
Linux Security

Written By Sajib Barua on Sunday, August 19, 2012 | 10:35 PM

Introducing Linux Security
This chapter explains why you need to worry about security and offers a high-level view of how to get a handle on security. The idea of an overall security framework is explained and the two key aspects of security — host security and network security — are discussed. This chapter ends by introducing you to the terminology used in discussing computer security.
Why Worry about Security?
In today’s networked world, you have to worry about your Linux system’s security. For a standalone system or a system used in an isolated local area network (LAN), you have to focus on protecting the system from the users and the users from one another. In other words, you don’t want a user to modify or delete system files, whether intentionally or unintentionally, and you don’t want a user destroying another user’s files.
If your Linux system is connected to the Internet, you have to secure the system from unwanted accesses over the Internet. These intruders — or crackers, as they’re commonly known — typically impersonate a user, steal or destroy information, and even deny you access to your own system (known as a Denial of Service, or DoS, attack).
By its very nature, an Internet connection makes your system accessible to any other system on the Internet. After all, the Internet connects a huge number of networks across the globe. In fact, the client/server architecture of Internet services, such as HTTP (Web) and FTP, relies on the wide-open network access the Internet provides. Unfortunately, the easy accessibility of Internet services running on your system also means that anyone on the Net can easily access your system.
If you operate an Internet host that provides information to others, you certainly want everyone to access your system’s Internet services, such as FTP and Web servers. However, these servers often have vulnerabilities that crackers may exploit to harm your system. You need to know about the potential security risks of Internet services — and the precautions you can take to minimize the risk of someone exploiting the weaknesses of your FTP or Web server.
You also want to protect your company’s internal network from outsiders, even though your goal is to provide information to the outside world through your Web or FTP server. You can protect your internal network by setting up an Internet firewall — a controlled access point to the internal network — and placing the Web and FTP servers on a host outside the firewall.
Establishing a Security Framework
The first step in securing your Linux system is to set up a security policy — a set of guidelines that state what you enable users (as well as visitors over the Internet) to do on your Linux system. The level of security you establish depends on how you use the Linux system — and on how much is at risk if someone gains unauthorized access to your system.
If you’re a system administrator for one or more Linux systems at an organization, you probably want to involve company management, as well as the users, in setting up the security policy. Obviously, you can’t create a draconian policy that blocks all access. (That would prevent anyone from effectively working on the system.) On the other hand, if the users are creating or using data valuable to the organization, you have to set up a policy that protects the data from disclosure to outsiders. In other words, the security policy should strike a balance between the users’ needs and the need to protect the system.
For a standalone Linux system or a home system that you occasionally connect to the Internet, the security policy can be just a listing of the Internet services that you want to run on the system and the user accounts that you plan to set up on the system. For any larger organization, you probably have one or more Linux systems on a LAN connected to the Internet — preferably through a firewall. (To reiterate, a firewall is a device that controls the flow of Internet Protocol — IP — packets between the LAN and the Internet.) In such cases, thinking of computer security across the entire organization systematically is best. Figure 1-1 shows the key elements of an organizationwide framework for computer security.
Figure 1-1: Start with an organizationwide framework for computer security.
The security framework outlined in Figure 1-1 focuses on
  • Determining the business requirements for security
  • Performing risk assessments
  • Establishing a security policy
  • Implementing a cybersecurity solution that includes people, process, and technology to mitigate identified security risks
  • Continuously monitoring and managing security
The following sections discuss some of the key elements of the security framework.
Determining business requirements for security
The business requirements for security identify the computer resources and information you have to protect (including any requirements imposed by applicable laws, such as the requirement to protect the privacy of some types of data). Typical security requirements may include items such as the following:
  • Enabling access to information by authorized users
  • Implementing business rules that specify who has access to what information
  • Employing a strong user-authentication system
  • Denying malicious or destructive actions on data
  • Protecting data from end to end as it moves across networks
  • Implementing all security and privacy requirements that applicable laws impose
Performing risk analysis
Risk analysis is all about identifying and assessing risks — potential events that can harm your Linux system. The analysis involves determining the following and performing some analysis to establish the priority for handling the risks:
  • Threats: What you’re protecting against
  • Vulnerabilities: Weaknesses that may be exploited by threats (these are the risks)
  • Probability: The likelihood that a threat will exploit the vulnerability
  • Impact: The effect of exploiting a specific vulnerability
  • Mitigation: What to do to reduce vulnerabilities
Typical threats
Some typical threats to your Linux system include the following:
  • Denial of Service: The computer and network are tied up so legitimate users can’t make use of the systems. For businesses, Denial of Service (DoS) can mean a loss of revenue.
  • Unauthorized access: Use of the computer and network by someone who isn’t an authorized user. The unauthorized user can steal information or maliciously corrupt or destroy data. Some businesses may be hurt by the negative publicity from the mere act of an unauthorized user gaining access to the system, even if the data shows no sign of explicit damage.
  • Disclosure of information to the public: The unauthorized release of information to the public. For example, the disclosure of a password file enables potential attackers to figure out username and password combinations for accessing a system. Exposure of other sensitive information, such as financial and medical data, may be a potential liability for a business.
Typical vulnerabilities
The threats to your system and network come from exploitation of vulnerabilities in your organization’s resources — both computer and people. Some common vulnerabilities follow:
  • People’s foibles (divulging passwords, losing security cards, and so on)
  • Internal network connections (routers, switches)
  • Interconnection points (gateways — routers and firewalls — between the Internet and the internal network)
  • Third-party network providers (ISPs, long-distance carriers) with looser security
  • Operating system security holes (potential holes in Internet servers, such as those associated with sendmail, named, and bind)
  • Application security holes (known weaknesses in specific applications)
The 1-2-3 of risk analysis (probability and effect)
To perform risk analysis, assign a numeric value to the probability and effect of each potential vulnerability. To develop a workable risk analysis, do the following for each vulnerability or risk:
  1. Assign subjective ratings of low, medium, and high to the probability. As the ratings suggest, low probability means a lesser chance that the vulnerability will be exploited; high probability means a greater chance.
  2. Assign similar ratings to the effect. What you consider the effect is up to you. If the exploitation of a vulnerability will affect your business greatly, assign it a high effect.
  3. Assign a numeric value to the three levels — low = 1, medium = 2, and high = 3 — for both probability and effect.
  4. Multiply the probability by the effect — you can think of this product as the risk level. Then make a decision to develop protections for vulnerabilities that exceed a specific threshold for the product of probability and effect. For example, you may choose to handle all vulnerabilities with a probability-times-effect greater than 6.
If you want to characterize the probability and effect with finer gradations, use a scale of 1 through 5 (for example) instead of 1 through 3, and follow the same steps as before.
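As an added worked example (not part of the original chapter), the following Python script carries the 1-2-3 scoring through for a constructed register of vulnerabilities drawn from the categories listed above. The entry names and their ratings are illustrative assumptions, the `risk_level` and `rank_risks` helpers are mine, and the script also accepts the finer 1-through-5 scale the text mentions.

```python
"""Worked risk scoring: probability x effect with a threshold, as described in the chapter."""
from typing import List, Sequence, Tuple, Union

Rating = Union[str, int]

# The chapter's subjective ratings mapped to numbers: low = 1, medium = 2, high = 3.
THREE_LEVEL = {"low": 1, "medium": 2, "high": 3}


def rating_value(rating: Rating, scale: int = 3) -> int:
    """Turn a rating into a number.

    Word ratings (low/medium/high) are only meaningful on the 3-level scale;
    integer ratings must fall within 1..scale (e.g. 1..5 for the finer scale).
    """
    if isinstance(rating, str):
        if scale != 3:
            raise ValueError("word ratings only apply to the 3-level scale")
        try:
            return THREE_LEVEL[rating.lower()]
        except KeyError:
            raise ValueError(f"unknown rating {rating!r}") from None
    value = int(rating)
    if not 1 <= value <= scale:
        raise ValueError(f"rating {value} outside 1..{scale}")
    return value


def risk_level(probability: Rating, effect: Rating, scale: int = 3) -> int:
    """Step 4 of the procedure: the product of probability and effect."""
    return rating_value(probability, scale) * rating_value(effect, scale)


def rank_risks(
    vulnerabilities: Sequence[Tuple[str, Rating, Rating]],
    scale: int = 3,
    threshold: int = 6,
) -> List[Tuple[str, int]]:
    """Return (name, risk) pairs whose product exceeds the threshold, highest risk first.

    The default threshold of 6 matches the chapter's example ("greater than 6");
    ties are broken by name so the output is stable.
    """
    scored = [(name, risk_level(p, e, scale)) for name, p, e in vulnerabilities]
    selected = [item for item in scored if item[1] > threshold]
    return sorted(selected, key=lambda item: (-item[1], item[0]))


# Constructed sample register (assumed ratings, for illustration only).
# The entries follow the vulnerability categories the chapter lists.
SAMPLE_REGISTER = [
    ("Users divulging passwords", "high", "high"),          # 3 x 3 = 9
    ("Internet-facing mail server (sendmail) hole", "medium", "high"),  # 2 x 3 = 6
    ("Internal switch misconfiguration", "low", "medium"),  # 1 x 2 = 2
    ("Third-party ISP with looser security", "medium", "high"),  # 2 x 3 = 6
    ("Gateway firewall rule gap", "high", "high"),          # 3 x 3 = 9
]

if __name__ == "__main__":
    print("Vulnerabilities exceeding the chapter's threshold of 6:")
    for name, risk in rank_risks(SAMPLE_REGISTER):
        print(f"  risk {risk:>2}  {name}")
    print("Same register with the threshold lowered to 5:")
    for name, risk in rank_risks(SAMPLE_REGISTER, threshold=5):
        print(f"  risk {risk:>2}  {name}")
```

Note that the threshold is a strict "greater than": with the chapter's threshold of 6, the two entries scoring exactly 6 drop out, which is why the script also shows the register at a lower threshold. On the 1-through-5 scale the products range up to 25, so the threshold has to be chosen again for that scale rather than reused from the 1-through-3 version.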
Establishing a security policy
Using risk analysis and any business requirements that you may have to address (regardless of risk level) as a foundation, you can craft a security policy for the organization. Such a security policy typically addresses high-level objectives such as ensuring the confidentiality, integrity, and availability of data and systems.
The security policy typically addresses the following areas:
  • Authentication: What method is used to ensure that a user is the real user? Who gets access to the system? What is the minimum length and complexity of passwords? How often do users change passwords? How long can a user be idle before that user is logged out automatically?
  • Authorization: What can different classes of users do on the system? Who can have the root password?
  • Data protection: What data must be protected? Who has access to the data? Is encryption necessary for some data?
  • Internet access: What are the restrictions on users (from the LAN) accessing the Internet? What Internet services (such as Web, Internet Relay Chat, and so on) can users access? Are incoming e-mails and attachments scanned for viruses? Is there a network firewall? Are virtual private networks (VPNs) used to connect private networks across the Internet?
  • Internet services: What Internet services are allowed on each Linux system? Are there any file servers, mail servers, or Web servers? What services run on each type of server? What services, if any, run on Linux systems used as desktop workstations?
  • Security audits: Who tests whether the security is adequate? How often is the security tested? How are problems found during security testing handled?
  • Incident handling: What are the procedures for handling any computer security incidents? Who must be informed? What information must be gathered to help with the investigation of incidents?
  • Responsibilities: Who is responsible for maintaining security? Who monitors log files and audit trails for signs of unauthorized access? Who maintains the security policy?
Implementing security solutions (mitigation)
After you analyze the risks — vulnerabilities — and develop a security policy, you have to select the mitigation approach: how to protect against specific vulnerabilities. This is where you develop an overall security solution based on security policy, business requirements, and available technology — a solution that makes use of people, process, and technology and includes the following:
  • Services (authentication, access control, encryption)
  • Mechanisms (username and password, firewalls)
  • Objects (hardware, software)
Because it is impossible to protect computer systems from all attacks, solutions identified through the risk management process must support three integral concepts of a holistic security program:
  • Protection: Provides countermeasures such as policies, procedures, and technical solutions to defend against attacks on the assets being protected.
  • Detection: Monitors for potential breakdowns in the protective measures that could result in security breaches.
  • Reaction or Response: Responds to detected breaches to thwart attacks before damage occurs; often requires human involvement.
Because absolute protection from attacks is impossible to achieve, a security program that doesn’t incorporate detection and reaction is incomplete.
Managing security
In addition to implementing security solutions, you have to install security management that continually monitors, detects, and responds to any security incidents.
The combination of the risk analysis, security policy, security solutions, and security management provides the overall security framework. Such a framework helps establish a common level of understanding of security concerns — and a common basis for the design and implementation of security solutions.