Heavy Networking | August 8, 2011
Show 56 – Securing An Internet-Facing App – Part 1 – Host Hardening
Ethan
Banks
Greg
Ferro
Listen, Subscribe & Follow:
An all-US cast gathers around the virtual whiteboard for a security discussion in Packet Pushers podcast show #56, recorded on August 1, 2011. Sysadmin, virtualization heavy, and blogger Bob Plankers joins Network Security Princess Mrs. Y, security industry veteran Daniel Powell, show regular and CCIE Tom Hollingsworth, and this week’s host Ethan Banks to discuss host hardening in this first of a series on securing Internet-facing applications.
First, The News:
- VMware vSphere 5 has been released, with some networking enhancements.
- RSA breach cost EMC $66M in Q2.
- BlackHat wartexting brings up SCADA fears.
- Google Street View data is coughing up private information.
- Conficker found on Fission External 4-in-1 Hard Drive/DVD/USB/Card Reader sold at Australian supermarket chain ALDI
- Global analysis of 10 million web attacks reveals everything old is new again.
Then, The Discussion:
- Ancient attacks often still work.
- Each OS has a unique hardening strategy.
- Shutting down unneeded services is a best practice, but can impact other services.
- Host-based firewalls – boon or bane?
- Using a GUI to configure firewall services on a *NIX box is okay. We won’t tell if you don’t use vi.
- Can we distinguish a host-based firewall from a network firewall appliance?
- So…should we use both host-based firewalls and appliance firewalls at the same time?
- Separating system privileges by user and process.
- Security is no longer about one guy working by himself – that’s a dead idea.
- How can you help an HTTP engine defend itself?
- Is it possible to break out of a chrooted jailcell?
- What impact to overall performance can host security add-ons cause?
- Moats, walls, and guns are great…unless you leave the back door open.
- Assuming our app will be broken into, what can we do ahead of time to keep damage to a minimum?
- Patching: protecting against potential harm.
- Detecting changes to hosts or applications using signatures and fingerprints.
- How do you handle the flood of logging events that’s normal on any network?
- Centralized syslogging: there must be only one.
- How do you get back to normality once you’ve been pwned?
- Does it make sense to restore to a normal state via a VMware snapshot?
Links:
- The gummy bear method of defeating fingerprint readers
- Cisco ASA identity-based firewalling (PDF)
- mod_security
- F5 Networks Application Security Module
- Open Web Application Security Project (OWASP)
- Pen testing
- Mining memcached
- TripWire (open source flavor)
- Logging, escalation, and correlation tools: Splunk, LogLogic, ArcSight, OpenNMS, SolarWinds
- Puppet
- Chef
Share this episode
Has this episode gone to the great bit bucket in the cloud?
No, it’s still alive: https://packetpushers.net/podcast/show-56-securing-an-internet-facing-app-part-1-host-hardening/