Should Sun be your security manager?
Sun's Security Manager Suite can add access control, centralized management, single sign-on, and auditing to your Suns and PCs. But should you let it?
Sun has released a suite of security management tools for intranets, desktops, and applications. These tools provide some much-needed security enhancements to servers and the PCs that communicate with them. This month's column features an overview of these products with information on their features and limitations to help you decide if they have a place in your organization.
Also this month: The Bookstore gives details on a new SANS pamphlet and a useful break-in planning and reporting document. Break-ins includes the SANS digest and AirTran. SAMBA and rdist are included in The Buglist, as well as several patches. And The Toolbox alerts you to the release of ISS V5. Also, see The Solaris Security FAQ for all your Solaris security information needs. (2,000 words)
The Security Manager suite was recently released by Sun. The release is a quiet one. I suspect that this is due to, well, limitations in Sun's marketing. The products actually are not new. They are Sun-enhanced versions of some of the DynaSoft BoKS product line. DynaSoft was recently acquired by Security Dynamics, assuring not only that the product line will continue growing but that it will also have strong ties to SecurID cryptocards and the other Security Dynamics products. Sun is participating in the development of new releases of the Solstice Security Manager product line, which will help tie it in with existing and new Solaris features.
The Solstice Security Manager product line consists of Solstice Security Manager (SSM), Solstice Security Manager for Intranets (SSMI), Solstice Security Manager for Desktops (SSMD), and Solstice Security Manager for Applications (SSMA). (Notice the retro naming. Sun is moving away from the "Solstice" label but hasn't made a clean break yet.) Together, these products aim to allow clients and servers to work together in a secure computing environment. Internets and intranets can carry the secure communications. And the security for the entire set of machines can be easily managed. Given the ubiquitous "80% of security problems are internal" studies, chances are that your company could benefit from increased internal security. Below, the product features are analyzed. Following that is a hands-on evaluation of how well the products match their promises.
The products, in a nutshell
SSM 4.3 provides access control and auditing for a single server. It allows the definition of access rights for users and user classes, and defines how the access is allowed (console, network, terminal, su, and secure single sign-on (SSSO)). SSSO provides an encrypted-password exchange that allows access to hosts and applications as allowed by access rules (see SSMI below). It also defines password parameters to force the use of "good" passwords and provides extensive security event auditing. It also includes a COPS-like integrity checker and inactivity monitoring. SSM can be used to manage user and host data and is nicely tied to existing facilities. For instance, if you define a host or a user, it easily updates system file, NIS, and even DNS databases. It will work with NIS+, but requires some integration work. SSM's best use is on standalone machines requiring an extra level of security. A Web server or mail server, for example, would benefit from the access control and auditing.
SSMI takes SSM's feature set and extends it for use throughout a facility or company. The SSM features can be centrally managed, with management delegation. For instance, facility managers may be given the ability to define access control rules for the machines under their control, while the corporate security folks would have access control, password management, and auditing control for the entire company. SSMI can best be used on all or a set of corporate servers. It increases security (assuming that you trust it) while decreasing security management load. SSMI is also the management platform for the SSMD and SSMA products and their SSSO session feature. Unfortunately, SSMI currently does not run on Solaris 2.6. In the 2.5.1 implementation, it replaces binaries such as xinit. SSMI currently does not play well with Kerberos. When the 2.6 version is released it will use the new PAM facility and leave the system binaries alone. Another limitation in the current release is support for cryptocards and other hardware-token-based authentication systems. This problem should be fixed in the next release.
SSMI and SSM are only available for Solaris from Sun, but there are plans to expand that. The BoKS product on which they are based is available for most major Unix platforms.
SSMD is a client-side expansion to SSMI. With it, PCs running Windows 3.x, 95, or NT can be secure players in the corporation. They have single sign-on to hosts and applications, boot protection, local file encryption, integrity checks, public key encryption and digital signature, system monitoring, and automatic screen locking. Some of these features are only available on some platforms. According to Sun, SSMD scales to "tens of thousands" of desktop users. Essentially, it implements virtual smart cards called personal security devices (PSDs). The PSDs are registered with SSMI, and the information is made available to SSMA, thus implementing SSSO. (Did anyone follow that?) There are five types of PSD: host, user, certificate authority, password encrypted, and desktop protection. Each PSD contains an X.509 certificate, signed by the certification authority (SSMI in this case). They work together to identify those entities to servers running SSMI. The user PSD contains the same information found on smart cards, including a certificate and private RSA key. It can be used for encrypted telnet, for instance. The same mechanism can be used by administrators for encrypted, authenticated remote administration of servers or desktops from the SSMI GUI. The desktop PSD is used for local encryption of files on a desktop.
SSMA provides secure single sign-on access to Oracle and Sybase applications. It sits on the application server and responds to connections from SSMD and SSMI. SSMA also supports SSSO to MVS applications using mainframe PassTickets, a built-in function in MVS. Also, single sign-on to Netware is supported, but it is not secure (non-encrypted exchange of PSD information).
When SSMI is combined with SSMD and SSMA, a user at a PC logs in once at boot time. The user is authenticated to any hosts and applications that they have access to, without the requirement of more passwords being entered.
How does single sign-on work?
The single sign-on is perhaps the most complicated part of the product line, so let's look at some more detail. The SSSO process for a given user includes these steps:
Because this suite is based on an established product, there are several features that make it robust and usable in large environments. For instance, it includes read-only replica servers that can provide information to any requester. These servers may not change the information though. They can function when the primary SSMI server is down. Also, there are U.S./Canada and global versions of the products. The global versions use weaker, 40-bit encryption to keep the Feds happy.
Taken together, these tools provide a means to implement your security policy. The policy should be the driving force in the decisions made on how, when, and whether to use these tools. Sun has made a nice security policy summary available if you need a head-start on creating a policy.
In my experience, the packages were easy to install and use. They performed as expected, with the overall effect of making the PCs a much more usable part of a facility.
Sun Security Manager stands up well when compared to other products, like SeOS. SeOS has more depth to it, including add-in kernel modules to prevent non-registered setuid programs from executing, for instance. However, SeOS is more complicated to implement and maintain. With better integration with smart card technology and Solaris, the SSM product line should find its way into many
For more information on Sun's security offerings, visit http://www.sun.com/security/, and http://www.sun.com/solstice/Networking-products/securitymgr.html. There is also a form available to request a copy of Sun's security brochure.
The Intranet SANS Institute and SANS have published a useful little pamphlet entitled "Twelve Mistakes to Avoid in Managing Security -- For the Web." It is based on the experiences of the U.S. Department of Justice -- lessons learned when its Web site was hacked. Among its list of mistakes are: distributing Web site authority, participating in networks in which some members are careless about security, and misconfiguring firewalls. Unfortunately, the coverage is short on details. Still, you might find this pamphlet useful as an awareness tool -- say, something to give to the boss or the CIO. E-mail email@example.com to get a copy.
John C. Smith, (not his real middle initial), a senior criminal investigator in the Computer Crime/High Technology Theft Unit of the Santa Clara County District Attorney's Office, has released a very useful paper on planning for and reporting computer crimes. John has seen it all, including many incidents that could not be prosecuted due to poor planning or reporting by the victim. Avoid these problems by reading his Reporting & Planning Guidelines for Industrial Espionage & Network Intrusions. It includes many "do's" and "don'ts," as well as sections of pertinent California legal code and checklists for preventing computer crime.
A break-in to the SANS security digest mailing-list server software caused more than a little embarrassment. The bogus mailing included nasty words and pictures. The security problem has been fixed, and the SANS detectives are busy trying to figure out who the culprit is. In spite of this foible, the digest is quite worth receiving (if I do say so myself). The real digest is available at http://www.sans.org/nwstoc.htm.
You have to feel at least a little sorry for ValuJet. Just six days after starting business again, this time as AirTran, its site was hacked and filled with references to their crash. 2600 has copies of this and other hacked pages.
CERT has released an advisory about SAMBA and a bug that's being thoroughly exploited over the Internet. It allows remote users to gain root access to SAMBA servers. Details are available from ftp://ftp.cert.org/pub/cert_bulletins/VB-97.10.samba.
CERT also reports that users on machines that have rdist can use that facility to gain root privileges. Because even a bug-free rdist can be considered a security hole, you might want to disable it in your entire facility. Details on the bug are
Over the past month Sun has released a bunch of security-related patches. Below is a list of SPARC Solaris 2.5.1 patches. Many of these patches are also available for x86 Solaris and previous OS releases.
104650-02 SunOS 5.5.1: /usr/bin/rlogin patch
104533-03 OpenWindows 3.5.1: OLIT Jumbo Patch
104976-03 OpenWindows 3.5.1: Calendar Manager patch
105092-01 SunOS 5.5.1: usr/sbin/sysdef patch
105478-02 FireWall-1 3.0b Sparc: Upgrade/Jumbo (VPN)
At last count there were 43 security patches against SPARC Solaris 2.5.1. There are already two against Solaris 2.6. If you haven't visited the Sun security patch list page recently, there's no better time than the present. Here's a pointer: http://sunsolve.sun.com/pub-cgi/us/pubpatchpage.pl.
ISS has released version 5 of its top-notch security scanner. V 5 includes checks for ever more Unix and NT security holes. Details are available from ISS.
Next month's column will feature a report on the happenings at the Network Security '97 and LISA '97 conferences.
About the author
Peter Galvin is chief technologist for Corporate Technologies, Inc., a systems integrator and VAR. He is also adjunct system planner for the Computer Science Department at Brown University, a member of the board of directors of the Sun User Group, and has been program chair for the past four SUG/SunWorld conferences. As a consultant and trainer, he has given talks and tutorials world-wide on the topics of system administration and security. He has written articles for Byte and Advanced Systems (SunWorld) magazines, and the Superuser newsletter. Peter is coauthor of the best-selling Operating Systems Concepts textbook. Reach Peter at firstname.lastname@example.org.