ch17.htm

来自「Maximum Security (First Edition) 网络安全 英文」· HTM 代码 · 共 1,284 行 · 第 1/5 页

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>

<HEAD>
	
	<TITLE>Maximum Security -- Ch 17 -- UNIX: The Big Kahuna</TITLE>
</HEAD>

<BODY TEXT="#000000" BGCOLOR="#FFFFFF">

<CENTER>
<H1><IMG SRC="../button/samsnet.gif" WIDTH="171" HEIGHT="66" ALIGN="BOTTOM" BORDER="0"><BR>
<FONT COLOR="#000077">Maximum Security: </FONT></H1>
</CENTER>
<CENTER>
<H2><FONT COLOR="#000077">A Hacker's Guide to Protecting Your Internet Site and Network</FONT></H2>
</CENTER>
<CENTER>
<P><A HREF="../ch16/ch16.htm"><IMG SRC="../button/previous.gif" WIDTH="128" HEIGHT="28"
ALIGN="BOTTOM" ALT="Previous chapter" BORDER="0"></A><A HREF="../ch18/ch18.htm"><IMG
SRC="../button/next.gif" WIDTH="128" HEIGHT="28" ALIGN="BOTTOM" ALT="Next chapter"
BORDER="0"></A><A HREF="../index.htm"><IMG SRC="../button/contents.gif" WIDTH="128"
HEIGHT="28" ALIGN="BOTTOM" ALT="Contents" BORDER="0"></A> 
<HR>

</CENTER>
<CENTER>
<H1><FONT COLOR="#000077">17</FONT></H1>
</CENTER>
<CENTER>
<H1><FONT COLOR="#000077">UNIX: The Big Kahuna</FONT></H1>
</CENTER>
<P>Some things need to be said about this chapter and the way it was written. As
I sat before my machine, a blank page staring me in the face, I contemplated how
I would structure this chapter. There were shadows looming over me and I want to
discuss them here.</P>
<P>UNIX folks are a breed unto themselves. Some may know firewalls, some may know
scanners, some may know exploit scripts, and so forth. However, they all share one
common thing: They know their operating system exceedingly well. The average UNIX
system administrator has probably written his own printer drivers on more than one
occasion. He has also likely taken the source code for various stock utilities and
reworked them to his own particular taste. So this chapter--to be any good at all--has
to be filled with technical information of practical value.</P>
<P>Conversely, there are a lot of readers scouring these pages to learn about basic
UNIX system security. Perhaps they recently installed Linux or FreeBSD because it
was an inexpensive choice for a quick Web server solution. Perhaps they have had
a UNIX box serving as a firewall at their offices--maintained by some outside technician--and
they want to know what it actually does. Or perhaps this class of readers includes
journalists who have no idea about UNIX and their editors have requested that they
learn a little bit.</P>
<P>I considered all these things prior to writing even a single paragraph. What was
the end result? A long chapter. UNIX folks can cut to the chase by breezing through
each section. (There are tidbits here and there where important information appears,
so keep an eye out.) The rest of the folks can read the chapter as an entire block
and learn the following:

<UL>
	<LI>What security holes exist
	<LI>Where they exist
	<LI>Why they exist
	<LI>What utilities are available to plug them
</UL>

<P>I hope this chapter will be of value to all. Also, because UNIX security is so
complex, I am sure I have missed much. However, whole volumes are written on UNIX
security and these still sometimes miss information. Therefore, we venture forth
together, doing as best we can under the constraints of this book.
<H2><FONT COLOR="#000077"><B>The UNIX Platform Generally</B></FONT></H2>
<P>The UNIX platform has evolved over the years. Today, it can be defined as a 32-
(or 64-) bit multitasking, multiuser, networked operating system. It has advanced
security features, including discretionary access control, encryption, and authentication.
<H3><FONT COLOR="#000077"><B>Can UNIX Be Secure?</B></FONT></H3>
<P>UNIX can be secure. However, it is not secure in its native state (that is, out
of the box). Out-of-the-box weaknesses exist for every flavor of UNIX, although some
distributions are more insecure than others. Certain versions of IRIX (SGI), for
example, or most early versions of Linux have Class A or B holes. (Those holes allow
outsiders to gain unauthorized access.) These holes are not a terminal problem (no
pun intended); they simply need to be plugged at first installation. That having
been done, these versions of UNIX are not different from most other versions of nonsecure
UNIX.
<H3><FONT COLOR="#000077"><B>What Is &quot;Secure&quot; UNIX?</B></FONT></H3>
<P>What is secure UNIX (or as it is sometimes called, <I>trusted UNIX</I>)? Secure
UNIX is any UNIX platform that been determined by the National Security Agency (NSA)
to have excellent security controls. These versions must be on the NSA's Evaluated
Product List (EPL). Products on this list have been rigorously tested under various
conditions and are considered safe for use involving semi-sensitive data.</P>
<P>This evaluation process is under the Trusted Product Evaluation Program, which
is conducted on behalf of the National Computer Security Center, and both organizations
are elements of the National Security Agency. These are the people who determine
what products are &quot;safe&quot; for use in secure and semi-secure environments.</P>
<P>The products are rated according to a predefined index. This index has various
levels of &quot;assurance,&quot; or <I>classes,</I> of security. As described in
the TPEP FAQ:

<DL>
	<DD>A class is the specific collection of requirements in the Trusted Computer System
	Evaluation Criteria (TCSEC) to which an evaluated system conforms. There are seven
	classes in the TCSEC: A1, B3, B2, B1, C2, C1, and D, in decreasing order of features
	and assurances. Thus, a system evaluated at class B3 has more security features and/or
	a higher confidence that the security features work as intended than a system evaluated
	at class B1. The requirements for a higher class are always a superset of the lower
	class. Thus a B2 system meets every C2 functional requirement and has a higher level
	of assurance.
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>&quot;TPEP FAQ: What
	Is a Class?&quot; can be found online at <A HREF="http://www.radium.ncsc.mil/tpep/process/faq-sect3.html#Q4"><TT>http://www.radium.ncsc.mil/tpep/process/faq-sect3.html#Q4</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>The two UNIX products that are positioned highest on the list (levels B3 and B2,
respectively) are identified in Table 17.1. According to the National Security Agency,
these are the most secure operating systems on the planet.
<H4><FONT COLOR="#000077"><B>Table 17.1. Trusted, secure UNIX products.</B></FONT></H4>
<P>
<TABLE BORDER="1">
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT"><I>Operating System</I></TD>
		<TD ALIGN="LEFT"><I>Vendor</I></TD>
		<TD ALIGN="LEFT"><I>Class</I></TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT">XTS-300 STOP 4.1a*</TD>
		<TD ALIGN="LEFT">Wang Federal, Inc.</TD>
		<TD ALIGN="LEFT">B3</TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT">Trusted XENIX 4.0*</TD>
		<TD ALIGN="LEFT">Trusted Information Systems, Inc.</TD>
		<TD ALIGN="LEFT">B2</TD>
	</TR>
</TABLE>
</P>
<P>*These operating systems have earlier versions that have all been determined to
be in the same category. I have listed only the latest versions of these products.</P>
<P>To examine earlier versions (and their ratings), refer to <A HREF="http://www.radium.ncsc.mil/tpep/epl/epl-by-class.html"><TT>http://www.radium.ncsc.mil/tpep/epl/epl-by-class.html</TT></A>.
Wang Federal's XTS-300/STOP 4.1a is not just an operating system, but an entire package.
It consists of both hardware (Intel 80486 PC/AT, EISA bus system) and software (the
STOP 4.1a operating system). It sports a UNIX-like interface at lower levels of the
system. At higher levels, it utilizes a hierarchical file system. This operating
system has extreme DAC (data access control) and is suitable for sensitive work.
STOP 4.1a has the very highest rating of any operating system. As reported by the
EPL:

<DL>
	<DD>Beyond the minimal requirements for a B3 system, the XTS-300 provides a mandatory
	integrity policy, an extra subtype policy, and a familiar, UNIX-like environment
	for single-level applications. Integrity can be used for, among other things, virus
	protection. The UNIX-like environment supports binary compatibility and will run
	many programs imported from other systems without recompilation.
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>You can find this report
	by the EPL online at <A HREF="http://www.radium.ncsc.mil/tpep/epl/epl-by-class.html"><TT>http://www.radium.ncsc.mil/tpep/epl/epl-by-class.html</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>Some night when you have a little play time, you should visit Wang Federal's site
(<A HREF="http://www.wangfed.com/"><TT>http://www.wangfed.com/</TT></A>). The Technical
Overview of the XTS-300 system will dumbfound you. At every level of the system,
and for each database, application, user, terminal, and process, there is a level
of security. It operates using a construct referred to as &quot;rings of isolation.&quot;
Each ring is exclusive. To give you an idea of how incredibly tight this security
system is, consider this: Ring 0--the highest level of security--is totally unreachable
by users. It is within this ring that I/O device drivers reside. Therefore, no one,
at any time, can gain unauthorized access to device drivers. Even processes are restricted
by ring privileges, allowed to interact only with those other processes that have
the same or lesser ring privileges. Incredible. But it gets better. If a terminal
is connected to a process that has a very low level of ring privilege, that terminal
cannot simultaneously connect to another process or terminal maintaining a higher
one. In other words, to connect to the process or terminal with a higher privilege,
you must first &quot;cut loose&quot; the lower-privileged process. That is true security
(especially because these conventions are enforced within the system itself).


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Wang Federal is the leading
	provider of TEMPEST technology, which is designed to defeat the interception and
	analysis of the electronic emanations coming from your computer. These electronic
	signals can &quot;leak out&quot; and be intercepted (even as far as several hundred
	yards away). TEMPEST technology can prevent such interception. This prevention generally
	involves encasing the hardware into a tight, metal construct beyond which radiation
	and emanations cannot escape. To see a photograph of what such a box looks like,
	visit <A HREF="http://ww.wangfed.com/products/infosec/pictures/tw3.gif"><TT>http://ww.wangfed.com/products/infosec/pictures/tw3.gif</TT></A>.
	It looks more like a safe than a computer system. 
<HR>


</BLOCKQUOTE>

<P>An interesting bit of trivia: If you search for holes in any of Wang Federal's
products, you will be searching a long, long time. However, in one obscure release
of STOP (4.0.3), a bug did exist. Very little information is available on this bug,
but a Defense Data Network (DDN) advisory was issued about it June 23, 1995. Check
that advisory for yourself. It is rather cryptic and gives away little about the
vulnerability, but it is interesting all the same.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>You can find the DDN
	advisory about STOP online at at <A HREF="ftp://nic.ddn.mil/scc/sec-9529.txt"><TT>ftp://nic.ddn.mil/scc/sec-9529.txt</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>The next product down is Trusted XENIX, an operating system manufactured by Trusted
Information Systems, Inc. You may recognize this name because this company creates
firewall products (such as the famous Firewall Tool Kit and a tool called Gauntlet,
which is a formidable firewall package). TIS has developed a whole line of not just
security products, but policies and theories. TIS has been in the security business
for some time.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Please take a moment
	to check out TIS at <A HREF="http://www.tis.com/"><TT>http://www.tis.com/</TT></A>
	or examine products at <A HREF="http://www.tis.com/docs/products/index.html"><TT>http://www.tis.com/docs/products/index.html</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>Trusted XENIX is a very security-enhanced version of UNIX (and bears little resemblance
to the Microsoft XENIX product of years ago). This product's security is based on
the Bell and LaPadula model.</P>
<P>Many users may be wondering what the Bell and LaPadula model is. This is a security
model utilized by United States military organizations. It is described in <I>Department
of Defense Trusted Computer System Evaluation Criteria</I> (also known as the Orange
Book, out of the &quot;Rainbow Book&quot; series) as &quot;...an abstract formal
treatment of DoD (Department of Defense) security policy....&quot;</P>
<P>As reported in the Orange Book: