Show 56 – Securing An Internet-Facing App – Part 1 – Host Hardening

An all-US cast gathers around the virtual whiteboard for a security discussion in Packet Pushers podcast show #56, recorded on August 1, 2011. Sysadmin, virtualization heavy, and blogger Bob Plankers joins Network Security Princess Mrs. Y, security industry veteran Daniel Powell, show regular and CCIE Tom Hollingsworth, and this week’s host Ethan Banks to discuss host hardening in this first of a series on securing Internet-facing applications.

First, The News:

Then, The Discussion:

  • Ancient attacks often still work.
  • Each OS has a unique hardening strategy.
  • Shutting down unneeded services is a best practice, but can impact other services.
  • Host-based firewalls – boon or bane?
  • Using a GUI to configure firewall services on a *NIX box is okay. We won’t tell if you don’t use vi.
  • Can we distinguish a host-based firewall from a network firewall appliance?
  • So…should we use both host-based firewalls and appliance firewalls at the same time?
  • Separating system privileges by user and process.
  • Security is no longer about one guy working by himself – that’s a dead idea.
  • How can you help an HTTP engine defend itself?
  • Is it possible to break out of a chrooted jailcell?
  • What impact to overall performance can host security add-ons cause?
  • Moats, walls, and guns are great…unless you leave the back door open.
  • Assuming our app will be broken into, what can we do ahead of time to keep damage to a minimum?
  • Patching: protecting against potential harm.
  • Detecting changes to hosts or applications using signatures and fingerprints.
  • How do you handle the flood of logging events that’s normal on any network?
  • Centralized syslogging: there must be only one.
  • How do you get back to normality once you’ve been pwned?
  • Does it make sense to restore to a normal state via a VMware snapshot?
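As an added illustration of the "signatures and fingerprints" item above (this is not code from the show, nor from Tripwire or any other tool mentioned; the function names are hypothetical), here is a minimal file-integrity check in POSIX shell: record a SHA-256 baseline of a directory tree, then diff a fresh scan against it so that added, modified and deleted files are all reported.

```shell
#!/bin/sh
# Added example for the "signatures and fingerprints" item; not code from the
# show or from Tripwire. Function names are hypothetical. Records a SHA-256
# baseline of a tree and later reports added, modified and deleted files.

# fim_hash FILE: print the SHA-256 hex digest of FILE
fim_hash() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1   # BSD / macOS fallback
  fi
}

# fim_baseline DIR OUT: write "digest  ./relative/path" for every regular file
# under DIR, sorted. This is sha256sum -c format, so the baseline is tool-agnostic.
fim_baseline() {
  dir=$1; out=$2
  ( cd "$dir" && find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
      printf '%s  %s\n' "$(fim_hash "$f")" "$f"
    done ) > "$out"
}

# fim_verify DIR BASELINE: recompute digests and print one line per change
# ("ADDED path", "MODIFIED path", "DELETED path"). Returns 0 only when clean.
# sha256sum -c would catch MODIFIED and DELETED but never ADDED (a new cron job,
# a dropped web shell), which is why both lists are compared by path.
fim_verify() {
  dir=$1; base=$2
  cur=$(mktemp)
  fim_baseline "$dir" "$cur"
  # the path starts at column 67 (64 hex digits + two spaces), so paths may contain spaces
  changes=$(awk '
    FILENAME == ARGV[1] { base[substr($0, 67)] = $1; next }
    { cur[substr($0, 67)] = $1 }
    END {
      for (p in base) if (!(p in cur)) print "DELETED " p
      for (p in cur) {
        if (!(p in base)) print "ADDED " p
        else if (cur[p] != base[p]) print "MODIFIED " p
      }
    }' "$base" "$cur" | LC_ALL=C sort)
  rm -f "$cur"
  [ -z "$changes" ] && return 0
  printf '%s\n' "$changes"
  return 1
}

# Command-line use:  fim.sh baseline /etc /media/ro/etc.sha256
#                    fim.sh verify   /etc /media/ro/etc.sha256
# Keep the baseline off-host or on read-only media: an intruder who has root
# can rewrite a baseline stored next to the files it protects.
case "${1:-}" in
  baseline) fim_baseline "$2" "$3" ;;
  verify)   fim_verify   "$2" "$3" ;;
esac
```

The baseline file is deliberately in `sha256sum -c` format, so it can be checked with the stock tool as well; the awk comparison exists only to report files that appeared after the baseline was taken, which `-c` cannot do. The check is no stronger than the place the baseline lives, which is the reason tools like Tripwire sign their database.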

Links:

Ethan Banks
Ethan Banks, CCIE #20655, has been managing networks for higher ed, government, financials and high tech since 1995. Ethan co-hosts the Packet Pushers Podcast, which has seen over 2M downloads and reaches over 10K listeners. With whatever time is left, Ethan writes for fun & profit, studies for certifications, and enjoys science fiction. @ecbanks
  • Geniesis

    What are your ideas on securing the VMware ESX host itself which is in a DMZ? Do you place the ESX management NICs (vmkernel and VM console) behind a firewall before connecting it to your internal environment, or just direct into the management subnet? I assume here that the NICs for user traffic are separate from the management NICs and not just a VLAN.

  • http://twitter.com/dhanakane Dhana Kaneshayogan

    A promising topic, but I left feeling confused. I listened hoping for step-by-step info on the thought process behind app hardening. All that stuck after the show was:

    – Layer your protection strategies. Nothing on what order you should layer them in, or an example.

    – Shutdown unnecessary services.

    – People still run old, unpatched code. Therefore, old vulnerabilities still exist.

    Any chance you can deal with the process of app hardening in-depth, or by method on the next show?

    • Mrs. Y.

      It’s a big subject and very complex. Do you have a specific application in mind so that we could work out a scenario? I think my practice is to host-harden (with vendor or open source tools), install the application with as little privilege as possible, then add a local web application firewall, IPS/IDS, file integrity checker and finally add external ACLs or a border firewall.
      As an example, when installing a nameserver, I would pick a *nix distro (for Linux, I’m liking Debian right now, but I usually lean towards BSD), then host-harden using the documented standards (from SANS, NIST, NSA, maybe use Bastille Linux). That doesn’t just mean turning off services, it means doing a bare-bones install or uninstalling things like the GUI desktop packages, X11, games, etc. I used to have my own hardening scripts for Solaris until they came out with JASS. So if you do this often enough, you might want to write something, but you could also use VMware templates. Then compile or install the BIND package. Don’t compile it on the host, and make sure you don’t have a compiler installed there. Then follow the standards in Cricket Liu’s BIND book for chrooting named. You’ll want to set application restrictions on who can perform zone transfers and recursive queries. Make sure the named process doesn’t run as root. You might want a file integrity checker locally, like Tripwire. Configure iptables or IPFilter to block access to SSH and other administrative ports, depending on your *nix distro.
      Does this help more?

      • http://twitter.com/dhanakane Dhana Kaneshayogan

        I guess I was looking for a series of network related best practices in addition to the host hardening.
        Say a small business has a server hosting all their web content. Where would the “IT Guy” start? I am a baby network engineer, so I’d start by putting it in a DMZ and restricting internal and external access via a firewall rule. E.g. a firewall rule only allowing admin and client traffic on the respective protocols and ports as a starting point. This way I know that only certain types of traffic can get in and out. Once a firewall is in place to restrict access, what should I do to make it even more secure?
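The BIND build-out Mrs. Y describes in the thread above reduces to a handful of checks that can be scripted. The following is an added example, not code from the show or from any commenter: it audits a named.conf and a `ps -eo user,args` listing against her points (zone transfers restricted, recursion off, named not running as root, named chrooted with `-t`) and looks for a compiler left on the host. Function names are hypothetical, and the sample configs and process lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the show or from Mrs. Y: scriptable checks for the
# BIND hardening steps she lists. Function names are hypothetical; the sample
# named.conf files and ps lines below are constructed for illustration.
# Limitation: only // and # comments are stripped, not /* */ blocks.

# check_named_conf FILE: print one finding per line; return 1 if any were found.
check_named_conf() {
  # strip comments and flatten to one line so multi-line { ... } blocks match
  flat=$(sed -e 's|//.*$||' -e 's|#.*$||' "$1" | tr '\n' ' ')
  n=0
  if ! printf '%s' "$flat" | grep -q 'allow-transfer'; then
    echo "zone transfers: no allow-transfer statement; restrict to the secondaries"
    n=$((n+1))
  elif printf '%s' "$flat" | grep -Eq 'allow-transfer[^}]*[^a-z]any[^a-z]'; then
    echo "zone transfers: allow-transfer { any; } lets anyone pull the zone"
    n=$((n+1))
  fi
  if ! printf '%s' "$flat" | grep -Eq 'recursion +no *;'; then
    if ! printf '%s' "$flat" | grep -q 'allow-recursion' \
       || printf '%s' "$flat" | grep -Eq 'allow-recursion[^}]*[^a-z]any[^a-z]'; then
      echo "recursion: open resolver; set recursion no, or allow-recursion for local nets only"
      n=$((n+1))
    fi
  fi
  [ "$n" -eq 0 ]
}

# check_named_process: read `ps -eo user,args` lines on stdin; flag a named that
# runs as root or that was started without -t (no chroot). Return 1 on findings.
check_named_process() {
  n=0
  while IFS= read -r line; do
    case "$line" in *named*) ;; *) continue ;; esac
    set -- $line                        # $1 = user, rest = command line
    if [ "$1" = "root" ]; then
      echo "named runs as root: $line"; n=$((n+1))
    fi
    case " $line " in *' -t '*) ;; *)
      echo "named is not chrooted (no -t dir): $line"; n=$((n+1)) ;;
    esac
  done
  [ "$n" -eq 0 ]
}

# check_no_compiler: a compiler on the production host hands an intruder a build
# environment; build elsewhere and install the package. Return 1 if one is found.
check_no_compiler() {
  for c in cc gcc clang; do
    if command -v "$c" >/dev/null 2>&1; then
      echo "compiler present: $(command -v "$c")"; return 1
    fi
  done
  return 0
}

# Constructed sample configs (not from any real server); each prints its temp path.
write_weak_conf() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
options {
    directory "/var/named";
    recursion yes;
    // allow-transfer { 192.0.2.10; };   commented out, so it must not count
};
zone "example.com" { type master; file "example.com.zone"; };
EOF
  echo "$f"
}
write_hardened_conf() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
options {
    directory "/var/named";
    recursion no;
    allow-transfer {
        192.0.2.10;     # the secondary only
    };
};
zone "example.com" { type master; file "example.com.zone"; };
EOF
  echo "$f"
}

# Demo run on the constructed inputs
weak=$(write_weak_conf); hard=$(write_hardened_conf)
echo "== weak named.conf ==";     check_named_conf "$weak" || echo "-> FAIL"
echo "== hardened named.conf =="; check_named_conf "$hard" && echo "-> OK"
echo "== process listing =="
printf 'root /usr/sbin/named -c /etc/named.conf\n' | check_named_process || echo "-> FAIL"
echo "== compiler on this host =="; check_no_compiler && echo "-> OK (none found)"
rm -f "$weak" "$hard"
```

On a real host, feed `check_named_process` with `ps -eo user,args | check_named_process` and point `check_named_conf` at the file named's `-c` argument references (inside the chroot, if one is in use). The regexes are deliberately narrow: a per-zone `allow-transfer` satisfies the first check even when the global options block has none, so read the findings as a starting point, not a clean bill of health.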

  • JR

    This was a very thought-provoking episode and, as someone in the process of rebuilding a DMZ, I’ve applied a lot of the ideas discussed here (host-based firewalls in addition to the network firewall, integrity checking, centralised syslog).

  • Pingback: Show 61 – Securing an Internet-Facing App – Part 2 – Border Routers, Firewalls, IDS/IPS

  • Pingback: Security Thoughts on a Cold Winter Night