
Re: [school-discuss] Security and Linux



hello,

this is a paper i wrote up for a large medical group on the gulf coast.
hope it helps some.  the stuff like squid, snort and tripwire, we've used in
house for at least three years.

good luck.

mike eschman, etc ...
http://www.etc-edu.com
"Not just an afterthought ...


Optimal network security and performance metrics.


HIPAA security rules present a challenge to secure information without 
compromising care. [ They offer no real guidance on compliance. ]  The most 
fundamental level of control is going to be provided by a centralized 
solution. 


Patient Records.


Access to records should depend on certificates and other security measures that are tied to a specific patient transaction, defined to be a particular visit and regimen of lab work, and other procedures linked to a particular doctor visit.


Providing Information to Remote Physicians


A remote doctor presents some risks: the information on the remote doctor's workstation is not subject to your direct control, and the VPN connection can be compromised.


A viewing of data held on a read-only server with ftp and all other data transfer mechanisms disabled, or a mailed DVD, offers optimal security for patient data.  Unfortunately, some of the most useful diagnostic data is bulky.  That points to a local mechanism [i.e. at the remote site] to store data for remote users.


A "sealed box" queueing mechanism at the remote user site can alleviate these deficiencies without imposing the burdens of a client site viewer.  In plain English, if a non-recoverable, non-configurable Linux server, hosting proxy, messaging and logging services, is installed at remote sites as an "intrinsic component" of network access to patient data, then performance, security and recoverability [i.e. back-ups] can all be optimized.


Review is fundamental to control.  Unless you can inspect and assess network traffic, nominal operating conditions cannot be confirmed - you don't know if the barn's warm and dry, or on fire.  A master report on traffic would rationalize all data access to specific doctor-patient interchanges, and to routine scheduled patient review mechanisms.  The legal repercussions of security failures need to time traffic to specific patient records.


So a good master report is going to throw interactions with Jane Doe's data in July and August into relief, showing, for instance, variances in access [that are requested by an analyst] between the two months.


Commercial products lack a cross-reference database that can resolve an IP address into a personal identity.


We should consider developing a queueing and scheduling mechanism, with a user database to support this type of reporting.


Access Scenario : [ A "patient - medical team" episode begins. ]


Staff personnel open an access folder.  For each team member with permissible access, a new digital certificate is created, and a tracking code is assigned.  The tracing code is a reference number for inclusion into logs.  This is analogous to what aircraft part manufacturers do to track particular production runs of particular aircraft parts.


One tracking entry per permissible IP address is created.


When data access is required, the user provides a patient name from a known IP address, and a tracing reference number is identified on that IP's local "sealed proxy".  These data requests are queued.  That is, they are accepted, a "tracking ticket" is generated, and a work request is issued.  Depending on the nature of the request, an e-mail, ftp upload and follow-up e-mail or "snail mailed" DVD collection is created and dispatched to complete the work order.


This system requires determined criminal intent to breach, and creates the evidence required to secure a conviction.


intrusion detection.


There are a number of security solutions available as open source.  Here are some tools that have achieved "production - stable" rankings from Freshmeat :


Firestorm NIDS
Firestorm is an extremely high performance network intrusion detection system (NIDS). At the moment it is just a sensor, but plans are to include real support for analysis, reporting, remote console and on-the-fly sensor configuration. It is fully pluggable and hence extremely flexible.


A Network Intrusion Detection System is a system which can identify suspicious patterns in network traffic. If a firewall is a doorman, a NIDS is an undercover KGB agent. He silently gathers intelligence and can spot an enemy even if the door security has already let them in (maybe the enemy can make fake identification documents).


What is integrit?


integrit is an alternative to file integrity verification programs like tripwire and aide. It helps you determine whether an intruder has modified a computer system.  Without a system like integrit, a sysadmin can't know whether the tools he/she uses to investigate a potential break-in are trojan horses or not. e.g., If the machine has a "/tmp/. " directory containing a shell that's setuid root, and you want to investigate to determine how badly the cracker has compromised the machine, how do you know that the attacker hasn't replaced your "find" and "ls" commands with tampered versions that fail to report the cracker's files?


A system like integrit works by creating a database that is a snapshot of the most essential parts of your computer system. You put the database somewhere safe, and then later you can use it to make sure that no one has made any illicit modifications to the computer system. In the case of a break-in, you know exactly which files have been modified, added, or removed.


integrit is a robust, stable piece of software designed for professional use.


SNORT - Open Source Lightweight Intrusion Detection.


Snort fills an important "ecological niche" in the realm of network security: a cross-platform, lightweight network intrusion detection tool that can be deployed to monitor small TCP/IP networks and detect a wide variety of suspicious network traffic as well as outright attacks.  It can provide administrators with enough data to make informed decisions on the proper course of action in the face of suspicious activity.  Snort can also be deployed rapidly to fill potential holes in a network's security coverage, such as when a new attack emerges and commercial security vendors are slow to release new attack recognition signatures.


Snort is a tool for small, lightly utilized networks.  Snort is useful when it is not cost efficient to deploy commercial NIDS sensors.  Modern commercial intrusion detection systems cost thousands of dollars at minimum, tens or even hundreds of thousands in extreme cases.  Snort is available under the GNU General Public License [GNU89], and is free for use in any environment, making the employment of Snort as a network security system more of a network management and coordination issue than one of affordability.


What is "lightweight" intrusion detection?


A lightweight intrusion detection system can easily be deployed on most any node of a network, with minimal disruption to operations.  Lightweight IDSs should be cross-platform, have a small system footprint, and be easily configured by system administrators who need to implement a specific security solution in a short amount of time.  They can be any set of software tools which can be assembled and put into action in response to evolving security situations.  Lightweight IDSs are small, powerful, and flexible enough to be used as permanent elements of the network security infrastructure.


Snort is well suited to fill these roles, weighing in at roughly 100 kilobytes in its compressed source distribution.  On most modern architectures Snort takes only a few minutes to compile and put into place, and perhaps another ten minutes to configure and activate.  Compare this with many commercial NIDSs, which require dedicated platforms and user training to deploy in a meaningful way.  Snort can be configured and left running for long periods of time without requiring monitoring or administrative maintenance, and can therefore also be utilized as an integral part of most network security infrastructures.


What is Snort?


Snort is a libpcap-based [PCAP94] packet sniffer and logger that can be used as a lightweight network intrusion detection system (NIDS).  It features rules-based logging to perform content pattern matching and detect a variety of attacks and probes, such as buffer overflows [ALE96], stealth port scans, CGI attacks, SMB probes, and much more.  Snort has real-time alerting capability, with alerts being sent to syslog, Server Message Block (SMB) "WinPopup" messages, or a separate "alert" file.  Snort is configured using command line switches and optional Berkeley Packet Filter [BPF93] commands.  The detection engine is programmed using a simple language that describes per-packet tests and actions.  Ease of use simplifies and expedites the development of new exploit detection rules.  For example, when the IIS Showcode [IISBT99] web exploits were revealed on the Bugtraq mailing list [BTQ99], Snort rules to detect the probes were available within a few hours.


Tripwire
 

About:
Tripwire is a system integrity checker, a utility that compares properties of designated files and directories against information stored in a previously generated database. Any changes to these files are flagged and logged, including those that were added or deleted, with optional email reporting. Additionally, support files (databases, reports, etc.) are cryptographically signed.



vendor maintenance of products (software / hardware)---> similar to VLAN?


Well, to make a long story short, VLAN has been integrated into the Linux kernel, and has a vibrant user base.  So, VLAN is supported.


traffic reporting for the network.


One of our significant pieces of new software that is going to emerge from this project is a set of reporting tools that rationalize detailed network statistics to "patient-encounters", for use by non-network personnel.


brainstorming.


Well, I guess this is my initial bet :-) Need any cards?




On Saturday 14 December 2002 09:50 pm, David Bucknell wrote:
> Dear Schoolforgers,
>
> I just got a good question from a friend in Canada and wonder if others
> might be willing to address this question as it is likely to come up again.
> I'd appreciate any help you might offer. Here goes:
>
> "We're looking at a project to put cache servers in a couple of schools
> with remote management from a company in British Columbia.  They would
> have to come through our district's firewall to replenish the servers at
> night.  That's not fraught with concerns, believe me. But, at a meeting
> yesterday, the people that we met with made a statement that I wish that
> I was more informed to challenge.  The comment went along the lines of
> "Well, it's Linux.  It's secure and you don't have to worry about
> hackers."  They also were unable to tell me about the software that would
> be used and also that this software had ways to cache dynamic content.
> ASP, etc.  So, I'm sitting there in the meeting with red flags and sirens
> going off but not familiar enough with Linux to return with probing
> questions.  Can you comment or point me somewhere on the net where I can
> do some serious reading?  Is there a particular piece of software running
> on Linux that is a good caching software that you'd recommend so that I
> can do some research?  As for caching dynamic content, I'm just going to
> have to wait and see this system live because it goes against everything
> that I think I know about the way these pages work! "
>
>
> Best wishes to you all,
> David
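The "master report" and tracking-ticket scheme described in the paper above, sketched as an added example (not code from the original post or from any product it names): a constructed sealed-proxy log is tied to an assumed IP-to-identity cross-reference and an assumed ticket table, accesses are counted per patient and month, and any access that no ticket explains is listed separately. The log format, table layouts and all names and addresses are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Constructed cross-reference tables (assumed format): the post notes that
# commercial tools lack an IP -> identity lookup, so one is supplied here.
IP_TO_PERSON = {"10.1.2.7": "Dr. Alvarez (clinic A)", "10.1.2.9": "Dr. Chen (clinic B)"}
# Tracking code -> (patient, permissible source IPs): one entry per permissible address.
TICKETS = {"TK-0417": ("DOE,JANE", {"10.1.2.7"}), "TK-0418": ("DOE,JANE", {"10.1.2.9"})}

# Constructed sealed-proxy log: timestamp, source IP, tracking code, patient, action.
SAMPLE_LOG = """\
2002-07-03T10:15:00 10.1.2.7 TK-0417 DOE,JANE view
2002-07-19T09:02:11 10.1.2.7 TK-0417 DOE,JANE view
2002-08-02T14:40:05 10.1.2.7 TK-0417 DOE,JANE view
2002-08-02T14:41:30 10.1.2.7 TK-0417 DOE,JANE view
2002-08-10T16:05:00 10.1.2.9 TK-0418 DOE,JANE view
2002-08-11T03:12:44 10.1.2.9 TK-0417 DOE,JANE view
2002-08-12T11:00:00 10.9.9.9 TK-0417 DOE,JANE view
"""
LINE_RE = re.compile(r"^(\d{4}-\d{2})-\d{2}T\S+ (\S+) (\S+) (\S+) (\S+)$")

def parse(log):
    """Yield (month, ip, ticket, patient, action) for each well-formed log line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()

def audit(log, patient):
    """Per-month access counts by identity for one patient, plus accesses no ticket explains."""
    by_month = defaultdict(Counter)
    unexplained = []
    for month, ip, ticket, pt, _action in parse(log):
        if pt != patient:
            continue
        who = IP_TO_PERSON.get(ip, "unknown host " + ip)
        by_month[month][who] += 1
        tk = TICKETS.get(ticket)
        # An access is explained only if its ticket exists, names this patient,
        # and was issued for the IP address the request came from.
        if tk is None or tk[0] != pt or ip not in tk[1]:
            unexplained.append((month, ip, ticket, who))
    return dict(by_month), unexplained

def variance(by_month, earlier, later):
    """Change in per-identity access counts between two months (the analyst's request)."""
    ids = set(by_month.get(earlier, {})) | set(by_month.get(later, {}))
    return {i: by_month.get(later, {}).get(i, 0) - by_month.get(earlier, {}).get(i, 0) for i in ids}
```

In the constructed log, two August requests use a ticket from the wrong address or an address with no identity at all; those are exactly the entries the post wants thrown into relief.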
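The integrit/Tripwire idea described above (snapshot the essential files, keep the database somewhere safe, later compare, with the database itself signed), as an added example that is not integrit's or Tripwire's own code: a minimal checker that records mode, size and SHA-256 per file, HMAC-signs the baseline, and then reports the added, removed and modified files after a constructed break-in in which "ls" is replaced and a setuid shell is planted. The HMAC key and the temporary directory layout are constructed for the demonstration.

```python
import hashlib, hmac, json, os, stat, tempfile

HMAC_KEY = b"constructed-demo-key"  # assumed; keep the real key off the monitored host

def snapshot(root):
    """Map relative path -> [mode, size, sha256] for every regular file under root."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets etc. are skipped in this demo
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            db[os.path.relpath(path, root)] = [st.st_mode, st.st_size, digest]
    return db

def sign_db(db):
    """Serialise the baseline and attach an HMAC, so a tampered database is detectable."""
    body = json.dumps(db, sort_keys=True).encode()
    return body, hmac.new(HMAC_KEY, body, hashlib.sha256).hexdigest()

def verify_db(body, tag):
    expected = hmac.new(HMAC_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)

def compare(baseline, current):
    """Report files added, removed, or changed (content, size or mode) since the baseline."""
    shared = baseline.keys() & current.keys()
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "modified": sorted(p for p in shared if baseline[p] != current[p])}

def demo():
    """Constructed scenario: baseline a fake bin/, then trojan ls and plant a setuid shell."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "bin"))
    for name in ("ls", "find"):
        with open(os.path.join(root, "bin", name), "w") as fh:
            fh.write("#!/bin/sh\necho genuine %s\n" % name)
    body, tag = sign_db(snapshot(root))  # the signed baseline goes somewhere safe
    with open(os.path.join(root, "bin", "ls"), "w") as fh:
        fh.write("#!/bin/sh\necho trojaned\n")  # intruder replaces ls
    os.mkdir(os.path.join(root, "tmp"))
    open(os.path.join(root, "tmp", "sh"), "w").close()
    os.chmod(os.path.join(root, "tmp", "sh"), 0o4755)  # setuid shell left behind
    assert verify_db(body, tag), "baseline database was tampered with"
    return compare(json.loads(body), snapshot(root))
```

Because the comparison uses the signed baseline rather than the host's own "find" and "ls", the report does not depend on tools the intruder may have replaced.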