Home > Articles > Operating Systems, Server > Linux/UNIX/Open Source

Supporting Security for Unix Systems

  • Print
  • + Share This
Unix systems administrator Jon Lasser covers the top four non-technical components necessary for Unix systems security, from developing a threat model to making sure that things can get fixed.

This article is derived from /etc/hosts, Jon's column in Web Hosting magazine.

From the author of

From the author of

Jon is the author of Think Unix (Que, 2000).

This article is derived from /etc/hosts, Jon's column in Web Hosting magazine.

Computer security is technical, of course, but it requires support. Consider systems administration as a grueling military campaign, and management as the generals and strategists planning the war: As important as soldiers may be, every general knows that maintaining supply lines and managing inventory are even more crucial for winning battles. Although techs hate to admit it, this is how management justifies its existence. In as much as management makes it possible to get the job done, it fulfills its purpose.

Before we go into detail, let's take a quick look at the four points we're going to cover. First, know your threat model: This means knowing what you're trying to protect, and from whom you're trying to protect it. Second, develop a security policy based on that threat model. Third, dedicate resources to security; failure to do so will make it impossible for you to secure your systems. Fourth, monitor security mailing lists in order to keep abreast of current news and information.

To summarize, the top four non-technical things you need to secure your boxes are as follows:

  1. Know your threat model.
  2. Develop a security policy.
  3. Dedicate resources to security.
  4. Monitor security mailing lists.

1. Know Your Threat Model

Your threat model describes what you're worried about. You can derive this from the answers to three basic questions: What's at risk? Who are you afraid of? What can they touch? If you can answer these three questions, you're well on your way to securing your systems.

What's at risk? Most people need to protect three basic things: availability, data, and image. Availability is obvious—you probably need to keep your Web site available and keep adequate bandwidth. It is most often at risk from denial-of-service attacks, but anything that might crash or block your availability is worth worrying about.

For data, you need to protect both integrity and confidentiality. Data integrity means that the data you have has not been altered by unauthorized parties: When your Web page is replaced with hundreds of pornographic .GIFs, the integrity of your data has been violated. Confidentiality means that only authorized parties have access to the data: When the selfsame hackers copy down your users' credit card numbers, the confidentiality of your data has been violated.

When vandals have replaced your home page with obscene messages, something besides your data integrity has been violated as well—your organizational image has been damaged. If your ISP is the laughingstock of the Internet, that has real-world consequences.

Who are you afraid of? Consider the four basic classes of security threats, in order of how hard they are to guard against: "crackers," opportunistic attackers who hack sites whose security has been found to be inadequate, usually through automated scanning techniques; competitors who have targeted your site or your customers' sites for attacks; employees, who attack from inside; and "the Government," a.k.a. omnipotent attacks. If you think they can read your mind, your system's probably up for grabs too.

What can they touch? Crackers and competitors most often have access to external services, so anything you can do to harden your outer shell protects against these attacks. Employees have access to your internal services as well: If you depend upon any software to run your business, can you protect it from your employees? Also, what about your infrastructure? Buildings, phone lines, net connections, and so on can all be attacked as part of a denial-of-service attack. If you're hosting an online securities-trading company, it might be worth somebody's time and effort to truly bring down your site.

  • + Share This
  • 🔖 Save To Your Account