Discussion
This section discusses the basic concepts of SELinux, IPTables and Bro. The report describes the architecture of each, their main features and the way they operate, using various commands. It first discusses SELinux, followed by IPTables and Bro. All of this is covered in brief, so as to understand the service that each provides.
SELinux, or Security-Enhanced Linux, is a Linux kernel security module that provides a mechanism for supporting access control security policies, including United States Department of Defense-style mandatory access controls (MAC). It is a set of kernel modifications and user-space tools that has been added to various Linux distributions (Xu, Shehab and Ahn 2013). The SELinux architecture strives to separate the enforcement of security decisions from the security policy itself, and to streamline the amount of software responsible for implementing the policy. SELinux has several features, some of which are listed below:
- Clean separation of policy from enforcement
- Well-defined policy interfaces
- Support for applications that query the policy and enforce access control
- Independence from specific policies and policy languages
- Independence from specific security-label formats and contents
- Individual labels and controls for kernel objects and services
- Support for policy changes
- Measures for protecting system integrity and data confidentiality
- Flexible policies
- Effective control over process initialization, inheritance and program execution
- Effective control over open files, file descriptors, directories and file systems
- Controls over network interfaces, messages and sockets (Mutti, Bacis and Paraboschi 2015)
- Controls over the use of "capabilities"
SELinux also defines the access and transition rights of every user, application, process and file in the system. SELinux then governs the interactions between these entities using a security policy, which specifies how strict or lenient a given Red Hat Enterprise Linux installation should be.
Whenever a subject attempts to access an object, the policy enforcement server in the kernel checks an access vector cache (AVC), where the permissions of subjects and objects are cached. If no decision can be made from the data in the AVC, the request is passed to the security server, which looks up the security context of the application and the file in a matrix. Permission is then granted or denied; a denial is recorded as an "avc: denied" message in /var/log/messages. The security contexts of subjects and objects are applied from the installed policy, which provides the information used to populate the security server's matrix (Wikberg 2017).
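The "avc: denied" message mentioned above is what an administrator reads to understand which subject type was refused which permission on which object type. The following shell script is an added example, not part of the report: it extracts the security-relevant fields from such a message. The log line is constructed for the example and the function names are the author's own.

```shell
#!/bin/sh
# Added example (not from the report): pull the security-relevant fields out of
# an "avc: denied" message of the kind SELinux writes to /var/log/messages.
# The log line below is constructed for this example, not taken from a real host.

SAMPLE_AVC='type=AVC msg=audit(1520000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_field LINE KEY -> prints the value of KEY (e.g. scontext) from an AVC line,
# with or without the surrounding double quotes.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_permissions LINE -> prints the permission set inside the braces, e.g. "read".
avc_permissions() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p' | sed 's/[[:space:]]*$//'
}

# avc_summary LINE -> one-line summary: source type, target type, object class,
# permissions, and whether the denial was enforced (permissive=0) or only logged.
avc_summary() {
    line=$1
    src=$(avc_field "$line" scontext | cut -d: -f3)   # third colon field is the type
    tgt=$(avc_field "$line" tcontext | cut -d: -f3)
    cls=$(avc_field "$line" tclass)
    perms=$(avc_permissions "$line")
    if [ "$(avc_field "$line" permissive)" = "1" ]; then mode=logged-only; else mode=enforced; fi
    printf '%s -> %s %s {%s} %s\n' "$src" "$tgt" "$cls" "$perms" "$mode"
}

avc_summary "$SAMPLE_AVC"
```

The `permissive` field is worth checking first: a denial with `permissive=1` was logged but not blocked, which is exactly the behaviour of permissive mode described in the next paragraphs.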
SELinux operates in one of three modes:
Enforcing mode: This is the default mode when SELinux is installed. It enforces the system's policies, denying access and logging the actions that violate them (Bacis et al. 2015).
(Figure: SELinux)
Permissive mode: This mode is commonly used for troubleshooting problems with SELinux. The security policies are enabled but not enforced (Chatterjee and Mishra 2014), so actions that would be denied instead produce warnings and log entries for the system administrator.
Disabled mode: In this mode SELinux is turned off, which means the security policies no longer protect the server (Vermeulen 2016).
SELinux uses a set of rules, known as a policy, to authorize or forbid an operation. Creating these rules from scratch is difficult, but two standard policies, strict and targeted, avoid the bulk of the configuration work.
SELinux is built into the standard kernels provided by Debian, and the core Unix tools support it without modification. The apt install selinux-basics selinux-policy-default command installs the programs needed to configure an SELinux system.
The selinux-policy-default package provides a set of standard rules which, by default, restrict access for a few widely exposed services. User sessions are not restricted, so legitimate user operations are unlikely to be blocked (Paolino, Hamayun and Raho 2014), yet the security of the services provided by the system is still improved. To set up a policy equivalent to the old strict rules, the recommended approach is simply to disable the unconfined modules. After the policy is installed, all available files must be labelled (Kenkre, Pai and Colaco 2015); this is started manually with fixfiles relabel. SELinux is then ready for use. To enable it, the selinux=1 security=selinux parameters are added to the Linux kernel command line. The enforcing=1 parameter then brings the rules into effect; without it, SELinux runs in permissive mode, where denied actions are logged but still executed (Amthor 2015). It is therefore necessary to modify the GRUB bootloader configuration to append the desired parameters. The easiest way is to edit the GRUB_CMDLINE_LINUX variable in /etc/default/grub and then run update-grub. After the reboot, SELinux is active.
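The GRUB edit described above is easy to get wrong by hand (a duplicated parameter, or a missing quote). The following script is an added example, not from the report: it appends the SELinux kernel parameters to GRUB_CMDLINE_LINUX in a grub defaults file exactly once. The file path is a parameter so the function can be exercised on a copy; on a Debian host the real file is /etc/default/grub, and update-grub is still run afterwards as the text describes. The function names and the sample file contents are the author's own.

```shell
#!/bin/sh
# Added example, not from the report: append the SELinux kernel parameters to
# GRUB_CMDLINE_LINUX in a grub defaults file, the step the text describes before
# running update-grub. The file path is a parameter so it can be exercised on a
# copy; on a real Debian host it would be /etc/default/grub.

SELINUX_PARAMS="selinux=1 security=selinux enforcing=1"

# grub_cmdline FILE -> prints the current value of GRUB_CMDLINE_LINUX (without quotes).
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1"
}

# add_selinux_params FILE -> rewrites FILE so GRUB_CMDLINE_LINUX carries every
# parameter in SELINUX_PARAMS exactly once; prints the resulting line.
add_selinux_params() {
    file=$1
    current=$(grub_cmdline "$file")
    new=$current
    for p in $SELINUX_PARAMS; do
        case " $new " in
            *" $p "*) ;;                      # already present: keep the edit idempotent
            *) new="${new:+$new }$p" ;;
        esac
    done
    if grep -q '^GRUB_CMDLINE_LINUX=' "$file"; then
        # replace the line via a temp file (portable: no sed -i)
        tmp=$(mktemp)
        awk -v v="$new" '/^GRUB_CMDLINE_LINUX=/ { print "GRUB_CMDLINE_LINUX=\"" v "\""; next } { print }' "$file" > "$tmp" \
            && cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf 'GRUB_CMDLINE_LINUX="%s"\n' "$new" >> "$file"
    fi
    grep '^GRUB_CMDLINE_LINUX=' "$file"
}

# Constructed sample grub defaults file, written to a temp file for the demonstration.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="net.ifnames=0"
EOF

add_selinux_params "$demo_file"
# On a real host the remaining steps are: sudo update-grub, then reboot.
```

Running the function a second time on the same file leaves it unchanged, which is the property you want from a script that may be re-run during provisioning.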
IPTables is a user-space utility program that allows a system administrator to configure the tables provided by the Linux kernel firewall, together with the chains and rules stored in them. Different kernel modules and programs are used for different protocols (Diekmann et al. 2016): iptables applies to IPv4, ip6tables to IPv6, arptables to ARP and ebtables to Ethernet frames.
(Figure: The decision making process of SELinux)
iptables requires elevated privileges to operate and must be executed as the root user, otherwise it fails to function. On most Linux systems iptables is installed as /usr/sbin/iptables, and its documentation is in the man pages, which can be opened with man iptables once it is installed. It may also be found in /sbin/iptables; however, because iptables is more like a service than an "essential binary", the preferred location remains /usr/sbin (Diekmann and Hupel 2016).
IPTables is the default firewall in most Linux distributions. It is used to manage packet filtering, Destination Network Address Translation (DNAT) and Source Network Address Translation (SNAT) rules (Šimon, Huraj and Čerňanský 2015), and it ships with all Linux distributions. IPTables consists of multiple tables, each table consists of multiple chains, and each chain consists of numerous rules defined for incoming and outgoing packets (Chatterjee 2013).
There are five built-in chains in which firewall policy rules can be placed:
INPUT chain: used for rules applied to traffic or packets coming into the server (Xu and Su 2013).
OUTPUT chain: used for rules applied to traffic or packets leaving the server.
FORWARD chain: used for rules related to forwarding an IP packet.
PREROUTING chain: used for rules defining the actions to be taken before the kernel makes its routing decision (Xuan and Wu 2015).
POSTROUTING chain: used for rules defining the actions to be taken after the kernel makes its routing decision.
Some useful commands are listed below:
sudo iptables -t <table-name> -v -L
Where,
-t specifies the name of the table,
-v enables verbose output, and
-L lists the chains and rules
Example:
In the figure provided, the chains and rules defined inside the filter table are listed.
sudo iptables -t <table-name> -A <chain-name> -d <destination-address> -p <protocol> -j <action>
Where,
-A appends one or more rules to the end of the selected chain
-d specifies a particular destination address
-p is the protocol of the rule or of the packet to check
-j specifies the target of the rule, that is, what is to be done if the packet matches it
(Figure: Modes of SELinux)
Example:
From the figure it can be seen that a rule has been added to the OUTPUT chain which drops any TCP packet going to 1.2.3.4.
sudo iptables -t <table-name> -F
Where,
-F flushes all the rules of the selected table
Example:
From the figure it can be seen that all the rules in the filter table have been deleted (flushed) (Karimi et al. 2013).
sudo iptables -t <table-name> -N <chain-name>
Where,
-N adds a new chain to the specified table
Example:
The command above has been used to create a new chain named "TEST", as shown in the figure.
sudo iptables -t <table-name> -X <chain-name>
Where,
-X deletes the specified user-defined chain
Example:
The chain named "TEST" has been deleted from the filter table.
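The commands above, as one script rather than separate figures, form an added example that is not part of the report. With DRY_RUN=1 (the default here) each iptables invocation is printed instead of executed, so the sequence can be read and checked without root; with DRY_RUN=0 the same functions run the real commands through sudo. The table name, the chain name TEST and the address 1.2.3.4 are the report's own illustration values; the function names are the author's own.

```shell
#!/bin/sh
# Added example, not from the report: the iptables commands discussed above,
# wrapped in functions so the whole sequence (list, append, new chain, flush,
# delete chain) reads as one script. With DRY_RUN=1 the commands are printed
# instead of executed, which needs no root and shows exactly what would be
# sent to the kernel.

DRY_RUN=${DRY_RUN:-1}
TABLE=${TABLE:-filter}

# ipt ARGS... -> runs (or, in dry-run mode, prints) "iptables -t $TABLE ARGS..."
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables -t %s %s\n' "$TABLE" "$*"
    else
        sudo iptables -t "$TABLE" "$@"
    fi
}

list_rules()   { ipt -v -L; }                             # -L lists chains and rules, -v is verbose
drop_tcp_to()  { ipt -A OUTPUT -d "$1" -p tcp -j DROP; }  # -A appends to OUTPUT; -d, -p, -j as in the text
new_chain()    { ipt -N "$1"; }                           # -N creates a user-defined chain
flush_chain()  { ipt -F "$1"; }                           # -F with a chain flushes that chain only (no argument: whole table)
delete_chain() { flush_chain "$1"; ipt -X "$1"; }         # -X succeeds only on an empty chain that no rule references

# demo_sequence -> the sequence shown in the report's figures, in order
demo_sequence() {
    list_rules
    drop_tcp_to 1.2.3.4
    new_chain TEST
    delete_chain TEST
}

demo_sequence
```

The flush before -X in delete_chain is the practical detail the figures do not show: iptables refuses to delete a chain that still holds rules or is the jump target of another rule, so a script that deletes chains has to empty them first.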
Bro is a free and open-source software framework for network analysis, used as a network intrusion detection system (NIDS) but with additional live analysis of network events. IP packets captured using libpcap are passed to an event engine, which accepts or rejects them. Accepted packets are forwarded to the policy script interpreter (Koning et al. 2018).
The event engine analyses recorded or live network traffic to generate policy-neutral events. An event is generated whenever something happens: this can be triggered by the Bro process itself, for example just after initialization or just before termination, or by something taking place on the network that Bro observes, such as an HTTP request or a new TCP connection. Bro uses common ports or dynamic protocol detection to make the best guess at interpreting network protocols (Lin et al. 2013).
Most Bro analysers are located in Bro's event engine and are accompanied by policy scripts, which users can also customize. The analysers perform various tasks, including application-layer decoding, anomaly detection, signature matching and connection analysis. Bro is designed so that further analysers can be added cleanly. Analysers shipped with Bro include HTTP, FTP, SMTP, DNS and many more. Other, non-application-layer analysers detect host or port scans, SYN floods and intermediary hosts (Sun, Nanda and Jaeger 2015). Bro also includes signature detection, which allows Snort signatures to be imported.
(Figure: Setting Up SELinux)
Like other network tools with a Unix or Linux heritage, Bro uses the libpcap package as part of its architecture (Kuusijärvi et al. 2016). With libpcap support Bro can run on various networks; this is the typical form of the Bro architecture.
Besides portability, libpcap also allows Bro to be used as a passive network tool: it can run off a network tap or a monitoring port on a switch without itself being a node with an assigned IP address on the monitored network.
Once Bro receives the IP packets, the application architecture comes into play. Bro's event engine accepts the packets and converts them into events. The events are then forwarded to the policy script interpreter, which produces the output (Lara and Ramamurthy 2014). Bro's outputs can be divided into actions, alerts and logs.
Bro supports a wide range of analyses through its scripting language, and even without any customization it has a set of powerful features, some of which are listed below:
- Runs on standard UNIX-style systems
- Fully passive traffic analysis off a network tap or monitoring port
- Standard libpcap interface for capturing packets
- Real-time and offline analysis
- Cluster support for large-scale deployments
- Unified management framework for operating both standalone and cluster setups (Amann and Sommer 2015)
- Open-source under a BSD license
- Comprehensive logging of activity for offline analysis and forensics
- Port-independent analysis of application-layer protocols
- Support for many application-layer protocols
- Analysis of file content exchanged over application-layer protocols, including MD5/SHA1 computation for fingerprinting
- Comprehensive IPv6 support
- Tunnel detection and analysis: Bro decapsulates tunnels and then analyses their content
- Extensive sanity checks during protocol analysis
- Support for IDS-style pattern matching (Cao et al. 2015)
- Turing-complete language for expressing arbitrary analysis tasks
- Event-based programming model
- Domain-specific data types such as IP addresses, port numbers and timers
- Extensive support for tracking and managing network state over time
- Default output to well-structured ASCII logs
- Alternative backends for ElasticSearch and DataSeries; further database interfaces are in preparation
- Real-time integration of external input into analyses; live database input is in preparation (Udd et al. 2016)
- External C library for exchanging Bro events with external programs; Bro comes with Perl, Python and Ruby bindings
- Ability to trigger arbitrary external processes from within the scripting language
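The "well-structured ASCII logs" and the scan detection mentioned above come together when Bro's logs are analysed offline. The following script is an added example, not from the report or the Bro project: it reads a Bro conn.log by its #fields header (so column positions are never hard-coded) and flags sources with half-open TCP connections (conn_state S0, no reply from the server) to many distinct ports, the pattern a port scan leaves in conn.log. The log excerpt is constructed for this example, with "|" standing in for Bro's tab separator; the field names follow Bro's conn.log header, while the function names and the threshold are the author's own.

```shell
#!/bin/sh
# Added example, not from the report: reading Bro's tab-separated ASCII logs
# for offline analysis. The conn.log excerpt is constructed for this example;
# the field names follow Bro's conn.log #fields header. Real logs are produced
# by running Bro over a capture, e.g.  bro -r capture.pcap local

# sample_conn_log -> emits the constructed conn.log ("|" converted to tabs).
sample_conn_log() {
    tr '|' '\t' <<'EOF'
#fields|ts|uid|id.orig_h|id.orig_p|id.resp_h|id.resp_p|proto|service|duration|orig_bytes|resp_bytes|conn_state
#types|time|string|addr|port|addr|port|enum|string|interval|count|count|string
1520000001.000000|CXa1|10.0.0.5|51000|10.0.0.1|80|tcp|http|0.5|120|3400|SF
1520000002.000000|CXa2|10.0.0.5|51001|10.0.0.1|22|tcp|ssh|12.0|900|1200|SF
1520000003.000000|CXa3|10.0.0.9|40000|10.0.0.1|23|tcp|-|0.0|0|0|S0
1520000004.000000|CXa4|10.0.0.9|40001|10.0.0.1|445|tcp|-|0.0|0|0|S0
1520000005.000000|CXa5|10.0.0.9|40002|10.0.0.1|3389|tcp|-|0.0|0|0|S0
1520000006.000000|CXa6|10.0.0.7|53000|10.0.0.2|53|udp|dns|0.01|60|140|SF
EOF
}

# bro_column FIELD (log on stdin) -> prints that column for every record,
# locating it by name from the #fields header line.
bro_column() {
    awk -F'\t' -v want="$1" '
        /^#fields/ { for (i = 2; i <= NF; i++) idx[$i] = i - 1; next }
        /^#/       { next }
                   { print $(idx[want]) }'
}

# bro_scan_sources THRESHOLD (log on stdin) -> "orig_h<TAB>distinct_ports" for
# every source with at least THRESHOLD half-open (S0) TCP connections to
# distinct destination ports, i.e. the footprint of a port scan.
bro_scan_sources() {
    awk -F'\t' -v th="$1" '
        /^#fields/ { for (i = 2; i <= NF; i++) idx[$i] = i - 1; next }
        /^#/       { next }
        $(idx["proto"]) == "tcp" && $(idx["conn_state"]) == "S0" {
            key = $(idx["id.orig_h"]) SUBSEP $(idx["id.resp_p"])
            if (!(key in seen)) { seen[key] = 1; ports[$(idx["id.orig_h"])]++ }
        }
        END { for (h in ports) if (ports[h] >= th) printf "%s\t%d\n", h, ports[h] }'
}

sample_conn_log | bro_scan_sources 3
```

Resolving columns through the #fields line matters in practice: Bro logs gain or reorder fields between versions and when extra scripts are loaded, so a parser keyed on fixed column numbers silently reads the wrong data.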
Conclusion:
The above helps in understanding the basic concepts of SELinux, IPTables and Bro, along with the ways in which they are used. The report also provides a brief overview of each, which helps in understanding how they operate, what their basic functions are and what their basic architecture is.
References:
Amann, J. and Sommer, R., 2015, November. Providing dynamic control to passive network security monitoring. In International Workshop on Recent Advances in Intrusion Detection (pp. 133-152). Springer, Cham.
Amthor, P., 2015, July. A uniform modeling pattern for operating systems access control policies with an application to SELinux. In e-Business and Telecommunications (ICETE), 2015 12th International Joint Conference on (Vol. 4, pp. 88-99). IEEE.
Bacis, E., Mutti, S., Capelli, S. and Paraboschi, S., 2015, September. DockerPolicyModules: mandatory access control for docker containers. In Communications and Network Security (CNS), 2015 IEEE Conference on (pp. 749-750). IEEE.
Cao, P., Badger, E.C., Kalbarczyk, Z.T., Iyer, R.K., Withers, A. and Slagell, A.J., 2015, April. Towards an unified security testbed and security analytics framework. In Proceedings of the 2015 Symposium and Bootcamp on the Science of Security (p. 24). ACM.
Chatterjee, A. and Mishra, A., 2014. Securing the Root Through SELinux. In Intelligent Computing, Networking, and Informatics (pp. 653-659). Springer, New Delhi.
Chatterjee, K., 2013. Design and Development of a Framework to Mitigate DoS/DDoS Attacks Using IPtables Firewall. International Journal of Computer Science and Telecommunications, 4(3), pp.67-72.
Diekmann, C. and Hupel, L., 2016. Iptables Semantics. Archive of Formal Proofs, Sep.
Diekmann, C., Michaelis, J., Haslbeck, M. and Carle, G., 2016, May. Verified iptables firewall analysis. In IFIP Networking Conference (IFIP Networking) and Workshops, 2016 (pp. 252-260). IEEE.
Karimi, K., Ahmadi, A., Ahmadi, M. and Bahrambeigy, B., 2013, December. Acceleration of IPTABLES Linux packet filtering using GPGPU. In Symposium on Computer Science and Software Engineering (CCSE), Tehran, Iran.
Kenkre, P.S., Pai, A. and Colaco, L., 2015. Real time intrusion detection and prevention system. In Proceedings of the 3rd International Conference on Frontiers of Intelligent Computing: Theory and Applications (FICTA) 2014 (pp. 405-411). Springer, Cham.
Koning, R., Buraglio, N., de Laat, C. and Grosso, P., 2018. CoreFlow: Enriching Bro security events using network traffic monitoring data. Future Generation Computer Systems, 79, pp.235-242.
Kuusijärvi, J., Savola, R., Savolainen, P. and Evesti, A., 2016, December. Mitigating IoT security threats with a trusted Network element. In Internet Technology and Secured Transactions (ICITST), 2016 11th International Conference for (pp. 260-265). IEEE.
Lara, A. and Ramamurthy, B., 2014, December. OpenSec: A framework for implementing security policies using OpenFlow. In Global Communications Conference (GLOBECOM), 2014 IEEE (pp. 781-786). IEEE.
Lin, H., Slagell, A., Di Martino, C., Kalbarczyk, Z. and Iyer, R.K., 2013, January. Adapting bro into scada: building a specification-based intrusion detection system for the dnp3 protocol. In Proceedings of the Eighth Annual Cyber Security and Information Intelligence Research Workshop (p. 5). ACM.
Mutti, S., Bacis, E. and Paraboschi, S., 2015, September. An SELinux-based intent manager for Android. In Communications and Network Security (CNS), 2015 IEEE Conference on (pp. 747-748). IEEE.
Paolino, M., Hamayun, M.M. and Raho, D., 2014, May. A performance analysis of arm virtual machines secured using selinux. In Cyber Security and Privacy Forum (pp. 28-36). Springer, Cham.
Šimon, M., Huraj, L. and Čerňanský, M., 2015. Performance evaluations of IPTables firewall solutions under DDoS attacks. Journal of Applied Mathematics, Statistics and Informatics, 11(2), pp.35-45.
Sun, Y., Nanda, S. and Jaeger, T., 2015, November. Security-as-a-service for microservices-based cloud applications. In Cloud Computing Technology and Science (CloudCom), 2015 IEEE 7th International Conference on (pp. 50-57). IEEE.
Udd, R., Asplund, M., Nadjm-Tehrani, S., Kazemtabrizi, M. and Ekstedt, M., 2016, May. Exploiting bro for intrusion detection in a SCADA system. In Proceedings of the 2nd ACM International Workshop on Cyber-Physical System Security (pp. 44-51). ACM.
Vermeulen, S., 2016. SELinux System Administration. Packt Publishing Ltd.
Wikberg, M., 2017. Secure computing: SELinux.
Xu, J. and Su, W., 2013. Performance evaluations of Cisco ASA and linux IPTables firewall solutions.
Xu, W., Shehab, M. and Ahn, G.J., 2013. Visualization-based policy analysis for SELinux: framework and user study. International Journal of Information Security, 12(3), pp.155-171.
Xuan, L.F. and Wu, P.F., 2015, April. The optimization and implementation of iptables rules set on linux. In Information Science and Control Engineering (ICISCE), 2015 2nd International Conference on (pp. 988-991). IEEE.