Security Technology Implementation
Part A – 3. Security Technology Implementation
In this document, we discuss the implementation of the recommended security technologies and give a complete design for each control. The details of each component are as follows:
Data Backup and Recovery Technology: Data backup and its recovery are crucial for any organization. If proper backup and recovery procedures are in place, the cost of a disaster (both monetary and to the business) can be reduced substantially. Several backup repository models are available, supported by a range of software solutions:
Full Backup.
Incremental Backup.
Differential Backup.
Unstructured Backup.
The backup model is chosen according to how critical the service is; the same consideration determines the backup frequency. Several technological solutions can fulfil these requirements, among them the following:
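The difference between the first three models above is what each backup copies and how many backup sets a restore has to read. The following Python script is an added example (it is not from this document nor from any of the products named below); it simulates the three models over a constructed five-day modification history and checks that every restore chain rebuilds the same final state. File names and timestamps are made up.

```python
"""Full vs incremental vs differential backups: what is copied, what a restore needs.

Added example, not part of the original document. MTIMES is a constructed
modification history: file -> days on which the file was written.
"""
from dataclasses import dataclass

MTIMES = {
    "etc/passwd": [0],
    "var/db/app.db": [0, 1, 2, 3, 4],
    "var/www/index.html": [0, 2],
    "home/alice/notes.txt": [0, 3],
}


@dataclass
class Snapshot:
    day: int
    kind: str      # "full", "incremental" or "differential"
    files: dict    # file -> version (the mtime day) captured in this set


def version_at(path, day):
    """Latest write of `path` at or before `day`."""
    return max(d for d in MTIMES[path] if d <= day)


def changed_since(day, since):
    """Files written after `since` and at or before `day`."""
    return [p for p, days in MTIMES.items() if any(since < d <= day for d in days)]


def run_schedule(model, last_day=4):
    """Day 0 is always a full backup; days 1..last_day follow `model`."""
    snaps = [Snapshot(0, "full", {p: version_at(p, 0) for p in MTIMES})]
    last_full, last_any = 0, 0
    for day in range(1, last_day + 1):
        if model == "full":
            paths, kind = list(MTIMES), "full"
        elif model == "differential":          # everything since the last full
            paths, kind = changed_since(day, last_full), "differential"
        elif model == "incremental":           # everything since the last backup of any kind
            paths, kind = changed_since(day, last_any), "incremental"
        else:
            raise ValueError(model)
        snaps.append(Snapshot(day, kind, {p: version_at(p, day) for p in paths}))
        if kind == "full":
            last_full = day
        last_any = day
    return snaps


def restore_chain(snaps, day):
    """Backup sets that must be read, in order, to rebuild the state of `day`."""
    upto = [s for s in snaps if s.day <= day]
    full = max(i for i, s in enumerate(upto) if s.kind == "full")
    chain = [upto[full]]
    later = upto[full + 1:]
    if later and later[-1].kind == "differential":
        chain.append(later[-1])   # the newest differential already covers everything since the full
    else:
        chain.extend(later)       # incrementals: every set since the full is needed
    return chain


def restore(chain):
    """Replay the chain; later sets overwrite earlier versions."""
    state = {}
    for s in chain:
        state.update(s.files)
    return state


def copies(snaps):
    """Total number of file copies written by a schedule (a proxy for storage cost)."""
    return sum(len(s.files) for s in snaps)


if __name__ == "__main__":
    expected = {p: version_at(p, 4) for p in MTIMES}
    for model in ("full", "incremental", "differential"):
        snaps = run_schedule(model)
        chain = restore_chain(snaps, 4)
        assert restore(chain) == expected, model
        print(f"{model:12} copies={copies(snaps):2}  restore reads {len(chain)} set(s)")
```

Running it gives 20 copies and a one-set restore for daily full backups, 10 copies and a five-set restore for incrementals, and 13 copies and a two-set restore for differentials: full backups cost the most space, incrementals the least but a restore needs every set since the last full (and fails if any one of them is lost), and differentials sit in between. Whatever the model, the restore path should be exercised regularly; a backup that has never been restored is an assumption, not a control.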
AMANDA [1] (Advanced Maryland Automatic Network Disk Archiver): Amanda is an Open Source technology that lets IT administrators set up a single master backup server which backs up multiple nodes across the network; it scales to thousands of workstations and servers. Amanda is also available under a commercial licence from Zmanda [2], which offers cloud backup as well.
Bacula [3]: Bacula is an Open Source backup system that supports enterprise-scale, heterogeneous environments. It automates the complex process of backing up and, when needed, restoring data, and it supports several platforms. It stores the backup catalog in a real database such as MySQL, transfers backups over the standard TCP/IP stack and provides a user-friendly interface. Bacula is one of the most widely deployed Open Source backup solutions.
IBM Tivoli Storage Manager [4]: IBM Spectrum Protect, formerly known as Tivoli Storage Manager, is an enterprise data protection platform. It gives administrators a single point of control and provides reliable, policy-driven backups with fast recovery for cloud and on-premises environments. This product requires a proprietary licence.
The summary of the technologies that may be used is as follows. "Encryption Support" means the product can encrypt backups; it still has to be switched on, and the encryption keys must be stored separately from the backup media, otherwise a lost key makes every backup unrestorable.
Product                    | Encryption Support | Platform(s)                              | Current Stable Version | License                          | User Interface
AMANDA                     | Yes                | Linux, UNIX and Microsoft Windows        | 3.4.3                  | Open Source; Commercial (Zmanda) | Yes
Bacula                     | Yes                | Linux, UNIX, MacOS and Microsoft Windows | 7.4.7                  | Open Source; Enterprise Support  | Yes
IBM Tivoli Storage Manager | Yes                | Linux, MacOS and Microsoft Windows       | –                      | Proprietary                      | Yes
Authentication and Authorisation System: From a security point of view, the authentication and authorisation system is the most important component of any infrastructure.
Authentication establishes that a user is who s/he claims to be; for example, logging in to a system with a username and password, or connecting over SSH with the user's private key.
Protocols such as LDAP (Lightweight Directory Access Protocol) [5] provide a central authentication directory for all users across the platform. It may be integrated with cross-platform authentication systems to make the solution more robust and scalable.
Authorisation defines which resources an authenticated user may access. For example, not every user should be able to perform critical operations on a system or server, such as restarting the web service or changing the system's firewall rules. The authorisation system enforces such restrictions.
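Added example in Python (not FreeIPA's or any product's code): a minimal password-based authentication step, that is a salted PBKDF2 hash, a constant-time comparison and equal cost for unknown users, followed by a role-based authorisation check for the two operations mentioned above. The users, passwords, roles and the PBKDF2 iteration count are constructed for the example; a real deployment keeps this data in a directory such as LDAP rather than in a dictionary.

```python
"""Authentication (who are you?) versus authorisation (what may you do?).

Added example, not part of the original document. Users, passwords and the
role policy are constructed for illustration.
"""
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 work factor. Kept low so the example runs quickly;
# production deployments should use a considerably higher count.
ITERATIONS = 100_000
_DUMMY_SALT = bytes(16)


def hash_password(password, salt=b""):
    """Return (salt, digest) for storage; the password itself is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def make_user(password, roles):
    salt, digest = hash_password(password)
    return {"salt": salt, "hash": digest, "roles": list(roles)}


# Constructed user database: username -> record.
USERS = {
    "alice": make_user("correct horse battery staple", ["webadmin"]),
    "bob": make_user("hunter2", ["operator"]),
}

# Constructed authorisation policy: role -> set of (action, resource).
ROLES = {
    "webadmin": {("restart", "httpd"), ("read", "logs")},
    "netadmin": {("edit", "firewall")},
    "operator": {("read", "logs")},
}


def authenticate(username, password):
    """Authentication: does the caller hold this user's secret?"""
    record = USERS.get(username)
    if record is None:
        # Spend the same effort for an unknown user, so that response time
        # does not reveal which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), _DUMMY_SALT, ITERATIONS)
        return False
    _, candidate = hash_password(password, record["salt"])
    # Constant-time comparison: a plain == would leak how long the matching prefix is.
    return hmac.compare_digest(candidate, record["hash"])


def authorize(username, action, resource):
    """Authorisation: is an already-authenticated user allowed to do this?"""
    granted = set()
    for role in USERS[username]["roles"]:
        granted |= ROLES.get(role, set())
    return (action, resource) in granted


def request(username, password, action, resource):
    """Authenticate first, then authorise; never the other way round."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, action, resource):
        return f"denied: {username} may not {action} {resource}"
    return "allowed"


if __name__ == "__main__":
    print(request("alice", "correct horse battery staple", "restart", "httpd"))
    print(request("bob", "hunter2", "restart", "httpd"))
    print(request("bob", "wrong", "read", "logs"))
    print(request("mallory", "x", "read", "logs"))
```

The two checks are deliberately separate functions: authorisation only ever sees a username that authentication has already vouched for, and the failure message for a bad password is the same whether or not the user exists.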
There are several different solutions that may be used to achieve these goals; the one proposed here is:
FreeIPA [6]: FreeIPA is an Open Source implementation of a combined authentication and authorisation system. It bundles several individual components:
389 Directory Server.
MIT Kerberos.
NTP
DNS
Dogtag Certificate System
SSSD
FreeIPA client: The FreeIPA client enforces the policies from the central server on each client node. Policies may be configured through the web graphical user interface provided by the FreeIPA server, or automated with scripts built on the ipa command-line tool.
389 Directory Server holds the central identity store: all users and other computing resources (hosts and services) are authenticated against it.
MIT Kerberos provides the ticketing mechanism through which users and services authenticate to other computing resources in the infrastructure without sending their passwords over the network; which users may access which hosts and services is then controlled by FreeIPA's host-based access control (HBAC) rules.
DNS and NTP provide the Domain Name Service and Network Time Protocol respectively. Time synchronisation is not optional here: Kerberos tickets carry timestamps, and a clock skew of more than a few minutes between client and server makes authentication fail.
SSSD (System Security Services Daemon) runs on the client nodes and caches identity and authentication data locally, so that users can still log in when the client loses its connection to the central FreeIPA server or the server is down.
FreeIPA scales through multi-master replication between several servers. Its features may be extended by integrating it with other authentication systems, such as Active Directory, through a cross-realm trust.
Product | Platform                                                                        | Current Stable Version | License
FreeIPA | Linux; Microsoft Windows clients may use it through an Active Directory trust   | 4.5.0                  | Open Source, under the GPLv3 [7]
The Application Services: As the infrastructure grows, the services need to scale with it. The following services serve different purposes, such as serving web or media content, managing files centrally, or running the DNS/DHCP servers. The application architecture may be a three-tier architecture consisting of a frontend, a backend and a database: a request hits the frontend first and is forwarded to the backend application logic, where it is processed and the result is stored in the database. The infrastructure may contain the following components:
Web Server: The web server is one of the most important components of the infrastructure. There are many technical solutions, such as:
Apache HTTP Server [8]: Apache HTTP Server is one of the most widely used web servers in the world. It is a completely Open Source and mature solution that may be used in any architecture. To deal with heavy load, the incoming traffic may be load-balanced across multiple Apache HTTP servers, and the fleet may be scaled horizontally by adding further replica servers.
The following figure depicts one possible architecture for scalable web services. The traffic is divided among multiple Apache servers, and the fleet of web servers may be scaled horizontally up and down on demand.
Auto-scaling of the web servers may be provided by the cloud provider when public cloud platforms are used.
Figure: 01, The Apache HTTP Server architecture.
The number of servers behind the load balancer depends on the volume of incoming traffic and may be increased or decreased on demand.
The Apache HTTP Server supports SSL/TLS for handling encrypted incoming traffic. This mitigates man-in-the-middle (MITM) attacks by establishing an authenticated, encrypted channel between client and server; the server certificate must be issued by a CA the clients trust, otherwise clients cannot tell the real server from an impostor.
Load Balancing: For load balancing we may use HAProxy [9], which supports load balancing of both TCP and HTTP traffic. It can be scaled further by running multiple HAProxy instances. It supports several load-balancing algorithms, such as round-robin and least connections; the choice depends on the application requirements. If HAProxy terminates TLS, the traffic between the load balancer and the web servers should still be encrypted, otherwise the internal segment becomes the place where an MITM attack is mounted.
DNS (Domain Name Service): The Domain Name Service is an important part of the infrastructure. It provides an easy way to reach resources through user-friendly names rather than IP addresses.
BIND [10]: Berkeley Internet Name Domain is the Open Source de-facto standard DNS server and the most widely used name server on the Internet. It is maintained by ISC, which also provides a separate DHCP server. BIND runs on many platforms, including Linux, BSD and Windows.
DHCP (Dynamic Host Configuration Protocol): The DHCP service dynamically allocates IP addresses on a local network. Whenever a new host joins the network, it is assigned a local IP address. There are many solutions for this as well; one widely used solution is:
Dnsmasq [11]: Dnsmasq is an Open Source DNS forwarder and DHCP server that runs on many different Operating System platforms. It may be easily integrated with the existing DNS service, which gives more flexibility in the network infrastructure.
Product            | Platform                        | Current Stable Version | License
Apache HTTP Server | Linux, Windows, UNIX            | 2.4.x                  | Open Source
HAProxy            | Linux and UNIX                  | 1.7.3                  | Open Source
BIND               | Linux, UNIX, and Windows        | 9.10.4                 | Open Source
Dnsmasq            | Linux, UNIX, Android and Mac OS | 2.76                   | Open Source
Hardening the Servers: Server hardening is the process of securing a server before it goes into production. It comprises many steps, from hardware security, through Operating System security, to application-level security.
In the case of hardware hardening, we ensure that the physical server is secure on the network: proper authentication and authorisation are in place for the management interfaces, the default credentials have been changed or revoked, the server is located in a physically secure place, and all known vulnerabilities in the server hardware and its supporting sub-systems (including firmware) are patched.
In the case of Operating System hardening, we remove all unnecessary device drivers, services and user-space applications and replace the default settings with custom ones, because an attacker may exploit a vulnerability in an unrelated sub-system and then escalate privileges towards the target service. Several standards exist for this purpose; the one followed here comes from NIST [12], which publishes configuration checklists [13] that any organisation may adopt.
Apart from these, if the infrastructure runs on a public/private cloud, we may create a hardened base image of the Operating System and use it when launching new instances/nodes. The benefit is that the common services are hardened once and the snapshot of those changes is reused across the rest of the infrastructure. On a public cloud platform, hardware hardening is out of our hands because the hardware is managed by the cloud provider; it remains our responsibility to rebuild and re-harden the base image whenever patches are released, otherwise every new instance starts out vulnerable.
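A checklist is only useful if the running configuration is actually compared against it. The following Python script is an added example (it is not from this document nor from any NIST checklist) that audits the global section of an sshd_config against a constructed subset of commonly recommended settings. It respects two sshd behaviours that hand-inspection often misses: for each keyword sshd uses the first value it reads, and every directive after a Match line applies only inside that Match block. The built-in defaults assumed for absent keywords are those of OpenSSH 7.x; the sample configurations are made up.

```python
"""Audit sshd_config against a hardening baseline.

Added example, not part of the original document. BASELINE is a constructed
subset of common recommendations; the defaults are OpenSSH 7.x built-ins.
"""
import re

# keyword (lower-case) -> (check on the effective value, sshd default if absent, expectation)
BASELINE = {
    "permitrootlogin": (lambda v: v in ("no", "prohibit-password"), "prohibit-password", "no or prohibit-password"),
    "passwordauthentication": (lambda v: v == "no", "yes", "no"),
    "permitemptypasswords": (lambda v: v == "no", "no", "no"),
    "x11forwarding": (lambda v: v == "no", "no", "no"),
    "maxauthtries": (lambda v: v.isdigit() and int(v) <= 4, "6", "4 or fewer"),
}


def parse_global(config_text):
    """Effective global settings: first occurrence wins, Match blocks are skipped."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()                    # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break                                  # everything after this is conditional
        settings.setdefault(key, value)            # sshd keeps the FIRST value it sees
    return settings


def audit(config_text):
    """Return (keyword, effective value, expectation) for every failed check."""
    settings = parse_global(config_text)
    findings = []
    for key, (check, default, expectation) in BASELINE.items():
        effective = settings.get(key, default).lower()
        if not check(effective):
            findings.append((key, effective, expectation))
    return findings


# Constructed configuration that looks hardened at a glance but is not.
SAMPLE_CONFIG = """\
Port 22
PasswordAuthentication yes
PasswordAuthentication no      # ignored: sshd already took the first value
PermitRootLogin yes
MaxAuthTries 10
Match User deploy
    PasswordAuthentication no
PermitRootLogin no             # still inside the Match block, not global
"""

# Constructed configuration that passes every check (absent keys fall back to safe defaults).
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
"""

if __name__ == "__main__":
    for key, value, expectation in audit(SAMPLE_CONFIG):
        print(f"FAIL {key}={value!r} (expected {expectation})")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

On the sample configuration the audit reports PermitRootLogin, PasswordAuthentication and MaxAuthTries as failing, even though the file contains "PermitRootLogin no" and "PasswordAuthentication no": the first is inside the Match block and the second is shadowed by the earlier "yes". The same first-value rule means a hardening line appended to the end of an existing file may silently do nothing.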
Network Security: Network security is a complicated, challenging and important domain. The network provides the routes for legitimate traffic as well as for the attacker. To secure the network, we need to put different security systems in different places, such as a proxy server for all outbound connections from the services in the internal subnet, intrusion detection/prevention systems, and firewalls.
Intrusion Detection/Prevention Systems: When malicious activity takes place inside the infrastructure, the first thing is to identify it in time, because a problem cannot be solved until we know there is one. To keep an eye on suspicious activity we need to put IDS systems in place. IDS systems are divided into two categories:
Host-based Intrusion Detection Systems (HIDS), which monitor the internals of a node (the operating system and user programs).
Network-based Intrusion Detection Systems (NIDS), which sniff packets on the network and look for suspicious activity.
OSSEC [14]: OSSEC is a HIDS. It watches events happening inside the system, for example a process or user trying to change the content of a critical file (file integrity monitoring), and it analyses system logs. It supports an alerting mechanism that sends alerts to the responsible parties when suspicious activity is detected. OSSEC supports a distributed architecture: the OSSEC server is deployed at a central location and the OSSEC agents on all nodes send their data to it; the server can optionally store its alerts in a database backend. The architecture for OSSEC is shown in the following Figure:
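The file-integrity side of what OSSEC's syscheck does, as an added Python example (this is not OSSEC's code): baseline a directory tree, rescan it, and alert on added, removed and modified files. The directory, the file names and the tampering steps are constructed in a temporary location so the script runs stand-alone.

```python
"""File integrity monitoring in the style of OSSEC's syscheck.

Added example, not OSSEC's own code. The tree, files and tampering in demo()
are constructed in a temporary directory for the demonstration.
"""
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root):
    """Baseline every regular file under root, keyed by path relative to root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue              # symlink targets are checked where they live
            st = os.stat(full)
            baseline[os.path.relpath(full, root)] = {
                "sha256": sha256_of(full),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,   # permission/setuid bits are part of integrity
            }
    return baseline


def compare(old, new):
    """Return the differences between two scans as an OSSEC-like alert list."""
    alerts = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            alerts.append(("added", path))
        elif path not in new:
            alerts.append(("removed", path))
        elif old[path] != new[path]:
            what = [k for k in old[path] if old[path][k] != new[path][k]]
            alerts.append(("modified", path, ",".join(what)))
    return alerts


def demo():
    """Create a tree, baseline it, tamper with it, and return the alerts."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(os.path.join(root, "etc", "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        baseline = scan(root)
        # The baseline must live where the attacker cannot edit it; OSSEC keeps
        # it on the central server rather than on the monitored host.
        saved = json.dumps(baseline)
        # Tamper: add a uid-0 user, delete a file, plant a preload library entry.
        with open(os.path.join(root, "etc", "passwd"), "a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        os.remove(os.path.join(root, "etc", "hosts"))
        with open(os.path.join(root, "etc", "ld.so.preload"), "w") as f:
            f.write("/tmp/evil.so\n")
        return compare(json.loads(saved), scan(root))


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The scan records the permission bits as well as the hash, so a chmod to setuid on an unchanged binary is still reported. In a real deployment the baseline is taken from a known-good image before the host is exposed, and the comparison runs on the server side, so that an intruder who has root on the host cannot simply rewrite the baseline to match.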
Snort [15]: Snort is a NIDS which may be used to inspect the traffic on nodes directly connected to the public network. Rules define the basis on which Snort takes its decisions. Snort is a highly scalable solution that handles a large volume of traffic, and it is very useful for identifying attack scenarios such as DoS attacks. Snort may also be used as an Intrusion Prevention System (inline mode), where one defines what to do in a specific situation: alert the responsible person, or take a predefined action such as dropping the packet.
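Two rule types that cover the cases just mentioned, as an added Python example (this is not Snort's code or rule syntax): a content rule that matches a payload string on port 80, and a rule in the spirit of Snort's "threshold, track by_src" that fires when one source sends more than a given number of TCP SYNs within a time window, which is the signature of a SYN-flood DoS attack. The packet records, addresses and timings are constructed; there is no capture or network access.

```python
"""Two Snort-style detections over constructed packet records.

Added example, not Snort's code. constructed_traffic() builds a small,
made-up packet list mixing a legitimate client, one traversal attempt and a
SYN flood.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float            # seconds since capture start
    src: str
    dport: int
    flags: str           # TCP flags, e.g. "S" for SYN, "PA" for PSH+ACK
    payload: bytes = b""


def content_rule(packets, dport=80, needle=b"/etc/passwd"):
    """Roughly: alert tcp any any -> any 80 (content:"/etc/passwd";)"""
    return [(p.ts, p.src, "path traversal attempt")
            for p in packets if p.dport == dport and needle in p.payload]


def syn_flood_rule(packets, count=20, seconds=1.0):
    """Alert once per `count` SYNs from the same source inside a sliding window."""
    recent = defaultdict(deque)      # src -> timestamps of SYNs still in the window
    alerts = []
    for p in packets:
        if "S" not in p.flags or "A" in p.flags:
            continue                  # only initial SYNs, not SYN-ACK replies
        q = recent[p.src]
        q.append(p.ts)
        while q and q[0] <= p.ts - seconds:
            q.popleft()               # forget SYNs older than the window
        if len(q) >= count:
            alerts.append((p.ts, p.src, f"{count} SYNs in {seconds}s"))
            q.clear()                 # start counting the next burst afresh
    return alerts


def constructed_traffic():
    """Made-up traffic: legitimate client, one attack request, one SYN flood."""
    pkts = []
    # A legitimate client opening five connections over five seconds.
    pkts += [Packet(float(t), "192.0.2.10", 80, "S") for t in range(5)]
    pkts.append(Packet(0.5, "192.0.2.10", 80, "PA", b"GET /index.html HTTP/1.1\r\n"))
    # A traversal attempt from another host.
    pkts.append(Packet(1.5, "198.51.100.7", 80, "PA", b"GET /../../etc/passwd HTTP/1.1\r\n"))
    # A SYN flood: 45 SYNs from one host, 20 ms apart, never completing a handshake.
    pkts += [Packet(round(i * 0.02, 3), "10.0.0.5", 80, "S") for i in range(45)]
    return sorted(pkts, key=lambda p: p.ts)


if __name__ == "__main__":
    traffic = constructed_traffic()
    for alert in content_rule(traffic) + syn_flood_rule(traffic):
        print(alert)
```

With the constructed traffic the content rule fires once (for 198.51.100.7) and the SYN-flood rule fires twice for 10.0.0.5, at the 20th and 40th SYN, while the legitimate client's five SYNs spread over five seconds never reach the threshold. The threshold values are the knob that trades false positives against detection delay, and they have to be tuned per network: the 20-per-second figure here is illustrative only.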
All the data from OSSEC and Snort may be kept in the same place. There are many frontends to these services that provide easier management via web-based user interfaces. Since these interfaces are reachable over the network, they should be integrated with the existing authentication and authorisation services and restricted to the management network rather than exposed to everyone.
Firewalls: Firewalls are an important part of the network infrastructure: they are its gatekeepers. Many types of firewall are available, but there are two major categories: hardware and software firewalls.
Hardware firewalls consist of dedicated, optimised hardware for packet filtering. They are costly, so it is not practical to use them everywhere; they are mainly deployed at the network perimeter and around the DMZ. Many vendors provide hardware firewalls, mainly Cisco, Juniper, Fortinet, etc.
Software firewalls are computer programs that filter packets and take the appropriate decisions. They mainly reside inside the Operating System. Netfilter [16] is the packet-filtering framework inside the Linux kernel, configured through the iptables (and, more recently, nftables) user-space tools.
Software firewalls are far cheaper than their hardware counterparts: they run on cheap commodity hardware, whereas hardware firewalls are vendor-specific. Software firewalls are used on every system inside the infrastructure, with a default-deny inbound policy that admits only the ports the host actually serves.
Product            | Platform             | Current Stable Version | License
OSSEC              | Linux, Windows, UNIX | 2.8.3                  | Open Source
Snort              | Linux and UNIX       | 2.9.9.0                | Open Source
Netfilter/iptables | Linux                | 1.6.0                  | Open Source
References:
[1] AMANDA (Advanced Maryland Automatic Network Disk Archiver). http://www.amanda.org/
[2] Zmanda. http://www.zmanda.com/
[3] Bacula. http://blog.bacula.org
[4] IBM Spectrum Protect. http://www-03.ibm.com/software/products/en/spectrum-protect
[5] Lightweight Directory Access Protocol. https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol
[6] FreeIPA. https://www.freeipa.org/
[7] FreeIPA License. https://www.freeipa.org/page/License
[8] Apache HTTP Server. http://httpd.apache.org/
[9] HAProxy Load Balancer. http://www.haproxy.org
[10] Berkeley Internet Name Domain (BIND). https://www.isc.org/downloads/bind
[11] Dnsmasq. http://www.thekelleys.org.uk/dnsmasq/doc.html
[12] NIST. http://csrc.nist.gov
[13] NIST checklists. http://csrc.nist.gov/groups/SNS/checklists/
[14] OSSEC. https://ossec.github.io/index.html
[15] Snort. https://www.snort.org/
[16] Netfilter. https://netfilter.org/