> > and I know some good/not so good security programs. In Unix you can make
> > a system very safe. If you want I can tell you the experiences I had with several
> > security programs.
>
> I think that a discussion of this sort could be very useful. I have been /
> am involved with Unix security and have written a few of my own programs,
> and used most of the programs available on the Internet. I'd be interested
> in hearing what you thought of these programs. It would be nice to hear
> about some commercial systems - general purpose and IDS systems. I also
> don't mind sharing the experiences I've had.

We are using a combination of commercial and freeware products and I seem to be relying more on freeware than on the commercial products. The majority of the pitfalls I am running into in both types of products is the portability of the product to a multitude of Unix platforms. If you have a heterogeneous Unix environment it is difficult to maintain different types of security for each platform. We have basically decided not to buy into or use any product that doesn't install on all the platforms we have.

For instance, Haystack Labs has a really nice IDS product called Stalker which installs on Suns and HPs, but not SGIs. More disturbing was a comment I got from a developer there. He said (and I am summarizing) that they have no plans to port to SGIs because most SGI customers only buy the Unix systems for the graphics capability and are not willing to take the performance hit. I personally do not know what the performance degradation might be, but to exclude the third largest Unix company from consideration makes me wonder if this company is really cut out for customer support and how concerned they are about Unix users' concerns about security. This is unfortunate because I was quite impressed with their Stalker product.

One of the most portable packages I have seen to date in the freeware realm is tcp_wrappers. It has become an invaluable tool at our site. Its ability to spawn scripts based on the incoming source IP address (at least what it claims to be) allows me to get fairly sophisticated with making decisions on whether or not I should allow a connection. So if someone found a way to penetrate your firewall, you still have a second line of defense. If you don't have the ability to firewall, then you can still establish an effective line of defense on an individual host basis. Oh, did I mention it's a cinch to install? Heed the warnings of the author, Wietse Venema, concerning SGIs. If you install using the "hard installation" this means you have to change the inetd.conf file and in doing so, the SGIs will have to be rebooted. :-( It is the only platform out of 7 different Unix platforms that I have to deal with that exhibits this problem. Of course, tcp_wrappers doesn't cover everything, nothing does.

For one-time tokens, we have been demo'ing one of several products that I have to choose from. We have been running into little snags that the company has promised to incorporate into their next release, so we won't buy the product until we are happy. We also dealt with another top company in this subject area and we already discounted them because they DO NOT respond to the customer's phone calls. In security this is crucial. Security software that does not work not only can make your site more vulnerable, but it can easily result in denial of services. So the commercial venue is a very touchy problem. Being able to respond to a customer's problems is top priority for us. Perhaps that is why we rely on freeware, because we can make changes ourselves or contact the authors, who generally are very willing to help. There are even some very nice integrity checking packages out there in freeware such as ISS, SATAN, COPS, etc., all of which are invaluable tools to a Unix security administrator.

Well I've said enough. I hope some of this helps. I am more than eager to hear anyone else's experiences with commercial packages.

Diane Davidowicz
--------------------------------------------------------------------------
Any opinions expressed herein was a mistake; was said under the influence; was stolen; makes no sense whatsoever;....
Any comments, constructive criticism, and flames are welcome, but only if sent to my email address. Don't cc mailing lists/newsgroups & increase their noise level.
Indeed, grep is omniscient :)
To test for the existence of SATAN:   ps -ef | grep -i satan
To test for the existence of angels:  ps -ef | grep -i gabriel
To test for the existence of God:     ps -ef | grep -i god
--------------------------------------------------------------------------
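The per-host setup Diane describes (the inetd.conf change, an allow decision keyed on the client address, and a script spawned on the connection) as an added configuration example; it is not from her post or from the tcp_wrappers distribution. It assumes tcpd was built with the hosts_options extension, and the 192.168.1.0/24 network, the service names and the /usr/bin/logger path are placeholders.

```conf
# --- /etc/inetd.conf (the "easy installation": tcpd is run in front of the daemon) ---
# before:
#   telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
# after (tcpd consults hosts.allow/hosts.deny, then execs the real daemon):
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd

# --- /etc/hosts.allow (evaluated first; first matching rule wins) ---
# Interactive services only from the internal network (placeholder address).
# Forms: daemon_list : client_list : option : option ...
in.telnetd in.ftpd : 192.168.1.0/255.255.255.0 : allow

# Everything else, from anywhere: record which daemon and which client
# (%d = daemon name, %c = client info as tcpd sees it) via syslog, then refuse.
# The spawned command is backgrounded so it does not delay the refusal.
ALL : ALL : spawn (/usr/bin/logger -p auth.notice -t tcpd "refused %d from %c") & : deny

# --- /etc/hosts.deny (reached only if nothing above matched) ---
ALL : ALL
```

The distribution's tcpdchk tool checks these files for syntax and name-lookup problems, and tcpdmatch (with -d, which reads the hosts.allow/hosts.deny in the current directory) reports the decision for a given daemon and client address, so the policy can be verified before it goes live.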