Security pitfalls of multiple servers

It can be the pits, but every box you add creates the potential for an additional security hole—or three or four! During this Guild Meeting TechRepublic's own IT staffers Alan Tooley and John Day helped you uncover traps and render them harmless.

It can be the pits, but every additional box that you add creates the potential for an additional security hole—or three or four! On February 22 TechRepublic’s own IT staffers Alan Tooley and John Day helped you uncover traps and render them harmless. If you couldn’t join us then, enjoy the transcript and we hope to see you on our next live Guild Meeting. You can find a schedule of Guild Meetings in your weekly TechProGuild Notes TechMail, or on the Guild Meeting calendar.

Note: TechProGuild edits Guild Meeting transcripts for clarity.

Welcome to the meeting
MODERATOR: Welcome to tonight's Guild Meeting! Tonight we'll be continuing our discussion of security.

JOHN DAY: Hello, all. John Day from TechRepublic signing in.

MODERATOR: Our first speaker to enter the room is John Day from TechRepublic.

JOHN DAY: Hey Jack.

ALAN TOOLEY: Howdy John, I'm here to start the discussion.

MODERATOR: And now Alan Tooley is here, as well! I want everyone to know that we encourage participation from the audience and hope to answer all your questions!

EINSTEIN: Let's get this party started.

ALAN TOOLEY: Hey, John, are we ready to start?

MIKKILUSA: So, anyone besides me who is not staff?

EINSTEIN: Not staff, technically.

JOHN DAY: Yeah, I was unsure about Einstein.

EINSTEIN: I write tips, but not a staffer.

KETCHAMS: Hello, this is Jim Ketcham.

It’s all about the TR boys
EINSTEIN: How can I be constructive when there is so far no topic? ;-)

MODERATOR: Well I believe I’ll hand the floor over to our speakers.

ALAN TOOLEY: What is the first question for John and myself?

JOHN DAY: I believe the topic is security concerns of multiple servers. (Sorry I'm a last minute sub.)

EINSTEIN: I have a question about the security of cable modems vs. a DSL line.

JOHN DAY: I'm on cable modem now and I'm concerned. DSL is more secure. What's your question?

JACK WALLEN: Run Linux and you won't have any problems with your cable modem.

ALAN TOOLEY: If you stay online all the time you are opening yourself to security risk.

JACK WALLEN: Sorry, I couldn't help myself.

JOHN DAY: Jack, I couldn't type fast enough to get you.

EINSTEIN: True, but what are some things you can do to heighten security (firewall, etc.)? What is THE BEST thing to do?

JOHN DAY: Yes, Alan, I shut my modem off during non-use. I found things running while I was sleeping.

JACK WALLEN: When running multiple servers, is it best to simply rely on a single 'firewall' type machine for their security, or is it best to lock the individual machines down?

JOHN DAY: Very creepy.

ALAN TOOLEY: Yes, Linux is a very secure OS, and it has its security risks as any other.

EINSTEIN: Not all of us use Linux, however.

JOHN DAY: Jack, I say both.

We’re on lock down
LEQUIN: Probably best to lock down one machine and let your other machines access that one using some form of NAT to get out.

MIKKILUSA: And the best firewall software for multiple servers and operating systems is?

JOHN DAY: A firewall for network security but there is no substitute for locking down each server using whatever OS security tools you have.

ALAN TOOLEY: Share the Net is a good package for Home Cable and DSL use.

EINSTEIN: What do you think of Black ICE?

JOHN DAY: I agree, any personal firewall is better than none.

ALAN TOOLEY: But the best defense is a tight security on your server and workstation.

JOHN DAY: Black ICE is new to me.

EINSTEIN: It's new to all.

JACK WALLEN: And what about using multiple servers for a single task, let's say redundancies for file serving, is there a way to secure them down without losing efficiency and security at the same time?

JOHN DAY: I agree Alan.

JACK WALLEN: And what about logging discrepancies? How do you deal with that on multiple servers?

JOHN DAY: Disable MS networking on your cable modem or DSL protocol.

LEQUIN: Black ICE picks up a lot of stuff. Works well, but not very flexible. Can't block individual ports. More of an all or nothing approach.

JOHN DAY: On the server disable HTTP unless needed and any other service not in use.

EINSTEIN: I see.

Let’s start with the basics
JOHN DAY: The basics first.

ALAN TOOLEY: There is always the Cisco PIX solution for a company.

JACK WALLEN: What is the Cisco PIX?

MIKKILUSA: So we run NT NetWare and Solaris servers. What would be the best for all 3?

JOHN DAY: PIX seems to be a good solution for small companies, I agree.

ALAN TOOLEY: Cisco PIX is a hardware solution that allows the user to block certain IP addresses and ports from access.

KETCHAMS: I wouldn't. PIX is just for small companies. It can scale up to 170 mb/sec in traffic.

JOHN DAY: PIX is a viable solution for all three, we use it in that environment.

JACK WALLEN: Sort of like the /etc/hosts.deny file in Linux. ;-)

ALAN TOOLEY: It is a good solution, but starts out around 9K.

JOHN DAY: Agree Jim, small companies or large. Just not for cable or DSL home users.

EINSTEIN: How much more secure is setting up a separate machine to use a firewall (a Linux box) than installing a firewall software package on the main machine?

ALAN TOOLEY: Yes ouch, but worth it when configured correctly.

JOHN DAY: Jack can you say CISCO = $$$

EINSTEIN: For a business, PIX and 9K is fine, but the individual user is not going to want all that (esp. the cost).

ALAN TOOLEY: There are other firewall solutions, but everything has a cost attached to it.

JOHN DAY: I will say that Raptor for NT is full of holes. The Linux version will be out and I'm waiting on that for my opinion on Raptor.

EINSTEIN: Of course.

Isn’t that redundant… redundant?
KETCHAMS: A full redundant Cisco solution runs about 15k.

JOHN DAY: But Raptor is high admin intensive vs. PIX, which seems to be less demanding.

ALAN TOOLEY: I use a Linux base firewall at home and it has done very well, but a good hacker would find some flaw.

MIKKILUSA: Presently we are thinking BorderManager for our firewall. Good answer or not?

EINSTEIN: A GOOD hacker is going to be able to get through no matter what you use.

JOHN DAY: But if the issue is security in general for multiple servers then we aren't just talking about protection from the outside world.

EINSTEIN: True.

ALAN TOOLEY: You have to keep up on all the fix packs to help block hackers, it is almost a daily chore.

EINSTEIN: Is there no easier way?

JOHN DAY: BorderManager came from the Novell side so I question its future presence in the market, just my opinion.

MIKKILUSA: Meaning you think Novell is on its way out, goofy?

ALAN TOOLEY: Well security among multiple servers depends on the servers OSs.

EINSTEIN: Of course, Linux, being the most secure.

JOHN DAY: Einstein, I think easy and simple is block all unused ports, change port numbers where possible and lock down servers. Unless you really made someone mad you're probably safe, probably.

ALAN TOOLEY: You can tighten down the UNIX world with /etc/hosts.deny or allow if configured correctly.

JOHN DAY: And yes stick a fork in Novell.

Stick a fork in it, I think it's done
EINSTEIN: Reasonable advice.

JOHN DAY: Yeah, let's keep Jack from having to type too much.

ALAN TOOLEY: UNIX by nature is a very secure OS, well, I did see a friend hack a Sun server in 10 minutes.

EINSTEIN: That's impressive. I can only aspire to those types of accomplishments. :-)

ALAN TOOLEY: But the security holes had never been patched. Patching is a key to a secure box, as well as turning off unnecessary ports and services.

JOHN DAY: I agree it takes skill to hack a non-GUI OS so that stops about 90% of the people I know.

JACK WALLEN: If you could outline an affordable yet usable and secure system for a small business wanting to run a LAN, POP server, file and print server, with heavy traffic, what would you lay out?

ALAN TOOLEY: Physical security is also necessary.

EINSTEIN: OK, so how does one go about turning off ports (forgive my ignorance)?

LEQUIN: Gw4, how do you hack a "GUI" OS remotely?

ALAN TOOLEY: I have used Share the Net and it has worked fine. It is a Linux firewall, NAT, DHCP server on floppy disk with a Web interface.

JOHN DAY: Buy a Linux box and run a POP server and put it in front of a Cisco router. Disable all non-used ports, open port 80, and use NAT on the Cisco for access to the Internet.

ALAN TOOLEY: It depends on the OS, you turn off services in NT.

JOHN DAY: Then I would put everything on DHCP on an NT server to get cheap admin and support staff and pass my POP mail to Exchange inside the firewall and try to go un-noticed.

JOHN DAY: Of course that means no MP3 from the Web.

JACK WALLEN: Gettin' personal. ;-)

Can we get personal?
JOHN DAY: I believe in keeping it simple, but for a small co. that is the best you can do.

MIKKILUSA: No MP3, oh no, what will users do, oh I know, WORK.

ALAN TOOLEY: You don't have to stop MP3s you just open another security hole to let it in.

JOHN DAY: To protect Web sites and a heavy online presence I would go with PIX and hire a security heavy.

JOHN DAY: Or just build your own MP3 server. ;O)

JACK WALLEN: That brings up a point, if in a company setting you had special needs. Let’s say a group of Linux users. What are your thoughts on setting up separate servers for separate needs like a Quake server or something? And how would you integrate that into your standard security plan?

EINSTEIN: Honestly, with all of the newfound free i-drives, x-drives, net-drives, etc., why would you want to host an MP3 server anymore?

JOHN DAY: But we haven't addressed the inside threat of multiple servers. While firewalls are great, NT by nature is open to all domain users unless you shut it down.

JACK WALLEN: I personally don't trust the Web storage. Not at all.

ALAN TOOLEY: Most corps wouldn't allow it, but a small company would probably allow it.

EINSTEIN: I think the ultimate solution involves getting rid of NT. :-)

JOHN DAY: Me either Jack, I just met today about a Web-based HR app and Alan and I both have security issues.

JACK WALLEN: It's something you, as a user, have no control over. They go down, or out of business, and you lose!

No one wants to be the loser
JOHN DAY: Here is my two and a 1/2 cents worth. NT is made to "work" out of the box without a lot of brains on the part of the admin staff.

ALAN TOOLEY: NT isn't bulletproof, but its drawback is everyone has full access, while UNIX is none and builds from there. The latter is preferred by me.

JOHN DAY: While easy to install it needs tailoring to be secure.

JACK WALLEN: But don't you see how Linux is creeping up on NT's out of the box usability? Look at Red Hat 6.1 or Corel.

JOHN DAY: Novell and UNIX (read Linux) require expertise to set up but are secure because each service and access has to be made available so it is more secure by nature.

JACK WALLEN: And tying multiple servers together with the Linux OS is pretty simple, so I’ve heard.

EINSTEIN: I think a large problem is that businesses are hiring people with no brains that need NT, when good admins should have a strong UNIX background and be forced to use it for these issues.

JACK WALLEN: Bingo!

JOHN DAY: NT can be as secure in the hands of a very skilled admin (not that I am one), it just takes planning.

ALAN TOOLEY: It is getting greater acceptance from the small to medium company, but large companies still haven't embraced it yet.

WELL: Hi, are there any security/problems faced by Win NT 4?

JACK WALLEN: I'd think that larger companies would be sticking with Sun for their server needs.

EINSTEIN: Again, where is the skill.

You gotta have skills
JACK WALLEN: And is Win2000 going to do anything for the multiple server space?

EINSTEIN: Good question.

JACK WALLEN: Sorry... I hate to use that phrase 'space'.

JOHN DAY: I think Win2000 will address the multiple server issues but it creates as many security issues as it solves.

JACK WALLEN: Sounds familiar with M$.

EINSTEIN: Indeed.

ALAN TOOLEY: Win2000 will make it easier not to have multiple groups for different apps.

MIKKILUSA: 60000 errors, there might be a few in securities, you think?

EINSTEIN: Very possible. :-)

JACK WALLEN: Can you overcome Exchange's user limits by tying together multiple units?

JOHN DAY: 63000.

MIKKILUSA: I stand corrected, or did you find those other 3000 today, goofy?

ALAN TOOLEY: You have to be methodical in the design of security on any OS that you want to secure. If you only take the easy route, holes appear.

JOHN DAY: No, MS denies that I found them. ;O)

ALAN TOOLEY: Do you want a security nazi or the open system or the middle of the road?

EINSTEIN: A happy medium is what I want.

ALAN TOOLEY: Most people do. If you feel secure from the outside threat, do you feel secure from the inside threat?

MIKKILUSA: We have GTE peddling security to us, doing it all: firewall and reading all the log files. What, if anything, have you guys heard of their service?

What have you heard?
JOHN DAY: FYI to all, Alan and I are forming TechProGuild's security team, I come from the small shop jack of all trades background and work to stop the basic security holes while Alan works to stop the other 10%. Together we form a pretty good team. And I'll take the open system. Die security NAZI.

EINSTEIN: Alan takes the nazi?

JOHN DAY: No not really.

MIKKILUSA: Sure you’re not a comedy team also?

JACK WALLEN: What about log files? As an admin, checking log files is tantamount to success. When running multiple servers, is there a way to keep log files either located centrally or appended? I know many Linux apps can do things like mail log files to the admin.

JOHN DAY: And I feel more unsecured from an inside threat than outside.

EINSTEIN: :-) The world's first stand up security comedy team.

MIKKILUSA: I think maybe you're sitting down?

ALAN TOOLEY: Mail the logs to a central server and have a Perl script check for certain syntax.

MIKKILUSA: So I take it no one has heard of GTE's services?

EINSTEIN: There are some nifty Windows utilities that can e-mail log files without anyone being the wiser.

EINSTEIN: Not I.

JOHN DAY: Yes log files are important because they show you the unsuccessful attempts which help you block those holes.

JACK WALLEN: Do you use Perl a lot, in Winders-land, for log rotation and maintenance?

JOHN DAY: GTE's services are a new one on me, anyone?

EINSTEIN: Unfortunately, if you get the right hacker, log files of passwords and such can be e-mailed out as well. ;-)

Show me the money! If you have it.
LEQUIN: If your company has any money, use a tool like Axent or ISS's IDS programs. Based on SNMP or e-mail alerts you can collect all of the info you want.

ALAN TOOLEY: AT&T is another one with a healthy price tag.

LEQUIN: They will catch network attacks, host-based attacks, and stupidity from your SA community.

JOHN DAY: Very healthy as we know.

ALAN TOOLEY: We started using Perl to monitor our log files for UNIX and NT at my last company. It was doing a fine job.

JACK WALLEN: What about databases? SQL servers are so well known for having huge security holes! Especially when run on MS (I refer to the recent credit card number theft that proliferated on the Net).

EINSTEIN: Perl is, from what I hear, pretty powerful. True, Oracle is much more secure.

JOHN DAY: SQL and any database has security holes but most are caused by lazy application programming.

JACK WALLEN: Isn't that the case with most all security problems... lazy admins and programmers?

ALAN TOOLEY: It is. If the app or OS can produce an ASCII text file, it can be parsed by Perl and forwarded to an e-mail address when an abnormal security issue appears.

JOHN DAY: Many rely on one account to access reporting tools or queries, bypassing OS security, UNIX or NT.

EINSTEIN: I think if a log file is being e-mailed at all, there is a whole new risk.

JOHN DAY: I always pound vendors on reporting tool security because this reporting is usually an afterthought.

Don’t be sloppy
ALAN TOOLEY: Sloppy admin work is the cause for a lot of security holes, but when they try to fix them people don't like it and complain.

JOHN DAY: Agree Alan, it's an ease of use vs. security issue.

ALAN TOOLEY: When we recently wanted to tighten down security, a lot of flack was raised.

EINSTEIN: Back to my previous statement of businesses hiring uneducated or lazy admins.

MIKKILUSA: Ouch Einstein.

EINSTEIN: Sorry, perhaps a bit harsh, but why hire someone if they can’t do the utmost for your company.

ALAN TOOLEY: Well Einstein, if we tried to tighten down the security and it caused you a few extra steps, would you complain?

EINSTEIN: Nope. Not to say that others wouldn't.

WELL: Can anyone answer my questions in the forum under e-mail?

ALAN TOOLEY: Well I'm glad to hear it. Most of the complaints come from upper management.

MIKKILUSA: OK with time short how about some good Web sites for us to use for continued education?

EINSTEIN: Don't they always, in any case?

JOHN DAY: Einstein my only comment is that I agree about lazy but uneducated I don't know about. I have found that some admins take it too far and forget that IT has to meet the way users do business or we aren't fitting their business needs.

JACK WALLEN: www.techrepublic.com.

ALAN TOOLEY: Go to www.sans.org/snap.htm.

It’s almost over
MIKKILUSA: Jwallen that is obvious. Any more?

JOHN DAY: www.securityportal.com. Tell me what you think. It rocks.

JACK WALLEN: There's also security focus.

EINSTEIN: Sorry, www.securityfocus.com.

ALAN TOOLEY: www.microsoft.com/security.

JOHN DAY: What? MS and security an oxymoron?

EINSTEIN: Of course you would ALL know about security focus, if you subscribed to the Web Sentinel TechMail under TR.

WELL: The question is, is there any way to escape capture by the log file in the Netscape Messenger Server?

ALAN TOOLEY: If you would like more, send to TechRepublic for a list. Paul Baldwin wrote an article on security sites.

WELL: Any input?

JOHN DAY: Sorry Well, I'm not Netscape savvy. I've been assimilated.

ALAN TOOLEY: I'm not familiar with Netscape server, sorry.

MODERATOR: 5 minute warning folks!

EINSTEIN: Let's not fizzle.

WELL: Any idea how to find the solutions?

EINSTEIN: Any last words of wisdom, gurus?

JACK WALLEN: LINUX.

WELL: Too fast, let's have another session for this topic, as I'm busy now.

MODERATOR: Actually we do have 3 more Guild Meetings this month on security. Tues. and Thurs. nights at 9 pm.

Join us next time
ALAN TOOLEY: UNIX or NT, there are security risks on both; you have to tighten them both down and patch.

MODERATOR: Thank you all for coming. Be sure to join us next week. Same time, same station, same bat channel.

EINSTEIN: Let’s hear it for Security!