Many years ago, my father decided to put a birdfeeder in our backyard. It was great. We could see all kinds of birds visiting our yard from our breakfast table. However, it soon became the official hangout for the local squirrel population. The squirrels would eat all of the birdfeed and chase the birds away. My brothers and I thought the squirrels were every bit as interesting as the birds, but not my dad. He referred to them as "acrobatic vermin" and they soon became the focus of a major family project. The project's goal was to design a birdfeeder which was easily accessible by birds but impossible to reach by the squirrels. On the surface it sounded easy enough. How hard could it be to outwit some goofy squirrels? At least that's what my brothers and I thought when our dad first explained the project to us. It would be fun for us to work on together. We discussed ideas, drew plans, built and tested our designs. We worked on it all summer. Our birdfeeders ranged from the simple to the absurd. Each design worked temporarily, but eventually the squirrels would figure a way around our defenses. Each time, our adversaries outwitted us. Still to this day, when we get together, our conversation will invariably turn to a design idea one of us had for the Ultimate Squirrel-Proof Birdfeeder. The project could continue forever for one simple reason: It can't be done.
When I first got involved with computer security, I kept thinking about the Ultimate Squirrel-Proof Birdfeeder. The reason our designs ultimately failed each time was actually very simple. The more challenging we made our design, the more cunning our squirrels had to be in order to defeat it. In essence, we were seeing Darwinian theory in action. Our efforts were helping breed a smarter, craftier squirrel. I still have this recurring nightmare that I walk into an office for a technical interview and there's a squirrel sitting behind the desk.
It's very similar to the challenges we face in computer security. How can we provide easy access to resources by the authorized users and still deny unauthorized access?
Luckily, as Solaris System Administrators, we have some excellent tools available to us. Sun Microsystems has spent a great deal of effort in designing Solaris to be both stable and secure. This book is your reference guide for not only securing your Solaris systems, but also for securing the environment in which they operate.
This book is not designed to be an introduction to UNIX or a primer on Solaris System Administration. It's designed to be a reference guide for experienced Solaris sysadmins who need to make sure their systems are secure.
Starting with Chapter One, we'll be attempting to level the playing field between you and your systems. It begins by discussing how to evaluate your current security scheme. One thing a hacker will always take advantage of is a sysadmin's complacency. We start by going over the default settings you will find on a newly installed Solaris 8 system. We'll also go over the basics of testing, monitoring and documenting security procedures.
Next, in Chapter 2, we cover the standard security tools available from Sun Microsystems. This includes an overview of Sun's BSM product and a look at the features of Sun's Trusted Solaris 8.
In Chapter 3, we introduce third-party security tools which are commonly used to secure and monitor Solaris systems. This chapter not only recommends some valuable tools to have on hand, but also tells you where to get them and how to configure them for maximum effectiveness.
We begin discussing how to protect our resources in Chapters 4 and 5. First, we cover how users are authenticated on a Solaris system. Then we discuss how to configure file permissions and commonly used protocols such as FTP and NFS to transfer information safely among our authenticated users.
Once we have our systems secure, we need to explore our options for providing secure network services. Network users today need access to resources both on your local network and on the Internet. Opening this door can be a tremendous headache for a sysadmin. A major portion of this book's chapters is devoted to providing secure access on both sides of your router. Chapter 6 expands our focus to how Solaris 8 operates securely in a networked environment by providing DNS and DHCP services to network clients. In Chapter 7, we learn how to configure a secure web and e-mail server. In Chapter 8, we narrow our networking focus by concentrating on how to configure Solaris to be a router and provide firewalling services. One of the most popular apps for providing web access to our users is called Squid. Chapter 9 is totally devoted to providing information on the configuration of the security features of Squid.
Knowing your opponent's methods and tools is the first step in defeating their efforts. Now that we've learned what tools we have available, in Chapter 10 we learn what tools hackers commonly use to circumvent our security. We cover the most popular methods of attack, such as Distributed Denial of Service, Ping of Death and the much-hated buffer overflow exploit. We discuss how they are used, what to be on the look-out for and how to configure our Solaris systems to prevent their use against us.
Finally, in Chapter 11 we cover what we can do to prepare for that day when they make it past our main defenses. This chapter covers the configuration of a Solaris Honeypot system using freeware or commercial products. With a well-designed Honeypot system and some luck, we can lure our intruders away from our real systems. If designed correctly, it can tie up an intruder while collecting information on them. We can use this data later to plug the gaps they used to get in. Our final chapter also covers the use of a popular file monitoring tool called Tripwire, which takes a snapshot of our systems and alerts us when key files have been altered.
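To make the idea behind a file-monitoring tool concrete, here is a small added example (it is not from the book and is not Tripwire itself) that does the same two things in miniature: take a checksum snapshot of every regular file under a directory, then compare the live system against that snapshot and alert on anything added, removed or modified. It uses only POSIX tools (find, cksum, sort, diff); the function names, the use of mktemp for scratch files and the directory paths in the usage comments are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not part of the book: a minimal file-integrity baseline in the
# spirit of Tripwire. Each snapshot line is "crc size path" as printed by cksum,
# sorted by path so that two snapshots of the same tree can be compared with diff.
# Function names and paths are assumptions for the example.

# fim_snapshot DIR OUTFILE : record every regular file under DIR into OUTFILE.
# -type f skips directories, devices and symlinks so only real content is hashed.
fim_snapshot() {
    dir=$1
    out=$2
    find "$dir" -type f -exec cksum {} \; | sort -k3 > "$out"
}

# fim_check DIR BASELINE : re-snapshot DIR and compare it with BASELINE.
# Returns 0 when nothing changed, 1 when any file was added, removed or
# modified (the differing lines are printed), 2 if no scratch file could be made.
# Lines starting with '<' are the baseline's view, '>' the current view.
fim_check() {
    dir=$1
    base=$2
    cur=$(mktemp) || return 2
    fim_snapshot "$dir" "$cur"
    if diff "$base" "$cur" > /dev/null; then
        rm -f "$cur"
        return 0
    fi
    echo "INTEGRITY ALERT: $dir differs from baseline $base"
    diff "$base" "$cur" | grep '^[<>]'
    rm -f "$cur"
    return 1
}

# Typical use (paths are assumptions): take the baseline right after installation
# and hardening, keep it somewhere the running system cannot rewrite it, then
# check from cron:
#   fim_snapshot /etc /var/fim/etc.base
#   fim_check /etc /var/fim/etc.base
```

The check is only as trustworthy as the baseline: take it from a known-good state and store it off the monitored host or on read-only media, because an intruder who can edit the baseline can hide every change they make. A CRC from cksum catches accidental and careless tampering; a real deployment would use a cryptographic digest, which is one of the things Tripwire adds over this sketch.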
So, the book comes full circle, from describing the need for improved and consistent security to learning what to do when our efforts fail.
Our Ultimate Squirrel-Proof Birdfeeder Project failed for the same reason that many security plans fail. Squirrels, like many hackers, are very curious, very single-minded and have a lot of time on their hands. They also tend to work together. Eventually we figured out how to defeat them. We found that by monitoring their efforts and changing our designs in response we were able to build our Ultimate Squirrel-Proof Birdfeeder. The key is that it's not one design, but an ever-changing design.
The same holds true for designing your Ultimate Hack-Proofing Solaris Plan. It's not something you do once and ignore. It takes constant reviewing, monitoring and improving. Using the information in this book you will be able to keep your resources secure provided you understand the importance of one simple truth:
The hackers are out there and they want your sunflower seeds.
Randy Cook, SCSA
Technical Editor