Rudi Lumanto, Universitas Budi Luhur, Semester 2 / 2007
Rudi Lumanto / Mochamad Wahyudi
Computer Networking & Security
Program Pascasarjana Magister Ilmu Komputer STMIK Nusa Mandiri
Operating System Security
Outline
- OS Structure (Linux, Windows, Mac)
- Password
- Access Control
- Data Redundancy (Information Availability)
- Useful Tools
A chain is only as strong as its weakest link
OS Structure
A kernel connects the application software to the hardware of a computer. It is the central component of most computer operating systems (OS).
UNIX OS (1969) ------ Ms. Windows OS (1985) ------- Mac OS (1984)
◆ History of UNIX
Multics was a joint project of Bell Labs, MIT and GE to develop a general-purpose computer operating system; it was the precursor of UNIX.
1969: UNIX written at AT&T Bell Laboratories by Ken Thompson
1973: rewritten in C (the UNIX kernel) by Dennis Ritchie and Ken Thompson
1978: BSD by Bill Joy (UC Berkeley)
1983: System V; 4.2BSD released
1989: BSD Networking Release 1
1989: System V Release 4 (SVR4)
Bill Joy: designer of the Berkeley version of UNIX (BSD = Berkeley Software Distribution) and creator of the vi editor; called the "Edison of the Internet".
Dennis Ritchie: Harvard University; created the C language in 1972.
Ken Thompson: University of California, Berkeley; created the B language.
◆ History of Unix (family tree)
UNIX (1969) → V1 (1971) → V7 (1979), after which the tree splits into two main branches:
- System V branch: System III (1982), System V (1983), SVR2 (1984), SVR3 (1987), SVR4 (1989), SVR4.2 (1992), SVR4.2MP (1993), UNIX95, UNIX98
- BSD branch: 4.2BSD (1983), 4.3BSD (1986), 4.4BSD (1993), 4.4BSD-Lite, 386BSD, then FreeBSD, NetBSD and OpenBSD
- SunOS, followed by Solaris 2 and Solaris 7
- Linux (1991), an independently written Unix-like kernel
◆ History of Linux
1984: the concept of open source; its roots stem from GNU. Richard Stallman, a researcher at MIT, started a project called GNU to develop a complete Unix-like OS that is free software. (GNU is a recursive acronym for "GNU's Not Unix"; it is pronounced "guh-NEW".)
1987: Prof. Andrew S. Tanenbaum writes MINIX, a small Unix clone distributed with its source code for teaching.
1991: Linus Torvalds, a 21-year-old student at the University of Helsinki, begins developing Linux.
Andrew S. Tanenbaum (BSc MIT, PhD UC Berkeley) is the principal designer of three operating systems: TSS-11, Amoeba and MINIX. TSS-11 was an early system for the PDP-11. Amoeba is a distributed operating system for Sun, VAX and similar workstation computers. MINIX is a system for the IBM PC, Atari, Macintosh, Amiga and SPARC, providing a system as simple as real UNIX (i.e. Version 7) for educational use.
◆ Unix/Linux Configuration
The UNIX system is functionally organized at three levels:
- The kernel, which schedules tasks and manages storage;
- The shell, which connects and interprets users' commands, calls programs from memory, and executes them; and
- The tools and applications that offer additional functionality to the operating system.
◆ Shells and Kernel
(Figure: a kernel in the centre surrounded by several shells.)
KERNEL: the heart of the operating system; the kernel controls the hardware and turns parts of the system on and off at the programmer's command.
SHELL: the intermediary between the user and the operating system kernel, also called a command interpreter or command analyzer. There are several types of shell (sh, csh, ksh, bash, among others).
◆ Starting and Terminating Linux
(Figure: power on → login → session → logout → power off.)
Login: process of initiating a Linux operating system session
Logout: process of terminating a Linux operating system session
Windows OS Structure: Simplified
User mode:
- System support processes, service processes, user applications, environment subsystems
- Subsystem DLLs
Kernel mode:
- Executive
- Kernel and device drivers
- Hardware Abstraction Layer (HAL)
- Windowing and graphics
Microsoft first introduced an operating environment named Windows in November 1985 as an add-on to MS-DOS, in response to the growing interest in graphical user interfaces (GUIs).
Operating System Functions (Microsoft Windows)
- Software management
- Hardware management
- Memory management
- Data management
Features of Windows Server
- Multitasking
- Memory support
- SMP scalability
- Plug and Play
- Clustering
- File systems (NTFS)
- QoS
- Remote Installation Services
- Terminal Services
Roles of Computers in a Network
- Client computer
- File and print server
- Database server (with its database)
- Mail server
- Fax server
- Directory services server
Kernel-Mode Components: Core OS
Executive
– Base operating system services
– Memory management, process and thread management
– Security, I/O, interprocess communication
Kernel
– Low-level operating system functions
– Thread scheduling, interrupt and exception dispatching
– Multiprocessor synchronization
– Provides a set of routines and basic objects that the rest of the executive uses to implement higher-level constructs
Both are contained in the file Ntoskrnl.exe
Kernel-Mode Components: Drivers
Device drivers (*.sys)
– Hardware device drivers translate user I/O function calls into specific hardware device I/O requests
– Virtual devices: system volumes and network protocols
Windowing and Graphics Driver (Win32k.sys)
– Graphical user interface (GUI) functions (USER and GDI): windows, user interface controls, and drawing
Hardware Abstraction Layer (Hal.dll)
– Isolates the kernel, device drivers, and executive from hardware
– Hides platform-specific hardware differences (motherboards)
Key to defense in depth of an OS
Monitor logins, failed logins and all network activity.
UNIX OS:
- sulog: records every use of the su command, successful or failed, with the source and target user
- wtmp: records every login and logout on the system with the time of each session, plus system boots and shutdowns (read with the last command); on Linux, btmp (read with lastb) holds the failed login attempts and lastlog the last login of each user
WINDOWS OS (Event Viewer):
- System log
- Application log
- Security log (logon and logoff events appear here only when the audit policy enables logon auditing)
Password
The first measure of a system's security is how effective it is at identifying and authenticating users.
Passwords are used by most systems as the first, and usually the only, means of identification and authentication.
Types of password attack:
- Brute force
- Dictionary based
- Password sniffing
- Social engineering
Three basic schemes for identification and authentication:
1. Something you know, e.g. password, PIN
2. Something you have, e.g. ID card, security token, cell phone
3. Something you are, e.g. fingerprint, signature
Brute Force Attack
Breaches a system by trying every possible combination of letters, numbers and symbols until a match is found that grants access to the system.
Takes a long time and consumes a lot of computing resources because of the exhaustive trial and error; the number of combinations grows exponentially with the password length.
How to Prevent Brute Force Attacks
1) Restrict the number of login attempts a user can perform (account lockout or a growing delay between attempts)
2) Ban a user's IP address after multiple failed login attempts
3) Keep a close eye on your log files for suspicious login attempts
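A worked example for the monitoring slide above (sulog/wtmp and the Event Viewer logs) and for the three prevention measures just listed. It is added here and is not code from the slides: it parses a constructed set of sshd log lines in syslog format, counts failed logins per source address inside a sliding time window, and bans an address once it crosses the limit. The log lines, addresses, year and thresholds are all assumptions made up for the demonstration.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd lines in syslog format (not taken from any real host).
SAMPLE_LOG = """\
Mar  3 10:00:01 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Mar  3 10:00:03 host1 sshd[2002]: Failed password for root from 203.0.113.5 port 51002 ssh2
Mar  3 10:00:04 host1 sshd[2003]: Failed password for root from 203.0.113.5 port 51004 ssh2
Mar  3 10:00:06 host1 sshd[2004]: Accepted password for alice from 192.0.2.10 port 40000 ssh2
Mar  3 10:00:07 host1 sshd[2005]: Failed password for root from 203.0.113.5 port 51006 ssh2
Mar  3 10:00:09 host1 sshd[2006]: Failed password for root from 203.0.113.5 port 51008 ssh2
Mar  3 10:00:30 host1 sshd[2007]: Failed password for bob from 192.0.2.11 port 40010 ssh2
Mar  3 10:05:00 host1 sshd[2008]: Failed password for bob from 192.0.2.11 port 40012 ssh2
Mar  3 10:05:02 host1 sshd[2009]: Failed password for bob from 192.0.2.11 port 40014 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2007):
    """Return a dict for an sshd login line, or None for anything else.
    syslog lines carry no year, so the caller supplies it (assumed 2007 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "ip": m["ip"]}


class LoginGuard:
    """Sliding-window tracker: max_fails failures from one address inside
    `window` bans that address (measure 2); the per-address counters are the
    same data an attempt limiter needs (measure 1)."""

    def __init__(self, max_fails=5, window=timedelta(minutes=1)):
        self.max_fails = max_fails
        self.window = window
        self.recent = defaultdict(deque)   # ip -> timestamps of recent failures
        self.total_failed = Counter()      # ip -> all failures seen, for reporting
        self.banned = {}                   # ip -> time the ban was imposed

    def observe(self, ev):
        ip = ev["ip"]
        if ip in self.banned:
            return "already_banned"
        if ev["ok"]:
            # A success does not clear the history: four failures followed by
            # a success is exactly what a lucky guess looks like.
            return "ok"
        self.total_failed[ip] += 1
        q = self.recent[ip]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_fails:
            self.banned[ip] = ev["ts"]
            return "banned"
        return "failed"


def analyse(log_text, max_fails=5, window=timedelta(minutes=1)):
    """Replay a log through the guard and return it for inspection (measure 3)."""
    guard = LoginGuard(max_fails, window)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            guard.observe(ev)
    return guard


def report(guard):
    """Human-readable summary: banned addresses, then failure counts per address."""
    lines = [f"BANNED {ip} at {when:%H:%M:%S}" for ip, when in sorted(guard.banned.items())]
    lines += [f"{ip}: {n} failed" for ip, n in guard.total_failed.most_common()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(analyse(SAMPLE_LOG)))
```

With the sample above, 203.0.113.5 reaches five failures within a minute and is banned at 10:00:09, while bob's three scattered failures from 192.0.2.11 stay below the threshold and are only counted; a real deployment would feed this from the live log and push the ban into a host firewall rather than a dictionary.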
Dictionary Based Attack
Uses a program that compares the hashed passwords in the password file with the hashes of the words in a dictionary file (the slides call the hashes "encrypted").
- Tries different passwords from a list
- Succeeds only against poor passwords
- Very fast
Preventing Dictionary Attacks: Use SALT
A salt in cryptography is random data added to the password before hashing. In the password file we then store: username, rrrr, h(password + rrrr), where rrrr is the salt. Because every account has its own salt, an attacker cannot precompute one table of hashed dictionary words and reuse it against every account, and two users with the same password get different stored hashes. A salt by itself does not slow down guessing against a single account; for that the hash function must be deliberately slow (PBKDF2, bcrypt or scrypt rather than a bare MD5 or SHA).
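An added example (not code from the slides) that contrasts the two schemes. Unsalted storage is a single SHA-256 of the password; the salted record is the slide's (username, rrrr, h(password + rrrr)) tuple with h taken as PBKDF2-HMAC-SHA256 from Python's hashlib so that each guess also costs a configurable number of iterations. The word list, account names and passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # cost per guess; the salt alone would not make a guess slower


def unsalted_hash(password):
    """The weak scheme: h(password) only. Identical passwords give identical
    hashes, so one precomputed table cracks every account at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(username, password, salt=None):
    """Stored tuple (username, salt, h(password + salt)); a fresh random
    16-byte salt per account unless one is supplied."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return (username, salt.hex(), digest.hex())


def verify(record, password):
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed word list standing in for a dictionary file.
WORDLIST = ["password", "letmein", "123456", "qwerty", "dragon"]


def precomputed_table():
    """Attacker's offline work: h(word) for every word, done once, before
    seeing any password file."""
    return {unsalted_hash(w): w for w in WORDLIST}


def crack_unsalted(hashes, table):
    """Lookup only: every hash in the file costs one dictionary access."""
    return {h: table[h] for h in hashes if h in table}


def crack_salted(records):
    """With salts the table is useless: each account needs its own pass over
    the word list, costing ITERATIONS hashes per word per account."""
    found = {}
    for rec in records:
        for w in WORDLIST:
            if verify(rec, w):
                found[rec[0]] = w
                break
    return found
```

Note that crack_salted still recovers "dragon" for both accounts: the salt removes the precomputation shortcut and the slow hash multiplies the per-guess cost, but neither helps a user whose password is in the dictionary. That is why the salt slide and the good-password guidelines belong together.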
Password Sniffing
Monitoring network packets to obtain passwords or IP addresses.
(Figure: three target machines, 192.168.0.20, 192.168.0.30 and 192.168.0.101, share a network hub with a sniffer machine; on a hub every machine receives every frame.)
Password Sniffing Countermeasures
- Use a network switch instead of a network hub (a switch raises the bar but an attacker who can poison ARP or flood the MAC table still sees the traffic, so it is not a substitute for encryption)
- Employ a VPN (Virtual Private Network)
- Use an encrypting protocol such as SSH (Secure Shell) in place of telnet, rlogin or FTP
- Use one-time passwords (OTP): a sniffed password is worthless because the system never accepts it a second time
Social Engineering
Most people are trusting by nature and are not on guard for this kind of maneuver.
It is amazing how easy it is to get someone to divulge a password over the telephone.
Countermeasure: modify people's behavior through training and education.
Good Password Guidelines
- At least 8 characters long, mixing letters, digits and special symbols
- Avoid passwords made up of all digits or all letters
- The maximum number of times any single character may be repeated in a password should be restricted to three
- Avoid personal data such as birthday, telephone number, number plate
- System controls should be configured to limit the lifetime of a password (e.g. 36 weeks) and to refuse an old password until 8 to 10 new passwords have been used
- Should be selected by the end user and easy to remember
Comparative Analysis for Password Breaking (assumption: the cracking software can test 500,000 guesses per second)
(Table of search times by password length and character set not reproduced in this extraction.)
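An added example (not code from the slides) that turns the guideline list and the comparative-analysis slide into something runnable: a checker that reports which guidelines a candidate password breaks, a password-history store that refuses the last ten passwords, and a keyspace calculator that rebuilds the missing comparison table from the slide's 500,000 guesses per second assumption. Reading "alphanumeric and special symbol characters" as a requirement for at least one symbol, and the personal-data list and character-set sizes, are assumptions made here.

```python
import hashlib
import re
from collections import Counter

RATE = 500_000            # guesses per second, the slide's assumption
HISTORY_DEPTH = 10        # slide: 8 to 10 previous passwords may not be reused


def check_password(pw, personal_data=(), history=()):
    """Return the list of guideline violations; an empty list means acceptable."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if pw.isdigit():
        problems.append("all digits")
    if pw.isalpha():
        problems.append("all letters")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special symbol")          # strict reading of the slide
    if max(Counter(pw).values(), default=0) > 3:
        problems.append("a character repeats more than three times")
    low = pw.lower()
    for item in personal_data:                      # birthday, phone, number plate ...
        if len(item) >= 3 and item.lower() in low:
            problems.append(f"contains personal data '{item}'")
    if hashlib.sha256(pw.encode()).hexdigest() in history:
        problems.append("reused from password history")
    return problems


def remember(history, pw, keep=HISTORY_DEPTH):
    """Keep only hashes of old passwords, never the passwords themselves."""
    history.append(hashlib.sha256(pw.encode()).hexdigest())
    del history[:-keep]
    return history


# Character-set sizes assumed for the table.
CHARSETS = {"digits": 10, "lowercase": 26, "alphanumeric": 62, "printable ASCII": 95}


def keyspace(charset_size, length):
    return charset_size ** length


def crack_seconds(charset_size, length, rate=RATE):
    """Worst case: every combination is tried; on average it is half this."""
    return keyspace(charset_size, length) / rate


def human(seconds):
    for name, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def comparison_table(lengths=(4, 6, 8, 10)):
    """Rows of (charset, length, combinations, worst-case time) at RATE guesses/s."""
    return [(name, n, keyspace(size, n), human(crack_seconds(size, n)))
            for name, size in CHARSETS.items() for n in lengths]


if __name__ == "__main__":
    for row in comparison_table():
        print("{:<16}{:>3}{:>22,}  {}".format(*row))
    print(check_password("hunter2"))
```

The table makes the slide's "at least 8 characters" concrete: eight lowercase letters fall in under five days at this rate, eight printable-ASCII characters take centuries. Modern GPU crackers are several orders of magnitude faster than 500,000 guesses per second, which only strengthens the case for length and for the slow hashes discussed under salting.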
Access Control
The Concept of Permission
Once the user is logged into the system, the user is given authorization to access system resources, such as files. The authorization can be thought of as access privileges. Discretionary privileges can be defined by an Access Control List (ACL).
An ACL is the mechanism that restricts or grants access to a system's resources (e.g. read, write or delete access).
An organization should use some method that controls employee access to its systems and networks.
Permissions
Most computers and network operating systems employ the concept of permissions for controlling access.
Most systems have at least 3-4 levels of permission:
1. Read
2. Write
3. Execute
4. Delete
and 3 user levels:
1. Owner
2. Group
3. Public or Everybody
Some operating systems use more than 4 levels of access permission. Novell NetWare, for instance, uses 8 different rights (Read, Write, Create, Erase, Modify, File Scan, Access Control and Supervisor).
◆ Unix Access Control
Three types of users: owner, group, others.
(Figure: the owner belongs to Group A; the other members of Group A get the group permissions; the members of Group B and everyone else fall under "others".)
◆ Unix OS File Access: Types of protection
For a file:
- r: permits the user to read the file
- w: permits the user to write the file
- x: permits the user to execute the file
- -: the corresponding r, w or x permission is not granted
For a directory:
- r: permits the user to list the names of the files in the directory
- w: permits the user to create or delete files in the directory (deleting a file requires w on the directory, not on the file itself)
- x: permits the user to search (traverse) the directory and reach the entries in it
- -: the corresponding r, w or x permission is not granted
Format of the protection mode
rwx rwx rwx
Owner Group Others (first triplet: owner; second: group; third: others)
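An added example (not code from the slides) that implements the protection-mode format above: it converts between the nine-character symbolic string and the octal mode, and decides an access request the way the kernel does for the owner/group/others classes. The uids, gids and group memberships in the usage are made up. The detail worth noticing is that Unix picks exactly one class and never falls through: an owner whose own triplet is --- is refused even when "others" has rwx.

```python
PERMISSION_BITS = {"r": 4, "w": 2, "x": 1}


def parse_symbolic(mode_str):
    """'rwxr-x---' -> 0o750 (only the nine permission bits of the slide's format)."""
    if len(mode_str) != 9:
        raise ValueError("expected nine characters: owner, group, others")
    bits = 0
    for ch, expected in zip(mode_str, "rwxrwxrwx"):
        bits <<= 1
        if ch == expected:
            bits |= 1
        elif ch != "-":
            raise ValueError(f"unexpected character {ch!r} in mode string")
    return bits


def to_symbolic(mode):
    """0o750 -> 'rwxr-x---'; higher bits (setuid, file type) are ignored."""
    return "".join(ch if mode & (1 << (8 - i)) else "-"
                   for i, ch in enumerate("rwxrwxrwx"))


def may_access(mode, file_uid, file_gid, uid, groups, want, is_dir=False):
    """want is a subset of 'rwx'. Choose one class: owner if uid matches, else
    group if any of the caller's groups matches, else others. Root (uid 0)
    bypasses r and w; executing a file as root still needs some x bit set."""
    if uid == 0:
        return "x" not in want or is_dir or (mode & 0o111) != 0
    if uid == file_uid:
        shift = 6
    elif file_gid in groups:
        shift = 3
    else:
        shift = 0
    klass = (mode >> shift) & 0o7
    need = 0
    for w in want:
        need |= PERMISSION_BITS[w]
    return klass & need == need


if __name__ == "__main__":
    m = parse_symbolic("rwxr-x---")
    print(oct(m), to_symbolic(m))
    # uid 1000 owns the file, gid 100; uid 1001 is in group 100, uid 2000 is not
    print(may_access(m, 1000, 100, 1001, {100}, "rx"),   # True: group class
          may_access(m, 1000, 100, 2000, {300}, "r"))    # False: others class
```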
Data Redundancy
One of the best ways to ensure availability is data redundancy. Availability means not only that the data is accessible but also that it is timely and accurate.
Data redundancy can be achieved in different ways. Each method provides a varying degree of redundancy and backup:
- Disk mirroring
- RAID (Redundant Array of Independent Disks)
- Data streaming
- Hot backup
Disk Mirroring
The process of duplicating data from one hard disk to another hard disk
Provides two sets of identical files on separate disks
RAID
A storage scheme that combines two or more disk drives for fault tolerance and/or performance. Only the levels that keep a mirror or parity (RAID 1, 5, 6, 10) survive a disk failure; RAID 0 stripes purely for speed and tolerates none. RAID is used frequently on servers but is not generally necessary for personal computers. It protects against disk failure only: a deletion or corruption is faithfully replicated to every disk, so RAID is not a backup.
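An added example (not from the slides) showing the mechanism behind parity RAID and why it tolerates exactly one failed disk per stripe: a RAID 5-style stripe stores n data blocks plus one parity block that is the XOR of all of them, so any single missing block, data or parity, is the XOR of the survivors. Mirroring is included for contrast. The four-byte blocks are constructed; real arrays use blocks of tens or hundreds of kilobytes and rotate the parity position across disks.

```python
def xor_blocks(blocks):
    """Byte-wise XOR of equal-length blocks."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        if len(b) != len(out):
            raise ValueError("all blocks in a stripe must be the same size")
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


def write_stripe(data_blocks):
    """RAID 5-style stripe: the data blocks followed by one parity block."""
    return list(data_blocks) + [xor_blocks(data_blocks)]


def rebuild(stripe, lost_index):
    """Reconstruct one missing block (data or parity) from the others."""
    survivors = [b for i, b in enumerate(stripe) if i != lost_index]
    return xor_blocks(survivors)


def can_rebuild(lost_indices):
    """Single parity covers one failure per stripe; two losses are unrecoverable
    (RAID 6 adds a second, differently computed parity block for that case)."""
    return len(set(lost_indices)) <= 1


def mirror_write(block):
    """Disk mirroring (RAID 1): the same block on two disks, no parity arithmetic,
    half the usable capacity."""
    return block, block


if __name__ == "__main__":
    stripe = write_stripe([b"AAAA", b"BBBB", b"CCCC"])
    print(stripe[3])                       # parity block
    print(rebuild(stripe, 1) == stripe[1]) # disk 1 failed: data recovered
```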
Streaming
A technique for transferring data such that it can be processed as a steady and continuous stream.
Here it is the process of writing each transaction to another medium at the same time as the transaction updates the data files (a transaction log). One common implementation is to write the transactions to tape.
Streaming creates a lot of overhead in terms of CPU and I/O on a system.
Hot Backup
A technique used to keep a LAN operating should a file server fail. Two file servers operate in tandem and the data is duplicated on the hard disks of both. This is like disk mirroring, but across two servers instead of within one server.
Useful Tools
Useful tools for tightening operating system security:
– COPS (Computer Oracle and Password System)
– SATAN (Security Administrator's Tool for Analyzing Networks)
– SAINT (Security Administrator's Integrated Network Tool)
– TITAN
– TIGER
– TCP Wrapper
– Tripwire
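An added example (not Tripwire's own code, nor from the slides) of the file-integrity technique Tripwire is listed for: take a baseline of every file under a root (owner, group, mode, size and SHA-256), store it, and later compare a fresh scan against it to report added, removed and changed files. The demo builds a throwaway directory, tampers with it, and returns the report; the file names and contents are constructed. The baseline itself must live somewhere the attacker cannot rewrite (read-only media, a signed copy, or another host), otherwise the comparison proves nothing.

```python
import hashlib
import os
import stat
import tempfile


def file_fingerprint(path):
    """Attributes Tripwire-style tools record; symlinks are not followed."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return {"mode": oct(st.st_mode), "uid": st.st_uid, "gid": st.st_gid,
            "size": st.st_size, "sha256": h.hexdigest()}


def baseline(root):
    """Map of path (relative to root) -> fingerprint for every file under root."""
    db = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            db[os.path.relpath(p, root)] = file_fingerprint(p)
    return db


def compare(old, new):
    """Report added and removed paths and, for common paths, which attributes differ."""
    report = {"added": sorted(new.keys() - old.keys()),
              "removed": sorted(old.keys() - new.keys()),
              "changed": []}
    for rel in sorted(old.keys() & new.keys()):
        diffs = [k for k in old[rel] if old[rel][k] != new[rel][k]]
        if diffs:
            report["changed"].append((rel, diffs))
    return report


def demo():
    """Constructed scenario: baseline, then a trojaned binary of identical size,
    a setuid bit added to a config file, and a new hidden file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original")
        with open(os.path.join(root, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        before = baseline(root)

        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"trojaned")                       # same 8-byte size, new content
        os.chmod(os.path.join(root, "passwd"), 0o4755)  # mode change only
        with open(os.path.join(root, "bin", ".hidden"), "wb") as f:
            f.write(b"dropped by attacker")

        return compare(before, baseline(root))


if __name__ == "__main__":
    print(demo())
```

The size-preserving replacement is the case that defeats a check based on size or timestamp alone and is why the fingerprint includes a cryptographic hash; conversely the passwd change is caught by mode alone, so a hash-only check would miss it.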
COPS, SATAN & SAINT
TITAN, TIGER & TCPWrapper