全部博文(34)
分类:
2008-04-25 10:28:27
SECURITY REVIEW
METHODOLOGY
WHITE PAPER REPORT
TCP_WRAPPERS VERSION 7.6
9 JAN 2002
EXECUTIVE
SUMMARY
Field Security Operations performed a
security evaluation of the product TCP_WRAPPERS Version 7.6. As with all DISA platforms, any system
supporting TCP_WRAPPERS Version 7.6 should have all STIG, patch, and IAVA
requirements applied. TCP_WRAPPERS
Version 7.6 did appear to function properly with all of these requirements
applied to the testing environment.
Section 1 of this paper discusses the
product TCP_WRAPPERS Version 7.6 and how it is being used. Evaluation procedures are described in
section 2, configuration requirements are outlined in section 3, and
TCP_WRAPPERS Version 7.6 security recommendations are provided in section
4.
The purpose of this evaluation was to
determine if the product, TCP_WRAPPERS Version 7.6, would function properly on
platforms meeting the security guidelines as established in applicable DISA
Security Technical Implementation Guides (STIGs). An evaluation environment was
established and a review of product documentation and verification of resources
required by TCP_WRAPPERS Version 7.6 were explored to determine the feasibility
of using the product while maintaining acceptable security risk to the DISA
environment.
TCP_WRAPPERS Version 7.6 was utilized in
this evaluation. TCP_WRAPPERS
Version 7.6 is a freely available application designed to monitor and filter
incoming requests for the SYSTAT, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK,
and other network services.
The package provides tiny daemon wrapper
programs that can be installed without any changes to existing software or to
existing configuration files. The
wrappers report the name of the client host and of the requested service; the
wrappers do not exchange information with the client or server applications,
and impose no overhead on the actual conversation between the client and server
applications.
Almost every application of the TCP/IP
protocols is based on a client-server model. For example, when a user invokes the
telnet command to connect to a system, a telnet server process is executed on
the target host. The telnet server
process connects the user to a login process.
The usual approach is to run one single
daemon process that waits for all kinds of incoming network connections. Whenever a connection is established,
this daemon (usually called inetd) runs the appropriate server program and goes
back to sleep, waiting for other connections.
The wrapper programs rely on a simple, but
powerful mechanism. Instead of
directly running the desired server program, the inetd is tricked into running
a small wrapper program. The
wrapper logs the client host name or address and performs some additional
checks. When all is well, the
wrapper executes the desired server program and goes away.
The wrapper programs have no interaction
with the client user (or with the client process); nor do the wrappers interact
with the server application. The
wrapper programs are active only when the initial contact between client and
server is established. Once a
wrapper has completed its work there is no overhead on the client-server
conversation.
The wrapper programs send their logging
information to the syslog daemon (syslogd). The disposition of the wrapper log is
determined by the syslog configuration file (usually /etc/syslog.conf). Messages are written to files, to the
console, or are forwarded to a @loghost.
Some syslogd versions can even forward messages down a |pipeline.
For the purposes of this review, TCP_WRAPPERS Version 7.6 was evaluated. TCP_WRAPPERS Version 7.6 was installed on a STIG compliant UNIX platform running Solaris 8.
To establish an evaluation baseline, Security Readiness Reviews (SRRs) were performed on the Unix platform to confirm STIG compliance. In addition, a vulnerability scan was run against the platform before the TCP_WRAPPERS Version 7.6 application was installed.
Once the secured baseline was achieved, the TCP_WRAPPERS
Version 7.6 application was installed on the Solaris 8 platform and
executed. At this point in the
process, a re-evaluation of the system was accomplished by again conducting
SRRs on the hosts and vulnerability scans against the environment. The testing
revealed no abnormal activity and the security of the system was not degraded
by installation of the product.
As with all DISA platforms, any systems supporting the TCP_WRAPPERS Version 7.6 application should have all STIG, patch, and IAVA requirements applied.
All
configuration changes for TCP_WRAPPERS are defined in the Makefile included
with the source code. Obtain the
source code from the DOD-CERT WWW server and untar it. Change the directory to the
TCP_WRAPPERS.7.6 directory, and bring the Makefile into a text editor such as vi.
·
If using a compiler other than cc, define the compiler
environment by placing a line similar to the following line after line one of
the Makefile:
CC=gcc
·
Define where the network services daemons (such as in.telnetd
and in.ftpd, or telnetd and ftpd) are normally
located. For a Solaris system it
will normally be /usr/sbin.
For a HP 10.X system it will be /usr/lbin. For instance:
REAL_DAEMON_DIR=/usr/sbin
·
Define required object libraries for the system. If this is a Solaris system, uncomment
the following line:
LIBS = -lsocket -lnsl # SysV.4 Solaris 2.x
·
If this is an HP system, uncomment the following line:
LIBS = -lsyslog -lsocket -lnsl
·
Uncomment the following line to enable banners
and other extensions:
STYLE =
-DPROCESS_OPTIONS # Enable
language extensions
·
Uncomment the following to enable username
lookups:
AUTH = -DALWAYS_RFC931
·
Uncomment the following:
PARANOID=
-DPARANOID
·
The default umask can be 022. Field Security Operations recommends
setting it to 037 for maximum protection.
UMASK =
-DDAEMON_UMASK=037
·
The following option will disconnect systems whose IP address does
not match their host name. This helps
protect against host name spoofing:
KILL_OPT = -DKILL_IP_OPTIONS
The TCP_WRAPPERS
program is now ready to be compiled.
·
Type make sunos5 or make hpux depending on the
system. When compiled, make a
directory for banners and badbanners:
mkdir /banners;mkdir
/banners/badbanners
·
Copy
the Banners.Makefile to /banners and to /banners/badbanners.
·
Copy the DOD banners file to /banners/prototype.
·
Change directory to /banners and type make.
·
Change directory to badbanners.
·
Create a short file called prototype that informs the users
they are not allowed to log on to this system.
·
Type make.
·
Change directory to /etc and create the hosts.allow
file using the following template:
ALL: 192.136.137.
198.49.192. : banners/banners
A much more
complicated access control list could be created. This file allows the indicated networks
to access any network service available on the system.
·
Create the hosts.deny file using the following template:
ALL: ALL : banners/banners/badbanners
This file will
disallow access to network services to all networks and hosts not defined in /etc/hosts.allow
file.
Since the TCP_WRAPPERS Version 7.6 application resides on a Unix platform, DISA recommends this product be installed on a STIG-compliant Unix platform. There are general security concerns and recommendations as related to the TCP_WRAPPERS Version 7.6 application that also must be met before installing this product.
In keeping with general security considerations, it is recommended that all passwords should meet DISA strong password policy. All default passwords should be changed. In addition, user permissions should be configured and controlled to ensure that users are given the minimum access necessary for them to successfully perform their duties.
The TCP_WRAPPERS Version 7.6 must be installed in an environment with appropriate physical controls applied. Physical access by unauthorized personnel poses the greatest risk associated to the UNIX platform running TCP_WRAPPERS Version 7.6. Physical access to the system should be controlled in accordance with the DISA WESTHEM Security Handbook section 3.1. In addition, and as with all systems, it is imperative that the host system be password protected with acceptable strong passwords as outlined in the DISA Security Handbook section 3.13.
