Solved

Need security products for Solaris...

Posted on 1998-07-09
Last Modified: 2013-12-23
I am looking at a couple security products. But I'll need to
evaluate them first. I downloaded some information on the
Sun Security Manager 4.4 from the Sun internet site.
But when I called Sun Express, they told me that they can't
ship outside the U.S. I know we can purchase the "export controlled"
version, but it means we might have to settle for 40-bit encryption.
They also told me that this product has no evaluation copy.
It's really a family of about 4 products, but they are expensive.

I also found a security product by Entrust Technologies from
Canada, but I need to contact them about an evaluation copy.
What advice can you give me regarding third party security products
for Sun? We want to ensure security on the following network
elements:
DESKTOP, LAN, WAN, Database Application

Thanks in advance for your help!

Denmark W.

Question by:denmarkw
7 Comments
 
LVL 1

Expert Comment

by:albberat
ID: 1582963

Please state the Solaris version and what your primary goal is. You can easily port source code from GNU sites like Sunsite and make it available for Solaris. The first ones I will suggest are the shadow (salt encryptions for passwords), the encryption public key, and secure telnet. Please be specific about DATABASES and LAN. About desktop: what do you need for the desktop? So far the only thing I can think of for the desktop is screensavers like Xoclock with password locking ... please give me an idea ... It all seems very interesting ...

 Good Luck ...
 
0
 

Expert Comment

by:seena
ID: 1582964
Please state the exact thing you require. From your question I am perceiving that you are expecting security products for the LAN, desktop, etc.; your question is still unclear to me. I would appreciate it if that question was escalated more. You can reach me at srini75@hotmail.com.

Regards
Seena
0
 
LVL 1

Expert Comment

by:rgmisra
ID: 1582965
As an MIT student, I may not be very impartial, but I find
Kerberos to be a good security product. It is freely available
outside the US, and uses 56-bit DES encryption. Certain databases
also support it for authentication and encryption.
0

 
LVL 1

Accepted Solution

by:
ksb earned 100 total points
ID: 1582966
By security you mean you want your data to be safe from outsiders getting on the host and trashing it?  You should take these steps:

1) accounts only for those that need them, good passwords on those.  Use "Crack" to check the passwords.

2) every account in its own group, see the Linux justification.

3) Extra groups for Logins to do group work.  Just add them to /etc/group (or on an HP /etc/logingroup).  Make logins for each group with NO password.  The login is a place holder for the home directory for the project.

4) Use a mode sniffer like Tripwire (from Purdue) see <http://www.cs.purdue.edu/faculty/spaf.html> for a list of these, or <ftp://coast.cs.purdue.edu/pub/Purdue/>

5) There is a little known program "instck" that I use to find and repair Vendor problems, see <ftp://ftp.physics.purdue.edu/pub/pundits/>

6) Use things like ssh (the secure shell) to reach in from the Internet or out to other sites.  Avoid sending plain text passwords.

7) Keep up with Vendor patches and SANS style notifications of problems (like Ping-o-death, smurf attack, bind problems...)

8) Upgrade Vendor OS's at least every 2 years (I know that hurts).

9) Be careful with NFS, sendmail, and .rhosts.

10) Don't believe that a free "top 10" list is the complete story.

0
 

Expert Comment

by:obkb
ID: 1582967
You may want to state what country you are in. Many telesales people don't realize it but Canada counts as domestic for the purposes of the munitions restrictions on greater than 40 bit encryption codes. (Yeah, yeah there's plenty of annexing Canada jokes but remember that this year a US border town petitioned and was granted to be redefined as a Canadian Town rather than a US town on the basis of various fishing right treaties so unbeknownst to most, Canada annexed a small piece of the US this year and without bloodshed except for the fish).

Even so, good security products rarely require encryption since it's usually a matter of detecting intrusion and mitigating the damage, the encryption libraries are usually just to provide a better means of checksumming. Tripwire and a good alternate boot scenario (diskless or off a backup boot disk) is usually good enough for most sites and free stuff like tripwire are easier to run without fancy encryption libraries. Running Crack is a good thing to do but make sure you have a policy about what to do with the users whose passwords you can crack.

The problem I have with kerberos is the presumption of one user per machine. Although this is a good assumption from the point of view of usage patterns by actual users, enforcing it effectively disables most of the convenience of maintaining a large number of machines from a central computer. What I find is that kerberos sites actively disable the ability to rsh, rexec, telnet, ftp, rdist to the workstation forcing administration to be done at the actual terminal like a PC and soon all the workstations get out of sync with each other because the administrators take an as-needed approach to everything because they can't take a mass distribution approach. The result being unadministered or loosely administered machines which I feel is worse than not running kerberos. Besides most wire sniffing concerns that require encryption are going away as we deploy more and more switches instead of hubs.

Conversely, I don't like commercial security apps because security is about identifying and controlling the software on your system, not about adding more without understanding where your security holes may be in the first place. There are some products that are terribly useful but you should play with the basics of identifying how your current access points work and how your logging systems work.

I'm against the as many group entries as users paradigm from a logistics point of view and from a redundant function point of view. People do the multiple group entries cause of a poor understanding of how permissions work so they make the groups work like users to simplify their thought processes. This is similar to the old name your NIS domain the same as your FQDN domain nonsense back in the 80's. You'll get more security by reading chapter 2 of "Essential System Administration" and thinking long and hard about how group permissions can benefit you rather than make it difficult to administer and as ridiculous as your passwd file. Remember take the advice of Linux administrators with a grain of salt, they usually have relatively small installations, and are often already pre-hacked.

There are trade-offs with everything you do for security. Do shadow passwords and you'll need a distribution scenario other than NIS; do NIS+ and you need to create a private public key for each machine for the triple DES encryption; shut down rdist and you need another way of getting configuration changes to everything.

I'm also against consultants unless it's me and at a high rate because it's more important for the administrator who'll be there in the long run to understand his system than it is for a quick housecleaning. One year I got the reputation of a miracle worker because some very expensive supercomputers had their IP addresses hard-wired into the rc.boot file by a consultant such that once a very expensive move from one facility to another was done, they could not boot up to change the IP address cause it was trying to do mounts as if they were still on the old subnets even in single user boots (the people doing the move were getting ready to call it a massive loss and send it all back to the other city when I showed them the magic of diskless boots); if you don't know what your consultant is doing then he shouldn't be there, unless of course you're prepared to call the consultant in again which is what the consultant wants.
0
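The kind of check a Tripwire-style tool performs, as recommended in the accepted answer (step 4) and in the comment above, shown as an added example that is not part of the thread and is not Tripwire's own code. It records permission bits, ownership and a SHA-256 digest per file, then reports what differs from the baseline; the function names and the sample tree are constructed for illustration.

```python
import hashlib
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root to (mode bits, uid, gid, sha256 hex)."""
    result = {}
    for path in Path(root).rglob("*"):
        st = path.lstat()
        if not stat.S_ISREG(st.st_mode):
            continue  # directories, symlinks and devices are out of scope here
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        key = str(path.relative_to(root))
        result[key] = (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, digest)
    return result


def compare(baseline, current):
    """Return (path, finding) pairs, sorted by path, for every difference."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append((path, "removed"))
        elif path not in baseline:
            findings.append((path, "added"))
        else:
            old, new = baseline[path], current[path]
            if old[0] != new[0]:
                findings.append((path, "mode %04o -> %04o" % (old[0], new[0])))
            if old[1:3] != new[1:3]:
                findings.append((path, "owner or group changed"))
            if old[3] != new[3]:
                findings.append((path, "content changed"))
    return findings


def demo():
    """Constructed sample tree: baseline it, alter it, report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("login", "su"):
            (root / name).write_bytes(b"original")
            (root / name).chmod(0o755)
        baseline = snapshot(root)  # in practice stored off the host being checked
        (root / "su").chmod(0o4755)                # setuid bit appears
        (root / "login").write_bytes(b"replaced")  # contents swapped
        (root / "extra").write_bytes(b"new")       # unexpected new file
        return compare(baseline, snapshot(root))
```

Running the comparison from a trusted boot environment, as the comment above suggests, keeps a compromised host from falsifying its own report.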
 
LVL 1

Expert Comment

by:rgmisra
ID: 1582968
obkb: To refute your kerberos arguments, kerberos *does not*
make any assumptions about the number of users per machine.
While sites you are familiar with may have disabled telnet,
rsh, rexec, ftp, etc., this is not required. In fact, kerberos
support for all of these applications is included with the
standard kerberos distributions from MIT and Cygnus. At MIT,
for example, I regularly telnet into a machine that has about 100
other users, and each user has their own kerberos tickets, and
can securely use services without any fear of eavesdropping or
attacks from any of the other users. Also, as a side note, the
standard ssh source includes support for kerberos.

On a switched network, you still have to trust the switch, all
the lines, and all of the machines, because if someone can
compromise one of the machines by obtaining a user's password,
he can potentially compromise all of the machines that that
user can log in to, just by sniffing the local line. So even on
a switched network, you should use encryption.
0
 

Author Comment

by:denmarkw
ID: 1582969
We are running Solaris 2.5.1 on E3000 & Sparc 4/5s over an Ethernet LAN. We also have
2 NT 4.0 servers and a Novell 3.12 server.
We are implementing a private WAN over our countrywide branch network using our Telephone/Internet service provider.
Our 8 branches have a Sparc4 or 5 running Solaris 2.5.1 on Ethernet LANs.
Our application is client/server. On the server side (Solaris 2.5.1) we have Informix OWS 7.2.UC2 and MicroFocus Cobol 4.0. On the client side we have Win95b and APS generated DLLs.
Our telephone service provider is saying that the PVC will be secure but I don't think that is absolutely true.
We want to protect our clients' data from outsiders, primarily.
We are located in Belize, Central America.
What security & encryption functions can I enable from Solaris, for example Kerberos & DES? I recall trying to set up DES encryption on a Sparc20 a few years ago, but it got messy and I could not access the root account again. I had to reinstall the machine.
How can I find out what security & encryption tools are installed or available on the Solaris OS?
I'm having some problems with unix groups: Even with group permissions set, users in the same group cannot overwrite files from other users in the same group. This is needed because the group is for developers who frequently recompile executables, etc.
The only way that a user can overwrite another user's file in the same group is if the permissions are set to 777. I tried setting the umask to 000 but that only results in 666.
It's really weird why the permissions don't appear to be working the way they should.

I also would appreciate some comments or suggestions about this problem.

Thanks in advance for your help!

0
