Chapter 12. Securing TCP and UDP Services
Connecting a Unix computer to the Internet is not an action that
should be taken lightly. Although the TCP/IP protocol suite and the
Unix operating system themselves have few inherent security problems,
many security flaws have been found with their specific
implementations and distributions. Before you place a Unix computer
on the Internet, you must make certain that no security problems have
been reported with the specific software release that you intend to
use. Otherwise, you may find that your machine is identified, broken
into, and compromised before you even have a chance to download the
latest software patch!
Generally speaking, there are two
ways to ensure the security of a Unix system that you intend to place
on the Internet:
You can install the latest release of your vendor's
operating system onto a freshly formatted hard drive on a clean
computer. Then, using a second computer, go to the
vendor's web site and download any software patches,
fixes or updates. Copy those updates from the second computer to your
new machine, install the updates, and then place your new computer on
the Internet. Once the computer is on the Internet, be vigilant: get
on all of the mailing lists for software updates, be on the lookout
for security flaws, and install the patches as quickly as humanly
possible (see Chapter 17 for more details about
this process).
Alternatively, you can get an old computer that uses an operating
system and a hardware architecture that is not widely used. Install
your operating system on this hardware. Search the Web and
security-related mailing lists to see if any security problems have
been reported with the specific combination of hardware and software
that you intend to use. If you can find no reports of flaws, you are
probably safe.
You can combine these two approaches if you wish. For example, you
could purchase a SPARC-based computer, but instead of running
Sun's Solaris, run a copy of OpenBSD. There are few
known exploits for the OpenBSD operating system; if new exploits are
discovered, it is likely that they will be developed for OpenBSD
running on Intel, rather than OpenBSD running on SPARC-based systems.
(Note, however, that using an unusual combination of software and
hardware does not relieve you of the need to watch for security
vulnerability announcements and to apply patches as necessary.
Furthermore, using unusual systems may make you vulnerable to
exploits that have simply not been addressed on your system because
nobody has gotten around to them yet.)
No matter what underlying hardware and software you decide upon, you
need to understand the specific services that your Unix-based
computer is making available to the Internet. There are literally
thousands of network servers available for hundreds of Internet
protocols that run on Unix systems. Each of these servers has its own
security issues. While this chapter cannot discuss them all, it does
introduce the most popular ones, explore their security issues, and
give you a framework for understanding other servers that we do not
mention.
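The first step in understanding which services a host offers to the Internet is to inventory what is actually listening and compare it with what the machine is supposed to offer. The following script is an added example, not code from the book: it parses output in the format produced by `ss -tulnp` (a constructed sample is embedded so it runs offline), ignores sockets bound only to the loopback interface, and reports any network-reachable TCP or UDP listener that is not on an expected-services allowlist. The allowlist contents and the process names in the sample are assumptions for the example.

```python
"""Inventory network-reachable TCP/UDP listeners and flag any not on an allowlist.

Added example (not from the book). Parses `ss -tulnp`-style output; the
sample below is constructed for the example and not captured from a real host.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `ss -tulnp` output (assumed process names and PIDs).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*          users:(("dhclient",pid=412,fd=6))
udp   UNCONN 0      0      127.0.0.1:323      0.0.0.0:*          users:(("chronyd",pid=501,fd=5))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*          users:(("sshd",pid=611,fd=3))
tcp   LISTEN 0      128    127.0.0.1:25       0.0.0.0:*          users:(("sendmail",pid=702,fd=4))
tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*          users:(("httpd",pid=803,fd=4))
tcp   LISTEN 0      128    0.0.0.0:6000       0.0.0.0:*          users:(("Xorg",pid=910,fd=7))
tcp   LISTEN 0      128    [::]:22            [::]:*             users:(("sshd",pid=611,fd=4))
"""

# Services this host is meant to expose, as (protocol, port).  This set is an
# assumption for the example; derive it from the host's actual role.
EXPECTED_SERVICES = {("tcp", 22), ("tcp", 80)}

# Sockets bound only to these addresses cannot be reached from the network.
LOOPBACK = {"127.0.0.1", "::1"}

# Extracts the process name from ss's users:(("name",pid=...,fd=...)) column.
_PROC_RE = re.compile(r'\(\("([^"]+)"')


@dataclass(frozen=True)
class Listener:
    proto: str     # "tcp" or "udp"
    addr: str      # local bind address, IPv6 brackets removed
    port: int
    process: str   # "?" when ss could not report the owning process


def parse_ss(text: str) -> list[Listener]:
    """Parse `ss -tulnp` style output into Listener records, skipping the header."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "udp"):
            continue  # header line or unrelated socket type
        addr, port = fields[4].rsplit(":", 1)
        if not port.isdigit():
            continue  # wildcard port; not a listening service
        match = _PROC_RE.search(line)
        listeners.append(Listener(fields[0], addr.strip("[]"), int(port),
                                  match.group(1) if match else "?"))
    return listeners


def is_exposed(listener: Listener) -> bool:
    """True if the socket is bound to something other than a loopback address."""
    return listener.addr not in LOOPBACK


def unexpected_services(listeners: list[Listener],
                        expected=EXPECTED_SERVICES) -> list[Listener]:
    """Return network-reachable listeners whose (proto, port) is not allowlisted."""
    return [l for l in listeners
            if is_exposed(l) and (l.proto, l.port) not in expected]


if __name__ == "__main__":
    # On a live host, feed the real output of `ss -tulnp` in place of the sample.
    for l in unexpected_services(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"unexpected {l.proto}/{l.port} bound to {l.addr} ({l.process})")
```

On the sample above the script reports the DHCP client listening on udp/68 and the X server on tcp/6000 as unexpected, while the loopback-only sendmail and chronyd sockets are left alone. Reviewing each flagged entry, deciding whether the service belongs on the host at all, and either removing it or binding it to loopback is exactly the per-service work the rest of this chapter walks through.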
For additional information on Unix
Internet servers and their security issues, we especially recommend
the following books:
Web Security, Privacy and Commerce, by Simson
Garfinkel with Gene Spafford (O'Reilly, 2001).
Building Internet Firewalls, by Elizabeth D.
Zwicky, Simon Cooper, and D. Brent Chapman
(O'Reilly, 2000).
DNS and BIND, by Paul Albitz and Cricket Liu
(O'Reilly, 2001).
Sendmail, by Bryan Costales with Eric Allman
(O'Reilly, 2002).
Unix Network Programming, by W. Richard Stevens
(Prentice Hall, 1998).
Other references are listed in Appendix C.