Securing a Solaris Server - Overview
Before going any further, I think I should describe what I mean when I say that a system needs to be secured, and why it needs to be done.
When we secure a server, we take measures to ensure that only people with a legitimate reason to be on the computer can actually access it. We also make sure that each user who does have access can reach only their own information, and has the ability to allow, or restrict, access to it for others.
We secure servers to keep one user's information from being improperly available to another, and to ensure that disk space, network bandwidth and CPU time remain available to the users they were intended for.
There are three general classes of people that we are securing the server against. The one thing people in all of these classes have in common is that they are criminals.
An extreme version of this type of person might modify the data on your server. This might be done to discredit a person or organization, or to cause incorrect/invalid results or conclusions.
These people are separate and distinct from the commonly found web page defacers and vandals, due to their motivation. The motivation of this group is usually either money or revenge. This motivation tends to create a determination that is not normally found in the other groups.
The goal here is either to put enough security doors in the intruder's way that they give up and move on, or to have them run into a door that they do not know how to get through. From the security standpoint, either outcome can be considered a win, or at least a draw.
This concept should also be applied to the physical security of a server, and will be discussed in greater depth in the section on System Hardware Configuration.
This concept is why large organizations have dedicated name servers, NFS servers, web servers, time servers, etc.: a compromise of one service does not hand the intruder every other service as well.
The purpose of an intrusion detection system is to inform a system administrator when a possible intrusion has occurred. On a host, this detection is often done by recording cryptographic fingerprints (checksums) of critical system files and comparing the current files against that recorded baseline.
The purpose of a centralized configuration management system is to ensure that each system has the correct configuration at all times. The system should report when a discrepancy is found.
If you wish to run both of these tools, the intrusion detection system should finish running before the centralized configuration management system starts, so that the intrusion detection system can properly identify any changes that may have been made. Run in the other order, the configuration management system would silently restore the correct configuration and the evidence of the intruder's changes would be gone before anyone was told about it.
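As an added illustration of the file-fingerprint approach described above (example code written for this page, not a tool from the original text or from Sun), the following Python script records a baseline of SHA-256 hashes plus the permission bits, owner and group of a watch list of files, and later reports which files were modified, which disappeared, and which appeared. The watched paths, the sample file contents and the simulated intrusion are all constructed for the demonstration inside a temporary directory; the comments name the real Solaris files such a list would normally contain.

```python
import hashlib
import json
import os
import stat
import tempfile

# Hypothetical watch list. On a real Solaris host it would name files such as
# /etc/passwd, /etc/shadow, /etc/inet/inetd.conf and the binaries under /usr/sbin.


def fingerprint(path):
    """Describe one file: SHA-256 of its contents plus the metadata an intruder
    commonly tampers with (permission bits, owner, group, size)."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }


def build_baseline(paths):
    """Fingerprint every watched path that currently exists."""
    return {p: fingerprint(p) for p in paths if os.path.lexists(p)}


def save_baseline(baseline, dest):
    with open(dest, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(src):
    with open(src) as fh:
        return json.load(fh)


def check(baseline, paths):
    """Compare the live files against a saved baseline.
    Returns lists of modified, missing and newly appeared paths."""
    current = build_baseline(paths)
    report = {"modified": [], "missing": [], "new": []}
    for path, recorded in baseline.items():
        if path not in current:
            report["missing"].append(path)
        elif current[path] != recorded:
            report["modified"].append(path)
    report["new"] = [p for p in current if p not in baseline]
    return report


def demo():
    """Constructed scenario in a temporary directory (not a real system):
    take a baseline, then simulate an intruder who adds a second uid-0 account,
    deletes inetd.conf and drops a new file. Returns basenames per category."""
    workdir = tempfile.mkdtemp()
    passwd = os.path.join(workdir, "passwd")
    inetd_conf = os.path.join(workdir, "inetd.conf")
    rogue = os.path.join(workdir, "rogue.so")
    with open(passwd, "w") as fh:
        fh.write("root:x:0:0:Super-User:/:/sbin/sh\n")
    with open(inetd_conf, "w") as fh:
        fh.write("#telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd\n")
    watched = [passwd, inetd_conf, rogue]

    baseline_file = os.path.join(workdir, "baseline.json")
    save_baseline(build_baseline(watched), baseline_file)

    # Simulated intrusion: an extra root account, a removed config file, a new file.
    with open(passwd, "a") as fh:
        fh.write("toor:x:0:0::/:/sbin/sh\n")
    os.unlink(inetd_conf)
    with open(rogue, "w") as fh:
        fh.write("not really a shared object\n")

    report = check(load_baseline(baseline_file), watched)
    return {k: sorted(os.path.basename(p) for p in v) for k, v in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two practical points follow from this. The baseline file is only as trustworthy as its storage: an intruder who has root can rewrite a baseline kept on the same disk, so keep it on read-only or removable media, or on a separate host, and re-sign or re-copy it only after deliberate administrative changes. And, as noted above, run the check before any configuration management pass, since that pass would otherwise erase exactly the differences the check exists to report.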
Also, there are several security oriented E-mail lists, whose purpose is to keep administrators informed about current security issues. Among these are CERT, Bugtraq (from SecurityFocus) and SANS. URLs for these organizations may be found in the section on Sources of Tools.
It should be noted that this security philosophy only serves to muddle the playing field. It is not sufficient on its own, without the support of the other security philosophies described here. The Code Red worm is an example of why this philosophy is inadequate on its own: it did not look at or ask about its target, it simply attacked every host it reached.
These messages are not very useful against intrusion, but they may improve your legal position, if an intrusion occurs.
If you have any comments or suggestions, please E-mail firstname.lastname@example.org
© 2004 - Ashford Computer Consulting Service