• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 348
  • Last Modified:

How to make our Solaris network secure....

We have Sun Microsystems running Solaris 2.5.1. over a branch network WAN. We also have Windows NT 4.0 and Novell 3.12. The Solaris servers run our banking system client/server application (the server side of course).
Our clients are running Win95b. Our network is 10/100 ethernet LAN using RJ45 cabling and HP Switches
(2400 & 4000).
We are not directly connected to the internet although we have connectivity from our Win95 clients only via our ISP.
Our banking application is TCP/IP based. Our Win95 clients have to be authenticated by each server they need resources from (Solaris via Solstice NFS client, Win NT 4.0, Novell 3.12).
We are located in Central America (Belize).
We are concerned with the security of our Solaris systems.
How can we secure our system wihout hiring a security expert?
We want to be able to control access to our systems and applications by insiders and outsiders!
I've read about Single Sign On systems or encryption etc.
We need a system that will upgrade the security level to at least C2. What security systems are available readily for Solaris? Is Kerberos secure?
What have been your experiences with security issues on Solaris?

Thanks in advance for your advice!
Knowledge is power, but it is only useful if it is shared!

  • 5
  • 4
1 Solution
You can bring the security of the Solaris system to C2 by purchasing the trusted version of Solaris (forgot what Sun calls it these days).  But that doesn't mean much unless your applications can cope with it and your applications themselves don't open major holes.

There are also a variety of reasonable authentication/encryption technologies you can apply (kerberos, NDS, X.509, IPsec, etc).  But these won't help unless the applications support them and the machines you're accessing the applications from are secure.

Since the end machines (win95 with Internet connectivity) aren't even close to secure, you're going to need to take a much broader view than just looking at your Solaris box.

In other words, yes, you really need to get some security expertise.  And I'd suggest permenant staff, not a consultant.  Security isn't something you can throw money at one time and never worry about again.
denmarkwAuthor Commented:
Thanks for your response chris. Your advice was rather general but insightful. I like the broader view approach.
However, I need more details about why our applications might not support a security scheme. If the application was not designed with security in mind then it would not support any scheme right?
I believe many TCP/IP based client/server applications are written without security schemes in mind.
How are they secured? Encryption might be a security option then, right?
How does an application support a security scheme?
There must be some strategies that organizations can follow
in the absence of security experts to secure their systems and applications.
I believe that all opinions should be considered, so I would like some additional opinions on this issue.
Some comments from experts who have actually been involved with implementing security schemes might shed more light on this sensitive topic.


Denmark W.
I 've been working in security (not Solaris specifically) and I agree with chris in that security is a complex matter that need expertise. You can secure some part of the whole very much but just a little hole somewhere and that 's it. But,

It 's not true that it an all-or-nothing matter. You can 't afford a permanent security expert. Ok, at least you can do the following:

- Security is a matter of *identifying* potencially *targets* and *securing* them.
In other words, you must think what you want to prevent from who.

- One thing you can do is to pay for a one-time proyect that can put a baseline to your organization and identify the security risks you have.

- Other thing you can do is to buy some software that scans all your operating systems and identify security holes. If you run this software (that generally are multiplatform) on all your systems, you can assure, at least, that they 're correctly configured and that you don 't have security holes you can prevent with standard methods.

- Encryption isn 't something you can 't just "put on" over the software you already have. Apart from some exceptions, encryption is something you use at "building time".

- The main purpose of "Single sing-on" is not security, but comfort. The idea is that people don 't like to have to type their password more than once. Single sing-on software (at least as I know them) ask the user the password once, and then they provide it to whatever system asks for it. But then, is someone can make it to that password, he gains access to ALL the information. Of course, it helps to security because you can have central definitions, you can force the users to use more sophisticated passwords (since they have to remember only one), etc., etc.

- For commercial software, I can recommend you software from Axent Technologies. I have nothing to do with them, but I 've used the software and it proved to be robust. (The software I tried, in particular, was very usefull for identifying security holes. It was not a security-administration soft ).

I hope this helps. Regards,

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

I've been head security guru for a couple of different companies, so I guess I'll consider myself qualified to answer the technical aspects of this question too....

Before you even worry about the applications, you need to make sure the Solaris box is immune to outside attack.  Harden it with the information at http://www.sabernet.net/papers/ or use my "harden" package (which I can send you via e-mail).  Find out if anyone's breached the security with tripwire (www.tripwiresecurity.com).  Test the security with tools such as Network Security Scanner and Security Scanner for Servers from ISS (www.iss.com).

As for the security of the application itself...

First, you need some asurance that it does what it's supposed to and doesn't allow people to gain elevated priveleges through things like buffer overflows and programs that are setuid and shouldn't be.

Next, you need to make sure it does strong authentication.  Since your network has some back-door Internet connections, you'll have to assume the network itself is untrusted, so strong authentication consists of public-key crypto authentication (X.509/PKI, SSH, kerberos in public-key mode), one-time-passwords (S/Key, SecurID), or regular passwords sent in an encrypted stream (SSH, Stel, SSL).

If the data being transmitted to the client is sensitive, then the data stream should also be encrypted (SSH, SSL, Stel).

Finally, since the client stations are extremely insecure (as they're 95/98 and have Internet connections), sensitive data should never be stored on the them.  This includes crypto-keys that don't require a pass-phrase to "unlock" them.

You're still going to need someone who understands this stuff to deal with the application developers/vendors, set everything up, etc.  When this person is done they will be your in-house security expert, whether they were when they started or not.
denmarkwAuthor Commented:
Thanks for the lesson in network/application security awareness. I am the Systems Administrator, so I will be the person who ensures that security is implemented on our network. Our IS department is not big. There are only four of us.
Our Win95/98 clients have dial-up access to the internet.
What can be done to minimize security risks from that security hole?
Since it is trivial for someone to steal data off these machines or plant trojans on these machines when they're connected to the internet, you need to do the following both by policy and technology (make sure the CEO signs off on the policy):
  1.  PC's must run anti-virus software (this is true even if they're not directly connected to the 'net).
  2.  PC's with non-firewalled Internet connectivity must not store company proprietary or confidential data.  This includes any financial data, any business plans, any personnel/HR data, and any customer data.  The Solaris applications should enforce this by not allowing the download of data into spreadsheets, etc.

Since #2 makes people's machines pretty much useless for real work, I suggest a few machines dedicated to web-browsing off in their own room.  This is an inexpensive and very secure solution.  Of course, you still probably want the wide-spread use of anti-virus software since people will be carrying floppies with downloads on them to their PC's.

As a longer term solution, I suggest getting a firewalled corporate Internet link, which will allow the desktop machines to connect to the net securely.  Even with this, you'll still want the anti-virus setup, though.

BTW, I don't know what laws are like in Belize, but any bank setup the way you've described would be dealt with pretty severely (maybe even have the doors shut) by the Securities Exchange Comission in the US.

Congradulations, you are now the company security expert.
denmarkwAuthor Commented:
I'm currently reading RFC 1244 Site Security Handbook, which I downloaded from the Internet.
Do you know any sites that focus on network & application security practices and implementations?
denmarkwAuthor Commented:
Hi Chris,

You appear to have some experience in this area.
Would you mind sharing some of your security monitoring
utilities (shell scripts, etc) that you use at your sites?
I know I need to strenghten my system montitoring strategy.
But I could use your tools to help me improve my skills.

Thanks in advance!

Denmark Weatherburn

Most of the tools I've written are owned by the companies I've written them for and are not available to the outside.  The exception to this is a bunch of stuff I wrote for Novell, which allowed me to release them.

You can find the UnixWare versions of 'harden' and 'paranoid-ftpd' on www.freebird.org.  You'll also find UnixWare and Solaris versions of 'router_config' there.  I've also got a Solaris version of harden, but it's getting out of date and you're just as well off following the instructions at http://www.sabernet.net/papers/.

I've also used the following 3rd party software:
  ISS Network Scanner
  ISS System Scanner
  Axent Enterprise Security Manager
  Tripwire (www.tripwiresecurity.com)
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

  • 5
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now