Reducing Your Target Size


At a system level, successful intrusions require access to vulnerable targets. The aim of this section is to ask a number of questions that should be asked for every system on your network. Doing this will help you reduce your overall exposure to exploits.

Several times throughout this book we have discussed the need to run the minimum number of processes possible. If a service is not available on a system, it cannot be exploited. Conceptually, you can think of all the services run on your system as targets. The services that offer up network ports are larger targets because their exposure is greater. Those that only run locally are, in theory, protected by system authentication mechanisms and represent smaller targets. If you add up all the services, the privileges the services are running under, and their exposure, you can get a measure for the total exposure of your system.

A first approach to securing a system is to look at the number of processes running at startup. In the default install of the various flavors of SUSE, great care has been taken to ensure that a full-featured environment is available. Though this provides for maximum flexibility, if not all components are configured properly, it could lead to inadvertent exposure of the system. A process review should be undertaken after a system has been tasked for a specific purpose. Applications not related to the specific tasking of the server should be removed. This reasoning does not just apply to the server environment. Workstations are just as vulnerable to attacks and should therefore be hardened as well.

The second step in reducing exposure is to ensure that your software is kept up to date. Patches and bug fixes occur constantly. It is imperative to replace known defective software as soon as possible. Sometimes, however, a specific fix to one application triggers unexpected incompatibilities in related components. The burden and cost of the development, staging, and production rollover of many fixes often delay their implementation beyond what you, as a system administrator, might deem reasonable. Other avenues should therefore be implemented as well.

NOTE

The YaST firewall configuration tool provides for a quick method for allow-deny rules on specific ports and protocols. It does not allow for more granular definitions for allowed traffic. These definitions have to be implemented directly using iptables commands. With such commands, it is possible to restrict the availability of service ports to specific machines, thus further reducing the service's exposure.


The next step in protecting your system is to properly configure the local firewall. In many cases, network-capable services are required for the proper functioning of a local application. As an example, a local database server may require a listener process. If left in the default configuration, the listener may inadvertently be listening for network connections as well as local connections on the loopback address. A properly configured firewall rejects incoming connections before the listener application has a chance to be affected by them. The firewall should not be used as an excuse for an improperly configured application. It is an extra layer of protection. The same is true for many other applications. All systems capable of running a local firewall should do so. Properly configured firewalls don't conflict with business requirements. They are part of a properly configured environment.

After these steps have been performed, they need to be reviewed. As with all aspects of security, everything is a process of continual refinement. Checking a configuration for weaknesses is just as important as, if not more so than, the original security checklist. Vulnerabilities in your defenses are visible to all those who care to look. Verifying the work described here against hardening tools such as Bastille (described in Chapter 13, "System Security") can be quite enlightening.



    SUSE LINUX Enterprise Server 9 Administrator's Handbook
    SUSE LINUX Enterprise Server 9 Administrators Handbook
    ISBN: 067232735X
    EAN: 2147483647
    Year: 2003
    Pages: 134

    flylib.com © 2008-2017.
    If you may any questions please contact us: flylib@qtcs.net