A conference a day keeps the diet at bay
Peter's report on the recent LISA and Network Security conferences
Conferences can be great places for information acquisition and exchange. They can be bad places if you are watching your weight. If you didn't manage to make it to LISA '97 and Network Security '97, this column can serve as a biased view of what you missed. It can also help to justify your attendance at the next security conferences. If you did attend, you can cut this out and use it as that trip report that your boss keeps requesting. Then you don't need to explain that you learned a lot but forgot it all while checking out Bourbon Street or Old Town. Also this month, coverage of the usual bunch of bugs. Some even have patches. Also, see the Solaris Security FAQ for all your Solaris security information needs. (1,800 words)
Dan Geer and Jon Rochlis gave a tutorial on "Security on the World Wide Web," covering client/server network security basics, basic WWW security, basic cryptography, network layer security via SSL, PCT, and IPSEC, advanced WWW security via s-http, Java, smartcards, payment protocols, and miscellaneous issues such as Web spoofing, I18N, and firewalls.
The course was a good overview for WWW developers and end users. I applaud their effort, because the people who do security day in and day out usually are not the ones that make the mistakes that compromise sites. These are more often committed by the developers and Webmasters who volunteer or are volunteered to build Web sites and applications and have no security background, knowledge, or training. If nothing else, Geer and Rochlis provide information on how the Web works, the security methods available, and the tradeoffs involved in the mainstream tools and protocols that are in use. Great information for those designing, implementing, and managing Web sites.
NetWork flight recorder
The more interesting security talks included one by Marcus Ranum on his company's forthcoming package, called Network Flight Recorder (NFR), as well as a few on spam.
Ranum's Network Flight Recorder fills an important void in the security tool arena. It is designed to be the be-all and end-all network traffic recorder. Once complete, it should be perfect for sites that need to know they are secure. NFR is a meta-programmed decision engine that is extremely flexible. For example, it can watch all traffic, recording statistics for legal traffic and recording all packet details of bad traffic. By "bad traffic," I mean, for example, packets destined for inappropriate ports, or traffic going from or to inappropriate IP addresses.
NFR will be free for noncommercial and research use, and the source will be available. When the engine is incorporated into commercial (and presumably free) tools, it should be a great addition to the security administrator's toolkit.
Rejecting spam using Sendmail
Unfortunately for those of us who receive spam mail every day, it is sometimes difficult to distinguish the spam from legitimate e-mail (which explains that set of Ginsu knives I just received!). It is even more difficult for software to make this distinction. At LISA, there was quite a lot of talk, both formal and informal, about spam, its uses and abuses, and what can be done to stop it. The bottom line is that ISPs need to be vigilant about preventing and discouraging spam, and that everyone who runs a mail server should be sure its rulesets prevent others from using it as a mail redirector. Incidentally, my ISP had all mail from it to AOL bounced when it was deemed a spam sender by AOL. They implemented anti-spam facilities and AOL allowed mail to flow again. Remember when AOL was the source of most spam? Times, they are a changin'.
Anyway, Robert Harker gave a thorough talk on changes you can make to Sendmail (V8) configuration files to have it reject what appears to be spam. You can see an abstract of his talk in Resources below.
The SANS organization's annual fall conference, Network Security '97, once again delivered the goods. I didn't attend any of the tutorials, but there were several that looked interesting. The talks, of course, were all about security. A synopsis of the more interesting talks follows. The full proceedings are available from SANS.
Finally, Char Sample and Mark Teicher gave a short course on firewall troubleshooting. Between the two, they've installed quite a few firewalls. The course captured their experiences at debugging the inevitable problems that occur. The topics included DNS, Mail, Routing, Subnetting, VPNs, authentication, trust relationships, cabling, filtering, rules, netacls, system logging, backups, indiscriminate use of generic proxies, human factors, operating system goodies, vendor fine print, internal network protocols, security administration procedures, network and security policy, system architecture, Internet security reviews, and more. I kid you not. The problem/solution format was especially useful for finding quick solutions to firewall problems. All this, and good food too....
Sun has released patches for the at program for all reasonable current operating system releases. The details are in Sun security bulletin #160. AUSCERT reported a security hole in statd and the details are provided in CERT advisory CA-97.26. Sun has already released patches for the major OS releases. Another CERT advisory, CA-97.27 reports on a fairly well-known problem with ftpdaemons. In this case a "port" command can be issued to the server to "bounce" the connection to an arbitrary host and port. Access to this destination system may ordinarily be denied (via a firewall for instance) but this method allows ftpd to be used to circumvent the restriction. Sun has patches for the problem, and wu-ftp is another good solution.
There is also an unresolved denial-of-service attack reported as CERT advisory CA-19.28. There are two tools that can be used to deny network connections on many TCP/IP-based machines. There is no information in the report about SunOS and Solaris vulnerability. Rob Diamond, a senior security architect at Sun, reports that Solaris 2.4 and above are not vulnerable to the "land" attack. No word yet on the "teardrop" attack.
SunOS 4.X, however, appears to be vulnerable. Rob also points out that if your machines are behind a well-constructed firewall, then the packets involved in an attack from the outside will never reach your internal machines.
Secure Networks has issued a security advisory about a common misconfiguration of Check Point Firewall-1. If you run this firewall and have this as your first configuration line:
"Enable Firewall-1 Control Connections [Essential]" .
then your firewall is susceptible to SNMP probing. Anyone with network access to the firewall (either from inside or outside the firewall) can query its SNMP status and determine information about the firewall and your internal networks. You should immediately disable this line. Check Point has also released a patch to its resellers.
About the author
Peter Galvin is chief technologist for Corporate Technologies Inc., a systems integrator and VAR. He is also adjunct system planner for the Computer Science Department at Brown University, and has been program chair for the past four SUG/SunWorld conferences. As a consultant and trainer, he has given talks and tutorials world-wide on the topics of system administration and security. He has written articles for Byte and Advanced Systems (SunWorld) magazines, and the Superuser newsletter. Peter is co-author of the best-selling Operating Systems Concepts textbook. Reach Peter at email@example.com.
If you have technical problems with this magazine, contact firstname.lastname@example.org