Dr. Nikolai Bezroukov
Version 1.0, Dec 1999
Never underestimate the power of human stupidity
Computer Security is an anthropomorphic deity of a new messianic high-demand cult. It is a synonym of goodness, happiness and light; a mystic force which provides a beautiful eternal harmony of all things computable. The main recruitment base of the cult is system administrators.
A secure server is a cosmic harbinger of charismatic power; an exorcistic poltergeist that preserves mental health, cures headache, allergy, alcoholism, depression, and deters aging. It is a nirvana for both young and old system administrators; an enviable paragon of all imaginable idealistic virtues; an apocalyptic voice that answers the question: "What is truth?".
Finally, a secure computer network is the bright hope of all mankind, a glimpse of things to come with the help of Homeland Security, and an inscrutable enigma that may well decide whether this nation, or any other nation, conceived in Liberty, can endure. In the USA this notion plays a role similar to the second coming of Christ in some high demand cults.
Computer security is a very loaded term. One aspect of it is so-called hardening, currently one of the most fashionable topics. Hardening is essentially an attempt to convert a general purpose server into an appliance in order to improve the level of protection from external as well as internal threats, including the "fifth column" problem. There is no free lunch: hardening generally makes the server less user- and developer-friendly. Given that complexity is the biggest single enemy of security, it is only logical to remove everything that is not essential for the task at hand, users be damned ;-)
Unix hardening in general can be viewed as an implementation of the Principle of Least Privilege. For example, it is difficult to harden systems with GUI desktops like Gnome or KDE. So if a server is intended to be more secure, it is prudent to configure the X subsystem for manual start, so that in production mode X does not run at all. The same is true for other similar daemons.
But the key problem with hardening is knowing where to stop, not how to make the system more secure. The key principle is "not too much zeal". Unfortunately corporate security departments often discard this vital principle and use hardening to justify their existence ;-).
Although few, if any, fundamentally new Unix vulnerabilities are evident today, most of today's Unixes do not include advanced security techniques, let alone the enhancements identified as essential to fight them. Solaris is one of the better Unixes in this respect: it includes some interesting features like roles and, especially, zones and privilege management (in Solaris 10+). It also includes advanced file attributes, which are a mixed blessing.
The author argues that deep hardening is essentially a process of converting a general purpose OS into a specialized OS, and that is why, for organizations without much local talent, it might be better to use appliances.
There are also some inherent limitations in the level of security achievable in any given organization. The author formulated three laws of computer security:
- In the long run the level of security of any large enterprise Unix environment cannot be significantly different from the average level of qualification of the system administrators responsible for this environment...
- If a large discrepancy exists between the level of qualification of system administrators and the level of computer security of the system or network, the main trend is toward restoring equilibrium at some, not so distant, point...
- In a large corporate environment, incompetent people implementing security solutions are a bigger problem than most OS security weaknesses, because users react to actions that decrease the user-friendliness of the system with counteractions that tend to restore it, simultaneously weakening the security level, often to a level lower than existed before. Real computer security skills presuppose not only knowledge of what should be done, but knowledge of where to stop in order not to cause excessive backlash. The latter skill presupposes understanding of the architecture of the environment and is completely lacking in wannabe security specialists. If incompetents happen to be in charge of security, one should expect that they will implement the measures most destructive for corporate IT security, dictated by current fashion and driven by excessive zeal and the desire to survive: measures that backfire and, through user counteractions, create security holes bigger than the ones they were trying to patch.
This article is an attempt at a skeptical treatment of this theme and a modest attempt to fight "security fascism": counterproductive restrictions that complicate the lives of users and system administrators while adding nothing to, or even diminishing, security. There are almost no articles on the Web that are critical or even slightly skeptical about security tools in general and computer security tools in particular. This article tries to fill the gap.
Security is like an erection: with proper drugs
it can always be harder and longer lasting but it never lasts forever.
Also that doesn't necessarily imply your initial impotence.
Slightly modified Slashdot post (#10252795)
Not too much zeal!
Charles-Maurice de Talleyrand
advice to new diplomats
Computer security is currently one of the most fashionable topics. An important part of computer security is hardening: making a system or network of computers less vulnerable to some broadly defined class of attacks. It is essentially an attempt to convert a general purpose server into a less flexible (and less useful) appliance. There is no free lunch: improving the level of protection from external as well as internal threats (including the "fifth column" problem) means making the server less user- and developer-friendly.
Given that complexity is the biggest single enemy of security, it is only logical to remove everything that is not essential for the task at hand, users be damned ;-). Unix vulnerabilities are not new and are usually just variations on some classic theme. Many of them are connected with the use of a low-level language (C) for system programming; buffer overflows are the classic example of this category.
Most classic Unix vulnerabilities were discovered roughly three decades ago (the Morris worm of 1988 is a convenient marker), and since then various features that help to fight them have been proposed and implemented. Modern Unixes usually contain additional security mechanisms for this purpose. There are even improvements in C compilers (stack protection) and loaders (address space randomization) that make the generated code less predictable and thus make buffer overflow exploitation more difficult. Even the classic security problem of an all-powerful root and underpowered regular accounts was addressed in Solaris, one of the better Unixes in this respect. Solaris includes some interesting features like advanced file attributes, roles and, especially, zones and privilege management (in Solaris 10+). This mechanism allows one to get rid of the problem of an all-powerful root, but the classic root/regular-user mode of operation is so ingrained in Unix system administrators that Solaris is most often used like a "deficient" Unix that does not have those capabilities. So here we start to understand that with an operating system of the complexity of Unix, the human factor might be more important than real or imaginary deficiencies of the OS.
A similar situation exists in Linux. Various flavors of Linux have additional security mechanisms, such as AppArmor in SUSE, Ubuntu and friends, and SELinux in Red Hat, Oracle Linux, CentOS and friends. But few administrators use them, because they slightly (AppArmor) or substantially (SELinux) complicate troubleshooting and make it more difficult to add services to the system. The situation reminds one of the old proverb: you can lead a horse to water, but you can't make it drink.
A similar situation exists with firewalls. Among enterprise Linux distributions, only Red Hat instances have a substantial fraction of cases with the firewall enabled. All other flavors of Linux are typically used with the firewall disabled, at least in enterprise environments (paradoxically, Linux desktops typically have the firewall enabled, maybe because it is enabled by default and few users know how to disable it :-). Even Red Hat is used in many large corporations with the firewall disabled, not because they want to weaken security, but because sysadmins feel less comfortable in an environment with the firewall enabled.
Moreover, in most Unixes TCP wrappers are available by default (in Linux they are built into the xinetd daemon and into many standalone services such as Sendmail, Postfix, vsftpd and sshd). They are closer to an application-level firewall than iptables, easier to configure, and permit doing much more than a regular packet filter. For example, they can refuse connections from clients whose address has no reverse DNS name, or whose name and address do not agree (the UNKNOWN and PARANOID patterns), albeit only for TCP, not UDP. They are also much cheaper than per-packet filtering, since the check runs once per accepted connection. But probably less than 10% of the sysadmins who use a firewall also use TCP wrappers. This is another case of complexity affecting security.
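The access-control semantics just described, as an added example that is not part of the original article: a small POSIX sh re-implementation of tcpd's decision order (hosts.allow first, then hosts.deny, then the default of allow), run against constructed hosts.allow and hosts.deny files written to a temporary directory rather than /etc. Real tcpd decides PARANOID for itself by comparing the reverse lookup of the client address with the forward lookup of the resulting name; to stay offline, this version takes that verdict as a fourth argument. The daemon names, addresses and domains in the policy are made up, and the option language (spawn, twist, EXCEPT, netgroups) is not implemented.

```sh
#!/bin/sh
# Added example, not from the original article: a toy tcpd decision engine.
# It reads hosts.allow/hosts.deny written below into a temp dir and applies
# tcpd's order: allow-file match -> ALLOW; deny-file match -> DENY; else ALLOW.
set -u
TW_DIR=$(mktemp -d)
trap 'rm -rf "$TW_DIR"' EXIT

# Constructed policy (not a real site's). Comments are on their own lines,
# which is the only comment form hosts_access(5) guarantees.
write_policy() {
    cat > "$TW_DIR/hosts.allow" <<'EOF'
# hosts.allow is consulted first; the first matching rule lets the client in
# admin jump subnet, by address prefix
sshd: 10.0.0.
# corporate hosts, by DNS domain suffix (needs a verified hostname)
sshd: .corp.example
# mail must accept from anywhere
sendmail: ALL
EOF
    cat > "$TW_DIR/hosts.deny" <<'EOF'
# hosts.deny is consulted only when nothing in hosts.allow matched
# PARANOID = the client's forward and reverse DNS disagree
ALL: PARANOID
# everything else
ALL: ALL
EOF
}

# Match one client pattern. Args: pattern host ip paranoid(yes|no)
# "paranoid" is what tcpd would have concluded from its own two lookups;
# here the caller supplies it so the example runs without DNS.
client_match() {
    pat=$1; host=$2; ip=$3; paranoid=$4
    # tcpd does not trust a hostname it could not verify: such a client can
    # only match by address, by ALL, or by PARANOID.
    if [ "$paranoid" = yes ]; then host=""; fi
    case $pat in
        ALL)      return 0 ;;
        PARANOID) [ "$paranoid" = yes ] ;;
        .*)       # domain suffix, e.g. .corp.example
                  case $host in *"$pat") return 0 ;; esac; return 1 ;;
        *.)       # address prefix, e.g. 10.0.0.
                  case $ip in "$pat"*) return 0 ;; esac; return 1 ;;
        *)        [ "$pat" = "$host" ] || [ "$pat" = "$ip" ] ;;
    esac
}

# Does any "daemon_list : client_list" rule in a file match?
# Args: file daemon host ip paranoid
file_match() {
    f=$1; d=$2; h=$3; i=$4; p=$5
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        daemons=${line%%:*}
        clients=${line#*:}
        for dp in $(printf '%s' "$daemons" | tr ',' ' '); do
            [ "$dp" = ALL ] || [ "$dp" = "$d" ] || continue
            for cp in $(printf '%s' "$clients" | tr ',' ' '); do
                if client_match "$cp" "$h" "$i" "$p"; then return 0; fi
            done
        done
    done < "$f"
    return 1
}

# The decision tcpd (or a libwrap-linked daemon) would take. Prints ALLOW/DENY.
# Args: daemon host ip [paranoid]
tw_decide() {
    d=$1; h=$2; i=$3; p=${4:-no}
    if file_match "$TW_DIR/hosts.allow" "$d" "$h" "$i" "$p"; then
        echo ALLOW
    elif file_match "$TW_DIR/hosts.deny" "$d" "$h" "$i" "$p"; then
        echo DENY
    else
        echo ALLOW   # no rule anywhere: tcpd's default is to allow
    fi
}

write_policy
for c in 'sshd jump1.corp.example 10.0.0.5 no' \
         'sshd dev.corp.example 192.168.1.9 no' \
         'sshd attacker.example 203.0.113.7 no' \
         'sshd bogus.corp.example 203.0.113.9 yes' \
         'sendmail bogus.corp.example 203.0.113.9 yes'; do
    printf '%-45s %s\n' "$c" "$(tw_decide $c)"
done
```

Note the order: because hosts.allow is consulted first, `sendmail: ALL` admits a host with inconsistent DNS even though hosts.deny says `ALL: PARANOID`; only the sshd rules, which depend on a verified hostname, are protected by it. The stand-alone tcpd program, when built with its PARANOID option, refuses such clients before the tables are read, but programs that call libwrap's hosts_ctl() directly rely on the tables alone, which is why the pattern is worth keeping in hosts.deny. For real files, tcpdchk (syntax check) and tcpdmatch (simulate one request) from the tcp_wrappers distribution do what this toy does, with the actual lookups.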
While we can argue about the extent to which those observations reflect reality, one thing is certain: the weakest link is not always the modern Unix or modern applications (although both still have problems). It is the qualification of system administrators and of users who have access to root that is the critical factor in modern Unix security.
This article is an attempt to emphasize the human factor in Unix security as well as a modest attempt to fight "security fascism": counterproductive restrictions from clueless "security specialists" which just complicate the lives of users and system administrators while adding nothing to, or even diminishing, the level of security. There are almost no articles on the Web that are critical or even slightly skeptical about security honchos and security tools in general. Somehow it is naively assumed that the available hardening tools are good and that applying them does improve security.
It is important to understand that you should not take anything for granted, especially in security. If you are confused by the stream of software, hardware, and services hanging their claim to fame on better security, please be aware that security is probably the second most promising IT field for snake-oil salesmen after (or maybe even before) software development methodologies ;-) We are all for better security, but often "security" is used like a universal door-opening key by yet another variety of "ambulance-chasing lawyers" to force on customers useless or even harmful products that trivialize the really complex issues involved. "Mistrust first impulses": this advice of Talleyrand is especially applicable to security.
Based on this understanding of the importance of the human factor in computer security in general and Unix security in particular, the author formulated the following three laws of computer security:
The first law is connected to the fact that security is always only as strong as the weakest link, and most often the weakest link is not the OS or the application, but the security specialist in charge of security and the system administrator responsible for the particular server. When measures that severely limit server functionality are implemented, the natural tendency of users and administrators is to adopt a set of behaviors directed toward restoring the previous level of user-friendliness of the system. Often such behaviors are more dangerous than the real or imaginary threats that were the stimulus for implementing the original "pseudo-security" measures in the first place.
Seldom can one see a critical evaluation that openly states that such-and-such security tool is a dinosaur that lost all practical value several years or even decades ago, or that such-and-such tool is badly written and has poor architecture. The reader often needs the ability to read between the lines and, if the source is available, to analyze the source to get an idea of "what is what".
Talking about different flavors of Unix, it is clear that they are not created equal: the author has very high respect for the OpenBSD approach, and that is what we should probably try to emulate in the Solaris environment.
The author feels that there is still a shortage of good Solaris hardening tools, but also (and more importantly) a shortage of highly qualified Solaris administrators. Security is usually a battle on two fronts: you fight both an external enemy and an internal enemy at the same time. And the internal enemy is not only what is usually called "insiders." It is often sysadmins themselves (we have met the enemy, and he is us :-), especially those who have reached or exceeded their level of incompetence (see the Peter Principle for details).
There are a couple of decent existing tools for Solaris hardening (Titan, JASS, RQ-Kit), but all of them are still pretty raw and require an excellent knowledge of Solaris to be applied properly. That actually might be a good thing: there is not, and never will be, an "Administering Unix Security for Dummies". And in the age of outsourcing this is good news both for highly qualified system administrators and, on the other side, for appliance makers and the appliance market ;-)
IMHO the percentage of clueless or redundant people in corporate IT usually correlates with the square of the company revenue in billions (government is a special case ;-). And it is this internal enemy that represents the real "fifth column" in computer security, a problem that should not be underestimated. As Richard Forno aptly noted in one of his SecurityFocus columns, "much of what constitutes the 'cyberterror threat' comes down to the poor management of systems critical to the security and viability of the United States."
An often overlooked fact is that Unix is too complex an OS to be administered by dummies. Idiot sysadmins (I mean here an incompetent sysadmin who is not interested in Unix and does not work on improving his/her understanding of the system; the official definition is "...a cretin, morphodite, or old COBOL programmer selected to be the system administrator by a committee of cretins, morphodites, and old COBOL programmers." :-) are by themselves the biggest security risk to the systems they administer, IMHO a much bigger risk than hackers...
I can even reformulate this idea as the "Softpanorama First Law of Security":
The level of security of any Unix environment cannot be significantly different from the level of qualification of the system administrator(s) responsible for this environment...
And you can easily guess the Second Softpanorama Law of Security:
If a large discrepancy exists between the level of qualification of the system administrator(s) and the level of hardening of the system, the main trend is toward restoring equilibrium at some, not so distant, point...
It is important not to underestimate the human factor while working to improve the security of your intranet.
That actually means that learning Solaris as a (very interesting) OS is probably the first and most important task that needs to be addressed. Not the installation and running of some fancy security tool (or two), but the general level of understanding of Unix in general and Solaris in particular is the most critical security resource.
Only those who really understand "what is what" in Unix in general and Solaris in particular can successfully minimize their systems and understand the compromises that are always involved in disabling services and changing the settings and permissions recommended by hardening tools. There is no free lunch, and tighter security makes the system less and less usable, which in the real world translates into an "everybody uses root" situation, which in turn completely defeats the measures implemented. So finding the point where to stop is very important. Too much security can be counterproductive and very harmful. Please keep in mind that there are sadistic sysadmins and security analysts who use security to torture users just to increase their social status.
Here are several other things that I think are important, in no particular order. We will call them tips.
You should use tools that permit you to create your own hardening policy, and you do need to understand what each script is doing while writing such a policy. Again, you should never accept and use a recommendation without thinking carefully and critically first! Too much (stupid) zeal in security is more dangerous than any hacker. An idiot with a security initiative can paralyze an organization pretty quickly. Sometimes even sound recommendations turn out not to be that sound in a real-life environment ;-) For example, if X is blocked by a firewall, then the security gains from killing the X environment are smaller and might not outweigh the loss of productivity... Also, in many DMZ situations with strict routing and switched segments the risk of eavesdropping is much smaller than other risks, and SSH just adds complexity (a switched segment only raises the bar: an attacker with a foothold on any host in it can still ARP-spoof or mirror traffic, so this is a matter of weighing risks, not of cleartext protocols being safe). Password protection policy is also a non-trivial thing; see, for example, the Slashdot discussion "The Psychology of Passwords". I will repeat it again: if somebody can steal your shadow file with hashed passwords and you have more than a dozen users, then most probably you are toast anyway, so why increase the level of hate toward security (and the number of helpdesk tickets)?
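The "configure X for manual start", "minimize your systems" and "write your own hardening policy and understand every line of it" points above, as an added example that is not from the original article and is not one of the tools it names: a POSIX sh audit that compares a Solaris SMF service listing with a whitelist the administrator wrote (with a reason next to every entry) and prints the svcadm commands it would run. It disables nothing by itself; the printed proposal is the "know where to stop" review step. The listing is constructed sample data in the format of `svcs -a`, and the FMRIs and whitelist are assumptions chosen to look like a Solaris 10 box.

```sh
#!/bin/sh
# Added example, not from the original article: a service minimization audit.
# Anything online that is not on the whitelist becomes a proposed
# "svcadm disable -t" line. Nothing is executed; a human reviews the output.
set -u

# Policy: one FMRI per line followed by the reason it must stay enabled.
# Writing the reason down is the point: a rule nobody can justify is a rule
# nobody can maintain. (Constructed whitelist, not a recommendation.)
SVC_POLICY='
svc:/network/ssh:default            remote administration
svc:/system/cron:default            scheduled jobs
svc:/network/smtp:sendmail          outbound mail for cron reports
svc:/milestone/multi-user:default   boot milestone, never disable
'

# Constructed stand-in for the output of `svcs -a` (STATE STIME FMRI).
SAMPLE_SVCS='STATE          STIME    FMRI
online         Mar_12   svc:/network/ssh:default
online         Mar_12   svc:/system/cron:default
online         Mar_12   svc:/network/smtp:sendmail
online         Mar_12   svc:/milestone/multi-user:default
online         Mar_12   svc:/application/graphical-login/cde-login:default
online         Mar_12   svc:/network/rpc/bind:default
online         Mar_12   svc:/network/telnet:default
disabled       Mar_12   svc:/network/ftp:default
maintenance    Mar_12   svc:/network/nfs/server:default'

# The whitelisted FMRIs, space separated, with the reasons stripped.
policy_fmris() {
    printf '%s\n' "$SVC_POLICY" | awk 'NF { print $1 }' | tr '\n' ' '
}

# Reads an svcs listing on stdin; prints "keep FMRI" or "disable FMRI"
# for every online service. Disabled or maintenance services are left alone:
# they are not running, so they are not the attack surface being trimmed.
audit_services() {
    policy=$(policy_fmris)
    awk -v policy="$policy" '
        BEGIN { n = split(policy, p, " "); for (k = 1; k <= n; k++) keep[p[k]] = 1 }
        $1 == "STATE"    { next }                      # header line
        $1 != "online"   { next }                      # only running services
        ($3 in keep)     { print "keep    " $3; next }
                         { print "disable " $3 }
    '
}

# Turns the audit into commands for review. -t makes the disable temporary
# (undone at reboot), so a wrong guess costs a reboot, not a broken box.
propose_commands() {
    audit_services | awk '$1 == "disable" { print "svcadm disable -t " $2 }'
}

printf '%s\n' "$SAMPLE_SVCS" | audit_services
echo '--- proposed, not executed:'
printf '%s\n' "$SAMPLE_SVCS" | propose_commands
```

On a real machine, `svcs -a | propose_commands` gives the list to read before anything is touched; the X login service and the RPC portmapper show up in the proposal here precisely because nobody wrote down a reason for them, and the permanent disable should follow only after the temporary one has not broken anything.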
If the vendor's description appears to be confusing nonsense, it may very well be so, even to an expert in the field. One sign of technobabble is a description which uses newly invented terms or trademarked terms without actually explaining how the system works. Technobabble is a good way to confuse a potential user and to mask the vendor's own lack of expertise.
And consider this: if the marketing material isn't clear, why expect the instruction manual to be any better? Even the best product can be useless if it isn't applied properly. If you can't understand what a vendor is saying, you're probably better off finding something that makes more sense.
Last but not least: "Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand." ~ Archibald Putt, Ph.D.
Copyright © 1996-2018 by Dr. Nikolai Bezroukov. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) in the author free time and without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Last modified: March, 12, 2019