BLUG MEET - 25th June 2004

Hi Everyone,

Here are the minutes for the June BLUG Meet written by yours truly, Surjo Das. The Meet was held on Friday, 25th June at the usual place - Shantala Hall, Hotel Ashraya International, Infantry Road. Totally 56 people turned up for the meet. The BLUG Meet attendance came back to its usual numbers considering that only 28 people turned up for the previous month's meet. About 30 people turned up by 6:15 pm and more people started trickling in slowly and eventually we had 56 people for this meet. Mahendra arrived with his laptop, which was intended to be used for presenting the first talk. It was an Acer laptop running on Mandrake. At 6:30 the BLUG Co-ordinator, Kartik kicked off the meet with a brief welcome address and an expression of happiness that the BLUG Meet attendance came back to its original numbers. He then introduced the first speaker of the meet, Devdas Bhagat whose talk was on Securing Linux Systems and the Secure Sysadmin.

Devdas' talk was very systematic with a good explanation of each point under every topic on each on his slides. BTW, his slides were a PDF document being run on Mahendra's Mandrake laptop. Devdas started off with his talk first by explaining the meaning of security, which in his words, is the process of increasing the difficulty of unauthorized access of data and making the task of authorized users easier. We need to be paranoid perhaps to be security experts. Security does not entail having a firewall, and Intrusion Detection System (IDS) or fancy GUI. Its more about knowing about the business. Devdas then moved on to explaining the sysadmin virtues, which include people management skills, understanding business requirements, technologies used, being lazy at times and suggested using scripts. Only the paranoid people survive as the better security sysadmins. Some of the security paradigms are that total security is not always secure, always dependent on the sysadmin and bad sysadmins are worse than having none at all. According to Devdas, designing secure systems is not adding patches. It is designed for a system from Day 1 of the business itself. Merely good design is not enough. It is always important to change the security design regularly and its important to always have the support of the management. While implementing a security system, its important to perform a risk analysis, analyse the minimum requirements for a security system, and most importantly to get the management to write a security policy that can be practically implementable and after that, it's a walk in the park. Then coming to the technologies used, Devdas explained that specific implementations are not relevant during design. It is better to choose the best implementation that matches the security policy. Its important to always perform a cost benefit analysis and harden all systems from the desktops to the servers. Airgap firewall is a cheap implementation that provides separate subnets for different network segments.

Devdas then went on to explain about the Firewalls. A firewall must be designed to limit unwanted traffic and its always better to use default deny option for all services. Drawing the traffic matrix with the different services, source, destination, input and output traffic is another important task of a security sysadmin. Then going into defence in depth, Devdas suggests physically securing the systems, implement 802.1 q on any network. Implement DHCP on any non trivial network. Lock down switch ports and avoid using vulnerable applications like Internet Explorer, Outlook Express and Outlook. We just couldn't resist the temptation of mentioning this ! Then moving on to patch management, Devdas recommends testing the patches first, and to patch systems fast enough. Nowadays, the window between patch and released exploits is decreasing. Its important to ensure that all machines are patched. Its ideal to automate it for desktops. Going into more defence in depth, Devdas then mentioned about locking down the network from edge to edge. The router is the first firewall. Its also important to lock down the network at the core. Edge security is also not enough. If we have a walnut like security where the border is secure, but the core is not, it's a bad security design. Use strong passwords and not ordinary ones. Devdas suggests using TLS as much as possible. And moving on to wireless LANs, Devdas recommends avoid using wireless networks if possible. They must be separate from regular networks. Laptops that go out of office must be on separate networks. Get the laptops to VPN in over wireless and it is better to limit access to resources for wireless networks than wired networks.

Devdas then went on another important aspect of security - Logging. Often neglected but comes in very handy for a security sysadmin. Its important to always log information, analyse the logs. Automation of logs is better. In some networks, dedicated servers are allocated for this purpose. Regular audits are also important. When discussing about intrusion detection systems, Devdas warned that any system can be broken. The attacker always has more time. The IDS must automate the job of watching network for break-ins. Using HIDs & NIDs in combination is suggested. Co-relating the events and all logs is important. Finally, moving on to backups, it's a security design to keep a business running. Regular backups and verifying the same is important. Securing the backup tapes is important as well as the active data. With this, Devdas ended his talk and threw open the meet for a Q & A session. A good Q & A session followed about using wireless LANs, SSL connections, blocking incoming SPAM using amavis, physical security of systems which involve even using a security guard to guard the server room, OSS data correlation software, analyzing rules to check iptables, the commonly available commercial firewalls like Checkpoint, Cisco PIX. On a question about securing the Home PC, Devdas once again recommended not using Internet Explorer, Outlook Express and Outlook. Answering a question about SE Linux, Devdas mentioned that it's a kernel patch merged with Kernel 2.6, which is a fine granular security implementation, and Devdas answered a final question on LIDS before ending his talk. After Devdas' excellent talk came to an end, Kartik announced the 2nd talk, which was on PGP & GPG by Senthil.

Senthil took a while to start of with his talk as he was trying to adjust the display settings on his laptop with the projector. For some reason, the projector decided to secure itself and allow only Mahendra's laptop to be projected. Anyway, Senthil's slides were copied on Mahendra's laptop and could be projected with ease. Mahendra, the Super Hero to the rescue of the innocent and users of Free and Open Source Software ! Senthil began his talk with the meaning of privacy in communication between 2 individuals using GNUPG, GPG with Mutt, Idea, etc. Senthil went on to explain the reasons behind the usage of privacy and security. GNU Privacy Guard is a free software implementation of PGP. It doesn't use the patented IDEA algorithm. The German Ministry of Economics and Commerce supports it. Its available on all Linux distros and commercial UNIX flavours as well. The recent version of GPG is 1.2.1. The supported algorithms are public key, cipher, hash and compression. After a quick explanation of the public key and private key, Senthil went into the details of getting started with GNUPG. A small demo followed on creating a public key with inputs and suggestions from Devdas Bhagat. He didn't seem to have finished with his contribution at the Meet ! After the demo, Senthil continued with his talk about the current bit-encyrption supported which is 1024-bit encryption. Senthil then went to explain the process of getting started with GPG which involves generating a key, generating a revocation certificate, exchanging keys, encrypting & decrypting documents, making & verifying signatures, using clearsigned documents and detached signatures.

Senthil then went on to explain the concept of ciphers, which are symmetric ciphers, public-key ciphers, hybrid ciphers and digital signatures. Then a small discussion followed about encryption, decryption, conventional cryptography and public key cryptography. As per Senthil, GPG uses hybrid cipher. Then the talk went on to the encryption and decryption methods used in GPG. Senthil then explained about key management, which includes managing own keypair, key integrity, adding and deleting key components, revoking key components and updating key expiration date. Senthil provided a small demo with a brief explanation on this aspect. He then switched over for the need for message signatures, which provides authenticity and integrity of the same. A question was asked about using PGP mails, which can be signed. Senthil also clarified that GPG can be used with various front-end applications to do the same. Senthil then explained about the daily use of GNUPG by defining the security needs, building a web of trust and using GNUPG legally. A question on the different uses of PGP & GPG was discussed further. A discussion followed about the insecure memory warning, PGP key signing party, how Open PGP message format was based on RFC 2440. Some of the key management tools used are GPA in GNOME, KGPG which is default with FC2 and also SeaHorse for GNOME. Senthil then ended his talk with the different references of his slides and a small Q & A session followed about the interoperability of PGP & GPG and the practical usage of keys. Thus the talk ended and Kartik ended the meet with the announcement of the availability of food.

The meet ended with everyone involving in splurging on the food, socializing among one another and building new contacts. Everyone seemed to have had a good time during this meet. Informal BOF sessions were also under way at different corners of the Hall. A typical BLUG meet where we have good discussions at every meet. A total of 56 people had turned up for this meet, which made it a very memorable one. Well, that is all for this meet, people. Hope to see you all at the next meet in more numbers and have another gala time. Until then, feel safe and be secure with the Tux !



Source Income Expenses Balance
Covercharges (56x100) 5600
Hotel Charges 5600
Final Accounts 5600 5600 0
All amounts are in INR


Everything here is Copyright © The Author of the Piece
Anything else is Copyright © 2004 The Bangalore Linux User Group
All Rights Reserved.

Comments? Feedback? Mail The WebMaster