Disclaimer: I’m not a security professional; I’m just a user telling you what I’m doing to make myself feel happier. If your income depends on good network security, talk to an authority on the subject.

Since getting the wireless access point at home, I’ve been starting to feel increasing amounts of dread and fear about having a local ethernet that’s easily crackable. Yes, I’m using 128-bit WEP keys and MAC address filtering, I don’t broadcast my wireless SSID and I change it from time to time, but that still isn’t making me feel much better (though maybe that’s just perfectly normal paranoia; everybody in the universe has that).

The computer-security-specific paranoia probably started a few years ago, after reading the O’Reilly Practical Unix & Internet Security book (while on holidays in Portugal; my copy is somewhat battered and full of sand as a result). I decided to get my act together a little bit, and stop using telnet, rlogin and friends. Of course, the muscle memory I’d built up over the years made this a tricky task: I’d naturally type ‘telnet blah’ and blast in my username and password before even thinking about what I’d done. Not good. So, here’s something I used instead, and you might want to give it a go: drop it in a ~/bin directory that sits before /usr/bin in your PATH (though that itself is perhaps a security risk, since anything that can write to ~/bin can now replace your commands).

timf@cuprum[2] ls -o | grep insecure
2 lrwxrwxrwx   1 timf          27 Feb 15  2004 ftp -> insecure-warning-wrapper.sh*
2 -rwxr-xr-x   1 timf         235 Apr 14  2004 insecure-warning-wrapper.sh*
2 lrwxrwxrwx   1 timf          27 Feb 15  2004 rlogin -> insecure-warning-wrapper.sh*
2 lrwxrwxrwx   1 timf          27 Feb 15  2004 telnet -> insecure-warning-wrapper.sh*
timf@cuprum[3] cat insecure-warning-wrapper.sh
#!/bin/sh
# Installed in ~/bin as ftp, rlogin and telnet (symlinks); $0 says which one was typed.
cmd=`basename "$0"`
echo ----------------------------------------------------
echo 'WARNING !'
echo "$cmd is insecure : do you really want to do this ?"
echo -----------------------------------------------------
# "$@" keeps arguments containing spaces intact; exec hands over to the real
# binary instead of leaving this wrapper hanging around as a parent process.
exec "/usr/bin/$cmd" "$@"

So, every time I tried to use one of these commands I’d get a warning, but the system would still let me run the command if I wanted to. This was enough of a reminder to get me to switch to ssh, sftp and scp instead. Round one to Tim! Now I suspect you could become more restrictive still, either by blocking outgoing connections to those ports (21, 23 and 513) at the firewall, or by using the Role Based Access Control features of Solaris (they’re in the main release these days, not just in Trusted Solaris) to prevent users from running these commands in the first place, but I’m getting ahead of myself here (see Disclaimer).

So, I’m now at least using moderately secure applications on the home network. I get my email via IMAPS, I tunnel VNC over ssh, and web browsing, well, I haven’t had my credit card ripped off in ages. The next step was to firewall the local machines. Internet-wise, they’re all behind an ADSL modem running NAT, so I’m relatively safe there, I think: I let through SSH connections to my mac here, but that’s the only open port. It’s been said that the most secure computer is one that’s in a locked room with the power switch set to ‘off’. Failing that, I think I’ve got the next best thing: I leave the mac in ‘Sleep’ mode, so in order to connect to it remotely I need to wake it up. I use the wake-on-modem-ring setting and just give the home phone here a quick call when I need to connect to my home network (nifty!).

I’d had a firewall running on the mac for a while: ipfw is built into OS X, and with the addition of Brickhouse it’s very easy to configure. It turns out that Solaris 10 also has a built-in firewall, a different one, IP Filter, and it’s just as easy to configure. I haven’t seen a GUI yet, but the rules are very straightforward: each rule says pass or block, in or out, on which interface, for which protocol and addresses, and “quick” makes a match final instead of letting a later rule override it (otherwise the last matching rule wins). As always, the instructions at docs.sun.com are terrific. It might be worthwhile reading the IP Filter HowTo as well; it’s a good introduction to the topic, and an entertaining read to boot.
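Pulling together the “block outgoing connections to those ports” idea from the wrapper section and the IP Filter rules mentioned here, the following is an added example, not the post’s own configuration: a Solaris 10 ipf.conf for a home machine, a small sanity check, and the commands that load it. The interface name (bge0), the LAN prefix (192.168.1.0/24), the output path and the policy that only ssh is reachable from the LAN are all assumptions.

```shell
#!/bin/sh
# Added example (not the post's own configuration): an IP Filter ruleset for a
# Solaris 10 home machine, plus the commands that load it. The interface (bge0),
# the LAN prefix (192.168.1.0/24) and the output path are assumptions.

IF=${IF:-bge0}
LAN=${LAN:-192.168.1.0/24}

# Write the ruleset to the file named in $1. IP Filter applies the LAST matching
# rule unless a rule says "quick", so every rule here is quick and the list runs
# from the most specific rule down to the final catch-all.
write_ipf_rules() {
    cat > "$1" <<EOF
# Loopback is trusted.
pass in quick on lo0 all
pass out quick on lo0 all

# Outbound: refuse the cleartext protocols the wrapper script only warns about
# (ftp control 21, telnet 23, rlogin 513), log the attempt, then let everything
# else out with state so replies come back without separate inbound rules.
block out log quick on $IF proto tcp from any to any port = 21
block out log quick on $IF proto tcp from any to any port = 23
block out log quick on $IF proto tcp from any to any port = 513
pass out quick on $IF proto tcp from any to any flags S keep state
pass out quick on $IF proto udp from any to any keep state
pass out quick on $IF proto icmp from any to any keep state

# Inbound: only new ssh sessions, and only from the local segment (the ADSL
# router NATs port 22 from outside; narrow the source further if it need not).
pass in quick on $IF proto tcp from $LAN to any port = 22 flags S keep state

# Everything else arriving on the wire is dropped and logged.
block in log quick on $IF all
EOF
}

# Count the active (non-comment, non-blank) rules in a ruleset file, so a
# truncated or empty file is noticed before it is loaded.
count_rules() {
    grep -c -v -e '^#' -e '^$' "$1"
}

# Solaris 10, as root (not executed here): install, enable and load the rules,
# then show what the kernel actually holds.
apply_ipf_rules() {
    cp "$1" /etc/ipf/ipf.conf
    svcadm enable network/ipfilter
    ipf -Fa -f /etc/ipf/ipf.conf   # flush every rule, then load the file
    ipfstat -io                    # list the loaded in/out rules
}
```

The blocked outbound ports are logged, so ipmon will show the attempt the next time muscle memory types telnet. On Solaris 10 releases that still use the pfil STREAMS module, the interface also has to be listed in /etc/ipf/pfil.ap and the network/pfil service restarted before IP Filter sees any packets on it.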

From an application point of view, there were services running on my machines that I didn’t need. On Solaris 10 you can easily get a list of what’s there: svcs -a lists every service and its state, inetadm lists the ones started on demand by inetd, and svcadm enable/disable (or inetadm -e/-d for the inetd ones) switches them. With the new Service Management Facility there’s no need to monkey around in /etc/init.d, /etc/rc*.d or /etc/inet/inetd.conf any more (hurrah!)
If you want “out of the box” security, you might be interested in the new Reduced Networking Cluster that can be chosen as the software group during installation.
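As an added example (not the post’s own script), here is a small audit of the inetd-managed services: it reads inetadm’s output, keeps a short allowlist, and prints the inetadm -d commands for everything else that is enabled so the list can be reviewed before it is applied. The keep list and the sample inetadm output are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the post: audit inetd-managed SMF services on Solaris 10
# and turn off everything enabled that isn't on an explicit keep list.
# The keep list and the sample inetadm output below are constructed assumptions.

# What a home box might still want from inetd (FMRIs, space-separated).
KEEP='svc:/network/rpc/gss:default'

# Constructed sample of `inetadm` output (the real format is ENABLED STATE FMRI).
SAMPLE_INETADM='ENABLED   STATE          FMRI
disabled  disabled       svc:/application/x11/xfs:default
enabled   online         svc:/network/telnet:default
enabled   online         svc:/network/ftp:default
enabled   online         svc:/network/login:rlogin
disabled  disabled       svc:/network/shell:default
enabled   online         svc:/network/rpc/gss:default'

# Read inetadm output on stdin; print the enabled FMRIs that are not in $1.
unwanted_inetd_services() {
    awk -v keep="$1" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        $1 == "ENABLED" { next }                  # header line
        $1 == "enabled" && !($3 in ok) { print $3 }
    '
}

# Turn FMRIs into the inetadm commands that disable them. They are printed,
# not run, so the list can be read before anything changes.
disable_commands() {
    while read -r fmri; do
        printf 'inetadm -d %s\n' "$fmri"
    done
}

# Live audit (root). Review the output, then pipe it through sh to apply it.
audit_inetd() {
    inetadm | unwanted_inetd_services "$KEEP" | disable_commands
}

# Daemons that are not under inetd show up in svcs instead; the same idea
# works there, e.g.
#   svcs -a | awk '$1 == "online" && $3 ~ /finger|rstat|sendmail/ { print "svcadm disable", $3 }'
```

Against the sample above the audit proposes disabling telnet, ftp and rlogin and leaves the gss service alone; after running the commands, inetadm should show those three as disabled.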

Finally, I’m starting to wean myself off using su to become root whenever I need to alter a configuration. On the laptop, where I’m often switching network settings, I’ve created a ‘network_admin’ role with a rights profile that allows me to run ifconfig and the wireless NIC config scripts as uid 0, without needing the full power of the root user. I think that’s a step in the right direction as well.
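The role described above, as an added example rather than the post’s own setup: a rights profile whose exec_attr entries let a network_admin role run a handful of network commands as uid 0, a format check on those entries before they touch the live files, and the roleadd/usermod steps. The profile name, the role name, the user being given the role (timf) and the command list (including /usr/sbin/wificonfig as the wireless tool) are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own setup: a 'Network Admin (home)' rights profile
# and a network_admin role on Solaris 10. The profile name, role name, user name
# (timf) and the command list (/usr/sbin/wificonfig etc.) are assumptions.

PROFILE='Network Admin (home)'
ROLE=network_admin
USER_TO_ASSIGN=timf

# Commands the role may run as uid 0. exec_attr matches on the exact path the
# profile shell resolves, so these are absolute; /sbin/ifconfig is the real
# binary on Solaris 10.
ROLE_CMDS='/sbin/ifconfig /usr/sbin/wificonfig /usr/sbin/route'

# /etc/security/prof_attr line: name:res1:res2:description:attributes
prof_attr_entry() {
    printf '%s:::Configure network interfaces on the home LAN:help=RtHomeNetAdmin.html\n' "$PROFILE"
}

# /etc/security/exec_attr lines: name:policy:type:res1:res2:id:attributes
# (policy "suser" is the standard superuser policy on Solaris 10).
exec_attr_entries() {
    for cmd in $ROLE_CMDS; do
        printf '%s:suser:cmd:::%s:uid=0\n' "$PROFILE" "$cmd"
    done
}

# Sanity check before appending to the live database: every line on stdin must
# have exactly 7 colon-separated fields and an absolute path in field 6.
# Returns non-zero if any line is malformed.
check_exec_attr() {
    awk -F: '
        NF != 7 || $6 !~ /^\// { bad++ }
        END { exit (bad > 0) }
    '
}

# Root-only steps (not executed here): install the profile, create the role
# (roleadd gives it the profile shell pfsh), set its password, and let the
# ordinary user assume it with su.
install_role() {
    exec_attr_entries | check_exec_attr || { echo "malformed exec_attr entries" >&2; return 1; }
    prof_attr_entry   >> /etc/security/prof_attr
    exec_attr_entries >> /etc/security/exec_attr
    roleadd -m -d "/export/home/$ROLE" -P "$PROFILE" "$ROLE"
    passwd "$ROLE"
    usermod -R "$ROLE" "$USER_TO_ASSIGN"
    profiles -l "$ROLE"    # confirm exactly which commands the role can run
}
```

Day to day, `su network_admin` followed by something like `ifconfig pcwl0 dhcp start` runs ifconfig with uid 0 through the role’s profile shell, while everything not listed in the profile stays unprivileged; `profiles -l network_admin` is the quickest way to see that the list is no wider than intended.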

So, my laptop and the other Solaris machines on my home network are perhaps a little harder than they were at the beginning of the weekend. The question is, am I paranoid enough? :-)
