A basic explanation of design principles is always a good start in any security discussion. Design starts with requirements analysis, so the first step for getting security right on Mac OS X Server is to understand requirements. You should talk to users, managers, and technical staff to find out what security concerns must be addressed. Before implementing security mechanisms, you need to know if you are securing services that run on the server, protecting internal servers on a private network connected to the server, controlling which outside services your internal users can reach, or all of these.

One basic aspect of requirements analysis is to find out who the users are, where they are located, and what resources they use. Designers sometimes use the concept of a user community to help them recognize requirements. A user community is a set of users with similar application and security requirements. This can be a corporate department, a set of outside users, a set of business partners, or a single user who has unique requirements. You should document user-community names, sizes, locations, and applications. Also document the names and addresses of servers, their locations and applications, and which user communities depend on them. With that documentation in hand, you can begin to understand what needs to be secured.

Next, to ensure system and data availability, you must understand the direction of network traffic flow to and from services. Talk to your users, examine network diagrams, study network traffic with a protocol analyzer, and review network logs to help you understand the direction of network traffic flow and how your security measures can filter this flow to implement user requirements.

Analyzing Network Security Threats

An important step in network security design is analyzing threats, their likelihood and severity, and the dangers associated with not taking action to prevent and mitigate these threats.
Network devices, such as servers, routers, and firewalls, are attractive targets for attackers. If an attacker undermines the security of a network device, the following problems arise:
Tools for intercepting and analyzing data on a network are readily available. Ethereal, for example, is a free and easy-to-use protocol analysis tool that runs on almost every platform. Ethereal captures network traffic and displays each packet in human-readable format, which makes it a useful network management tool as well as a powerful tool for network attackers. The following output from Ethereal shows a Telnet packet. Notice that the output is helpful for analyzing packet headers while troubleshooting a problem, but it's also helpful for attackers, who can easily see in the Telnet data section at the end of the output that the user typed co followed by a carriage return (\r).

    Frame 27 (58 bytes on wire, 58 bytes captured)
    Ethernet II
        Destination: 00:00:0c:00:2e:75 (Cisco_00:2e:75)
        Source: 00:0d:93:28:c9:f6 (AppleCom_28:c9:f6)
        Type: IP (0x0800)
    Internet Protocol
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x10
        Total Length: 44
        Identification: 0x22fe (8958)
        Flags: 0x04
            .1.. = Don't fragment: Set
            ..0. = More fragments: Not set
        Fragment offset: 0
        Time to live: 64
        Protocol: TCP (0x06)
        Header checksum: 0x02d8 (correct)
        Source: 10.10.0.209 (10.10.0.209)
        Destination: 10.10.0.2 (10.10.0.2)
    Transmission Control Protocol
        Source port: 51854 (51854)
        Destination port: telnet (23)
        Sequence number: 2722440935
        Acknowledgement number: 3672130357
        Header length: 20 bytes
        Flags
            0... .... = Congestion Window Reduced (CWR): Not set
            .0.. .... = ECN-Echo: Not set
            ..0. .... = Urgent: Not set
            ...1 .... = Acknowledgment: Set
            .... 1... = Push: Set
            .... .0.. = Reset: Not set
            .... ..0. = Syn: Not set
            .... ...0 = Fin: Not set
        Window size: 65535
        Checksum: 0x788a (correct)
    Telnet
        Data: co\r

From output such as this, an attacker can gain information about Ethernet addresses (in the Ethernet II section of the example, see Destination: 00:00:0c:00:2e:75 (Cisco_00:2e:75) and Source: 00:0d:93:28:c9:f6 (AppleCom_28:c9:f6)) and IP addresses (in the Internet Protocol section, see Source: 10.10.0.209 (10.10.0.209) and Destination: 10.10.0.2 (10.10.0.2)). This knowledge of addresses helps an attacker find targets. An attacker can also gain information about the identifiers used for IP datagrams and the sequence numbers used for Transmission Control Protocol (TCP) segments. (In the Internet Protocol section, see Identification: 0x22fe (8958); in the Transmission Control Protocol section, see Sequence number: 2722440935.) This type of information could be used to craft an attack packet. Finally, as mentioned, the attacker can see that the user typed co followed by a carriage return. These were the last two characters in the Telnet password, which was Cisco. Telnet sends the entire session, password included, as cleartext, so anyone who can capture the traffic recovers the credentials without any further attack.

Reconnaissance Attacks

An attacker launches a reconnaissance attack to learn about potential targets and their weaknesses in preparation for a more focused attack. Reconnaissance attackers use tools to discover the reachability of computers, networks, services, and applications. While on a reconnaissance mission, an attacker might try to gather the following information:
One tool that attackers use to test the reachability and vulnerabilities of a network server is the UNIX nmap utility. nmap sends traffic to the target for numerous TCP and User Datagram Protocol (UDP) ports and examines the results to discover open ports, application and operating system versions, and vulnerabilities. By default, Mac OS X Server has very few ports open. In this example using nmap on the Mac OS X Server with the IP address of 192.168.3.1, some default ports have been closed while others have been opened:

    Pretendcos-Computer:~ Pretendco$ nmap 192.168.3.1

    Starting nmap V. 3.00 (www.insecure.org/nmap/)
    Interesting ports on (192.168.3.1):
    (The 1592 ports scanned but not shown below are in state: closed)
    Port       State       Service
    25/tcp     open        smtp
    53/tcp     open        domain
    80/tcp     open        http
    110/tcp    open        pop-3
    311/tcp    open        asip-webadmin
    407/tcp    open        timbuktu
    427/tcp    open        svrloc
    548/tcp    open        afpovertcp
    625/tcp    open        unknown

    Nmap run completed -- 1 IP address (1 host up) scanned in 10 seconds

Note: The nmap utility has nefarious as well as reputable qualities. You can use it to test the security of your own network devices, for example. This testing method should be used sparingly and with caution, however. nmap sends a huge number of packets to the target in a short period of time.

Denial of Service Attacks

Denial of Service (DoS) attacks target networks, servers, or applications, making it impossible for legitimate users to gain access. DoS attacks usually result from the inability of a network, computer, or application to handle a huge load, which crashes the system or halts the system's services. These attacks pose a significant risk because they can interrupt business processes and are reasonably easy to conduct, even by an unskilled attacker. DoS attacks include:
Preventing DoS attacks is best handled by dedicated hardware firewalls and intrusion detection systems (IDSs) that have built-in software that recognizes and mitigates attacks. For example, some dedicated firewalls have advanced software that can recognize and deflect a flood of TCP connection requests, also known as a TCP SYN flood attack. Dealing with DoS attacks may also require help from network administrators of upstream networks. For example, if the Internet pipe into your company is being flooded with huge amounts of traffic, consuming all available bandwidth, this must be stopped at your Internet service provider (ISP). In the case of Mac OS X Server, simple DoS attacks can be stopped by disallowing Internet Control Message Protocol (ICMP) echoes (pings) and echo replies, and by disallowing all traffic from a known attacker, both of which are relatively easy to do with Mac OS X Server firewall service. Keep in mind that a filter on the server only protects the server's own services; it cannot free bandwidth that has already been consumed on the link in front of it, which is why the upstream help mentioned above matters.
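To make concrete what an eavesdropper extracts from the Ethereal listing of Frame 27 earlier in this section, the following added example (not code from the original text) re-assembles that frame byte for byte from the decoded fields shown there and parses it back: Ethernet II, then IPv4, then TCP, then the cleartext Telnet payload. The 58 bytes are constructed here rather than taken from a capture file. One assumption is labelled in the code: Ethereal prints the Telnet data as "co\r", but the IP Total Length of 44 leaves room for four payload bytes, and Telnet sends a bare carriage return as CR NUL, so the payload is taken to be "co\r\x00". The parser also recomputes both checksums; the 0x02d8 IP checksum and 0x788a TCP checksum printed by Ethereal come out "correct" with exactly these bytes, which confirms the reconstruction.

```python
import struct

# Frame 27 from the Ethereal listing, rebuilt from the decoded fields shown
# there (constructed for this example, not read from a capture). The trailing
# NUL in the Telnet payload is an assumption, see the lead-in.
FRAME_27 = bytes.fromhex(
    "00000c002e75"          # Ethernet destination 00:00:0c:00:2e:75 (Cisco)
    "000d9328c9f6"          # Ethernet source      00:0d:93:28:c9:f6 (Apple)
    "0800"                  # EtherType: IP
    "4510002c22fe40004006"  # IPv4: v4/IHL 5, DSCP 0x10, len 44, ID 0x22fe, DF, TTL 64, proto TCP
    "02d8"                  # IPv4 header checksum
    "0a0a00d1"              # source 10.10.0.209
    "0a0a0002"              # destination 10.10.0.2
    "ca8e0017"              # TCP ports: 51854 -> 23 (telnet)
    "a24526e7"              # sequence number 2722440935
    "dae04335"              # acknowledgement number 3672130357
    "5018ffff"              # data offset 5 (20 bytes), flags PSH+ACK, window 65535
    "788a0000"              # TCP checksum 0x788a, urgent pointer 0
    "636f0d00"              # Telnet data: "co\r\x00"
)


def ones_complement_sum(data):
    """RFC 1071 arithmetic: add 16-bit big-endian words with end-around carry.
    Summed over a header that already contains its own checksum, the result
    is 0xFFFF when the header is intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def mac(raw):
    return ":".join("%02x" % b for b in raw)


def ipv4(raw):
    return ".".join(str(b) for b in raw)


def parse_frame(frame):
    """Decode Ethernet II / IPv4 / TCP and return the fields an eavesdropper
    reads straight off the wire, including the cleartext TCP payload."""
    eth_dst, eth_src, eth_type = struct.unpack("!6s6sH", frame[:14])
    if eth_type != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ver_ihl, _dscp, total_len, ident, _frag, ttl, proto, _ = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        raise ValueError("not a TCP segment")
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    # The TCP checksum also covers a pseudo-header: both addresses, a zero
    # byte, the protocol number and the TCP length (header plus data).
    pseudo = ip[12:20] + struct.pack("!BBH", 0, proto, len(tcp))
    return {
        "eth_src": mac(eth_src), "eth_dst": mac(eth_dst),
        "ip_src": ipv4(ip[12:16]), "ip_dst": ipv4(ip[16:20]),
        "ident": ident, "ttl": ttl,
        "ip_checksum_ok": ones_complement_sum(ip[:ihl]) == 0xFFFF,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF, "window": window,
        "tcp_checksum_ok": ones_complement_sum(pseudo + tcp) == 0xFFFF,
        "payload": tcp[data_off:],
    }


if __name__ == "__main__":
    for key, value in parse_frame(FRAME_27).items():
        print("%-16s %r" % (key, value))
```

The same parser runs over any Ethernet II/IPv4/TCP frame, so it can be pointed at a raw capture to pull out addresses, IP identifiers, TCP sequence numbers and payload bytes in one pass; the checksum checks are the sanity test that the offsets were decoded correctly before trusting any field.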
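The nmap scan shown under Reconnaissance Attacks reports a port as open, closed or filtered depending on how the target answers. The following added example (written for this page, not taken from nmap or from the original text) implements the simplest of nmap's probes, the full-connect scan that nmap calls -sT, and then grabs the service banner, which is the first step from "port open" towards the application version nmap also reports. So that it runs offline and scans nothing but itself, it starts a throwaway service on 127.0.0.1 with a made-up SMTP-style greeting and reserves a second ephemeral port that it immediately releases, so one port answers with a handshake and the other with a reset. The host, ports and banner are all constructed for the example.

```python
import socket
import threading
from contextlib import closing


def tcp_connect_scan(host, ports, timeout=1.0):
    """Connect scan (nmap -sT): complete a full TCP handshake with each port.
    A completed connect means open, an immediate reset (connection refused)
    means closed, and silence until the timeout means filtered, which is what
    a firewall that drops packets without answering looks like from outside."""
    results = {}
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except (socket.timeout, OSError):
                results[port] = "filtered"
    return results


def grab_banner(host, port, timeout=1.0):
    """Read whatever the service volunteers on connect; many daemons announce
    their name and version here, which is why scanners collect it."""
    with closing(socket.create_connection((host, port), timeout=timeout)) as s:
        try:
            return s.recv(256).strip().decode("ascii", "replace")
        except socket.timeout:
            return ""


def start_local_service(banner=b"220 mail.example.test ESMTP ready\r\n"):
    """Throwaway TCP service on 127.0.0.1 (ephemeral port) that greets each
    client with a constructed banner. Returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket shut down: stop serving
                return
            with closing(conn):
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port():
    """Reserve an ephemeral port and release it again; a connect to it
    afterwards is answered with a reset, i.e. the port is closed."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Scan one open and one closed port on the loopback interface and grab
    the open port's banner. Returns (report, open_port, closed_port, banner)."""
    srv, open_port = start_local_service()
    try:
        closed_port = free_port()
        report = tcp_connect_scan("127.0.0.1", [open_port, closed_port])
        banner = grab_banner("127.0.0.1", open_port)
    finally:
        try:
            srv.shutdown(socket.SHUT_RDWR)  # wakes the blocked accept()
        except OSError:
            pass
        srv.close()
    return report, open_port, closed_port, banner


if __name__ == "__main__":
    report, open_port, closed_port, banner = demo()
    for port, state in sorted(report.items()):
        print("%d/tcp\t%s" % (port, state))
    print("banner on %d/tcp: %r" % (open_port, banner))
```

A connect scan is noisy: every probe completes a handshake that the target's service logs, whereas nmap's default SYN scan never finishes the handshake and needs raw-socket privileges. Either way the target sees a burst of connection attempts across many ports, which is the pattern a firewall or IDS can alert on, and the reason the Note above says to use such scans against your own hosts sparingly.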