8.5 Preventing attacks

To detect and prevent attacks on your system, you need to use firewalls, intrusion detection tools, and anti-virus tools.

Firewalls block certain traffic from entering your environment and examine network traffic. Intrusion detection tools examine network behavior behind the firewall for abnormal patterns. Anti-virus tools examine data content for suspicious modifications and virus signatures.

8.5.1 Firewall considerations for Linux on the mainframe

One of the threats you need to assess in any environment, including a Linux-on-the-mainframe environment, is the denial-of-service attack. One part of the defense against denial-of-service attacks is using firewall techniques.

A firewall is a secure and trusted system that acts as a barrier between private and public networks. A firewall, when combined with a VPN, can provide secure, encrypted communications with sites outside the firewall.

Firewall techniques include:

  • Establishing a demilitarized zone (DMZ), illustrated in Figure 8-8.

    Figure 8-8. Standard firewall implementation with demilitarized zone. The Web server is protected first by one firewall that has connectivity to the Internet. If users are legitimate, they are redirected by a proxy server through the second firewall.


  • IP packet filtering, static and dynamic (state-dependent)

    IP datagrams are inspected; the filter decides if a datagram needs to be processed or discarded. Filtering can be done on protocol type, port, datagram type, IP address, and so on.

  • Application gateway (or proxy)

    The proxy understands the application protocol, performs logging, and can provide authentication and caching capabilities. An example of a proxy caching server is squid (http://www.squid-cache.org/), which provides access control lists for ports, URLs, and subnets.

DMZ considerations

Where does your Web server reside within the infrastructure? Traditionally, a Web server is located between filtering devices, such as firewalls and routers. This places it in a "demilitarized" zone (DMZ), which offers some protection from Internet intrusions, as illustrated in Figure 8-8.

The internal network receives protection from the Web server. Outbound filtering devices permit, for example, only ports 80 and 443 to reach the Web server; other potentially dangerous traffic is inhibited. The inside filtering device is important, because the Web server itself should not rely on other hosts within the secure LAN. Although you must allow potentially dangerous parties access to your Web server, careful measures should be taken to prevent unwanted entry. (There are many reference books that address the different DMZ methods in more detail, such as Building Internet Firewalls by D. Brent Chapman and Elizabeth D. Zwicky and Linux Firewalls by Robert L. Ziegler.)

An example of when a DMZ is needed is to separate Web applications from the Web server, as StoreCompany does for its Web catalog.

With Linux on the mainframe, it is possible to consolidate firewalls on the mainframe. The network firewall can be outside the mainframe to save mainframe resources and the other DMZ firewall can be on a separate image. A firewall can be implemented either on an LPAR or under z/VM (Figure 8-9). This consolidation makes administration of the firewall easier and eliminates the need for separate hardware.

Figure 8-9. Using a firewall in a Linux-on-the-mainframe environment


Linux firewall capabilities

Some firewall capabilities have been integrated into the Linux kernel. These include:

  • IP packet filtering, which either accepts or rejects network packets based on the information in the packet header. Packet filtering can be used through the newer iptables tool (kernel version 2.4).

    In a Linux-on-the-mainframe environment, you can use IP filtering. On the mainframe, data that never go outside the machine can never be physically compromised.

  • Network address translation (NAT), which modifies the network address in a datagram, thus "hiding" the internal network addresses.

  • IP masquerading, which is a special form of NAT, can be used in a hot standby takeover process. When a hot standby image takes over a failing image, it can also take over the IP address. The standby server thus masquerades as the server it replaces.

Using only these capabilities and Open Source tools, you can implement firewalls on Linux. Most distributions deliver some sort of firewall support.
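
As an added illustration (not from the book), the shell function below emits an iptables-restore ruleset for the outer DMZ firewall described under "DMZ considerations": stateful filtering that forwards only new TCP connections on ports 80 and 443 to the Web server. The address 192.0.2.10 and the interface names eth0 and eth1 are constructed placeholders.

```shell
#!/bin/sh
# Added example: outer DMZ firewall ruleset in iptables-restore format.
# Addresses and interface names are constructed placeholders.

# dmz_ruleset WEB_IP EXT_IF DMZ_IF
# Prints a filter table whose default policy is DROP and which forwards
# only new TCP connections to ports 80 and 443 on the Web server.
dmz_ruleset() {
    [ $# -eq 3 ] || return 1
    web_ip=$1 ext_if=$2 dmz_if=$3
    # Refuse anything that is not digits and dots, so no stray text
    # ends up inside a rule.
    case $web_ip in ''|*[!0-9.]*) return 2 ;; esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $ext_if -o $dmz_if -p tcp -d $web_ip --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -i $ext_if -o $dmz_if -p tcp -d $web_ip --dport 443 -m state --state NEW -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "DMZ-DROP: "
COMMIT
EOF
    # Note: INPUT is closed to new connections; add a rule for your
    # management network before loading this on a remote firewall image.
}

dmz_ruleset 192.0.2.10 eth0 eth1
```

Run as root, the output can be piped through iptables-restore --test, which parses the ruleset without committing it.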

You can also turn to commercial firewalls. For information about firewalls for Linux on the mainframe, refer to IBM's ISV support for mainframe servers Web site: http://www.ibm.com/servers/eserver/zseries/solutions/s390da/.

While a firewall blocks certain traffic from entering the company network, intrusion detection recognizes strange behavior within the network.

8.5.2 Intrusion detection

The goal of intrusion detection is to detect malicious attacks on your infrastructure, such as denial-of-service attacks.

Denial-of-service attacks can occur in different ways. For example, a compromised image could try to use all the CPU resources or all the network resources. Although the damage that a compromised Linux image can cause could be limited by z/VM definitions, the better solution is to detect an intrusion before damage is caused.

Intrusion detection systems (IDS) can be designed for network-based and host-based systems.

  • Network-based IDS are attached to the network. They detect attacks by analyzing the content of network packets sent over the wire. An unusually high number of TCP, UDP, or ICMP packets sent to a single destination can easily be detected. IDS are configured to determine if these packets should be considered attacks or normal traffic.

  • Host-based IDS are software components that attempt to detect attacks against the computers on which the IDS is installed. Host-based IDS can analyze the network packets received on the network interface, as well as the log files written by the operating system or by applications running on the computer. Typically, a host-based IDS can detect denial-of-service attacks against a Web server by analyzing its log in real-time.

Sites should install both network-based and host-based detection systems. Network analyzers should be available to help determine the nature of an incident and to help formulate possible filtering and rate-limiting responses in the event of an actual denial-of-service attack.
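
A host-based check of the kind described above, as an added example (not from the book): it counts requests per client per minute in a Web server access log and reports clients above a threshold. It assumes Common Log Format; the log lines and the threshold of 5 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: flag clients that flood a Web server, from its access log.

# flag_floods THRESHOLD < access_log
# Prints "client minute count" for every client that made more than
# THRESHOLD requests inside one clock minute. Lines that do not carry a
# Common Log Format timestamp in field 4 are ignored.
flag_floods() {
    awk -v limit="$1" '
        $4 !~ /^\[[0-9]/ { next }           # malformed or truncated line
        {
            # $1 = client address, $4 = "[dd/Mon/yyyy:hh:mm:ss"
            minute = substr($4, 2, 17)      # keep dd/Mon/yyyy:hh:mm
            hits[$1 " " minute]++
        }
        END {
            for (k in hits)
                if (hits[k] > limit) print k, hits[k]
        }' | sort
}

# Constructed sample: six requests from one client within a minute,
# two from another client, and one truncated line.
sample_log() {
    i=0
    while [ "$i" -lt 6 ]; do
        echo "198.51.100.7 - - [10/Oct/2004:13:55:0$i +0000] \"GET / HTTP/1.0\" 200 512"
        i=$((i + 1))
    done
    echo '192.0.2.44 - - [10/Oct/2004:13:55:10 +0000] "GET /catalog HTTP/1.0" 200 2048'
    echo '192.0.2.44 - - [10/Oct/2004:13:56:02 +0000] "GET /cart HTTP/1.0" 200 1024'
    echo 'truncated line'
}

sample_log | flag_floods 5
```

Fixed one-minute buckets are a simplification: a burst that straddles a minute boundary is split across two counts, so set the threshold with that in mind.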

The Linux community and ISVs have developed some sophisticated, useful tools for Linux that work on Linux on the mainframe as well. The leading Open Source intrusion detection solutions include Tripwire and Snort. It is important to note, however, that IDS systems come in different flavors. For instance, Snort (available with SuSE SLES8) is more of a network IDS, while Linux Intrusion Detection System (LIDS) is targeted more to the protection of, and the intrusion detection in, the Linux image.

Tripwire detects and reports file and directory modifications. This can help to detect Trojan horses[11] and modified software (for example, for sniffing out passwords).

[11] A Trojan horse is a program that cannot operate unless it is invoked (unintentionally) by a user.
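
The idea behind file-modification detection, as an added example (not from the book and not Tripwire's implementation): record a digest for every file, then compare later and report what was modified, added, or removed. The helper names and the scratch files are constructed; sha256sum and mktemp are assumed to be installed.

```shell
#!/bin/sh
# Added example. Keep the baseline file outside DIR, ideally on read-only
# media, so that an intruder cannot rewrite it along with the files.

# make_baseline DIR: print "digest  ./path" for every regular file in DIR
make_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 )
}

# check_baseline DIR BASELINE: report drift; returns 1 if anything changed
check_baseline() {
    current=$(mktemp) || return 2
    make_baseline "$1" > "$current" || { rm -f "$current"; return 2; }
    report=$(awk '
        { name = substr($0, 67) }           # 64 hex digits + 2 separators
        FILENAME == ARGV[1] { old[name] = $1; next }
        { seen[name] = 1
          if (!(name in old))       print "ADDED " name
          else if (old[name] != $1) print "MODIFIED " name }
        END { for (f in old) if (!(f in seen)) print "REMOVED " f }
    ' "$2" "$current" | sort)
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed demonstration: baseline a scratch tree, tamper, re-check.
demo() {
    dir=$(mktemp -d) && base=$(mktemp) || return 2
    printf 'original\n' > "$dir/login"
    printf 'config\n'   > "$dir/inetd.conf"
    make_baseline "$dir" > "$base"
    printf 'trojaned\n' > "$dir/login"      # stand-in for a replaced binary
    printf 'x\n'        > "$dir/.hidden"    # file planted after the baseline
    rm "$dir/inetd.conf"
    check_baseline "$dir" "$base" && status=0 || status=$?
    rm -rf "$dir" "$base"
    return "$status"
}

demo || echo "integrity check failed: investigate before trusting this image"
```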

IBM offers a Tivoli IDS solution. Tivoli Risk Manager is a network-based IDS that can recognize basic attacks and prevent denial-of-service incidents.

8.5.3 Anti-virus protection

With access control in place and isolation of power between root and user, Linux is not so susceptible to common viruses. (A virus is a program that actively operates, independently of a user, to attack various system resources.) It is reportedly unusual for UNIX-based operating systems to suffer system-level damage from a virus, because most viral code cannot get access to low-level system functions. However, it is possible for a Linux server to host an infected file or e-mail and send it to a Windows user. For this reason, it is still a good idea to routinely check incoming e-mail and downloaded files for viruses.

It is important to note that the commercial definition of "anti-virus" includes not only viruses, but also Trojan horses, worms, and other similar threats. Although it is not technically or semantically accurate, this discussion includes these other threats as part of the "virus" context. The threat of viruses can be broken down into three basic areas:

  • Viruses targeted at other platforms stored on Linux on the mainframe in an e-mail server.

    The application of most interest to hackers is e-mail clients running on popular software on common platforms. This type of threat can be neutralized by anti-virus applications running on the target platform. A filtering anti-virus tool to neutralize these types of threats while stored in a mainframe e-mail server would be a plus.

  • Viruses written in interpretative languages (like Java, HTML, and PERL).

    These are dangerous because they can be executed on any platform that has an interpreter.

  • Linux viruses that run on the mainframe.

    Viruses that actually execute on a zSeries server could be a concern. This type of threat would require that the code be placed on an image and be executed, either manually or through some misdirection. This type of exposure would be contained by developing and managing good security policy, limiting the access to production images via a firewall, and monitoring the network access with current intrusion detection techniques.

Careful use of standard Linux features can reduce the risk of virus attacks. If a system is serving static files (non-writeable), the file system can be mounted as read-only.

When considering anti-virus protection on a server platform, you need to identify the work that is going to be done and what needs to be protected. If the customer is running a mail server on Linux on zSeries, his or her definition of anti-virus protection is likely to be a mail-scanning anti-virus tool that can be integrated with his or her mail server of choice. The mail clients are likely to be PC-based, so the security manager should check for viruses in the customer's stored mail prior to distribution or delivery. This would be necessary to prevent the zSeries server from spreading a virus.

Commercial anti-virus tools are available for Linux on the mainframe. For information about anti-virus tools, refer to IBM's ISV support for mainframe servers Web site: http://www.ibm.com/servers/eserver/zseries/solutions/s390da/.

Linux on the Mainframe
ISBN: 0131014153
EAN: 2147483647
Year: 2005
Pages: 199
