Re: prfile

Diane Davidowicz (diane_d@sun1.wwb.noaa.gov)
Wed, 16 Aug 95 08:47:28 EDT

> >and I know some good/not so good security programs. In unix you can make
> >a system very safe. If you want I can tell you the experiences I had with several
> >security programs.
> 
> I think that a discussion of this sort could be very useful. I have been /
> am involved with Unix security and have written a few of my own programs,
> and used most of the programs available on the Internet. I'd be interested
> in hearing what you thought of these programs. It would be nice to hear
> about some commercial systems - general purpose and IDS systems. I also
> don't mind sharing the experiences I've had.

We are using a combination of commercial and freeware products and I
seem to be relying more on freeware than on the commercial products.
The majority of the pitfalls I am running into in both types of products
is the portability of the product to a multitude of Unix platforms.

If you have a heterogeneous Unix environment it is difficult to maintain
different types of security for each platform. We have basically decided
not to buy into or use any product that doesn't install on all the
platforms we have. For instance, Haystack Labs has a really nice ids
product called stalker which installs on Sun's and HP's, but not SGI's.
More disturbing was a comment I got from a developer there. He said
(and I am summarizing) that they have no plans to port to SGI's because
most SGI customers only buy the Unix systems for the graphics capability
and are not willing to take the performance hit. I personally do not
know what the performance degradation might be, but to exclude the
third largest Unix company from consideration makes me wonder if this
company is really cut out for customer support and how concerned they
are about Unix users' concerns about security. This is unfortunate because
I was quite impressed with their Stalker product.

One of the most portable packages I have seen to date in the freeware
realm is tcp_wrappers. It has become an invaluable tool at our site.
Its ability to spawn scripts based on the incoming source IP address
(at least what it claims to be) allows me to get fairly sophisticated
with making decisions on whether or not I should allow a connection.
So if someone found a way to penetrate your firewall, you still have
a second line of defense. If you don't have the ability to firewall,
then you can still establish an effective line of defense on an individual
host basis. Oh, did I mention it's a cinch to install? Heed the warnings
of the author, Wietse Venema, concerning SGI's. If you install using
the "hard installation" this means you have to change the inetd.conf file
and in doing so, the SGIs will have to be rebooted. :-(  It is the
only platform out of 7 different Unix platforms that I have to deal with
that exhibits this problem.
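A hosts.allow/hosts.deny pair showing the per-host access control and the spawn-a-script-on-connection logging described above (an added example, not configuration from the original message; the networks are constructed, and it assumes a tcp_wrappers build with the extended option language of hosts_options(5), where %c, %d, %h and %a expand to the client, daemon, client hostname and client address):

```text
# /etc/hosts.allow  -- consulted first; the first matching rule decides.
# Constructed example: a management LAN may reach every wrapped service.
ALL: 192.168.10.0/255.255.255.0

# Constructed example: only the internal 10/8 block may reach in.ftpd,
# and every accepted ftp connection is recorded to syslog via spawn.
in.ftpd: 10.0.0.0/255.0.0.0 : spawn (/usr/bin/logger -p auth.info "tcpd: accepted %d from %c") &

# /etc/hosts.deny  -- consulted only when nothing in hosts.allow matched.
# Refuse clients whose hostname does not resolve back to their address
# (the "what it claims to be" problem), and log the attempt.
ALL: PARANOID : spawn (/usr/bin/logger -p auth.warning "tcpd: PARANOID refusal %d from %h [%a]") &

# Default deny for everything else: the second line of defense behind a firewall.
ALL: ALL : spawn (/usr/bin/logger -p auth.notice "tcpd: refused %d from %h [%a]") &
```

Only services launched through tcpd (or linked against libwrap) are covered, so this complements rather than replaces a network firewall; `tcpdchk` and `tcpdmatch`, shipped with tcp_wrappers, verify the rule files before they go live.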

Of course, tcp_wrappers doesn't cover everything, nothing does. For
one time tokens, we have been demo'ing one of several products that
I have to choose from. We have been running into little snags that
the company has promised to incorporate into their next release, so
we won't buy the product until we are happy. We also dealt with 
another top company in this subject area and we already discounted
them because they DO NOT respond to the customer's phone calls. In
security this is crucial. Security software that does not work not
only can make your site more vulnerable, but it can easily result
in denial of services. 

So the commercial venue is a very touchy problem. Being able to
respond to a customer's problems is top priority for us. Perhaps
that is why we rely on freeware because we can make changes ourselves
or contact the authors who generally are very willing to help. There
are even some very nice integrity checking packages out there in
freeware such as ISS, SATAN, COPS, etc, all of which are invaluable
tools to a Unix security administrator.

Well I've said enough. I hope some of this helps. I am more than
eager to hear anyone else's experiences with commercial packages.

Diane Davidowicz

--------------------------------------------------------------------------
Any opinions expressed herein was a mistake; was said under the influence;
was stolen; makes no sense whatsoever;....

Any comments, constructive criticism, and flames are welcome, but only
if sent to my email address. Don't cc mailing lists/newsgroups & increase 
their noise level.

Indeed, grep is omniscient :)
   To test for the existence of SATAN:
      ps -ef | grep -i satan
   To test for the existence of angels:
      ps -ef | grep -i gabriel
   To test for the existence of God:
      ps -ef | grep -i god
--------------------------------------------------------------------------