management interface (web) passwords weak, can be brute forced: High.
Underlying Linux OS (the following is from SANS Top 10 Unix): Bind (named): High. RPC: High. Apache (httpd): High. Unnecessary user accounts, weak or no password: High. Clear Text Services: High. Sendmail: High. SNMP: High. SSH: High. Misconfiguration of NIS/NFS: High. OpenSSL: High.
The following is from the CERT Bulletin, Jun(text cut off in extraction)
16. [Risk matrix residue, continued. Rows recoverable from this fragment: ...of business critical systems and data could be compromised (0.1, 0.1, 50.0, 0.5, Low); Administrator error (1.0, 1.0, 100.0, 100.0, High); Firewall does not behave as expected / internal systems could be compromised (1.0, 1.0, 100.0, 100.0, High); Firewall does not match policy / firewall allows traffic through that it should not; this could include both severe ... corruption or loss of data (1.0, 1.0, 100.0, 100.0, High); Firewall web interface can be brute force attacked (1.0, 1.0, 100.0, 100.0, High); Chosen hardware is underpowered relative to traffic loads / firewall overtaxed, periodically affecting availability of services (1.0, 0.1, 50.0, 5.0, Low); DoS attack directed at firewall (0.5, 0.1, 50.0, 2.5, Low); Logging not being kept or monitored (1.0, 1.0, 100.0, 100.0, High); Firewall updates not occurring / administrator error / attacks could take place undetected (1.0, 1.0, 100.0, 100.0, High); Backups not being made, affecting confidentiality, integrity and availability of ... (0.1, 1.0, 100.0, 10.0, Low). Remaining cells garbled in extraction.]
17. ...running exim version 4.32 or later and that header syntax checking is disabled.
Test Nature: Objective. Evidence: (blank). Findings: (blank).
STEP 20: V19 NTP not being used for logging synchronization
Reference: NTP Man Page. Astaro User Manual, URL: http://docs.astaro.org/ACM_manuals.
Risk: Without the use of a time protocol such as ntp, the various log files that are kept on the disparate systems that make up the modern data center would not be synchronized. Consequently it would be very difficult to correlate logs when an incident occurs or when trying to be proactive.
Testing and Compliance: The auditor will start by checking to see whether ntp is running on the system: ps ax | grep ntp. Next he will check to see how ntp is configured: cat /etc/ntp.conf. At a minimum the configuration file should include server directive(s) to point to upstream time server(s). If ntp is not running, then cron should be checked to see if ntpdate is being run manually. This can be done by checking the crontab as root: crontab -l. Compliance will be based on ntp running, either as a daemon or out of cron, and configured to synchronize with an outside ntp server.
Test Nature: Objective. Evidence: (blank). Findings: (blank).
Conducting the Audit
STEP 3: Preliminary Work
18. [Figure 2 residue, continued: the remainder of the `ps ax` listing. Recoverable COMMAND entries: squid helpers (unlinkd and a syslogger for squid access), four /usr/sbin/localhttpd -f /etc/httpd/httpd.loopback instances, three /usr/bin/weed instances (127.0.0.1:16464, /etc/weed/weed.xml), the perl reporter scripts under /usr/local/bin (sarg logger for blocked and access, and the vpn, ips, cfilter, pfilter, socks and smtp reporters), /usr/local/bin/notifier.pl, /bin/exim -bd -q20m, a defunct aua.bin, /var/wfe/index.fpl, two /usr/sbin/httpd -f /etc/httpd/httpd.conf, two /usr/sbin/sshd -4 -f /etc/ssh/sshd_config, bash and the ps ax command itself (PIDs 4514 to 4864 on pts/0); the other columns are garbled in extraction.]
jeff@astaro:/home/jeff>
Figure 2: Output from ps ax.
jeff@astaro:/home/jeff> uname (command and output cut off in extraction)
19. ...this line to activate>
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
Figure 28: Checking for ntlm support in squid.conf.
Findings: The firewall is running a vulnerable version of squid, but ntlm support is not activated. The firewall should be updated to the latest patch level. If NT authentication is enabled in the content filter feature this will need to be revisited. PASS
STEP 17: V16 Linux kernel
Evidence: The firewall is running the 2.4.21 kernel. This is taken from figure 3 above.
Findings: This is an older version of the kernel and needs to be upgraded to the 2.4.23 kernel. Again, by updating the firewall to the latest patch level the kernel may be updated as well. FAIL
STEP 18: V17 Log rotation
Evidence: jeff@astaro:/home/jeff> cat /etc/syslog-ng.conf
[Figure residue: the comment header of /etc/syslog-ng.conf ("syslog-ng config file, asl customized. This file is auto-generated. Edit the configuration file or the template and re-run the template parsing engine. Generated on Wed Sep 29 13:54:40 2004") followed by the start of the global section; the "#" border lines and the rest are garbled in extraction.]
20. ...this task: dsniff -n -m -w dsniff.out
Compliance is based on the firewall not responding to SNMP queries and the community strings being something other than the defaults.
Test Nature: Objective. Evidence: (blank). Findings: (blank).
STEP 13: V12 SSH vulnerabilities
Reference: SANS Top 10 Unix vulnerabilities, URL: http://www.sans.org/top20/#u8. CERT, OpenSSH Challenge Response Handling Vulnerability, URL: http://www.cert.org/advisories/CA-2002-18.html. CERT, OpenSSH Buffer Management Vulnerability, URL: http://www.cert.org/advisories/CA-2003-24.html. OpenSSH Security Page, URL: www.openssh.org/security.html.
Risk: The Astaro firewall uses ssh for administrators to access the server. Since sshd is running, if it were vulnerable to attack it would be an easy attack vector to compromise the server. Thus the risk is high and it must be ensured that the version running does not have known vulnerabilities.
Testing and Compliance: The first test is to verify that sshd is running: ps ax | grep sshd. Next the version of ssh needs to be verified: ssh -V. Affected versions include 2.3.1p1 through 3.3, with newer vulnerabilities in later versions. As of this writing the current version is 3.7.1p2. Compliance is based on running sshd version 3.7.1p2 or later. If the firewall is running a vulnerable version it must be upgraded to a version that includes a fix. In order to ascertain(text cut off in extraction)
21. ...txt
Risk: OpenSSL is a critical component of both the Apache web interface and the ssh interface on the firewall. Therefore this is yet another vulnerability that could be exploited to compromise the firewall, and it is a risk that must be mitigated.
Testing and Compliance: Test which version is running: openssl version. The current version as of this writing is 0.9.7d. Compliance is based on running openssl 0.9.7d or later. If the firewall is running a vulnerable version it must be upgraded to a version that includes a fix. In order to ascertain whether the version is free of vulnerabilities the references above should be checked. Generally the latest version of OpenSSL is preferred.
Test Nature: Objective. Evidence: (blank). Findings: (blank).
STEP 16: V15 Squid cache buffer overflow
Reference: CIAC, Squid NTLM Buffer Overflow, URL: http://www.ciac.org/ciac/bulletins/o-168.shtml. Squid Security Advisory, URL: http://www.squid-cache.org/Advisories/SQUID-2004_2.txt.
Risk: The Astaro firewall uses squid for content filtering and offers the Windows domain authentication function as well. Since this vulnerability exists in the NTLM authentication piece it becomes imperative to test on the firewall platform. If this feature were enabled on the firewall it could potentially result in the firewall being compromised.
Testing and Compliance: The first step(text cut off in extraction)
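Several audit steps above (SSH, OpenSSL, Apache, exim and the kernel) reduce to the same compliance rule, "running version X or later". The POSIX shell check below is an added example, not code from the audit paper or from Astaro: it parses version strings with letter releases (0.9.6g) and portable patch levels (3.4p1), which is the example's own assumption about how to order them, and compares them against the minimums the paper states. The "found" values are constructed from the versions the paper's own figures report and are only sample input here.

```shell
#!/bin/sh
# Added example (not from the audit paper): a version-floor check for the
# "running X or later" compliance steps. Minimum versions are the ones the
# paper states; the "found" values are constructed sample input.

# Turn a version string into space-separated numeric components.
# "3.7.1p2" -> "3 7 1 2", "0.9.6g" -> "0 9 6 7", "2.0.49" -> "2 0 49"
ver_components() {
    printf '%s\n' "$1" | awk '{
        n = split($0, parts, ".")
        out = ""
        for (i = 1; i <= n; i++) {
            p = parts[i]
            match(p, /^[0-9]+/)
            num  = (RLENGTH > 0) ? substr(p, 1, RLENGTH) + 0 : 0
            rest = (RLENGTH > 0) ? substr(p, RLENGTH + 1) : p
            out = out (i > 1 ? " " : "") num
            if (rest ~ /^[A-Za-z][0-9]+$/)           # "p2": portable patch level
                out = out " " (substr(rest, 2) + 0)
            else if (rest ~ /^[A-Za-z]$/)            # "g": OpenSSL letter release
                out = out " " index("abcdefghijklmnopqrstuvwxyz", tolower(rest))
        }
        print out
    }'
}

# Return 0 (true) when version $1 is at least version $2, 1 otherwise.
# Missing trailing components count as 0, so 3.7.1 < 3.7.1p2 and 0.9.7 < 0.9.7d.
version_ge() {
    a=$(ver_components "$1")
    b=$(ver_components "$2")
    awk -v a="$a" -v b="$b" 'BEGIN {
        na = split(a, A, " "); nb = split(b, B, " ")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# One audit line: component name, version found, minimum accepted -> PASS or FAIL.
check_step() {
    if version_ge "$2" "$3"; then echo PASS; else echo FAIL; fi
}

# Run the constructed audit table; the return value is the number of failing steps.
run_audit() {
    fails=0
    while read -r name found minimum; do
        result=$(check_step "$name" "$found" "$minimum")
        printf '%-8s found %-8s minimum %-8s %s\n' "$name" "$found" "$minimum" "$result"
        if [ "$result" = FAIL ]; then fails=$((fails + 1)); fi
    done <<EOF
openssh 3.4p1 3.7.1p2
openssl 0.9.6g 0.9.7d
apache 2.0.49 2.0.50
exim 4.32 4.32
kernel 2.4.21 2.4.23
EOF
    return "$fails"
}

run_audit || echo "$? step(s) FAIL: update the firewall to the latest patch level"
```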
22. /usr/bin/openssl version
OpenSSL 0.9.6g [engine] 9 Aug 2002
Figure 25: openssl version found directly.
The same results were obtained by looking at the rpm packages (figure 9 above) and from running openssl directly.
Findings: The version running is not the current version of 0.9.7d. This should be upgraded, and the latest firewall patch may accomplish this. FAIL
STEP 16: V15 Squid cache
Evidence: chroot-squid 2.5.23
Figure 26: Version of squid found from rpm package.
jeff@astaro:/home/jeff> /var/storage/chroot-squid/sbin/squidf -v
Squid Cache: Version 2.5.STABLE4
configure options: --prefix=(cut off in extraction)
jeff@astaro:/home/jeff>
Figure 27: Version of squid found by asking.
grep ntlm squid.conf
[Figure 28 residue: the matching lines of squid.conf are the default comments describing the external ntlm authenticator ("Specify the command for the external ntlm authenticator ... replies with the ntlm CHALLENGE then waits for the ..."; "If you use an ntlm authenticator, make sure you have 1 acl of type proxy_auth"; "By default the ntlm authenticator_program ..."), followed by the directives auth_param ntlm program /bin/ntlm_auth, auth_param ntlm children 5, auth_param ntlm max_challenge_reuses 0 (see max_ntlm_challenge_lifetime), auth_param ntlm max_challenge_lifetime 2 minutes and auth_param ntlm program <uncomment and complete ...]
23. ...0.055 days (since Sun Sep 19 10:39:44 2004)
Nmap run completed: 1 IP address (1 host up) scanned in 76.507 seconds
Figure 10: Running nmap from the outside.
sudo nmap 10.10.0.1
Starting nmap 3.50 (http://www.insecure.org/nmap/) at 2004-09-19 14:06 EDT
Interesting ports on 10.10.0.1:
(The 1656 ports scanned but not shown below are in state: filtered)
PORT     STATE   SERVICE
22/tcp   open    ssh
53/tcp   closed  domain
443/tcp  open    https
Nmap run completed: 1 IP address (1 host up) scanned in 68.881 seconds
Figure 11: Running nmap from the inside.
[Nessus report residue: "This report gives details on hosts that were tested and issues that were found. Please follow the steps and procedures to eradicate these threats." Hosts which were alive and responding during test: 1. Number of security holes found and number of security warnings found: values garbled. Per-host section (address garbled): ssh (22/tcp) Vulnerability; ssh (22/tcp) Warning; ssh (22/tcp) Warning. Detail text: "You are running a version of OpenSSH which is older than ... Versions older than 3.7.1 are vulnerable to a flaw in the buf... functions which might allow an attacker to execute arbitra... this host. An exploit for this issue is rumored to ex" (cut off in extraction).]
24. [Risk matrix residue, continued. Rows recoverable from this fragment: ...(1.0, 1.0, 100.0, 100.0, High); Logs not being monitored / attacks are ... internal systems and data (1.0, 1.0, 100.0, 100.0, High); Syslog-ng not configured properly / ... the logs (1.0, 1.0, 100.0, 100.0, High); Logs not synchronized, NTP not running / cause of compromises or attacks may be impossible to determine, forensic data will be lost, leading to further incidents (0.5, 1.0, 50.0, 25.0, Med); ... (0.5, 0.5, 100.0, 25.0, Low); then a group of Underlying Linux OS rows sharing the threat "Attacker compromises OS" and the impact "Firewall is compromised, leading to attacks and compromising of internal systems, affecting confidentiality, integrity and availability of systems and data", each valued (1.0, 0.5, 100.0, 50.0, Med): Bind, RPC, Apache, User accounts, Sendmail, SNMP, SSH, NIS/NFS, OpenSSL, Squid, Linux kernel and Exim; ACL failure (0.5, 0. ... cut off in extraction). Remaining cells garbled in extraction.]
25. References
United States Dept. of Commerce, National Institute of Standards and Technology. Risk Management Guide for Information Technology Systems. Washington: NIST, July 2002. URL: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
Hansche, Susan; Berti, John; Hare, Chris. Official (ISC)2 Guide to the CISSP Exam. Boca Raton: Auerbach, 2004.
Netfilter Organization. Documentation found at http://www.netfilter.org/documentation/index.html
Jones, Alan. Netfilter and IPTables: A Structural Examination. GSEC Practical, Feb 2004.
Nemeth, Snyder, Hein. Linux Administration Handbook. Prentice Hall PTR, 2002.
Zwicky, Cooper and Chapman. Building Internet Firewalls, 2nd Edition. O'Reilly and Associates, June 2000. Page 746.
SANS Track 7, Section 7.3, Auditing Web Applications.
Belani, Rohyt. "Basic Web Session Impersonation." SecurityFocus, 14 April 2004. URL: http://www.securityfocus.com/infocus/1774
Nikto CGI scanning tool. URL: http://www.cirt.net/code/nikto.shtml
Brutus brute force cracking tool. URL: http://www.hoobie.net/brutus/index.html
Carnegie Mellon Software Engineering Institute. URL: http://www.cert.org/nav/index_red.html (Advisories and Incidents)
Internet Software Consortium (writers of BIND). URL: http://www.isc.org/products/BIND/bind-security.html (additional security issues with BIND)
SANS Top 10 Unix vulnerabilities. URL: http://www.sans.org/top20/#u1
Garfinkel, Spafford and Schwartz. Practica (entry cut off in extraction)
(Figure 9, continued: output from rpm -qa; the left edge of this column is cut off in the source)
...arg-5.0-4
...6d-5.0-7
...ocalpics-5.0-3
chroot-bind-5.0-21
chroot-dhcpc-5.0-17
chroot-dhcps-5.0-17
chroot-ident-5.0-18
chroot-ipsec-5.0-28
chroot-ppp-5.0-20
chroot-pppoe-5.0-24
chroot-pptp-5.0-22
chroot-pptpc-5.0-19
chroot-smtp-5.0-21
chroot-snort-5.0-28
ch
root-socks-5.0-17
...eed-http, ...eed-pop, ...eed-smtp (versions cut off)
...p2date
...ool-pop, ...ool-smtp, ...ool-weed-1.0-324
...rpopper-1.1-112
...apwrapper-1.4
...hcp-chroot-server-3.0.1rc9-4301
...p-webadmin-external-helpers-5.0-93
...p-webadmin-helpers-5.0-95
...p-webadmin-log-helpers-5.0-7
...p-contentfilter-templates-5.0-5
...p-defaults-5.0-48
...p-defaults-kaspersky-5.0-10
...p-confd-default-config-5.0-3
...p-bootsplash-5.0-6
...p-aua-5.0-36
...p-init-5.0-63
...p-mdw-5.0-103
...p-selfmon-5.0-42
...p-webadmin-lang-us-5.0-88
...p-weed-0.3-347
...p-wool-http-1.0-324
...p-wool-squid-1.0-324
jeff@astaro:/home/jeff>
Figure 9: Output from rpm -qa

sudo nmap -sT -O 10.1.0.2

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-09-19 11:57 EDT
Warning:  OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on 10.1.0.2:
(The 1658 ports scanned but not shown below are in state: filtered)
PORT    STATE SERVICE
443/tcp open  https
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux Kernel 2.4.19 - 2.4.20
Uptime 0
(Figure 9, continued: output from rpm -qa)
zip-2.3-49001
timezone-2.2.5-21301
terminfo-5.2-40202
gzip-1.3-32601
libgcc-3.2.2-3801
libstdc++-3.2.2-3801
db-4.0.14-1940
iproute2-2.4.7-49501
g3utils-1.1.28-25402
mgetty-1.1.28-25402
cracklib-2.7-71601
pam-0.76-10901
libxcrypt-1.1-5401
sh-utils-2.0-37702
sudo-1.6.6-510
vlan-1.6-7401
libcap-1.92-22601
perl-5.8.0-11501
perl-XML-Parser-2.31-4001
perl-XML-Simple-1.08-4301
perl-Unix-Syslog-0.98-2601
perl-MIME-Lite-2.117-2601
perl-MIME-Types-0.16-6801
perl-HTML-Tagset-3.03-30001
perl-HTML-Parser-3.26-3901
lilo-22.3.2-5701
gpg-1.0.7-9401
openssl-0.9.6g-11401
heimdal-lib-0.4e-20701
cyrus-sasl-1.5.27-28001
openldap2-client-2.1.4-7001
shadow-4.0.2-36502
vim-6.1-19401
aaa_base-2003.3.27-5504
ash-0.2-64101
util-linux-2.11u-9502
mktemp-1.5-48201
k_deflt-2.4.21-21503
kbd-1.06-16901
openssh-3.4p1-26301
ps-2003.10.7-101
pam-modules-2002.8.29-1201
xntp-4.1.1-28902
rpm-3.0.6-5540
expat-1.95.4-4101
pcre-3.9-13101
libpcap-0.7.1-17601
tcpdump-3.7.1-35101
netcfg-2002.9.4-1301
logrotate-3.5.9-19801
hertp-3.1.3-5501
cron-3.0.1-83901
hwinfo-5.62-10
gmp-4.0-14901
rrdtool-1.0.39-5701
des-4.04b-5180
rsync-2.5.5-1340
hdparm-5.2-330
freetype2-2.0.9-8701
libxml2-2.5.11-121
xmlwrapp-0.4.1-13
libxslt-1.0.26-12
apache2-2.0.49-31
syslog-ng-1.6.0rc4-21
ez-ipupdate-3.0-5
perl-Mail-SpamAssassin-2.63-6
spamassassin-2.63-6
smbclient-3.0.1-4
sarg-1.4.1-2
pcmcia-cs-3.2-7
(Vulnerability/threat/impact/risk table, continued)

The following rows share one threat and one impact:
Threat: DoS attack (cell partly illegible).
Impact: Firewall could crash periodically, affecting availability of services.

Vulnerability | Vuln. value | Threat value | Impact value | Risk value | Realizable risk
ACL failure at edge | 0.5 | 0.5 | 50.0 | 12.5 | Low
Bind | 1.0 | 0.5 | 50.0 | 25.0 | Low
RPC | 1.0 | 0.5 | 50.0 | 25.0 | Low
Apache | 1.0 | 0.5 | 50.0 | 25.0 | Low
User accounts | 1.0 | 0.5 | 50.0 | 25.0 | Low
Clear-text services | 1.0 | 0.5 | 50.0 | 25.0 | Low
Sendmail | 1.0 | 0.5 | 50.0 | 25.0 | Low
SNMP | 1.0 | 0.5 | 50.0 | 25.0 | Low
NIS/NFS | 1.0 | 0.5 | 50.0 | 25.0 | Low
OpenSSL | 1.0 | 0.5 | 50.0 | 25.0 | Low

Vulnerability | Threat | Impact | Vuln. value | Threat value | Impact value | Risk value | Realizable risk
Lack of change management procedures | Unscheduled downtime | Firewall or a subset of its rules could impede services that should be allowed to function. This would affect the availability of some or all services through the firewall. | 1.0 | 1.0 | 50.0 | 50.0 | Med

Current State of Practice

There are many resources available on the Internet that can help in a firewall implementation and audit. Below are listed several of these that were used in preparing and performing this audit.

These are some general sites for systems security:

NIST: The National Institute of Standards and Technology has a vast collection of Special Publications that can be found at http://csrc.nist.gov/publications/nistpubs/index.html. These include several on securing IT systems in addition to those dealing with security policy and procedure.

NSA: The National Security Agency has published several guides on securing systems. These can be found at http://ww
31. Astaro User Manual. URL: http://docs.astaro.org/ACM_manuals/
32. Neohapsis. Exim Buffer Overflow. URL: http://archives.neohapsis.com/archives/secunia/2004-q2/0284.html
(Figure 13, continued: output from iptables -L)

The preceding chain hands off to the AUTO_ and USR_ chains (targets such as ...FORWARD and AUTO_INPUT, all protocols, anywhere to anywhere) and carries a rule matching state RELATED,ESTABLISHED.

Chain AUTO_INPUT (1 references)
Target column not legible for most rules. The rules match: icmp from anywhere; tcp from 10.10.0.0/24 with spts:tcpmux:65535; tcp from anywhere with spts:tcpmux:65535; tcp from anywhere with spts:1024:65535 (twice); tcp from 10.10.0.0/24 with spts:domain:65535; udp from 10.10.0.0/24 with spts:domain:65535; tcp with spts:tcpmux:65535; icmp from astaro.mycompany.com to anywhere. The two fully legible rules are:
LOGDROP    tcp  --  anywhere      anywhere    tcp spts:tcpmux:65535 dpt:smtp
ACCEPT     udp  --  10.10.0.10    anywhere    udp spts:1024:65535 dpt:snmp

Chain AUTO_OUTPUT (1 references)
target     prot opt source    destination
ACCEPT     tcp  --  anywhere  10.1.0.10    tcp spts:domain:65535 dpt:domain OWNER CMD match named
ACCEPT     udp  --  anywhere  10.1.0.10    udp spts:domain:65535 dpt:domain OWNER CMD match named
ACCEPT     tcp  --  anywhere  anywhere     tcp spts:1024:65535 dpt:http OWNER CMD match squidf
ACCEPT     tcp  --  anywhere  anywhere     tcp spts:...:65535 dpt:http OWNER CMD match hyperdyper
ACCEPT     tcp  --  anywhere  anywhere     tcp spts:...:65535 OWNER CMD match squidf
ACCEPT     tcp  --  anywhere  anywhere     tcp s... (output cut off)
(Figure: syslog-ng.conf, part 1)

options { group(log); log_fifo_size(1000); long_hostnames(off); owner(root); perm(0640); stats(43200); sync(0); };

######################################################################
# section 1: astaro.mycompany.com
######################################################################
source s_local_asl {
    unix-dgram("/dev/log");
    internal();
    pipe("/proc/kmsg" log_prefix("kernel: "));
    unix-stream("/var/chroot-dhcps/dev/log");
    unix-stream("/var/chroot-dhcpc/dev/log");
    unix-stream("/var/chroot-ipsec/dev/log");
    unix-stream("/var/chroot-pop3/dev/log");
    unix-stream("/var/chroot-pppoe/dev/log");
    unix-stream("/var/chroot-snort/dev/log");
    unix-stream("/var/chroot-pptpc/dev/log");
    unix-stream("/var/chroot-weed/dev/log");
    unix-stream("/var/chroot-snmp/dev/log");
    unix-stream("/var/chroot-socks/dev/log");
    unix-stream("/var/chroot-squid/dev/log");
    unix-stream("/var/chroot-ident/dev/log");
    unix-stream("/var/chroot-pptp/dev/log");
    unix-stream("/var/chroot-ppp/dev/log");
    unix-stream("/var/chroot-bind/dev/log");
    unix-stream("/var/chroot-smtp/dev/log");
    unix-stream("/var/chroot-http/dev/log");
};

# destination and log statements for astaro.mycompany.com
filter f_astaro       { match("(INFO|WARN|CRIT|DEBUG) ... [0-9]"); };   # pattern partly illegible in the source
filter f_ainfo        { level(info); };
filter f_ainfo_notif  { level(notice); };
filter f_awarn        { level(warning); };
filter f_awarn_notif  { l
Description of the Environment

The firewall to be audited is slated to replace an existing packet-screening firewall router and will become the primary perimeter defense for the corporate network. It should be noted, however, that the packet-screening router should remain in place in order to maintain defense in depth. The figure below depicts the new environment while also displaying the devices to be used in the audit.

[Figure: Simplified Network Diagram. Internal side: NMS, PCs on 10.10.0.128/25, host 10.10.0.10, host 10.10.0.30; other addresses in the figure are illegible.]

The audit will be performed on a test segment using test hardware. The following table lists the devices used in this audit.

Role | Make/Model | Processor | RAM | Drive | OS
Firewall | Dell GX1 | Pentium III | 128 MB | | Astaro Linux 5.0.14
Sniffer | Dell GX50 | | 128 MB | 15 GB | Fedora Core 2
(role illegible) | Dell GX1 | | 128 MB | | Fedora Core 2
Attacker | Mac PowerBook | | | 60 GB | Mac OS X 10.3.4

The firewall should be placed behind the packet-screening router but would still be the primary perimeter defense. Because of its role it is critical that the firewall performs as expected, i.e. that it is configured to match the firewall policy.

Purpose of the Audit

Generally, a firewall should control the only entry point, or choke point, into a private network. Its role must be not only to control what
GIAC GSNA Certification
Auditing Networks, Perimeters and Systems
GSNA Practical Assignment, Version 3.2, Option 1

Auditing the Astaro Secure Linux Firewall: An Evaluation for Commercial Use
Jeff Groman
January 9, 2005

Copyright SANS Institute 2004. Author retains full rights. This paper is from the SANS IT Audit site. Reposting is not permitted without express written permission.

Table of Contents
Introduction
  Abstract
  Description of the Environment
  Purpose of the Audit
  Scope of the Audit
Vulnerabilities, Threats, Impacts and Risks
Current State of Practice
Audit Checklist
  Audit Steps
  Hands-off Phase
  Hands-on Phase
Conducting the Audit
From the outside: nmap -sT -O 10.1.0.2. This will map the ports in use by the firewall and try to fingerprint the OS from the outside. An attacker would likely probe similarly; it is important to see what an attacker would see.

From the inside: nmap 10.10.0.1. It is necessary to know which ports are open or in use on the inside of the firewall.

Nessus will be run using all applicable plugins. Note: the Nessus plugins change frequently, and those applicable to a Linux firewall can be found in several of the plugin categories. Therefore it is recommended to manually go through all applicable categories and check the individual plugins before starting a scan.

Evidence:
Findings:

STEP 4 (V3): Firewall configuration doesn't match corporate firewall policy
Reference: Netfilter Organization documentation, http://www.netfilter.org/documentation/index.html; Jones, Alan, "Netfilter and IPTables: A Structural Examination", GSEC Practical, Feb. 2004; Nemeth, Snyder, Hein, Linux Administration Handbook, Prentice Hall PTR, 2002, pages 679-683; Zwicky, Cooper and Chapman, Building Internet Firewalls, 2nd Edition, O'Reilly and Associates, June 2000, page 746.
Risk: After the initial firewall configuration is completed, it is imperative that the rule set be compared with the corporate policy to verify that they match. Furth
[Figure: syslog-ng.conf, continued (log statements for astaro.mycompany.com; the extraction interleaved the columns, so only the following pieces are legible). Each log statement takes source(s_local_asl), applies one filter and writes to one destination with flags(final). Legible filters: f_syslog { facility(syslog); }, f_crond { facility(cron); }, f_kernel { facility(kern); }, f_iptbl (match pattern ending in CP_PACKET, cut off) and f_synlim (match pattern beginning SY, cut off). Legible destinations: d_astaro.mycompany.com_system0 { file("/var/log/system.log" template("$YEAR $MONTH $DAY $HOUR $MIN $SEC $HOST $MSG\n")); }, d_astaro.mycompany.com_packetfilter0 and d_astaro.mycompany.com_packetfilter1 (files packetfilter.log and packetfilter1.log, same template), several program("/usr/local/...") destinations whose paths are cut off, and log statements routing filter f_astaro to destination d_notif.]
jeff@astaro:/home/jeff> uname -a
Linux astaro.mycompany.com 2.4.21-21503-default #1 Wed May 5 15:40:13 UTC 2004 i686 unknown
Figure 3: Output from uname -a

[Figure 4: Output from top (screenshot; the OCR is largely illegible). Legible values: top at 11:56:26; 116 processes total, 2 running, 113 sleeping, 0 stopped, 1 zombie. Processes shown include confd and selfmonng.pl (root), top (jeff), init, keventd, ksoftirqd_CPU0, kswapd, bdflush, kupdated, kinoded, several kjournald kernel threads, and a perl process running /usr/local/bin/reporter/admin-reporter.]
Audit Report
  Executive Summary
  Audit Findings
  Audit Recommendations
References

Introduction

Abstract

Historically it has not been cost effective for the small office to employ a stateful firewall, the only options being high-end firewall packages or appliances. Lately, however, products have been introduced that are priced not only for the small business but are even aimed at the consumer market. Moreover, with the advent of the Linux 2.4 kernel and iptables, which replaced the venerable ipchains, this functionality comes bundled with any Linux distribution.

With that backdrop, this audit addresses a firewall replacement project in a smaller environment where the current firewall consists of packet filtering on a Cisco 2621 router. The organization has determined that the Astaro firewall package is a good fit since it runs on inexpensive Intel-based hardware and comes with many add-ons such as virus protection, spam filtering and VPN termination, as well as commercial support. However, before purchasing this product they want a comprehensive audit done of both the firewall features and the underlying OS.
[Figure: syslog-ng.conf, continued (templates and destinations; columns interleaved by the extraction). Legible pieces: template_escape(no) on destinations d_pck..., d_astaro.mycompany.com_packetfilter0 and d_astaro.mycompany.com_packetfilter1, with flags(final); filter f_portscan { match("Portscan detected"); } feeding destination d_astaro.mycompany.com_portscan0 { file("/var/log/portscan.log" template("$YEAR $MONTH $DAY $HOUR $MIN $SEC $HOST $MSG\n")); } from source s_local_asl through f_kernel and f_portscan; destination d_astaro.mycompany.com_kernel0 { file("/var/log/kernel.log" template(...)); } fed from s_local_asl via m_kernel0; filter f_auth { facility(auth); }; filter f_sshd { program("sshd"); } to d_astaro.mycompany.com_sshd0; filter f_sulogin { program("su"); } to d_astaro.mycompany.com_login0 with flags(final); filter f_pluto { program("plut... (cut off)]
are not. Certain accounts, including uucp and nuucp, are almost never used anymore. UUCP is the Unix-to-Unix Copy Protocol and was originally used in dial-up networks to retrieve mail and news. Furthermore, many accounts that are required for services to run do not require a login. These include bin, sys, daemon and nobody.

Compliance is based on disabling unnecessary accounts and verifying that passwords comply with the rules for strong passwords.
Test Nature: Objective
Evidence:
Findings:

STEP 10 (V9): Clear-text services
Reference: SANS Top 10 Unix vulnerabilities, http://www.sans.org/top20/#u5; personal experience.
Risk: Clear-text services are a high risk because they send login credentials unencrypted. Thus, if someone were sniffing the network using a tool like dsniff, they could obtain the credentials to compromise the firewall and access the internal network. Since this is a firewall, there is no need to run services such as ftp and telnet. All of these types of services can be shut off without affecting the service of the firewall itself.
Testing and Compliance: Since the auditor has already verified that RPC services are shut off (see V9), the focus will shift to ftp, telnet, http and smtp. The only service that the firewall may run is the latter, and that only to send notification alerts to the firewall administrators. It jus
jeff@astaro:/home/jeff> ps ax | grep named
 4763 pts/0    R      0:00 grep named
jeff@astaro:/home/jeff>
Figure 19: Is bind running?

named is not running, but is found in /var/chroot-bind/usr/bin/named. Furthermore, when nslookup was pointed to use the firewall as its server, it just times out. This is confirmed by the nmap output above, which shows that the port was closed (see Figure 11). In addition, Nessus found no vulnerabilities (see Figure 12 above).

The firewall is running BIND version 8.4.4, which is a compliant version in the version 8 code train. PASS

Step 8 (V7): Apache
Evidence:
jeff@astaro:/home/jeff> /usr/sbin/httpd -v
Server version: Apache/2.0.49
Figure 20: Apache version

jeff@astaro:/home/jeff> ps axu | grep http
root       408  0.0  0.5  5300  240 ?  S  /usr/sbin/httpd -f /etc/httpd/httpd.conf
wwwrun     766  0.0  0.5  5300  436 ?  S  /usr/sbin/fcgi -f /etc/httpd/httpd.conf
root       970  0.0  0.0  5184   92 ?  S  /usr/sbin/localhttpd -f /etc/httpd/httpd-loopback.conf
wwwrun     982  0.0  0.0  5196       ?  S  /usr/sbin/localhttpd -f /etc/httpd/httpd-loopback.conf
wwwrun     983  0.0  0.0  5196       ?  S  /usr/sbin/localhttpd -f /etc/httpd/httpd-loopback.conf
wwwrun     985  0.0  0.0  5196       ?  S  /usr/sbin/localhttpd -f /etc/httpd/httpd-loopback.conf
wwwrun    4511  0.8  1.9  5544       ?  S  /usr/sbin/httpd -f /etc/httpd/httpd.conf
wwwrun    4514  0.5  1.8  5544       ?  S  /usr/sbin/httpd -f /e
based on sendmail running 8.12.10 or later. Preferably, sendmail would not be installed on the firewall at all.
Test Nature: Objective
Evidence:
Findings:

STEP 12 (V11): SNMP vulnerabilities
Reference: SANS Top 10 Unix vulnerabilities, http://www.sans.org/top20/#u7; CERT SNMP Advisory, http://www.cert.org/advisories/CA-2002-03.html
Risk: SNMP agents have become notorious over the last couple of years for being vulnerable to several types of attacks. Many devices use these agents for network management purposes, especially for alerting administrators when certain events occur. The concern here is that these vulnerabilities could be used as an attack vector in order to compromise the firewall.
Testing and Compliance: Since the Astaro firewall uses SNMP for administrative alerts, it needs to be verified that the firewall isn't listening for SNMP messages but rather only sending traps periodically. The auditor needs to scan from both interfaces to verify this condition; the nmap scan performed above can be referenced. Note that the nmap scans shown are TCP connect (-sT) and ping (-sP) scans, while an SNMP agent listens on udp/161, so a UDP scan (nmap -sU -p 161 against each interface) is needed to show that nothing is listening. The Nessus scan will also be referenced to determine if default or easily guessed community strings are being used. It must also be determined if SNMP traps are being sent using a default community string. The only way to determine this is to capture the SNMP trap packets. A network sniffer such as dsniff can be used for
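Once the traps have been captured, the auditor needs to read the community string out of each packet and compare it with the well-known defaults. The following Python is an added example, not part of the paper or of Astaro's software. It decodes just enough BER to read the SNMP message header (version, community, PDU type) from the UDP payload of a captured trap, and, because no real capture is available offline, also builds a constructed SNMPv1 trap to run against. The enterprise OID, agent address (10.10.0.1), trap destination port (udp/162) and the community strings used in the sample are assumptions; the pcap handling (for example tcpdump -s0 -w on the sniffer) is left to the capture tool.

```python
"""Added example: extract the community string from SNMP trap packets
and flag default values. The trap built here is constructed for the
demonstration; real input is the UDP payload of packets captured on
udp/162 (an assumption about where the firewall sends its traps)."""

DEFAULT_COMMUNITIES = {"public", "private"}
PDU_TRAP_V1 = 0xA4      # SNMPv1 Trap-PDU, context tag [4]
PDU_TRAP_V2 = 0xA7      # SNMPv2c SNMPv2-Trap-PDU, context tag [7]


def _ber_len(n):
    """BER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def _ber_int(value):
    """Minimal two's-complement INTEGER (non-negative values suffice here)."""
    size = max(1, (value.bit_length() + 8) // 8)
    return _tlv(0x02, value.to_bytes(size, "big", signed=True))


def _ber_oid(arcs):
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_v1_trap(community, enterprise=(1, 3, 6, 1, 4, 1, 8072),
                  agent=b"\x0a\x0a\x00\x01", generic=6, specific=1, ticks=12345):
    """Constructed SNMPv1 trap in the RFC 1157 layout (agent 10.10.0.1 assumed)."""
    pdu = (_ber_oid(enterprise)
           + _tlv(0x40, agent)                        # IpAddress, APPLICATION 0
           + _ber_int(generic) + _ber_int(specific)
           + _tlv(0x43, ticks.to_bytes(4, "big"))     # TimeTicks, APPLICATION 3
           + _tlv(0x30, b""))                         # empty variable-bindings
    return _tlv(0x30, _ber_int(0) + _tlv(0x04, community.encode()) + _tlv(PDU_TRAP_V1, pdu))


def _read_tlv(buf, pos):
    """Return (tag, body, position after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(packet):
    """Decode version, community and PDU type from a v1/v2c message."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, ver, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    tag, community, pos = _read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    pdu_type, _, _ = _read_tlv(msg, pos)
    version = int.from_bytes(ver, "big", signed=True)
    return {"version": {0: "v1", 1: "v2c"}.get(version, "unknown"),
            "community": community.decode("latin-1"),
            "pdu_type": pdu_type}


def assess_trap(packet):
    """Audit verdict for one captured packet: is it a trap, is the community a default?"""
    info = parse_snmp_header(packet)
    info["is_trap"] = info["pdu_type"] in (PDU_TRAP_V1, PDU_TRAP_V2)
    info["default_community"] = info["community"].lower() in DEFAULT_COMMUNITIES
    return info


if __name__ == "__main__":
    for comm in ("public", "s3cr3t-traps"):
        print(assess_trap(build_v1_trap(comm)))
```

SNMPv3 messages carry no community string and start with a different header, so parse_snmp_header raises on them; that is the desired outcome, since a v3 trap is the finding the auditor wants to see.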
browser-based interface. Another area of concern involves the current configuration of the firewall. Some less critical features have not been configured properly and should be addressed. These include the use of the Network Time Protocol (NTP), which is used to synchronize log entries, and the lack of log file rotation.

Aside from the technical aspects of the audit, other procedural issues also came up. These include the lack of a comprehensive firewall policy. A firewall policy is used to outline in plain language the firewall rules. Furthermore, a firewall policy should outline the procedure for updating the policy and, consequently, for making changes to the firewall itself. It is also crucial that the firewall administrators get the required training in order to be proficient at configuring the firewall. As cited above, studies have shown that a large portion of outages result from misconfiguration. This last point cannot be emphasized strongly enough.

Overall, a few issues came to light from this audit. However, none of them should be construed as reasons to change the project plan for the implementation of the firewall. Certain steps that have been outlined in this section need to be taken, but aside from these the implementation plan is sound.

References
# ... but simply deny all others.
lpd : foo.bar.com : spawn (/bin/echo "%h printer access" | mail -s "tcp_wrappers on %H" root) &
#
# Example 2: grant access from local net, reject with message from elsewhere.
in.telnetd : ALL EXCEPT LOCAL : ALLOW
in.telnetd : ALL : twist /bin/echo -e "\n\raccess from %h declined.\n\rGo away."; sleep 2
#
# Example 3: run a different instance of rsyncd if the connection comes from
# network 172.20.0.0/24, but regular for others:
rsyncd : 172.20.0.0/255.255.255.0 : twist /usr/local/sbin/my_rsyncd-script
rsyncd : ALL : ALLOW
jeff@astaro:/home/jeff>
Figure 8: Contents of /etc/hosts.allow

jeff@astaro:/home/jeff> rpm -qa
filesystem-2002.9.2-5608
glibc-2.2.5-21301
attr-2.4.2-5501
acl-2.0.19-7601
fileutils-4.1.11-10701
ncurses-5.2-40202
readline-4.3-5301
bash-2.05b-5301
fillup-1.10-3201
gdbm-1.8.0-68901
binutils-2.12.90.0.15-5001
bzip2-1.0.2-5101
popt-1.6-35601
zlib-1.1.4-510
diffutils-2.8.1-4901
e2fsprogs-1.34-38
file-3.37-2060
findutils-4.1.7-43501
gawk-3.1.1-32701
grep-2.5.1-840
iputils-ss020124-45701
iptables-1.2.9-7
joe-2.9.8-1300
less-376-3101
modutils-2.4.25-5301
net-tools-1.60-45501
nacctd-0.71-4
netcat-1.10-61201
netdiag-20010114-13901
recode-3.6-2400
sash-3.4-50401
sed-3.02.80-530
devs-2002.10.4-901
sysvinit-2.82-36401
tar-1.13.25-460
textutils-2.1-3901
STEP 19 (V18): Exim buffer overflow
Reference: Neohapsis, Exim Buffer Overflow, http://archives.neohapsis.com/archives/secunia/2004-q2/0284.html
Risk: The firewall should not be accepting SMTP connections from the outside; rather, it should only use the mail server to send messages to the administrators. This fact alone limits the exposure of any vulnerabilities in the mail transport agent (MTA). However, since this is a firewall server, it is better not to rely solely on the configuration: the firewall should be secure even if the mail application is misconfigured.
Testing and Compliance: As of version 4.32 the vulnerability has been fixed. Therefore the first step is to ascertain which version our firewall is running:
    exim -bV
Furthermore, header syntax checking should also be disabled. First locate the configuration file:
    find / -name exim.conf
Once found, check two lines to see if they have been changed from their default values. There are actually two vulnerabilities that have been found in versions prior to 4.32:
    grep -i sender_verify exim.conf
The value should be false.
    grep -i headers_check_syntax exim.conf
If the value is header_syntax then this is exploitable. It also needs to be determined that Exim is only configured to send mail and not to listen for incoming mail. Generally, if it is configured to receive mail it will be running with the -bd option. Compliance is based on
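The four checks above (version, sender_verify, header-syntax verification, and whether the daemon listens) amount to one small audit routine that can be applied to captured output rather than typed on the firewall. The following Python is an added example, not from the paper or from the Exim project: it takes the text of exim -bV, the configuration file and a ps listing and returns the findings. The sample texts are constructed; 4.32 is the fix version the paper cites (kept as a parameter so it can be adjusted); the exact format of the exim -bV line and the ACL syntax in the sample are assumptions about Exim 4 output.

```python
"""Added example: offline audit of the Exim checks described above.
Inputs are the captured text of `exim -bV`, the Exim configuration
file and `ps ax` output; the sample texts below are constructed."""
import re

FIXED_VERSION = (4, 32)   # version the paper cites as carrying the fix

SAMPLE_BV = "Exim version 4.30 #1 built 03-Dec-2003 15:16:38\n" \
            "Copyright (c) University of Cambridge 2003\n"
SAMPLE_CONF = """# constructed fragment of exim.conf
primary_hostname = astaro.mycompany.com
sender_verify = true      # should be false
acl_check_rcpt:
  require verify = header_syntax
  accept
"""
SAMPLE_PS = """  PID TTY      STAT   TIME COMMAND
  412 ?        S      0:00 /usr/sbin/exim -bd -q15m
  980 pts/0    R      0:00 ps ax
"""


def exim_version(bv_output):
    """(major, minor) from the first line of `exim -bV`."""
    m = re.search(r"^Exim version (\d+)\.(\d+)", bv_output, re.M)
    if not m:
        raise ValueError("no Exim version line found")
    return int(m.group(1)), int(m.group(2))


def _settings(conf_text):
    """Yield (key, value) pairs from the config with comments stripped."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            yield key.strip().lower(), value.strip().lower()


def audit_exim(bv_output, conf_text, ps_output, fixed=FIXED_VERSION):
    """Return version, list of findings, and an overall compliance verdict."""
    findings = []
    version = exim_version(bv_output)
    if version < fixed:
        findings.append("version %d.%d predates the fixed release %d.%d" % (version + fixed))
    for key, value in _settings(conf_text):
        if key == "sender_verify" and value in ("true", "yes"):
            findings.append("sender_verify is enabled")
        if key == "headers_check_syntax" and value in ("true", "yes"):
            findings.append("headers_check_syntax is enabled")
        if key.endswith("verify") and "header_syntax" in value:
            findings.append("ACL performs header_syntax verification")
    for line in ps_output.splitlines():
        # a listening daemon shows -bd; a queue runner alone (-q15m) does not listen
        if "exim" in line and re.search(r"\s-bd\b", line):
            findings.append("exim is listening as a daemon (-bd)")
    return {"version": version, "findings": findings, "compliant": not findings}


if __name__ == "__main__":
    report = audit_exim(SAMPLE_BV, SAMPLE_CONF, SAMPLE_PS)
    print("Exim %d.%d" % report["version"])
    for finding in report["findings"]:
        print(" -", finding)
    print("compliant:", report["compliant"])
```

The process check is the one that matters for the risk statement above: a queue runner started with -q alone only delivers outbound notifications, while -bd opens the SMTP listener that would expose the flaw to the network.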
d:5d:21:28 (fingerprint, cut off)
SSHv2 host key fingerprint: 5c:c7:8d:7e:87:00:6f:3b:0f:22: (cut off)
Nessus ID: 10881

For your information, here is the traceroute to 10.10.0.1:
10.10.0.100
10.10.0.1
Nessus ID: 10287

Remote OS guess: Linux Kernel 2.4.0 - 2.5.20
CVE: CAN-1999-0454
Nessus ID: 11268

This file was generated by Nessus, the open-sourced security scanner.
Figure 12: Results of Nessus scan

Findings: Many packages have been installed in a chroot environment, and tcp_wrappers is installed as well. But the most significant find is an ssh vulnerability found by Nessus. This will be expanded upon below. The Nessus output also reports the banner SSH-1.99-OpenSSH_3.4p1; the 1.99 means the daemon still offers protocol 1 alongside protocol 2, so setting Protocol 2 in sshd_config is a fix separate from upgrading the version.

STEP 4 (V3): Firewall configuration does not match corporate firewall policy
While working with the client it was learned that no firewall policy exists. The auditor came up with a boilerplate policy that the client could take and customize later. The following list shows the generic firewall policy.

Ports allowed:
  o Inside network, outbound: WWW, ICMP echo request, FTP, DNS, NTP (for 2 servers), SMTP (from the mail server)
  o Inside network, inbound: SMTP to the mail server
  o Packet filtering done at the edge router:
      Block inbound: RFC 1918, multicast, bogon, NetBIOS, SNMP, spoofed private addresses, destination of firewall DMZ interface IP
      Block outbound: RFC 1918, NetBIOS, SNMP, source of firewall DMZ interface IP
Firewa
(Vulnerabilities table, continued)
Squid cache buffer overflow | High
Linux kernel vulnerability | High
Syslog-ng not configured for log rotation, etc. | High
Exim buffer overflow | High
NTP not being used for log synchronization | Med

The following list shows the possible threats and the likelihood of them occurring. However, the values do not indicate any possible impacts, just the likelihood of the threats occurring.

Threat | Value
Environmental:
  Fire, flood or other disaster | Low
  Unauthorized access | High
  Firewall hardware failure | Low
Operational:
  Firewall can be breached (allows traffic through that it should not) | High
  Firewall overtaxed relative to hardware and traffic loads | Low
  DoS attack directed at firewall | Low
  Administrator error | High
  Unscheduled downtime | High
  Attacks being ignored (no one is monitoring the logs) | High
  Logs cannot be synchronized, so forensic data will be lost | High
Underlying Linux OS:
  Attacker compromises OS | Low
  DoS attack directed at OS | Low

In order to calculate the risk associated with each vulnerability/threat pair, the NIST Risk Management Guide was referenced. Each risk value was obtained by multiplying the values for vulnerability, threat and impact together. The following table shows the values used in the calculation.

              | Low | Medium | High
Vulnerability | 0.1 | 0.5    | 1
are not completely cryptographically safe, so they should not be used.
Solution: If you use OpenSSH, set the option 'Protocol' to '2'. If you use SSH.com's server, set the option 'Ssh1Compatibility' to 'no'.
Risk factor: Low
Nessus ID: 10882

(Report index: Warning ssh (22/tcp); Informational ssh (22/tcp); Informational ssh (22/tcp); Informational ssh (22/tcp); Informational general/udp; Informational general/tcp)

Warning, ssh (22/tcp):
You are running OpenSSH-portable 3.6.1 or older. There is a flaw in this version which may allow an attacker to bypass the access controls set by the administrator of this server. OpenSSH features a mechanism which can restrict the list of hosts a given user can log in from by specifying a pattern in the user's key file (i.e. *.mynetwork.com would let a user connect only from the local network). However, there is a flaw in the way OpenSSH does reverse DNS lookups. If an attacker configures his DNS server to send a numeric IP address when a reverse lookup is performed, he may be able to circumvent this mechanism.
Solution: Upgrade to OpenSSH 3.6.2 when it comes out.
Risk factor: Low
CVE: CAN-2003-0386, BID: 7831
Nessus ID: 11712

Informational, ssh (22/tcp): An ssh server is running on this port. Nessus ID: 10330
Informational, ssh (22/tcp): Remote SSH version: SSH-1.99-OpenSSH_3.4p1. Nessus ID: 10267
Informational, ssh (22/tcp): The remote SSH daemon supports the following versions of the SSH protocol: (list cut off). SSHv1 host key fingerprint: 92:36:49:b5:ec:c6:bd:39:a9:39:3e:e6:d
ermore, before any future changes are made to the firewall, the policy needs to be updated. If the firewall rule set does not match the policy, then one of two outcomes will result: either the firewall will be blocking that which it should not, resulting in lack of availability, or the firewall will not be blocking what it should, risking one or more compromised systems on the inside, which could result in a lack of confidentiality, integrity and/or availability.
Testing and Compliance: By issuing the following command, a dump of the firewall configuration is redirected into a text file. The -L (list) parameter lists all chains regardless of interface:
    iptables -L > fwconfig.txt
Adding -n keeps addresses and ports numeric instead of resolving them to names such as "anywhere" or "http", -v shows the interfaces and packet counters per rule, and -t nat lists the NAT table, which -L alone omits; all three make the line-by-line comparison more reliable.
This file can then be compared with the firewall policy line by line to verify that implementation matches policy. Compliance is based on the output actually matching both what the policy allows and what the policy denies. However, the auditor cannot merely trust the output of the firewall application; he needs to test the firewall policy as well. This can be accomplished by placing an attacking PC on the outside and victim and sniffing PCs on the inside. The auditor can then test by scanning across the firewall and then trying to connect to the victim PC on different ports. The first step will be to probe across the firewall. This will be used as
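The line-by-line comparison described above is mechanical enough to script, and scripting it catches the two failure modes the risk statement names: an ACCEPT the policy never granted, and a policy flow with no rule to carry it. The following Python is an added example, not from the paper or from Astaro: it parses numeric iptables -L -n output into rules, checks the user forward chain against a policy list built from the boilerplate policy in this audit, and confirms that the chain ends in a catch-all deny. The dump is constructed in the style of the paper's Figure 13; the mail server (10.10.0.25) and NTP server (10.10.0.10, 10.10.0.20) addresses and the USR_FORWARD/LOGREJECT names are assumptions modelled on the paper's output.

```python
"""Added example: compare an `iptables -L -n` dump against the written
policy. The dump and the policy addresses below are constructed for the
demonstration (mail server 10.10.0.25 and NTP servers 10.10.0.10/.20 are
assumptions); chain and target names follow the paper's Astaro output."""
import ipaddress
import re
from collections import namedtuple

Rule = namedtuple("Rule", "chain target proto src dst dport")

ANY, INSIDE, MAIL = "0.0.0.0/0", "10.10.0.0/24", "10.10.0.25"
NTP_SERVERS = ("10.10.0.10", "10.10.0.20")
DENY_TARGETS = {"DROP", "REJECT", "LOGDROP", "LOGREJECT"}   # last two: Astaro chains

# Policy entries: (protocol, source, destination, destination port or ICMP type).
POLICY = [
    ("tcp", INSIDE, ANY, "80"),            # WWW
    ("icmp", INSIDE, ANY, "8"),            # ICMP echo request
    ("tcp", INSIDE, ANY, "21"),            # FTP
    ("udp", INSIDE, ANY, "53"),            # DNS
    ("udp", NTP_SERVERS[0], ANY, "123"),   # NTP, two servers only
    ("udp", NTP_SERVERS[1], ANY, "123"),
    ("tcp", MAIL, ANY, "25"),              # SMTP out, mail server only
    ("tcp", ANY, MAIL, "25"),              # SMTP in, to the mail server
]

SAMPLE_DUMP = """\
Chain USR_FORWARD (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  10.10.0.0/24         0.0.0.0/0            tcp dpt:80
ACCEPT     icmp --  10.10.0.0/24         0.0.0.0/0            icmp type 8
ACCEPT     tcp  --  10.10.0.0/24         0.0.0.0/0            tcp dpt:21
ACCEPT     udp  --  10.10.0.0/24         0.0.0.0/0            udp dpt:53
ACCEPT     udp  --  10.10.0.10           0.0.0.0/0            udp dpt:123
ACCEPT     udp  --  10.10.0.20           0.0.0.0/0            udp dpt:123
ACCEPT     tcp  --  10.10.0.25           0.0.0.0/0            tcp dpt:25
ACCEPT     tcp  --  10.10.0.0/24         0.0.0.0/0            tcp dpt:23
LOGREJECT  all  --  0.0.0.0/0            0.0.0.0/0

Chain USR_INPUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  10.10.0.0/24         0.0.0.0/0            tcp dpt:22
"""


def _dport(extra):
    """Destination port or ICMP type from the match column, else 'any'."""
    m = re.search(r"dpt:(\d+)", extra) or re.search(r"icmp ?type (\d+)", extra)
    return m.group(1) if m else "any"


def parse_iptables(text):
    """Turn `iptables -L -n` output into Rule tuples, chain by chain."""
    rules, chain = [], None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        fields = line.split(None, 5)
        if chain is None or len(fields) < 5 or fields[0] == "target":
            continue
        target, proto, _opt, src, dst = fields[:5]
        src, dst = (ANY if a == "anywhere" else a for a in (src, dst))
        extra = fields[5] if len(fields) > 5 else ""
        rules.append(Rule(chain, target, proto, src, dst, _dport(extra)))
    return rules


def _within(addr, net):
    """True when the rule's address or prefix lies inside the policy network."""
    try:
        return ipaddress.ip_network(addr, strict=False).subnet_of(
            ipaddress.ip_network(net, strict=False))
    except (ValueError, TypeError):
        return False


def _covers(entry, rule):
    proto, src, dst, dport = entry
    return (rule.proto == proto and rule.dport == dport
            and _within(rule.src, src) and _within(rule.dst, dst))


def check_policy(rules, policy, chain="USR_FORWARD"):
    """ACCEPTs the policy never granted, policy flows no rule allows,
    and whether the chain's last rule is a catch-all deny."""
    chain_rules = [r for r in rules if r.chain == chain]
    accepts = [r for r in chain_rules if r.target == "ACCEPT"]
    unexpected = [r for r in accepts if not any(_covers(e, r) for e in policy)]
    missing = [e for e in policy if not any(_covers(e, r) for r in accepts)]
    last = chain_rules[-1] if chain_rules else None
    default_deny = (last is not None and last.target in DENY_TARGETS
                    and last.proto == "all" and last.src == ANY and last.dst == ANY)
    return {"unexpected": unexpected, "missing": missing, "default_deny": default_deny}


if __name__ == "__main__":
    report = check_policy(parse_iptables(SAMPLE_DUMP), POLICY)
    for r in report["unexpected"]:
        print("not in policy:", r)
    for e in report["missing"]:
        print("policy flow has no ACCEPT rule:", e)
    print("chain ends in default deny:", report["default_deny"])
```

On the constructed dump the telnet rule (dpt:23) is reported as not in the policy and inbound SMTP to the mail server as a policy flow with no rule, which are exactly the two outcomes the risk statement above describes. The comparison is deliberately strict on ports: a rule allowing a port range would show up as unexpected and has to be justified by hand.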
Two types of tests need to be performed here. The first is scanning of the web server for CGI vulnerabilities. The second test is to try and brute-force the login page to verify that strong passwords are being used for the admin account(s). The CGI scanners used for this test are Nessus and Nikto. These were chosen because of their reputations, ease of use and functionality. Nessus will be used to check the general configuration of the web server, while Nikto will be utilized with its SSL capabilities to delve further. For brute-forcing the passwords themselves, the auditor can use something like Brutus with stunnel, L0phtCrack or authforce.
The auditor will concentrate his efforts on the inside interface. He will refer back to the nmap output obtained in step V3 to determine whether an attack from the outside interface is warranted. The auditor will also refer back to the Nessus scan made earlier. Compliance is based on Nessus not finding any known vulnerabilities that can be exploited; only notices and possibly warnings should result. All of these will be listed with the findings.
Nikto will be used as follows:
    nikto -h 10.10.0.1 -port 443 -ssl -verbose
Compliance is based on Nikto not finding any critical vulnerabilities. Anything found will be listed in the findings.
The auditor will forgo the brute-force attack on the passwords. This is due to the use of weak passwords in the test environment. However, these passwords need to be
[Figure 29 (continued): excerpt of syslog-ng.conf. Recoverable content: filters f_acrit (level crit or alert) and f_acrit_notif (level emerg); program() destinations d_notif (/usr/local/bin/notifier.pl), d_adminrr and d_smtprr (admin and smtp reporter scripts under /usr/local/bin/reporter), d_socksrr, d_pcktrr, d_cfrr, d_ipsrr, d_vpnrr, d_sarg_a and d_sarg_b, each with a YEAR/MONTH/DAY/HOUR/MIN/SEC HOST MSG template and template_escape(no); and remote destinations d_astaro_mycompany_com_logging0 fed from log source s_local_asl. The column layout of the listing is not recoverable.]
firewall passed and how the percentages broke down between low, medium and high.

Audit Steps Fail

The important fact to note is that the firewall did not fail any high vulnerability tests. Most of the tests that the firewall failed were based on the use of older versions of software packages. This issue will be elaborated upon in the next section.

Audit Recommendations

Since several software packages which make up the firewall are out of date, the first step in mitigation must be to update the firewall to its latest version. Ideally, those audit steps that failed should be retried at that point. Moreover, a plan or routine should be put into place whereby new patches are periodically installed on the firewall. The Astaro firewall also features an auto-update function. Either method is reasonable, manual or automatic, as long as it is agreed upon and documented.

In addition to these steps, the packet filtering router can be used to protect the firewall against would-be outside attackers. Since the routing hardware exists and the router sits between the Internet and the firewall, this would be a zero-cost option which could tremendously increase network security from outside attacks.

To protect against inside attacks, ACLs should be configured either on the firewall or on an internal router to allow only distinct hosts access to ssh and to the
example/emailAddress=firewall@domain.example
    Subject: /C=DE/ST=BW/L=Karlsruhe/O=Astaro AG/CN=firewall.domain.example/emailAddress=firewall@domain.example
    + Start Time: Sun Sep 19 13:15:55 2004
    - Scan is dependent on "Server" string which can be faked, use -g to override
    + Server: Apache
    - No CGI Directories found (use '-C all' to force check all possible dirs)
    + Checking for CGI in: (Server category identified as 'apache', if this is not correct please use -g to force a generic scan)
    + 1832 server checks loaded
    + 200 for GET: /
    + 404 for GET: /zentrack/index.php
    + 1832 items checked - 1 item(s) found on remote host(s)
    + End Time: Sun Sep 19 13:22:04 2004 (369 seconds)

Figure 17: Output from nikto

Findings: As mentioned above, the brute force attack against the administrator's password was not attempted. This step is critical and needs to be performed later. That being said, the output from nikto showed no vulnerabilities or issues with the web application. As mentioned above, the firewall web interface is accessible via the outside interface (refer to figure 10 above). This needs to be turned off in the firewall configuration.

PASS

STEP 6 (V5): Bind

Evidence: The bind binary, named, was not found in a usual location (/sbin or /usr/sbin). It appears that it has been placed in a chroot'ed jail.

    jeff@astaro:/home/jeff> /var/chroot/bind/usr/sbin/named -v
    named 8.4.4 Wed Mar 31 18:47:49 CEST 2004

Figure 18: Output from named -v

The firewall is running bind 8.4.4.

    jeff@ast
Figure 30: Sample logs to verify that logging is taking place

Findings: Logging is currently set for log files to be retained forever, and this was confirmed through the web gui. The firewall seems to have a separate disk partition just for the logs. Depending on the size of the drives on the production firewall platform, this may not be practical. Therefore this should be revisited once the production hardware is acquired. The firewall also supports remote log archival, which would be a good practice regardless of disk sizes.

PASS

STEP 20 (V19): NTP

Evidence:

    astaro:/var/storage/chroot-smtp/bin # ps ax | grep ntp
    5709 pts/0 R 0:00 grep ntp
    astaro:/var/storage/chroot-smtp/bin #

Figure 31: NTP is not running

    astaro:/var/storage/chroot-smtp/bin # cat /etc/ntp.conf
    ##############################################################################
    # /etc/ntp.conf
    #
    # Sample NTP configuration file.
    # See package xntp-doc for documentation, Mini-HOWTO and FAQ.
    # Copyright (c) 1998 S.u.S.E. GmbH Fuerth, Germany.
    #
    driftfile /var/lib/ntp/ntp.drift    # path for drift file
    logfile /var/log/ntp                # alternate log file
    # logconfig =syncstatus + sysevents
    keys /etc/ntp.keys                  # path for keys file
    trustedkey 1 2 3 4 5 6 14 15        # define trusted keys

Figure 32: NTP is not configured

Findings: It is clear that ntp is not running, nor is it configured, either as a
attention.

Test Nature: Subjective
Evidence:
Findings:

STEP 2 (V2): Evaluate administrator knowledge and training level

Reference: Personal experience.

Risk: Since many service outages are the result of different types of administrator error, it is critical to ascertain the level of experience and knowledge of the firewall administrator. This shouldn't be taken as a personal affront; it is commonplace for a person to be responsible for many distinct platforms while not being properly trained on all of them. Indeed, it is this auditor's experience, for example, that a truly proficient network engineer might not understand how to manage a Linux firewall.

Compliance Testing: This can only be accomplished by interviewing the individual(s) responsible for maintaining the firewall platform. The following is a short list of questions that need to be asked:

• Have you received any training on the firewall platform?
• What is your background in firewall and ACL configuration?
• Who has access to read or modify the firewall configuration?
• What is your current procedure for making changes to the firewall rule set?
  o Is there a procedure for changing the firewall policy before making changes to the firewall?
  o What are the criteria for deciding if the change should be made?
• How often are changes made to the firewall?

Test Nature: Subjective
Evidence:
Firewalls, Todd Bennett: http://www.itsecurity.com/papers/p5.htm
• Auditing Your Firewall Setup, Lance Spitzner: http://www.spitzner.net/audit.html
• Auditing a Checkpoint Firewall: http://www.giac.org/practical/GSNA/Kevin_Liston_GSNA.pdf
• Auditing an Internet Firewall from an ISO17799 perspective: http://www.giac.org/practical/GSNA/Richard_Seiersen_GSNA.pdf

More references are mentioned below at each audit step. These include web sites that pertain to specific vulnerabilities and technical books that address the topics.

Audit Checklist

The following is a subset of the vulnerabilities listed above. They were chosen based on the scope of the audit and the level of risk and significance.

Vulnerability (Reference No.)
V1  Physical access
V2  Administrator knowledge and training
V3  Firewall configuration does not match corporate firewall policy
V4  Firewall management interface (web) passwords weak, can be brute forced
V5  Bind (named)
V6  RPC
V7  Apache (httpd)
V8  Unnecessary user accounts, weak or no password
V9  Clear text services
V10 Sendmail
V11 SNMP
V12 SSH
V13 Misconfiguration of NIS/NFS
V14 OpenSSL
V15 Squid cache buffer overflow
V16 Linux kernel vulnerability
V17 Syslog-ng not configured for log rotations, etc.
V18 Exim buffer overflow
V19 NTP not being used for logging synchronization
is to verify the version of squid running:

    squid -v

If this is a vulnerable version, the next step is to determine if the vulnerable ntlm binary is being used. This can be determined by checking the squid.conf file:

    find / -name squid.conf
    grep ntlm squid.conf

Squid version 2.5.STABLE5 and earlier are vulnerable. The squid.conf file needs to be checked for the string ntlm_auth. If it is not being referenced in squid.conf, then the installation is not vulnerable. Compliance is based on the firewall running neither a vulnerable version of squid nor the ntlm_auth binary.

Test Nature: Objective
Evidence:
Findings:

STEP 17 (V16): Linux kernel vulnerabilities

Reference:
• Security Focus, Multiple Linux Kernel Vulnerabilities, URL: http://www.securityfocus.com/bid/9985
• CERT, Linux Kernel Vulnerability, URL: http://www.kb.cert.org/vuls/id/301156

Risk: It goes without saying that if the kernel is vulnerable, at the very least the firewall could suffer a DoS attack, or it could be compromised altogether. Thus this becomes a critical issue.

Testing and Compliance: The only action is to determine which kernel is running:

    uname -a

This issue has been resolved as of the 2.4.23 kernel. Compliance is based on running a kernel version of 2.4.23 or later.

Test Nature: Objective
Evidence:
Findings:

STEP 18 (V17): Syslog-ng not configu
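The two version checks above (squid 2.5.STABLE5 or earlier plus an ntlm_auth reference, and a kernel older than 2.4.23) are easy to get wrong by eye because of Squid's STABLE numbering. The following is an added example, not from the paper: it parses `squid -v`, `uname -a` and squid.conf text and applies exactly the thresholds stated in the two steps. The sample outputs are constructed.

```python
import re

# Thresholds as stated in the audit steps above.
SQUID_LAST_VULNERABLE = (2, 5, 5)   # 2.5.STABLE5 and earlier
KERNEL_FIXED = (2, 4, 23)           # resolved as of 2.4.23

# Constructed sample tool output and configuration (not from the audited host).
SQUID_V_SAMPLE = "Squid Cache: Version 2.5.STABLE5\nconfigure options: --enable-auth=ntlm\n"
UNAME_SAMPLE = "Linux astaro 2.4.21-99-default #1 SMP Thu Mar 4 2004 i686 unknown\n"
SQUID_CONF_SAMPLE = """\
# auth_param ntlm program /usr/bin/ntlm_auth  (commented out: not in effect)
auth_param ntlm program /usr/local/squid/libexec/ntlm_auth mydomain/myserver
auth_param ntlm children 5
"""


def parse_squid_version(squid_v_output):
    """'Squid Cache: Version 2.5.STABLE5' -> (2, 5, 5); no STABLE suffix -> patch 0."""
    m = re.search(r"Version (\d+)\.(\d+)(?:\.STABLE(\d+))?", squid_v_output)
    if not m:
        raise ValueError("no Squid version found in %r" % squid_v_output)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def parse_kernel_version(uname_output):
    """'Linux host 2.4.21-99-default ...' -> (2, 4, 21); ignores the distro suffix."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)", uname_output)
    if not m:
        raise ValueError("no kernel version found in %r" % uname_output)
    return tuple(int(x) for x in m.groups())


def squid_conf_references_ntlm(squid_conf_text):
    """True only if an uncommented squid.conf line mentions ntlm_auth."""
    for line in squid_conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        if "ntlm_auth" in stripped:
            return True
    return False


def squid_check(squid_v_output, squid_conf_text):
    """Apply the step's compliance rule: neither a vulnerable version nor ntlm_auth."""
    vulnerable_version = parse_squid_version(squid_v_output) <= SQUID_LAST_VULNERABLE
    ntlm = squid_conf_references_ntlm(squid_conf_text)
    return {"vulnerable_version": vulnerable_version,
            "ntlm_referenced": ntlm,
            "compliant": not vulnerable_version and not ntlm}


def kernel_compliant(uname_output):
    """Tuple comparison handles 2.4.9 < 2.4.23 correctly, unlike a string compare."""
    return parse_kernel_version(uname_output) >= KERNEL_FIXED


if __name__ == "__main__":
    print("squid:", squid_check(SQUID_V_SAMPLE, SQUID_CONF_SAMPLE))
    print("kernel compliant:", kernel_compliant(UNAME_SAMPLE))
```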
...ist.
    Note that several distribution patched this hole without cha
    the version number of OpenSSH. Since Nessus solely relied
    banner of the remote SSH server to perform this check, this
    be a false positive.
    If you are running a RedHat host, make sure that the com
    rpm -q openssh-server
    Returns:
    openssh-server-3.1p1-13 (RedHat 7.x)
    openssh-server-3.4p1-7 (RedHat 8.0)
    openssh-server-3.5p1-11 (RedHat 9)

    Solution: Upgrade to OpenSSH 3.7.1
    See also: http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375452423794&w=2
              http://marc.theaimsgroup.com/?l=openbsd-misc&m=1063
    Risk factor: High
    CVE: CAN-2003-0682, CAN-2003-0693, CAN-2003-0695
    BID: 8628
    Nessus ID: 11837

    You are running OpenSSH-portable 3.6.1p1 or older.
    If PAM support is enabled, an attacker may use a flaw in th
    to determine the existence or a given login name by compa
    the remote sshd daemon takes to refuse a bad password fo
    login compared to the time it takes to refuse a bad passwo
    valid login.
    An attacker may use this flaw to set up a brute force attack
    the remote host.
    Nessus did not check whether the remote SSH daemon
    using PAM or not, so this might be a false positive.
    Solution: Upgrade to OpenSSH-portable 3.6.1p2 or newer
    Risk Factor: Low
    CVE: CAN-2003-0190
    BID: 7342, 7467, 7482
    Nessus ID: 11574

    The remote SSH daemon supports connections made using the
    version 1.33 and/or 1.5 of the SSH protocol. These protocols ar
it is configured.

[Figure 1: Log rotation section of the Astaro manual (screenshot of the WebAdmin page on configuring the log files; its text is not recoverable from the scan)]

Compliance is based on utilizing any means of achieving log rotations and log retention.

Test Nature: Objective
Evidence:
Findings:
whether the version is free of vulnerabilities, the references above should be checked. Generally, the latest version of OpenSSH is preferred.

Test Nature: Objective
Evidence:
Findings:

STEP 14 (V13): Misconfiguration of NIS/NFS

Reference:
• SANS Top 10 Unix vulnerabilities, URL: http://www.sans.org/top20/#u9
• Nemeth, Snyder, Hein. Linux Administration Handbook. Prentice Hall PTR, 2002. Chapters 17 and 18.

Risk: Many vulnerabilities in these services have come out over the years, including buffer overflows, DoS and weak authentication. Any of these could be targeted and exploited by an internal host. In fact, it could even happen by a misconfigured Unix-like server. Since the firewall has no need to run either of these services, it needs to be verified that they are turned off and, if possible, not even installed on the device.

Testing and Compliance: Verify that NIS is off:

    ps ax | grep ypbind
    ps ax | grep ypserv
    ps ax | grep nscd

Verify that NFS is off:

    ps ax | grep nfsd

Compliance is based on neither NFS nor NIS running.

Test Nature: Objective
Evidence:
Findings:

STEP 15 (V14): OpenSSL vulnerabilities

Reference:
• CERT OpenSSL Multiple Vulnerabilities, URL: http://www.cert.org/advisories/CA-2002-23.html
• OpenSSL Security Advisory, URL: http://www.openssl.org/news/secadv_20040317
[Figure 16: Ethereal packet capture (hex dump of the captured packets; not recoverable from the scan)]

Findings: The output from iptables indicates that the firewall is configured correctly. However, this had to be tested empirically as well. The output from nmap and hping, correlated with our sniffing box running ethereal, proves that, at least for the tests that were run, the firewall is behaving as expected. Referring back to the nmap scan run above, the web interface is listening on both Ethernet interfaces. This should be shut off on the external interface. The Astaro firewall web interface provides a method for doing just that. It also provides a feature to block an IP that tries to brute force attack the password to login.

PASS

STEP 5 (V4): Firewall management interface

Evidence:

    - Nikto 1.32/1.27 - www.cirt.net
    + Testing open ports for web servers
    + Checking for HTTP on port 10.10.0.1:443
    + Checking for HTTPS on port 10.10.0.1:443
    + Target IP:       10.10.0.1
    + Target Hostname: 10.10.0.1
    + Target Port:
    + SSL Info: Ciphers: EDH-RSA-DES-CBC3-SHA
                Info:    /C=DE/ST=BW/L=Karlsruhe/O=Astaro AG/CN=firewall.domain.example/emailAddress=firewall@domain
Practical Unix and Internet Security. O'Reilly and Associates, February 2003. Chapters 13 and 15.
• Apache Security (version 1.3), URL: http://www.apacheweek.com/features/security-13
• Apache Security (version 2.0), URL: http://www.apacheweek.com/features/security-20
• Costales, Bryan and Allman, Eric. sendmail. O'Reilly and Associates, November 1997.
• CERT SNMP Advisory, URL: http://www.cert.org/advisories/CA-2002-03.html
• CERT OpenSSH Challenge Response Handling Vulnerability, URL: http://www.cert.org/advisories/CA-2002-18.html
• CERT OpenSSH Buffer Management Vulnerability, URL: http://www.cert.org/advisories/CA-2003-24.html
• OpenSSH Security Page, URL: www.openssh.org/security.html
• CERT OpenSSL Multiple Vulnerabilities, URL: http://www.cert.org/advisories/CA-2002-23.html
• OpenSSL Security Advisory, URL: http://www.openssl.org/news/secadv_20040317.txt
• CIAC Squid NTLM Buffer Overflow, URL: http://www.ciac.org/ciac/bulletins/o-168.shtml
• Squid Security Advisory, URL: http://www.squid-cache.org/Advisories/SQUID-2004_2.txt
• Security Focus, Multiple Linux Kernel Vulnerabilities, URL: http://www.securityfocus.com/bid/9985
• CERT Linux Kernel Vulnerability, URL: http://www.kb.cert.org/vuls/id/301156
• Syslog-ng Home Page, URL: http://www.balabit.com/products/syslog-ng
• Syslog-ng FAQ, URL: http://www.campin.net/syslog-ng/faq.html#compression
• Configuring syslog-ng, URL: http://sial.org/howto/logging/syslog-ng
will be done from the inside interface. The nessus scan will be referred to in order to determine if there were any bind vulnerabilities. Compliance is based on running version 8.3.7 or later, or 8.4.3 or later, and that internal devices cannot connect to our firewall for the purpose of name resolution. Compliance is not necessarily based on chroot being used, but this is still recommended.

Test Nature: Objective
Evidence:
Findings:

STEP 7 (V6): RPC vulnerabilities

Reference:
• SANS Top 10 Unix vulnerabilities, URL: http://www.sans.org/top20/#u2
• Garfinkel, Spafford and Schwartz. Practical Unix and Internet Security. O'Reilly and Associates, February 2003. Chapters 13 and 15.

Risk: Many vulnerabilities exist both in the RPC functions themselves and in those applications that use RPC. If one of these vulnerabilities were combined with a threat, the firewall would be compromised. Moreover, there is no reason for a firewall to run RPC. Its services are not required for the basic functionality. Therefore it should be verified that RPC is not running.

Testing and Compliance: To verify that no RPC services are running, the first step is to check the processes that are running, using ps and netstat:

    ps ax | grep rpc
    ps ax | grep portmap
    netstat -a | grep portmap
    ps ax | grep nfs

Next, check that inetd or xinetd don't start RPC services
• Firewall not accessible to the Internet; only the DMZ interface may have a public address
• Procedures for updating the firewall rules and moving them into production
• Procedures for updating firewall software

Firewall rules translated to the client's network:

[Rule table; only the "Any / Any" source and destination entries survive the scan]

Evidence:

    jeff@astaro:/home/jeff> iptables -L

[Beginning of Figure 13, `iptables -L` output. Recoverable content: Chain INPUT (policy DROP) with ACCEPT state RELATED,ESTABLISHED, SPOOFING_PROTECTION, HA, SANITY_CHECKS, AUTO_INPUT, USR_INPUT and LOGDROP; Chain FORWARD (policy DROP) with ACCEPT state RELATED,ESTABLISHED, SPOOFING_PROTECTION, SANITY_CHECKS, AUTO_FORWARD, USR_FORWARD and LOGDROP; Chain OUTPUT (policy DROP) with ACCEPT, HA, SANITY_CHECKS, AUTO_OUTPUT, USR_OUTPUT and LOGDROP; followed by AUTO_ chains containing ACCEPT and LOGDROP rules for dpt:ssh, dpt:https, dpt:domain and http. The column layout is not recoverable.]
[Figure 29: Output from syslog-ng.conf. Recoverable content: remote destinations d_astaro_mycompany_com_ipsec0, _login0, _contentfilter0, _smtp0 and _sshd0, each with a YEAR/MONTH/DAY/HOUR/MIN/SEC HOST MSG template; filters f_authpriv (facility authpriv), f_mail, f_spamd (facility mail, program spamd), f_smtp (program exim), f_kernel, f_sshd, f_sulogin and f_mingetty (program mingetty); local file destinations for /var/log/sshd.log, /var/log/login.log and /var/log/ipsec.log with template_escape(no); log statements tying source s_local_asl to these filters and destinations, several with flags(final). The column layout of the listing is not recoverable.]
ports (80, 8000, 8080, etc.), and the Apache configuration file will be checked directly. The nmap scan performed earlier can be referenced.

    grep -i listen /etc/httpd.conf

If httpd is listening for http in addition to https, this needs to be turned off in the httpd.conf file. Note that httpd.conf may be located in another location, e.g. /usr/local/httpd/etc. Exim needs to be verified that it is configured to only send mail and not to receive it (see V18 below). Compliance is based on ftp, telnet and http not running on this system.

Test Nature: Objective
Evidence:
Findings:

STEP 11 (V10): Sendmail vulnerabilities

Reference:
• SANS Top 10 Unix vulnerabilities, URL: http://www.sans.org/top20/#u6
• Costales, Bryan and Allman, Eric. sendmail. O'Reilly and Associates, November 1997.

Risk: The Astaro firewall should not be running sendmail, since it uses exim, but this needs to be verified. If it is running, it can be a source of additional exposures.

Testing and Compliance: First, it needs to be determined if sendmail is running:

    ps ax | grep sendmail

If sendmail is not running, it needs to be determined whether sendmail is even installed on the firewall:

    rpm -qa | grep sendmail
    find / -name sendmail

If it is in fact installed on the server, which version is it?

    sendmail -d0.1 < /dev/null | grep -i version

Compliance is
    # ...pport      package     daemon path                 name
    # ssh           openssh     /usr/sbin/sshd              sshd, sshd-fwd-x11, sshd-fwd-<port>
    # quota                     /usr/sbin/rpc.rquotad       rquotad
    # tftpd                     /usr/sbin/in.tftpd          in.tftpd
    # portmap                   /sbin/portmap               portmap
    #   The portmapper does not verify against hostnames to prevent hangs.
    #   It only checks non-local addresses.
    # kernel nfs server
    #               nfs-utils   /usr/sbin/rpc.mountd        mountd
    #               nfs-utils   /sbin/rpc.statd             statd
    # unfsd (userspace nfs server)
    #               nfs-server  /usr/sbin/rpc.mountd        rpc.mountd
    #               nfs-server  /usr/sbin/rpc.ugidd         rpc.ugidd
    # printing services
    #               lprng       /usr/sbin/lpd               lpd
    #               cups        /usr/sbin/cupsd             cupsd
    #   The cupsd server daemon reports to the cups error logs,
    #   not to the syslog(3) facility.
    #
    # All of the other network servers such as samba, apache or X have their
    # own access control scheme that should be used instead.
    #
    # In addition to the services above, the services that are started on
    # request by inetd or xinetd use tcpd to wrap the network connection.
    # tcpd uses the last component of the server pathname as a token to
    # match a service in /etc/hosts.{allow,deny}. See the file
    # /etc/inetd.conf for the token names.
    #
    # The following examples work when uncommented:
    #
    # Example 1: Fire up a mail to the admin if a connection to the printer
    # daemon has been made from host foo.bar.com
[Continuation of Figure 13, `iptables -L` output: AUTO_OUTPUT rules using the OWNER match (OWNER CMD match squid, hyperdyper, weed, net_ct, exim, syslog-ng and aus) that ACCEPT tcp from spts 1024:65535 to http and http-alt, udp to dpts 33000:34000, icmp type 8 code 0, tcp to smtp, udp syslog to astaro.mycompany.com and udp dpt:ntp to 10.1.0.10, followed by the start of Chain HA. The column layout is not recoverable.]
for logging synchronization (V19)

Audit Steps

Hands-Off Phase

While all steps in the audit are technical in nature, these first two steps are administrative and operational. These steps are not actually part of the scope of the audit but are mentioned here for completeness.

STEP 1 (V1): Verify physical access is controlled

Reference:
• Hansche, Susan, Berti, John and Hare, Chris. Official (ISC)2 Guide to the CISSP Exam. Boca Raton: Auerbach, 2004. Chapter 7 gives a great overview of what items should exist on a checklist.
• Personal experience.

Risk: In a computing environment, physical access is tantamount to ownership. Operating systems allow a user with physical access to shut down and reset the system, gain access to the operating system and sometimes even reset passwords. Thus it is imperative to maintain strict procedures for who can access these devices. Moreover, the physical environment must be secured.

Testing and Compliance: Compliance is based on a checklist including the following:

• Fire suppression
• Surveillance
• Door locks, with procedures for handing out and collecting keys
• Door codes, with procedures for handing out and changing of codes
• Badge access, with procedures for obtaining, activating and deactivating badges

From physical inspection and interviews, the auditor may find other unique critical items needing attent
red for log rotations, etc.

Reference:
• Syslog-ng Home Page, URL: http://www.balabit.com/products/syslog-ng
• Syslog-ng FAQ, URL: http://www.campin.net/syslog-ng/faq.html#compression
• Configuring syslog-ng, URL: http://sial.org/howto/logging/syslog-ng
• Astaro User manual, URL: http://docs.astaro.org/ACM_manuals
• Personal experience.

Risk: Log rotation is a double-edged sword. On the one hand, as log files get large they are difficult to manage and extract data from, and can even fill up the file system. On the other hand, if the log rotation overwrites files after a certain period, older logs can get lost. A good policy is one that keeps the files to 10MB or so and deposits older log files into a separate file system without overwriting older log files. Since this is a firewall, those old logs are needed; it may be necessary to refer back to them sometime in the future. Note that 10MB is a general rule of thumb derived from personal experience: Perl and other script languages can take a long time to chug through files much larger than 10MB.

Testing and Compliance: Since there are several ways to configure syslog-ng and log rotation in general, it will be necessary to check the GUI to see how logs are configured and look at the configuration files on the server. This can be documented after the fact. Check the syslog-ng.conf file. It should have a directive that rotates logs periodically. Also check the user interface and see how
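The rotation policy stated in the Risk paragraph (rotate at roughly 10MB, move the old file to a separate archive file system, never overwrite an earlier archive) is small enough to show as code. This is an added example, not the paper's or Astaro's own rotation mechanism; the archive directory, the file names and the `max_bytes` parameter are assumptions chosen for illustration.

```python
import os
import shutil
import time

MAX_BYTES = 10 * 1024 * 1024  # the ~10MB rule of thumb from the text


def archive_name(archive_dir, base, stamp):
    """Pick a path under archive_dir that does not exist yet, so an earlier
    archive with the same timestamp is never overwritten."""
    candidate = os.path.join(archive_dir, "%s.%s" % (base, stamp))
    n = 1
    while os.path.exists(candidate):
        candidate = os.path.join(archive_dir, "%s.%s.%d" % (base, stamp, n))
        n += 1
    return candidate


def rotate_if_large(log_path, archive_dir, max_bytes=MAX_BYTES, stamp=None):
    """Move log_path into archive_dir when it exceeds max_bytes and start a
    fresh empty log. Returns the archive path, or None if no rotation was needed.
    archive_dir is assumed to be on the separate file system the text recommends;
    shutil.move copies across file systems where a rename is not possible."""
    if os.path.getsize(log_path) <= max_bytes:
        return None
    os.makedirs(archive_dir, exist_ok=True)
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    dest = archive_name(archive_dir, os.path.basename(log_path), stamp)
    shutil.move(log_path, dest)
    open(log_path, "a").close()  # new, empty log in place of the old one
    return dest


if __name__ == "__main__":
    # Constructed demonstration on a throw-away directory.
    import tempfile
    work = tempfile.mkdtemp()
    log = os.path.join(work, "messages")
    with open(log, "w") as f:
        f.write("constructed log line\n" * 1000)
    print(rotate_if_large(log, os.path.join(work, "archive"), max_bytes=1024))
```

After the move the daemon still writes to the old inode until it reopens its files, so a real deployment signals syslog-ng (SIGHUP) right after the rotation.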
is that it is nearly impossible for a vendor to be at the latest version of Apache, since new versions come out frequently. While there is no strict requirement for running httpd as a non-root user, if it is running as root this will be noted.

Test Nature: Objective
Evidence:
Findings:

STEP 9 (V8): Unnecessary user accounts, weak or no password

Reference:
• SANS Top 10 Unix vulnerabilities, URL: http://www.sans.org/top20/#u4
• Garfinkel, Spafford and Schwartz. Practical Unix and Internet Security. O'Reilly and Associates, February 2003. Chapter 19.
• Personal experience.

Risk: User accounts that have either default or no passwords are potentially a direct attack vector. Thus all of the accounts that are not being used should be either disabled or deleted, or, if they are required, they should be given strong passwords and no login access.

Testing and Compliance: The first step is to verify which accounts are required and to identify those that need to be locked down:

    cat /etc/passwd

This will also indicate if shadow passwords are being used. If so, the second field in each entry should only have an asterisk or some other character rather than a hash value. Those accounts that are required but should never be logged in to should be login-disabled by setting their login shells to /bin/false. All login accounts should have strong passwords. The difficult part is determining which accounts are required and which
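The /etc/passwd review above reduces to a few mechanical checks: an empty second field (no password), a hash where a shadow marker should be, a second uid 0, and a real login shell on an account that is not on the list of required logins. The following is an added example (not from the paper) that applies those checks to a constructed /etc/passwd; the set of required login accounts is an input the auditor supplies.

```python
# Constructed /etc/passwd sample. "x" entries are shadowed, as the text expects;
# the last three lines are deliberately non-compliant.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:Daemon:/sbin:/bin/false
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
jeff:x:500:100:Jeff:/home/jeff:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
guest::501:100:Guest:/home/guest:/bin/bash
oldsvc:$1$abcdefgh$Zz9wq1Lk2mN3oP4qR5sT6.:0:100:Legacy:/home/oldsvc:/bin/sh
"""

# Shells that make an account login-disabled (the text uses /bin/false).
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
# Second-field values that mean "password lives in /etc/shadow" or "locked".
SHADOW_MARKERS = {"x", "*", "!", "!!"}


def parse_passwd(text):
    """Split passwd lines into dicts; raises on a malformed line rather than skipping it."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, pw, uid, gid, gecos, home, shell = parts
        rows.append({"name": name, "pw": pw, "uid": int(uid), "shell": shell})
    return rows


def audit_accounts(text, required_logins):
    """Return [(account, issue)] for every account that fails one of the checks
    described in the step. required_logins is the auditor's list of accounts
    that legitimately need an interactive shell."""
    issues = []
    for r in parse_passwd(text):
        if r["pw"] == "":
            issues.append((r["name"], "no password"))
        elif r["pw"] not in SHADOW_MARKERS:
            issues.append((r["name"], "hash stored in /etc/passwd, not shadowed"))
        if r["uid"] == 0 and r["name"] != "root":
            issues.append((r["name"], "additional uid 0 account"))
        if r["name"] not in required_logins and r["shell"] not in NOLOGIN_SHELLS:
            issues.append((r["name"], "login shell on account not required for login"))
    return issues


if __name__ == "__main__":
    for account, issue in audit_accounts(PASSWD_SAMPLE, {"root", "jeff"}):
        print("%-8s %s" % (account, issue))
```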
    using en0, addr: 10.1.0.5, MTU: 1500
    HPING 10.10.0.50 (en0 10.10.0.50): NO FLAGS are set, 40 headers + 500 data bytes

    --- 10.10.0.50 hping statistic ---
    1 packets tramitted, 0 packets received, 100% packet loss
    round-trip min/avg/max = 0.0/0.0/0.0 ms

    sudo hping 10.10.0.20 ec l J V 8 25 p ZE 50 0
    using en0, addr: 10.1.0.5, MTU: 1500
    HPING 10.10.0.20 (en0 10.10.0.20): NO FLAGS are set, 40 headers + 500 data bytes

    --- 10.10.0.20 hping statistic ---
    1 packets tramitted, 0 packets received, 100% packet loss
    round-trip min/avg/max = 0.0/0.0/0.0 ms

Figure 15: Output from hping

It is not clear whether these packets actually got through or not. True, there was no response, but that does not tell the entire story. Below is a portion of the packet capture, which shows that the smtp packets did go through. However, the other hping attempts do not show up on the sniff. Therefore the firewall seems to be acting as it is expected to.

[Packet capture screenshot (first part of Figure 16): the Ethereal packet list showing the smtp packets to 10.10.0.20; the text is not recoverable from the scan]
it needs to be verified that this is the case. First, inetd and xinetd must be checked to see if they are running telnet or ftp:

    grep telnet /etc/inetd.conf
    grep disable /etc/xinetd.d/telnet
    grep ftp /etc/inetd.conf
    grep disable /etc/xinetd.d/ftp

Second, it must be verified that these daemons are not running independently of the inet services:

    ps ax | grep ftp
    ps ax | grep telnet
    ps ax | grep rexecd
    ps ax | grep rlogind
    ps ax | grep rshd

If any of these tests yielded positive results, the appropriate lines in the inet configuration file(s) need to be commented out, or the daemons disabled directly in the rc.d directory.

As an example, here are two lines from a sample inetd.conf file:

    ftp   stream  tcp  nowait  root  /usr/sbin/ftpd  ftpd
    ftp   stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd

The first line is without tcp wrapper support and the second is with tcp wrapper support. In order to disable ftp in this example, just insert a # at the beginning of the line to form a comment.

Below is an example from an xinetd implementation:

    service ftp
    {
        disable     = yes
        socket_type = stream
        wait        = no
        user        = root
        server      = /usr/libexec/ftpd
        server_args =
        groups      = yes
        flags       = REUSE IPv6
    }

In this example, ftp is disabled from the disable line.

In order to test for http, the host will be scanned to verify it is not listening on those p
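The grep checks above answer "is the string there", but the decision actually rests on whether the inetd.conf line is commented out and whether the xinetd stanza says `disable = yes`. This added example (not from the paper) parses both formats the way the step interprets them, including xinetd's default of enabled when no `disable` line is present. The configuration texts are constructed, modelled on the two sample lines and the stanza quoted above.

```python
import re

# Constructed sample files (modelled on the snippets quoted in the text).
INETD_CONF = """\
# /etc/inetd.conf (constructed sample)
#ftp    stream  tcp  nowait  root  /usr/sbin/ftpd  ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
shell   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
"""

XINETD_FTP = """\
service ftp
{
    disable     = yes
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/libexec/ftpd
    groups      = yes
    flags       = REUSE IPv6
}
"""

XINETD_TELNET_NO_DISABLE_LINE = """\
service telnet
{
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
}
"""

# inetd/xinetd service names for the clear text services the step covers
# (ftp, telnet and the r-services: shell=rsh, login=rlogin, exec=rexec).
CLEAR_TEXT = {"ftp", "telnet", "shell", "login", "exec"}


def enabled_inetd_services(text):
    """Names of inetd.conf entries that are not commented out and have the
    full service/socket/proto/wait/user/server fields."""
    enabled = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 6:
            enabled.add(fields[0])
    return enabled


def xinetd_service_enabled(text):
    """(service name, enabled) for one /etc/xinetd.d file. xinetd treats a
    service as enabled unless 'disable = yes' is present."""
    name = re.search(r"^\s*service\s+(\S+)", text, re.M).group(1)
    m = re.search(r"^\s*disable\s*=\s*(\S+)", text, re.M)
    enabled = not (m and m.group(1).lower() == "yes")
    return name, enabled


def clear_text_findings(inetd_text, xinetd_files):
    """Sorted list of clear text services still enabled in either mechanism."""
    found = {s for s in enabled_inetd_services(inetd_text) if s in CLEAR_TEXT}
    for f in xinetd_files:
        name, on = xinetd_service_enabled(f)
        if on and name in CLEAR_TEXT:
            found.add(name)
    return sorted(found)


if __name__ == "__main__":
    print(clear_text_findings(INETD_CONF, [XINETD_FTP, XINETD_TELNET_NO_DISABLE_LINE]))
```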
    /etc/httpd/httpd.conf
    jeff   5365  0.0  0.3  1364 ... grep http
    jeff@astaro:/home/jeff>

Figure 21: httpd processes

The web server seems to be running as the user wwwrun; the important thing is that this is not root. Note that the httpd binary and localhttpd file are the same; the latter is merely a soft link to the former.

Findings: The firewall is not running the latest version of Apache, but no vulnerabilities were found. Still, the firewall should be brought up to the latest patch level.

PASS

Step 13 (V12): SSH

Evidence:

    0:00 /usr/sbin/sshd -4 -f /etc/ssh/sshd_config
    0:00 /usr/sbin/sshd -4 -f /etc/ssh/sshd_config
    0:00 /usr/sbin/sshd -4 -f /etc/ssh/sshd_config

Figure 22: sshd is running

    jeff@astaro:/home/jeff> /usr/sbin/sshd -V
    sshd: option requires an argument -- V
    sshd version OpenSSH_3.4p1
    Usage: sshd [options]
    Options:
      -f file    Configuration file (default /etc/ssh/sshd_config)
      -d         Debugging mode (multiple -d means more debugging)

Figure 23: Version of sshd

Findings: As shown above, nessus found that our version of ssh has a known vulnerability and a possible exploit. This needs to be updated before the firewall can be ready for production.

FAIL

STEP 15 (V14): OpenSSL

Evidence:

    openssl-0.9.6g-11401

Figure 24: openssl version taken from the rpm package

    jeff@astaro:/home/jeff>
74. traffic enters the internal network, but also what traffic leaves the network. That being said, the focus of this audit is to verify that this implementation will do just that. A firewall's ability to control the choke point is based on how it is configured. Therefore, the main area that this audit focuses on is verifying that the firewall configuration is correct. Additionally, it is critical that the firewall OS is secure, and that will be verified as well. Though it is reasonable to expect the firewall to perform as advertised, its performance will also be verified in this audit.

Scope of the Audit

This audit addresses only the firewall configuration (not the antivirus, antispam, vpn or other features of the Astaro firewall) and the underlying OS of the platform. Process, policy and procedure will be mentioned, but these can be separate audit projects in themselves. Specifically, the audit will examine the firewall configuration to assess whether it matches the firewall policy and determine if the firewall performs as expected. The Astaro firewall offers a robust set of features, but these same features can potentially introduce new vulnerabilities. Therefore, the audit must examine the individual processes running and determine if these processes introduce any additional exposures.

Vulnerabilities, Threats, Impacts and Risks

The following table
75. w.nsa.gov/snac

CIAC: The Department of Energy maintains an excellent site for its Computer Incident Advisory Capability. Information can be found regarding new vulnerabilities, bulletins and the like. Their home page is found at http://ciac.org/ciac/index.html

The German Federal Office for Information Security has published a Baseline Protection Manual which contains a lot of information about securing common IT platforms. It can be found at http://www.bsi.de/gshb/english/etc/index.htm

These are some specific sites for auditing:

OSSTMM: The Institute for Security and Open Methodologies hosts the Open Source Security Testing Methodology Manual, written by Pete Herzog. This can be found at http://www.isecom.org/osstmm

ISACA: The Information Systems Audit and Control Association published the IS Auditing Procedure "Firewalls" (Document 6), which is a comprehensive checklist for auditing a firewall and can be found at http://www.isaca.org/standard/procedure7.pdf

For this audit, the Astaro Security Linux WebAdmin User Manual was invaluable. The documentation can be found at http://docs.astaro.org/ACM_manuals

Avishai Wool, an assistant professor at Tel Aviv University, published an interesting paper describing the ways that firewalls are typically misconfigured. This paper can be found at http://www.eng.tau.ac.il/~yash/computer2004.pdf

There are many examples of firewall audits as well. Some are listed below:

o Auditing F