Security IT

Secure Your Network NSA-style

farker haiku writes "The NSA has unclassified a pdf on how to secure your network in sixty minutes. All in all, it's an interesting and informative read if you are in the security biz. The article covers a variety of topics such as Buffer Overflows, Intrusion Detection Systems and using Tripwire ASR to ensure the integrity of your network server."
  • by TripMaster Monkey ( 862126 ) * on Wednesday July 13, 2005 @01:48PM (#13056093)


    The NSA has unclassified a pdf on how to secure your network in sixty minutes.

    This was classified? All the information in this document has been freely available on the Web for quite some time now...

    I'm still gonna print this up and put it on my shelf...the NSA logo on the front looks pretty impressive. ^_^
  • I have been reading about Sudo, since both Apple and Ubuntu ship their operating systems with Root disabled and Sudo installed as a security measure. Taking this further, couldn't Sudo also be used as a method to reduce the number of setUID binaries on a Unix system, or does Sudo represent a problem when used this way?
    • couldn't Sudo also be used as a method to reduce the number of setUID binaries on a Unix system

      Hmm... not quite. They both have their purposes:

      • Sudo is used to allow a specific user to perform an administrative function (change network settings).
      • setUID is used when a user needs to perform a basic function, but needs administrative privileges to do so (change password; must update 'read-only' password files)

      There are other distinctions between them as well, but this should give you the idea of what e

      • This is not really accurate... there is effectively zero difference between setuid'ing a binary and adding sudo access to it with the NOPASSWD option.

        The benefit sudo gives you, however, is you can restrict the users and groups who have this sudo access on a more fine-grained basis, whereas a setuid binary can be accessed by anyone in that group.

        So really, the parent is right.

        • there is effectively zero difference between setuid'ing a binary and adding sudo access to it with the NOPASSWD option.

          Good point - you can implement setuid using sudo; I'd never thought of that, since it's easier to just chmod +s the requisite binary....

          I was more trying to describe how (fine-grained) sudo is different from setuid... but looking back, you're right: the parent asked if we can eliminate setuid using sudo, which we almost can.

          Except, remember: sudo *is* a setuid binary. :-)
        • The benefit sudo gives you, however, is you can restrict the users and groups who have this sudo access on a more fine-grained basis, whereas a setuid binary can be accessed by anyone in that group.

          With ACL (Access Control List) support in filesystems now, is sudo really more fine-grained at permissions than setting an ACL on the setuid file? or are they about equal?
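The subthread above turns on who can actually invoke a privileged binary: with setuid, every user whose group or "other" execute bit is set; with sudo, only the users the rule names. Whichever mechanism is chosen, the defender's first step is an inventory of what is setuid right now and whether that matches the set recorded at install time. The following Go program is an added example, not code from the thread, the NSA guide or any project: it walks a directory tree, reports every setuid regular file together with its group and world execute bits, and diffs the result against an approved baseline. The baseline paths in main are constructed placeholders.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// SetuidBinary describes one regular file carrying the setuid bit.
type SetuidBinary struct {
	Path      string
	Mode      fs.FileMode
	GroupExec bool // members of the owning group may invoke it
	OtherExec bool // every local account may invoke it
}

// Classify builds the record for a file from its mode bits; the second
// result is false when the file is not a setuid regular file.
func Classify(path string, mode fs.FileMode) (SetuidBinary, bool) {
	if !mode.IsRegular() || mode&fs.ModeSetuid == 0 {
		return SetuidBinary{}, false
	}
	return SetuidBinary{
		Path:      path,
		Mode:      mode,
		GroupExec: mode&0o010 != 0,
		OtherExec: mode&0o001 != 0,
	}, true
}

// ScanSetuid walks root without following symlinks and returns every
// setuid regular file sorted by path. Unreadable entries are skipped.
func ScanSetuid(root string) ([]SetuidBinary, error) {
	var found []SetuidBinary
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return nil // permission problems are not fatal for an inventory
		}
		info, err := d.Info()
		if err != nil {
			return nil
		}
		if b, ok := Classify(path, info.Mode()); ok {
			found = append(found, b)
		}
		return nil
	})
	sort.Slice(found, func(i, j int) bool { return found[i].Path < found[j].Path })
	return found, err
}

// Unexpected returns the scanned entries whose path is not in the baseline.
func Unexpected(found []SetuidBinary, baseline map[string]bool) []SetuidBinary {
	var extra []SetuidBinary
	for _, b := range found {
		if !baseline[b.Path] {
			extra = append(extra, b)
		}
	}
	return extra
}

func main() {
	root := "/usr/bin"
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	// Constructed baseline: in practice, record the list at install time.
	baseline := map[string]bool{"/usr/bin/passwd": true, "/usr/bin/sudo": true}
	found, err := ScanSetuid(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan:", err)
		os.Exit(1)
	}
	for _, b := range found {
		fmt.Printf("%s %s group-exec=%v other-exec=%v\n", b.Mode, b.Path, b.GroupExec, b.OtherExec)
	}
	for _, b := range Unexpected(found, baseline) {
		fmt.Println("NOT IN BASELINE:", b.Path)
	}
}
```

Run it as `go run . /usr/bin`; the "other-exec" column is the one to read against the comment above, since a setuid file that is world-executable is invocable by every account, and sudo (or a filesystem ACL) is how that circle gets narrowed.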

    • by Anonymous Coward
      sudo sh

      ownt!
      • by dougmc ( 70836 )

        ownt!

        ... only if your sudo rules allow invoking sh from sudo. This isn't so unreasonable if this user is permitted full root access anyways, but if the user is intended to only run a few things as root, then they should NOT have this access.

        Really, disabling the root account entirely and instead letting users (well, administrators) use sudo doesn't really increase security that much. If you have root access to the box, you have root access to the box, be it via su, login or sudo. If you have the

        • Also, if a user runs an untrusted binary, it can't do anything that their account can't do. If you setup sudo right, it will ask for their password, and they should know that something's wrong if the lima bean recipe program they downloaded is asking for root access.
      • "sudo -i" also works.
  • by Mad_Rain ( 674268 ) on Wednesday July 13, 2005 @01:53PM (#13056146) Journal
    What about the "Under 60 seconds method for securing your computer" ?

    Step 1. Unplug it.

    Ta-daaaa! Secure at last. ;)
  • The threats on the internet these days are significantly different from what they were back then.

    Still, it makes an interesting read. Not so much "Secure your network in 60 minutes", but rather, "the first 60 minutes towards ensuring your network is secure".
    • The threats on the internet these days are significantly different from what they were back then.

      Not that different. It's only three years ago, after all.

      Sure, there are certainly some differences, with certain types of threats becoming more common and other sorts of threats becoming less common, but I'm not really aware of any fundamentally new threats appearing during that period, at least not anything that the `old' defenses (as described by this paper) aren't effective against.

      Probably t

  • by ndansmith ( 582590 ) on Wednesday July 13, 2005 @01:55PM (#13056194)
    From the document (page 3): These updates where to fixes grammar and syntax

    I don't think they finished the job.

  • by (H)elix1 ( 231155 ) <slashdot.helix@nOSPaM.gmail.com> on Wednesday July 13, 2005 @01:56PM (#13056209) Homepage Journal
    A better link is here [nsa.gov]. Lots of good stuff from these guys. Worth a look.
  • The pdf states that passwords should "Be 12 or more characters in length on Windows systems, 8 characters in length on UNIX"

    Anyone care to explain this? 'Cause the file certainly doesn't.
    • Re:confused (Score:4, Informative)

      by CDarklock ( 869868 ) on Wednesday July 13, 2005 @02:13PM (#13056405) Homepage Journal
      The LAN Manager hash algorithm splits a password of up to 14 characters into two blocks of 7 characters, the second block null-padded to size. The LM hash values for single- and dual-character second blocks are well known, so an eight- or nine-character password on Windows using the LM hash is effectively a seven-character password.

      This assumes you have some systems which can ONLY use the LM hash. Systems with later capabilities can be forced NEVER to use LM hashing by simply using a 15-character password or longer, which won't fit in an LM hash even if it is enabled (which it shouldn't be these days, *unless* you have legacy systems that require it).
    • Re:confused (Score:3, Informative)

      Both Unix and Windows use slightly different one-way hashes for encrypting and storing passwords. These character length recommendations are based on those hash algorithms- and happen to be the number of bytes actually stored. IIRC- and I'm not at all sure that I do- these hash algorithms using one-way mathematics recurse down when they hit their stored character limit- using both the next character and the hash of the first character as input for the second time through the algorithm. Thus a longer p
    • Windows traditionally stored the password in a weakened form [wikipedia.org], and could be induced to transmit it in said weakened form via the network as well. In the event that a Windows password is intercepted, it is possible to brute-force the weakened hash more easily than, say, an MD5 hash.

      Also, IIRC, "traditional" Unixes had issues with >8 character passwords, in the days before MD5/Twofish shadow passwords.
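CDarklock's explanation of the 7+7 split is easiest to see by computing the LM hash and looking at the two halves separately. The Go program below is an added example, not code from the thread or the NSA guide; it implements the LAN Manager scheme (upper-case, pad or truncate to 14 bytes, DES-encrypt the constant "KGS!@#$%" under each 7-byte half) with the standard library's crypto/des. It assumes ASCII passwords (real LM used the OEM code page for upper-casing) and leaves DES parity bits clear, which Go's DES ignores. The functions show why an 8-character password contributes a single character to its second half, and why a 15-character password does not fit in an LM hash at all.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed DES plaintext that LAN Manager encrypts.
var lmMagic = []byte("KGS!@#$%")

// desKeyFrom7 spreads a 7-byte half over the 8 bytes of a DES key, leaving
// the low bit of each byte for parity. Go's crypto/des ignores parity, so
// the parity bit is simply left clear (an assumption stated in the lead-in).
func desKeyFrom7(s []byte) []byte {
	key := []byte{
		s[0] >> 1,
		(s[0]&0x01)<<6 | s[1]>>2,
		(s[1]&0x03)<<5 | s[2]>>3,
		(s[2]&0x07)<<4 | s[3]>>4,
		(s[3]&0x0F)<<3 | s[4]>>5,
		(s[4]&0x1F)<<2 | s[5]>>6,
		(s[5]&0x3F)<<1 | s[6]>>7,
		s[6] & 0x7F,
	}
	for i := range key {
		key[i] <<= 1
	}
	return key
}

// lmHalf DES-encrypts the magic constant under one 7-byte password half.
func lmHalf(half []byte) []byte {
	block, err := des.NewCipher(desKeyFrom7(half))
	if err != nil {
		panic(err) // the key is always 8 bytes, so NewCipher cannot fail
	}
	out := make([]byte, 8)
	block.Encrypt(out, lmMagic)
	return out
}

// lmBlocks upper-cases the password (ASCII only here), truncates or NUL-pads
// it to 14 bytes and returns the two 7-byte halves the LM scheme hashes.
func lmBlocks(password string) ([]byte, []byte) {
	buf := make([]byte, 14)
	copy(buf, strings.ToUpper(password))
	return buf[:7], buf[7:]
}

// LMHalves returns the two 8-byte halves of the LM hash as upper-case hex.
func LMHalves(password string) (string, string) {
	a, b := lmBlocks(password)
	return strings.ToUpper(hex.EncodeToString(lmHalf(a))),
		strings.ToUpper(hex.EncodeToString(lmHalf(b)))
}

// LMHash returns the full 16-byte LM hash as 32 upper-case hex characters.
func LMHash(password string) string {
	a, b := LMHalves(password)
	return a + b
}

// FitsLM reports whether the password fits the 14-byte LM buffer at all;
// Windows stores no LM hash for a password of 15 characters or more.
func FitsLM(password string) bool {
	return len(password) <= 14
}

func main() {
	// "password" ends in a lone "d", so its second half equals the first
	// half of LMHash("d"); "abcdefg" has an all-NUL second half, whose
	// hash is the same for every 7-character password.
	for _, pw := range []string{"", "d", "abcdefg", "password", "Password", strings.Repeat("x", 15)} {
		a, b := LMHalves(pw)
		fmt.Printf("%-18q fits=%-5v first=%s second=%s\n", pw, FitsLM(pw), a, b)
	}
}
```

Running it shows the same second-half value for "abcdefg" and "" (the hash of seven NULs), and the same value in the second half of "password" and the first half of "d": the halves are independent, so each one is attacked on its own, which is the whole of the argument for the 15-character floor or for disabling LM storage outright.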
  • NSA-style? (Score:3, Interesting)

    by dougmc ( 70836 ) <dougmc+slashdot@frenzied.us> on Wednesday July 13, 2005 @02:33PM (#13056614) Homepage
    This is securing your network NSA-style?

    Somehow I doubt it.

    In general, this is a pretty reasonable approach to securing your network. It's much more secure than it was when you started, but it's not locked down so tight that you can't get any work done on it.

    Like the rest of the world, the computers at the NSA are probably locked down to varying degrees depending on their function and the type of data they contain.

    This general sort of lockdown (as described in this document) might be appropriate for systems that don't contain confidential information and don't perform mission critical services, but I would imagine that `NSA-style' would really apply to the systems that contain confidential, top secret, etc. information, and the degree that these systems would be locked down would be much much more than is described in this document. And is probably still classified, though much of it could probably be figured out by anybody skilled in the area of computer security.

    For starters, the `top secret' computers at the NSA probably don't have any network access at all, or if they do have some, it's to a small, secure network of similarly secured systems (and NOT to the Internet) and physical security is taken to the extremes (think movies like Mission Impossible.) Code probably isn't run on these systems that hasn't been gone over, line by line, by the NSA itself. This sort of scrutiny requires lots of time and money, so any software being run is probably relatively old. The hardware itself is probably checked similarly, so it's likely to not be state of the art itself, except for the security components used to protect it.

    THAT would be `NSA-style'. And the only way you're likely to read the books on how that works are to 1) get the appropriate clearances from the government (Classified? Top Secret? I don't know), 2) get a job with the NSA, and 3) *need to know* what's in that book.

    • Code probably isn't run on these systems that hasn't been gone over, line by line, by the NSA itself.


      Are you trying to imply that the NSA only runs in-house software or FOSS programs? Do you REALLY think Microsoft would allow that? Somehow I doubt it. Why would they trust that insecure, terrorist-supporting software when they can use trusted, innovative software?
      • Are you trying to imply that the NSA only runs in-house software or FOSS programs? Do you REALLY think Microsoft would allow that?

        If the NSA asked Microsoft for their source code, they'd probably get it. And they probably have asked for it, and have probably had it for a long time now.

        Microsoft actually does give out their source code (or at least parts of it) to companies who have a serious need for it, and are willing to sign all sorts of NDAs to get access to it.

        I certainly do believe tha

  • by Anonymous Coward
    1. Dig big hole
    2. Place large concrete box in hole
    3. Place computer in concrete box
    4. Fill box with molten lead
    5. Cover box with concrete lid
    6. Fill in hole


  • We have seen a doc like this on /. before...it's been around long enough. NSA put out a report [ Report # C43-002R-2004 ] In June of 04. I downloaded it on Nov 5 because it was in a /. post [slashdot.org] The layered security doc addresses worms and viruses and is NEWER than the document mentioned in this post. Both are good stuff but the older one has lots of IP nuts and bolts that are interesting and useful. Many programmers would want to print out table 5 and tape it on their cube wall. [If they don't have default po
  • Hit the link, and you will be deemed to be willfully attacking a government security computer. Don your tinfoil hats, the black helicopters will descend! :)


  • From the cover page of the NSA Guide:

    Updated July 12, 2002

    Version 1.2

    The Guide has been the same for almost exactly 3 years.
  • Sixty minutes? Pfft. I can secure any network in sixty seconds. You can, too, with these instructions [dumbentia.com].
  • Excellent! Just what I was looking for to help secure my network.

    But I don't quite understand some of the steps in the document. For example, what do these lines do?
    Router(config)# useradd -r -m nsa
    Router(config)# echo nsa | passwd --stdin
    Router(config)# echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
    Oh well. To paraphrase Superman, If we can't trust the NSA, who can we trust?
    • What does the "-r" part of useradd do? I can't find it anywhere in the man page (at least not in Ubuntu Linux's man page of "useradd"). (I know the parent post is a joke.)
      • It creates a "system" account with a UID lower than the one specified by UID_MIN in your login.defs config file. Basically a super user account/root account/whatever. It will not however create a home directory without the -m flag. This will simplify the hacker's life, as too many new linux guys try to stay as far away from manual config as possible, and wouldn't be modifying the passwd file themselves, so they would only notice an extra home directory.
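The joke above has a real detection behind it: an account in the system UID range (below UID_MIN, which is where useradd -r allocates) that nevertheless has a login shell or a home directory under /home, or a second account with UID 0, is exactly what a passwd audit should flag. The Go program below is an added example, not code from the thread or the NSA guide; it parses passwd(5)-format text and a login.defs fragment and reports such accounts. The two input samples are constructed for the example and are not taken from any real system.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Account holds the passwd(5) fields the audit needs.
type Account struct {
	Name  string
	UID   int
	Home  string
	Shell string
}

// Finding pairs an account with the reasons it was flagged.
type Finding struct {
	Account Account
	Reasons []string
}

// SamplePasswd is constructed input standing in for /etc/passwd: "nsa"
// mimics an account created with "useradd -r -m", "toor" a second UID 0.
const SamplePasswd = `root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
nsa:x:999:999::/home/nsa:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0::/root:/bin/sh
`

// SampleLoginDefs is constructed input standing in for /etc/login.defs.
const SampleLoginDefs = `# constructed sample
UID_MIN   1000
UID_MAX  60000
`

// ParsePasswd parses passwd-format text; malformed lines are skipped.
func ParsePasswd(text string) []Account {
	var accts []Account
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Split(sc.Text(), ":")
		if len(f) != 7 {
			continue
		}
		uid, err := strconv.Atoi(f[2])
		if err != nil {
			continue
		}
		accts = append(accts, Account{Name: f[0], UID: uid, Home: f[5], Shell: f[6]})
	}
	return accts
}

// UIDMin returns UID_MIN from login.defs text, or 1000 when it is absent.
func UIDMin(loginDefs string) int {
	sc := bufio.NewScanner(strings.NewReader(loginDefs))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 2 && f[0] == "UID_MIN" {
			if n, err := strconv.Atoi(f[1]); err == nil {
				return n
			}
		}
	}
	return 1000
}

// noLoginShells are the shells that mark an account as non-interactive.
var noLoginShells = map[string]bool{
	"": true, "/bin/false": true, "/usr/bin/false": true,
	"/sbin/nologin": true, "/usr/sbin/nologin": true,
}

// AuditSystemAccounts flags accounts below uidMin that look interactive
// (a real shell or a home under /home) and any UID-0 account besides root.
func AuditSystemAccounts(accts []Account, uidMin int) []Finding {
	var out []Finding
	for _, a := range accts {
		var why []string
		if a.UID == 0 && a.Name != "root" {
			why = append(why, "second UID 0 account")
		}
		if a.UID != 0 && a.UID < uidMin {
			if !noLoginShells[a.Shell] {
				why = append(why, "system account with login shell "+a.Shell)
			}
			if strings.HasPrefix(a.Home, "/home/") {
				why = append(why, "system account with home "+a.Home)
			}
		}
		if len(why) > 0 {
			out = append(out, Finding{Account: a, Reasons: why})
		}
	}
	return out
}

func main() {
	findings := AuditSystemAccounts(ParsePasswd(SamplePasswd), UIDMin(SampleLoginDefs))
	for _, f := range findings {
		fmt.Printf("%s (uid %d): %s\n", f.Account.Name, f.Account.UID, strings.Join(f.Reasons, "; "))
	}
}
```

On the constructed sample it reports "nsa" twice (shell and home) and "toor" once; to run it against a live host, feed the contents of /etc/passwd and /etc/login.defs in place of the two constants.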
