Contact
SafeLogic
27-29, rue Raffet
75016 Paris - FRANCE
Tel +33 (0)1 45 72 25 15
Fax +33 (0)1 45 72 14 06

FAQ Lastwall

How is Lastwall different from other firewalls?

Lastwall is different in that its effectiveness does not depend on prior knowledge of attack techniques. Lastwall does not try to "understand" the nature of an attack. Instead, it establishes that an intrusion has taken place as soon as the files it supervises are altered.

The software immediately detects every kind of file modification: appended, changed or deleted data. This gives Lastwall the enormous advantage of being able to detect all attacks, including those not yet known.

I already have a firewall, why should I use Lastwall?

A firewall plays a precise role in securing a network: it determines which traffic is authorized by means of "rules". For example, an administrator may configure a firewall to authorize access to a server through port 80 and to refuse Telnet connection requests. The firewall then works like a protective barrier around the network, refusing connections at certain pre-designated points. However, that barrier is both static and limited: static in that the firewall does not raise an alarm when the network is attacked, and limited in that it cannot detect an attack arriving through an authorized service. Take the case of a Web server protected by a firewall that restricts services to HTTP traffic on port 80. If an attack arrives inside HTTP (for example, through a security hole in a CGI program), the firewall cannot detect it. What's more, between 70% and 80% of all attacks on system files and data come from inside the network, where the firewall offers no protection at all. Lastwall, on the contrary, detects attacks in both cases: if an intruder who got in through a vulnerable CGI tries to change a configuration file, a binary or an executable, an alarm is raised; an alarm is also raised if an attempt is made to change a supervised file from within the system.

How is Lastwall integrated into a computer system's security?

Lastwall protects the integrity of network server and Web server files, regardless of their role or extension. Every change to a file's integrity is detected regardless of its origin, whether the data is attacked over the network or from inside the network. Lastwall can be considered a "last-stand" defense layer that withstands the attacks which have passed through the firewall or which a classic network defense system has not detected.

Why is it essential that file integrity be maintained? The case of rootkits.

The most dangerous attacks are those which affect system integrity. A typical case is an intruder changing system files and thereby taking over the server without being seen. The greatest danger of all is the installation of a rootkit. A rootkit is a set of programs and kernel patches which enable the intruder to remain completely invisible to the system administrator. Some system commands are "rewritten" to heighten the intruder's invisibility: the "dir" and "ls" commands no longer display all the files, "netstat" no longer returns all open sockets, and so on. Lastwall offers protection against this kind of attack, since a rootkit cannot be installed unless configuration files and some binary files are changed beforehand. On its inspection run, Lastwall compares the original digital signatures of the files with their current signatures and immediately alerts the administrator in case of discrepancy.

Why is it essential that sensitive files be continually checked?

Today's attackers use complete "toolkits", some of which are even available on the Internet. These programs perform exhaustive, automatic scans for system vulnerabilities and configuration weaknesses.
This means that the attacker only has to isolate one weak spot to break into the system and install a rootkit. An attacker can take complete control of a system within a few hours, and if the intruder manages to infiltrate the internal network, it is essential that he be removed as soon as possible in order to limit the effects and prevent the danger from spreading.

Is it possible for the administrator to define Lastwall's inspection frequencies?

Yes, Lastwall can be programmed to run simultaneous inspections at different frequencies. For example, the administrator can decide that the directories /etc/conf/ or c:\winnt should be checked every half-hour. The CGIs can be checked every hour, the level 2 static HTML pages every half-day and so on.

How are the files checked for integrity?

Lastwall uses only established, long-output cryptographic hash algorithms, MD5 and SHA-1, to check file integrity.
These algorithms are considered impregnable since, if a file is changed, its hash value necessarily changes as well; it is impossible to "manufacture" a false hash value.
The Signature Dictionary (see the one belonging to this site as an example) is itself signed with a private RSA key of between 1024 and 4096 bits, which ensures that an attacker cannot alter the Signature Dictionary. Lastly, the private RSA key is encrypted with a 128-bit algorithm (Blowfish, CAST or IDEA) and protected by a passphrase.
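The mechanism the last three answers describe (a dictionary of per-file digests, a protected dictionary, and an inspection run that reports appended, changed and deleted files) as an added example. This is not SafeLogic's code and nothing about Lastwall's real file formats is known from the page: the JSON layout, the sample directory tree, and the use of HMAC-SHA256 in place of the product's RSA signature over the dictionary are all assumptions. The page names MD5 and SHA-1; the example computes those and adds SHA-256, which is what a practitioner would rely on today, since collisions for MD5 and SHA-1 have since been demonstrated in practice.

```python
"""Added example (not SafeLogic's code): build a Signature Dictionary for a
directory tree, make the dictionary itself tamper-evident, then re-inspect the
tree and report added, changed and deleted files.

Assumptions (mine, not the product's): the JSON dictionary format, the sample
tree constructed in a temporary directory, and HMAC-SHA256 as a stand-in for
the page's RSA signature over the dictionary.
"""
import hashlib
import hmac
import json
import os
import tempfile

# The page names MD5 and SHA-1; SHA-256 is added as the modern choice.
HASH_NAMES = ("md5", "sha1", "sha256")


def file_digests(path):
    """Hash one file with every algorithm in HASH_NAMES, reading it in chunks."""
    hashers = {name: hashlib.new(name) for name in HASH_NAMES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_dictionary(root):
    """Signature Dictionary: relative path -> digests, for every regular file."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = file_digests(full)
    return entries


def sign_dictionary(entries, key):
    """Serialize canonically and attach a MAC so the dictionary is tamper-evident."""
    body = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"dictionary": body.decode(), "mac": tag}


def load_dictionary(signed, key):
    """Refuse a dictionary whose MAC does not verify; otherwise return its entries."""
    body = signed["dictionary"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["mac"]):
        raise ValueError("Signature Dictionary has been tampered with")
    return json.loads(body)


def inspect(root, reference):
    """Compare the tree with the reference dictionary and report what differs."""
    current = build_dictionary(root)
    added = sorted(set(current) - set(reference))
    deleted = sorted(set(reference) - set(current))
    changed = sorted(p for p in current if p in reference and current[p] != reference[p])
    return {"added": added, "changed": changed, "deleted": deleted}


def demo():
    """Constructed scenario: take a baseline, simulate an intrusion, re-inspect."""
    key = b"demo-key-not-for-production"  # constructed; a real deployment keeps this secret
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "cgi-bin"))
        with open(os.path.join(root, "cgi-bin", "search.cgi"), "w") as fh:
            fh.write("#!/bin/sh\necho ok\n")
        with open(os.path.join(root, "httpd.conf"), "w") as fh:
            fh.write("Listen 80\n")
        signed = sign_dictionary(build_dictionary(root), key)

        # Simulated intrusion: a config line appended, a CGI deleted, a new file dropped in.
        with open(os.path.join(root, "httpd.conf"), "a") as fh:
            fh.write("Listen 8080\n")
        os.remove(os.path.join(root, "cgi-bin", "search.cgi"))
        with open(os.path.join(root, "cgi-bin", "unexpected.cgi"), "w") as fh:
            fh.write("#!/bin/sh\n")
        report = inspect(root, load_dictionary(signed, key))

        # An attacker who edits the stored dictionary to hide the change must be caught too.
        entries = json.loads(signed["dictionary"])
        entries["httpd.conf"]["sha256"] = "0" * 64
        tampered = {"dictionary": json.dumps(entries, sort_keys=True, separators=(",", ":")),
                    "mac": signed["mac"]}
        try:
            load_dictionary(tampered, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return report, tamper_detected


if __name__ == "__main__":
    print(demo())
```

The inspection reports `httpd.conf` as changed, `cgi-bin/search.cgi` as deleted and `cgi-bin/unexpected.cgi` as added, and the forged dictionary is rejected before it is used as a reference. The same split the page describes applies: the key that protects the dictionary must not live on the monitored host, otherwise an intruder with root can re-sign whatever dictionary suits him.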

What are the navigation and administration modes?

Lastwall offers the administrator two interfaces for maximum user-friendliness.
An HTML interface usable with any HTML 3.2 compatible browser: Windows, MacOS, Linux, thin clients.
Lastwall also features a standardized command line interface for writing scripts and/or customized batch programs under Windows NT and UNIX.

In what format are the alarms released?

The first option is to use a console which supports HTML: a looping CGI or Servlet sends audible and visual alarms to the console. An unlimited number of Web consoles may be used simultaneously. The alarms are in HTML 3.2 format and carried over HTTP. Any device equipped with a browser and an HTTP connection (Internet, Intranet) may be used as a console.
The second option is to e-mail the alarms. All alarms can be sent as e-mails to an unlimited number of recipients. Furthermore, the alarms are always signed with a private RSA key, meaning that they can be sent over insecure, unsupervised networks.

How is server resource consumption managed?

Lastwall has been designed to fit into production environments with as little overhead as possible.
The client-server architecture, which varies between operating systems, allows the operations to be split apart. Take the case of a Windows NT workstation used as an inspection console for a Unix production server:

  • The Lastwall "Monitor" module, which carries out the hash calculations and checks the digital signatures, is installed on the Windows NT workstation.
  • The "Socket Server" is a basic TCP/IP communications module installed on the Unix production server. The Socket Server only reads files and so uses very few CPU resources.
This client-server architecture is shown in the figure below.
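The split just described, as an added example rather than SafeLogic's own code: a read-only "Socket Server" on the monitored host that does nothing but hand back file bytes below a fixed root, and a "Monitor" that fetches those bytes over TCP and computes the digest on its own side. The tiny line-based request protocol, the loopback addresses, SHA-256 as the digest and the constructed sample file are all assumptions; the page says nothing about the product's actual wire protocol.

```python
"""Added example (not SafeLogic's code): the Monitor / Socket Server split.

Assumptions (mine, not the product's): a one-line request protocol
("GET <relative path>\\n"), a reply of 1 status byte + 8-byte length + payload,
loopback addresses, and SHA-256 as the digest. The served file is constructed.
"""
import hashlib
import os
import socket
import socketserver
import struct
import tempfile
import threading

HEADER = struct.Struct("!BQ")  # status (0 = ok, 1 = error), payload length


class ReadOnlyFileHandler(socketserver.BaseRequestHandler):
    """Socket Server side. It only ever reads, and only below the configured root,
    so a compromised Monitor cannot use it to write or to read arbitrary host files."""

    def handle(self):
        root = self.server.root  # realpath of the monitored tree (set in start_server)
        line = self.request.makefile("rb").readline().decode("utf-8", "replace").strip()
        if not line.startswith("GET "):
            self._reply(1, b"bad request")
            return
        full = os.path.realpath(os.path.join(root, line[4:]))
        # Reject anything that escapes the root (e.g. "..") or is not a regular file.
        if not full.startswith(os.path.join(root, "")) or not os.path.isfile(full):
            self._reply(1, b"not found")
            return
        with open(full, "rb") as fh:
            self._reply(0, fh.read())

    def _reply(self, status, payload):
        self.request.sendall(HEADER.pack(status, len(payload)) + payload)


def start_server(root):
    """Start a Socket Server for `root` on an ephemeral loopback port."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), ReadOnlyFileHandler)
    server.root = os.path.realpath(root)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def _recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer closes early."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(min(65536, n - len(buf)))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return bytes(buf)


def fetch_digest(host, port, rel_path):
    """Monitor side: pull the file over TCP and hash it here, not on the server."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(f"GET {rel_path}\n".encode())
        status, length = HEADER.unpack(_recv_exact(sock, HEADER.size))
        payload = _recv_exact(sock, length)
    if status != 0:
        raise FileNotFoundError(payload.decode("utf-8", "replace"))
    return hashlib.sha256(payload).hexdigest()


def demo():
    """Constructed check: remote digest equals local digest; escaping the root is refused."""
    content = b"<html>hello</html>\n"
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.html"), "wb") as fh:
            fh.write(content)
        server = start_server(root)
        try:
            host, port = server.server_address
            digest_matches = fetch_digest(host, port, "index.html") == hashlib.sha256(content).hexdigest()
            try:
                fetch_digest(host, port, "../outside.txt")
                escape_blocked = False
            except FileNotFoundError:
                escape_blocked = True
        finally:
            server.shutdown()
            server.server_close()
    return digest_matches, escape_blocked


if __name__ == "__main__":
    print(demo())
```

Because the digest is computed on the Monitor, the production server spends CPU only on reading and sending; and because the server refuses any path outside its root, the console cannot be turned into a file-reading oracle for the rest of the host even if it is compromised.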

What are the principles underlying the design?

1) Technical simplicity
"Complexity is security's greatest enemy" (Bruce Schneier, US security and cryptography expert). Lastwall checks only file integrity and does not attempt to cover the entire security chain. This limited scope is a deliberate, strategic choice: the more complex the software, the greater the risk of bugs and security holes creeping in. From a technical point of view, there is one single bytecode build for all distributions; this uniqueness reduces development complexity and makes maintenance and corrections much easier and quicker.

2) Easy administration
We wanted the installation, configuration and operation of Lastwall to be as simple as possible. Lastwall offers the administrator two interface types for increased comfort: an HTML interface and a command line interface. The operating procedures are also identical on all platforms, making it easier and faster for the administrator to learn Lastwall and get it up and running everywhere. Lastly, the client-server mode can be used to manage dozens of mixed servers with one single script.

3) Modular structure
Lastwall is made up of independent modules, each with a precise role. For example, the cryptographic module is completely separate from the client-server communications module, and so on. This modular structure keeps things simple, since changing a function in one module has no impact on the others. Thanks to this principle, we will soon be able to write an API module so that the administrative functions can be called directly from your own interfaces and programs.

What are the operating environments?

Lastwall has been written in Java and can be run on the vast majority of operating systems. The environments supported by SafeLogic are:

  • UNIX:
    • Sun Solaris
    • Linux (all distributions)
    • AIX
    • Digital Unix
    • HP-UX
    • IRIX
    • OS/400

  • Windows NT

  • Java Virtual Machines (JVM):
    • Java 1.3
    • Java 1.4

How is safelogic.com made secure?

Firstly, we should bear in mind that specialists frown upon attempts to secure a computer system through secrecy or obscurity. This means there is no real risk in divulging a Web configuration, all the more so since numerous Web tools and services can identify most of its elements anyway: IP address, OS, Web server and so on.

safelogic.com runs on a dedicated Dell server with an Intel processor, running Linux (RedHat 6.0 distribution) and an Apache 1.3.6 Web server.
The first step in securing the server is to remove all pointless and "dangerous" services: Telnet, rlogin, rsh, uucp, tftp, ftp, rcp, sendmail, mail, talk, etc. This leaves only ports 22 (SSH) and 80 (HTTP) open. SSH (Secure Shell) sets up an encrypted link between the client and the server; it replaces Telnet, which sends its data, including the login password, in clear text. A network analyzer (tcpdump) has been installed, as has a firewall, to trace attempted attacks. And, of course, we use Lastwall to permanently monitor the system and application files. Visitors have unhindered access to the Source Dictionary, which lists the files to be protected, and to the Signature Dictionary, which contains the locations of all the files as well as their digital signatures.
Copyright © 2005 SafeLogic