The LINUX.COM Article Archive
Originally Published: Monday, 11 December 2000 | Author: Matt Michie
Published to: enhance_articles_sysadmin/Sysadmin
Matt Michie's Security Outlook: Part I
Matt Michie will be writing a series of articles on guiding the amateur system administrator through the world of computer security routines. In his first article, Matt explains the three main areas of security vulnerability, and how they can affect you.
In this first article, I will outline threats to which a sysadmin should immediately respond. The three basic areas of vulnerability are physical access, local area network access, and remote access.
Physical access attacks are essentially impossible to defeat using software alone. If an attacker can physically access your machine, your system can be compromised. For instance, physical attacks may consist of using a simple root boot disk, or even just yanking the hard drive. Physical security therefore depends more on the security of the entire building and of the room where the system is located.
Local area network attacks are those that originate behind your firewalls or network intrusion detection systems. Systems are often left vulnerable to these attacks because the internal network is trusted. Even if you consider everyone on your internal network implicitly trustworthy, that trust can be exploited later if an attacker breaks through your firewall into the internal network: from there, they can root other machines on your network far more easily than they could from the original point of entry alone.
Most admins immediately associate cracker attacks with remote network attacks, and spend most of their time defending and preparing their networks against them. Many established techniques and tools are designed for this; we'll eventually cover some of them, including firewalls and network intrusion detection systems. Most Denial of Service (DoS) attacks also fall into this category.
How does one prevent, detect, and respond to these events? Let's work from the outside in. To prevent remote access attacks, the first step is to keep your operating system patched and up to date. Next, shut down all services that you aren't actively using. Unused services are likely to fall out of date and later be exploited by the buffer overflow exploit of the week. Linux also has powerful firewalling and masquerading tools which can make sure that only traffic you've approved is sent into and out of your internal networks.
Detection of ongoing attacks is also extremely important. Although still a fledgling security area, Network Intrusion Detection Systems (NIDS) are gaining in capability and popularity. Most operate much as a virus scanner does: you program in signatures of common attacks, and the program "sniffs" your network looking for matching suspicious activity. Unfortunately, it can take a fair amount of tweaking before the number of false positives falls. Like car alarms, with too many false positives no one pays attention to any alarm.
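To show the signature matching and the tuning problem just described, here is a toy sensor (example code written for this edit, not from the article or from any real NIDS) run over a constructed four-packet capture; the same content signature is applied first with no context and then restricted by port and direction, and the alert count drops from three to the one real hit.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination port
    payload: bytes

@dataclass
class Signature:
    name: str
    content: bytes                  # bytes to look for, like a Snort-style "content" option
    dport: Optional[int] = None     # restrict to one destination port (None = any port)
    to_home: Optional[str] = None   # only fire for traffic INTO this prefix (None = any direction)

def matches(sig: Signature, pkt: Packet) -> bool:
    """True when the packet satisfies every constraint the signature carries."""
    if sig.dport is not None and pkt.dport != sig.dport:
        return False
    if sig.to_home is not None and not pkt.dst.startswith(sig.to_home):
        return False
    return sig.content in pkt.payload

def run_sensor(sigs, pkts):
    """Sniff the capture and return one alert tuple per (signature, packet) hit."""
    return [(s.name, p.src, p.dst, p.dport) for p in pkts for s in sigs if matches(s, p)]

# Constructed capture (hypothetical hosts): one real probe against an internal web
# server, plus two benign packets that happen to carry the same bytes.
CAPTURE = [
    Packet("10.0.0.5",     "192.168.1.10", 80,   b"GET /index.html HTTP/1.0\r\n"),
    Packet("10.0.0.7",     "192.168.1.10", 80,   b"GET /cgi-bin/view?file=/etc/passwd HTTP/1.0\r\n"),
    Packet("192.168.1.20", "192.168.1.25", 25,   b"Subject: notes on the /etc/passwd format\r\n"),
    Packet("192.168.1.10", "10.0.0.5",     1025, b"HTTP/1.0 200 OK\r\n\r\nSee /etc/passwd(5)\r\n"),
]

# Untuned: any packet, any port, any direction carrying the bytes fires (3 alerts, 1 real).
UNTUNED = Signature("WEB-MISC /etc/passwd", b"/etc/passwd")
# Tuned: same content, but only inbound requests to port 80 on our 192.168.1.0/24 servers.
TUNED = Signature("WEB-MISC /etc/passwd", b"/etc/passwd", dport=80, to_home="192.168.1.")

def alert_counts():
    """Return (untuned alerts, tuned alerts) for the constructed capture."""
    return len(run_sensor([UNTUNED], CAPTURE)), len(run_sensor([TUNED], CAPTURE))

if __name__ == "__main__":
    for sig in (UNTUNED, TUNED):
        print(sig, "->", run_sensor([sig], CAPTURE))
```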
Our next article will give you step-by-step instructions on how to set up SNORT, an open-source NIDS with thousands of user-contributed signatures. You'll learn how to customize it for the type of network you have.
Local network security is slightly more difficult to achieve, but many of the same concepts apply. A switched network with internal firewalls and "DMZs" can make an insider attack more difficult. Future articles will go more in depth on how to set up ipchains for this configuration, as well as other ways to increase your security.
Physical security is mostly beyond the scope of these articles. Beyond setting a BIOS password, adding a password to your LILO prompt, and controlling access to the hardware, ultimately if an attacker can get physical access to the machine, he can have root access.
Tune in next time for our SNORT tutorial!