Secure Systems
1. Security policy
– What needs to be protected
– Kinds / level of protection
– Responsibilities
– Auditing policy
2. Security environment
– Physical environment
– Physical security procedures
– Hardware, operating system
– firewalls, etc
3. Security mechanisms
– cryptography
– authentication
– security protocols
4. Monitoring and auditing
– monitor access
– audit trails
– feedback on failures, security breaches
– containment & recovery
Module Code and Module Title Title of Slides
Topics
• This week:
• Simpler tools that can be used together
• iptables
• tcpwrap
• SASL
• PAM
• Next week:
• More complete AAA systems
– SELinux, Kerberos, RADIUS
Identification
– Unique user ID
Authentication
– Something you know (password, pin)
– Something you have (card, certificate)
– Something you are (fingerprint, retina)
Access Controls
Monitoring
• Packet filters
– only pass certain traffic, based on any observable
characteristic of each packet.
– IP addresses, port, packet type or sequence, etc.
• Stateful firewalls
– “circuit-level” rules pertaining to connections rather
than individual packets
• Packet Filter
– Accept or Reject packets by Source + Destination IP address
– Access Control Lists (ACLs) can be implemented in a router as
well as a separate server
Packet Filters
[Figure: Enterprise Network, DMZ with Web, File, DNS and Mail servers, Internet Service Provider, Internet. ACLs on router and individual servers. DMZ: demilitarized zone (uncontrolled access).]
Using the except option, the hosts on the left-hand side of the word "except"
are denied access, but the hosts in the right-hand list after the word "except"
are allowed.
The dot (".") before apu.edu.my is a wildcard and means
all hosts ending with apu.edu.my.
Note:
Hostnames can be forged, so using IP addresses or the keyword ALL
when specifying hosts in hosts.allow or hosts.deny is more secure, BUT
addresses allocated using DHCP may change.
What’s the solution? (hint: take a look at the DHCP config files)
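The except and leading-dot matching described above, modelled in Python as an added example (not code from the slides or from tcpd). The rule strings, host names, addresses and function names are constructed for illustration, and the trailing-dot address-prefix pattern and the allow-then-deny order follow hosts_access(5) rather than the slides.

```python
# Simplified model of hosts_access(5) client matching. Added example, not tcpd's code.
# Assumptions: IPv4 only, no options after the client list, no netgroups or @ patterns.

def match_pattern(pattern, hostname, address):
    """Match one pattern against the client's looked-up name and its IP address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):      # ".apu.edu.my": any host name ending in it
        return hostname.lower().endswith(pattern.lower())
    if pattern.endswith("."):        # "10.1.": any address starting with it
        return address.startswith(pattern)
    return pattern.lower() == hostname.lower() or pattern == address

def match_list(tokens, hostname, address):
    """'a b EXCEPT c' matches a or b unless c matches; EXCEPT nests to the right."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (match_list(tokens[:i], hostname, address)
                and not match_list(tokens[i + 1:], hostname, address))
    return any(match_pattern(p, hostname, address) for p in tokens)

def rule_matches(rule, daemon, hostname, address):
    """A rule is 'daemon_list : client_list'; items are separated by blanks or commas."""
    daemons, clients = (part.replace(",", " ").split() for part in rule.split(":", 1))
    # Daemon names are compared literally, so the name is passed in both slots.
    return match_list(daemons, daemon, daemon) and match_list(clients, hostname, address)

def access_granted(daemon, hostname, address, allow_rules, deny_rules):
    """hosts.allow is checked first, then hosts.deny; no match in either grants access."""
    if any(rule_matches(r, daemon, hostname, address) for r in allow_rules):
        return True
    return not any(rule_matches(r, daemon, hostname, address) for r in deny_rules)

# Constructed hosts.deny contents: the same policy keyed on names, then on addresses.
DENY_BY_NAME = ["ALL: ALL EXCEPT .apu.edu.my"]
DENY_BY_ADDR = ["ALL: ALL EXCEPT 10.1."]          # 10.1. is a constructed campus prefix
# Constructed clients: (name returned by reverse lookup, source address).
CLIENTS = [
    ("lab1.apu.edu.my", "10.1.2.3"),       # campus host
    ("host.example.net", "203.0.113.9"),   # outside host
    ("pc7.apu.edu.my", "203.0.113.9"),     # outside address whose lookup claims the domain
]

def compare():
    """Return (name, address, granted by name rule, granted by address rule) per client."""
    return [(n, a, access_granted("sshd", n, a, [], DENY_BY_NAME),
             access_granted("sshd", n, a, [], DENY_BY_ADDR)) for n, a in CLIENTS]

if __name__ == "__main__": print(*compare(), sep="\n")
```

The third client is granted by the name-based rule and refused by the address-based one, which is the difference the note above describes.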
Standard Warning:
• You can lock yourself out of your own system if you are not careful!
• firehol-1.273
• An easy to use but powerful iptables stateful firewall. The default
configuration file will allow only client traffic on all interfaces.
• shorewall-4.4.7.5
• Shorewall is an open source firewall tool for Linux that makes it
easier to manage more complex configuration schemes by working
with "zones", such as the DMZ or a 'net' zone. Each zone would
then have different rules, making it easy to have for example
relaxed rules on the company intranet, yet clamp down on traffic
coming in from the internet.