ITT420 - Chapter 11 Configuration Management & Security

Uploaded by

nurul najwa

Configuration Management
• Configuration management is the administration of state in hosts or network hardware
• Host state is configured by a variety of methods:
• Configuration text file
• XML file
• Database format (e.g. registry)
• Transmitted protocol (ASN.1, Abstract Syntax Notation One)
Configuration Maintenance
“Maintenance is configuration in the face of creeping decay”
“Systems tend to a state of disorder unless a disciplined policy is maintained, because they are exposed to random noise through contact with users”
System Configuration Policy
• Apart from analysis of networks, policies, practices & procedures must be in place
• Policy → a clear expression of goals & responses; it prepares a site for future trouble & documents intent and procedure
• Policies enable everyone to know how to respond to ‘situations’ which can arise
• Policies must include issues at network, host and user levels
System Configuration Policy
Change Management
• Management of significant changes, e.g. upgrades, redesign & replacement, is the other side of configuration management
• Planned changes to infrastructure can be handled by:
• Deconstruction followed by reconstruction
• Change of the policy description followed by convergence to a new state
• In practice, change management increasingly amounts to a reconstruction of infrastructure
• When making changes, one must not forget the issue of service provision & reliability
Change Management
• Change management can be viewed as a problem in risk or fault management
• It is crucial to secure the system during change; if something goes wrong during a change, the service must continue
Policies Standards
Human Computer Job Scheduling
• Scheduling of work, both human and automatic, can
play an important role in the smooth functioning of a
human-computer system
• The ability for an administration system to execute
jobs at predetermined times lies at the heart of
keeping control over a changing, dynamic system
• Unix has a time daemon called cron: its
chronometer
• Cron reads a configuration file called a crontab file
which contains a list of shell-commands to execute at
regular time intervals
Human Computer Job Scheduling

• Crontab options
• -e → create, edit
• -l → list
• Format
Minutes  hours  day   month  weekday  Shellcmd
0-59     0-23   1-31  1-12   Mon-Sun
• E.g.
15 3 * * Mon-Fri /etc/script
• “*” = any (wildcard)
http://adminschoice.com/crontab-quick-reference
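As an added example (not part of the lecture slides), the following checker parses a crontab line in the five-field format shown above, including the slide's own `15 3 * * Mon-Fri /etc/script`, and decides whether it would fire at a given time. The timestamps used for the demonstration are constructed, and the day-of-month/day-of-week handling is simplified as noted in the comments.

```python
# Added example (not from the lecture slides): parse one crontab line in the
# five-field format above and decide whether it fires at a given time.
# Handles "*", single values, ranges (1-5), lists (1,15), steps (*/10) and
# weekday/month names (Mon-Fri, Jan). Simplification: day-of-month and
# day-of-week must both match (Vixie cron ORs them when both are restricted).
from datetime import datetime

DAYS = ["sun", "mon", "tue", "wed", "thu", "fri", "sat"]   # cron: 0 (or 7) = Sunday
MONTHS = ["jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"]         # cron: 1 = January

# (lowest value, highest value, name table or None) for minute, hour, dom, month, dow
FIELD_SPECS = [(0, 59, None), (0, 23, None), (1, 31, None), (1, 12, MONTHS), (0, 7, DAYS)]


def _atom(text, spec):
    """Convert one atom such as '3', 'mon' or 'jan' into its integer value."""
    lo, hi, names = spec
    if names and text.lower() in names:
        return names.index(text.lower()) + (1 if names is MONTHS else 0)
    value = int(text)
    if not lo <= value <= hi:
        raise ValueError("value %d out of range %d-%d" % (value, lo, hi))
    return value


def parse_field(field, spec):
    """Expand one crontab field into the set of integers it matches."""
    lo, hi, names = spec
    matches = set()
    for item in field.split(","):
        step = 1
        if "/" in item:
            item, step_text = item.split("/", 1)
            step = int(step_text)
        if item == "*":
            start, end = lo, hi
        elif "-" in item:
            start_text, end_text = item.split("-", 1)
            start, end = _atom(start_text, spec), _atom(end_text, spec)
        else:
            start = _atom(item, spec)
            end = hi if step > 1 else start          # "5/10" means 5, 15, 25, ...
        matches.update(range(start, end + 1, step))
    if names is DAYS:
        matches = {d % 7 for d in matches}           # fold 7 (Sunday) onto 0
    return matches


def parse_crontab_line(line):
    """Split 'min hour dom month dow command' into five match sets and the command."""
    parts = line.split(None, 5)
    if len(parts) < 6:
        raise ValueError("a crontab line needs five time fields and a command")
    fields = [parse_field(p, s) for p, s in zip(parts[:5], FIELD_SPECS)]
    return fields, parts[5]


def fires_at(line, when):
    """True if the crontab line would run at datetime 'when' (minute precision)."""
    (minutes, hours, doms, months, dows), _ = parse_crontab_line(line)
    cron_dow = (when.weekday() + 1) % 7   # Python Monday=0 ... -> cron Sunday=0 ...
    return (when.minute in minutes and when.hour in hours and when.day in doms
            and when.month in months and cron_dow in dows)


def fires_at_iso(line, iso_timestamp):
    """Same check from an ISO-8601 string such as '2024-01-08T03:15'."""
    return fires_at(line, datetime.fromisoformat(iso_timestamp))


if __name__ == "__main__":
    entry = "15 3 * * Mon-Fri /etc/script"        # the schedule from the slide
    for stamp in ("2024-01-08T03:15", "2024-01-06T03:15"):   # a Monday, a Saturday
        print(stamp, "->", fires_at_iso(entry, stamp))
```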
Human Computer Job Scheduling

• Windows schedule service: similar to cron
• at host time command
• e.g.:
• at 3:00pm /next:Friday,13 C:\site\host\local\myscript
• Sysadmins should strategise scheduling efficiently


Automation of Host Configuration
• Tools for automation:
• Tivoli
• http://www.tivoli.com/
• HP OpenView
• http://www.openview.hp.com/
• Sun’s Solstice
• http://wwws.sun.com/software/solstice/sem/
• Host Factory
• http://ceu.fi.udc.es/sal/g/0/host_factory.html
Automation of Host Configuration
• Monitoring → feeding a graphical representation of the system to a human in order to provide an executive summary of its state
Automation of Host Configuration
• Monitoring tools:
• SNMP tools (MRTG, RRDTool, Cricket)
• Etherfind
• Snoop
• Tcpdump
• Bro
• Network Flight Recorder
• SWATCH
Preventive Maintenance
• Policy Decisions
• Determine the system policy
• Know what is right and wrong, and know how to respond to a crisis
• Sysadmin team agreement
• The team needs to work together and must agree on the policy and enforce it
• Expect the worst
• Be prepared for system failure and for rules to be broken
• Educate users in good and bad practice
• Most users are not evil, just uninformed
• Special users
• Some users require special attention, extra resources or special assistance
Preventive Maintenance
• General provisions
• Don’t rely on vendors
• Keep valuable information about configuration
securely, but readily available
• Document all changes
• Don’t make changes before going on holiday
• Be aware of system limitations
• Work defensively
• If it ain’t broke, don’t fix it
• Duplication of data for a fallback in a crisis
Preventive Maintenance
• Garbage collection → disk file and process maintenance
• Disk tidying
• Users are not aware that they are building up junk files.
• Junk files are often a by-product of running a particular program
• Ordinary users do not understand all the files which they accumulate, and are therefore afraid to remove them
• Process management
• Processes or running programs do not always complete on time.
• Some buggy processes run amok and consume CPU cycles by executing infinite loops; others simply hang and fail to disappear.
Simple Network Management
Protocol
• Dominant protocol in network management.
• Designed to be small and simple enough to run even on bridges or printers
• Designed to be an easily implemented, basic network management tool that could be used to meet network management needs.
• Model: Manager & Agent
SNMP
• Agent
• is a program which communicates with the
Manager on one side and with Device or
Application on the other side.
• It forms a part of the Device or Application so
that it can know everything about the Device or
Application regularly.
• Manager
• as an entity managing one or more agents from a
remote place.
Cfengine
• An environment for turning system policy into automated action.
• High-level language – higher than Perl or shell.
• A robot for interpreting your programs and implementing them.
• General tools for structuring, organizing and maintaining information systems on a network.
Basic Diagnostics
Basic Diagnostics
IOS                                  JUNOS
ping <address>                       ping <address>
show mac-address-table | [string]    show ethernet-switching table | [string]
show arp                             show arp | [string]
traceroute [address]                 traceroute [address]
show ip route [address]              show route [address]
debug [string]                       debug [string]

Basic Diagnostics
WINDOWS                         UNIX / LINUX
ping [address]                  ping [address]
hostname                        hostname
ipconfig                        ifconfig
nslookup                        nslookup
netstat [option]                netstat [option]
tracert [option]                traceroute [option]
arp [option]                    arp [option]
telnet [address] [tcp port]     telnet [address] [tcp port]

ARP
• Displaying ARP cache
• Command : arp
ARP
• Options available for arp :
ifconfig
• Listing Available Interfaces
• To display all system interfaces, use the
ifconfig -a command:

• On Solaris:
ifconfig
• On Linux
ifconfig
• For each interface, the display includes the following fields:
• Link encap: the link encapsulation protocol that the interface uses when transmitting data link frames. Supported types include Ethernet, Local Loopback, and Point-to-Point Protocol.
• HWaddr: the data link address for the encapsulation protocol. Ethernet uses hexadecimal notation, such as in the entry for the eth0 interface: 00:10:5A:28:5D:7C.
• inet addr: the IP address associated with this interface.
• Bcast: the network layer broadcast address.
• Mask: the subnet mask address.
ifconfig
• With ifconfig, it is possible to disable an active interface
or enable a disabled interface while the system is running.
ifconfig
• Using ifconfig, the following important
information can be changed for an interface:
• IP address
• Network mask
• Broadcast address
• Data link address
• MTU
netstat
• Short for “network status”; provides a wealth of information about the present status of network connections, routing information, and other important network-related data
• Used for monitoring, and is one of the most popular debugging aids available on UNIX/Linux (Windows too)
• Different command line options control the display behavior of
netstat.
• The functionality can be divided into a number of categories and
used to accomplish the following:
• List active network sessions
• Show interface information and statistics
• Display routing table information
netstat
• Options for netstat:
netstat
• Sample of netstat in Linux:
netstat
• By scanning the output of netstat, the network
administrator can easily notice any service that
shouldn’t be running
• E.g. many organizations consider the finger
facility to be a security risk because it can provide
user account information to anyone requesting it
• Once detected with netstat, the finger service can
be disabled by modifying the /etc/inetd.conf
(Solaris) or /etc/xinetd.conf (Linux) network
configuration file.
netstat
• An extremely useful feature of netstat on Linux is the -p option, which shows the process or program name that opened each port.
# netstat -t -p -a
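To make the "notice any service that shouldn't be running" check above concrete, here is an added example (not from the lecture slides) that parses Linux `netstat -t -p -a` output and flags listening TCP services outside a site allowlist. The netstat text, the allowlist and the port-name table are constructed for the demonstration; the finger listener on port 79 mirrors the slide's own example.

```python
# Added example (not from the lecture slides): parse "netstat -t -p -a" output
# from a Linux host and flag listening TCP services that are not on the site's
# allowlist, the way the slides suggest spotting finger. SAMPLE_NETSTAT is
# constructed sample output, not a real capture.

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:79              0.0.0.0:*               LISTEN      655/inetd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/sendmail
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      -
tcp        0      0 192.168.1.10:22         192.168.1.50:51234      ESTABLISHED 1502/sshd: admin
"""

# Well-known port names (a small subset of /etc/services) used to label findings.
SERVICE_NAMES = {22: "ssh", 25: "smtp", 79: "finger", 6667: "irc"}


def parse_netstat(text):
    """Return one dict per TCP socket line in netstat -t -p -a output."""
    sockets = []
    for line in text.splitlines():
        if not line.startswith("tcp"):
            continue                     # skips the two header lines
        # maxsplit=6 keeps a program name containing spaces ("sshd: admin") intact
        parts = line.split(None, 6)
        if len(parts) < 6:
            continue
        proto, _recvq, _sendq, local, foreign, state = parts[:6]
        program = parts[6] if len(parts) > 6 else "-"
        addr, port = local.rsplit(":", 1)
        sockets.append({"proto": proto, "addr": addr, "port": int(port),
                        "foreign": foreign, "state": state, "program": program})
    return sockets


def audit_listeners(text, allowed_ports):
    """Flag LISTEN sockets whose port is not allowed, or whose owner is not visible.

    A '-' in the PID/Program column usually means netstat was run without the
    privilege needed to read the owning process, so that case is reported
    instead of being silently trusted.
    """
    findings = []
    for sock in parse_netstat(text):
        if sock["state"] != "LISTEN":
            continue
        name = SERVICE_NAMES.get(sock["port"], "unknown")
        if sock["port"] not in allowed_ports:
            findings.append((sock["port"], name, sock["program"],
                             "service not in site allowlist"))
        elif sock["program"] == "-":
            findings.append((sock["port"], name, sock["program"],
                             "owning process not visible; rerun as root"))
    return findings


if __name__ == "__main__":
    for port, name, program, reason in audit_listeners(SAMPLE_NETSTAT, {22, 25}):
        print("port %-5d %-8s %-14s %s" % (port, name, program, reason))
```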
netstat
• One of the primary ways to examine routing table is
with the -r option:

In this example, the routing table includes a destination network, gateway (or
router), network mask, some status flags, two size fields, a metric value, and the
interface with which the route is associated.
netstat
• The netstat command can be used to display protocol statistics.
• The supported protocols include TCP, UDP, and RAW.
• RAW is a combination of both IP and ICMP packets
ping
• used to determine general availability of any TCP/IP device.
E.g.:
ping
• On Linux, use the -c command-line option with an
argument of 1 and the ping command will issue a
single request to rubens:
# ping -c 1 rubens
ping
• This network diagram shows several devices attached to two different networks that are interconnected via Router Z.
• When a ping request is issued from node B on network A to node C on network B, the request is passed via router Z. If router Z should stop functioning, the requests will never reach node C.
• As a result, node C becomes unreachable from the perspective of node B.
Advanced Network Tools
• tcpdump - a general-purpose network traffic
monitor that can capture and display packets
and their contents
• traceroute - command to show network
connectivity
tcpdump
• Used as a protocol analyzer, providing one of the best ways to investigate communication and/or connectivity problems among systems and networking devices
• The packets scanned will be displayed with information in either a short or long format, depending on the command-line options used
• Has a very powerful filtering mechanism that can search for packets that match a specific string or criteria
tcpdump
tcpdump
• Two primary capture modes:
• Promiscuous - every packet transmitted on the network is captured
• Nonpromiscuous - only broadcast frames and frames addressed to the local system will be available to the interface
• tcpdump can produce a significant amount of output, so the quiet option (-q) is often used
• The format of the output will include a timestamp, source and destination hosts (or addresses), the high-level network protocol, some flags, and additional protocol information
tcpdump
• The output also includes a summary of the number of packets obtained before the user terminated the command.
• The end of the output includes a count of the number of packets captured and the number of packets that were dropped
• The tcpdump tool provides a large number of command-line options to select capture modes, control output, specify filter expressions, and set additional operating characteristics
tcpdump
• These options are grouped according to their
function and include the following categories:
• Operating modes - to control how tcpdump will capture
and display network traffic
• Display options - control how tcpdump will display
packets from the network
• Packet filter options - predefined pattern that is compared
to incoming packets and consists of a series of one or
more primitives that may be combined with operators
such as and, or, and not
tcpdump
Operating modes:
Option   Description
-c       Captures the specified number of packets and then quits
-F       Uses a file as the source for the filter expression
-i       Captures packets using an alternate network interface
-p       Disables capturing in promiscuous mode
-r       Reads a capture file instead of the network interface
-w       Saves raw packets to a file
tcpdump
To capture ten packets from the eth1 interface:
# tcpdump -c 10 -i eth1
tcpdump
Display options
Option   Description
-e       Prints link-level header information on each line
-v       Specifies verbose mode
-q       Specifies quick mode, displays short packet information
-t       Disables printing of the timestamp
-s       Limits the size of packets captured
-x       Displays both hexadecimal and ASCII format
tcpdump
• A sample of command and output that shows a file
transfer session using FTP and ARP broadcasts
tcpdump
• Packet Filter
• Normally, network packets are read from the network interface by the associated driver on behalf of the kernel. Next, tcpdump requests the information from the kernel using system calls. The tcpdump tool provides a large number of predefined expressions or primitives that can be used to build very powerful packet filters.
tcpdump
• to display all packets that are greater than 56
bytes:
# tcpdump greater 56
• To display all packets that are less than 60
bytes:
# tcpdump -x less 60
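The following is an added example (not from the lecture slides, and not tcpdump's own code) that evaluates a small subset of the tcpdump filter language over constructed packet records, so the way `greater`/`less`, `host`, `port` and the protocol primitives combine with `and`, `or` and `not` can be tried offline. The packet records and addresses are constructed samples.

```python
# Added example (not from the lecture slides): a small evaluator for tcpdump-style
# filter expressions, showing how primitives such as host, port, greater and less
# combine with and / or / not. It covers a subset of the real filter language only;
# the packet records below are constructed samples, not captured traffic.
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.9", "sport": 40001, "dport": 21, "length": 74},
    {"proto": "tcp", "src": "10.0.0.9", "dst": "10.0.0.5", "sport": 21, "dport": 40001, "length": 1514},
    {"proto": "arp", "src": "10.0.0.5", "dst": "10.0.0.255", "sport": None, "dport": None, "length": 42},
    {"proto": "udp", "src": "10.0.0.5", "dst": "10.0.0.1", "sport": 53123, "dport": 53, "length": 60},
]
PROTOCOLS = {"tcp", "udp", "icmp", "arp"}


class FilterParser:
    """Recursive descent over: expr = term ('or' term)*; term = factor ('and' factor)*;
    factor = 'not' factor | '(' expr ')' | primitive.  parse() returns a predicate."""
    def __init__(self, expression):
        self.tokens = expression.replace("(", " ( ").replace(")", " ) ").split()
        self.pos = 0
    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None
    def take(self):
        token = self.peek()
        if token is None:
            raise ValueError("unexpected end of filter expression")
        self.pos += 1
        return token
    def parse(self):
        predicate = self.expr()
        if self.peek() is not None:
            raise ValueError("trailing token %r" % self.peek())
        return predicate
    def expr(self):
        left = self.term()
        while self.peek() == "or":
            self.take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self.term())
        return left
    def term(self):
        left = self.factor()
        while self.peek() == "and":
            self.take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self.factor())
        return left
    def factor(self):
        token = self.take()
        if token == "not":
            inner = self.factor()
            return lambda p: not inner(p)
        if token == "(":
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return inner
        return self.primitive(token)
    def primitive(self, token):
        if token in PROTOCOLS:                       # tcp, udp, icmp, arp
            return lambda p: p["proto"] == token
        if token in ("src", "dst"):                  # "src host A" / "dst port N"
            kind, value = self.take(), self.take()
            if kind == "host":
                return lambda p: p[token] == value
            if kind == "port":
                return lambda p: p[token[0] + "port"] == int(value)   # sport / dport
            raise ValueError("unknown qualifier %r" % kind)
        if token == "host":                          # matches either direction
            value = self.take()
            return lambda p: value in (p["src"], p["dst"])
        if token == "port":
            port = int(self.take())
            return lambda p: port in (p["sport"], p["dport"])
        if token in ("greater", "less"):             # pcap-filter: len >= N / len <= N
            size = int(self.take())
            return lambda p: p["length"] >= size if token == "greater" else p["length"] <= size
        raise ValueError("unknown primitive %r" % token)


def apply_filter(expression, packets):
    """Return the packets selected by a tcpdump-style filter expression."""
    predicate = FilterParser(expression).parse()
    return [p for p in packets if predicate(p)]


if __name__ == "__main__":
    print([len(apply_filter(e, PACKETS)) for e in ("greater 56", "less 60", "tcp and port 21", "not arp")])
```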
traceroute
• examines and records the path to a specified network
destination.
• uses the Time-To-Live (TTL) field contained within an IP
packet and attempts to obtain an ICMP TIME_EXCEEDED
message from each host along the route to the destination
• coupled with an attempt to attach to the destination at an
unreachable port, it will cause a systematic response from
every router along the path to the ultimate destination
traceroute
• to display the IP path between the local system running
traceroute and the destination system called Vermeer:

• The first packet sent is an ICMP request packet with the TTL
field set to 1. With IP, any packet that reaches the router
decrements the TTL by 1, which makes it 0.
traceroute
• When a router gets a packet and the TTL is 0, it is supposed to discard the packet and notify the sender. This forces the router to respond with a TIME_EXCEEDED message back to monet. After this happens, traceroute measures the amount of time between when it sent the packet and when it obtained the reply. This is known as the round-trip time, or RTT, and is displayed in milliseconds (1,000th of a second) as shown after the hostname and IP address information. This implies that the RTT of the first series of probe packets took 4.25 milliseconds (or .004 seconds), and the third series took 2.89 milliseconds (or .028 seconds).
traceroute
• The second line details the second routing hop and shows that traceroute reached the destination system vermeer with slower RTT times than the first. When the second probe was sent, the router decremented the TTL, and then passed this packet to vermeer. Because traceroute is attempting to access an unused port, vermeer responds with the PORT UNREACHABLE error. In fact, as a general rule on large (and sometimes small) networks, performance between systems and networks can (and will) vary a significant amount even from one moment to the next.
Conclusion
Security
• Security is freedom from risk or danger; safety
• Security is about protecting things of value to any party in relation to the possible risks, incl. material & intellectual assets
• Security is a huge and increasingly important problem because computer systems are getting more and more complex
• The number of attacks & break-ins into computer systems keeps increasing every year
Introduction
• Anything that can cause a failure that would then result in
loss is considered a threat
• A risk is the likelihood of a threat successfully exploiting a
vulnerability and the estimated cost (or potential damage)
both in the short and long term you may incur as a result.
• Things to protect (the list keeps growing):
• Integrity
• Confidentiality/Privacy
• Availability
• Reliability
Introduction
• Risk is the possibility of suffering harm or losses;
danger
• Suffering harm or losses from:
• Access to data
• integrity of data
• availability of services
• reputation
• monetary loss due to any of the above
• monetary loss due to physical items of actual value
Introduction
• “Risk Assessment”
• identify assets
• identify threats
• identify vulnerabilities
• determine likelihood of damage
• estimate cost of recovery
• estimate cost of defense
Introduction
Access and Privilege
• A fundamental prerequisite for security is the ability to restrict access to data.
• This leads directly to a notion of privilege (access level) for certain users
Four Independent Issues
• Burgess states that there are four basic elements of
security:
• Privacy or confidentiality - restriction of access
• Authentication - verification of presumed identity
• Integrity - protection against corruption or loss
(redundancy)
• Trust - underlies every assumption
• Additional points from other authors:
• Availability - preventing disruption of a service
• Non-repudiation - preventing deniability of actions
Security Characteristics
• A system can be compromised by:
• Physical threats - natural disasters, bombs, power failures
etc
• Human threats – hacking, cracking, stealing, trickery,
bribery, spying, sabotage, accidents
• Software (logical) threats - viruses, trojan horses, logic
bombs, denial of service etc
Physical Security
• Remember that whoever has physical access to a machine can control the machine!
• Consider:
• tamper-proof, locking cases
• door locks, window bars
• biometric identification
• security cameras, motion detectors etc.
Physical Security
• Hosts, disks, network lines (incl. wireless) can be intercepted
• Radiation from monitor screens can be captured, and network traffic can be listened to
• The simplest information theft happens while a person is typing his/her password
• …don’t forget that Kevin Mitnick used what had been thrown into the trash bin as a source for his hacking activity
Trust Security
• We need to understand where we place trust, so that it cannot be exploited by attackers
• e.g. a host that shares users’ home directories trusts the identities & personal integrity of the users on the hosts which mount those directories
• su, and files such as .rhosts and hosts.equiv (on Unix), grant root privileges to other hosts without the need for authentication!!
Types of Vulnerabilities
• Denial of Service
• Privilege Escalation
• Backdoor
• Direct Access
• Privacy Leak
• Social Engineering
Practical System Security
• Authentication, Passwords and Permissions
• System Integrity
• Data and Network Traffic Encryption
Practical System Security
• Encryption can help mitigate some of the risks
sometimes.
• It may provide security in the areas of:
• Secrecy or Confidentiality
• Accuracy or Integrity
• Authenticity
Practical System Security
• All of the previous systems are subject to your own, your users’ and other people’s
• ignorance
• laziness
• malice

** malice (noun) = desire to inflict injury, harm


Practical System Security
• Our tasks:
• Identify what we are trying to protect
• Evaluate the main sources of risk & where trust is placed
• Work out possible or cost-effective counter-measures to attacks
What to do in the case of an
emergency
• As usual, this depends. Some of the smarter things to do if you detect an intrusion include:
• keep the system online to monitor what the attacker does or how she gained access,
• or
• take the system offline, possibly entirely into single-user mode
• take a complete snapshot of the system to separate media
• keep the system offline while you investigate
• reinstall
Remember that you can’t trust any data on the compromised system!
Miscellaneous

• Things probably mentioned before, but worth repeating:
• subscribe to your vendor’s security alert mailing list
• subscribe to independent security alert mailing lists
• checksum and verify any and all packages and patches
• regularly audit the installed software
• require strong passwords
• inform your users on security issues
• guard against threats from outside as well as inside the network
Security Policy
• Security policy is defined as a high-level statement of
organizational beliefs, goals, and objectives and the
general means for their attainment as related to the
protection of organizational assets
• It is brief, is set at a high level, and never states
“how” to accomplish the objectives
Security Policy
• Why Implement Security Policy?
• A security policy establishes what must be done to protect
information stored on computers.
• A well written policy contains sufficient definition of
“what” to do so that the “how” can be identified and
measured or evaluated
• Without a security policy, any organization can be left
exposed to the world
Security Policy
• It is important to note that, in order to determine
your policy needs, a risk assessment must first be
conducted.
• This may require an organization to define levels of
sensitivity with regard to information, processes,
procedures, and systems.
Security Policy
• What are the Components of a Security Policy?
• The components of a security policy will change by
organization based on size, services offered, technology,
and available revenue.
• However, most organizations have a guide which dictates
the makeup of all company policies.
• This guide likely contains some or all of the following:
Security Policy
• Purpose – this section states the reason for the policy
• Scope – this section states the range of coverage for the
policy (to whom or what does the policy apply)
• Background – this section provides amplifying information
on the need for the policy
• Policy statement – this section identifies the actual guiding
principles or what is to be done. The statements are
designed to influence and determine decisions and actions
within the scope of coverage
Security Policy
• Enforcement - this section should clearly identify how the
policy will be enforced and how security breaches and/or
misconduct will be handled
• Responsibility – this section states who is responsible for
what. Subsections might identify who will develop
additional detailed guidance and when the policy will be
reviewed and updated
• Related documents – this section lists any documents (or
other policies) that affect the contents of this policy
• Cancellation – this section identifies any existing policy that
is cancelled when this policy becomes effective.
A Secured System
• How secure must we be?
• From outside the organization?
• From inside the organization (different host)?
• From inside the organization (same host)?
• Against the interruption of services?
• From user error?
• How much inconvenience are the users of the system
willing to endure in order to uphold this level of
security?
A Secured System
• Work defensively - expect the worst, do your best,
preferably in advance of a problem
• Extremely sensitive data should not be placed on a
computer which is attached in any way to a public
network
Preventing & Minimizing Failure Modes
• Loss of data : backup & recovery
• Loss of service : UPS, contingency unit hardware,
applications (IPS, IDS e.g. snort, bro; email security
e.g. anti spam)
• Protocols : for human or machine behaviour -
standardized behavior & offers predictability: firewall
• Authentication : record in log files
• Integrity : trusted host/person?
Some Well-known Attacks
• Buffer overflow
• Ping attacks
• DOS/DDOS attacks
• TCP/IP spoofing
• SYN flooding
• TCP sequence guessing
• IP/UDP fragmentation (teardrop)
• ICMP flooding (smurf)
• DNS cache poisoning
Some Well-known Attacks
• Intrusion
• Laptop/mobile theft
• Telecom fraud
• Unauthorized access to info
• Financial fraud
• Insider abuse of net access
• System penetration
• sabotage
Some Well-known Attacks
• Theft of proprietary info
• Abuse of wireless network
• Misuse of public web application
• Web (Web site defacement, cross-site scripting)
• Malicious code (virus, worm, trojan horse, adware,
spyware)
• Threats through e-mail (forging/phishing, web
beaconing, spam)
• Identity theft (spoof website, phishing, pharming via
trojan)
Some Well-known Attacks
• Bot attacks – attacks on file inclusion vulnerabilities in CMSs (e.g. Mambo)
• Social engineering
Cryptographic Systems
• Cryptographic Systems
• Packages of Cryptographic Protections
• Users do not have to know the details
• Defined by cryptographic system standards
• Examples of Cryptographic System Standards
• SSL/TLS
• IPsec
Cryptographic Systems

• SSL/TLS
• Cryptographic system standard widely used in
sensitive browser–Webserver communication
• Used almost every time you buy online
• URL has https:// instead of http://
• Medium-strength security
• Easy to implement because built into every
browser and Webserver already
• Cannot protect all applications—used mostly for
the World Wide Web and e-mail
Cryptographic Systems
• IPsec
• Protects IP packets and all of their embedded contents
• So automatically protects all applications
• Very strong security
• Expensive to implement
VPN
• VPN is a computer network that uses a public
telecommunication infrastructure such as the
Internet to provide a secure and private access to an
organization’s network. It basically encapsulates data
transfers to keep the data private
• Secure VPNs use cryptographic tunneling protocols
to provide confidentiality by blocking intercepts and
packet sniffing, allowing sender authentication to
block identity spoofing, and provide message
integrity by preventing message alteration
VPN
• IPsec (Internet Protocol Security) was originally developed for
IPv6, which requires it. This standards-based security protocol is
also widely used with IPv4. Layer 2 Tunneling Protocol
frequently runs over IPsec.
• Transport Layer Security (SSL/TLS) can tunnel an entire
network's traffic, as it does in the OpenVPN project, or secure
an individual connection. A number of vendors provide remote
access VPN capabilities through SSL. An SSL VPN can connect
from locations where IPsec runs into trouble with Network
Address Translation and firewall rules.
• Datagram Transport Layer Security (DTLS), is used in Cisco's
next-generation VPN product, Cisco AnyConnect VPN, to solve
the issues SSL/TLS has with tunneling over TCP.
VPN
• Microsoft Point-to-Point Encryption (MPPE) works with their
Point-to-Point Tunneling Protocol and in several compatible
implementations on other platforms.
• Microsoft introduced Secure Socket Tunneling Protocol (SSTP)
in Windows Server 2008 and Windows Vista Service Pack 1.
SSTP tunnels Point-to-Point Protocol (PPP) or Layer 2
Tunneling Protocol traffic through an SSL 3.0 channel.
• MPVPN (Multi Path Virtual Private Network). Ragula Systems
Development Company owns the registered trademark
"MPVPN".[2]
• Secure Shell (SSH) VPN -- OpenSSH offers VPN tunneling to
secure remote connections to a network or inter-network
links.
