Published: 27 Sep 2005
On a recent visit to Alaska, where nature manifests its power on an awe-inspiring scale, the unspoiled mountains, glaciers and clear air made me think about the basics, including the basics of security. Walking across glaciers is risky and requires constant vigilance to avoid cracks and crevasses. But, with the right tools and expertise, you can navigate the treacherous landscape with relative ease. The same holds true for security. In order to gain confidence and ensure vulnerabilities don't fall through the cracks, you'll need the proper instruments.
A precheck routine will provide an inventory of what's on the systems you want to protect--the OS, applications and services--and what services are visible.
A good set of scripts for checking host security from the inside is also important. The Center for Internet Security (CIS), at www.cisecurity.org, provides free system configuration guides and scoring scripts that cover Windows, Solaris, Linux, IOS and other platforms, and even a few critical applications such as Web servers and databases. It offers scripts that score how closely your system adheres to its guidelines. While not perfect, the CIS benchmarks can help elevate your system to a state of secure operational readiness.
If you are running Solaris, you should also try the Solaris Security Toolkit (formerly known as the JumpStart Architecture and Security Scripts), which provides a flexible and extensible mechanism to harden and audit Solaris OSes. The toolkit (www.sun.com/software/security/jass/) is based on security best practices and customer feedback, and can be used to secure SPARC-based and x86/x64-based systems.
Over time, the network landscape will change, and good change configuration control is required to ensure your security baseline doesn't become obsolete. Regularly perform discovery scans with tools such as Nmap and Nessus to determine any changes, and to know what the rest of the world can and cannot see on your Internet-connected network. It may also be to your advantage to have a DSL or cable modem account located off premises to get valid outside scan results.
Another free tool worth considering is the SAMHAIN file integrity and intrusion detection kit (http://la-samhna.de/samhain/), which provides centralized monitoring through a Web-based management console supporting multiple logging facilities, and tamper protection using PGP-signed databases and configuration files. It's designed to monitor multiple hosts with different OSes from a central location, although it can also be used as a stand-alone application on a single host. SAMHAIN isn't for the faint of heart, but you wouldn't be in the business of providing security if you didn't have some appetite for adventure.
Like any journey, it's often the process of the adventure and not the destination that is most exciting, and security is most certainly an ongoing process. To make sense of the scenery along the way, tools like Logwatch (www.logwatch.org), a customizable log analysis system that parses through the logs you specify to create a report based on selected criteria, can also help you along the way. Logwatch can be as verbose or as sparse as you'd like. It has built-in filters for a variety of programs and works out of the box on most systems.
These tools will get you started on your security journey. Of course, they are only as good as the people who run them. Nobody will attempt to cross a glacier without a good team--preferably with lots of experience in rough terrain--so choose yours wisely.