Unix network security (was "CERT Internet Security Advisory")

Barry Shein bzs at bu-cs.BU.EDU
Mon Aug 21 04:27:51 AEST 1989


Rather than a list of hosts you can log in from (that makes me
uncomfortable, except for root and other priv'd accounts) why not
extend the rlogin .rhosts idea to three levels: No Password, Normal
login, Paranoid login.

By Paranoid login I mean implementing one of these various ideas using
challenges or secondary passwords etc. At least it can be used to
throw some more obstacles in the way.

The problem, ultimately, is that the crackers generally get in via
trap-doors, either out and out bugs or subtleties no one had thought
of before. Including non-computer attacks (like looking through
printouts.)

In addition, whatever you do just challenges the cracker to try a
different solution. Only allowing me to log into your system from
certain sites challenges me to fool your computer into thinking that
I'm coming from one of those sites (which is usually not very hard to
guess if I know anything about the topology of your network or even
just scan mailing lists and/or newsgroups for lists of machines you
seem to use, or just finger around, or send mail to yourname at various and
see if I get an error return.)

The security biz is subtle, you have to pick your trade-offs
carefully.

-- 
	-Barry Shein

Software Tool & Die, Purveyors to the Trade
1330 Beacon Street, Brookline, MA 02146, (617) 739-0202
Internet: bzs at skuld.std.com
UUCP:     encore!xylogics!skuld!bzs or uunet!skuld!bzs


