Connecting a Unix computer to the Internet is not an action that should be taken lightly. Although the TCP/IP protocol suite and the Unix operating system themselves have few inherent security problems, many security flaws have been found with their specific implementations and distributions. Before you place a Unix computer on the Internet, you must make certain that no security problems have been reported with the specific software release that you intend to use. Otherwise, you may find that your machine is identified, broken into, and compromised before you even have a chance to download the latest software patch! Generally speaking, there are two ways to assure the security of a Unix system that you intend to place on the Internet:
You can combine these two approaches if you wish. For example, you could purchase a SPARC-based computer, but instead of running Sun's Solaris, run a copy of OpenBSD. There are few known exploits for the OpenBSD operating system; if new exploits are discovered, it is likely that they will be developed for OpenBSD running on Intel, rather than OpenBSD running on SPARC-based systems. (Note, however, that using an unusual combination of software and hardware does not mean that you can stop watching for security vulnerability announcements and applying patches as necessary. Furthermore, using unusual systems may leave you vulnerable to exploits that have simply not been addressed on your system because nobody has gotten around to them yet.)

No matter what underlying hardware and software you decide upon, you need to understand the specific services that your Unix-based computer is making available to the Internet. There are literally thousands of network servers available for hundreds of Internet protocols that run on Unix systems. Each of these servers has its own security issues. While this chapter cannot discuss them all, it does introduce the most popular ones, explore their security issues, and give you a framework for understanding other servers that we do not mention. For additional information on Unix Internet servers and their security issues, we especially recommend the following books:
Other references are listed in Appendix C.