Digg this story   Add to del.icio.us  
Multiple Security Roles With Unix/Linux
Daniel Hanson, 2004-06-02

There are some areas of security where Linux and Unix have some strong wins, and simply fit in better than anything else.

After the reception my last column regarding the security criticism I heaped on Unix and Linux vendors who are pursuing end-user desktops, I thought I would outline some of the areas where I think Linux and Unix already have strong wins.

While I am a dedicated Unix and Linux junkie and use it everywhere I can, I may be somewhat biased. However, there are some areas where Unix and Linux systems fit in better than anything else out there. In some cases, these roles can be performed on commercial Unix systems if your organization feels better about paying for commercial-grade software. The upcoming version of Solaris, for example seems to have some new security tricks that are worth a look if you need to run secure enterprise services.

CD based OS - security in an insecure world

Working in the security industry makes a person slightly paranoid. In my case, my paranoia goes far enough that I don't trust my own mother, or at least I don't trust her computer.

When I am visiting a remote location and want to check mail, surf the web, or check my bank balance, the bile starts to rise as I think about spyware, viruses, keyboard loggers and all the other little nasties that infect the average home PC. I have found that a CD based OS works wonders in lowering my stress level. I use Knoppix because it seems the most stable and complete, but there are other options out there. I simply stick it in the CD drive, boot from the CD, log on and read mail to my (relaxed) hearts content.

Unless my mom has installed a hardware keyboard logger, I feel I'm pretty safe.

CD based OS - a binary Dick Tracy

I moderate the SecurityFocus Incidents mailing list, and a recent thread caught my attention. The thread focused on incident response to a potential Windows compromise, and the forensics that might occur in the investigation. Many people chimed in with toolkits that did what was needed and a number of CD based investigation tools were cited, some I had not encountered but look interesting.

Forensics after a security incident is a critical area in this ever changing world. The risk of sensitive information being compromised continues to increase, and knowing exactly how you were compromised, and what the attacker did can be key. None of these toolkits will do the job for you; ultimately the Dick Tracy role is left to the brains behind the keyboard, but a strong toolset can sure make a difference.

In researching this column I came across the following article noting that Linux systems, when mounting journaled EXT3 and ReiserFS systems in read only mode, will write some data to the drive. This may be important if the analysis must face the scrutiny of a court of law.

I have included some of the cited tools below with warnings from the posters or a small summary taken from the web page:

F.I.R.E - but possibly not maintained
Knoppix - Be careful, Knoppix may automount certain partitions if they are available.
Inside Security Rescue CD - This will fit on one of those nifty credit card CDs.
Penguin Sleuth Kit - Knoppix without automount and additional Forensics tools.

Simple, effective perimeter security? Or complex, effective perimeter security?

This may be a contentious area for some. Choices for firewalls span from dedicated appliances that can cost hundreds of thousands of dollars to a Linux system running IPTables. Even the firewall choices on various open source Unix-like operating systems are numerous. You can deploy Linux with IPTables, or OpenBSD, NetBSD, FreeBSD have the ability to use a number of firewall choices including ipf, and pf and ipfw. What do all of these choices have in common? They all have powerful and configurable networking setup, tremendous extensibility, and the ability to add a whole lot of additional options to help strengthen a network perimeter.

Some downsides to these firewalls may be found in throughput, limitations in the hardware, or management of large installations and failover. Many of these hurdles can be overcome at a cost of administrator time but what if you organization has spent hundreds of thousands on a series of rackmounted firewall boxes?

Perimeter security is more than the firewall box

Luckily for Unix fans perimeter security moves beyond simple firewalling. Take the badly abused SMTP MTA in most organizations. If you are relying on delivery into a groupware system, you know how difficult it can be to use filtering, virus scanning, and every other add-on in a groupware environment. One of my favorite uses for a Unix-like system involves procmail pre-delivery filtering in a groupware environment.

A dedicated system that can rapidly sort and filter incoming email before it hits the already overloaded groupware mail servers can save considerable pain, regardless of what your organization's favorite brand of server operating system is.

Several options, one that included procmail, is discussed in Dogs of War: Securing Microsoft Groupware Environments parts one and two.

There are numerous other perimeter defense additions that happily run on Unix systems of all stripes. The SQUID proxy system can be used as an HTTP accelerator for incoming connections or as an outgoing proxy filter for outbound connections. IDS systems like snort can give visibility into the activity happening on a network perimeter, and there are numerous other utilities that can make the flow of information across your perimeter safer and quicker.

Honeynets and Honeypots - conceived for the paranoid

Many readers will be familiar with the notion of a honey pot or a honey net in the battle against Internet attackers, for those that aren't - this definition is provided by the honeynet project.

A Honeynet is one type of honeypot, specifically a high-interaction honeypot that provides real systems for attackers to interact with. A honeypot is a system who's value is being probed, attacked, or compromised, you want the bad guys to interact with your honeypot. There are many different kinds of honeypots, with many different uses and values. To learn more about honeypots, check out the website and the book Honeypots: Tracking Hackers.

Not everyone wants or needs a honeynet or a honeypot, but for those people who are intimately involved in security, they can be a valuable resource. A honeypot or honeynet allows an investigator or responder the ability to keep up with what attacks are occurring and how to recognize them and investigate them. Because of the flexibility needed, Unix and Linux systems make an ideal platform upon which to build a honeynet or honeypot. Almost every honeynet or honeypot implementation relies on significant logging and control of network connections to be most effective, and the flexibility of networking options inside Unix and Linux systems fit the bill perfectly.

A fit for almost any organization

It is a rare organization that has the money to deploy best of breed or integrated commercial software for every security role. Whether your job is perimeter protection, incident response or email server administration, there may be an opportunity to use your favorite Unix system with some additional tools to get the job done faster and cheaper than what you do now.

Daniel Hanson manages the Focus Incidents area of SecurityFocus as well as the Incidents mailing list.
    Digg this story   Add to del.icio.us  
Comments Mode:
CD security distros 2004-06-11
Multiple Security Roles With Unix/Linux 2004-06-14
Bob Radvanovsky


Privacy Statement
Copyright 2010, SecurityFocus