Tools And Techniques For Improving Network System Security

Tool 1: SELinux

Setting good access control is the first step in securing your network. The Linux operating system has been praised for its tight security out of the box, which has made it the preferred platform for security-based systems and applications (Jones, 2008). This is due to the open source nature of its kernel development, which allows the community to maintain the kernel. Access controls are key when setting up a secure network environment, as they define which objects, users or applications are permitted or denied access to network files, applications and resources. The standard mode of access control in Linux distributions is discretionary access control, in which the owner of a network object such as a file is given the role of determining who is permitted to use particular files or network resources. Access is controlled by a username and password combination. Discretionary access control has its disadvantages, as it automatically limits other users' and applications' access to a resource unless the owner of the resource explicitly adds a new permission (Fiorin et al., 2012).


It is with this in mind that this report explains new approaches that can be used to extend the default access control mode in Linux using the following tools, which are discussed and form the larger part of the body of this report. The report covers their setup, configuration and sample usage commands so that a novice user can easily set up the tools and enhance access control in the network to raise its security score (Chen, Li and Mao, 2009).

The discretionary access control that is the default in most Linux distributions sets permissions for users and applications only, that is, who is able to access a file and who is denied access to it. This mode of access control is largely file-based, and permissions such as read; read and write; and read, write and execute are some of the levels of access.

Security Enhanced Linux (SELinux), developed by the NSA, extends this file-based access control by introducing the concept of policy-based access control. This extends not only to files on the Linux platform but also to access permissions on network resources and interprocess communication signals (Curren, 2012). The advantage of this tool is that it uses the mandatory access control mode, meaning the whole procedure of assigning permissions is centralized and defined by the system administrator (Li, 2008). It can restrict or permit a resource owner's right to adjust the access permissions of their own files and resources. This mode follows the philosophy that all resources are owned by the organization and not by a member of the organization (Shabtai, Fledel and Elovici, 2010). The following are some of the extended permissions that SELinux introduces:

  • Ability to unlink a file from a policy
  • Permission to move a file
  • Permissions extended to other resources such as network-based resources.

Setting Up SELinux

Installation of SELinux on an Ubuntu distribution, for example, requires you to run the following commands in the terminal to install the tool.

  • Go to the terminal
  • Enter the command sudo apt-get install selinux

When you press the Enter key, the tool is downloaded from the Ubuntu software repository and installed in your environment.

The configuration of SELinux involves a small learning curve. The first step is to choose the mode in which the tool runs (Ongtang, Butler and McDaniel, 2010). Two modes are of interest here: enforcing mode, in which policy violations are blocked, and permissive mode, in which violations are only logged and not blocked. It is a rule of thumb to set up access control based on permission rather than denial, hence the permissive mode is highly recommended. To change the mode, use the following commands (Wang et al., 2015):

  • Locate the config file at /etc/selinux/config
  • To set enforcing mode, enter the following command at the terminal: sudo sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
  • To set permissive mode, enter the following command at the terminal: sudo sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config

It is always important to reboot the system for the change to take effect.
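The mode change above, written as a small POSIX shell script (an added example, not part of the report): it validates the requested mode, rewrites the SELINUX= line of the config file and then verifies that exactly one such line carries the new value, which catches a silently failed edit. The config path defaults to /etc/selinux/config but can be overridden, so the script can be exercised on a copy; the sample config contents used in the demo are constructed.

```shell
#!/bin/sh
# Added example: switch the SELinux boot-time mode in a config file and verify it.
# Path defaults to /etc/selinux/config; pass another path (e.g. a test copy) as $2.

set_selinux_mode() {
    mode="$1"
    cfg="${2:-/etc/selinux/config}"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "set_selinux_mode: invalid mode '$mode'" >&2; return 1 ;;
    esac
    [ -w "$cfg" ] || { echo "set_selinux_mode: cannot write $cfg" >&2; return 1; }
    # anchor on the start of the line so SELINUXTYPE=... is left untouched
    sed -i "s/^SELINUX=.*/SELINUX=$mode/" "$cfg" || return 1
    # verify: exactly one SELINUX= line, and it carries the requested mode
    [ "$(grep -c '^SELINUX=' "$cfg")" -eq 1 ] &&
        grep -q "^SELINUX=$mode\$" "$cfg"
}

# Print the mode configured in the file (not the running mode; the running
# mode is reported by getenforce, and the file takes effect at the next boot).
configured_selinux_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "${1:-/etc/selinux/config}"
}

# Demo on a constructed copy, so running this script never touches the real file.
# On the real file, run it with sudo and omit the second argument.
demo_cfg="$(mktemp)"
printf '# constructed sample config\nSELINUX=permissive\nSELINUXTYPE=default\n' > "$demo_cfg"
set_selinux_mode enforcing "$demo_cfg" && echo "configured mode: $(configured_selinux_mode "$demo_cfg")"
rm -f "$demo_cfg"
```

The check after the edit matters more than the edit itself: a sed that matches nothing exits 0, so without the grep a typo in the file would leave the old mode in place unnoticed until the next reboot.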

Features

  • Policies are separated from enforcement
  • Policy interfaces are well defined
  • Supports cron jobs
  • Setup is independent of other, more specific policies and languages
  • Supports making changes to policies
  • Controls access to files and other resources

SELinux can be deployed on database engines and web servers to define policies on how data is accessed and what rights the application has (Nakamura and Sameshima, 2008). This keeps data secure by limiting access by rogue daemons.

Tool 2: IPTables

IPTables is built into all Linux distributions as a way of securing networks by applying rules to traffic coming into the local network or traffic leaving it (Xuan and Wu, 2015). The iptables utility runs in user space and configures the packet filtering done by the Linux kernel, so it can be run from the terminal both by the system administrator, for centralized filtering into the internal network, and by a specific user to set up filtering of traffic on the user's PC (AL-Musawi, 2012). iptables can be configured to handle both IPv4 and IPv6 packets, making it easily scalable.

The main motivation for using IPTables is to restrict access to a server from a specific IP address, or to a specific server by a specific set of networks; this is achieved by allowing or denying different sets of networks access to different network service ports and IP addresses (Šimon, Huraj and Čerňanský, 2015).

Setting Up IPTables

By default, the iptables program comes pre-built in all Linux distributions, but in case it is missing it can be installed by running the following commands. All iptables commands require root privileges.

  • sudo apt-get update
  • sudo apt-get install iptables

Linux IPTables is implemented using sets of rules called chains, which group the rules and can be applied to control access to services, ports and resources by closing or opening network ports based on a predefined set of rules (Marmol, Jnagal and Hockin, 2015). There are three types of chains, as explained below.

Configurations

Types Of Chains

  1. INPUT - This chain controls traffic coming from the Internet or external networks into the internal network or a PC (Maier et al., 2008).
  2. FORWARD - This chain handles traffic that passes through the router on its way to another network rather than terminating on it; here IP modifications can be done for SNAT and DNAT (Hoque et al., 2012).
  3. OUTPUT - This chain filters traffic going out from the internal network or a PC to the Internet or external networks.

Configuring IPTables is simply a matter of running the iptables command from the terminal with the parameters required to define the rule and the chain it belongs to. The following are common parameters.

iptables Command Parameters

  • -s specify the address of the source node
  • -d specify the address of the destination node
  • -p specify the protocol
  • -j specify the desired action (target)
  • -P set the default policy of a chain
  • -D delete a specific rule from the chain
  • -R replace a rule on a chain
  • -F flush (remove all rules from) the chain
  • -L list all rules on the chain
  • -A append a new rule to the end of the chain

Note: it is recommended to always add a "catch-all" rule at the end of the chain to deny any other protocol not mentioned in the chain.

A good application of iptables is to allow HTTP traffic to the apache2 web server on port 80 so that the server can serve web pages to users. The rules are defined below:

# iptables -A INPUT -i eth0 -p tcp --destination-port 80 -j ACCEPT

And at the end of the chain add the catch-all rule as follows:

# iptables -A INPUT -i eth0 -j DROP
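The same web-server ruleset as a complete, loadable file (an added example, not from the report): it is written in iptables-restore format so the whole chain is loaded atomically instead of one command at a time, and it adds the rules a practitioner needs before the catch-all DROP, namely loopback, replies to established connections and an SSH allowance so remote administration is not cut off. The interface name eth0, the SSH port 22 and the log prefix are assumptions.

```shell
#!/bin/sh
# Added example: the web-server INPUT chain from the text, generated in
# iptables-restore format. Interface (eth0), SSH port (22) and the log prefix
# are assumptions; adjust them for the host in question.

gen_web_ruleset() {
    iface="${1:-eth0}"
    ssh_port="${2:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections this host opened must be accepted
# before the catch-all, otherwise local services and package updates break
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# remote administration: without this line the catch-all locks you out
-A INPUT -i $iface -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
# the rule from the text: HTTP to the apache2 server
-A INPUT -i $iface -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# rate-limited log of what the catch-all drops, for later review
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
# the catch-all from the text (the DROP policy above also covers it)
-A INPUT -j DROP
COMMIT
EOF
}

# 1-based line number of the first rule matching a pattern; used to check that
# the ACCEPT rules sit before the catch-all DROP, since iptables matches in order.
rule_line() {
    gen_web_ruleset | grep -n -- "$1" | head -n1 | cut -d: -f1
}

# Load the ruleset into the kernel when run as root; otherwise just show it.
apply_web_ruleset() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        gen_web_ruleset "$@" | iptables-restore
    else
        gen_web_ruleset "$@"
    fi
}

# Print the generated ruleset; call apply_web_ruleset as root to load it.
gen_web_ruleset "$@"
```

Rule order is the point: iptables stops at the first match, so an ACCEPT placed after the catch-all never fires. The ruleset is best tested on a console session first, because a mistake in the SSH line plus the DROP policy disconnects every remote session.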

The overall iptables packet flow is shown in the figure below.

From the illustration, once traffic arrives from the outside network it is taken through the PREROUTING chain. As the name suggests, this is before the routing decision is made. At this stage, packet headers can be modified to facilitate NATing (He et al., 2014).

Once the routing decision is made, the traffic goes through the FORWARD chain and then POSTROUTING if it is not destined for the internal network; otherwise it goes through the INPUT chain, where filtering is done based on the iptables rules set in the chain. Any traffic from the internal network destined for another network must pass through the OUTPUT chain, where it is filtered based on the iptables rules defined there (Vasilescu, Gheorghe and Tapus, 2014).

Application of Iptables

iptables is applied in the following:

  1. Building stateless and stateful filtering firewalls
  2. SNAT, for source NATing
  3. DNAT, for destination NATing
  4. Building QoS and sophisticated route-based policies

Tool 3: Bro

The Bro network security and analysis tool, developed by the NSF, has as its primary function the analysis of network traffic. It scans the various communication interfaces for vulnerabilities and any potentially suspicious activity in the network (Paxson et al., 2012). Bro not only provides security tools out of the box but also provides general network analysis such as performance monitoring, and produces data useful for network troubleshooting; this is made possible by its different sets of logs, which account for the various network activities.

Features

It is capable of logging not only the activity across a connection link but also the state of communication between various network applications, such as all HTTPS requests (Mairh et al., 2011).

Moreover, Bro comes with a wide range of intrusion detection applications that are able to detect malware intrusions and report on vulnerable applications. This information is mainly shared by the external community linked to the Bro project (McParland, Peisert and Scaglione, 2014).

Bro beats its proprietary competitors because it is tuned to run on most budget hardware, whereas the competitors are more restricted in what they can do, since most proprietary products are hard-coded and hence not extensible, unlike Bro, which is open source. Network administrators using Bro can write scripts to further extend the functionality of the Bro framework, giving it practically unlimited functions (Kenkre, Pai and Colaco, 2015). Big corporations and institutions are continuously relying on Bro to secure their cyberspace, since it can accommodate high-volume traffic on the order of 10GE and even 100GE links (Burks, 2012). This is made possible by configuring a Bro cluster, which provides load balancing by running Bro instances on different network segments. The key features of the Bro framework are as follows:

  1. Easy to set up and deploy, as it runs on open source platforms such as Linux and FreeBSD
  2. Gives better analysis tools out of the box, supporting not only end-device analysis but also application analysis
  3. Support for scripting languages such as Python and Perl
  4. Interfaces with an external database to exchange information
  5. Open source
  6. It is highly stateful
  7. Includes forensic modules for conducting security audits.

The figure above illustrates the architecture of the Bro framework. The framework has two main layers, namely the event engine and the script interpreter. The event engine is tasked with monitoring activity on the network and reporting it in policy-neutral terms that describe what the component has captured but not why it was captured or what the capture means (Irwin and van Riel, 2008). IP addresses and ports are mainly captured at this point.

The framework's ability to detect malware is made possible by the script interpreter component, which executes event handlers written in a custom scripting language. The event handlers implement the organization's security policy regarding the action to be taken when such an intrusion is detected. The component is also able to derive semantics and properties of the captured traffic (Li and Mohammed, 2008).

First, it is best practice to update the package lists by running the following command in the terminal:

sudo apt-get update 

Bro can be installed either with the package manager or by compiling from the source code hosted in the GitHub repository (Baskaran et al., 2017). The steps described here are for Ubuntu Linux, which was used for the installation. Before installing, it is important to ensure the platform has libpcap, OpenSSL, BIND 8, libz, Bash and a Python interpreter of at least version 2.6.

Application

In the terminal, run the following command to install the dependencies above:

sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev

Once the dependencies are met, Bro can be installed from source by downloading it from GitHub, then compiling and installing it locally (Seeber and Rodosek, 2015). The commands are shown below:

git clone --recursive git://git.bro.org/bro

cd bro

./configure

make

sudo make install 

The above commands install Bro in /usr/local/bro. The last step is to add Bro to your PATH environment variable: export PATH=$PATH:/usr/local/bro/bin

The Bro framework can be used to monitor traffic through an interface using the following command

bro -i en0 <scripts to be loaded>

The interface en0 indicates the interface to monitor. This can be replaced with any other interface in the network.

One can write the packets captured by Bro to a file for offline analysis. This is done using the following command,

sudo tcpdump -i en0 -s 0 -w mypackets.trace

The installation of the three tools greatly enhances the security of both the systems and the network. The inner granular details of the systems are protected by Security Enhanced Linux, which provides a system-wide method of enforcing access controls, making privileged and unprivileged users alike obey policy, whether or not they assigned it to their own files. This adds a layer of security by ensuring rogue users and applications cannot take advantage of misconfigured policies and network configurations.

SELinux does not prevent access to the network by the bad guys. It is with this in mind that iptables provides a chain of rules to filter out malicious traffic, preventing it from accessing internal networks. This makes users trust the internal system, since filters have already been applied and malicious applications and external attackers are blocked.

The installation of Bro provides the tool to effectively monitor the status of the network and to account for all activities in the network. This complements the accounting component of the AAA security triangle (Smetters and Jacobson, 2009).

Ransomware and zero-day attacks have been on the rise, and neither small nor big companies are spared. It is therefore necessary for small businesses to employ some security mechanism to mitigate these attacks. IPTables is proposed for small businesses to manage the security of their networks.

Small businesses mostly do not have the financial muscle to purchase an enterprise-grade firewall as their security mechanism, but they can now protect their internal networks thanks to the free and open source IPTables, which generally offers the services an enterprise-grade firewall is able to offer. This saves the small business a lot of money.


Configuring IPTables is relatively easy and convenient compared to SELinux, which is based on policies. These policies are so complicated that an average system administrator at a small local business could not effectively decipher and configure them well. Misconfiguration of SELinux is very damaging since, in essence, it does not keep the bad guys from entering the system; it only restricts what they can do once in the system. Contrary to the complex policies in SELinux, IPTables rules are generally easier for any system administrator to understand.

IPTables is more compatible with the system's files and services since it comes with the platform out of the box and hence better understands the Linux file system; this is contrary to SELinux, which needs to be installed with its dependencies. This has the potential of causing compatibility issues with network applications (Salah, 2014).

iptables can be configured on small networks to act as the logging system for analysis of inbound and outbound traffic by writing the results to a log file for later analysis. This makes the use of Bro on small networks not feasible, both economically and operationally: Bro network monitoring is not suitable for a small network since it provides a domain-specific language and requires the business to employ an experienced programmer to write scripts for the network events. Such a skillset is hard to come by and hard for a small business to hire. It is therefore beneficial to tune IPTables to perform the monitoring function.

In addition, iptables can be used to implement SNAT and DNAT, which are essential for a small organization that can only afford one public IP address and hence relies heavily on NATing technology to reroute and forward packets. Source NATing and destination NATing can be secured in IPTables out of the box by specifying the forwarding chain's ruleset.
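The SNAT/DNAT use listed under "Application of Iptables" and the single-public-address scenario described here, as one added example that is not from the report: it generates an iptables-restore ruleset in which the nat table masquerades the LAN behind the public interface and publishes one internal web server on port 80, while the FORWARD chain only admits established replies, LAN-originated traffic and new connections to that published server. The interface names eth0 (public) and eth1 (LAN), the network 192.168.10.0/24 and the server address 192.168.10.20 are assumptions; the kernel must also have IP forwarding enabled, which the last function checks.

```shell
#!/bin/sh
# Added example: NAT ruleset for a site with one public address, in
# iptables-restore format. Defaults are assumptions: eth0 = public side,
# eth1 = LAN, 192.168.10.0/24 = LAN network, 192.168.10.20 = internal web server.

gen_nat_ruleset() {
    wan="${1:-eth0}"
    lan="${2:-eth1}"
    lan_net="${3:-192.168.10.0/24}"
    web="${4:-192.168.10.20}"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT: publish the internal web server on the single public address
-A PREROUTING -i $wan -p tcp --dport 80 -j DNAT --to-destination $web:80
# SNAT (masquerade): LAN hosts share the public address when going out
-A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# the router itself: loopback, replies, and administration from the LAN only
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -s $lan_net -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# forwarded traffic: replies first
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN -> Internet
-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
# Internet -> published web server only (matched on the post-DNAT address);
# everything else from the public side is dropped by the FORWARD policy
-A FORWARD -i $wan -o $lan -p tcp -d $web --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# DNAT to a LAN host only works when the kernel forwards packets; read the
# sysctl value from its /proc file (path overridable for testing).
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Print the ruleset; load it as root with: gen_nat_ruleset | iptables-restore
gen_nat_ruleset "$@"
if ! ip_forward_enabled; then
    echo "note: net.ipv4.ip_forward is not 1; DNAT to the LAN will not work until it is" >&2
fi
```

Because iptables-restore replaces each table it lists in full, the filter table here carries its own INPUT rules rather than assuming the earlier web-server ruleset is still loaded; on a real gateway the two are merged into one file.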

Conclusion

In conclusion, it is highly recommended for small businesses to implement IPTables to secure their networks; this is justified by its ease of use, convenience, cost of deployment, compatibility with existing applications and, lastly, the fact that it does not require a steep learning curve to implement the rules.

References

AL-Musawi, B.Q.M., 2012. Mitigating DoS/DDoS attacks using iptables. International Journal of Engineering & Technology, 12(3), pp.101–111.

Baskaran, M.M., Henretty, T., Ezick, J., Lethin, R. and Bruns-Smith, D., 2017. Enhancing Network Visibility and Security through Tensor Analysis. In: 4th International Workshop on Innovating the Network for Data Intensive Science (INDIS) held in conjunction with SC17.


Burks, D., 2012. Security Onion. [Online]. Available: https://blog.securityonion.net/p/securityonion.html [Accessed 11 May 2014].

Chen, H., Li, N. and Mao, Z., 2009. Analyzing and Comparing the Protection Quality of Security Enhanced Operating Systems. In: NDSS. pp.11–16.

Curren, E., 2012. Security Enhanced Data Platform. Google Patents.

Fiorin, L., Ferrante, A., Padarnitsas, K. and Regazzoni, F., 2012. Security enhanced linux on embedded systems: A hardware-accelerated implementation. In: Design Automation Conference (ASP-DAC), 2012 17th Asia and South Pacific. IEEE, pp.29–34.

He, X., Chomsiri, T., Nanda, P. and Tan, Z., 2014. Improving cloud network security using the Tree-Rule firewall. Future generation computer systems, 30, pp.116–126.

Hoque, M.S., Mukit, M., Bikas, M. and Naser, A., 2012. An implementation of intrusion detection system using a genetic algorithm. arXiv preprint arXiv:1204.1336.

Irwin, B. and van Riel, J.-P., 2008. Using inetvis to evaluate snort and bro scan detection on a network telescope. In: VizSEC 2007. Springer, pp.255–273.

Jones, M.T., 2008. Anatomy of Security-Enhanced Linux (SELinux). Webbsida, april.

Kenkre, P.S., Pai, A. and Colaco, L., 2015. Real time intrusion detection and prevention system. In: Proceedings of the 3rd International Conference on Frontiers of Intelligent Computing: Theory and Applications (FICTA) 2014. Springer, pp.405–411.

Li, N., 2008. How to make discretionary access control secure against trojan horses. In: Parallel and Distributed Processing, 2008. IPDPS 2008. IEEE International Symposium on. IEEE, pp.1–3.

Li, P. and Mohammed, T., 2008. Integration of virtualization technology into network security laboratory. In: Frontiers in Education Conference, 2008. FIE 2008. 38th Annual. IEEE, pp.S2A-7-S2A-12.

Maier, G., Sommer, R., Dreger, H., Feldmann, A., Paxson, V. and Schneider, F., 2008. Enriching network security analysis with time travel. In: ACM SIGCOMM Computer Communication Review. ACM, pp.183–194.

Mairh, A., Barik, D., Verma, K. and Jena, D., 2011. Honeypot in network security: a survey. In: Proceedings of the 2011 international conference on communication, computing & security. ACM, pp.600–605.

Marmol, V., Jnagal, R. and Hockin, T., 2015. Networking in containers and container clusters. Proceedings of netdev 0.1, February.

McParland, C., Peisert, S. and Scaglione, A., 2014. Monitoring Security of Networked Control Systems: It’s the Physics. IEEE Security & Privacy, 12(6), pp.32–39.

Nakamura, Y. and Sameshima, Y., 2008. SELinux for consumer electronics devices. In: 2008 Linux Symposium. pp.125–134.

Ongtang, M., Butler, K. and McDaniel, P., 2010. Porscha: Policy oriented secure content handling in Android. In: Proceedings of the 26th Annual Computer Security Applications Conference. ACM, pp.221–230.

Paxson, V., Sommer, R., Hall, S., Kreibich, C., Barlow, J., Clark, G., Maier, G., Siwek, J., Slagell, A. and Thayer, D., 2012. The bro network security monitor.

Salah, K., 2014. Harnessing the cloud for teaching cybersecurity. In: Proceedings of the 45th ACM technical symposium on Computer science education. ACM, pp.529–534.

Seeber, S. and Rodosek, G.D., 2015. Towards an adaptive and effective IDS using OpenFlow. In: IFIP International Conference on Autonomous Infrastructure, Management and Security. Springer, pp.134–139.

Shabtai, A., Fledel, Y. and Elovici, Y., 2010. Securing Android-powered mobile devices using SELinux. IEEE Security & Privacy, 8(3), pp.36–44.

Šimon, M., Huraj, L. and Čerňanský, M., 2015. Performance evaluations of IPTables firewall solutions under DDoS attacks. Journal of Applied Mathematics, Statistics and Informatics, 11(2), pp.35–45.

Smetters, D. and Jacobson, V., 2009. Securing network content. Citeseer.

Vasilescu, M., Gheorghe, L. and Tapus, N., 2014. Practical malware analysis based on sandboxing. In: RoEduNet Conference 13th Edition: Networking in Education and Research Joint Event RENAM 8th Conference, 2014. IEEE, pp.1–6.

Wang, R., Enck, W., Reeves, D.S., Zhang, X., Ning, P., Xu, D., Zhou, W. and Azab, A.M., 2015. EASEAndroid: Automatic Policy Analysis and Refinement for Security Enhanced Android via Large-Scale Semi-Supervised Learning. In: USENIX Security Symposium. pp.351–366.

Xuan, L. and Wu, P., 2015. The optimization and implementation of iptables rules set on linux. In: Information Science and Control Engineering (ICISCE), 2015 2nd International Conference on. IEEE, pp.988–991.