CH 15 NETWORK SECURITY REVIEW Flashcards
1
Q
NETWORK SECURITY
A
- Not all malicious attacks can be mitigated by local security practices.
- Some attack vectors must be controlled by using network security practices.
- This addresses the problem of attackers sending malicious network traffic to your system.
- This WILL happen - the way to handle it is to manage the inevitable.
- Malicious traffic includes DoS/DDoS attacks or targeted traffic to exploit weaknesses in software
2
Q
IP ADDRESSES AND PORT NUMBERS
A
- Every host on an IP-based network has at least one IP address.
- Every Linux host has a number of processes running on it at any given time.
- Each of these processes can be a network client, a network server or both.
- The fact that more than one process on a system can be running as a server means that using an IP address alone is not enough.
3
Q
IP ADDRESSES AND PORT NUMBERS
- TCP / UDP
- port number ranges
A
- TCP/IP requires that traffic carry not only a source and destination IP address but also a source and destination port number - this applies to both TCP and UDP.
- Port numbers range from 0 to 65535.
- Ports 0 to 1023 are generally reserved for well-known services.
- Ports 1024 and higher are either less-common applications or are for temporary (ephemeral) connections.
4
Q
IP ADDRESSES AND PORT NUMBERS
- Well-Known ports and their port numbers
A
Well-known services and their associated ports can be found in /etc/services.
- Port 21 - FTP
- Port 22 - SSH Remote Login Protocol
- Port 23 - Telnet
- Port 25 - Simple Mail Transfer Protocol (SMTP)
- Port 53 - DNS
- Port 80 - HTTP
- Port 110 - POP3
- Port 118 - SQL Services
- Port 143 - Interim Mail Access Protocol (IMAP)
- Port 161 - SNMP
- Port 179 - Border Gateway Protocol (BGP)
- Port 389 - Lightweight Directory Access Protocol (LDAP)
- Port 443 - HTTPS
5
Q
IP ADDRESSES AND PORT NUMBERS
- Stateful Connection tracking
A
In order to identify every unique connection between hosts, Linux keeps track of four pieces of information:
- Source IP Address
- Source Port Number
- Destination IP Address
- Destination Port Number
6
Q
PORTS AND SERVICE BINDING
- Binding
- netstat command
A
- Services generally watch for traffic on a specific port - this is a process known as binding.
- Example: the apache web server works with HTTP and HTTPS traffic, therefore it will bind itself at startup to monitor and send traffic on ports 80 and 443.
- To track what ports are open on your system and the associated bindings, the netstat command is used.
- Example: run netstat --tcp --numeric
7
Q
NETSTAT COMMAND
A
- By default (no parameters/options/switches), netstat will provide connections for both network and domain sockets.
- This means you will see connections going over the network AS WELL as connections between processes (domain sockets)
- It’s a good idea to be aware of what processes are bound to what ports, and what programs are listening on the network.
- Example: if the bash shell is listening to a network port, you should be suspicious.
- The main concern is the destination port of a connection.
- If the program and the port it is bound to do not match, or the connection isn’t going to a standard port for a regular service, this is cause for concern.
8
Q
NETSTAT COMMAND OPTIONS
A
- -n do not resolve IP addresses
- -a show ALL ports
- -t show TCP traffic
- -u show UDP traffic
9
Q
BINDING TO AN INTERFACE
A
- One way to improve security of a service/daemon running on a server is to bind it to a specific network interface.
- Example: Interfaces
- eth0 192.168.1.4
- eth1 172.16.1.1
- lo 127.0.0.1
- IP forwarding is NOT enabled.
- If an application binds itself to the 172.16.0.0/16 network (eth1), it is isolated from the 192.168.1.0 network on eth0, since traffic cannot traverse between the 172. and 192. networks while IP forwarding is off.
- You can even bind to 127.0.0.1 for applications that should only be accessed from services on the same server.
- Ex: MySQL should only be called from internal services such as Apache, and has no need to communicate with the outside world.
10
Q
SERVICE/DAEMON MANAGEMENT
A
- As Linux becomes more user-friendly, more service/daemons are being installed and configured for launch on startup during installation.
- When evaluating a system, ask three questions:
- is this service needed?
- if so, is the default setting secure?
- does the service need updates?
11
Q
XINETD
A
- xinetd - subsystem of Linux that launches services that need Internet connectivity.
- Performs access control, logging, etc.