Protogate Freeway® Security Features User’s Guide (SFUG)
DC 908-3004A
Protogate, Inc., 12225 World Trade Drive, Suite R, San Diego, CA 92128 USA
Web: www.protogate.com
Email: sales@protogate.
Protogate Freeway® Security Features User’s Guide (SFUG): DC 908-3004A by Protogate, Inc. Published October 2013 Copyright © 2013 Protogate, Inc. This Freeway® Security Features User’s Guide (SFUG) document describes the components of the Protogate Freeway software which can be used to enhance security.
Preface
Purpose of Document
This Freeway® Security Features User’s Guide (SFUG) document identifies the capabilities of a Freeway which can be used to enhance security.
Intended Audience
The contents of this document are considered to be sensitive, and dissemination of this document should be restricted; only those who are interested in improving the security level of Protogate Freeway systems should read this document.
Preface Protogate Freeway Security Features User’s Guide (SFUG)
Appendix A includes a sample rc.startsra file, to show how to configure and enable many of the security features described in this document.
Protogate References
The following general product documentation list is provided to familiarize you with the available Protogate Freeway and embedded ICP products. Most of these documents are available on-line at Protogate’s website (http://www.protogate.com/).
ICP2432 Hardware Description and Theory of Operation DC-900-1501 ICP2432 Electrical Interfaces (Addendum to DC-900-1501) ICP2432 Hardware Installation Guide DC-900-1566 DC-900-1502 ICP2432B Hardware Installation Guide DC-900-2009 Freeway Software Installation and Configuration Support Documents Freeway User Guide DC-900-1333 Freeway Loopback Test Procedures Freeway Release Addendum: Client Platforms DC-900-1533 DC-900-1555 Freeway M
OS/Impact Programmer Guide DC-900-1030 Freeway OS/Protogate Programmer’s Guide Protocol Software Toolkit Programmer Guide DC-900-2008 DC-900-1338 Protocol Software Toolkit Programmer’s Guide (ICP2432B) DC-900-2007 Protocol Support Documents ADCCP NRM Programmer Guide DC-900-1317 Asynchronous Wire Service (AWS) Programmer Guide AUTODIN Programmer Guide DC-900-1324 DC-908-1558 Bit-Stream Protocol Programmer Guide BSC Programmer Guide
Customer Support
If you are having trouble with any Protogate product, call us at 1-858-451-0865 (U.S.) Monday through Friday between 8 a.m. and 5 p.m. Pacific time. You can also fax your questions to us at (858) 451-2865 or (877) 473-0190 any time. Please include a cover sheet addressed to "Customer Service." We are always interested in suggestions for improving our products.
Chapter 1. Scope
1.1. Identification
This document describes the capabilities of a Protogate Freeway® which can be used to enhance security.
1.2. System Overview
The Protogate Freeway is a data communication system which connects one or more serial-link channels (Wide-Area-Network, or WAN channels) of various types to one or more IP (Internet Protocol) networks. The Freeway acts as a gateway, providing WAN channel access to clients on the IP network.
Chapter 2. Reference Documents A full list of Protogate documents is in the Preface Section of this document. Documents referenced by this Freeway Security Features User’s Guide (SFUG) document are listed in Table 2-1. Table 2-1.
Chapter 3. Logs
This chapter describes how to set up and use logging on a Freeway. Logging is useful to keep security high because it allows a system administrator to examine the past history of the Freeway system: to see if the Freeway is being attacked or used in an inappropriate way, if some errors have occurred or resources are being over-utilized, which users have logged in, etc.
3.1. Configuring Logging
The Freeway uses the syslogd daemon to log system events, and the /etc/syslog.
(generally once per day) by the cron daemon. Figure 3-2 shows lines which could be added to a Freeway’s /usr/local/freeway/boot.src/rc.startsra file to rotate and maintain the syslog logs:
Figure 3-2. Rotate the Log Files
echo "# logfilename
echo "${LOG_DIR}/all.
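As an added example (not from this guide or the Freeway software), a small check that every log file named in syslog.conf has a matching rotation rule in newsyslog.conf, plus a helper that emits a rule in the format the guide uses; the function names and the constructed sample files are assumptions.

```shell
#!/bin/sh
# Added example, not from the guide or the Freeway software: verify that every
# log file written by syslog.conf also has a rotation rule in newsyslog.conf,
# so no Freeway log grows without bound on the /var partition. File paths are
# arguments, so the check runs on the constructed copies below instead of the
# live /etc files. Function names are assumptions.

# Targets of active syslog.conf lines ("selector<tab>action"), file actions
# only: remote "@host" actions, pipes and user lists are skipped.
syslog_targets() {
    awk '$0 !~ /^[ \t]*#/ && NF >= 2 && $2 ~ /^\// { print $2 }' "$1"
}

# Files covered by active newsyslog.conf rules (first field is the path).
newsyslog_targets() {
    awk '$0 !~ /^[ \t]*#/ && $1 ~ /^\// { print $1 }' "$1"
}

# Rotation rule in the form the guide uses: mode 644, keep 31 old copies,
# rotate daily at 05:00 regardless of size (*), gzip (Z) after waiting for
# any earlier compression job (W).
rotation_rule() {
    echo "$1 644 31 * @T05 WZ"
}

# unrotated_logs SYSLOG_CONF NEWSYSLOG_CONF: print uncovered files, exit 1 if any.
unrotated_logs() {
    rotated=$(newsyslog_targets "$2")
    rc=0
    for f in $(syslog_targets "$1"); do
        if ! printf '%s\n' "$rotated" | grep -Fxq "$f"; then
            echo "$f"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample pair: sra_notice.log is logged but never rotated.
SAMPLE_SYSLOG=$(mktemp) && SAMPLE_NEWSYSLOG=$(mktemp)
printf '%s\n' '*.* /var/log/all.log' 'local0.err /var/log/sra_err.log' \
    'local0.notice /var/log/sra_notice.log' '# local1.* /var/log/old.log' \
    '*.* @loghost.example' > "$SAMPLE_SYSLOG"
printf '%s\n' '/var/log/all.log 644 31 * @T05 WZ' \
    '/var/log/sra_err.log 644 31 * @T05 WZ' > "$SAMPLE_NEWSYSLOG"
unrotated_logs "$SAMPLE_SYSLOG" "$SAMPLE_NEWSYSLOG" || echo "rules missing for the files above"
```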
Chapter 4. Firewall
This chapter describes how to set up and use the firewall on a Freeway. The firewall can protect the Freeway from unwanted connections, either by service (IP port number) or by source (IP address), or any combination of those.
4.1. Configuring the Firewall
The Freeway uses the ipfw daemon to configure and control the firewall.
Chapter 5. Auditing
This chapter describes how to set up and use system-level event auditing on a Freeway. Auditing is useful to keep security high because it allows a system administrator to examine the past history of the Freeway system, to see which users have logged in and exactly what they have been doing, in complete detail, all the way down to what system calls they have made and which files they have accessed.
5.1.
    echo "#"
fi >> /etc/security/audit_user
# Start the kernel-level audit daemon.
/usr/sbin/auditd
# Add posixrules file to prevent creating unnecessary audit records
if [ -f /usr/share/zoneinfo/posixrules ]; then
    echo "posixrules file exists.
echo "# Added by /usr/local/freeway/boot.src/rc.startsra:" >> /etc/security/audit_warn
echo "#" >> /etc/security/audit_warn
echo "# Compress and move audit trail files when they are full.
Chapter 6. Hardening a Freeway
This chapter shows how to use some of the capabilities of a Freeway to increase security. Many of the examples are taken from the sample rc.startsra file shown in Section A.1. The techniques used to enhance security can be grouped into these categories:
• sysctl settings (Section 6.1 below)
• Firewall settings (Section 6.1 below)
• Turn off unnecessary services (Section 6.2 and Section 6.3)
• Set up NTP (Network Time Daemon) (Section 6.
6.2. Unnecessary Services
One of the simplest ways to enhance security on a Freeway is to turn off (disallow) all services which are not required. Access methods such as telnet and rlogin are never required on any Freeway, since users can always log in via the secure shell (SSH), which provides all of the same capabilities as telnet or rlogin, but is more secure.
cp -p /ro/etc/ssh/sshd_config /etc/ssh/
# sample banner
echo "WARNING WARNING WARNING"
echo ""
echo "  You are accessing an information system that"
echo "  is for authorized users only. If you are not"
echo "  authorized, log off now."
echo ""
echo "WARNING WARNING WARNING"
if [ -f /read_only_mounts ]; then
    mount -u -o ro / 2>/dev/null
fi
/bin/kill -HUP `head -1 /var/run/sshd.
Figure 6-5. Disabling SNMP
# For security: prevent snmp from running on this Freeway
if [ -x /usr/local/sbin/snmpd ]; then
    if [ -f /read_only_mounts ]; then
        mount -u -o rw /usr 2>/dev/null
    fi
    chmod ugo-x /usr/local/sbin/snmpd
    if [ -f /read_only_mounts ]; then
        mount -u -o ro /usr 2>/dev/null
    fi
fi
6.6. Secure the Webserver
Figure 6-6 shows some adjustments to make the Freeway webserver more secure.
# For security:
# Add "TraceEnable Off" line to Apache config, if not already there
export AP_SCMD3="`sed -e \"/^[Tt][Rr][Aa][Cc][Ee][Ee][Nn][Aa][Bb][Ll][Ee] *[Oo][Ff][Ff]/!d\" \
    /usr/local/etc/apache22/httpd.conf |sed -e \"2,//d\"`"
if [ "${AP_SCMD3}X" = "X" ]; then
    if [ -f /read_only_mounts ]; then
        mount -u -o rw /usr 2>/dev/null
    fi
    echo "TraceEnable Off" >> /usr/local/etc/apache22/httpd.
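The webserver directives above are added with long case-insensitive sed patterns that only check for a line's presence. As an added example (not the guide's own code), the same three settings applied idempotently with awk on a constructed copy of httpd.conf, so that a wrong value is corrected and a second run changes nothing; the function names and the sample file are assumptions.

```shell
#!/bin/sh
# Added example, not from this guide or the Freeway software. Enforces the
# Apache directives the guide's rc.startsra adds (TraceEnable Off,
# ServerTokens Prod, ServerSignature Off) idempotently, matching the directive
# name case-insensitively like the guide's bracketed sed patterns. The config
# path is an argument, so it is exercised here on a constructed copy rather
# than /usr/local/etc/apache22/httpd.conf. Function names are assumptions.

# set_directive CONF NAME VALUE: rewrite the first active NAME line to
# "NAME VALUE", drop later duplicates, or append the line if none exists.
# Commented-out occurrences are left untouched. awk plus copy-back is used
# instead of "sed -i", whose syntax differs between GNU and BSD sed, and the
# copy-back keeps the file's owner and mode.
set_directive() {
    conf=$1; name=$2; value=$3; tmp="${conf}.tmp.$$"
    awk -v n="$name" -v v="$value" '
        $0 !~ /^[ \t]*#/ && tolower($1) == tolower(n) {
            if (!seen) { print n " " v; seen = 1 }
            next
        }
        { print }
        END { if (!seen) print n " " v }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf" && rm -f "$tmp"
}

# directive_value CONF NAME: effective (last active) value, empty if unset.
directive_value() {
    awk -v n="$2" '$0 !~ /^[ \t]*#/ && tolower($1) == tolower(n) { val = $2 }
                   END { print val }' "$1"
}

# harden_httpd_conf CONF: apply the guide's three directives.
harden_httpd_conf() {
    set_directive "$1" TraceEnable Off
    set_directive "$1" ServerTokens Prod
    set_directive "$1" ServerSignature Off
}

# Constructed sample: mixed case, a commented-out line, and wrong values.
SAMPLE_CONF=$(mktemp)
printf '%s\n' 'Listen 80' '# servertokens Full' 'servertokens Full' \
    'TRACEENABLE On' 'ServerSignature On' > "$SAMPLE_CONF"
harden_httpd_conf "$SAMPLE_CONF"
harden_httpd_conf "$SAMPLE_CONF"   # second run must leave the file unchanged
cat "$SAMPLE_CONF"
```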
6.8. Rotate Log Files
Figure 6-8 shows a method for rotating and maintaining the system logs, including the webserver logs. This method uses the /usr/sbin/cron daemon to periodically check the log files, and rotate them if necessary. See Chapter 3 for more details.
Figure 6-8.
    echo "# See the echo statements near the end of"
    echo "# /usr/local/freeway/boot.src/rc.startsra for examples."
    echo "#"
    echo "# All users which should be audited must be added here.
fi
    chmod 755 /usr/share/zoneinfo
    touch /usr/share/zoneinfo/posixrules
    chmod 444 /usr/share/zoneinfo/posixrules
    if [ -f /read_only_mounts ]; then
        mount -u -o ro /usr 2>/dev/null
    fi
fi
# Add line to force close/reset of audit file now and every midnight
/usr/sbin/audit -n
if /usr/bin/grep -- "^[^#]*bin\/audit -n" /etc/crontab >/dev/null; then
    echo "Audit file refresh command exists -- will not add again...
Chapter 7. Notes This chapter contains general information to aid in understanding this document. Table 7-1.
Appendix A. Sample rc.startsra File
This appendix shows a sample rc.startsra file which configures and enables several of the security-tightening capabilities which are described in other parts of this document. Note that some of the command lines in this example are broken by "backslash-return" characters at the end of one line, followed by the remainder of the command on the next line.
# export TARGET2=192.168.1.2
export NTP_SERVER=192.168.1.1
export NTP_SERVERB=192.168.1.2
# setup to write any core files to the read-write /var/ partition
sysctl kern.corefile=/var/%N_%P.core
# sysctl net.inet.tcp.keepidle=300000
# sysctl net.inet.tcp.keepintvl=60000
# sysctl net.inet.tcp.
cp -p /ro/etc/ssh/sshd_config /etc/ssh/
# sample banner
echo "WARNING WARNING WARNING"
echo ""
echo "  You are accessing an information system that"
echo "  is for authorized users only. If you are not"
echo "  authorized, you must log off now."
echo ""
echo "WARNING WARNING WARNING"
if [ -f /read_only_mounts ]; then
    mount -u -o ro / 2>/dev/null
fi
/bin/kill -HUP `head -1 /var/run/sshd.
    echo "ServerTokens Prod" >> /usr/local/etc/apache22/httpd.conf
    if [ -f /read_only_mounts ]; then
        mount -u -o ro /usr 2>/dev/null
    fi
fi
# For security:
# Change any "ServerSignature On" line in Apache config to
# "ServerSignature Off"
export AP_SCMD2="`sed -e \"/^[Ss][Ee][Rr][Vv][Ee][Rr][Ss][Ii][Gg][Nn][Aa][Tt][Uu][Rr][Ee] *[Oo][Nn]/!d\" \
    /usr/local/etc/apache22/httpd.
echo "*.*           ${LOG_DIR}/all.log"         >  /etc/syslog.conf
echo "local0.err    ${LOG_DIR}/sra_err.log"     >> /etc/syslog.conf
echo "local0.notice ${LOG_DIR}/sra_notice.log"  >> /etc/syslog.conf
echo "local0.*      ${LOG_DIR}/sra_all.log"     >> /etc/syslog.conf
echo "local1.err    ${LOG_DIR}/sraweb_err.log"  >> /etc/syslog.conf
echo "local1.*      ${LOG_DIR}/sraweb_all.log"  >> /etc/syslog.
echo "${LOG_DIR}/sraweb_all.log 644 31 * @T05 WZ" >> /etc/newsyslog.
echo "SHELL=/bin/sh"
echo "PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin"
echo "HOME=/var/log"
echo "B_FWY_SERVERNAME=${B_FWY_SERVERNAME}"
echo "MAILTO=\"\""
echo "TZ=\"\""
echo "#"
echo "#minute hour mday month wday who
echo "#"
echo "0 * * * * root
echo "0 5 * * * root
echo "    ping -n -o -t 10 ${TARGET2} > /dev/null ; do" >> /tmp/ipfailover.sh
echo "    sleep 10" >> /tmp/ipfailover.sh
echo "  done" >> /tmp/ipfailover.sh
echo "" >> /tmp/ipfailover.sh
echo "  # echo resetting to use ${ETH_DEV}1" >> /tmp/ipfailover.sh
echo "  ifconfig ${ETH_DEV}0 down" >> /tmp/ipfailover.sh
echo "  ifconfig ${ETH_DEV}1 up" >> /tmp/ipfailover.sh
echo "  logger -p local0.
    echo "host line already in audit file -- will not tamper with it..."
else
    echo "host:${B_FWY_SERVERNAME}" >> /etc/security/audit_control
fi
# If audit_user file has not been altered by any user, then
# add default settings for the 2 initial login accounts.
if [ 5 = `cat /etc/security/audit_user |wc -l` ]; then
    echo "#" >>
    echo "# These lines have been added to this file by the" >>
    echo "# /usr/local/freeway/boot.
## echo "    /usr/local/bin/zip -r /var/save/\${DATEDIR}.audit_records.zip \$2.txt" \
##     >> /etc/security/audit_warn
## echo "    /sbin/rm -f \$2.txt" >> /etc/security/audit_warn
# echo "fi" >> /etc/security/audit_warn
#
# fi
# Start the kernel-level audit daemon.
Customer Report Form
We at Protogate are constantly striving to improve our products. If you have any suggestions or problems you would like to report regarding our hardware, software, or documentation, please complete the following form and mail it to us at Protogate, Inc., 12225 World Trade Drive, Suite R, San Diego, CA, 92128, USA. Or contact us via email: , voice: (858) 451-0865, or fax: (877) 473-0190.