This document will show how to secure Solaris OS.
Introduction:
The Solaris™ Operating Environment is a general purpose operating system with many configurable, low-level network options that are applicable to security. Some of these should be adjusted to strengthen the security posture of a Solaris system. This paper includes descriptions of various known attack methods, not as a step-by-step guide for attackers, but to show system and network administrators the need to set or change a particular network option.
Various trade-offs must be made when enhancing Solaris security. A balance is needed between system manageability and security. The trade-offs are discussed in this paper. Not all network security configurations mentioned can be used in all environments. Where changing a particular network setting adversely affects the default system operation, the side effects are discussed.
This paper does not discuss high-level network security. High-level network security involves configuring inetd, NFS, NIS/NIS+, RPC, DNS, and other application-level services.
Some investigation will be needed prior to using the settings.
ARP Attacks:
Several ARP problems can affect a system’s expected operation. The TCP/IP network protocol suite requires correct hardware address information to ensure proper delivery of data. An Ethernet frame with an incorrect hardware address will not be processed by the intended system. All hardware address information is collected by the ARP layer. It gathers this information as it is needed and accepts information sent to it.
The protocol is also stateless. The problems lie in the fact that the protocol allows any host to provide its own address information (correct or not). One system may provide information on the behalf of another system. Address information received by the ARP layer is processed whether it was directly requested or not. Additionally and more importantly, all address information received by a system is believed to be accurate.
There are two basic types of attacks possible with ARP:
denial of service and
spoofing.
These attacks can prevent normal operations and can be used to compromise other systems on the local network. A denial of service attack will prevent one system from exchanging packets with another on the same network. This makes the system appear to be “off the network”. A spoofing attack allows one system to masquerade as another system. These attacks take advantage of the dynamic nature of the protocol. The simplest attack is denial of service. There are two forms to this attack: local and remote.
Locally, an attacker that has root privilege can insert bogus address information in the ARP cache. Packets destined for systems with bogus hardware addresses will not be received by the intended system. An attacker can feed a remote system incorrect address information as well. This is known as cache poisoning.
Since the ARP layer always trusts the information it receives, wrong information can be inserted and current ARP entries can be corrupted. An attacker may use the “publish” feature of the ARP layer to broadcast incorrect information about other systems. If two ARP replies are received, at least one reply will be used. It may be the correct one, or it may not. This situation can spread discord throughout the local network and can be difficult to diagnose.
ARP packet tools may be used to generate bogus gratuitous ARP requests or send ARP replies to systems to corrupt address information. The second type of attack is more serious because it can be used to compromise remote systems on the local network. By masquerading as another system, it is possible for an attacker to exploit a trust relationship to gain entry to a target system using a method called “ARP spoofing”. If one system trusts another (for example, through a “.rhosts” file configuration), then it is possible for an attacker to feed false hardware address information to the trusting system and convince it that packets from the attacking system are from the trusted system.
For example, host A trusts host B. An attacker on host C wants to log into host A. First, the attacker must disable host B to prevent it from responding to ARP requests. The attacker then configures host C’s IP address on a logical network interface and sends an ARP reply to host A containing host B’s IP address and host C’s hardware address. As discussed previously, host A will update the address information from the ARP reply. Host C now acts as host B, and the attacker can now log into host A.
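A defender's counterpart to the attack just described, added here as an example and not part of the original paper: a small script that compares two snapshots of the ARP cache and reports a host whose hardware address changed between them and a hardware address that several hosts now map to, the two footprints that cache poisoning and spoofing leave behind. The snapshot text is constructed in the layout of Solaris arp -a output; every host name, hardware address and the hme0 device name is made up.

```shell
#!/bin/sh
# Added example, not code from the original paper: compare two snapshots of
# the ARP cache and report the two symptoms of cache poisoning described
# above, a host whose hardware address changed between snapshots and one
# hardware address answering for several hosts. On a Solaris system the
# snapshots would come from "arp -a"; here both are constructed sample text
# in that layout (device, host, mask, optional flags, hardware address), and
# every host name and address is made up.

BEFORE='Device   IP Address            Mask            Flags    Phys Addr
hme0     hostA.example.com     255.255.255.255          08:00:20:aa:00:01
hme0     hostB.example.com     255.255.255.255          08:00:20:aa:00:02
hme0     router.example.com    255.255.255.255 S        08:00:20:aa:00:ff'

AFTER='Device   IP Address            Mask            Flags    Phys Addr
hme0     hostA.example.com     255.255.255.255          08:00:20:aa:00:01
hme0     hostB.example.com     255.255.255.255          08:00:20:aa:00:03
hme0     hostC.example.com     255.255.255.255          08:00:20:aa:00:03
hme0     router.example.com    255.255.255.255 S        08:00:20:aa:00:ff'

# Reduce a snapshot to "host mac" lines. The hardware address is always the
# last field, so the optional Flags column does not shift it; header lines
# carry no address and are dropped.
arp_pairs() {
    printf '%s\n' "$1" |
        awk '$NF ~ /^[0-9a-fA-F:]*$/ && length($NF) == 17 { print $2, tolower($NF) }'
}

# Hosts present in both snapshots whose hardware address differs.
changed_macs() {
    { arp_pairs "$1" | sed 's/^/before /'; arp_pairs "$2" | sed 's/^/after /'; } |
        awk '$1 == "before" { old[$2] = $3 }
             $1 == "after" && ($2 in old) && old[$2] != $3 { print $2, old[$2], "->", $3 }'
}

# Hardware addresses that more than one host maps to within one snapshot.
duplicate_macs() {
    arp_pairs "$1" |
        awk '{ hosts[$2] = hosts[$2] " " $1; n[$2]++ }
             END { for (m in n) if (n[m] > 1) print m ":" hosts[m] }'
}

echo "== hosts whose hardware address changed =="
changed_macs "$BEFORE" "$AFTER"
echo "== hardware addresses claimed by more than one host =="
duplicate_macs "$AFTER"
```

Run periodically against saved copies of arp -a output, a change reported for a host that has not had its network card replaced, or one hardware address suddenly shared by a server and another host, is the signal worth following up; the static entry for the router (flag S) is unaffected by unsolicited replies and serves as the anchor that should never change.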
Defenses:
Defending against ARP attacks is difficult. Changing the protocol in significant ways would break compatibility with all TCP/IP based systems on a network. Attempting to eliminate the dynamic nature of the protocol makes network administration a nightmare. However, there are some things that can be done to improve security on the local area network.
If false entries are inserted into the ARP and IP routing tables, there are two ways they can be deleted:
- Entries can be deleted manually using the arp -d host_entry command.
- The entries will also time out and be deleted by the system. RFC 826, which defines ARP, specifies that ARP cache entries should be deleted automatically after a reasonable period of time. The default timeout value for unsolicited ARP cache entries is five minutes. IP routing table entries time out after 20 minutes.
In Solaris software, these timeout intervals can be altered. The timeout interval is specified in milliseconds; 60000 milliseconds is one minute. The following two commands reduce the timeout period for the ARP cache and the IP routing table:
# ndd -set /dev/arp arp_cleanup_interval 60000
# ndd -set /dev/ip ip_ire_flush_interval 60000
Entries will be deleted at a faster rate. This may slow down an ARP attack since bogus entries do not remain as long. The major side effect of this change is a greater number of ARP requests and replies. Do not use this on congested networks.
Another alternative is to create static hardware address entries in the ARP cache. This solution is effective but breaks the dynamic nature of ARP, can increase maintenance costs, and may not be effective in most environments. A static entry in the ARP cache is a permanent mapping of an IP address to a hardware address. These entries can be loaded at system boot time. Create a file containing IP addresses and the corresponding hardware addresses, similar to the following:
gort.eng.sun.com 08:00:20:ba:a3:c5
olympics.eng.sun.com 08:00:20:4d:6d:30
switchblade.eng.sun.com 08:00:20:b3:48:57
Load the contents of this file using arp -f file. These entries are now marked as permanent entries in the cache and cannot be deleted by timeout nor overridden by unsolicited information. They can be deleted by using the arp -d host_entry command. If the network interface card is replaced on one of the systems in the static ARP listings, the ARP cache on all systems using static ARP entries must be updated or further communication will not be possible. This solution may not be appropriate in environments which frequently change equipment.
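As an added example, not code from the original paper, the following script validates a static ARP file of the kind shown above before handing it to arp -f, because a malformed or duplicated line would become a permanent cache entry that only arp -d removes. The host names in the sample file (example.com) are constructed, and the loading step is assumed to be run as root on a Solaris host; anywhere else the script stops after validation.

```shell
#!/bin/sh
# Added example, not code from the original paper: check a static ARP file
# before loading it with "arp -f". A malformed or duplicated line would
# otherwise become a permanent entry that only "arp -d" removes. Host names
# and hardware addresses in the sample file are constructed.

# Write a constructed sample file in the "host hardware-address" layout.
write_sample_arp_file() {
    cat > "$1" <<'EOF'
# static ARP entries for the lab segment (constructed sample data)
gort.example.com        08:00:20:ba:a3:c5
olympics.example.com    08:00:20:4d:6d:30
switchblade.example.com 08:00:20:b3:48:57
EOF
}

# Exit 0 when every entry is "<host> <mac>" with a six-octet, colon-separated
# hardware address and no host or address appears twice; otherwise print
# each problem with its line number and exit 1.
validate_static_arp_file() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }                # comments and blank lines
        NF != 2 { bad++; print FILENAME ":" FNR ": expected <host> <hardware address>"; next }
        {
            mac = tolower($2)
            ok = (length(mac) == 17 && mac ~ /^[0-9a-f:]*$/ && split(mac, o, ":") == 6)
            for (i = 1; ok && i <= 6; i++) if (length(o[i]) != 2) ok = 0
            if (!ok) { bad++; print FILENAME ":" FNR ": malformed hardware address " $2; next }
            if ($1 in host_line) { bad++; print FILENAME ":" FNR ": host " $1 " already listed on line " host_line[$1] }
            if (mac in mac_host) { bad++; print FILENAME ":" FNR ": address " mac " already assigned to " mac_host[mac] }
            host_line[$1] = FNR; mac_host[mac] = $1
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Validate, then load the entries as permanent ARP cache entries when run as
# root on a Solaris host; anywhere else, stop after validation.
load_static_arp() {
    validate_static_arp_file "$1" || return 1
    if [ "$(uname -s)" = SunOS ] && [ "$(id -u)" = 0 ]; then
        arp -f "$1"
    else
        echo "$1 is well-formed; run as root on Solaris to load it with arp -f"
    fi
}

tmp=$(mktemp -d)
write_sample_arp_file "$tmp/arp.static"
load_static_arp "$tmp/arp.static"
rm -rf "$tmp"
```

The duplicate-address check is deliberate: two hosts sharing one hardware address in a static file is exactly the mapping an ARP spoofing attempt produces, so it should never be loaded silently, and if a legitimate multihomed alias needs it the exception is better made explicitly than by accident.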
It is also possible to disable ARP completely for an interface. This means that the network interface will no longer send ARP requests nor process ARP replies. To disable ARP processing, use the ifconfig interface -arp command. Every system that disables ARP must have static ARP entries. Also, any system that might need to communicate with systems without ARP will need static ARP entries (such as routers).
This solution is not recommended for most environments because of the high administrative costs. It may be effective with a small number of machines that need to communicate with each other and do not interact with other systems on the local network.
IP:
The Internet Protocol (IP) is the lower level protocol that provides bulk data transport. It is connectionless and makes no provisions for reliable delivery. The configuration parameters discussed in this paper are controlled by the Solaris IP driver.
IP Forwarding:
IP forwarding is the process of routing packets between network interfaces on one system. A packet that arrives on one network interface and is addressed to a host on a different network is forwarded to the appropriate interface. Routers handle a majority of this work, but a computer with multiple network interfaces can do this as well.
A Solaris system with more than one configured network interface forwards IP datagrams between network interfaces. It functions as a router. This is the default action in Solaris Operating Environment to allow quick system configuration. Systems with multiple interfaces can be configured to function as “multihomed” servers.
A multihomed system has several network interfaces, each with a separate IP address. It is not intended to route or forward packets but handles network requests from multiple, directly-attached networks. For example, NFS operates quickly when the server is connected to the same network as its clients. A large NFS server may serve clients on several networks. The server response is faster and the throughput is greater when the NFS server is directly attached to each client network it serves.
Systems that allow packet forwarding are targets for attackers as they provide access to other systems and networks. Some of these may not normally be accessible through routers. Private, non-routed networks can be served by a multihomed server. If IP forwarding is enabled on the server, this network is now reachable.
Internal firewalls that protect access to a small set of systems can be bypassed by forwarding packets through a multihomed server that is directly attached to the protected internal network. Packet forwarding is easily disabled on a Solaris system. Simply creating a file named /etc/notrouter will disable IP forwarding at boot time. IP forwarding can also be switched on or off while the system is operating, using the ndd command.
Use this command to disable IP forwarding:
An argument of 1 instead of 0 will enable IP forwarding. An attacker may attempt to compromise the system just to enable packet forwarding to gain access to normally inaccessible systems. This is another reason to make sure all servers are secure.
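Solaris exposes this switch as the ndd parameter ip_forwarding on /dev/ip, with 0 for off and 1 for on. The script below is an added example, not code from the original paper: it applies that setting to the running kernel, creates the /etc/notrouter marker for the next boot, and then audits both, because an ndd change is lost at reboot and the marker file does nothing until the next boot. The ROOT prefix and the SIMULATED_FORWARDING variable are assumptions of this example so that it can be exercised outside Solaris.

```shell
#!/bin/sh
# Added example, not code from the original paper: turn IP forwarding off for
# the running kernel and for the next boot, then audit that the two agree.
# The runtime switch is the ndd parameter ip_forwarding on /dev/ip (0 = off,
# 1 = on); an ndd change does not survive a reboot, which is what the
# /etc/notrouter marker file covers. ROOT is an assumed prefix so the marker
# can be written under a scratch directory when trying this on another system.

ROOT=${ROOT:-}

# True only on a host where the Solaris IP driver can be queried.
have_ndd() {
    [ -c /dev/ip ] && command -v ndd >/dev/null 2>&1
}

# Current runtime value. Off Solaris there is nothing to query, so the
# SIMULATED_FORWARDING value (default 1, forwarding on) stands in for it.
runtime_forwarding() {
    if have_ndd; then ndd -get /dev/ip ip_forwarding; else echo "${SIMULATED_FORWARDING:-1}"; fi
}

# Value the next boot will use: the startup scripts disable forwarding when
# /etc/notrouter exists.
boot_forwarding() {
    if [ -f "$ROOT/etc/notrouter" ]; then echo 0; else echo 1; fi
}

# Disable forwarding now (when the driver is present) and persist the choice.
disable_ip_forwarding() {
    if have_ndd; then
        ndd -set /dev/ip ip_forwarding 0
    else
        SIMULATED_FORWARDING=0
    fi
    mkdir -p "$ROOT/etc" && : > "$ROOT/etc/notrouter"
}

# Report both values; succeed only when forwarding is off now and at boot.
audit_ip_forwarding() {
    now=$(runtime_forwarding)
    boot=$(boot_forwarding)
    echo "ip_forwarding: now=$now next-boot=$boot"
    [ "$now" = 0 ] && [ "$boot" = 0 ]
}

# Demonstration run: on Solaris this changes the live system; elsewhere a
# scratch directory stands in for / so nothing outside it is touched.
if ! have_ndd && [ -z "$ROOT" ]; then ROOT=$(mktemp -d); fi
audit_ip_forwarding || disable_ip_forwarding
audit_ip_forwarding
```

The audit is the useful part for a multihomed server: a host that shows now=0 but next-boot=1 was hardened with ndd only and will start forwarding again after its next reboot, while now=1 with next-boot=0 means the marker file was created but the running kernel has not been changed yet.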
---------- to be Continued in Part 2