Securing your host
The purpose of this document is to provide a compiled list of helpful resources, starting guidelines, and address frequent issues with regard to properly maintaining a secure hosts that are connected to the Internet. Failing to properly configure software and hardware packages or keep up with security issues and their fixes can result in a number of problems including -- but not limited to -- exploitation of root access, installation of back doors, installation of trojan horses, mail worm propagation, and mail relay exploitation.
The University's Information Technology Security Policy must be reviewed and upheld by owners, custodians, and users of hosts accessing University IT resources. This and other policies, with related system administration "best practices", may be found at the ISO web site.
When you install the operating system
When you first install the operating system on a host, there are a few things that need to be done as a first step to securing your host. This will often consist of turning off remote services that are unnecessary and/or problematic and making sure all installed packages are up-to-date and configured properly.
Turning off services: It is a good idea to turn off or never install support for any services which are not necessary for your operations. Some such services might be telnet, ftp, http, and finger. Some remote services are notorious for having security holes and some are inherently insecure, such as telnet and ftp neither of which are encrypted on transmission. (See Data protocols and "secure" replacements for preferable replacements for common remote services)
Making sure software is up-to-date immediately: When installing the operating system on a host, it is also good practice to make sure all software packages are up-to-date. This is particularly important if you have installed the operating system from removable media rather than installing over the network from a distribution mirror.
Properly Configure Installed Software. For software that you opt to install on your host, make sure that they are properly configured such that arbitrary users or hosts cannot gain access to your host or data contained therein. Software you install will often have good documentation addressing this subject.
The following are helpful resources for some popular operating systems.
- For Windows:
- For Debian Linux:
- For Red Hat Linux:
- For MacOSX:
- For Solaris:
Even after a host has been secured at install, there is more to do to keep it secure through its use. Over the lifetime of hardware and software, there will inevitably be general bug and security patches as well as new viruses and mail worms. It is important that you continue to address security through the lifetime of a given host.
To start off, it is imperative that you keep informed of new bugs, security holes, viruses, and mail worms. Following that, you must act on that information to retain security for your hosts. Some of these lists are high-volume.
In order to keep informed, there are a number of resources you can turn to including:
- All administrators of hosts on CSRES are required to join the csres-admin mailing list. There is also the csres-security list where anyone can participate and discuss security maintenance with your peers. Send mail to email@example.com to be added to that list.
- Subscribe to some helpful mailing lists hosted by SecurityFocus. Such mailing lists include BugTraq, security-basics, and focus-sun.
- The CERT Advisory Mailing List: list for computer-related security problems and issues.
- Center for Internet Security
- NTBugtraq: specifically for security bugs in Windows NT, Windows 2000, and Windows XP
- Solaris Security Bulletin Archive
- PatchPro: Useful for determining what patches need to be applied to your host running Solaris.
- Apple Security Updates: A page outlining security updates for Apple products, including MacOSX.
- debian-security-announce: list for security announcements for Debian Linux.
- Redhat-watch-list: Announcement list for security and bug fixes specifically for Red Hat Linux
- Patch Club Report for Solaris: A weekly summary of all new and updated patch.
- Security Update List for Windows XP hosted at Windows & .NET Magazine. Send a message with "subscribe" in the body of the mail.
These mailing lists and sites are just a few of the ways you can get information on discovered security holes and how to patch them.
Software firewalls can provide additional security benefits to a system. They specify a series of rules for allowing or disallowing in-bound and out-bound network connections.
What they can do
Software firewalls can improve the security of network clients and services running on a computer. While an unnecessary service should be disabled, some services may need to be available to some other computers, but not the internet at large. Software firewalls can allow you to specify rules to control access to network services running on your computer -- for instance, you may specify that file-sharing services on your computer be made available to computers on your local network, but not to outside connections from the internet.
Some software firewalls can also control outgoing network connections. This can allow you to control what programs have access to your local network, or to the internet. If you do not fully trust the behavior of the software on your computer, a software firewall can prevent that software from accessing the internet without your knowledge or approval.
Some operating systems have firewall capabilities built-in, and most have additional firewall software available.
While most software firewalls control access based on the network port (e.g. the port for the file-sharing service is available only to the local network, while another service is available to the entire internet), some firewalls control access based on application -- one software program may be allowed to start a service available to the internet, a second may only be able to be seen on the local network, and a third may not have the ability to start such a service. The program ZoneAlarm for Windows is a popular choice for such an application-based firewall, and it controls outbound as well as in-bound connections. ZoneAlarm is available as part of BevoWare.
What they can't do
Software firewalls do not provide total security -- they are only part of an overall security strategy. For example, a software firewall will not prevent you from accessing the internet through your web browser (which would typically be granted access to the internet) and downloading a malicious piece of software, such as a trojan horse. In that case, the solution would be to use common sense (don't download questionable software from the internet) and the use of a virus scanner (as they will detect many common trojan horses).
Software firewalls like Zone Alarm that control access per application rather than per port may be subverted by malicious downloaded software, that may be able to cause your internet browser to access the internet on its behalf. There is no replacement for common sense and caution when it comes to downloading software online.
Another possible weakness with software firewalls is that they are simply software; if the operating system has weak (or no) security, then the firewall software may be removed or bypassed by a malicious program, just like any other software. Software firewalls should be configured to be altered or disabled only by an administrative user account, not the account that is used for day-to-day web browsing.
Like other software packages, make sure your software firewall is up-to-date.
A hardware firewall is a physical device designed to filter and restrict network access between a computer (or a network of computers) and the internet. It can be used in addition to a software firewall, but provides many of the same functions.
Some examples of hardware firewalls
Some hardware firewalls are purely firewalls; they provide no functions other than filtering network traffic to and from a local computer or network. These are generally very configurable, but can be expensive.
A more common solution is a NAT Router, a hardware device that provides Network Address Translation for the purpose of allowing multiple computers to share a single external IP address. These are typically marketed as tools for sharing a broadband internet connection across a household of computers. A side effect of NAT routing is that all in-bound connections are by default blocked. This doesn't disallow all in-bound communications; just any that originate with an external computer. Unless configured otherwise, NAT routers make any network services (file sharing, web sharing, etc.) on their internal network invisible to the internet at large. Many people use NAT routers as hardware firewalls -- while not as configurable as a pure firewall device, their default configuration more closely fits the needs of most internet users.
Hardware firewalls and/or NAT routers are available from every major network hardware vendor. NAT routers typically cost from $50-$150, and often contain built-in switches (to allow multiple client computers to connect to them directly) and can contain wireless access points as well.
What they can do
Hardware firewalls can provide network security for a number of computers simultaneously, and can provide firewalling that local software cannot bypass. They can be a very effective solution for allowing you to have a computer (or network of computers) with nearly seamless internet access, while keeping your network services restricted to the private network. They can also protect your private network from a number of types of network attacks.
What they can't do
Hardware firewalls cannot control access on a per-application basis, only a per-port basis. NAT routers are not compatible with all network protocols, and may require some network client software to be further configured to work.
As with software firewalls, hardware firewalls are not a complete solution. You must still keep your local software up-to-date and use care in configuring your operating system and software.
Like software packages, make sure the firmware is up-to-date
While hardware firewalls act like an appliance, they still require maintenance. They have built-in software (firmware) that can be updated to correct bugs and vulnerabilities. Check with your hardware firewall vendor periodically for firmware updates to keep them secure and reliable.
Resources for Security Information for Some Common Software Packages
- Apache Week, Apache Security
- Apache HTTP Server Mailing Lists
- Apache HTTP Server Security Tips for Version 1.3
- Apache HTTP Server Security Tips for Version 2.0
Some more "secure" data protocols
|telnet||ssh (version 2)|
Anything else... (Disclaimer!)
What has been illustrated in this document is a good starting point for maintaining security on your hosts, however, it does not cover all bases. There will be other means of updating and keeping informed of other operating systems and software packages. It is your responsibility to keep up with the software that is installed on the hosts which you administer. The University ISO has and will exercise the authority to remove from service any host which poses a risk or imminent threat of harm to The University's IT resources, and to hold the owner(s) and custodian(s) of such a host accountable for failure to properly maintain and secure it.