Solaris TCP/IP Network Security Features Previous Screen Carol Siegel Payoff Reviewing System Security for UNIX Is a Difficult Task
Total Page:16
File Type:pdf, Size:1020Kb
84-10-11 Solaris TCP/IP Network Security Features Previous screen Carol Siegel Payoff Reviewing system security for UNIX is a difficult task. However, the new technologies have made this task simpler because of the development of new client/server technology and open systems. SUN Microsystems' Solaris (based on SUN-OS Release 5 and AT&T Corporation's AT&T System V Release IV) has become a dominant player in the UNIX arena. This article, addresses some of the Solaris Transmission Control/Internet Protocol (TCP/IP) networking security features. Introduction As the location of data and programs move from servers to clients(i.e., desktop workstations and microcomputers), security exposures increase exponentially. One of the biggest areas of concern is network security. Wide Area Network as well as local area network interconnectivity in conjunction with client/server technology translates into significant network traffic and services. This increased traffic along the wire places significant importance on creating an industrywide standard for secure transmissions. Cryptology and message authentication methodologies are tools that will help resolve this issue. In addition, TCP/IP network services that are offered in conjunction with UNIX operating systems need to be closely controlled. Some of these services send unencrypted ID and password information across the wire, others list them in plain text in files, while others permit user log-in by requiring password authentication. Clearly, the use of these services should be carefully considered. Networking Security Features Remote access through the TCP/IP protocol suite is regulated by the following local files: · /etc/hosts. This file correlates host names with IP addresses. · /etc/services. This file correlates service name with port number and protocol. · /etc/hosts.equiv. This file lists serverwide trusted hosts and users. If one host trusts another host, any user that has the same ID on both hosts can log in from the trusted host to the other computer without typing a password. A + sign means that all users are trusted. · $HOME/.rhosts. This file contains user-specified trusted hosts and users that may log in asuser without a password. These files are located in user's home directories and can be created by end-users. A + sign means that all users are trusted. As shown in Exhibit 1, /etc/hosts.equivfile is overridden by the use of the.rhosts. · /etc/inetd.conf. This file, as shown in Exhibit 2, matches service names with server programs to be executed. Telnet provides remote virtual terminal service. Telnet permits any user on any host on the network to access the local host if a valid user name and password is supplied. It permits users to act as if they are logged in locally with full-access privileges. $HOME/.rhosts and /etc/hosts.equiv Previous screen #Examples # denies access to all users on host #-@group denies access to all users on hosts in group #-@group1+@group2 allows access to users in group2 on hosts in group1 #host user allows acces to user on host #+user allows access to user on any host # host-user denies access to user on host #-host denies access to all users on host #-@group denies access to all users in hosts in group The /etc/inetd.conf Command #ident "@(#)inetd.conf 1.13 92/12/07 SMI/*SVr4.0 1.5/ #Configuration file for inedt (8). See inedt.conf(5). # #To reconfigure the runnint inetd process, edit this file, then #send the inetd proces a SIGNUP. # #Syntax for socket-based Internet services: #< service_name >< socket_type >< proto >< flags >< user > < server_pathname >< args > #Ftp and telnet are standard internet services # ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd # #Tnamed serves the obsolete IEN-116 name server protocol. # # name dgram udp wait root /usr/sbin/in.tnamed in.tnamed # #Shell,log-in,exec,comsat,and talk are BSD protocols. # shell stream tcp nowait root /usr/sbin/in.rshd in.rshd log-in stream tcp nowait root /rsr/sbin/in.rlogind in.rlogind exec stream tcp nowait root /usr/sbin/in.execd in.rexecd comsat dgram udp wait root /usr/sbin/in.comsat in.comsat talk dgram udp wait root /usr/sbin/in.talkd in.talkd Certain commands called the r-commands permit remote access in some cases that do not require password authentication. These commands are: · rlogin permits a user to log in to a remote machine. · rsh permits a user to spawn a shell on a remote machine. · rcp permits remote copying. Exhibit 3 presents an example of the authentication process for rlogin, rsh, and rcp. Some of the access paths for user A do not require passwords: · Path 1. When executing rlogin, rsh, or rcp, if the user is not root, and if user A from Previous screen host * is listed in the local password file, and host * is listed in the localhosts.equiv file, access is allowed without a password. · Path 2. Similarly, if user A is listed in the local password file, but not in the local host.equiv file, but the user A and host * combination is listed in user A's local.rhosts file, no password is required. In search order, first the hosts.equiv file is searched and then the .rhosts file. Therefore, if end-users have created their own .rhosts files, they have control over certain remote access. Remote Network Authentication Remote Execution Security considerations for remote execution are: · Network services that are determined to be unsafe(depending on the security policy of the environment) should be disabled by removing or commenting out their entry in the/etc/inetd.conf or the/etc/services file. · $HOME/.rhosts files in general are considered to be unsafe, and should not be permitted. · A + sign in the/etc/host.equiv file or any$HOME/.rhosts file means all known hosts(those listed in /etc/hosts) are trusted. No+ signs should be found in these files. · $HOME/.rhosts files override entries in the /etc/host.equiv file and can be used as a backdoor. As they are controlled by end users, they are difficult to prevent. Daily system sweeps of end user's home directories are suggested. File Transfer Services The File Transfer Protocol (ftp) files to and from a remote network. It allows a remote user to log into a remote system with valid account and password information on the local system. After logging in, the user can get files, change directories, list directories, make directories, and remove files or directories. A file called /$HOME/.netrc can be created by any end user. The .netrc file contains valid host, user ID, and password information in clear text. This file permits those users specified to use ftp commands without manual password verification. The trivial ftp, used primarily for booting diskless workstations, permits the copying of world-readable files without logging in, thus not requiring adequate identification and authentication. Security Considerations for File Transfer The following is a list of security considerations for file transfer: · The /etc/ftpusers contains a list of users that cannot access the system using ftp.If this file is missing, any user may use ftp to access the system. · Because the $HOME/.netrcfile contains unencrypted password information, it is a serious Previous screen security exposure and should not be permitted. The system should be swept daily for the existence of these files. · If the need exists for a$HOME/.netrc file, it should be read and write for the owner of the file only. In addition, the remote target system should only allow ftp and no interactive session (e.g., telnet orrlogin). · The ftpusers file should contain all /etc/passwd users, except those authorized to use ftp; this file should be monitored regularly. · The ftp service should not be available unless expressly needed and should be commented out in theinetd.conf or /etc/servicesfile. X-Windowing Services X is a popular network-based window system that allows many programs to share a single graphical display. X-based programs display their output in windows, which can be either on the same computer on which the program is running or on any other computer on the network. Exhibit 4 shows the * server that controls a graphical screen allowing * clients to display windows on it. X-Windowing Access to xhost is controlled through the use of access control lists (ACLs) that display the remote hosts that have permission to display their windows on local workstations. The use of these Audit Command Language must be monitored. By issuing the command xhost+, an ACLs is created that permits any server to display on that client. If this command is not used, specific servers must be listed. A good X programmer can place a full screen window over the server's graphical device that is not detectable to the end-user. In this fashion, the programmer can potentially spoof production clients by displaying sign-on windows (or other data-gathering windows such as trade input). The xhost utility also has implications with respect to the physical and logical separation of product life-cycle environments. Development areas must be separated from User- Acceptance Test areas and from production areas. If access to a development or user- acceptance test (UAT) area is permitted from a production box by the use of thexhost utility, certain risks are present. For example, a trader who might be performing a test of a program or tool to analyze market data could display the resultant data on the production workstation screen. By doing this, the risk exists that any trader, for example, will mistake this data for true production data and base a decision on the erroneous data displayed.