denmarkw

How to make our Solaris network secure....

We have Sun Microsystems running Solaris 2.5.1 over a branch network WAN. We also have Windows NT 4.0 and Novell 3.12. The Solaris servers run our banking system client/server application (the server side of course).
Our clients are running Win95b. Our network is 10/100 ethernet LAN using RJ45 cabling and HP Switches (2400 & 4000).
We are not directly connected to the internet although we have connectivity from our Win95 clients only via our ISP.
Our banking application is TCP/IP based. Our Win95 clients have to be authenticated by each server they need resources from (Solaris via Solstice NFS client, Win NT 4.0, Novell 3.12).
We are located in Central America (Belize).
We are concerned with the security of our Solaris systems.
How can we secure our system without hiring a security expert?
We want to be able to control access to our systems and applications by insiders and outsiders!
I've read about Single Sign On systems or encryption etc.
We need a system that will upgrade the security level to at least C2. What security systems are available readily for Solaris? Is Kerberos secure?
What have been your experiences with security issues on Solaris?

Thanks in advance for your advice!
Knowledge is power, but it is only useful if it is shared!

chris_calabrese

You can bring the security of the Solaris system to C2 by purchasing the trusted version of Solaris (forgot what Sun calls it these days).  But that doesn't mean much unless your applications can cope with it and your applications themselves don't open major holes.

There are also a variety of reasonable authentication/encryption technologies you can apply (kerberos, NDS, X.509, IPsec, etc).  But these won't help unless the applications support them and the machines you're accessing the applications from are secure.

Since the end machines (win95 with Internet connectivity) aren't even close to secure, you're going to need to take a much broader view than just looking at your Solaris box.

In other words, yes, you really need to get some security expertise.  And I'd suggest permanent staff, not a consultant.  Security isn't something you can throw money at one time and never worry about again.
ASKER

Thanks for your response chris. Your advice was rather general but insightful. I like the broader view approach.
However, I need more details about why our applications might not support a security scheme. If the application was not designed with security in mind then it would not support any scheme right?
I believe many TCP/IP based client/server applications are written without security schemes in mind.
How are they secured? Encryption might be a security option then, right?
How does an application support a security scheme?
There must be some strategies that organizations can follow
in the absence of security experts to secure their systems and applications.
I believe that all opinions should be considered, so I would like some additional opinions on this issue.
Some comments from experts who have actually been involved with implementing security schemes might shed more light on this sensitive topic.

Regards,

Denmark W.
I've been working in security (not Solaris specifically) and I agree with chris in that security is a complex matter that needs expertise. You can secure some part of the whole very much but just a little hole somewhere and that's it. But,

It's not true that it's an all-or-nothing matter. You can't afford a permanent security expert. Ok, at least you can do the following:

- Security is a matter of *identifying* potential *targets* and *securing* them.
In other words, you must think what you want to prevent from who.

- One thing you can do is to pay for a one-time project that can put a baseline to your organization and identify the security risks you have.

- Another thing you can do is to buy some software that scans all your operating systems and identifies security holes. If you run this software (which is generally multiplatform) on all your systems, you can assure, at least, that they're correctly configured and that you don't have security holes you can prevent with standard methods.

- Encryption isn't something you can just "put on" over the software you already have. Apart from some exceptions, encryption is something you use at "building time".

- The main purpose of "Single sign-on" is not security, but comfort. The idea is that people don't like to have to type their password more than once. Single sign-on software (at least as I know them) asks the user the password once, and then provides it to whatever system asks for it. But then, if someone can get to that password, he gains access to ALL the information. Of course, it helps security because you can have central definitions, you can force the users to use more sophisticated passwords (since they have to remember only one), etc., etc.

- For commercial software, I can recommend you software from Axent Technologies. I have nothing to do with them, but I've used the software and it proved to be robust. (The software I tried, in particular, was very useful for identifying security holes. It was not a security-administration software.)

I hope this helps. Regards,

I've been head security guru for a couple of different companies, so I guess I'll consider myself qualified to answer the technical aspects of this question too....

Before you even worry about the applications, you need to make sure the Solaris box is immune to outside attack.  Harden it with the information at http://www.sabernet.net/papers/ or use my "harden" package (which I can send you via e-mail).  Find out if anyone's breached the security with tripwire (www.tripwiresecurity.com).  Test the security with tools such as Network Security Scanner and Security Scanner for Servers from ISS (www.iss.com).

As for the security of the application itself...

First, you need some assurance that it does what it's supposed to and doesn't allow people to gain elevated privileges through things like buffer overflows and programs that are setuid and shouldn't be.

Next, you need to make sure it does strong authentication.  Since your network has some back-door Internet connections, you'll have to assume the network itself is untrusted, so strong authentication consists of public-key crypto authentication (X.509/PKI, SSH, kerberos in public-key mode), one-time-passwords (S/Key, SecurID), or regular passwords sent in an encrypted stream (SSH, Stel, SSL).

If the data being transmitted to the client is sensitive, then the data stream should also be encrypted (SSH, SSL, Stel).

Finally, since the client stations are extremely insecure (as they're 95/98 and have Internet connections), sensitive data should never be stored on them.  This includes crypto-keys that don't require a pass-phrase to "unlock" them.

You're still going to need someone who understands this stuff to deal with the application developers/vendors, set everything up, etc.  When this person is done they will be your in-house security expert, whether they were when they started or not.
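As an added example (not code from this thread, and not chris_calabrese's "harden" package or Tripwire itself), here is a small POSIX sh audit that ties the two points above together: it inventories setuid/setgid binaries with checksums and modes, so a later run shows whether any privileged program appeared, vanished or changed. It assumes only the standard Solaris tools (find, cksum, ls, sort, cmp, diff); the baseline path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Constructed example: setuid/setgid inventory with checksums, re-checked
# against a saved baseline. Keep the baseline off the box or on read-only
# media; a baseline an intruder can rewrite proves nothing.

# suid_snapshot DIR: one line per setuid/setgid regular file under DIR,
# formatted "crc size path mode", sorted by path.
suid_snapshot() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    sort |
    while read -r f; do
        sum=$(cksum < "$f")                     # "crc size", no filename
        mode=$(ls -ld "$f" | cut -d' ' -f1)     # e.g. -rwsr-xr-x
        echo "$sum $f $mode"
    done
}

# suid_baseline DIR FILE: record the current snapshot as the trusted baseline.
suid_baseline() {
    suid_snapshot "$1" > "$2"
}

# suid_check DIR FILE: compare the live snapshot with the baseline.
# Returns 0 when identical; otherwise prints each differing entry and returns 1.
suid_check() {
    tmp="${TMPDIR:-/tmp}/suid_check.$$"
    suid_snapshot "$1" > "$tmp"
    if cmp -s "$2" "$tmp"; then
        rm -f "$tmp"
        return 0
    fi
    # "<" lines exist only in the baseline (removed or altered binary),
    # ">" lines only on the live system (added or altered binary).
    diff "$2" "$tmp" | grep '^[<>]' |
        sed 's/^< /GONE or CHANGED: /; s/^> /NEW or CHANGED:  /'
    rm -f "$tmp"
    return 1
}

# Typical use on the real box (placeholder paths):
#   suid_baseline / /floppy/suid.baseline    # once, right after hardening
#   suid_check / /floppy/suid.baseline       # from cron, mail the output
```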
Thanks for the lesson in network/application security awareness. I am the Systems Administrator, so I will be the person who ensures that security is implemented on our network. Our IS department is not big. There are only four of us.
Our Win95/98 clients have dial-up access to the internet.
What can be done to minimize security risks from that security hole?
ASKER CERTIFIED SOLUTION
chris_calabrese

I'm currently reading RFC 1244 Site Security Handbook, which I downloaded from the Internet.
Do you know any sites that focus on network & application security practices and implementations?
Hi Chris,

You appear to have some experience in this area.
Would you mind sharing some of your security monitoring
utilities (shell scripts, etc) that you use at your sites?
I know I need to strengthen my system monitoring strategy.
But I could use your tools to help me improve my skills.

Thanks in advance!

Denmark Weatherburn
dweatherb@btl.net


Most of the tools I've written are owned by the companies I've written them for and are not available to the outside.  The exception to this is a bunch of stuff I wrote for Novell, which allowed me to release them.

You can find the UnixWare versions of 'harden' and 'paranoid-ftpd' on www.freebird.org.  You'll also find UnixWare and Solaris versions of 'router_config' there.  I've also got a Solaris version of harden, but it's getting out of date and you're just as well off following the instructions at http://www.sabernet.net/papers/.

I've also used the following 3rd party software:
  ISS Network Scanner
  ISS System Scanner
  Axent Enterprise Security Manager
  Tripwire (www.tripwiresecurity.com)
  COPS
  Crack