AlienVault System Hardening

Version: 0.6
Date: 2015/07/22
Networking
Firewall
AlienVault USM uses a stateful firewall to keep access to the network services on the appliance to a minimum.
By enabling the firewall the user opts into a deny-all policy with exceptions only for AlienVault services. Users are advised to tighten those exceptions further to suit their environment, for example by limiting each exception to the source networks that actually need it.
Secure services
AlienVault uses encrypted connections wherever possible. HTTP access to the platform is therefore redirected to HTTPS, and console access is only possible over SSH. Provided the client verifies the server certificate or SSH host key it is presented with, this ensures the integrity, authenticity and confidentiality of data sent over those connections.
The web-based UI can furthermore use custom certificates signed by a CA that the client trusts, so that browsers can detect and refuse man-in-the-middle attacks instead of merely warning about an untrusted certificate.
Encrypted connections
All AlienVault services can optionally use an encrypted connection to communicate with each other. The connections between AlienVault USM components and services are encrypted with AES-256.
Minimal number of running services
AlienVault USM does not run unnecessary network services, so that an attacker has no additional listening service to exploit.
Cryptographic Operations
Data encryption/decryption: AES (256 bits)
Cryptographic signature: RSA (1024 bits)
Cryptographic hashing: SHA-1 (160 bits), as used by the RSA-SHA1 signature scheme
Keyed-hash message authentication: HMAC-SHA1 (256 bits; the SHA-1 based tag itself is 160 bits long, so the 256-bit figure can only describe the key, not the tag)
Random bit generation: OpenSSL (128 bits / 256 bits in FIPS mode)
NOTE: 1024-bit RSA and SHA-1 signatures are below current minimums. NIST has recommended RSA keys of at least 2048 bits since 2013, and browsers no longer accept SHA-1 signed certificates. Wherever the platform lets you supply your own keys and certificates, use 2048-bit or larger RSA keys with SHA-256.
User Interface
Local web application firewall
Because the AlienVault USM user interface is web-based, it has to address known web attack patterns, chiefly cross-site scripting and SQL injection. AlienVault adds an extra layer of security in the form of a web application firewall middleware that checks requests and blocks known attacks, and also covers unknown attacks that follow known patterns. A WAF is a compensating control: it complements input validation and output encoding in the application itself rather than replacing them.
Filesystem Security
HIDS agent on AlienVault components
HIDS agents on all components record filesystem changes and report them to the central SIEM platform.
HIDS agents also report user and group changes, logins, excessive web-server errors etc.
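As an added illustration of what the HIDS agent's filesystem monitoring does (example code written for this page, not the agent's implementation), the following POSIX shell functions baseline a directory tree by file hash and then report every added, modified and removed file against that baseline. It assumes sha256sum (or shasum) is installed; the tree built by the demo under a temporary directory is constructed for the example.

```shell
#!/bin/sh
# Added example, not AlienVault/HIDS agent code: baseline a directory's file
# hashes, then report added, modified and removed files against that baseline.
# Assumes sha256sum (coreutils) or shasum (perl) is installed.

# hash_file PATH: print "HASH  PATH" using whichever tool is present.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# hash_tree DIR: one "HASH  PATH" line per regular file under DIR.
hash_tree() {
    find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        hash_file "$f"
    done
}

# fim_baseline DIR BASELINE: record the current state of DIR in BASELINE.
fim_baseline() {
    hash_tree "$1" > "$2"
}

# fim_check DIR BASELINE: print "added|modified|removed PATH" per change.
# Returns 0 when the tree matches the baseline, 1 when anything differs.
fim_check() {
    dir=$1; base=$2; rc=0
    now=$(mktemp)
    hash_tree "$dir" > "$now"
    # Pass 1: every file present now, compared with its baseline hash.
    while IFS= read -r line; do
        h=${line%%  *}; p=${line#*  }
        old=$(awk -v p="$p" '{ path = substr($0, index($0, "  ") + 2) }
                             path == p { print $1 }' "$base")
        if [ -z "$old" ]; then
            echo "added $p"; rc=1
        elif [ "$old" != "$h" ]; then
            echo "modified $p"; rc=1
        fi
    done < "$now"
    # Pass 2: baseline entries whose file no longer exists.
    while IFS= read -r line; do
        p=${line#*  }
        [ -e "$p" ] || { echo "removed $p"; rc=1; }
    done < "$base"
    rm -f "$now"
    return $rc
}

# demo: constructed tree under a temp dir, baselined and then tampered with.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/etc"
    echo "root:x:0:0:root:/root:/bin/bash" > "$d/etc/passwd"
    echo "PermitRootLogin no" > "$d/etc/sshd_config"
    fim_baseline "$d" "$d.baseline"
    echo "backdoor:x:0:0::/:/bin/sh" >> "$d/etc/passwd"   # modified
    echo "x" > "$d/etc/ld.so.preload"                      # added
    rm -f "$d/etc/sshd_config"                             # removed
    fim_check "$d" "$d.baseline"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh fim.sh demo` to see the three change classes reported. A real agent keeps the baseline off the monitored host (here it is forwarded to the SIEM), because an attacker who can alter files can otherwise also alter the baseline.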
Auditing
Audit logging
All access to the system, both console and graphical user interface, is logged.
UI access logging
UI access is logged and can be retrieved as a table or a PDF/HTML report inside the platform.
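The console-access logging above produces sshd authentication records. As an added example of the detection logic a SIEM runs over such records (written for this page, not AlienVault's own correlation rules), the following POSIX shell functions parse sshd log lines and surface successful logins, failed attempts per source, and the tell-tale "many failures, then a success" pattern. The log lines, host name and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not AlienVault correlation logic: detection over sshd log
# lines of the kind the appliance's audit logging and HIDS agent collect.
# The sample log is constructed (RFC 5737 test addresses).

sample_authlog() {
    cat <<'EOF'
Jul 22 10:01:02 usm sshd[2201]: Accepted publickey for root from 10.0.0.5 port 51234 ssh2: RSA SHA256:k3yF1ngerpr1nt
Jul 22 10:01:05 usm sshd[2202]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
Jul 22 10:01:06 usm sshd[2203]: Failed password for root from 203.0.113.9 port 40002 ssh2
Jul 22 10:01:07 usm sshd[2204]: Failed password for root from 203.0.113.9 port 40003 ssh2
Jul 22 10:01:09 usm sshd[2205]: Accepted password for root from 203.0.113.9 port 40004 ssh2
Jul 22 10:02:00 usm sshd[2206]: Failed password for root from 198.51.100.7 port 2222 ssh2
Jul 22 10:02:30 usm sshd[2207]: Connection closed by 198.51.100.7 port 2222 [preauth]
EOF
}

# ssh_accepted LOG: "IP USER METHOD" for every successful login.
# The token after "from" is the source address, the one after "for" the user.
ssh_accepted() {
    awk '/sshd\[[0-9]+\]: Accepted / {
        for (i = 1; i <= NF; i++) { if ($i == "from") ip = $(i + 1); if ($i == "for") user = $(i + 1) }
        print ip, user, $7
    }' "$1"
}

# ssh_failed_by_ip LOG: "COUNT IP" per source with failed password attempts, most first.
ssh_failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
        for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
    } END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# ssh_success_after_failures LOG THRESHOLD: sources that failed at least
# THRESHOLD times and then logged in, i.e. a password guess that worked.
ssh_success_after_failures() {
    awk -v thr="$2" '
        /sshd\[[0-9]+\]: Failed password for / { for (i = 1; i <= NF; i++) if ($i == "from") fail[$(i + 1)]++ }
        /sshd\[[0-9]+\]: Accepted /           { for (i = 1; i <= NF; i++) if ($i == "from") ok[$(i + 1)] = 1 }
        END { for (ip in ok) if (fail[ip] >= thr) print ip }' "$1"
}

# demo: run all three checks over the constructed log.
demo() {
    f=$(mktemp); sample_authlog > "$f"
    echo "== successful logins";          ssh_accepted "$f"
    echo "== failures per source";        ssh_failed_by_ip "$f"
    echo "== success after >=3 failures"; ssh_success_after_failures "$f" 3
    rm -f "$f"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

On the sample data the third check flags 203.0.113.9: three failed root passwords followed by a successful password login from the same address, which is exactly the event a root-over-SSH appliance should alert on rather than merely record.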
Role-based access control using central authentication servers
AlienVault can optionally use a central authentication server (LDAP, Active Directory). Connections to the LDAP service can optionally be encrypted, which protects the integrity, authenticity and confidentiality of the credentials and user data sent over the LDAP channel, provided the appliance validates the directory server's certificate.
Secure development
Identifying security problems
AlienVault uses the following strategies to identify security problems in the AlienVault products:
1. Daily monitoring of news sources that disclose vulnerabilities in the products built into the AlienVault solution. This includes but is not limited to:
   ○ Debian (debian-security-announce)
   ○ CVE (RSS feed provided by NVD)
   ○ SecurityFocus
   ○ General mailing lists for included open-source packages
2. Weekly scan of the current release of AlienVault using the latest rules available for the following security scanners:
   a. Nessus
   b. OpenVAS
3. Customers submitting issues that they discover
Patch schedule
Once an issue is discovered, AlienVault uses the CVSSv2 scoring system to determine the timeline for releasing a patch. AlienVault follows the NVD Vulnerability Severity Ratings to categorize the issues:
● High – CVSSv2 base score of 7.0-10.0
● Medium – CVSSv2 base score of 4.0-6.9
● Low – CVSSv2 base score of 0.0-3.9
Once an issue is categorized, AlienVault makes the following commitments to delivery of a patch. All timelines are measured from the date the security problem is identified:
● High – Patch delivered within 7 calendar days
● Medium – Patch delivered within 8 weeks
● Low – Patch considered for delivery within 8 months
NOTE: Low severity includes very minor security issues such as disclosure of system information; the value of fixing such issues is weighed against their impact on the system.
Release schedule
AlienVault releases a minor release of its software every month. This includes bug fixes and fixes for minor security issues.
Critical issues are covered by hotfixes, which are released when serious vulnerabilities or bugs are discovered.
Awareness training for Engineering
AlienVault engineers regularly spend time on security awareness training. Books, courses and seminars are offered to engineers to educate them in making the product more secure.
Static Source Code Analysis
Security Analysis (Fortify)
Continuous inspection of the source code, focused on detecting (and thereby preventing) code that compromises the security of the system.
Programming Rules Standards (Sonar)
Continuous inspection of the source code to detect violations of coding standards. In addition to security, these checks are intended to improve other software health factors such as reliability, efficiency and maintainability.
Best practices
Use certificates signed by a known CA
Using certificates issued by a browser-trusted CA lets users verify that they are talking to the genuine user interface, which is what makes the authenticity, confidentiality and integrity guarantees of the HTTPS connection meaningful when working with the product's user interface.
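As an added example (not AlienVault's own tooling), the following POSIX shell script shows the two halves of that practice: generating a certificate signing request for the UI with the hostname in a subjectAltName, which browsers require, and checking that the certificate the CA returns chains to a trusted root and names the right host before it is installed. The CA used here is a throwaway one generated locally to stand in for a real, browser-trusted CA, and the hostname usm.example.internal is an assumption for the demo.

```shell
#!/bin/sh
# Added example, not AlienVault's own tooling: create a CSR for the USM web
# UI (hostname in a subjectAltName, which browsers require) and check that
# the certificate a CA hands back chains to a trusted root and names the
# right host before installing it. The "CA" below is a throwaway one made
# locally to stand in for a real, browser-trusted CA; the hostname
# usm.example.internal is an assumption for the demo.

# make_csr DIR HOST: writes DIR/server.key (2048-bit RSA) and DIR/server.csr.
make_csr() {
    dir=$1; host=$2
    cat > "$dir/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host
extendedKeyUsage = serverAuth
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/csr.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
}

# verify_chain CA_BUNDLE CERT HOST: 0 only if CERT chains to CA_BUNDLE and
# carries HOST in its SAN; either failure is a reason not to install it.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -text | grep -qF "DNS:$3" || return 1
}

# make_test_ca DIR: throwaway CA (constructed for the demo only), with the
# CA extensions spelled out so the result does not depend on openssl.cnf.
make_test_ca() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Test CA
[v3_ca]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 2 \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# sign_csr DIR: the CA issues server.crt, copying the SAN from the request.
sign_csr() {
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$1/csr.cnf" -extensions v3_req \
        -out "$1/server.crt" 2>/dev/null
}

# demo: request, issue, verify, then show that a foreign CA is rejected.
demo() {
    d=$(mktemp -d)
    make_test_ca "$d"
    make_csr "$d" usm.example.internal
    sign_csr "$d"
    verify_chain "$d/ca.crt" "$d/server.crt" usm.example.internal \
        && echo "chain OK: install server.crt and server.key"
    other=$(mktemp -d); make_test_ca "$other"
    verify_chain "$other/ca.crt" "$d/server.crt" usm.example.internal \
        || echo "rejected: certificate does not chain to the trusted CA"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

In production only make_csr and verify_chain apply: send server.csr to your CA, keep server.key on the appliance, and run verify_chain against the CA bundle your users' browsers trust before replacing the UI certificate. The private key never leaves the appliance.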
Use the AlienVault USM firewall to protect your system against unauthorized access
The AlienVault USM firewall protects the system against unauthorized use. To harden the system further, users are advised to reduce exposed services to an absolute minimum. This includes:
● Grant SSH access to the list of authorized IPs only
● Grant HTTPS access to the list of authorized IPs only
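As an added example (not the appliance's own firewall configuration), the following POSIX shell script builds an iptables-restore ruleset that implements the deny-all policy described under Firewall with exactly the two exceptions listed above, each limited to named management networks, plus port 80 from the same networks so the HTTP-to-HTTPS redirect described under Secure services keeps working. The management CIDRs in the demo are constructed; ports for the appliance's own collection services are deliberately left to the reader, since they depend on which sensors and agents are deployed.

```shell
#!/bin/sh
# Added example, not AlienVault's firewall implementation: emit a deny-all
# iptables ruleset (iptables-restore format) whose only inbound exceptions
# are SSH and HTTPS from named management networks. CIDRs used in the demo
# are constructed; add the appliance's collection ports with allow_tcp/udp.

# allow_tcp PORT CIDR[,CIDR...]: one ACCEPT rule per listed source network.
allow_tcp() {
    port=$1
    printf '%s\n' "$2" | tr ',' '\n' | while IFS= read -r net; do
        [ -n "$net" ] || continue
        echo "-A INPUT -p tcp --dport $port -s $net -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# allow_udp PORT CIDR[,CIDR...]: same for UDP collectors (e.g. syslog).
allow_udp() {
    port=$1
    printf '%s\n' "$2" | tr ',' '\n' | while IFS= read -r net; do
        [ -n "$net" ] || continue
        echo "-A INPUT -p udp --dport $port -s $net -j ACCEPT"
    done
}

# reject_open_world CIDR-LIST: refuse a list that would expose a management
# service to every address (or is empty), the mistake that defeats the exercise.
reject_open_world() {
    case ",$1," in
        *,0.0.0.0/0,*|*,any,*|*,,*)
            echo "refusing to open a management service to the world: '$1'" >&2
            return 1 ;;
    esac
    return 0
}

# usm_ruleset SSH_NETS HTTPS_NETS: print the complete filter table.
usm_ruleset() {
    reject_open_world "$1" || return 1
    reject_open_world "$2" || return 1
    echo '*filter'
    echo ':INPUT DROP [0:0]'          # deny-all inbound by default
    echo ':FORWARD DROP [0:0]'        # the appliance is not a router
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    allow_tcp 22 "$1"                 # SSH console, authorized IPs only
    allow_tcp 443 "$2"                # HTTPS UI, authorized IPs only
    allow_tcp 80 "$2"                 # only so the HTTP->HTTPS redirect reaches the same clients
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "usm-fw-drop: " --log-level 4'
    echo 'COMMIT'
}

# Demo with constructed management networks.
if [ "${1:-}" = "demo" ]; then
    usm_ruleset "10.0.0.0/24,192.0.2.10/32" "10.0.0.0/24"
fi
```

Review the output, then load it on the appliance with `iptables-restore`, keeping the current console session open until SSH has been confirmed to work from an authorized address: with a DROP default policy, a typo in the allow-list locks you out. The logged drops feed straight back into the audit logging described above.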
Use a split superuser password in PCI environments to prevent superuser console access to the system
Currently the AlienVault USM appliance uses superuser (root) access via SSH. To prevent unauthorized use of the administrator account, we encourage users to split the superuser password into two parts held by different people, so that no single user can log in as root on their own (a two-person control). Because the root account is still shared, keep the audit logging described above enabled so that every root session is recorded.