AIX Security Basics

Get Visibility into Your Networks

Chapter 7 | AIX eCourse

To secure your networks, start with an accurate, up-to-date diagram and picture of what your network services look like. From there, you can assess and make improvements. For example, if your network is flat and easy to move around laterally, it’s just as easy for an attacker to move around the network. Separate critical systems and services, build VLANs, and move your traffic to work on smaller pieces of your network. Create internal barriers that attackers have to traverse. That way, if system A is compromised, there is a block at some point that makes it difficult to also compromise system B.
 

If you don’t know what’s in your network, how will you properly secure it? The following commands help provide you with a comprehensive picture of what’s in your environment, and how it’s working.

ifconfig command

Use the ifconfig command to assign an address to a network interface or to configure and display the current network interface configuration information. The ifconfig command has to be used at system startup to define the network address of each interface on the system. It can then be used to redefine the interface addresses, and other operating parameters.

 

You can use the lscfg command to display vital product data, such as part numbers, serial numbers, and engineering controls on those network interfaces.

 

entstat command

Use entstat to get an idea of what’s available on your system, and what types of things are going on within your network traffic. The entstat command displays the generic statistics that are gathered by the specified Ethernet device driver. It also returns transmission errors, virtual I/O information, hypervisor statistics, and other types of information.

You can also display the device-specific statistics by running entstat with the -d flag, as seen in the example. Device-specific statistics are also displayed if you run the verbose netstat command, netstat -v.

# entstat -d ent0

 

Proxy services: inetd, xinetd

Often referred to as super-servers, inetd and xinetd watch a given list of services, ports, and protocols for requests to come in and for people who need to use them. inetd has recently started to be deprecated, so xinetd is now more commonly used. When activity occurs, xinetd maps the incoming request to standard input, standard output, and standard error. It then launches the proper daemon, and the service processes that data, terminating upon completion. This helps to keep resource consumption to a minimum and makes daemons easier to write.

Check whether xinetd is running using grep. If you are not actually launching any services from xinetd, you don’t need xinetd to be running because there's nothing for it to do. If it’s running without any launched services, kill the process to eliminate an unnecessary attack surface. If xinetd is in use, restrict the permissions on /etc/xinetd.conf to 440 or stricter so no alterations can be made.

grep -v "^#" /etc/inetd.conf

 

Route configuration

You will also want to verify that you have a default gateway defined using netstat. Without it, your system is at an increased risk of man-in-the-middle attacks, insecure monitoring, and denial of service. If you don’t have one, use either smitty route or route add 0 followed by the IP address of your gateway.

 

Securetcpip

The securetcpip command provides enhanced security on your network services in a variety of ways.

First, it runs the tcbck -a command to disable all non-trusted commands and daemons, including some of the older, non-encrypted services and remote access points, like rcp, rlogin, rlogind, or rsh. Those disabled commands and daemons aren’t deleted from your system, but are changed to mode 000. This allows you to go back later and reenable a particular command or service. Simply add a valid ACL whenever it is needed again.
 

 

Secondly, securetcpip adds a stanza to your security config file, which disables the old netrc functions that are no longer needed. It is best to run this command during a maintenance window and avoid doing it during production. Before you execute it, you will want to quiesce the system by logging in as root and then executing the killall command, which stops all network daemons, as well as every other process. If logging applications are running, you will want to make sure that you exit or finish before you execute that command.

After you issue this securetcpip command, you will have to shut down and restart your system. When the system restarts, the insecure network interface services, including tcpip commands, should be properly configured, enabling only the things you really need in a secure way.

 

TCP_wrappers

TCP wrappers allow administrators to control and log all their incoming TCP-based connections on the local host that come out of that xinetd service file. Sometimes these are just called wrappers, and they can quickly lock down all of those popular TCP inbound channels on your AIX machine.

For example, you can edit /etc/xinetd.conf, replacing every instance of telnetd with tcpd. This implements the TCP wrapper around the telnet command, and while you are hopefully not using telnet, this is a good example if you actually need to use it operationally.

If you don't have the wrappers installed, you can use smit to install them from your AIX expansion pack media. The file set is netsec/options/tcpwrappers. Typically, after you enable wrappers on the system, its default is to deny, providing a secure least-privilege posture on your system.

 

Set up only the individuals and systems that you want connections from using hosts.allow. If you are telnetting from inside of your corporate network, then you will want to block all access to telnet from outside of your corporate network. Using a firewall will provide another layer of defense, and protect your different systems and services.
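
The checks described under "Proxy services" and "TCP_wrappers" can be combined into one audit, shown here as an added example that is not part of the original course material: it lists the enabled entries of an inetd.conf-style file, reports which are started through tcpd, and tests whether the file mode is 440 or stricter. The sample file contents, the function names and the standard inetd.conf field layout are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: audit an inetd.conf-style file (constructed sample below).
# Assumed field layout: service socket proto wait user server-path args...

# Constructed sample input, not taken from a real host.
sample_conf() {
cat <<'EOF'
## sample inetd.conf
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd     ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/tcpd     telnetd -a
#shell  stream  tcp6    nowait  root    /usr/sbin/rshd     rshd
login   stream  tcp6    nowait  root    /usr/sbin/rlogind  rlogind
EOF
}

# audit_inetd FILE: one "service status" line per enabled (uncommented) entry.
audit_inetd() {
    grep -v '^#' "$1" | awk 'NF >= 6 {
        status = ($6 ~ /\/tcpd$/) ? "wrapped" : "UNWRAPPED"
        # telnet, login (rlogind) and shell (rshd) are the unencrypted services
        if ($1 ~ /^(telnet|login|shell)$/) status = status ",cleartext"
        print $1, status
    }'
}

# count_unwrapped FILE: number of enabled services not started through tcpd.
count_unwrapped() {
    audit_inetd "$1" | grep -c 'UNWRAPPED' || true
}

# conf_mode_ok FILE: succeeds only for mode 440 or stricter (no write, no "other").
conf_mode_ok() {
    case "$(ls -ld "$1" | awk '{print $1}')" in
        -[r-]--[r-]-----*) return 0 ;;
        *) return 1 ;;
    esac
}

tmp=$(mktemp)
sample_conf > "$tmp"
audit_inetd "$tmp"
echo "unwrapped services: $(count_unwrapped "$tmp")"
conf_mode_ok "$tmp" || echo "$tmp: permissions looser than 440"
rm -f "$tmp"
```

On a real system, pass the path of the live configuration file to audit_inetd and conf_mode_ok instead of the temporary sample.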
