Security comparisons Linux (Unix)-NT?

angelos at unix.gr angelos at unix.gr
Thu Nov 25 17:53:03 EET 1999


Georgios Sakalis <sakalis at ceid.upatras.gr> wrote:


> If it is not too much trouble for you, send it to me.

I assume you are replying to me, and I am enclosing the text.

==============================================================================



                       Computer Security White Paper

                                      
How safe is it out there

   So you want to go on the internet, you want to do business on the web,
   and online financial transactions with your bank. You want to go
   online! You are opening your door to the cybernetic world and you
   anxiously await the returns. The internet and the web are new
   frontiers, new markets to be tapped, but beware, there be tigers
   out there.
   
   Past the metaphor, what is not obvious to all the business people
   going online is how secure they are doing so! Let's face it, modern
   day office equipment is in its majority geared towards ease and
   transparency of use, and not of security of data. The ease by which one
   of your employees shares his/her printer with the rest of the team, is
   the same ease by which an outsider can access the resources of her/his
   computer. The ease by which an NT server shares its disks, is an open
   invitation to outsiders to peek into and even destroy your hard earned
   business data.
   
   Let us first define what connecting to the internet means. In the
   majority of cases a company purchases a router and signs a service
   agreement with an internet provider, and lo and behold they are
   online. All this is fine but have you ever stopped to consider who is
   out there? It is not only your current and prospective clientele, not
   only your suppliers, but also your competitors and enough sixteen year
   old hackers with more time to themselves than they know what to do
   with!
   
   Your competition is indeed a thorn at your side, but your competition
   armed with your internal data is a tiger unleashed. There is simply no
   defense against an able, willing and armed enemy, especially when
   that enemy is armed with your internal operations, be they personnel
   reports, or tax papers. And do not forget the destructive tendencies
   of underage hackers. They may be of no competition to you, but they
   are of grave consequence. If a hacker breaks into your server and
   starts deleting and altering files (philes in hacker slang), the
   results will be quite unpleasant to your operation. At best you will
   lose time and money trying to restore the damage and go full steam
   again. At worst your operation will be affected so grossly that only a
   total shutdown will be able to bring things under control. Either way
   you lose, be it your market share or your time, it all translates to
   revenues lost and disgruntled boards of trustees.
   
   Of course your MIS department is not wrong to want to go online,
   neither are your instincts telling you that you are right to let them
   do so. But is your organization equipped with elephant guns and lion
   snares? Can your MIS director become a security expert within a
   heartbeat, or should you hire even more people under the shady title
   of Network Security Manager?
   
   You are right, of course, that very few people hear of security issues
   directly. After all the very nature of the beast is to be cryptic.
   National and international organizations exist to alert the computer
   community of potential and actual security breaches, such as the CIAC
   and the CERT (Computer Emergency Response Team). It is also rather
   embarrassing for a large computer corporation such as Microsoft to
   admit that they have overlooked the security of their products.
   


How easy it is
   
   The tools are already available for wily foes to attack your
   organization, and they are regularly used to perform random, and
   directed sweeps of potential victims. Tools like SATAN and STROBE can
   very easily and quickly find out your internal digital
   infrastructure. The notoriety of the above tools bespeaks little of
   their abilities. A poorly administered network appears literally
   perforated, with each perforation being a potential access tunnel.
   This problem is especially exacerbated with the new generation of file
   sharing systems such as CIFS.
   
   The situation becomes especially troublesome when we take into account
   the most common business setup in any modern organization. Chances are
   that most of the computers inside your organization are more or less
   Windows (TM) based, with the possibility of a few Windows NT (TM)
   servers thrown around as application servers. It is obvious that this
   setup is inherently insecure. The minute a hard disk is shared without
   a password imposed upon it, this disk becomes available for browsing
   not only to your local net, but to the totality of the internet also.
   
   Let us take a possible scenario that has occurred all too often. You
   are in a hurry, a new server is needed, a new box comes in and goes to
   production immediately, your MIS folks do not set a password because
   they were pressed for time, after all you can either have ease and
   speed of use or security but not both. Maybe the upper management
   pressed them more than they should, maybe they were not careful enough
   by themselves. In any case you can consider this machine as being
   effectively open for perusal to the rest of the planet. Everybody
   knows that the default account is called administrator and with the
   new generation of client programs like smbclient, an adversary can see
   what you hold in this computer.
   
   It may sound just too easy to happen but the fact of the matter is that
   it is! More sites on the internet are poorly maintained than the sites
   that are taken good care of. And the trouble does not end at the file
   sharing level. Setting up a public WEB server, an extranet in modern
   parlance, creates some issues in and by itself. WWW server software
   has its own set of problems and can even create back doors to your
   operations and internal workings.
   


Whose fault it is
   
   It is nobody's fault, yet every person is responsible, MIS for not
   being paranoid enough, users for demanding total transparency, and
   management trying to extract more productivity out of everyone without
   considering the consequences.
   
   Do not discount your vendor's inability to inform you timely of
   problems. It is more often than not the case that computer or software
   vendors' marketing personnel obscure the issue of security problems
   when they crop up. Even worse they do not even test their products for
   possible outside tampering. It is rather disquieting to find out on
   the public forums the security risks of a particular application,
   rather than have its creator stress test the application ahead of
   time. One application that readily comes to mind is Microsoft's
   Internet Explorer, that would readily give out its user's password to
   a malicious site.
   
   Obscurity and denial of problems is a common practice among large
   vendors but it definitely is not security. To not know about a problem
   does not make that problem disappear, it just makes it so much more
   dangerous when an ill willing individual stumbles across it.



   
The Remedy, buying a Firewall
   
   How do you decide which firewall is best for you? Do you just go out
   and buy one from a vendor, and we go back to square one, to trusting a
   vendor's ability to see itself from the outside? Absolutely not. There
   are a few things to consider before installing a firewall. First of
   all let us consider your infrastructure, let us call it A, then your
   firewall must be of type B. In this fashion -allow me the pun- even if
   the security of the security machine is breached, a cracker cannot
   glean any more information about your infrastructure due to the
   dissimilarity of the systems.
   
   You also have to consider that off the shelf software cannot work in
   all cases and under all conditions, since different organizations have
   different needs. Where one needs absolutely FTP access, another will
   require a read only FTP access from the outside world, etc. etc. ad
   nauseam. So custom solutions are not to be avoided but checked carefully
   for compliance to specs.
   

Copyright © Angelos Karageorgiou


-- 
Angelos Karageorgiou            angelos at StockTrade.GR
Systems Administration		Tel: +30 31 498104