KernelSecuritySettings

Differences between revisions 4 and 5
Revision 4 as of 2006-08-10 06:49:55
Size: 5363
Editor: c-68-33-112-13
Comment: spec URL
Revision 5 as of 2006-08-10 08:08:11
Size: 5355
Editor: c-68-33-112-13
Comment: spec URL
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
 * '''Launchpad entry''': https://launchpad.net/distros/ubuntu/+spec/improved-networking-security-kernel  * '''Launchpad entry''': https://launchpad.net/distros/ubuntu/+spec/networking-security-sysctls

Summary

This implements networking security improvements using the sysctl interface in Linux.

Rationale

It would be best to supply the most secure environment possible within reasonable constraints.

Use cases

No particular use examples.

Scope

The scope of this spec includes kernel sysctl settings for TCP, UDP, and IP based networking.

Design

The following sysctl settings will be set:

  • net.ipv4.conf.all.rp_filter = 1. Checks our routing table against the source address of incoming packets to make sure that they're coming from the interface our routing table says that address is on. Note that this needs to be easily disabled; if some form of advanced routing or policy routing intends traffic from a host to come in one interface and traffic to that host to leave out a different interface, then legitimate packets will be dropped.

  • net.ipv4.conf.all.accept_redirects = 0. Usually we don't need redirects. In fact unless you explicitly know you need redirects, you probably really don't need redirects. Redirects let one machine tell another machine to route traffic through a node other than what's in its routing table; this is a bad idea and secure_redirects is likely spoofable.

  • net.ipv4.conf.all.accept_source_route = 0. Generally bad, may give a way to route a packet through a firewall to an unreachable IP by specifying that IP in the route.

  • net.ipv4.tcp_rfc1337 = 1. Implements RFC 1337 fix F1 to counteract hazards H1, H2, and H3. This accounts for all hazards discussed in RFC 1337.

  • net.ipv4.tcp_syncookies = 1. Implements TCP Syncookies. When the connection queue is filled, we drop back to this; we lose TCP extensions as a trade-off for any connections made as Syncookies, but we would otherwise not be making said connections at all so this is a net gain.

  • net.ipv4.icmp_echo_ignore_broadcasts = 1. Ignores broadcast pings, reducing the damage of SMURF attacks.

  • icmp_ignore_bogus_error_responses = 1. Some routers ignore RFC 1122 and send junk error responses that get logged. It may be possible to trigger this logging by spoofing; this would lead to filling up the hard disk with junk logs, causing a denial of service.

  • net.ipv4.icmp_ratelimit = 20. Default value is 100; we relax this to limit it to 5 per second.

  • net.ipv4.icmp_ratemask = 88089. Default value is 6168; we set a few ICMP masks to be rate limited:

    • 0: ICMP Echo Reply

    • 3: ICMP Destination Unreachable (default)

    • 4: ICMP Source Quench (default)

    • 11: ICMP Time Exceeded (default)

    • 12: ICMP Parameter Problem (default)

    • 14: ICMP Timestamp Reply

    • 16: ICMP Information Reply

The following sysctl settings are default at the time of this writing. We intend that they stay this way.

  • net.ipv4.conf.all.secure_redirects = 1. Prevents hijacking of routing path by only allowing redirects from gateways known in our routing table.

  • net.ipv4.conf.all.shared_media = 1. Indicates that the media is shared with different subnets; importantly, if it's off it overrides secure_redirects and turns it off as well.

The following are omitted:

  • net.ipv4.tcp_window_scaling = 0. TCP Window Scaling makes the TCP window longer; this makes TCP RST attacks a lot easier because you really only have to get a packet in with a sequence number that should appear before the next ACK for it to get accepted. For our purposes we typically don't care; we would be limited to sending 64K of data and then stopping and waiting for an ACK if we didn't use this. Our risk is a denial of service being made easier; and the DoS affects exactly one connection (source/dest host and source/dest port set) at a time.

Implementation

All of these settings can be implemented in /etc/sysctl.conf.

A graphical interface to adjust some of these settings should be created, eventually.

Code

Any graphical control program would need to be coded.

Data preservation and migration

None.

Unresolved issues

We need documentation for this; it is imperative that certain features be easy to discover because they may break extraordinary and genuinely uncommon networking configurations. It may be useful to have general security documentation, a la [:HardenedUbuntu/Doc]; the purpose of such documentation would be to have a specific "Security Manual" that is light-weight but that "everybody should read," and could expose such. (minimalism is the key to making people RTFM) --JohnMoser

There may be other security improvements. I'm the only one that's looked so far; this should be fixed. I have not considered IPv6; although there seems to be nothing useful in the sysctl area. --JohnMoser

BoF agenda and discussion

== References ==


CategorySpec

ImprovedNetworking/KernelSecuritySettings (last edited 2008-08-06 16:23:19 by localhost)