In: Categories » Computers and technology » Linux » Security Considerations in Choosing a UNIX Distribution
|
Consider the following key security factors when selecting a UNIX distribution: · Understand the intended use of the system. What threats must the system defend against? Consider physical, human, and technological threats. · Gauge the technical security competence and awareness of the primary administrator(s). Distributions that are a significant departure from local technical security expertise should be considered a higher risk (unless technical security training will be provided). Vendor-provided security training classes tend to be weak. The SANS Institute run good introductory courses. In 1997, the CERT coordination center produced a "Report to the President's Commission on Critical Infrastructure Protection." Security awareness and user/administrator security training were key points. · Learn about the vendor's approach to handling reported security vulnerabilities. Do they even acknowledge that vulnerabilities occur in their distribution? Do they have a clearly documented process for handling reports from outside? Do they watch Bugtraq for reports of security problems in their software? Do they provide e-mail addresses for reporting new security problems? · Assess the vendor's response time when fixing security vulnerabilities. The SecurityFocus vulnerability database is useful for comparing the public announcement date and vendor fix dates. · Consider the maturity and stability of built-in security tools and interface. Weak areas tend to be C2 audit log management and analysis, mixed coverage of daemon logging to syslog, and clunky security interfaces that can result in mistakes being made in security settings. · Do a gap analysis, comparing the native security features against your UNIX security policy. Consider the availability, cost, and installation overhead of third- party/open source tools required to plug the gap. · Estimate the time it will take to lock down a virgin install of the distribution to comply with your policy. Calculate the cost of the administrator's time and possible delays on projects. This is the cost of buying distributions that are not secure by default. Ask the vendor to provide you with smart ways to lower this cost. · Visit the vendor support site. How long does it take to find the security alerts/bulletins and security patches? Read a couple of security bulletins. Do they make sense? Do they tell you enough about the problem to figure out whether you would need the patch? Compare a security bulletin with the original announcement made on Bugtraq. Does the vendor's assessment of the problem tally with the original report? · Assess the ease of security patching. Are stable tools available to easily identify missing patches? Are these kept up to date? Can patch installation be reliably automated for server farms? Are MD5 hashes available to validate patch integrity? Bear in mind the SANS finding that failing to update systems when security holes are found is the third major security mistake. · Check the release versions of any bundled third-party software (for example, sendmail, bind, or wu-ftpd). Make sure they are current or that the vendor has backported fixes for security problems.
|
legal disclaimer
1) Our website is not responsible for the information contained by this article as well for any and all copyright infringements by authors and writers. E-articles is a free information resource. If you suspect this article for any copyright infringements, please read the Terms of service and contact us to investigate the problem.
2) The E-articles directory team is not responsible for inaccuracies, falsehoods, or any other types of misinformation this tutorial may contain and will not be liable for any loss or damage suffered by a user through the user's reliance on the information gained here. Please read the Terms of service
Useful tools and features
If you like this article (tutorial), please link to it from your web page using the information above. Linking to this page, this is the only way to help us improve our service, the same time providing your visitors with a way to improve their online experience.
related articles
Problem: Automated scripts and file transfers cannot decrypt password-protected public keys. It is possible to use public key authentication to automatically transfer files from one machine to another. While this is usually not recommended, it may be desirable for batch scripts. However, this involves setting a blank passphrase which clearly leads to some risks. Therefore this mechanism should only be used for a one-way connection between two specific, non-privileged user IDs on different hosts. STEP1: Decide wh...
2. Install OpenSSH to Replace the Remote Access Protocols with Encrypted Versions
Problem: The common UNIX remote access protocols - telnet, FTP and the Berkeley r-commands -- are unencrypted. Account and password information can easily be sniffed by unauthorized intruders and others who have been granted access to the same network. OpenSSH can be used to encrypt all remote sessions, thereby eliminating this vulnerability. OpenSSH is free and runs on virtually all of the different UNIX and Linux variants. Zlib, a compression library and OpenSSL, the secure sockets layer software, are required by Op...
3. Port Forwarding with SSH
Problem: Since many programs use services that send clear-text data over the network, it is desirable to find something that can be used to encrypt the network traffic for these services while minimizing any change to end users. SSH provides this functionality with port forwarding. Port forwarding allows a user to create an encrypted session from a client to a remote server for any TCP-based service by tunneling the service through SSH. Of course, this requires that the user have an account on the remote server and tha...
4. How to use PuTTY Passphrase Agents
STEP1: Use Pageant to store your private keys in memory To make public key authentication more convenient, the developers of PuTTY created Pageant. Pageant is a program included with PuTTY that will keep your decrypted private keys in memory so you only have to enter your passphrase once rather than every time you authenticate to a server using public key authentication. While this will make your day-to-day use more convenient, please keep in mind that it also poses a slight risk, since other applications (inc...
One method to transfer files from the Windows command line is to use PSFTP. PSFTP creates an interactive SFTP file transfer session where you can use many of the commands available within a normal FTP session. Since PSFTP uses the SFTP protocol, which is only available with servers running protocol SSHv2, you may not be able to run it on every server. PSFTP is run from the command line and provides numerous options. To see the options available run PSFTP with the –h option: ...
6. Using Plink to initiate an SSH session from the command line or a script
Using PuTTY from the command line will create an SSH interactive session. This may not be what we want if for example we need to remain at the Windows command line or we want to issue an SSH command from within a script. In order to satisfy these types of needs, PuTTY provides a tool called Plink. Plink is a command line tool that will allow you to log in to a remote machine using SSH and either create an SSH session or execute a command, all from the command line and without opening another window. Plink comes with many comma...
7. How to Generate a Key Pair Using OpenSSH
Problem: How can a key-pair be created in OpenSSH?STEP1: Generating your public/private key-pairThe ssh-keygen command is utilized to generate your public and private keys. OpenSSH provides authentication methods via a choice of three public key "cryptosystems": RSA1, RSA, and DSA. RSA1 works with SSHv1 while RSA and DSA are for SSHv2. RSA and DSA use different techniques for authenticating and have different capabilities, but for purposes of this guide, either will suffice.To create a key-pair, r...
8. Transfer files from the command line with PSCP
A second method to transfer files from a Windows command line prompt is to use PSCP. Unlike PSFTP, PSCP is not interactive and is designed to transfer files "in one shot" and then exit, much like OpenSSH's scp command. PSCP also allows you to specify wildcards within filenames (PSFTP does not). Additionally, PSCP will work with any SSH server as it is not dependent on SSHv2 being present. Note PSCP will blindly copy files to the remote server, overwriting any files with the same name, without prompting for veri...
9. Create an SSH session from the command line using PuTTY
There are multiple ways to create an SSH session from the command line using PuTTY. The first way involves using the PuTTY program itself. PuTTY comes with a number of options that can be used to invoke the graphical PuTTY terminal from the command line. A description of these options is available within the PuTTY help file. To run PuTTY from the command line: Note ...