Implementing Secure Edge Devices using Open Source Software
James Duncan, LMS Technologist, Sheridan Institute of Technology and Advanced Learning

Introduction to OpenBSD

What is an 'Edge Device'?
- Edge of the network
- Exposed devices
  - Routers
  - NIDS
  - Firewall
  - 'Public' servers
[Network diagram: Internet, Router, Load Balancer, www1/www2/www3, Firewall, Switch, MacNet Mobile, NIDS]

Introduction to OpenBSD
- "UNIX-like" operating system
- Spun off of NetBSD and 4.4BSD in 1996 by Theo de Raadt
- Differs from Linux in source base and in licensing
- 'Free, Functional, Secure'
- Based in Calgary
- 6-month release cycle / CVS access to the current source base
- Currently in pre-release of version 3.4
- http://www.openbsd.org

Supported Architectures
- Currently supported: Alpha, hp300/HPPA, i386, mac68k, macppc, mvme68k, sparc/sparc64, vax
- Ports in progress: mvme88k, AMD64, hppa64, romp, sgi, amiga, sun3

Features of OpenBSD
- Bug management
  - "Secure by Default"
  - Proactive source code auditing
  - W^X page protection / ProPolice stack protection
  - Privilege separated daemons
- Secure communications & services
  - IPSec using isakmpd
  - Support for NIDS (Snort)
  - Secure network services
- PF+AltQ
  - Firewall/routing/queuing using PF+AltQ

Bug Management
- Bug prevention
  - Secure by Default
  - Source code auditing
- Bug mitigation
  - W^X
  - ProPolice
  - Privilege separation

"Secure by Default"
- Definition: strictly configured by default
  - Firewall rejects traffic to all ports except 22 (ssh)
  - Turn off as many services as possible
  - Daemons configured securely, with extraneous features turned off
- "One remote hole in the default install, in more than 7 years"

Source Code Audits
- Between 6 and 12 developers devoted to this
- Looking for basic software bugs
- If a new class of bug is found, the entire tree is re-audited
- Proactive
- Bug-finding 'arms race'
- Reduction in setuid and setgid binaries

What is a Stack? (Basic)
[Diagram: a stack drawn as consecutive memory locations, 1382:0100 through 1382:0140]
- Section of contiguous memory
- Holds data, as well as program instructions
- Memory executed in sequence, until a return address is reached

Buffer Overflows
- Overrun the bounds of a data buffer
  - i.e., cram more data into a box than it was designed to hold
- Lack of bounds checking is the flaw in the code
- A buffer overflow exploit writes executable code into memory, then modifies the return address to point to this code

W^X Page Protection
- 'Write or Execute'
- A page can be either written to or executable, but not both
- Prevents an attacker from writing code anywhere into memory where it might be executed
- Supported on sparc, sparc64, Alpha, HPPA, i386 and PowerPC
  - Natively supported on sparc, sparc64, Alpha, x86-64
  - PowerPC and i386 required ugly hacks
- Similar in function but different in execution to PaX
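A user-space model of the W^X rule, added here as an illustration rather than OpenBSD's kernel code: wx_protect() refuses any mapping that would be writable and executable at the same time, and wx_load_code() shows the only sequence W^X leaves for code that is generated at run time (fill the page while it is RW, then flip it to RX). The POSIX mmap/mprotect calls are real; the policy wrapper and helper names are this example's own.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* MAP_ANONYMOUS on glibc */
#endif
#include <errno.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Refuses a protection that is writable and executable at once (the W^X
 * rule); otherwise applies it with mprotect(). Returns 0, or -1 with errno. */
int wx_protect(void *addr, size_t len, int prot)
{
    if ((prot & PROT_WRITE) && (prot & PROT_EXEC)) {
        errno = EINVAL;                 /* W and X together: never allowed */
        return -1;
    }
    return mprotect(addr, len, prot);
}

/* Stages 'len' bytes of code the only way W^X permits: the page is writable
 * while it is filled, then becomes read+execute and is never writable again.
 * Returns the page, or NULL on failure. */
void *wx_load_code(const unsigned char *code, size_t len)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || len > (size_t)page)
        return NULL;
    void *p = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    memcpy(p, code, len);                                   /* RW phase */
    if (wx_protect(p, (size_t)page, PROT_READ | PROT_EXEC) != 0) {
        munmap(p, (size_t)page);
        return NULL;
    }
    return p;                                               /* RX phase */
}

/* Demonstrates the refusal: an RWX request on a fresh page fails with
 * EINVAL. Returns 1 when the policy held, 0 otherwise. */
int wx_rwx_refused(void)
{
    long page = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 0;
    int refused = wx_protect(p, (size_t)page,
                             PROT_READ | PROT_WRITE | PROT_EXEC) == -1
                  && errno == EINVAL;
    munmap(p, (size_t)page);
    return refused;
}
```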

ProPolice Stack Protection
- Extension to GCC (GNU C Compiler)
- Available on Linux, FreeBSD, OpenBSD, others...
- Software compiled with GCC+ProPolice has stack protection built in to it
- Makes it harder to exploit bugs such as buffer overflows by modifying the way program data is stored on the stack
- How does this work?

ProPolice (continued)
- Insert protective code into the application at compile time
- Buffer overflow detection (concept from StackGuard)
- Variable reordering – reorder data and variables in such a way that overwriting a pointer becomes difficult when data is overflowed
- http://www.research.ibm.com/trl/projects/security/ssp/
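A plain-C model of the two ProPolice ideas above, added as an illustration (it is not ProPolice's own code, which lives inside GCC): the struct stands in for a stack frame laid out with the pointer local first, the character array last and a guard word after it, so an unchecked copy that runs past the array hits the guard before anything further up the frame, and the exit-time check notices. The guard value, layout and inputs are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define GUARD 0x5a5a1234u     /* constructed; ProPolice uses a random guard */

/* Models a frame laid out the ProPolice way: pointer locals below the
 * character array, and the guard between the array and what must be
 * protected (saved registers, return address). An overrun of buf moves
 * away from the pointer and into the guard. */
struct frame {
    const char *callback;     /* pointer local, kept below the array */
    char buf[16];             /* array local, placed next to the guard */
    uint32_t guard;           /* canary the compiler inserts */
};

/* An unchecked copy into buf, like strcpy() on untrusted input. Returns 1
 * if the exit-time guard check would detect a smash, 0 if the frame is
 * intact. The write is clamped to the frame so the model stays defined. */
int guarded_copy(const char *src, size_t len)
{
    struct frame f;
    f.callback = "safe";
    f.guard = GUARD;
    size_t room = sizeof f - offsetof(struct frame, buf);
    if (len > room)
        len = room;                    /* bytes past the guard do not matter here */
    memcpy((char *)&f + offsetof(struct frame, buf), src, len);
    if (f.guard != GUARD)
        return 1;                      /* ProPolice: "stack smashing detected", abort */
    return f.callback[0] != 's';       /* pointer below the array is untouched: 0 */
}

/* The same copy with the bounds check the vulnerable code lacked. */
int bounded_copy(const char *src, size_t len)
{
    struct frame f;
    f.callback = "safe";
    f.guard = GUARD;
    if (len >= sizeof f.buf)
        len = sizeof f.buf - 1;        /* leave room for the terminator */
    memcpy(f.buf, src, len);
    f.buf[len] = '\0';
    return f.guard != GUARD;           /* always 0: the guard is never reached */
}
```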

Privilege Separation
- Concept of least privilege
- Separate network daemons into two levels
  - One process running as root for everything that requires that level of privilege
  - Sub-processes running as an unprivileged user
- This minimizes the damage caused by remote attacks
- E.g., sshd, syslogd

Privilege Separation (cont.)

root      28740 14036  0 17:35 ?  00:00:00 sshd:duncajam [priv]
duncajam  28743 28740  0 17:35 ?  00:00:00 sshd:duncajam@pts/4
duncajam  28744 28743  0 17:35 ?  00:00:00 -tcsh

- sshd forks off a child process at root level to handle the incoming connection
- This process forks off an unprivileged process to handle the rest of the communications
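The two-level pattern in the ps listing, reduced to its core as an added example (not OpenSSH's code): the privileged parent forks a child, the child drops to an unprivileged uid/gid before it touches the untrusted message, and only a small integer result crosses the pipe back. The uid/gid values, the message and the helper names are this example's own; in sshd the parent's privileged work would be things like the private-key operations.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* setgroups() on glibc */
#endif
#include <grp.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Gives up root for good: supplementary groups, then gid, then uid, and a
 * check that root cannot be regained. A no-op when already unprivileged. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (getuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0)
        return -1;                    /* still able to become root: unsafe */
    return 0;
}

/* Parent keeps its privileges and only collects the result; the child drops
 * to uid/gid and does the exposed work (here: bytes before the first newline).
 * Returns the child's result, or -1 on any failure. */
int privsep_handle(const char *msg, uid_t uid, gid_t gid)
{
    int fd[2], status, result = -1;
    if (pipe(fd) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(fd[0]); close(fd[1]);
        return -1;
    }
    if (pid == 0) {                   /* child: the unprivileged side */
        close(fd[0]);
        if (drop_privileges(uid, gid) != 0)
            _exit(1);
        int n = (int)strcspn(msg, "\n");      /* "parsing" of hostile input */
        _exit(write(fd[1], &n, sizeof n) == (ssize_t)sizeof n ? 0 : 1);
    }
    close(fd[1]);                     /* parent: privileged monitor */
    if (read(fd[0], &result, sizeof result) != (ssize_t)sizeof result)
        result = -1;
    close(fd[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        result = -1;
    return result;
}
```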

Secure Communications
- 'Snoop the line' – Network Intrusion Detection Systems
- IP Security – secured network protocol
- Secured network daemons

Intrusion Detection Systems
- Full support for Snort NIDS (Network Intrusion Detection System)
- Topic covered in another presentation, moving right along...

IPSec using isakmpd
- IP Security
  - AH – Authentication Header
  - ESP – Encapsulated Security Protocol
- Compatible with other IPSec implementations, such as those available for Linux and Windows

Exposed Web Services
- Ports
- Packages
  - Apache, Sendmail, BIND, etc.
- Chroot (e.g., Apache)
- PrivSep (e.g., SSH, syslog)
- Audits

Modern Firewalling
- What is a firewall?
- What is a router?
- What is rate limiting (queuing)?
- This is all done in OpenBSD via the PF+AltQ subsystem
  - Configured from /etc/pf.conf
  - Configurable via the pfctl command (as root)

Packet Filter Features
- Stateful filtering, "modulate state"
- Pass / block / drop
- Match on address, source / destination ports, packet flags
- Easy syntax, with tables, lists, and highly configurable options
- Scrub – packet normalization
- Packet logging – tcpdump format
- Block spoofed packets (antispoof)
- Block packets with IP options set (OS fingerprinting)
- Anchors and sub-rulesets
- spamd

PF Ruleset Example

int_if = "fxp0"
ext_if = "ep0"
# the slide uses these two macros without defining them; typical values:
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
icmp_types = "echoreq"

set block-policy return
set loginterface ep0

scrub in all

# default deny, loopback always passes
block all
pass quick on lo0 all
# private address space never enters or leaves on the external interface
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
# outbound TCP gets sequence-number modulation and must start with SYN
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

Routing Features
- Basic routing
- Traffic redirection
- NAT (Network Address Translation)
- Round-robin load balancing

Routing Example

# hide the internal network behind the external interface address
nat on $ext_if from $int_if:network to any -> ($ext_if)
# redirect internal FTP to a local proxy
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
# translate to a pool of two addresses, chosen by source hash
nat on $ext_if inet from any to any -> { 192.0.2.5, 192.0.2.10 } source-hash
# spread inbound web traffic over three servers (round-robin)
rdr on $ext_if proto tcp from any to any port 80 -> \
    { 10.0.0.10, 10.0.0.11, 10.0.0.13 }

Queuing Features
- Bandwidth management system
- Useful for managing outbound traffic
  - i.e., limiting use of some protocols or giving priority to others
- Queuing done in FIFO, CBQ, or PQ
- Based on AltQ
- Matches functionality found in commercial products such as Packeteer

Queuing Example

# 610 Kb/s priority queue on fxp0, split into four child queues
altq on fxp0 priq bandwidth 610Kb queue \
    { std_out, ssh_im_out, dns_out, tcp_ack_out }
queue std_out priq(default)
queue ssh_im_out priority 4 priq(red)
queue dns_out priority 5
queue tcp_ack_out priority 6
# bulk TCP goes to std_out; pure ACKs use the higher-priority tcp_ack_out
pass out on fxp0 inet proto tcp from (fxp0) to any flags S/SA \
    keep state queue(std_out, tcp_ack_out)

Summary
- Benefits
  - Free, secure OS
  - Enterprise-ready features
  - Available on many platforms
- Cons
  - Not performance tuned
  - No SMP support yet
  - Emphasis on security over 'bleeding-edge' software
- http://www.openbsd.org

Q&A