Network Service Security
Network services enable distributed computers and their users to communicate, access remote systems and information, transfer files, send electronic mail, print files on network printers, and manage remote systems. Multiuser operating systems, such as the Solaris OE, typically provide many network services. In the standard Solaris OE configuration, even desktop systems offer some network services. Many third-party applications provide additional network services when deployed on the Solaris OE. These services are either necessary for the operation or management of the application (for example, VERITAS Volume Manager Storage Administrator, a web-based GUI management tool) or are essential to the service the application provides (for example, Netscape Enterprise Server, a web server). A standard Solaris OE installation with third-party applications may therefore provide many different and varied network services.
In order to facilitate rapid system deployment, the Solaris OE is designed to provide unrestricted access to most installed network services by default. This allows customers to quickly integrate Solaris OE systems into the computing environment with little effort and few administrative requirements. In many environments, however, most of the enabled network services are neither necessary nor used. For security purposes, all unneeded network services should be disabled, and all required network services should be protected.
Installation and minimization of the Solaris OE are important to the security of the system. This section discusses the network services provided when all Solaris OE bundled packages are installed (the Entire Distribution cluster). If a smaller installation cluster is used, some of these services are not installed. The Solaris OE Core cluster contains the fewest packages and services. If the recommendations from Chapter 3 are followed, then fewer network services are installed.
The network services a system provides are the entry points into that system. It is important to understand the default configuration of Solaris OE services, and the methods used to disable them. Often, organizations must use protocols or services that are not secure. For these commonly used insecure services (such as RPC, NFS, and Trivial FTP), suggestions are given for how to improve security.
Services offered by a system should be protected by as many layers of security as possible. This protection should start at the network level. Refer to Chapter 2 for a description of actual network attacks, lists of available Solaris OE configuration options, and recommendations for providing additional protection for the ARP, ICMP, IP, TCP, and UDP protocols at the network driver layer.
Network Service Issues
Network services may be attacked in many different ways. These services may contain programming flaws, use weak or no authentication, transfer sensitive data in unencrypted format, and allow connections from any network host. These weaknesses allow a system to be compromised by an attacker.
There are some simple methods to reduce the risk of successful attacks against a system. Administrators should disable unneeded services and apply all security patches. In addition, network services with security features (for example, encryption, strong authentication, etc.) should be used whenever possible.
While the Solaris OE itself does not include mechanisms for protecting network services, several tools are available that are useful in securing services and systems. Well-regarded open source and commercial tools allow Solaris OE administrators to protect systems throughout the enterprise. These tools address security concerns by providing access control, logging, strong authentication, and privacy through encryption.
The SunScreen™ and SunScreen Lite software are two products from Sun Microsystems that provide network protection. Both are firewall products that can provide network-level access control and logging. The SunScreen Lite product is a feature-reduced version that is available for the Solaris 8 OE release at no cost. The SunScreen Lite product is limited to two network interfaces, but it can still provide adequate protection for network services. Use the SunScreen software for systems where more than two network interfaces are required.
A freeware firewall alternative is IP Filter (http://coombs.anu.edu.au/ipfilter). Versions are available for Solaris OE versions 2.3 through 8.
Firewall products like these can be deployed on servers and even desktops where IP forwarding is not required but network service protection is. Massive deployments and management of firewalls on many systems can be burdensome, so plan appropriately.
TCP Wrappers, an open source tool developed by Wietse Venema, provides TCP-level access control, logging, and DNS hostname verification. It is used to protect network services managed by inetd. The TCP Wrappers tool provides a flexible configuration mechanism for controlling incoming connections based on pattern matching for hostnames, DNS domains, network addresses, and NIS netgroups. It also improves logging and detects DNS hostname discrepancies (a reverse lookup whose name does not resolve back to the connecting address), which may indicate an attack in progress. TCP Wrappers is fairly straightforward to deploy on Solaris OE systems.
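As an added example (not from this chapter and not Wietse Venema's code), the following Python models the access decision that tcpd makes from hosts.allow and hosts.deny, including the PARANOID check that flags a reverse-DNS name whose forward lookup does not return the connecting address. The rules, host names, addresses and DNS records are constructed for the demonstration; NIS netgroup patterns are not modelled.

```python
"""Model of the TCP Wrappers (tcpd) access decision.

Added example: not code from this chapter and not Wietse Venema's tcpd. It
reimplements the documented hosts_access(5) rule: grant if hosts.allow
matches, otherwise deny if hosts.deny matches, otherwise grant. The rules,
addresses and DNS records below are constructed for the demonstration.
"""
import ipaddress


def parse_rules(text):
    """Parse 'daemon_list : client_list [EXCEPT client_list]' lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # '#' starts a comment
        if not line:
            continue
        daemon_part, client_part = line.split(":", 1)
        clients, _, excepted = client_part.strip().partition(" EXCEPT ")
        rules.append((daemon_part.split(), clients.split(), excepted.split()))
    return rules


def verify_hostname(addr, reverse_dns, forward_dns):
    """tcpd's hostname check: reverse-resolve the address, forward-resolve the
    resulting name, and require the address to appear in the answer.
    Returns (hostname or None, paranoid). On a mismatch the name is treated
    as unknown, so hostname patterns can never match a forged PTR record."""
    name = reverse_dns.get(addr)
    if name is None:
        return None, False                         # UNKNOWN: no PTR record
    if addr in forward_dns.get(name, ()):
        return name, False                         # KNOWN and consistent
    return None, True                              # PARANOID: PTR and A disagree


def client_matches(pattern, addr, name, paranoid):
    """One client pattern in hosts_access(5) syntax."""
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return paranoid
    if pattern == "KNOWN":
        return name is not None
    if pattern == "UNKNOWN":
        return name is None
    if pattern.startswith("@"):                    # NIS netgroup: not modelled here
        return False
    if pattern.startswith("."):                    # DNS domain suffix
        return name is not None and name.lower().endswith(pattern.lower())
    if pattern.endswith("."):                      # dotted address prefix, e.g. 10.1.99.
        return addr.startswith(pattern)
    if "/" in pattern:                             # net/mask, e.g. 10.1.0.0/255.255.0.0
        net, mask = pattern.split("/", 1)
        return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network((net, mask), strict=False)
    return pattern == addr or (name is not None and name.lower() == pattern.lower())


def rule_matches(rule, daemon, addr, name, paranoid):
    daemons, clients, excepted = rule
    if daemon not in daemons and "ALL" not in daemons:
        return False
    hit = any(client_matches(p, addr, name, paranoid) for p in clients)
    exc = any(client_matches(p, addr, name, paranoid) for p in excepted)
    return hit and not exc


def access_allowed(daemon, addr, allow, deny, reverse_dns, forward_dns):
    """The tcpd decision for one incoming connection."""
    name, paranoid = verify_hostname(addr, reverse_dns, forward_dns)
    if any(rule_matches(r, daemon, addr, name, paranoid) for r in allow):
        return True
    if any(rule_matches(r, daemon, addr, name, paranoid) for r in deny):
        return False
    return True                                    # no rule matched: tcpd grants access


# Constructed policy: ssh from the corporate DNS domain, telnet from the 10.1/16
# intranet except the lab subnet, and a default deny for every wrapped daemon.
HOSTS_ALLOW = parse_rules("""
sshd       : .corp.example.com
in.telnetd : 10.1.0.0/255.255.0.0 EXCEPT 10.1.99.
""")
HOSTS_DENY = parse_rules("""
ALL : PARANOID   # reverse and forward DNS disagree
ALL : ALL
""")

# Constructed DNS data. 192.0.2.10 claims via PTR to be ws7, but ws7's A record
# points elsewhere: that is the discrepancy tcpd logs and PARANOID matches.
REVERSE_DNS = {"10.1.5.7": "ws7.corp.example.com",
               "10.1.99.3": "lab3.corp.example.com",
               "192.0.2.10": "ws7.corp.example.com"}
FORWARD_DNS = {"ws7.corp.example.com": ["10.1.5.7"],
               "lab3.corp.example.com": ["10.1.99.3"]}


def decide(daemon, addr):
    """Evaluate one connection against the constructed policy above."""
    return access_allowed(daemon, addr, HOSTS_ALLOW, HOSTS_DENY, REVERSE_DNS, FORWARD_DNS)
```

Two points of the model are worth noticing in practice: the ALL : ALL line in hosts.deny turns tcpd's permissive default into a default deny, so every wrapped daemon must be listed explicitly in hosts.allow; and a client whose PTR record points at a name that does not resolve back to it loses its hostname entirely, so a domain-based allow rule cannot be satisfied by a forged reverse record.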
Sun Microsystems has a more sophisticated product that can be used to provide strong authentication and privacy for intranet network services and systems called the Sun Enterprise™ Authentication Mechanism. It is based on MIT's Kerberos V system. The Sun product provides centralized security management and interoperates with other heterogeneous Kerberos systems. For Kerberos to be used effectively and correctly, an entire infrastructure of Kerberos components must be deployed. This infrastructure adds additional administrative overhead that may not be desired.
OpenSSH (an open source toolkit) and SSH (a commercial product) are both suites of tools that replace unsafe UNIX® network commands such as telnet, ftp, rlogin, rsh, and rcp and securely tunnel X Window System network traffic. Both provide strong authentication and privacy through encryption. When built with the TCP Wrappers library, they also benefit from TCP Wrappers access control. Like TCP Wrappers, OpenSSH/SSH is straightforward to deploy on many systems. It is a very valuable tool simply because of the number of unsafe commands it replaces. Once deployed, the network services it replaces (telnet, ftp, and the r-commands) should be disabled in favor of OpenSSH/SSH.
Telnet is a user-interactive service used to log into and access a remote system on the network. Unfortunately, this service provides little in the way of security. The only authentication information required is a user name and password, and neither is encrypted in transit, so both are vulnerable to a variety of attacks including network sniffing, man-in-the-middle attacks, and session hijacking. The Sun Enterprise Authentication Mechanism product provides a replacement telnet command that uses strong authentication and encryption. SSH tools can also serve as an effective replacement.
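The following added example (not code from the original chapter or from the OpenSSH project) shows the inetd.conf side of that change in Python: entries for the services SSH replaces are commented out, and every remaining entry that starts a real server program is rewrapped so that tcpd runs first. The inetd.conf excerpt is constructed, and the tcpd path /usr/local/sbin/tcpd is an assumed location.

```python
"""Disable the inetd services that OpenSSH/SSH replaces and wrap the rest in tcpd.

Added example for this chapter, not code from the original text or from the
OpenSSH project. It rewrites an inetd.conf in memory; the sample entries are
constructed, and the tcpd path is an assumption for your installation. Run it
on a copy and inspect the diff before replacing /etc/inet/inetd.conf, then
send inetd a HUP so it re-reads the file.
"""

# telnet, ftp, rlogin, rsh/rcp and rexec all arrive through these inetd entries.
REPLACED_BY_SSH = {"telnet", "ftp", "login", "shell", "exec"}
TCPD = "/usr/local/sbin/tcpd"   # assumed install location of the wrapper daemon


def harden_inetd_conf(text, disable=REPLACED_BY_SSH, tcpd=TCPD):
    """Return (new_text, disabled_services, wrapped_services).

    Entries for services in `disable` are commented out. Every other entry
    that names a real server program (not 'internal', not RPC/TLI) has that
    program replaced by tcpd, with the original program path as tcpd's first
    argument: tcpd consults hosts.allow/hosts.deny, logs, then exec()s it.
    """
    out, disabled, wrapped = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            out.append(raw)
            continue
        fields = line.split(None, 6)    # service type proto wait user program [args]
        if len(fields) < 6:
            out.append(raw)             # not an entry we understand: leave untouched
            continue
        service, socktype, proto, wait, user, program = fields[:6]
        args = fields[6].split(None, 1) if len(fields) == 7 else []
        if service in disable:
            out.append("#" + raw)       # inetd ignores commented-out entries
            disabled.append(service)
            continue
        if program == "internal" or proto.startswith("rpc/") or program == tcpd:
            out.append(raw)             # echo/discard, RPC services, already wrapped
            continue
        # tcpd(8): an argv[0] containing '/' is used as the daemon's absolute
        # path, so keep the original path and any remaining daemon arguments.
        daemon_argv = " ".join([program] + args[1:])
        out.append("\t".join([service, socktype, proto, wait, user, tcpd, daemon_argv]))
        wrapped.append(service)
    return "\n".join(out) + "\n", disabled, wrapped


SAMPLE_INETD_CONF = """\
# Constructed excerpt in Solaris /etc/inet/inetd.conf format
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
login   stream  tcp     nowait  root    /usr/sbin/in.rlogind    in.rlogind
exec    stream  tcp     nowait  root    /usr/sbin/in.rexecd     in.rexecd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
tftp    dgram   udp     wait    root    /usr/sbin/in.tftpd      in.tftpd -s /tftpboot
echo    stream  tcp     nowait  root    internal
100232/10 tli   rpc/udp wait    root    /usr/sbin/sadmind       sadmind
"""

if __name__ == "__main__":
    new_conf, gone, wrapped = harden_inetd_conf(SAMPLE_INETD_CONF)
    print(new_conf)
    print("disabled:", gone, "wrapped:", wrapped)
```

RPC services registered through inetd (the tli rpc/… entries) are deliberately left alone because tcpd cannot wrap them; they are the RPC case that the rest of this chapter addresses separately. A second run over the rewritten file changes nothing, which is a convenient check that the edit was applied once.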
If you must use a telnet daemon that does not support encryption, then One Time Passwords (OTP), host-based firewalls, or TCP Wrappers should be used to secure the connections. One Time Passwords protect against network sniffing by never transmitting a reusable password over the network. Instead, a challenge issued by the server, combined with a secret phrase known only to the user, is used to generate a password that is valid for a single login, so a value captured by a sniffer cannot be replayed. Host-based firewalls and TCP Wrappers can be used to limit the hosts that may connect to a system. By restricting access to services based on IP addresses, a system can limit its exposure to network attacks, bearing in mind that source addresses can be spoofed. None of these alternatives protects a session against being hijacked, that is, against a malicious user taking over a session begun by an authorized user, nor do they keep an eavesdropper from reading everything sent after authentication. Session hijacking can only be prevented by encrypting and integrity-protecting the entire session, as SSH does.
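To make the challenge/response mechanism concrete, here is an added example (not from the original text) of an S/KEY-style one-time password scheme in Python. It follows the hash-chain idea of RFC 2289 but substitutes SHA-256 for the MD4/MD5 folding and raw bytes for the six-word encoding, so it illustrates the principle rather than interoperating with a real OTP server; the user, seed and passphrase are constructed.

```python
"""Challenge/response one-time passwords in the S/KEY (RFC 2289) style.

Added example for this chapter, not code from the original text and not an
exact RFC 2289 implementation: it keeps the hash-chain construction but uses
SHA-256 instead of MD4/MD5 folding and skips the six-word encoding. The user,
seed and passphrase below are constructed for the demonstration.
"""
import hashlib
import hmac


def f(x: bytes) -> bytes:
    """The one-way function the chain is built from."""
    return hashlib.sha256(x).digest()


def chain(passphrase: str, seed: str, n: int) -> bytes:
    """f applied n times to seed||passphrase; only the client can compute this."""
    v = (seed + passphrase).encode()
    for _ in range(n):
        v = f(v)
    return v


class OtpServer:
    """Stores only the last accepted chain value per user, never the passphrase.
    A server compromise therefore yields nothing that logs in anywhere."""

    def __init__(self):
        self.users = {}  # user -> [seq, seed, last accepted value f^seq]

    def enroll(self, user: str, seed: str, n: int, initial: bytes):
        # `initial` is f^n(seed||passphrase), computed by the user on a trusted
        # host at enrolment time so the passphrase never reaches the server.
        self.users[user] = [n, seed, initial]

    def challenge(self, user: str):
        seq, seed, _ = self.users[user]
        if seq <= 1:
            raise RuntimeError("chain exhausted: user must re-enrol with a new seed")
        return seq - 1, seed            # what the login prompt shows: sequence and seed

    def verify(self, user: str, response: bytes) -> bool:
        entry = self.users[user]
        seq, _, last = entry
        # The response must hash to the stored value: f(f^(seq-1)) == f^seq.
        # A sniffed response cannot be replayed because `last` has moved on,
        # and the next value would require inverting f.
        if not hmac.compare_digest(f(response), last):
            return False
        entry[0], entry[2] = seq - 1, response   # advance the chain
        return True


def client_respond(passphrase: str, challenge) -> bytes:
    """The user's side: compute f^seq from the secret phrase and the challenge."""
    seq, seed = challenge
    return chain(passphrase, seed, seq)


def demo():
    """Enrol, log in, replay the sniffed password, log in again. Returns the outcomes."""
    server = OtpServer()
    passphrase, seed, n = "correct horse battery", "sol12345", 100   # constructed
    server.enroll("alice", seed, n, chain(passphrase, seed, n))

    first = client_respond(passphrase, server.challenge("alice"))   # f^99
    ok1 = server.verify("alice", first)
    replay = server.verify("alice", first)           # attacker re-sends what was sniffed
    second = client_respond(passphrase, server.challenge("alice"))  # f^98
    ok2 = server.verify("alice", second)
    return ok1, replay, ok2, server.users["alice"][0]
```

The property the chapter relies on is visible in demo(): the value an eavesdropper captures is accepted exactly once, and the next expected value is a preimage of it under f, which the eavesdropper cannot compute. What the scheme does not do is also visible: nothing after verify() returns True is protected, so everything typed into the telnet session is still in the clear.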