Establishing a Security Framework

The first step in securing your Linux system is to set up a security policy. The security policy is your guide to what you enable users (as well as visitors over the Internet) to do on the Linux system. The level of security you establish depends on how you use the Linux system and how much is at risk if someone gains unauthorized access to your system.

If you are a system administrator for Linux systems at an organization, you probably want to involve the management, as well as the users, in setting up the security policy. Obviously, you cannot create an imposing policy that prevents everyone from working on the system. On the other hand, if the users are creating or using data valuable to the organization, you have to set up a policy that protects the data from disclosure to outsiders. In other words, the security policy should strike a balance between the users' needs and the need to protect the system.

For a standalone Linux system or a home system you occasionally connect to the Internet, the security policy can be just a listing of the Internet services you want to run on the system and the user accounts you plan to set up on the system.

For a larger organization that has one or more Linux systems on a LAN connected to the Internet-preferably through a firewall (a device that controls the flow of Internet Protocol (IP) packets between the LAN and the Internet)-it is best to think of computer security across the entire organization systematically. Figure 22-1 shows the key elements of an organization-wide framework to computer security (some call this the security architecture).

Figure 22-1: An Organization-wide Framework for Computer Security.

Such an organization-wide computer security framework includes the following key elements:

Determining business requirements for security
Performing risk analysis
Establishing a security policy
Implementing security solutions to mitigate identified security risks
Managing security continuously

The next few sections explain these elements of the security framework.

Determining Business Requirements for Security

The security framework outlined in Figure 22-1 starts with the development of a security policy based on business requirements and risk analysis. The business requirements identify the security needs of the business-the computer resources and information you have to protect (including any requirements imposed by applicable laws, such as the requirement to protect the privacy of some types of data). Typical security requirements might include items such as the following:

Enable access to information by authorized users.
Implement business rules that specify who has access to what information.
Employ a strong user-authentication system.
Deny malicious or destructive actions on data.
Protect data from end to end as it moves across networks.
Implement all security and privacy requirements that applicable laws impose.

Performing Risk Analysis

Risk analysis involves determining the following and performing some analysis to establish the priority of handling the risks:

Threats-What you are protecting against
Vulnerabilities-The weaknesses that might be exploited (these are the risks)
Probability-The likelihood that a vulnerability will be exploited
Impact-The effect of exploiting a specific vulnerability
Mitigation-What to do to reduce the vulnerabilities

Before I describe risk analysis, here are some typical threats to computer security:

Denial of service-The computer and network are tied up so that legitimate users cannot make use of the systems. For businesses, denial of service can mean loss of revenue.
Unauthorized access-Use of the computer and network by someone who is not an authorized user. The unauthorized user can steal information or maliciously corrupt or destroy data. Some businesses may be hurt by the negative publicity from the mere act of an unauthorized user gaining access to the system, even if there is no explicit damage to any data.
Disclosure of information to the public-The unauthorized release of information to the public. For example, the disclosure of a password file enables potential attackers to figure out user name and password combinations for accessing a system. Exposure of other sensitive information, such as financial and medical data, might be a potential liability for a business.

These threats come from exploitation of vulnerabilities in your organization's computer and human resources. Some common vulnerabilities are the following:

People (divulging passwords, losing security cards, and so on)
Internal network connections (routers, switches)
Interconnection points (gateways-routers and firewalls-between the Internet and the internal network)
Third-party network providers (ISPs, long-distance carriers)
Operating-system security holes (potential holes in Internet servers, such as sendmail, named, bind, and so on)
Application security holes (known security holes in specific applications)

To perform risk analysis, assign a numeric value to the probability and impact of each potential vulnerability. A workable risk analysis approach is to do the following for each vulnerability or risk:

Assign subjective ratings of Low, Medium, and High for the probability of a risk. As the ratings suggest, Low means a lesser chance that the vulnerability will be exploited; High means there is a greater chance.
Assign similar ratings to the impact of a risk. What you consider impact is up to you. Businesses often assess the impact by estimating the monetary damages resulting from a risk event. If the exploitation of a vulnerability will affect your business greatly, assign it a High impact.
Assign a numeric value to the three levels-Low = 1, Medium = 2, and High = 3-for both probability and impact.
Compute a numerical risk level by multiplying the numerical values of probability and impact. Then, make a decision to develop and implement protections for vulnerabilities that exceed a specific threshold for the risk level-the product of probability and impact. For example, you may choose to handle all vulnerabilities with a probability times impact-risk level-greater than 6.
If you want to characterize the probability and impact with a finer level of granularity, pick a scale of 1 through 5, for example, and follow the same steps as before.

Establishing a Security Policy

Based on the risk analysis and any business requirements you may need to address regardless of risk level, you can craft a security policy for the organization. The security policy typically addresses the following areas:

Authentication-What method will be used to ensure that a user is the real user? Who gets access to the system? What is the minimum length and complexity of passwords? How often do users change passwords? How long can a user be idle before that user is logged out automatically?
Authorization-What can different classes of users do on the system? Who can have the root password?
Data protection-What data must be protected? Who has access to the data? Is encryption necessary for some data?
Internet access-What are the restrictions on users (from the LAN) accessing the Internet? What Internet services (such as Web, Internet Relay Chat, and so on) can users access? Are incoming emails and attachments scanned for viruses? Is there a network firewall? Are virtual private networks (VPNs) used to connect private networks across the Internet?
Internet services-What Internet services are allowed on each Linux system? Are there any file servers? Mail servers? Web servers? What services run on each type of server? What services, if any, run on Linux systems used as desktop workstations?
Security audits-Who tests whether the security is adequate? How often is the security tested? How are problems found during security testing handled?
Incident handling-What are the procedures for handling any computer security incidents? Who must be informed? What information must be gathered to help with the investigation of incidents?
Responsibilities-Who is responsible for maintaining security? Who applies patches and upgrades system software to fix security holes? Who monitors log files and audit trails for signs of unauthorized access? Who maintains the database of security policy?

Implementing Security Solutions

After you analyze the risks-vulnerabilities-and develop a security policy, you have to select the mitigation approach: how to protect against specific vulnerabilities. This is where you develop an overall security solution based on security policy, business requirements, and available technology-a solution that consists of the following:

Services (authentication, access control, encryption)
Mechanisms (user name/password, firewalls)
Objects (hardware, software)

Managing Security Continuously

In addition to implementing security solutions, you have to set up security management that continually monitors, detects, and responds to any security incidents.

The combination of the risk analysis, security policy, security solutions, and security management provides the overall security framework. Such a framework helps establish a common level of understanding of security and a common basis for the design and implementation of security solutions.

The remainder of this chapter shows you some of the ways in which you can enhance and maintain the security of your CentOS Linux system and any network.