>1. It is difficult for me to separate "UNIX problems" from "Security
>problems". For example, are VMS sites running DECnet as concerned
>with the same issues?
I suspect the best way to characterize it would be that the
problems are the same, but the degree to which they affect you, and
the ways in which they manifest are different.
Probably the biggest security problem most folks face right
now is that they still use obsolete plaintext passwords for access
and authentication. The threat there is that passwords can be
read off the wire as they fly by in the clear. The reason you hear
about this being a "problem with TCP/IP" is because the whole world
runs TCP/IP and nobody sniffs DECnet packets off the Internet
because there are none to sniff.
Another example of a whole category of problems is the
"buggy network service that runs with privileges" problem. I
suspect that all operating systems that have a notion of networks,
processes, and privileges have examples of this category of
problems. What happens is that some famous examples keep cropping
up and, while they're typical, they're unfortunately far from
unique. Just because sendmail has more holes in it than The Tirpitz
doesn't mean that other mailers running with privileges are any
better. We just hear a lot about sendmail because there are a
*LOT* of people using it, and fewer people use uucp, so the uucp
bugs are less interesting. ;) I suspect that fewer internet
break-ins occur against VMS machines because there are fewer
VMS machines on the internet.
>2. Little seems to be said about secure NFS or RPC in firewall
>discussions. Am I perhaps missing something? We have employees
>with machines at home who would like to NFS mount file systems across
>the Internet. I gather that some sites actually permit this on
>isolated machines, but product literature and papers I've read don't
>seem to talk about this much. I know that "secure NFS" has its
>own discussion group, but it seems like firewalls shouldn't completely
>ignore the topic.
Secure network filesystems are definitely an interesting
area to contemplate. We probably haven't seen much discussion of
them in the firewalls list because there aren't many out there
to talk about. :)
Normal NFS (calling it "insecure NFS" as opposed to "secure NFS"
is too much of an understatement) is bad news if you run it over the
internet for any filesystems that aren't read-only. NFS basically
does all its access based on a vaguely hidden "file handle" which, once
obtained, can let anyone with the file handle modify the file. Anyone
who can create a UDP packet with your server as the destination (and
any source address they like) can do so. Over the internet, all that stuff is
transmitted in the clear. Not a good thing at all. The "secure" NFS
variants perform some cryptographic functions to reduce this threat.
To me, the biggest problem with NFS and any remote filesystem
is that the possibility for attacks through transitive permissions
is just too great. I won't go into details, but there are lots of
fairly subtle ways you can parlay an ordinary user account on a
mis-configured client into a privileged account on a server by just
taking advantage of normal filesystem semantics. Notice I say
"mis-configured" -- a careful administrator with a devious mind
can spend a lot of time being careful to ensure that everything is
set up just right. In general, though, it's easier to just keep
that stuff inside a firewall where the outside can't get at it.
>3. As a practical matter, if one ignores bugs in things like sendmail
>(yeah, I know, this isn't realistic--so think of this as a theoretical
>question), and if only inbound news and mail are allowed onto the local
>net from the outside world, and then only to a single machine which
>forwards as needed, are there really any viable methods to get
>through a router which is discarding all other IP packets?
What you're doing here is good security practice. You're
reducing the scope of your problem to something very small and
then you're addressing the threats (whatever can come over NNTP
and SMTP servers) each service presents. Ignoring sendmail bugs
is a little hand-waving. :) Once you've narrowed the problem
down to two services, and have convinced yourself that your
news server and your SMTP servers are bulletproof, and that your
router is indeed screening what it's supposed to, then you're
in pretty good shape.
> If outbound
>telnet/ftp are then added, with additional checks for the reverse ftp
>data connection, are things any more compromised? Then what about
>X-servers which can only be started from in-house (e.g., running xterm
>on a local secure machine and "throwing a window" onto a host across
>the Internet).
...and each new service you add, you need to be able to
address the threats that can be brought against that service, and
how you protect against them. Ideally, once you've done that, you
have a document that looks a lot like a threat:countermeasure list.
In other words, you need to understand the security model
of each new service, as you add it. What *ARE* the problems inherent
in an X-server on a local machine that "throws" a window across the
internet (hint: you can march a herd of circus elephants through them).
>What I am trying to understand, and what I am not being
>able to discern from my reading, is to what degree security problems
>result from trying to be more "open" than is prudent, and to what degree
>there are real, intrinsic problems which must be guarded against.
It's a bit of both. Security problems result from trying
to be more open ("open" == more services, less attention to analysis
of each service's threats) *AND* from flaws in host operating systems,
and system software. A really important question when you're looking
at risks is the skill required on the part of the attacker to pull
off an attack, and the degree of difficulty it represents. If you
are protecting a general purpose campus computer, someone is not
likely to invest a huge amount of effort to crack it. If you are
protecting a security investment firm's network, it might be well
worth it for me to invest $50,000 in high end hardware and fancy
phone phreaking equipment to get into that network for a few hours.
Your security (and your "openness") needs to track what you're
afraid of losing, and how vigorously you need to defend it.
mjr.
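As an added illustration (not part of the original post), here is a small Python model of the screening-router policy from question 3 and its telnet/ftp extension, using constructed addresses: inbound only SMTP and NNTP, and only to the single gateway machine; outbound only telnet and ftp; the reverse ftp data connection admitted only when an inside host has actually opened an outbound ftp control connection.

```python
from dataclasses import dataclass

# Constructed addresses: the single mail/news gateway and the inside network.
BASTION = "192.0.2.10"
INSIDE_PREFIX = "192.0.2."
INBOUND_SERVICES = {25: "smtp", 119: "nntp"}   # only these reach the gateway
OUTBOUND_SERVICES = {21: "ftp", 23: "telnet"}   # only these may leave the net

@dataclass(frozen=True)
class Packet:
    iface: str          # "outside" or "inside": interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = True    # True = first packet of a TCP connection (SYN without ACK)

def inside(addr: str) -> bool:
    return addr.startswith(INSIDE_PREFIX)

class ScreeningRouter:
    """Policy from the question: in = SMTP/NNTP to the gateway only, out = telnet/ftp."""
    def __init__(self):
        self.ftp_clients = set()  # inside hosts with an open outbound ftp control session

    def decide(self, p: Packet) -> tuple[bool, str]:
        if p.iface == "outside" and inside(p.src):
            return False, "outside packet claiming an inside source address"
        if p.proto != "tcp":
            return False, "non-TCP (NFS, RPC over UDP) never crosses the router"
        if p.iface == "inside":
            if p.syn and p.dport in OUTBOUND_SERVICES:
                if p.dport == 21:
                    self.ftp_clients.add(p.src)  # this host may receive a data connection
                return True, f"outbound {OUTBOUND_SERVICES[p.dport]}"
            if not p.syn and p.src == BASTION and p.sport in INBOUND_SERVICES:
                return True, "gateway replying to an inbound mail/news connection"
            return False, "no other outbound service is permitted"
        if p.syn and p.dst == BASTION and p.dport in INBOUND_SERVICES:
            return True, f"inbound {INBOUND_SERVICES[p.dport]} to the gateway only"
        if p.syn and p.sport == 20 and p.dport > 1023 and p.dst in self.ftp_clients:
            # The "additional check" for the reverse ftp data connection: a stateless
            # filter would have to admit any packet from source port 20, so this rule
            # consults the control-session state instead.
            return True, "ftp data connection matching an open control session"
        if not p.syn and p.sport in OUTBOUND_SERVICES and p.dport > 1023:
            return True, "reply traffic for an outbound telnet/ftp connection"
        return False, "default deny"
```

The last `decide` rule is the classic ACK-bit check: established-connection replies are admitted, new connections from outside are not, except to the gateway's two services.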