Practical UNIX & Internet Security, second edition, part 10 (potx)

[ Library Home | DNS & BIND | TCP/IP | sendmail | sendmail Reference | Firewalls | Practical Security ] [Chapter 22] 22.4 SOCKS file:///C|/Oreilly Unix etc/O'Reilly Reference Library/networking/puis/ch22_04.htm (8 of 8) [2002-04-12 10:45:45] Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com

Chapter 20 NFS

20.3 Client-Side NFS Security

NFS can create security issues for NFS clients as well as servers. Because the files that a client mounts appear in the client's filesystem, an attacker who is able to modify mounted files can directly compromise the client's security.

The primary system that NFS uses for authenticating servers is based on IP host addresses and hostnames. NFS packets are not encrypted or digitally signed in any way. Thus, an attacker can spoof an NFS client either by posing as an NFS server or by changing the data that is en route between a server and the client. In this way, an attacker can force a client machine to run any NFS-mounted executable. In practice, this ability can give the attacker complete control over an NFS client machine.

At mount time, the UNIX mount command allows the client system to specify whether or not SUID files on the remote filesystem will be honored as such. This capability is one of the reasons that the mount command requires superuser privileges to execute. If you provide facilities to allow users to mount their own filesystems (including NFS filesystems as well as filesystems on floppy disks), you should make sure that the facility specifies the nosuid option. Otherwise, users might mount a disk that has a specially prepared SUID program that could cause you some headaches later on.

NFS can also cause availability and performance issues for client machines. If a client has an NFS partition on a server mounted, and the server becomes unavailable (because it crashed, or because network connectivity is lost), then the client can freeze until the NFS server becomes available.
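The nosuid advice above is easy to check on a running client. The following Python is an added example, not code from the book: it reads a Linux /proc/mounts-style table (an assumption; the book's systems print mount options differently) and reports every NFS mount that lacks nosuid or nodev. The sample table is constructed; the server names and paths are made up.

```python
from typing import Dict, FrozenSet, List, NamedTuple

# Client-side options the chapter calls for on every NFS mount: nosuid stops SUID
# programs on the export (or from a spoofed server) being honored on the client,
# nodev stops device nodes on the export being honored.
REQUIRED_OPTIONS = ("nosuid", "nodev")
NFS_TYPES = {"nfs", "nfs4"}


class Mount(NamedTuple):
    device: str
    mountpoint: str
    fstype: str
    options: FrozenSet[str]


def parse_mounts(table: str) -> List[Mount]:
    """Parse /proc/mounts-style lines: device mountpoint fstype options dump pass."""
    mounts = []
    for line in table.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue                       # blank, comment or malformed line
        device, mountpoint, fstype, opts = fields[:4]
        mountpoint = mountpoint.replace("\\040", " ")   # /proc/mounts escapes spaces as \040
        mounts.append(Mount(device, mountpoint, fstype, frozenset(opts.split(","))))
    return mounts


def audit_nfs_mounts(table: str) -> Dict[str, List[str]]:
    """Return {mountpoint: [missing options]} for each NFS mount that lacks one of
    REQUIRED_OPTIONS; an empty dict means every NFS mount is hardened."""
    findings: Dict[str, List[str]] = {}
    for m in parse_mounts(table):
        if m.fstype not in NFS_TYPES:
            continue
        missing = [opt for opt in REQUIRED_OPTIONS if opt not in m.options]
        if missing:
            findings[m.mountpoint] = missing
    return findings


# Constructed sample table; the server names and paths are made up.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
fileserver.example.com:/export/home /home nfs rw,vers=3,hard,intr 0 0
fileserver.example.com:/export/tools /usr/local/tools nfs4 ro,nosuid,nodev,hard 0 0
archive.example.com:/export/data /data nfs rw,nodev,hard 0 0
"""

if __name__ == "__main__":   # on a live client: audit_nfs_mounts(open("/proc/mounts").read())
    for mountpoint, missing in audit_nfs_mounts(SAMPLE_MOUNTS).items():
        print(f"{mountpoint}: missing {','.join(missing)}")
```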
Occasionally, an NFS server will crash and restart and - despite NFS's being a connectionless and stateless protocol - the NFS client's file handles will all become stale. In this case, you may find that it is impossible to unmount the stale NFS filesystem, and your only course of action may be to forcibly restart the client computer.

Here are some guidelines for making NFS clients more reliable and more secure:

● Make sure that your computer is either an NFS server or an NFS client, but not both.
● If possible, do not allow users to log into your NFS server.
● Don't allow your NFS clients to mount NFS servers outside your organization.
● Minimize the number of NFS servers that each client mounts. A system is usually far more reliable and more secure if it mounts two hard disks from a single NFS server, rather than mounting partitions from two NFS servers.
● If possible, disable the honoring of SUID files and devices on mounted partitions.

Appendix F Organizations

F.2 U.S. Government Organizations

F.2.1 National Institute of Standards and Technology (NIST)

The National Institute of Standards and Technology (formerly the National Bureau of Standards) has been charged with the development of computer security standards and evaluation methods for applications not involving the Department of Defense (DoD).
Its efforts include research as well as developing standards. More information on NIST's activities can be obtained by contacting:

NIST
Computer Security Division
A-216
Gaithersburg, MD 20899
+1-301-975-3359
http://www.nist.gov

NIST operates the Computer Security Resource Clearinghouse: http://csrc.ncsl.nist.gov/

NIST also operates the National Technical Information Service from which you can order a variety of security publications. See Appendix D for details.

F.2.2 National Security Agency (NSA)

One complimentary copy of each volume in the "Rainbow Series" of computer security standards can be obtained from the NSA. The NSA also maintains lists of evaluated and certified products. You can contact them at:

Department of Defense
National Security Agency
ATTN: S332
9800 Savage Road
Fort George Meade, MD 20755-6000
+1 301-766-8729
http://www.nsa.gov:8080

In addition to other services, the NSA operates the National Cryptologic Museum in Maryland. An online museum is located at: http://www.nsa.gov:8080/museum

Chapter 17 TCP/IP Services

17.5 Monitoring Your Network with netstat

You can use the netstat command to list all of the active and pending TCP/IP connections between your machine and every other machine on the Internet.
This command is very important if you suspect that somebody is breaking into your computer or using your computer to break into another one. netstat lets you see which machines your machine is talking to over the network. The command's output includes the host and port number of each end of the connection, as well as the number of bytes in the receive and transmit queues. If a port has a name assigned in the /etc/services file, netstat will print it instead of the port number.

Normally, the netstat command displays UNIX domain sockets in addition to IP sockets. You can restrict the display to IP sockets only by using the -f inet option. Sample output from the netstat command looks like this:

    charon% netstat -f inet
    Active Internet connections
    Proto Recv-Q Send-Q  Local Address          Foreign Address         (state)
    tcp        0      0  CHARON.MIT.EDU.telnet  GHOTI.LCS.MIT.ED.1300   ESTABLISHED
    tcp        0      0  CHARON.MIT.EDU.telnet  amway.ch.apollo 4196    ESTABLISHED
    tcp     4096      0  CHARON.MIT.EDU.1313    E40-008-7.MIT.ED.telne  ESTABLISHED
    tcp        0      0  CHARON.MIT.EDU.1312    MINT.LCS.MIT.EDU.6001   ESTABLISHED
    tcp        0      0  CHARON.MIT.EDU.1309    MINT.LCS.MIT.EDU.6001   ESTABLISHED
    tcp        0      0  CHARON.MIT.EDU.telnet  MINT.LCS.MIT.EDU.1218   ESTABLISHED
    tcp        0      0  CHARON.MIT.EDU.1308    E40-008-7.MIT.ED.telne  ESTABLISHED
    tcp        0      0  CHARON.MIT.EDU.login   RING0.MIT.EDU.1023      ESTABLISHED
    tcp        0      0  CHARON.MIT.EDU.1030    *.*                     LISTEN

NOTE: The netstat program only displays abridged hostnames, but you can use the -n flag to display the IP address of the foreign machine.

The first two lines of this output indicate Telnet connections between the machines GHOTI.LCS.MIT.EDU and AMWAY.CH.APOLLO.COM and the machine CHARON.MIT.EDU. Both of these connections originated at the remote machine and represent interactive sessions currently being run on CHARON; you can tell this because these ports are greater than 1023 and are connected to the Telnet port. (They may or may not be unnamed.)
Likewise, the third Telnet connection, between CHARON and E40-008-7.MIT.EDU, originated at CHARON to the machine E40-008-7. The next two lines are connections to port 6001 (the X Window Server) on MINT.LCS.MIT.EDU. There is a Telnet from MINT to CHARON, one from CHARON to E40-008-7.MIT.EDU, and an rlogin from RINGO.MIT.EDU to CHARON. The last line indicates that a user program running on CHARON is listening for connections on port 1030.

If you run netstat on your computer, you are likely to see many connections. If you use the X Window System, you may also see "UNIX domain sockets" that are the local network connections from your X clients to the X Window Server.

With the -a option, netstat will also print a list of all of the TCP and UDP sockets to which programs are listening. Using the -a option will provide you with a list of all the ports that programs and users outside your computer can use to enter the system via the network. (Unfortunately, netstat will not give you the name of the program that is listening on the socket.)[20]

[20] But the lsof command will. See the discussion about lsof in Chapter 25, Denial of Service Attacks and Solutions.
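The reading rules the chapter applies by hand can be automated. The Python below is an added example, not code from the book: it parses BSD-style netstat -f inet output, treats LISTEN rows and a "*.*" foreign address as listening sockets, calls a session inbound when the local end is a named service and the far end a numeric port (and outbound for the reverse), and falls back to the chapter's rule that a port above 1023 marks the originating end. It also rejoins the truncated "amway.ch.apollo 4196" address netstat printed. The sample rows are taken from the listings on this page.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# "HOST.port": the port is the last dot-separated field. netstat may truncate
# both the hostname ("MIT.ED") and a service name ("telne"); neither matters here.
ADDR_RE = re.compile(r"^(?P<host>.*)\.(?P<port>[^.]+)$")


class Socket(NamedTuple):
    proto: str
    local: str
    foreign: str
    state: Optional[str]


def split_addr(addr: str) -> Tuple[str, Optional[int], bool]:
    """Return (host, numeric port or None, is_named_service); '*.*' -> ('*', None, False)."""
    if addr == "*.*":
        return "*", None, False
    m = ADDR_RE.match(addr)
    host, port = m.group("host"), m.group("port")
    return (host, int(port), False) if port.isdigit() else (host, None, True)


def parse_netstat(text: str) -> List[Socket]:
    """Keep the tcp/udp rows; the prompt, banner and column header are skipped."""
    sockets = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("tcp", "udp"):
            continue
        if len(f) >= 7 and f[5].isdigit():
            f[4:6] = [f[4] + "." + f[5]]   # "amway.ch.apollo 4196" was split by a space
        sockets.append(Socket(f[0], f[3], f[4], f[5] if len(f) > 5 else None))
    return sockets


def bucket(s: Socket) -> str:
    if s.state == "LISTEN" or s.foreign == "*.*":
        return "listening"
    _, lport, lnamed = split_addr(s.local)
    _, fport, fnamed = split_addr(s.foreign)
    if lnamed != fnamed:                       # exactly one end is a named service
        return "inbound" if lnamed else "outbound"
    if lport is not None and fport is not None and (lport > 1023) != (fport > 1023):
        return "inbound" if fport > 1023 else "outbound"   # chapter's rule: ephemeral port = originator
    return "other"                             # e.g. X11 on 6001: both ends above 1023


def classify(text: str) -> Dict[str, List[Tuple[str, str]]]:
    out: Dict[str, List[Tuple[str, str]]] = {k: [] for k in ("listening", "inbound", "outbound", "other")}
    for s in parse_netstat(text):
        out[bucket(s)].append((s.local, s.foreign))
    return out


# Rows from the chapter's listings (column padding trimmed).
SAMPLE = """\
charon% netstat -a -f inet
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp 0 0 CHARON.MIT.EDU.telnet GHOTI.LCS.MIT.ED.1300 ESTABLISHED
tcp 0 0 CHARON.MIT.EDU.telnet amway.ch.apollo 4196 ESTABLISHED
tcp 4096 0 CHARON.MIT.EDU.1313 E40-008-7.MIT.ED.telne ESTABLISHED
tcp 0 0 CHARON.MIT.EDU.1312 MINT.LCS.MIT.EDU.6001 ESTABLISHED
tcp 0 0 CHARON.MIT.EDU.login RING0.MIT.EDU.1023 ESTABLISHED
tcp 0 0 CHARON.MIT.EDU.1030 *.* LISTEN
udp 0 0 *.tftp *.*
"""
```

Note that the rlogin row (local port login, foreign port 1023) is classified inbound by the named-service rule even though the remote side used a privileged port, which the bare >1023 rule alone would miss.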
    charon% netstat -a -f inet
    Active Internet connections
    Proto Recv-Q Send-Q  Local Address   Foreign Address   (state)
    [Previous netstat printout]
    tcp        0      0  *.telnet        *.*               LISTEN
    tcp        0      0  *.smtp          *.*               LISTEN
    tcp        0      0  *.finger        *.*               LISTEN
    tcp        0      0  *.printer       *.*               LISTEN
    tcp        0      0  *.time          *.*               LISTEN
    tcp        0      0  *.daytime       *.*               LISTEN
    tcp        0      0  *.chargen       *.*               LISTEN
    tcp        0      0  *.discard       *.*               LISTEN
    tcp        0      0  *.echo          *.*               LISTEN
    tcp        0      0  *.exec          *.*               LISTEN
    tcp        0      0  *.login         *.*               LISTEN
    tcp        0      0  *.shell         *.*               LISTEN
    tcp        0      0  *.ftp           *.*               LISTEN
    udp        0      0  *.time          *.*
    udp        0      0  *.daytime       *.*
    udp        0      0  *.chargen       *.*
    udp        0      0  *.discard       *.*
    udp        0      0  *.echo          *.*
    udp        0      0  *.ntalk         *.*
    udp        0      0  *.talk          *.*
    udp        0      0  *.biff          *.*
    udp        0      0  *.tftp          *.*
    udp        0      0  *.syslog        *.*
    charon%

NOTE: There are weaknesses in the implementation of network services that can be exploited so that one machine can masquerade temporarily as another machine. There is nothing that you can do to prevent this deception, assuming that the attacker gets the code correct and has access to the network. This kind of "spoof" is not easy to carry out, but toolkits are available to make the process easier. Some forms of spoofing may require physical access to your local network, but others may be done remotely. All require exact timing of events to succeed. Such spoofs are often impossible to spot afterwards.

Chapter 17 TCP/IP Services

17.7 Summary

A network connection lets your computer communicate with the outside world, but it can also permit attackers in the outside world to reach into your computer and do damage.
Therefore:

● Decide whether or not the convenience of each Internet service is outweighed by its danger.
● Know all of the services that your computer makes available on the network and remove or disable those that you think are too dangerous.
● Pay specific attention to trap doors and Trojan horses that could compromise your internal network. For example, decide whether or not your users should be allowed to have .rhosts files. If you decide that they should not have such files, delete the files, rename the files, or modify your system software to disable the feature.
● Educate your users to be suspicious of strangers on the network.

Chapter 19

19. RPC, NIS, NIS+, and Kerberos

Contents:
Securing Network Services
Sun's Remote Procedure Call (RPC)
Secure RPC (AUTH_DES)
Sun's Network Information Service (NIS)
Sun's NIS+
Kerberos
Other Network Authentication Systems

In the mid-1980s, Sun Microsystems developed a series of network protocols - Remote Procedure Call (RPC), the Network Information System (NIS, previously known as Yellow Pages or YP[1]), and the Network Filesystem (NFS) - that let a network of workstations operate as if they were a single computer system. RPC, NIS, and NFS were largely responsible for Sun's success as a computer manufacturer: they made it possible for every computer user at an organization to enjoy the power and freedom of an individual, dedicated computer system, while reaping the benefits of using a system that was centrally administered.

[1] Sun stopped using the name Yellow Pages when the company discovered that the name was a trademark of British Telecom in Great Britain.
Nevertheless, the commands continue to start with the letters "yp."

Sun was not the first company to develop a network-based operating system, nor was Sun's approach technically the most sophisticated. One of the most important features that was missing was security: Sun's RPC and NFS had virtually none, effectively throwing open the resources of a computer system to the whims of the network's users. Despite this failing (or perhaps, because of it), Sun's technology soon became the standard.

Soon the University of California at Berkeley developed an implementation of RPC, NIS, and NFS that interoperated with Sun's. As UNIX workstations became more popular, other companies, such as HP, Digital, and even IBM either licensed or adopted Berkeley's software, licensed Sun's, or developed their own.

Over time, Sun developed some fixes for the security problems in RPC and NFS. Meanwhile, a number of other competing and complementary systems - for example, Kerberos and DCE - were developed for solving many of the same problems. As a result, today's system manager has a choice of many different systems for remote procedure calls and configuration management, each with its own trade-offs in terms of performance, ease of administration, and security.

This chapter describes the main systems available today and makes a variety of observations on system security. For a full discussion of NFS, see Chapter 20, NFS.
19.1 Securing Network Services

Any system that is designed to provide services over a network needs to have several fundamental capabilities:

● A system for storing information on a network server
● A mechanism for updating the stored information
● A mechanism for distributing the information to other computers on the network

Early systems performed these functions and little else. In a friendly network environment, these are the only capabilities that are needed. However, in an environment that is potentially hostile, or when an organization's network is connected with an external network that is not under that organization's control, security becomes a concern. To provide some degree of security for network services, the following additional capabilities are required:

● Server authentication. Clients need to have some way of verifying that the server they are communicating with is a valid server.
● Client authentication. Servers need to know that the clients are in fact valid client machines.
● User authentication. There needs to be a mechanism for verifying that the user sitting in front of a client workstation is in fact who the user claims to be.
● Data integrity. A system is required for verifying that the data received over the network has not been modified during its transmission.
● Data confidentiality. A system is required for protecting information sent over the network from eavesdropping.

These capabilities are independent from one another. A system can provide for client authentication and user authentication, but also require that the clients implicitly trust that the servers on the network are, in fact, legitimate servers. A system can provide for authentication of the users and the computers, but send all information without encryption or digital signatures, making it susceptible to modification or monitoring en route. Obviously, the most secure network systems provide all five network security capabilities.
Appendix D Paper Sources

D.2 Security Periodicals

Systems Security Monitor
U.S. Department of the Treasury
Bureau of the Public Debt
AIS Security Branch
200 3rd Street
Parkersburg, WV 26101
Voice: +1-304-480-6355
BBS: +1-304-480-6083

InfoSecurity News
498 Concord Street
Framingham, MA 01701
Voice: +1-508-879-9792

Computer Security, Audit & Control (Law & Protection Report)
P.O. Box 5323
Madison, WI 53705
Voice: +1-608-271-6768

Appendix E Electronic Resources

E.2 Usenet Groups

There are several Usenet newsgroups that you might find to be interesting sources of information on network security...

comp.security.announce (moderated)   Computer security announcements, including new CERT-CC advisories
comp.security.unix                   UNIX security
comp.security.misc                   Miscellaneous computer and network security
comp.security.firewalls              Information about firewalls
comp.virus (moderated)               Information on computer viruses and related topics
alt.security                         Alternative discussions of computer and network security
comp.admin.policy                    Computer administrative policy issues, including security
comp.protocols.tcp-ip                TCP/IP internals, including security
comp.unix.admin                      UNIX system administration, including security
comp.unix.wizards                    UNIX kernel internals, including security
sci.crypt                            Discussions...

Posted: 12/08/2014, 22:21
