Network Computing, powered by InformationWeek Business Technology Network

COLUMN

Headline: Unix Security: It Doesn't Have To Be So Insecure

August 23, 1999
By Robert J. Kohlhepp

Why does the word Unix strike fear into the minds of the security-conscious everywhere? Lab Director Rob Kohlhepp emphasizes the need for quick installations of solid, secure Unix systems in his latest Online Column.

Unix is probably the most prolific server in use on the Internet for e-mail, Web and other services. So why does the word Unix strike fear into the minds of the security-conscious everywhere? Why do most immediately think "security hole" when they think of Unix? Because the comprehensive IP-related services Unix offers are also the source of its bad reputation.

My Unix servers are stable and flexible. I set them up and they run forever, unless someone mucks with them. However, because of them, I must read security bulletins, download, patch and reboot, and fret about break-ins. Unfortunately, the only way to avoid this is to use a server OS that has no (or very few) native IP services, such as MacOS or NetWare (pre-NetWare 5).

Not only does Unix security seem unattainable, so does Unix installation to a general audience. Many vendors have started to address this, but we are a long way from a quick installation of a solid, secure Unix system. Installing a Unix server in your environment doesn't have to be difficult. Vendors have just been slow to implement a simple install and configure process. Maybe that's why they have flourishing integration teams.

Most Unix systems implemented for Internet-accessible services need very few of the packages that are installed by default. For our server, we simply commented out almost every single line in the /etc/inetd.conf file. Why doesn't this happen by default? I would rather enable what I need (after researching the security risk) than disable after the fact.

Recently, I installed an Apple Mac OS X server and found that Apple has made a few steps toward closing default holes. During installation, the configuration program asked me if I wanted to enable remote logins. When I selected "no," my server installed without the remote services (telnet, rlogin, rexec and rsh, for example). This probably eliminated 90 percent of the vulnerabilities of my server.

However, there were still many other unnecessary services left running. So, Apple didn't go far enough.

By contrast, my recent installation of Solaris 2.6 didn't ask me a single question regarding possible security. It installed every single service known to mankind. I should have been prompted for each and every service--with an adequate description of each. This would give me the information needed to determine the risks associated with each service.

Now, I am no Unix novice. I understand most of the services that are running on my Unix machines. However, sifting through the /etc/inetd.conf file and figuring out what each entry means is somewhat time-consuming. Am I supposed to know that "rpc.cmsd" is related to Solaris' calendar program? How about this entry for clarity:

# Sun Font Server
#
fs            stream tcp   wait nobody  /usr/openwin/lib/fs.auto      fs

Does every Solaris administrator know what a font server is? Does everyone have X terminals or other dependent machines? Does that need to be enabled by default? I think not. In a perfect world, the install script would have prompted me, and I would have been able to pre-empt the extensive research. Ideally, I would see:

Would you like to enable the font server? This allows remote (usually diskless) clients, such as X terminals, to load fonts from this machine. (default "no") ->
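As an added example (not part of the original column), the shell function below does the sifting described above: it lists every entry still enabled in an inetd.conf-style file, notes whether it is launched through the tcpd TCP wrapper, and flags the inetd service names behind telnet, rlogin, rexec and rsh. The sample file and the function names are constructed for illustration.

```shell
#!/bin/sh
# audit_inetd [FILE]: list every entry that is still enabled (not commented
# out) in an inetd.conf-style file, one line per service:
#   <service> <proto> <user> <program> <wrapped|unwrapped> [remote-login]
# Reads standard input when no FILE is given.
audit_inetd() {
    awk '
        $1 ~ /^#/ || NF < 6 { next }        # skip comments, blank and short lines
        {
            prog = $6
            # Under TCP wrappers, field 6 is tcpd and field 7 names the real daemon.
            if (prog == "tcpd" || prog ~ /\/tcpd$/) { state = "wrapped"; prog = $7 }
            else                                    { state = "unwrapped" }
            # inetd service names used for telnet, rlogin, rexec and rsh.
            flag = ($1 ~ /^(telnet|login|exec|shell)$/) ? " remote-login" : ""
            print $1, $3, $5, prog, state flag
        }
    ' "${1:--}"
}

# Constructed sample input, not taken from a real host.
sample_inetd_conf() {
cat <<'EOF'
# Sun Font Server
fs      stream tcp   wait   nobody /usr/openwin/lib/fs.auto fs
telnet  stream tcp   nowait root   /usr/sbin/tcpd in.telnetd
shell   stream tcp   nowait root   /usr/sbin/in.rshd in.rshd
#login  stream tcp   nowait root   /usr/sbin/in.rlogind in.rlogind
100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
EOF
}

sample_inetd_conf | audit_inetd
```

Run against the real file with `audit_inetd /etc/inetd.conf`; anything it prints is a service inetd will still start on demand.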

Linux distributions, such as Red Hat 6, install most inetd services with a TCP wrapper. This lets you implement some control over which hosts and networks are allowed to access those services. But, again, by default the TCP wrapper is only configured to log connections, not restrict them. So you will have to dig into the manual pages on /etc/hosts.allow and set up the proper rights yourself.
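Added example, not from the original column: a simplified shell model of the hosts.allow/hosts.deny lookup order, showing why empty files leave the wrapper logging without restricting and what a default-deny pair changes. Only ALL, exact addresses and dotted prefixes are handled; the function names, file names and addresses are constructed.

```shell
#!/bin/sh
# Simplified model of hosts_access(5) matching: a rule is "daemons : clients";
# supported patterns are ALL, an exact address, or a prefix ending in ".".
tcpd_match() {   # tcpd_match FILE DAEMON ADDR -> exit 0 if some rule matches
    [ -f "$1" ] || return 1      # a missing file behaves like an empty one
    awk -F: -v d="$2" -v a="$3" '
        $1 ~ /^[ \t]*#/ || NF < 2 { next }
        {
            nd = split($1, dl, /[ \t,]+/); nc = split($2, cl, /[ \t,]+/)
            dok = 0; cok = 0
            for (i = 1; i <= nd; i++)
                if (dl[i] == "ALL" || dl[i] == d) dok = 1
            for (i = 1; i <= nc; i++) {
                p = cl[i]
                if (p == "") continue
                if (p == "ALL" || p == a || (p ~ /\.$/ && index(a, p) == 1)) cok = 1
            }
            if (dok && cok) { found = 1; exit }
        }
        END { exit !found }
    ' "$1"
}

# hosts.allow is consulted first, then hosts.deny; no match anywhere = allow.
tcpd_decision() {   # tcpd_decision DAEMON ADDR ALLOW_FILE DENY_FILE
    if   tcpd_match "$3" "$1" "$2"; then echo allow
    elif tcpd_match "$4" "$1" "$2"; then echo deny
    else echo allow
    fi
}

# Constructed sample policies (private and documentation address ranges).
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
: > "$tmp/allow.default"; : > "$tmp/deny.default"     # empty files: log only
printf 'in.telnetd: 192.168.10.\n' > "$tmp/allow.strict"
printf 'ALL: ALL\n'                > "$tmp/deny.strict"

for ip in 192.168.10.7 203.0.113.9; do
    echo "default $ip: $(tcpd_decision in.telnetd "$ip" "$tmp/allow.default" "$tmp/deny.default")"
    echo "strict  $ip: $(tcpd_decision in.telnetd "$ip" "$tmp/allow.strict" "$tmp/deny.strict")"
done
```

With the empty pair every client is allowed; with `ALL: ALL` in hosts.deny only the clients named in hosts.allow get through.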

For the time being, Unix security is relegated to those who want to revolve their life around security bulletins and patches, not to mention putting up with some downtime and rebooting to activate some of the patches. Network Computing's Security Express newsletter can help. This weekly e-mail newsletter delivers practical security solutions. Subscribers to Security Express receive security alerts, product updates and software patches, as well as instructions on how to counter threats. Learn more about this service and/or sign up at http://www.networkcomputing.com/express/

For the record, other platforms are implementing more IP-related services as well. This is evident from the increasing number of exploits on Windows NT and NetWare servers.

Send your comments on this column to Rob Kohlhepp at rkohlhepp@nwc.com.



 





Copyright © 2009 United Business Media LLC