January 11, 2001
Chat Title: Security
This is a moderated forum

LizA: Hello, and welcome to Solaris Live. I'm joined today by Martin Hack, Alex Noordergraaf, and Keith Watson, who will answer your questions about Solaris security. Martin is the Product Manager for Trusted Solaris and has a strong background as a UNIX and network administrator who has devoted a lot of time to Solaris and security issues. Alex Noordergraaf has over nine years' experience in the area of computer and network security. He is a Senior Security Architect in the Enterprise Engineering group at Sun, where he is developing, documenting, and publishing security best practices through the Sun BluePrints OnLine program. Keith Watson, please tell us a little about yourself.
Keith W: Hi, I am currently a project engineer with Professional Services and the Product Manager for core Solaris security. In February, I will be dedicated full-time to core Solaris security work.
LizA: Thanks Keith. Now on to our first question.
kev: Which packages can be removed from a core install when building a checkpoint FW?
Keith W: I would suggest that you look at the BigAdmin site under the security link section...
Keith W: It contains several links to various documents. Lance Spitzner has several documents regarding Firewall-1 installations...
martinh: kev, Lance Spitzner (Sun) actually has some very valuable information on this topic...
Keith W: http://www.sun.com/bigadmin/docs/indexSec.html
Ben Lowers: Please differentiate between "core Solaris" and "Trusted Solaris".
martinh: Ben, Trusted Solaris 8 is based on Solaris 8, Tsol8 has some security extensions to cover the needs for separation of data in a highly secure environment
martinh: e.g. Mandatory access control, elimination of root, labeling. Basically it's a multilevel operating environment
mkhan: Where do I go for security info. about solaris?
Keith W: MKhan, http://www.sun.com/security/ , http://www.sun.com/blueprints/browsesubject.html#security , http://www.sun.com/bigadmin/
cygnus: what do you mean by "elimination of root"? How would you maintain the system?
Keith W: Cygnus, elimination of root means decomposing administrative actions into roles assigned to "normal" users.
sgayle: what is the best way to isolate a port off of an authentication server into a PIX?
Keith W: sgayle, please provide some more detail...
Russ: Wait... are there not applications that require a userid of 0?
martinh: Russ, there's still 'root' but he just doesn't have the privileges since they are defined in 'roles' via RBAC
DavidH: How widely used is NIS+ and would you recommend using NIS+?
Keith W: DavidH, NIS+ offers features that no other naming service has...
Keith W: However, there are higher administrative costs associated with it...
Keith W: DavidH, if there is a security need for the naming service, then NIS+ is appropriate
buns.o.steel: Where can one get information/docs on the profiles/roles which are used in Solaris 8?
martinh: bunsos, the profiles already come with Solaris 8, however in the future we'll provide predefined roles, e.g. for web, db, application administration tasks, docs should be available at docs.sun.com
sgayle: Can roles be established on Solaris 7 or is only on the solaris 8 version?
Keith W: sgayle, roles are only available in Solaris 8.
kev: how does the jass scripts hardening scripts compare to yassp
Keith W: kev, they do about the same number of things, but they have different goals...
Keith W: kev, JASS focuses more on initial system hardening of Solaris... goals...
Keith W: kev, while YASSP provides third-party tools and other scripts for securing systems.
sgayle: What I want to do is use a unix box to Authenticate users and then allowing those users that it authenticates to move into a database. Once the user is authenticated on the unix box I want to specify a single port in which all information going to the pix must travel in order to eliminate any outside infiltration.
alexn: sgayle, Sounds as though you really have two questions. First the application authentication problem and then the port issue...
alexn: sgayle, The authentication could be addressed with any number of things like radius, or opie...
alexn: sgayle, the port forwarding / encapsulation can be done by most firewall products such as SunScreen, ipf, or Firewall-1
alexn: sgayle, Does this answer your question?
mkhan: What are the common mistakes organizations make in terms of security?
Keith W: mkhan, the most common mistake is misunderstanding what needs protection...
sgayle: alexn it gives me some resources to look into...
Keith W: mkhan, a security policy is necessary to understand what needs protection and why...
Keith W: mkhan, PS is often asked to look at security issues at an organization. Most often they have no policy, which makes our job difficult to do without knowing what needs protection.
alexn: mkhan, I think that the most common mistake is to not address security at all.
Transim: What are some good resources for creating a security policy?
martinh: transim, it depends on your goals and how much know how you have avail.
Keith W: Transim, the Global Enterprise Security Services team of PS can assist in creating security policies...
Keith W: Transim, the best security policy is one that addresses 1) what needs protection 2) why it needs protection 3) who is responsible for providing that protection
sgayle: what exactly is "PS"?
Keith W: sgayle, PS stands for Professional Services, the consulting arm of Sun.
alexn: transim, First off - don't make your policy too complicated. In addition, there are some books with samples.
omermukthar: Why not SUN come out with built in finger print checking for all the files in an operating system. This might eliminate use of softwares like Tripwire. Can you comment please?
Keith W: omermukt, this is actually a research subject that Solaris engineering is looking into...
mkhan: Doesn't Sun have a firewall?
Keith W: mkhan, yes Sun has the SunScreen firewall product...
Keith W: mkhan, there is also the FREE SunScreen 3.1 Lite for Solaris.
LizA: Martin, Keith, Alex, thank you for a very interesting chat. Do you have any closing comments?
martinh: thanks
Keith W: LizA, Thanks for inviting me. I have enjoyed this chat session and look forward to future ones.
LizA: Thanks to everyone...we will be having more Security chats in the future. Join Solaris Live again on February 6 when our topic is NT Migration.
alexn: Thanks to everyone who participated.