Security: Pete's Wicked World by Peter Galvin

Should Sun be your security manager?

Sun's Security Manager Suite can add access control, centralized management, single sign-on, and auditing to your Suns and PCs. But should you let it?

SunWorld
November  1997

Abstract
Sun has released a suite of security management tools for intranets, desktops, and applications. These tools provide some much-needed security enhancements to servers and the PCs that communicate with them. This month's column features an overview of these products with information on their features and limitations to help you decide if they have a place in your organization.

Also this month: The Bookstore gives details on a new SANS pamphlet and a useful break-in planning and reporting document. Break-ins includes the SANS digest and AirTran. SAMBA and rdist are included in The Buglist, as well as several patches. And The Toolbox alerts you to the release of ISS V5. Also, see The Solaris Security FAQ for all your Solaris security information needs. (2,000 words)



Sun is rapidly expanding its security product line. The line now includes Firewall-1 and SunScreen firewall products, SKIP encryption technology, and the Sun Security Manager suite. The SunScreen and SKIP products will be reviewed in upcoming columns. This month's column evaluates the Security Manager suite.

The Security Manager suite was recently released by Sun. The release is a quiet one. I suspect that this is due to, well, limitations in Sun's marketing. The products actually are not new. They are Sun-enhanced versions of some of the DynaSoft BoKS product line. DynaSoft was recently acquired by Security Dynamics, assuring not only that the product line will continue growing but that it will also have strong ties to SecurID cryptocards and the other Security Dynamics products. Sun is participating in the development of new releases of the Solstice Security Manager product line, which will help tie it in with existing and new Solaris features.

The Solstice Security Manager product line consists of Solstice Security Manager (SSM), Solstice Security Manager for Intranets (SSMI), Solstice Security Manager for Desktops (SSMD), and Solstice Security Manager for Applications (SSMA). (Notice the retro naming. Sun is moving away from the "Solstice" label but hasn't made a clean break yet.) Together, these products aim to allow clients and servers to work together in a secure computing environment. Internets and intranets can carry the secure communications. And the security for the entire set of machines can be easily managed. Given the ubiquitous "80% of security problems are internal" studies, chances are that your company could benefit from increased internal security. Below, the product features are analyzed. Following that is a hands-on evaluation of how well the products match their promises.



The products, in a nutshell
SSM 4.3 provides access control and auditing for a single server. It allows the definition of access rights for users and user classes, and defines how the access is allowed (console, network, terminal, su, and secure single sign-on (SSSO)). SSSO provides an encrypted-password exchange that allows access to hosts and applications as allowed by access rules (see SSMI below). It also defines password parameters to force the use of "good" passwords and provides extensive security event auditing. It also includes a COPS-like integrity checker and inactivity monitoring. SSM can be used to manage user and host data and is nicely tied to existing facilities. For instance, if you define a host or a user, it easily updates system file, NIS, and even DNS databases. It will work with NIS+, but requires some integration work. SSM's best use is on standalone machines requiring an extra level of security. A Web server or mail server, for example, would benefit from the access control and auditing.

SSMI takes SSM's feature set and extends it for use throughout a facility or company. The SSM features can be centrally managed, with management delegation. For instance, facility managers may be given the ability to define access control rules for the machines under their control, while the corporate security folks would have access control, password management, and auditing control for the entire company. SSMI can best be used on all or a set of corporate servers. It increases security (assuming that you trust it) while decreasing security management load. SSMI is also the management platform for the SSMD and SSMA products and their SSSO session feature. Unfortunately, SSMI currently does not run on Solaris 2.6. In the 2.5.1 implementation, it replaces binaries such as login, passwd, su, ftp*, rexecd, rsh*, xdm, and xinit. SSMI currently does not play well with Kerberos. When the 2.6 version is released it will use the new PAM facility and leave the system binaries alone. Another limitation in the current release is support for cryptocards and other hardware-token-based authentication systems. This problem should be fixed in the next release.
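To make the access-route and delegation model concrete, here is an added toy implementation (not SSM's or SSMI's own code or data formats; the rule shape, the `@class` naming and the `*` wildcard are assumptions for the illustration). Rules are (subject, host, route) triples, decisions are deny-by-default, every decision is recorded in an audit trail, and an administrator may only add rules for hosts inside the scope delegated to them:

```python
"""Toy model of SSM-style access routes with delegated administration.

Added illustration, not SSM's code or on-disk formats. A subject is a
user name or a user class written as '@class'; a route is how access
is attempted (console, network, terminal, su, ssso); host '*' matches
any host. Everything is deny-by-default and audited.
"""
from dataclasses import dataclass, field

ROUTES = {"console", "network", "terminal", "su", "ssso"}


@dataclass
class Rule:
    subject: str   # "alice" or "@webadmins"
    host: str      # "www", or "*" for any host
    route: str     # one of ROUTES


@dataclass
class AccessDB:
    classes: dict = field(default_factory=dict)  # class -> set of users
    scopes: dict = field(default_factory=dict)   # admin -> set of hosts they manage
    rules: list = field(default_factory=list)
    audit: list = field(default_factory=list)    # (event, who, host, route)

    def add_rule(self, admin: str, rule: Rule) -> bool:
        """Delegated administration: accept a rule only if the host is
        inside the administrator's scope ('*' scope = whole company)."""
        if rule.route not in ROUTES:
            raise ValueError(f"unknown access route {rule.route!r}")
        scope = self.scopes.get(admin, set())
        if "*" not in scope and rule.host not in scope:
            self.audit.append(("RULE_DENIED", admin, rule.host, rule.route))
            return False
        self.rules.append(rule)
        self.audit.append(("RULE_ADDED", admin, rule.host, rule.route))
        return True

    def _subjects_for(self, user: str) -> set:
        """The user's own name plus every class they belong to."""
        subs = {user}
        for cls, members in self.classes.items():
            if user in members:
                subs.add("@" + cls)
        return subs

    def check(self, user: str, host: str, route: str) -> bool:
        """Evaluate one access request (deny by default) and audit it."""
        subs = self._subjects_for(user)
        allowed = any(
            r.subject in subs and r.host in (host, "*") and r.route == route
            for r in self.rules
        )
        self.audit.append(("ALLOW" if allowed else "DENY", user, host, route))
        return allowed


def build_demo() -> AccessDB:
    """Constructed sample: a corporate security admin with company-wide
    scope and a facility manager who controls only 'www' and 'mail'."""
    db = AccessDB()
    db.classes["webadmins"] = {"alice", "bob"}
    db.scopes["corp-security"] = {"*"}
    db.scopes["web-facility"] = {"www", "mail"}
    # facility manager: allowed for its own hosts, refused for 'db'
    db.add_rule("web-facility", Rule("@webadmins", "www", "network"))
    db.add_rule("web-facility", Rule("@webadmins", "db", "su"))
    # corporate security: may grant on any host
    db.add_rule("corp-security", Rule("carol", "*", "console"))
    return db


if __name__ == "__main__":
    db = build_demo()
    for req in [("alice", "www", "network"), ("alice", "www", "su"),
                ("carol", "db", "console"), ("carol", "www", "network")]:
        print(req, "->", db.check(*req))
    for line in db.audit:
        print(line)
```

The `RULE_DENIED` audit record is the part worth keeping: an attempt by a facility manager to reach outside their delegated hosts is itself a security event, not just a refused operation.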

SSMI and SSM are only available for Solaris from Sun, but there are plans to expand that. The BoKS product on which they are based is available for most major Unix platforms.

SSMD is a client-side expansion to SSMI. With it, PCs running Windows 3.x, 95, or NT can be secure players in the corporation. They have single sign-on to hosts and applications, boot protection, local file encryption, integrity checks, public key encryption and digital signature, system monitoring, and automatic screen locking. Some of these features are only available on some platforms. According to Sun, SSMD scales to "tens of thousands" of desktop users. Essentially, it implements virtual smart cards called personal security devices (PSDs). The PSDs are registered with SSMI, and the information is made available to SSMA, thus implementing SSSO. (Did anyone follow that?) There are five types of PSD: host, user, certificate authority, password encrypted, and desktop protection. Each PSD contains an X.509 certificate, signed by the certification authority (SSMI in this case). They work together to identify those entities to servers running SSMI. The user PSD contains the same information found on smart cards, including a certificate and private RSA key. It can be used for encrypted telnet, for instance. The same mechanism can be used by administrators for encrypted, authenticated remote administration of servers or desktops from the SSMI GUI. The desktop PSD is used for local encryption of files on a desktop.

SSMA provides secure single sign-on access to Oracle and Sybase applications. It sits on the application server and responds to connections from SSMD and SSMI. SSMA also supports SSSO to MVS applications using mainframe PassTickets, a built-in function in MVS. Also, single sign-on to Netware is supported, but it is not secure (non-encrypted exchange of PSD information).

When SSMI is combined with SSMD and SSMA, a user at a PC logs in once at boot time. The user is authenticated to any hosts and applications that they have access to, without the requirement of more passwords being entered.

How does single sign-on work?
The single sign-on is perhaps the most complicated part of the product line, so let's look at some more detail. The SSSO process for a given user includes these steps:

  1. User starts the application on the client running SSMD.
  2. The server running SSMA receives the access request and contacts SSMI for authentication and encryption information.
  3. A common session key is negotiated between the SSMD and SSMA. The key is used to encrypt further communications between the two.
  4. The user is authenticated.
  5. SSMI maps the user PSD to the application/Unix user.
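The five steps above, run end to end as an added model (not the product's protocol or code). Real PSDs carry an X.509 certificate and an RSA private key; to keep the example standard-library only, each user PSD and each SSMA instead shares a long-term secret with SSMI, the session key is derived from the PSD secret and two nonces, and a small HMAC-based stream cipher stands in for the product's cipher. Message shapes, names and the `kdf`/`xor_stream` helpers are assumptions of the model:

```python
"""Simplified model of the SSSO exchange: SSMD (client) -> SSMA (app server)
-> SSMI (central server). Added illustration with invented message formats;
long-term shared secrets stand in for the product's certificates and RSA keys.
"""
import hashlib
import hmac
import secrets


def kdf(key: bytes, *parts: bytes) -> bytes:
    """Derive a 32-byte value from a secret and context labels (HMAC-SHA256)."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: HMAC keystream in counter mode; same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = kdf(key, b"stream", nonce, i.to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class SSMI:
    """Central server: PSD registry, SSSO rules and PSD -> Unix user mapping."""

    def __init__(self):
        self.user_psd = {}   # user -> PSD secret (stands in for the user's key)
        self.app_keys = {}   # app -> secret shared with that application's SSMA
        self.unix_map = {}   # (user, app) -> application/Unix account

    def register_user(self, user, psd_key): self.user_psd[user] = psd_key
    def register_app(self, app, app_key): self.app_keys[app] = app_key
    def allow_ssso(self, user, app, unix_user): self.unix_map[(user, app)] = unix_user

    def session_info(self, app, user, nonce_c):
        """Step 2: answer SSMA's request for authentication and encryption
        information; refuse unless the PSD is registered and a rule exists."""
        if user not in self.user_psd or (user, app) not in self.unix_map:
            return None
        nonce_s = secrets.token_bytes(16)
        session_key = kdf(self.user_psd[user], b"session", app.encode(), nonce_c, nonce_s)
        return {"nonce_s": nonce_s,
                # session key wrapped for SSMA under the app's long-term secret
                "wrapped_key": xor_stream(self.app_keys[app], nonce_s, session_key),
                # step 5: the user PSD mapped to the application/Unix user
                "unix_user": self.unix_map[(user, app)]}


class SSMD:
    """Desktop client holding the user's PSD."""

    def __init__(self, user, psd_key):
        self.user, self.psd_key, self.nonce_c, self.session_key = user, psd_key, None, None

    def start(self, app):
        """Step 1: the user starts the application; emit the access request."""
        self.nonce_c = secrets.token_bytes(16)
        return {"user": self.user, "app": app, "nonce_c": self.nonce_c}

    def finish(self, app, nonce_s):
        """Steps 3-4 (client side): derive the common session key and prove it."""
        self.session_key = kdf(self.psd_key, b"session", app.encode(), self.nonce_c, nonce_s)
        return kdf(self.session_key, b"client-auth", nonce_s)


class SSMA:
    """Application-server agent; mediates between SSMD and SSMI."""

    def __init__(self, app, app_key, ssmi):
        self.app, self.app_key, self.ssmi = app, app_key, ssmi

    def handle(self, request, client):
        """Steps 2-5: returns mapped account and session key, or None on failure."""
        info = self.ssmi.session_info(self.app, request["user"], request["nonce_c"])
        if info is None:
            return None                                   # unknown PSD or no SSSO rule
        session_key = xor_stream(self.app_key, info["nonce_s"], info["wrapped_key"])
        proof = client.finish(self.app, info["nonce_s"])  # step 3 on the client side
        if not hmac.compare_digest(proof, kdf(session_key, b"client-auth", info["nonce_s"])):
            return None                                   # step 4 failed: wrong PSD secret
        return {"unix_user": info["unix_user"], "session_key": session_key}


def run_ssso(ssmi, app, app_key, user, psd_key):
    """One sign-on plus an encrypted round trip; returns the Unix account or None."""
    client, server = SSMD(user, psd_key), SSMA(app, app_key, ssmi)
    result = server.handle(client.start(app), client)
    if result is None:
        return None
    nonce = secrets.token_bytes(16)
    ciphertext = xor_stream(client.session_key, nonce, b"SELECT 1")
    if xor_stream(result["session_key"], nonce, ciphertext) != b"SELECT 1":
        return None                                       # keys did not agree
    return result["unix_user"]


def build_demo():
    """Constructed registry: one Oracle SSMA, alice allowed, bob registered but unmapped."""
    ssmi, app_key = SSMI(), b"oracle-ssma-secret"
    ssmi.register_app("oracle", app_key)
    ssmi.register_user("alice", b"alice-psd-secret")
    ssmi.register_user("bob", b"bob-psd-secret")
    ssmi.allow_ssso("alice", "oracle", "ora_alice")
    return ssmi, app_key
```

Two properties of the real design survive the simplification: SSMI hands out no key material unless both the PSD and an access rule exist, and the application server never learns the user's long-term secret, only a per-session key that SSMI wrapped for it.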

Because this suite is based on an established product, there are several features that make it robust and usable in large environments. For instance, it includes read-only replica servers that can provide information to any requester. These servers may not change the information though. They can function when the primary SSMI server is down. Also, there are U.S./Canada and global versions of the products. The global versions use weaker, 40-bit encryption to keep the Feds happy.

Taken together, these tools provide a means to implement your security policy. The policy should be the driving force in the decisions made on how, when, and whether to use these tools. Sun has made a nice security policy summary available if you need a head-start on creating a policy.

In my experience, the packages were easy to install and use. They performed as expected, with the overall effect of making the PCs a much more usable part of a facility.

Sun Security Manager stands up well when compared to other products, like SeOS. SeOS has more depth to it, including add-in kernel modules to prevent non-registered setuid programs from executing, for instance. However, SeOS is more complicated to implement and maintain. With better integration with smart card technology and Solaris, the SSM product line should find its way into many Solaris-centric environments.

For more information on Sun's security offerings, visit http://www.sun.com/security/, and http://www.sun.com/solstice/Networking-products/securitymgr.html. There is also a form available to request a copy of Sun's security brochure.

The Bookstore
The Intranet SANS Institute and SANS have published a useful little pamphlet entitled "Twelve Mistakes to Avoid in Managing Security -- For the Web." It is based on the experiences of the U.S. Department of Justice -- lessons learned when its Web site was hacked. Among its list of mistakes are: distributing Web site authority, participating in networks in which some members are careless about security, and misconfiguring firewalls. Unfortunately, the coverage is short on details. Still, you might find this pamphlet useful as an awareness tool -- say, something to give to the boss or the CIO. E-mail intranet@clark.net to get a copy.

John C. Smith, (not his real middle initial), a senior criminal investigator in the Computer Crime/High Technology Theft Unit of the Santa Clara County District Attorney's Office, has released a very useful paper on planning for and reporting computer crimes. John has seen it all, including many incidents that could not be prosecuted due to poor planning or reporting by the victim. Avoid these problems by reading his Reporting & Planning Guidelines for Industrial Espionage & Network Intrusions. It includes many "do's" and "don'ts," as well as sections of pertinent California legal code and checklists for preventing computer crime.

Break-ins
A break-in to the SANS security digest mailing-list server software caused more than a little embarrassment. The bogus mailing included nasty words and pictures. The security problem has been fixed, and the SANS detectives are busy trying to figure out who the culprit is. In spite of this foible, the digest is quite worth receiving (if I do say so myself). The real digest is available at http://www.sans.org/nwstoc.htm

You have to feel at least a little sorry for ValuJet. Just six days after starting business again, this time as AirTran, its site was hacked and filled with references to their crash. 2600 has copies of this and other hacked pages.

The Buglist
CERT has released an advisory about SAMBA and a bug that's being thoroughly exploited over the Internet. It allows remote users to gain root access to SAMBA servers. Details are available from ftp://ftp.cert.org/pub/cert_bulletins/VB-97.10.samba.

CERT also reports that users on machines that have rdist installed can use that facility to gain root privileges. Because rdist can be considered a security hole even when it has no bugs, you might want to disable it in your entire facility. Details on the bug are available from ftp://info.cert.org/pub/cert_advisories/CA-97.23.rdist.

Over the past month Sun has released a bunch of security-related patches. Below is a list of SPARC Solaris 2.5.1 patches. Many of these patches are also available for x86 Solaris and previous OS releases.

104650-02   SunOS 5.5.1: /usr/bin/rlogin patch
104533-03   OpenWindows 3.5.1: OLIT Jumbo Patch
104976-03   OpenWindows 3.5.1: Calendar Manager patch
105092-01   SunOS 5.5.1: usr/sbin/sysdef patch
105478-02   FireWall-1 3.0b Sparc: Upgrade/Jumbo (VPN)
At last count there were 43 security patches against SPARC Solaris 2.5.1. There are already two against Solaris 2.6. If you haven't visited the Sun security patch list page recently, there's no better time than the present. Here's a pointer: http://sunsolve.sun.com/pub-cgi/us/pubpatchpage.pl.

The Toolbox
ISS has released version 5 of its top-notch security scanner. V 5 includes checks for ever more Unix and NT security holes. Details are available from ISS.

Next month
Next month's column will feature a report on the happenings at the Network Security '97 and LISA '97 conferences.


About the author
[Peter Galvin's photo] Peter Galvin is chief technologist for Corporate Technologies, Inc., a systems integrator and VAR. He is also adjunct system planner for the Computer Science Department at Brown University, a member of the board of directors of the Sun User Group, and has been program chair for the past four SUG/SunWorld conferences. As a consultant and trainer, he has given talks and tutorials world-wide on the topics of system administration and security. He has written articles for Byte and Advanced Systems (SunWorld) magazines, and the Superuser newsletter. Peter is coauthor of the best-selling Operating Systems Concepts textbook. Reach Peter at peter.galvin@sunworld.com.


[(c) Copyright  Web Publishing Inc., and IDG Communication company]

URL: http://www.sunworld.com/swol-11-1997/swol-11-security.html