Which of the following store settings that make up baselines?

Process Application Layer Security

Any vendors software is susceptible to harboring security vulnerabilities. Security can be seen as an arms race, with the bad guys exploiting vulnerabilities and the good guys patching them. Every day, Web sites that track security vulnerabilities, such as CERT, are reporting new vulnerability discoveries in operating systems, application software, server software, and even in security software or devices. Last year, CERT advertised an average of over six vulnerabilities a day. Figure 1.3 shows the increase in reported incidents over the years.

Patches are implemented for these known bugs, but new vulnerability discoveries continue. Sometimes patches fix one bug, only to introduce another. Even open source software that has been widely used for ten years is not immune to harboring serious vulnerabilities. In June 2000, CERT reported that MIT Kerberos had multiple buffer overflow vulnerabilities that could be used to gain root access, and in Feb of 2002, widespread vulnerabilities were announced in the fundamental ASN. 1 encoding schema common to all SNMP agents, allowing the compromise of nearly all infrastructure devices across the Internet.

Many sites do not keep up when it comes to applying patches and so leave their systems with known vulnerabilities. It is important to keep all of your software up to date. Many of the most damaging attacks have occurred in end-user software such as electronic mail clients. Attacks can be directed at any software and can seriously affect your network.

The default configuration of hosts makes them easy to get up and running, but many default services are unnecessary. These unnecessary services increase the vulnerabilities of the system. On each host, all unnecessary services should be shut down. Misconfigured hosts also increase the risk of an unauthorized access. All default passwords and community names must be changed.

Note

The SANS (System Administration, Networking, and Security) Institute in conjunction with the National Infrastructure Protection Center (NIPC) has created a list of the top 20 Internet security threats as determined by a group of security experts. The list is maintained at www.sans.org/top20.htm. This guide is an excellent list of the most urgent and critical vulnerabilities to repair on your systems. Two of the problems listed earlier—unnecessary default services and default passwords—are on this list.

This effort was started because experience has shown that a small number of vulnerabilities are used repeatedly to gain unauthorized access to many systems.

SANS has also published a list of the most common mistakes made by end users, executives, and information technology personnel. It is available at www.sans.org/mistakes.htm.

The increased complexity of systems, the shortage of well-trained administrators, and a lack of resources all contribute to reducing the security of hosts and applications. We cannot depend on hosts to protect themselves from all threats. A useful approach is to use automated scanning devices, such as Cisco Secure Scanner (formerly NetSonar) to help identify the vulnerabilities from a network perspective, and work with the information owner to apply the necessary remediation.

All is not lost, however. Application layer security can provide end-to-end security from an application running on one host through the network to the application on another host. It does not care about the underlying transport mechanism. Complete coverage of security requirements, integrity, confidentiality and non-repudiation, can be provided at this layer. Applications have a fine granularity of control over the nature and content of the transactions. However, application layer security is not a general solution, because each application and client must be adapted to provide the security services. Several examples of application security extensions are described next.

Modifying the nipper.ini File

Figure 10.25 presents the default configuration settings of Nipper. If youi want to modify some parameters, you can do that directly on the nipper.ini file. The following example contains a portion of the configuration settings:

# Password / key audit options

Minimum Password Length = 8

Passwords Must Include Uppercase = off

Passwords Must Include Lowercase = off

Passwords Must Include Lowercase or Uppercase = on

Passwords Must Include Numbers = on

Passwords Must Include Special Characters = off

Configuring Nipper can be achieved by modifying the parameters in this file, such as those listed above. For example, the minimum password length can be changed to 10. After modifying the file, save it and run Nipper using the original command line that you used, which is presented again below.

nipper ––ios-router ––input=ABC_Company_Router.txt –– output=ABC_Report.html

The report produced by Nipper is configurable. The images in Figures 10.26 and 10.27 show the default HTML report format for Nipper. Of particular benefit is the inclusion of information about how to fix the problems with detailed descriptions of the risks associated with each misconfiguration. Each of the recommendations also includes the command line or configuration change needed to fix the problem.

Changing Defaults

Nearly all devices are preconfigured with default configuration settings. These settings are well known to the public and are shared among similar devices. For example, every device has an administrator super-user logon name and password that you use to gain access to and configure your device. These administrator logon names and passwords are not secret; they are available to anyone. Changing the default administrator password on your wireless device will prevent an attacker from attempting to log on and view/change your wireless network settings. The username is often simply the word administrator and the password is typically set to empty (none), or the word administrator, admin, password, or public. The following sidebar provides examples of super-user passwords set by manufacturers by default.

Tools &Traps…

In addition to changing your default administrative logon name and password, you should disable unwanted services on your access point. Disable unwanted services, such as the Network Time Protocol (NTP), the Cisco Discovery Protocol (CDP), the Hypertext Transfer Protocol (HTTP), Telnet, and the Simple Network Management Protocol (SNMP), if you do not plan to use them. These services, when not disabled, act as doors into your wireless device. An attacker could find and use vulnerabilities in these service ports to gain unprivileged access.

Summary of Exam Objectives

Windows Server 2003 often performs reasonably well in its default configuration, but insufficient memory, CPU, disk, or network resources can reduce performance to an unacceptable level. Proper tuning and allocation of these resources will ensure adequate performance. Proper configuration of the server’s page files can improve performance. Regular use of the Disk Defragmenter utility will ensure that your file systems do not become a bottleneck for read and write operations. Use efficient and intelligent network adapters to handle some of the processing load and reduce the overall impact communications have on the system.

The System Monitor utility can be used to monitor various counters present in the system. These counters display real performance information about what is occurring in the system. Some counters can display statistics as percentages, others as cumulative counts of events, and others as immediate absolute values. System Monitor can be used to view current activity in the system or to view data from log files.

A properly developed baseline can help in planning for increased growth and in identifying resources that are being overutilized. A baseline provides a mechanism for identifying what normal operating conditions are for a server. The baseline acts as a reference for troubleshooting performance issues.

The operating system and some applications record events in numerous event log files. The events in these files are always in the same format and can be viewed, searched, and monitored to determine if a system is functioning properly. Entries in the event logs indicate the severity or nature of the events. Security auditing can be enabled and security-related events captured in the event logs. The logs themselves can be archived to create a historical record of a server’s activities.

Backing up data is a must to ensure system availability. Only user accounts with elevated user rights can perform backups or restores. Different methods (normal, differential, and incremental) for performing backups are available to accomplish different objectives. Backups can be performed to tape drives, network shares, or local disks, but not writable or read-writable CD-ROMs or DVD-ROMs.

Some services like DHCP, WINS, and DNS may have special considerations or configuration issues that need to be addressed before backups are performed. Clustered server disks also require special consideration for backups, and the new Volume Shadow Copy feature assists in creating backups of open files.

The Windows Backup Utility can be run either as a Wizard or in Advanced Mode. The Wizard works in most situations and steps you through the process of creating or restoring a backup. The Advanced Mode gives you access to the more powerful options of the utility and lets you fine-tune your backups. The Backup Utility also lets you schedule backup sessions, so that you can create a relatively simple and regular backup process.

The new ASR feature of Windows Server 2003 simplifies the process of re-creating a failed server installation. The ASR process replaces the older ERD process used in previous versions of Windows. Proper planning and preparation must be completed before ASR can be used to restore a system, and performing an ASR restore should be the last resort. An ASR restore requires a floppy diskette drive to be present in the server, but one is not required to create an ASR backup.

The proper use of fault tolerance will mean that services will continue to be provided even when something breaks down. Redundancy in hardware, software, and communications ensures a reliable environment. The use of redundant network interfaces and proxy servers will ensure reliable communications. Using disk RAID arrays for the storage of applications and data will help prevent downtime due to a hard drive failure and may also be used as a performance enhancer. Using redundant components to help cool your server and provide power when the utility power fails will ensure your server operates in adverse conditions.

Cassandra ring architecture

Figure 4.26 shows the ring architecture we described earlier. In this configuration, we can visualize how Cassandra provides for scalability and consistency.

In the ring architecture, the key is the connector to the different nodes in the ring, and the nodes are replicas. For example, A can be replicated to B and C, when N = 3. And D can be replicated to D and E or D and F when N = 2.

Suggested Vulnerabilities for Windows

The first type of vulnerability we wanted to demonstrate were default configuration issues and poorly chosen passwords. We created a number of users on the test server. Some users had no passwords, and others had simple or predictable passwords. The class was taught how to look up default passwords for various software installations, as well as how to enumerate users on servers which allow it. They were also taught how to look at the password policy to determine if it would be safe to attempt to brute force passwords. Of course on our test server brute forcing was configured to be safe so that we could demonstrate tools to perform such attacks. We also installed MS SQL server, and had the password set to blank as was the default a number of years ago. This allowed the students to both learn how to connect to such a server, as well as how to exploit a database server using SQL commands.

We also made sure that significant information was available using publicly available tools. SNMP community strings were set to public. I believe this server even displayed configuration information using the built in IIS web server with some custom ASP scripts (which had vulnerabilities in them as well).

In addition, we installed some open source software with known exploits. The goal in installing this software was to simulate a real environment which was performing useful functions. The software we chose had a buffer overflow in the portion of the application which collected data from the network. We also chose software that had “non-overflow” vulnerabilities. If a tester issued a properly formatted request, then the tester could retrieve any file on the system.

Finally, the operating system was left unpatched. We had to be careful to keep the firewall rules in place, as putting such a server on the corporate network would have been a violation of the usage guidelines, and likely would have been a victim of the occasional worm outbreaks.

8.3.2.5 Running the application

Aneka produces a considerable amount of logging information. The default configuration of the logging infrastructure creates a new log file for each activation of the Container process or as soon as the dimension of the log file goes beyond 10 MB. Therefore, by simply continuing to run an Aneka Cloud for a few days, it is quite easy to collect enough data to mine for our sample application. Moreover, this scenario also constitutes a real case study for MapReduce, since one of its most common practical applications is extracting semistructured information from logs and traces of execution.

In the execution of the test, we used a distributed infrastructure consisting of seven worker nodes and one master node interconnected through a LAN. We processed 18 log files of several sizes for a total aggregate size of 122 MB. The execution of the MapReduce job over the collected data produced the results that are stored in the loglevels.txt and components.txt files and represented graphically in Figures 8.12 and 8.13, respectively.

The two graphs show that there is a considerable amount of unstructured information in the log files produced by the Container processes. In particular, about 60% of the log content is skipped during the classification. This content is more likely due to the result of stack trace dumps into the log file, which produces—as a result of ERROR and WARN entries—a sequence of lines that are not recognized. Figure 8.13 shows the distribution among the components that use the logging APIs. This distribution is computed over the data recognized as a valid log entry, and the graph shows that just about 20% of these entries have not been recognized by the parser implemented in the map function. We can then infer that the meaningful information extracted from the log analysis constitutes about 32% (80% of 40% of the total lines parsed) of the entire log data.

Despite the simplicity of the parsing function implemented in the map task, this practical example shows how the Aneka MapReduce programming model can be used to easily perform massive data analysis tasks. The purpose of the case study was not to create a very refined parsing function but to demonstrate how to logically and programmatically approach a realistic data analysis case study with MapReduce and how to implement it on top of the Aneka APIs.

Cassandra ring architecture

Fig. 2.26 shows the ring architecture we described earlier. In this configuration, we can visualize how Cassandra provides for scalability and consistency.

In the ring architecture, the key is the connector to the different nodes in the ring, and the nodes are replicas. For example, A can be replicated to B and C, when N = 3. And D can be replicated to D and E or D and F when N = 2.