A conference a day keeps the diet at bay Peter's report on the recent LISA and Network Security conferences

January  1998

Conferences can be great places for information acquisition and exchange. They can be bad places if you are watching your weight. If you didn't manage to make it to LISA '97 and Network Security '97, this column can serve as a biased view of what you missed. It can also help to justify your attendance at the next security conferences. If you did attend, you can cut this out and use it as that trip report that your boss keeps requesting. Then you don't need to explain that you learned a lot but forgot it all while checking out Bourbon Street or Old Town. Also this month, coverage of the usual bunch of bugs. Some even have patches. Also, see the Solaris Security FAQ for all your Solaris security information needs. (1,800 words)

Mail this article to a friend

ISA '97 is one of the Usenix organization's major events. Well regarded for the quality and quantity of its tutorials, the conference is designed for administrators of large facilities (LISA stands for Large Installation System Administration). At LISA '97, the security content was fairly sparse, but there were a few gems to be found.

Dan Geer and Jon Rochlis gave a tutorial on "Security on the World Wide Web," covering client/server network security basics, basic WWW security, basic cryptography, network layer security via SSL, PCT, and IPSEC, advanced WWW security via s-http, Java, smartcards, payment protocols, and miscellaneous issues such as Web spoofing, I18N, and firewalls.

The course was a good overview for WWW developers and end users. I applaud their effort, because the people who do security day in and day out usually are not the ones that make the mistakes that compromise sites. These are more often committed by the developers and Webmasters who volunteer or are volunteered to build Web sites and applications and have no security background, knowledge, or training. If nothing else, Geer and Rochlis provide information on how the Web works, the security methods available, and the tradeoffs involved in the mainstream tools and protocols that are in use. Great information for those designing, implementing, and managing Web sites.

NetWork flight recorder
The more interesting security talks included one by Marcus Ranum on his company's forthcoming package, called Network Flight Recorder (NFR), as well as a few on spam.

Ranum's Network Flight Recorder fills an important void in the security tool arena. It is designed to be the be-all and end-all network traffic recorder. Once complete, it should be perfect for sites that need to know they are secure. NFR is a meta-programmed decision engine that is extremely flexible. For example, it can watch all traffic, recording statistics for legal traffic and recording all packet details of bad traffic. By "bad traffic," I mean, for example, packets destined for inappropriate ports, or traffic going from or to inappropriate IP addresses.

NFR will be free for noncommercial and research use, and the source will be available. When the engine is incorporated into commercial (and presumably free) tools, it should be a great addition to the security administrator's toolkit.

Rejecting spam using Sendmail
Unfortunately for those of us who receive spam mail every day, it is sometimes difficult to distinguish the spam from legitimate e-mail (which explains that set of Ginsu knives I just received!). It is even more difficult for software to make this distinction. At LISA, there was quite a lot of talk, both formal and informal, about spam, its uses and abuses, and what can be done to stop it. The bottom line is that ISPs need to be vigilant about preventing and discouraging spam, and that everyone who runs a mail server should be sure its rulesets prevent others from using it as a mail redirector. Incidentally, my ISP had all mail from it to AOL bounced when it was deemed a spam sender by AOL. They implemented anti-spam facilities and AOL allowed mail to flow again. Remember when AOL was the source of most spam? Times, they are a changin'.

Anyway, Robert Harker gave a thorough talk on changes you can make to Sendmail (V8) configuration files to have it reject what appears to be spam. You can see an abstract of his talk in Resources below.

SANS '97
The SANS organization's annual fall conference, Network Security '97, once again delivered the goods. I didn't attend any of the tutorials, but there were several that looked interesting. The talks, of course, were all about security. A synopsis of the more interesting talks follows. The full proceedings are available from SANS.

• Secure Electronic Commerce on the Internet by Innocent Eroraha of Trusted Information Systems Inc. (TIS)
  This talk examined a secure remote banking implementation. It advocated a "belt and suspenders" approach to security (what I call the "onion model" of multiple security layers. The facility included a multi-homed firewall with a DMZ-based Web server which had access to the back-end bank database. Communications were secured via SSL.

• Least Privilege In a Software Development Environment: The Problem of Root by Jerry Carlin of TCSI Corp
  Carlin espoused the use of tools to control, monitor, and manage software developers. The recommended tools included sudu, swatch, and tripwire.

• Writing Safe Setuid Programs by Matt Bishop of UC Davis
  This talk gave clear information on how to avoid creating another security hole on your systems.

• Hybrid Firewalls for the year 2010 by Brad Powell
  Sun Microsystems' Powell discussed the evolution of firewalls, their current architecture and utility, and their future directions. Essentially, he suggested that a sequential packet filter and proxy firewall is the best solution and the wave of the future. These should be implemented in-line, or back to back, to get the best aspects of each. Doing so now makes implementation difficult and hurts performance, but those problems should be solved in the future.

• DNS and Sendmail vs. Firewalls by Hal Pomeranz of Deer Run Associates
  Pomeranz, one of the co-chairs of the LISA show, described with precision the steps needed to get e-mail and DNS information through a corporate firewall without decreasing your corporate security.

• Effective Use of PGP by Mitchell Baker of Nichols Research.
  Baker provided a nice overview of PGP, how to set it up, how to manage it, and what pitfalls to watch for. He also reviewed the currently available PGP implementations for several platforms.

• Tools and Processes for Implementing VPNs by Andy Liu of TIS
  Liu made sense of the variations in virtual private networks (VPNs), and described how they worked, how to install them and test them, and how to measure their bandwidth. He also gave some examples of VPNs in use today. Unfortunately, some of the information was TIS specific.

• IPSec Overview by Paul Ferguson
  Cisco gave a higher-level overview of authentication, encryption, and key exchange technology, and discussed how IPSec approaches these issues. Because IPSec is a standard and is being implemented within several products and on several platforms, the information was pertinent to most folks interested in VPNs.

• Managing Your PartnerNets by Michele Crabb of Cisco Systems
  Crabb identified a very common problem: how to connect to partner companies without giving up security. She pointed out the solution must meet privacy, bandwidth, and access needs, provide appropriate security, be manageable, and be understood by all parties. She then provided methods to use to design partner access points. Unfortunately, she didn't have time to discuss solutions by example. She did, however, provide several sample documents including policies and worksheets. Very useful if you need to connect outside companies to your facilities.

• Dealing with Social Engineering Attacks by David Harley of Imperial Cancer Research Fund
  Prior to this conference, I had never heard of anyone giving a talk on this subject. Everyone (including me) spreads FUD about social engineering, but what can you do to prevent it? David defined the "seven deadly sins" that allow social engineering attacks: gullibility, curiosity, courtesy, greed, diffidence, thoughtlessness, and apathy. He also provided reasonable, if difficult, solutions to each of these problems. He then described the classic "wetware" attacks. Unfortunately, the solutions generally require policies and education, each of which companies are loath to implement. That does not, however, mean the problem or solutions should be ignored.

Finally, Char Sample and Mark Teicher gave a short course on firewall troubleshooting. Between the two, they've installed quite a few firewalls. The course captured their experiences at debugging the inevitable problems that occur. The topics included DNS, Mail, Routing, Subnetting, VPNs, authentication, trust relationships, cabling, filtering, rules, netacls, system logging, backups, indiscriminate use of generic proxies, human factors, operating system goodies, vendor fine print, internal network protocols, security administration procedures, network and security policy, system architecture, Internet security reviews, and more. I kid you not. The problem/solution format was especially useful for finding quick solutions to firewall problems. All this, and good food too....

The Buglist
Sun has released patches for the at program for all reasonable current operating system releases. The details are in Sun security bulletin #160. AUSCERT reported a security hole in statd and the details are provided in CERT advisory CA-97.26. Sun has already released patches for the major OS releases. Another CERT advisory, CA-97.27 reports on a fairly well-known problem with ftpdaemons. In this case a "port" command can be issued to the server to "bounce" the connection to an arbitrary host and port. Access to this destination system may ordinarily be denied (via a firewall for instance) but this method allows ftpd to be used to circumvent the restriction. Sun has patches for the problem, and wu-ftp is another good solution.

There is also an unresolved denial-of-service attack reported as CERT advisory CA-19.28. There are two tools that can be used to deny network connections on many TCP/IP-based machines. There is no information in the report about SunOS and Solaris vulnerability. Rob Diamond, a senior security architect at Sun, reports that Solaris 2.4 and above are not vulnerable to the "land" attack. No word yet on the "teardrop" attack.

SunOS 4.X, however, appears to be vulnerable. Rob also points out that if your machines are behind a well-constructed firewall, then the packets involved in an attack from the outside will never reach your internal machines.

Secure Networks has issued a security advisory about a common misconfiguration of Check Point Firewall-1. If you run this firewall and have this as your first configuration line:

"Enable Firewall-1 Control Connections [Essential]" [1].

then your firewall is susceptible to SNMP probing. Anyone with network access to the firewall (either from inside or outside the firewall) can query its SNMP status and determine information about the firewall and your internal networks. You should immediately disable this line. Check Point has also released a patch to its resellers.

Resources

• Network Flight Recorder
  http://www.nfr.com/
• Robert Harker
  http://www.harker.com/
• Robert Harker's "Selectively Rejecting spam using Sendmail" (available to Usenix members only)
  http://www.usenix.org/publications/library/proceedings/lisa97/22.harker.html
• SANS
  http://www.sans.org/
• David Harley's security page
  http://webworlds.co.uk/dharley/
• Usenix
  http://www.usenix.org
• This month's Usenix Security Symposium
  http://www.usenix.org/events/sec98/

• Sun Security Bulletin Archive
  http://sunsolve.sun.com/sunsolve/secbulletins/
• CERT Advisory CA-97.26
  ftp://info.cert.org/pub/cert_advisories/CA-97.26.statd
• CERT* Advisory CA-97.27
  ftp://ftp.cert.org/pub/cert_advisories/CA-97.27.FTP_bounce
• CERT advisory CA-19.28
  ftp://ftp.cert.org/pub/cert_advisories/CA-97.28.Teardrop_Land
• Secure Networks' Check Point advisory
  http://www.secnet.com/sni-advisories/sni-21.firewall-1.advisory.html

• Full listing of Security columns in SunWorld
  http://www.sun.com/sunworldonline/common/swol-backissues-columns.html#security
• Related network security stories in SunWorld's Site Index
  http://www.sun.com/sunworldonline/common/swol-siteindex.html#netsec
• Peter Galvin's Solaris Security FAQ
  http://www.sun.com/sunworldonline/common/security-faq.html

About the author
Peter Galvin is chief technologist for Corporate Technologies Inc., a systems integrator and VAR. He is also adjunct system planner for the Computer Science Department at Brown University, and has been program chair for the past four SUG/SunWorld conferences. As a consultant and trainer, he has given talks and tutorials world-wide on the topics of system administration and security. He has written articles for Byte and Advanced Systems (SunWorld) magazines, and the Superuser newsletter. Peter is co-author of the best-selling Operating Systems Concepts textbook. Reach Peter at peter.galvin@sunworld.com.

If you have technical problems with this magazine, contact webmaster@sunworld.com

URL: http://www.sunworld.com/swol-01-1998/swol-01-security.html
Last modified: