Solved

Need security products for Solaris...

Posted on 1998-07-09
Last Modified: 2013-12-23
I am looking at a couple security products. But I'll need to
evaluate them first. I downloaded some information on the
Sun Security Manager 4.4 from the Sun internet site.
But when I called Sun Express, they told me that they can't
ship outside the U.S. I know we can purchase the "export controlled"
version, but it means we might have to settle for 40bit encryption.
They also told me that this product has no evaluation copy.
It's really a family of about 4 products, but they are expensive.

I also found a security product by Entrust Technologies from
Canada, but I need to contact them about an evaluation copy.
What advice can you give me regarding third party security products
for Sun? We want to ensure security on the following network
elements:
DESKTOP, LAN, WAN, Database Application

Thanks in advance for your help!

Denmark W.

Question by:denmarkw
7 Comments
 
LVL 1

Expert Comment

by:albberat
Please state the Solaris version, and what is your primary goal. You can easily port source code from GNU sites like Sunsite and make them available for Solaris. The first ones I will suggest are the shadow (salt encryptions for passwords), the encryption public key, secure telnet, and please be specific for DATABASES and LAN. About Desktop?? What do you need for desktop? So far the only thing I can think of for desktop are screensavers like Xoclock with password locking ... please give me an idea ... It seems all very interesting ...

Good Luck ...
 
0
 

Expert Comment

by:seena
Please state exactly what you require. From your question I perceive that you are expecting security products for the LAN, DESKTOP etc.; your question is still unclear to me. I would appreciate it if the question were escalated more. You can reach me at srini75@hotmail.com.

Regards
Seena
0
 
LVL 1

Expert Comment

by:rgmisra
As an MIT student, I may not be very impartial, but I find
Kerberos to be a good security product. It is freely available
outside the US, and uses 56-bit DES encryption. Certain databases
also support it for authentication and encryption.
0
 
LVL 1

Accepted Solution

by:
ksb earned 100 total points
By security you mean you want your data to be safe from outsiders getting on the host and trashing it?  You should take these steps:

1) Accounts only for those that need them, and good passwords on those.  Use "Crack" to check the passwords.

2) Every account in its own group, see the Linux justification.

3) Extra groups for Logins to do group work.  Just add them to /etc/group (or on an HP /etc/logingroup).  Make logins for each group with NO password.  The login is a place holder for the home directory for the project.

4) Use a mode sniffer like Tripwire (from Purdue) see <http://www.cs.purdue.edu/faculty/spaf.html> for a list of these, or <ftp://coast.cs.purdue.edu/pub/Purdue/>

5) There is a little known program "instck" that I use to find and repair Vendor problems, see <ftp://ftp.physics.purdue.edu/pub/pundits/>

6) Use things like ssh (the secure shell) to reach in from the Internet or out to other sites.  Avoid sending plain text passwords.

7) Keep up with Vendor patches and SANS style notifications of problems (like Ping-o-death, smurf attack, bind problems...)

8) Upgrade Vendor OS's at least every 2 years (I know that hurts).

9) Be careful with NFS, sendmail, and .rhosts.

10) Don't believe that a free "top 10" list is the complete story.

0
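Step 4's "mode sniffer" idea, reduced to its core as an added example (not part of the original answer, and not Tripwire's own code or database format): record each file's permission bits, owner, size and a SHA-256 digest, then report what differs from that baseline. The function names and the sample tree are constructed for illustration.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

FIELDS = ("mode", "uid", "gid", "size", "sha256")

def snapshot(root):
    """Map each regular file under root to a tuple matching FIELDS."""
    baseline = {}
    for path in Path(root).rglob("*"):
        st = path.lstat()
        if stat.S_ISREG(st.st_mode):  # skip directories, symlinks, special files
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            baseline[str(path.relative_to(root))] = (
                stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, st.st_size, digest)
    return baseline

def compare(old, new):
    findings = []  # (path, finding) pairs, sorted by path
    for path in sorted(set(old) | set(new)):
        if path not in new:
            findings.append((path, "removed"))
        elif path not in old:
            findings.append((path, "added"))
        else:
            diff = [f for f, a, b in zip(FIELDS, old[path], new[path]) if a != b]
            if diff:
                findings.append((path, "changed:" + ",".join(diff)))
    return findings

def demo():
    """Constructed sample tree: take a baseline, tamper, then compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("login", "su", "motd"):
            (root / name).write_bytes(b"v1")
            (root / name).chmod(0o755)
        before = snapshot(root)
        (root / "su").chmod(0o4755)            # permission bits only
        (root / "login").write_bytes(b"v2")    # same size, new content
        (root / "motd").unlink()
        (root / "extra").write_bytes(b"")      # file not in the baseline
        return compare(before, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as where it is stored, so keep it on read-only or offline media rather than on the host being checked.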
 

Expert Comment

by:obkb
You may want to state what country you are in. Many telesales people don't realize it but Canada counts as domestic for the purposes of the munitions restrictions on greater than 40 bit encryption codes. (Yeah, yeah there's plenty of annexing Canada jokes but remember that this year a US border town petitioned and was granted to be redefined as a Canadian Town rather than a US town on the basis of various fishing right treaties so unbeknownst to most, Canada annexed a small piece of the US this year and without bloodshed except for the fish).

Even so, good security products rarely require encryption since it's usually a matter of detecting intrusion and mitigating the damage, the encryption libraries are usually just to provide a better means of checksumming. Tripwire and a good alternate boot scenario (diskless or off a backup boot disk) is usually good enough for most sites and free stuff like tripwire are easier to run without fancy encryption libraries. Running Crack is a good thing to do but make sure you have a policy about what to do with the users whose passwords you can crack.

The problem I have with kerberos is the presumption of one user per machine. Although this is a good assumption from the point of view of usage patterns by actual users, enforcing it effectively disables most of the convenience of maintaining a large number of machines from a central computer. What I find is that kerberos sites actively disable the ability to rsh, rexec, telnet, ftp, rdist to the workstation, forcing administration to be done at the actual terminal like a PC, and soon all the workstations get out of sync with each other because the administrators take an as-needed approach to everything because they can't take a mass distribution approach. The result being unadministered or loosely administered machines which I feel is worse than not running kerberos. Besides, most wire sniffing concerns that require encryption are going away as we deploy more and more switches instead of hubs.

Conversely, I don't like commercial security apps because security is about identifying and controlling the software on your system, not about adding more without understanding where your security holes may be in the first place. There are some products that are terribly useful but you should play with the basics of identifying how your current access points work and how your logging systems work.

I'm against the as many group entries as users paradigm from a logistics point of view and from a redundant function point of view. People do the multiple group entries because of a poor understanding of how permissions work so they make the groups work like users to simplify their thought processes. This is similar to the old name your NIS domain the same as your FQDN domain nonsense back in the 80's. You'll get more security by reading chapter 2 of "Essential System Administration" and thinking long and hard about how group permissions can benefit you rather than make it difficult to administer and as ridiculous as your passwd file. Remember, take the advice of Linux administrators with a grain of salt, they usually have relatively small installations, and are often already pre-hacked.

There are trade-offs with everything you do for security. Do shadow passwords and you'll need a distribution scenario other than NIS; do NIS+ and you need to create a private public key for each machine for the triple DES encryption; shut down rdist and you need another way of getting configuration changes to everything.

I'm also against consultants unless it's me and at a high rate because it's more important for the administrator who'll be there in the long run to understand his system than it is for a quick housecleaning. One year I got the reputation of a miracle worker because some very expensive supercomputers had their IP addresses hard-wired into the rc.boot file by a consultant such that once a very expensive move from one facility to another was done, they could not boot up to change the IP address because it was trying to do mounts as if they were still on the old subnets even in single user boots (the people doing the move were getting ready to call it a massive loss and send it all back to the other city when I showed them the magic of diskless boots); if you don't know what your consultant is doing then he shouldn't be there, unless of course you're prepared to call the consultant in again which is what the consultant wants.
0
 
LVL 1

Expert Comment

by:rgmisra
obkb: To refute your kerberos arguments, kerberos *does not*
make any assumptions about the number of users per machine.
While sites you are familiar with may have disabled telnet,
rsh, rexec, ftp, etc., this is not required. In fact, kerberos
support for all of these applications is included with the
standard kerberos distributions from MIT and Cygnus. At MIT,
for example, I regularly telnet into a machine that has about 100
other users, and each user has their own kerberos tickets, and
can securely use services without any fear of eavesdropping or
attacks from any of the other users. Also, as a side note, the
standard ssh source includes support for kerberos.

On a switched network, you still have to trust the switch, all
the lines, and all of the machines, because if someone can
compromise one of the machines by obtaining a user's password,
he can potentially compromise all of the machines that that
user can log in to, just by sniffing the local line. So even on
a switched network, you should use encryption.
0
 

Author Comment

by:denmarkw
We are running Solaris 2.5.1 on E3000 & Sparc 4/5s over an Ethernet LAN. We also have
2 NT 4.0 servers and a Novell 3.12 server.
We are implementing a private WAN over our countrywide branch network using our Telephone/Internet service provider.
Our 8 branches have a Sparc4 or 5 running Solaris 2.5.1 on Ethernet LANs.
Our application is client/server. On the server side (Solaris 2.5.1) we have Informix OWS 7.2.UC2 and MicroFocus Cobol 4.0. On the client side we have Win95b and APS generated DLLs.
Our telephone service provider is saying that the PVC will be secure but I don't think that is absolutely true.
We want to protect our clients' data from outsiders, primarily.
We are located in Belize, Central America.
What security & encryption functions can I enable from Solaris, for example Kerberos & DES. I recall trying to set up DES encryption on a Sparc20 a few years ago, but it got messy and I could not access root account again. I had to reinstall the machine.
How can I find out what security & encryption tools are installed or available on the Solaris OS?
I'm having some problems with unix groups: Even with group permissions set, users in the same group cannot overwrite files from other users in the same group. This is needed because the group is for developers who frequently recompile executables, etc.
The only way that a user can overwrite another user's file in the same group is if the permissions are set to 777. I tried setting the umask to 000 but that only results in 666.
It's really weird why the permissions don't appear to be working the way they should.

I also would appreciate some comments or suggestions about this problem.

Thanks in advance for your help!

0
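On the group-permission question above, an added example (not part of the original thread) of the general Unix rules involved: the umask only removes bits from the mode a program requests, usually 0666 for ordinary files, and replacing a file is governed by the directory's permissions rather than the file's. The audit function, its messages and the sample directory are constructed for illustration; it assumes a project directory of mode 2775 owned by the developers' group.

```python
import os
import stat
import tempfile
from pathlib import Path


def mode_created_under(umask, directory):
    """Create a file requesting 0666, as most tools do, and return its mode."""
    previous = os.umask(umask)
    try:
        path = Path(directory) / f"built-with-umask-{umask:03o}"
        os.close(os.open(path, os.O_CREAT | os.O_WRONLY, 0o666))
        return stat.S_IMODE(path.stat().st_mode)
    finally:
        os.umask(previous)


def audit_shared_dir(directory):
    """Return reasons why group members could not rewrite or replace files."""
    top = Path(directory)
    dmode = top.stat().st_mode
    problems = []
    if dmode & 0o030 != 0o030:
        problems.append("directory: group cannot create or delete entries")
    if not dmode & stat.S_ISGID:
        problems.append("directory: no setgid, new files get creator's group")
    if dmode & stat.S_ISVTX:
        problems.append("directory: sticky bit, only owners may delete")
    if dmode & 0o002:
        problems.append("directory: world-writable")
    for entry in sorted(top.iterdir()):
        mode = entry.stat().st_mode
        if not mode & 0o020:
            problems.append(f"{entry.name}: group cannot write in place")
        if mode & 0o002:
            problems.append(f"{entry.name}: world-writable")
    return problems


def demo():
    """Constructed project directory: mode 2775, files made under three umasks."""
    with tempfile.TemporaryDirectory() as project:
        os.chmod(project, 0o2775)
        modes = [mode_created_under(u, project) for u in (0o000, 0o002, 0o022)]
        return [oct(m) for m in modes], audit_shared_dir(project)


if __name__ == "__main__":
    print(demo())
```

Only the file made under umask 002 passes: it is group-writable without being world-writable, which is what a shared developer directory needs in place of mode 777.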
