Security comparisons Linux (Unix)-NT?
angelos at unix.gr
Thu Nov 25 17:53:03 EET 1999
Georgios Sakalis <sakalis at ceid.upatras.gr> wrote:
> If it's no trouble for you, send it to me
I assume you are replying to me, and I am enclosing the text
==============================================================================
Computer Security White Paper

How safe is it out there

So you want to go on the internet, you want to do business on the web,
and online financial transactions with your bank. You want to go
online! You are opening your door to the cybernetic world and you
anxiously await the returns. The internet and the web are new
frontiers, new markets to be tapped, but beware, there be tigers
out there.

Past the metaphor, what is not obvious to all the business people
going online is how secure they are doing so! Let's face it, modern
day office equipment is in its majority geared towards ease and
transparency of use, and not of security of data. The ease by which one
of your employees shares his/her printer with the rest of the team, is
the same ease by which an outsider can access the resources of her/his
computer. The ease by which an NT server shares its disks, is an open
invitation to outsiders to peek into and even destroy your hard earned
business data.

Let us first define what connecting to the internet means. In the
majority of cases a company purchases a router and signs a service
agreement with an internet provider, and lo and behold they are
online. All this is fine but have you ever stopped to consider who is
out there? It is not only your current and prospective clientele, not
only your suppliers, but also your competitors and enough sixteen year
old hackers with more time to themselves than they know what to do
with!

Your competition is indeed a thorn in your side, but your competition
armed with your internal data is a tiger unleashed. There is simply no
defense against an able, willing and armed enemy, especially when
that enemy is armed with your internal operations, be they personnel
reports, or tax papers. And do not forget the destructive tendencies
of underage hackers. They may be of no competition to you, but they
are of grave consequence. If a hacker breaks into your server and
starts deleting and altering files (philes in hacker slang), the
results will be quite unpleasant to your operation. At best you will
lose time and money trying to restore the damage and go full steam
again. At worst your operation will be affected so grossly that only a
total shutdown will be able to bring things under control. Either way
you lose, be it your market share or your time, it all translates to
revenues lost and disgruntled boards of trustees.

Of course your MIS department is not wrong to want to go online,
neither are your instincts telling you that you are right to let them
do so. But is your organization equipped with elephant guns and lion
snares? Can your MIS director become a security expert within a
heartbeat, or should you hire even more people under the shady title
of Network Security Manager?

You are right, of course, that very few people hear of security issues
directly. After all the very nature of the beast is to be cryptic.
National and international organizations exist to alert the computer
community of potential and actual security breaches, such as the CIAC
and the CERT (Computer Emergency Response Team). It is also rather
embarrassing for a large computer corporation such as Microsoft to
admit that they have overlooked the security of their products.

How easy it is

The tools are already available for wily foes to attack your
organization, and they are regularly used to perform random, and
directed sweeps of potential victims. Tools like SATAN and STROBE can
very easily and quickly find out your internal digital
infrastructure. The notoriety of the above tools bespeaks little of
their abilities. A poorly administered network appears literally
perforated, with each perforation being a potential access tunnel.
This problem is especially exacerbated with the new generation of file
sharing systems such as CIFS.

The situation becomes especially troublesome when we take into account
the most common business setup in any modern organization. Chances are
that most of the computers inside your organization are more or less
Windows (TM) based, with the possibility of a few Windows NT (TM)
servers thrown around as application servers. It is obvious that this
setup is inherently insecure. The minute a hard disk is shared without
a password imposed upon it, this disk becomes available for browsing
not only to your local net, but to the totality of the internet also.

Let us take a possible scenario that has occurred all too often. You
are in a hurry, a new server is needed, a new box comes in and goes to
production immediately, your MIS folks do not set a password because
they were pressed for time, after all you can either have ease and
speed of use or security but not both. Maybe the upper management
pressed them more than they should, maybe they were not careful enough
by themselves. In any case you can consider this machine as being
effectively open for perusal to the rest of the planet. Everybody
knows that the default account is called administrator and with the
new generation of client programs like smbclient, an adversary can see
what you hold in this computer.

It may sound just too easy to happen but the fact of the matter is that
it is! More sites on the internet are poorly maintained than the sites
that are taken good care of. And the trouble does not end at the file
sharing level. Setting up a public WEB server, an extranet in modern
parlance, creates some issues in and by itself. WWW server software
has its own set of problems and can even create back doors to your
operations and internal workings.

Whose fault it is

It is nobody's fault, yet every person is responsible, MIS for not
being paranoid enough, users for demanding total transparency, and
management trying to extract more productivity out of everyone without
considering the consequences.

Do not discount your vendor's inability to inform you timely of
problems. It is more often than not the case that computer or software
vendors' marketing personnel obscure the issue of security problems
when they crop up. Even worse they do not even test their products for
possible outside tampering. It is rather disquieting to find out on
the public forums the security risks of a particular application,
rather than have its creator stress test the application ahead of
time. One application that readily comes to mind is Microsoft's
Internet Explorer, that would readily give out its user's password to
a malicious site.

Obscurity and denial of problems is a common practice among large
vendors but it definitely is not security. To not know about a problem,
does not make that problem disappear, it just makes it so much more
dangerous when an ill willing individual stumbles across it.

The Remedy, buying a Firewall

How do you decide which firewall is best for you? Do you just go out
and buy one from a vendor, and we go back to square one, to trusting a
vendor's ability to see itself from the outside? Absolutely not. There
are a few things to consider before installing a firewall. First of
all let us consider your infrastructure, let us call it A, then your
firewall must be of type B. In this fashion -allow me the pun- even if
the security of the security machine is breached, a cracker cannot
glean any more information about your infrastructure due to the
dissimilarity of the systems.

You also have to consider that off the shelf software cannot work in
all cases and under all conditions, since different organizations have
different needs. Where one needs absolutely FTP access, another will
require a read only FTP access from the outside world, etc. etc. ad
nauseam. So custom solutions are not to be avoided but checked carefully
for compliance to specs.

Copyright © Angelos Karageorgiou
--
Angelos Karageorgiou angelos at StockTrade.GR
Systems Administration Tel: +30 31 498104