

Battening Down Your Unix Hosts
June 14, 1999
By Peter Morrissey
Looking for absolute assurance that your computers won't be victimized by an Internet attack? Disconnect them. Short of that, your best bet might be a properly configured firewall. But as soon as you open access to services on one of your hosts, you create vulnerabilities. In this workshop, we tell you how to tighten security on a Unix host--the most likely location for Internet service offerings--and identify the best tools for the job.
Location, Location
Proper placement of your network's hosts is security-critical. For starters, you can configure a firewall to permit only traffic that responds to a connection initiated from inside--this delivers a high degree of protection and suits users who simply want to surf the Web. As soon as you provide your own services, however, you create an access path that lets hackers probe for vulnerabilities on your host. If a host residing on your internal network becomes compromised, it can undermine your firewall and open the possibility of attacks on other internal hosts.
To avoid this, consider placing the host in a DMZ (demilitarized zone), such as a network between your external router (which provides filtering) and the firewall. Alternatively, a DMZ can be a separate interface off your firewall that protects the host, but also contains an isolated network in case it is compromised (see "Isolating Your Network Hosts" above).
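The placement policy just described, as an added toy model that is not part of the original article: a minimal stateful filter over constructed packets, with assumed sample addresses, showing that internally initiated flows and their replies pass, that a published DMZ service is the one place new inbound connections are accepted, and that the DMZ host cannot open connections into the internal network.

```python
"""Toy stateful packet filter for the three-zone layout described above.
Constructed example (not from the article): internally initiated flows and
their replies pass, only one published DMZ service accepts new inbound
connections, and the DMZ host may not open connections into the internal net."""
from dataclasses import dataclass

# Assumed sample addresses (documentation ranges); anything unlisted is external.
ZONE = {"198.51.100.10": "dmz", "10.0.0.5": "internal"}
PUBLISHED = {("198.51.100.10", 80)}  # the one service the DMZ host offers

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only for the first packet of a TCP connection

class StatefulFilter:
    def __init__(self):
        self.sessions = set()  # (src, sport, dst, dport) of admitted flows

    def decide(self, p):
        flow = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if flow in self.sessions or reverse in self.sessions:
            return "allow"  # part of a flow admitted earlier, e.g. a reply
        if not p.syn:
            return "deny"  # unsolicited mid-stream packet: no matching state
        if ZONE.get(p.src, "external") == "internal":
            self.sessions.add(flow)  # user-initiated; its replies now match
            return "allow"
        if (p.dst, p.dport) in PUBLISHED:
            self.sessions.add(flow)  # exposed by design: this is the attack surface
            return "allow"
        return "deny"  # covers external->internal and dmz->internal alike

def run_scenario():
    """Replay a constructed packet sequence; returns one verdict per packet."""
    fw = StatefulFilter()
    packets = [
        Packet("10.0.0.5", 40000, "203.0.113.7", 80, syn=True),      # surf the Web
        Packet("203.0.113.7", 80, "10.0.0.5", 40000),                 # the reply
        Packet("203.0.113.9", 51000, "198.51.100.10", 80, syn=True),  # published svc
        Packet("203.0.113.9", 51001, "198.51.100.10", 22, syn=True),  # not published
        Packet("198.51.100.10", 44000, "10.0.0.5", 445, syn=True),    # DMZ isolation
        Packet("203.0.113.9", 51002, "10.0.0.5", 80, syn=True),       # straight inside
        Packet("203.0.113.9", 51003, "10.0.0.5", 80),                 # no state
    ]
    return [fw.decide(p) for p in packets]
```

The fifth verdict is the isolation property the text asks for: even a compromised DMZ host gets no new path into the internal network.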
Keep in mind that any commercial OS, including Unix, will include default settings that are not optimized for security. While it may be tricky to lock them all down, success will make it easier to keep abreast of new OS releases. If you're new to OS administration, don't expose the OS to the Internet until you're confident of your level of protection. If you can choose the OS for a specific application, give some thought to in-house expertise regarding the OS's security.
Vendors address newly discovered vulnerabilities by continuously issuing patches. Naturally, you'll want to ensure that any OS you install contains the latest patches for that particular version. But don't stop there; as new vulnerabilities arise, it's important to promptly investigate them (www.l0pht.com and www.rootshell.com are helpful sources). In addition, the Computer Emergency Response Team Coordination Center (CERT) has a mailing list, but will only disclose pertinent information after a patch or fix is available. Its Web site (www.cert.org) includes a comprehensive archive of identified vulnerabilities. And Network Computing will soon offer its own security alerting service, Network Computing Security Express. You can register for it at www.networkcomputing.com/express/.