How to make our Solaris network secure....

Posted on 1999-07-27
Last Modified: 2013-12-21
We have Sun Microsystems running Solaris 2.5.1. over a branch network WAN. We also have Windows NT 4.0 and Novell 3.12. The Solaris servers run our banking system client/server application (the server side of course).
Our clients are running Win95b. Our network is 10/100 ethernet LAN using RJ45 cabling and HP Switches (2400 & 4000).
We are not directly connected to the internet although we have connectivity from our Win95 clients only via our ISP.
Our banking application is TCP/IP based. Our Win95 clients have to be authenticated by each server they need resources from (Solaris via Solstice NFS client, Win NT 4.0, Novell 3.12).
We are located in Central America (Belize).
We are concerned with the security of our Solaris systems.
How can we secure our system without hiring a security expert?
We want to be able to control access to our systems and applications by insiders and outsiders!
I've read about Single Sign On systems or encryption etc.
We need a system that will upgrade the security level to at least C2. What security systems are available readily for Solaris? Is Kerberos secure?
What have been your experiences with security issues on Solaris?

Thanks in advance for your advice!
Knowledge is power, but it is only useful if it is shared!

Question by:denmarkw

Expert Comment

by:chris_calabrese
ID: 2011684
You can bring the security of the Solaris system to C2 by purchasing the trusted version of Solaris (forgot what Sun calls it these days).  But that doesn't mean much unless your applications can cope with it and your applications themselves don't open major holes.

There are also a variety of reasonable authentication/encryption technologies you can apply (kerberos, NDS, X.509, IPsec, etc).  But these won't help unless the applications support them and the machines you're accessing the applications from are secure.

Since the end machines (win95 with Internet connectivity) aren't even close to secure, you're going to need to take a much broader view than just looking at your Solaris box.

In other words, yes, you really need to get some security expertise.  And I'd suggest permanent staff, not a consultant.  Security isn't something you can throw money at one time and never worry about again.

Author Comment

by:denmarkw
ID: 2011685
Thanks for your response chris. Your advice was rather general but insightful. I like the broader view approach.
However, I need more details about why our applications might not support a security scheme. If the application was not designed with security in mind then it would not support any scheme right?
I believe many TCP/IP based client/server applications are written without security schemes in mind.
How are they secured? Encryption might be a security option then, right?
How does an application support a security scheme?
There must be some strategies that organizations can follow
in the absence of security experts to secure their systems and applications.
I believe that all opinions should be considered, so I would like some additional opinions on this issue.
Some comments from experts who have actually been involved with implementing security schemes might shed more light on this sensitive topic.

Regards,

Denmark W.

Expert Comment

by:marpon
ID: 2011686
I've been working in security (not Solaris specifically) and I agree with chris in that security is a complex matter that needs expertise. You can secure some part of the whole very much but just a little hole somewhere and that's it. But,

It's not true that it's an all-or-nothing matter. You can't afford a permanent security expert. Ok, at least you can do the following:

- Security is a matter of *identifying* potential *targets* and *securing* them.
In other words, you must think what you want to prevent from whom.

- One thing you can do is to pay for a one-time project that can put a baseline to your organization and identify the security risks you have.

- Another thing you can do is to buy some software that scans all your operating systems and identifies security holes. If you run this software (which is generally multiplatform) on all your systems, you can assure, at least, that they're correctly configured and that you don't have security holes you can prevent with standard methods.

- Encryption isn't something you can just "put on" over the software you already have. Apart from some exceptions, encryption is something you use at "building time".

- The main purpose of "Single sign-on" is not security, but comfort. The idea is that people don't like to have to type their password more than once. Single sign-on software (at least as I know them) asks the user the password once, and then provides it to whatever system asks for it. But then, if someone can make it to that password, he gains access to ALL the information. Of course, it helps security because you can have central definitions, you can force the users to use more sophisticated passwords (since they have to remember only one), etc., etc.

- For commercial software, I can recommend you software from Axent Technologies. I have nothing to do with them, but I've used the software and it proved to be robust. (The software I tried, in particular, was very useful for identifying security holes. It was not a security-administration software.)

I hope this helps. Regards,


Expert Comment

by:chris_calabrese
ID: 2011687
I've been head security guru for a couple of different companies, so I guess I'll consider myself qualified to answer the technical aspects of this question too....

Before you even worry about the applications, you need to make sure the Solaris box is immune to outside attack.  Harden it with the information at http://www.sabernet.net/papers/ or use my "harden" package (which I can send you via e-mail).  Find out if anyone's breached the security with tripwire (www.tripwiresecurity.com).  Test the security with tools such as Network Security Scanner and Security Scanner for Servers from ISS (www.iss.com).

As for the security of the application itself...

First, you need some assurance that it does what it's supposed to and doesn't allow people to gain elevated privileges through things like buffer overflows and programs that are setuid and shouldn't be.

Next, you need to make sure it does strong authentication.  Since your network has some back-door Internet connections, you'll have to assume the network itself is untrusted, so strong authentication consists of public-key crypto authentication (X.509/PKI, SSH, kerberos in public-key mode), one-time-passwords (S/Key, SecurID), or regular passwords sent in an encrypted stream (SSH, Stel, SSL).

If the data being transmitted to the client is sensitive, then the data stream should also be encrypted (SSH, SSL, Stel).

Finally, since the client stations are extremely insecure (as they're 95/98 and have Internet connections), sensitive data should never be stored on them.  This includes crypto-keys that don't require a pass-phrase to "unlock" them.

You're still going to need someone who understands this stuff to deal with the application developers/vendors, set everything up, etc.  When this person is done they will be your in-house security expert, whether they were when they started or not.
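An added example, not code from this thread or from any of the tools it names: a small tripwire-style integrity baseline in POSIX shell that records a content hash plus the permission string of every regular file under a directory, so both edited files and a newly set setuid bit (the two things the comment above says to look for) show up as CHANGED. It assumes sha256sum or shasum is on the PATH (falling back to cksum), and that the baseline file is kept somewhere the monitored host cannot alter.

```shell
#!/bin/sh
# Tripwire-style integrity baseline for a directory tree (constructed example).
# For every regular file it records the permission string (so a newly set
# setuid bit is caught) and a content hash, then reports ADDED / REMOVED /
# CHANGED files against the stored record.

hash_file() {
    # Prefer SHA-256; fall back to cksum (CRC) on systems without a SHA tool.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# snapshot DIR: one line per file, "path<TAB>mode<TAB>hash", sorted by path
snapshot() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        mode=$(ls -ld "$f" | cut -c1-10)   # e.g. -rwsr-xr-x; 's' in column 4 = setuid
        printf '%s\t%s\t%s\n' "$f" "$mode" "$(hash_file "$f")"
    done
}

# make_baseline DIR BASEFILE: store the trusted snapshot (keep it off the host)
make_baseline() {
    snapshot "$1" > "$2"
}

# check_baseline DIR BASEFILE: print one line per difference; exit 1 if any
check_baseline() {
    snapshot "$1" | awk -F'\t' -v base="$2" '
        BEGIN {
            while ((getline line < base) > 0) {
                split(line, a, "\t"); seen[a[1]] = 0; old[a[1]] = a[2] "\t" a[3]
            }
            close(base)
        }
        !($1 in old) { print "ADDED   " $1; diff++; next }
        {
            seen[$1] = 1
            if (old[$1] != ($2 "\t" $3)) { print "CHANGED " $1; diff++ }
        }
        END {
            for (p in seen) if (!seen[p]) { print "REMOVED " p; diff++ }
            exit (diff > 0)
        }'
}
```

Run `make_baseline /usr/sbin /floppy/usr_sbin.base` once on a known-good system and `check_baseline` from cron afterwards; a non-zero exit means something under the tree differs from the record.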

Author Comment

by:denmarkw
ID: 2011688
Thanks for the lesson in network/application security awareness. I am the Systems Administrator, so I will be the person who ensures that security is implemented on our network. Our IS department is not big. There are only four of us.
Our Win95/98 clients have dial-up access to the internet.
What can be done to minimize security risks from that security hole?

Accepted Solution

by:chris_calabrese (earned 600 total points)
ID: 2011689
Since it is trivial for someone to steal data off these machines or plant trojans on these machines when they're connected to the internet, you need to do the following both by policy and technology (make sure the CEO signs off on the policy):
  1.  PC's must run anti-virus software (this is true even if they're not directly connected to the 'net).
  2.  PC's with non-firewalled Internet connectivity must not store company proprietary or confidential data.  This includes any financial data, any business plans, any personnel/HR data, and any customer data.  The Solaris applications should enforce this by not allowing the download of data into spreadsheets, etc.

Since #2 makes people's machines pretty much useless for real work, I suggest a few machines dedicated to web-browsing off in their own room.  This is an inexpensive and very secure solution.  Of course, you still probably want the wide-spread use of anti-virus software since people will be carrying floppies with downloads on them to their PC's.

As a longer term solution, I suggest getting a firewalled corporate Internet link, which will allow the desktop machines to connect to the net securely.  Even with this, you'll still want the anti-virus setup, though.

BTW, I don't know what laws are like in Belize, but any bank setup the way you've described would be dealt with pretty severely (maybe even have the doors shut) by the Securities Exchange Commission in the US.

Congratulations, you are now the company security expert.

Author Comment

by:denmarkw
ID: 2011690
I'm currently reading RFC 1244 Site Security Handbook, which I downloaded from the Internet.
Do you know any sites that focus on network & application security practices and implementations?

Author Comment

by:denmarkw
ID: 2011692
Hi Chris,

You appear to have some experience in this area.
Would you mind sharing some of your security monitoring
utilities (shell scripts, etc) that you use at your sites?
I know I need to strengthen my system monitoring strategy.
But I could use your tools to help me improve my skills.

Thanks in advance!

Denmark Weatherburn
dweatherb@btl.net



Expert Comment

by:chris_calabrese
ID: 2011693
Most of the tools I've written are owned by the companies I've written them for and are not available to the outside.  The exception to this is a bunch of stuff I wrote for Novell, which allowed me to release them.

You can find the UnixWare versions of 'harden' and 'paranoid-ftpd' on www.freebird.org.  You'll also find UnixWare and Solaris versions of 'router_config' there.  I've also got a Solaris version of harden, but it's getting out of date and you're just as well off following the instructions at http://www.sabernet.net/papers/.

I've also used the following 3rd party software:
  ISS Network Scanner
  ISS System Scanner
  Axent Enterprise Security Manager
  Tripwire (www.tripwiresecurity.com)
  COPS
  Crack