AlienVault System Hardening
Version: 0.6
Date: 2015/07/22

Networking

Firewall

AlienVault USM uses a stateful firewall to keep access to the network services on the appliance to a minimum. By enabling the firewall the user decides to follow a deny-all policy with exceptions for AlienVault services. Users are advised to further tighten those exceptions to suit their environment.

Secure services

AlienVault uses encrypted connections wherever possible. Therefore, HTTP access to the platform is redirected to a secure HTTPS transport. Console access is possible through a secure shell connection. This ensures integrity, authenticity and confidentiality of data sent over those connections. The web-based UI can furthermore use custom certificates that are signed by a valid CA in order to prevent man-in-the-middle attacks.

Encrypted connections

All AlienVault services can optionally use an encrypted connection to communicate with each other. The encrypted connections between AlienVault USM components and services are encrypted using an AES256 key.

Minimal number of running services

AlienVault USM does not run unnecessary network services, to keep attackers from exploiting any additional running service.

Cryptographic Operations

Operation                             Algorithm (key or digest size)
Data encryption/decryption            AES (256 bits)
Cryptographic signature               RSA (1024 bits)
Cryptographic hashing                 RSA-SHA1 (160 bits)
Keyed-hash message authentication     HMAC-SHA1 (256 bits)
Random Bit Generation                 OpenSSL (128 bits / 256 bits in FIPS mode)

User Interface

Local web application firewall

As the AlienVault USM user interface is web-based, it needs to address known web attack patterns, mainly cross-site scripting, SQL injection attacks etc. AlienVault uses an extra layer of security in the form of a web application firewall middleware that checks and blocks known attacks and also covers unknown attacks that follow known patterns.

Filesystem Security

HIDS agent on AlienVault components

HIDS agents on all components record filesystem changes and report them to the central SIEM platform. HIDS agents also report user and group changes, logins, excessive web-server errors etc.

Auditing

Audit logging

All access to the system, both console and graphical user interface, is logged.

UI access logging

UI access is logged and can be retrieved as a table or a PDF/HTML report inside the platform.

Role-based access control using central authentication servers

AlienVault can optionally use a central authentication server (LDAP, Active Directory). Connections to the LDAP services can optionally be encrypted, guaranteeing integrity, authenticity and confidentiality of all user data sent over the LDAP channel.

Secure development

Identifying security problems

AlienVault uses the following strategies to identify security problems in the AlienVault products:

1. Daily monitoring of news sources that disclose vulnerabilities in the products built into the AlienVault solution. This includes but is not limited to:
   ○ Debian (debian-security-announce)
   ○ CVE (RSS feed provided by NVD)
   ○ SecurityFocus
   ○ General mailing lists for included open-source packages
2. Weekly scan of the current release of AlienVault using the latest rules available for the following security scanners:
   a. Nessus
   b. OpenVAS
3. Customers submitting issues that they discover

Patch schedule

Once an issue is discovered, AlienVault uses the CVSSv2 scoring system to determine the timeline for releasing a patch for it. AlienVault follows the NVD Vulnerability Severity Ratings to categorize the issues.

● High – CVSSv2 base score of 7.0-10.0
● Medium – CVSSv2 base score of 4.0-6.9
● Low – CVSSv2 base score of 0.0-3.9

Once categorized, AlienVault makes the following commitments to patch delivery. All timelines shown are based on the date the security problem is identified:

● High – Patch delivered within 7 calendar days
● Medium – Patch delivered within 8 weeks
● Low – Patch considered for delivery within 8 months

NOTE: Low severity includes very minor security issues such as disclosure of system information, and the value of fixing such issues is considered in the context of their impact on the system.

Release schedule

AlienVault releases a minor release for our software every month. This includes bug fixes and minor security issues. Critical issues are covered by hotfixes, which are released when serious vulnerabilities or bugs are discovered.

Awareness training for Engineering

AlienVault engineers regularly spend time on security awareness training. We're offering books, courses and seminars for our engineers to educate them to make our product more secure.

Static Source Code Analysis

Security Analysis (Fortify)

Continuous inspection of the source code, fully focused on detection (prevention) of source code blocks compromising the security of the system.

Programming Rules Standards (Sonar)

Continuous inspection of the source code to detect violations of coding rules standards. In addition to security, these checks are intended to improve other software health factors like reliability, efficiency and maintainability.

Best practices

Use certificates signed by a known CA

Using certificates issued by a browser-trusted CA will enable you to make sure that the user interface provides authenticity, confidentiality and integrity of data when working with the product's user interface.

Use the AlienVault USM firewall to protect your system against unauthorized access

The AlienVault USM firewall protects the system against unauthorized use. In order to further harden the system, users are advised to close down services to an absolute minimum. This includes:

● Grant SSH access to the list of authorized IPs only
● Grant HTTPS access to the list of authorized IPs only

Use a split superuser password in PCI environments to prevent superuser console access to the system

Currently the AlienVault USM appliance uses superuser (root) access via SSH. In order to prevent unauthorized access to the administrator account, we encourage users to split the superuser password into two parts and disallow unauthorized access by single users through this method.
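The firewall best practice above (a stateful deny-all policy with SSH and HTTPS opened only to a list of authorized IPs), as an added example that is not AlienVault's own firewall implementation: it assumes an iptables-based Linux host, uses constructed sample addresses, and prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not AlienVault's own firewall code): the deny-all policy
# with exceptions that the document describes, expressed as iptables rules.
# Assumes an iptables-based Linux host; the addresses are constructed samples.
# Rules are printed rather than applied so the set can be reviewed first.

# Accept IPv4 addresses and CIDR ranges only; anything else aborts the run
# so a typo cannot silently widen the exception list.
valid_src() {
  expr "$1" : '[0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\(/[0-9]\{1,2\}\)\{0,1\}$' >/dev/null
}

# gen_rules "<space-separated authorized sources>" [ssh_port] [https_port]
gen_rules() {
  allowed="$1"; ssh_port="${2:-22}"; https_port="${3:-443}"
  for src in $allowed; do
    valid_src "$src" || { echo "invalid source: $src" >&2; return 1; }
  done
  # default deny for inbound and forwarded traffic; the appliance may talk out
  echo "iptables -P INPUT DROP"
  echo "iptables -P FORWARD DROP"
  echo "iptables -P OUTPUT ACCEPT"
  echo "iptables -F INPUT"
  echo "iptables -A INPUT -i lo -j ACCEPT"
  # stateful part: replies to connections the appliance opened are allowed
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP"
  # exceptions: SSH and HTTPS, each only from the authorized list
  for src in $allowed; do
    echo "iptables -A INPUT -p tcp -s $src --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT"
    echo "iptables -A INPUT -p tcp -s $src --dport $https_port -m conntrack --ctstate NEW -j ACCEPT"
  done
  # plain HTTP is deliberately not opened; log (rate-limited) what the policy drops
  echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"usm-fw-deny: \""
  echo "iptables -A INPUT -j DROP"
}

# Apply a reviewed rule set (needs root): apply_rules "10.0.0.5 192.168.1.0/24"
apply_rules() { gen_rules "$@" | sh -e; }

if [ "${1:-}" = "--demo" ]; then
  gen_rules "10.0.0.5 192.168.1.0/24"
fi
```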