Practical UNIX and Internet Security: Securing Solaris, Mac OS X, Linux & Free BSD
When Practical Unix Security was first published more than a decade ago, it became an instant classic. Crammed with information about host security, it saved many a Unix system administrator from disaster. The second edition added much-needed Internet security coverage and doubled the size of the original volume. The third edition is a comprehensive update of this very popular book - a companion for the Unix/Linux system administrator who needs to secure his or her organization's system, networks, and web presence in an increasingly hostile world. Focusing on the four most popular Unix variants today—Solaris, Mac OS X, Linux, and FreeBSD—this book contains new information on PAM (Pluggable Authentication Modules), LDAP, SMB/Samba, anti-theft technologies, embedded systems, wireless and laptop issues, forensics, intrusion detection, chroot jails, telephone scanners and firewalls, virtual and cryptographic filesystems, WebNFS, kernel security levels, outsourcing, legal issues, new Internet protocols and cryptographic algorithms, and much more. Practical Unix & Internet Security consists of six parts:
  • Computer security basics: introduction to security problems and solutions, Unix history and lineage, and the importance of security policies as a basic element of system security.
  • Security building blocks: fundamentals of Unix passwords, users, groups, the Unix filesystem, cryptography, physical security, and personnel security.
  • Network security: a detailed look at modem and dialup security, TCP/IP, securing individual network services, Sun's RPC, various host and network authentication systems (e.g., NIS, NIS+, and Kerberos), NFS and other filesystems, and the importance of secure programming.
  • Secure operations: keeping up to date in today's changing security world, backups, defending against attacks, performing integrity management, and auditing.
  • Handling security incidents: discovering a break-in, dealing with programmed threats and denial of service attacks, and legal aspects of computer security.
  • Appendixes: a comprehensive security checklist and a detailed bibliography of paper and electronic references for further reading and research.
Packed with 1000 pages of helpful text, scripts, checklists, tips, and warnings, this third edition remains the definitive reference for Unix administrators and anyone who cares about protecting their systems and data from today's threats.
1140203397
Practical UNIX and Internet Security: Securing Solaris, Mac OS X, Linux & Free BSD
When Practical Unix Security was first published more than a decade ago, it became an instant classic. Crammed with information about host security, it saved many a Unix system administrator from disaster. The second edition added much-needed Internet security coverage and doubled the size of the original volume. The third edition is a comprehensive update of this very popular book - a companion for the Unix/Linux system administrator who needs to secure his or her organization's system, networks, and web presence in an increasingly hostile world. Focusing on the four most popular Unix variants today—Solaris, Mac OS X, Linux, and FreeBSD—this book contains new information on PAM (Pluggable Authentication Modules), LDAP, SMB/Samba, anti-theft technologies, embedded systems, wireless and laptop issues, forensics, intrusion detection, chroot jails, telephone scanners and firewalls, virtual and cryptographic filesystems, WebNFS, kernel security levels, outsourcing, legal issues, new Internet protocols and cryptographic algorithms, and much more. Practical Unix & Internet Security consists of six parts:
  • Computer security basics: introduction to security problems and solutions, Unix history and lineage, and the importance of security policies as a basic element of system security.
  • Security building blocks: fundamentals of Unix passwords, users, groups, the Unix filesystem, cryptography, physical security, and personnel security.
  • Network security: a detailed look at modem and dialup security, TCP/IP, securing individual network services, Sun's RPC, various host and network authentication systems (e.g., NIS, NIS+, and Kerberos), NFS and other filesystems, and the importance of secure programming.
  • Secure operations: keeping up to date in today's changing security world, backups, defending against attacks, performing integrity management, and auditing.
  • Handling security incidents: discovering a break-in, dealing with programmed threats and denial of service attacks, and legal aspects of computer security.
  • Appendixes: a comprehensive security checklist and a detailed bibliography of paper and electronic references for further reading and research.
Packed with 1000 pages of helpful text, scripts, checklists, tips, and warnings, this third edition remains the definitive reference for Unix administrators and anyone who cares about protecting their systems and data from today's threats.
54.95 In Stock
Practical UNIX and Internet Security: Securing Solaris, Mac OS X, Linux & Free BSD

Practical UNIX and Internet Security: Securing Solaris, Mac OS X, Linux & Free BSD

Practical UNIX and Internet Security: Securing Solaris, Mac OS X, Linux & Free BSD
Add to Wishlist
Practical UNIX and Internet Security: Securing Solaris, Mac OS X, Linux & Free BSD

Practical UNIX and Internet Security: Securing Solaris, Mac OS X, Linux & Free BSD

Overview

When Practical Unix Security was first published more than a decade ago, it became an instant classic. Crammed with information about host security, it saved many a Unix system administrator from disaster. The second edition added much-needed Internet security coverage and doubled the size of the original volume. The third edition is a comprehensive update of this very popular book - a companion for the Unix/Linux system administrator who needs to secure his or her organization's system, networks, and web presence in an increasingly hostile world. Focusing on the four most popular Unix variants today—Solaris, Mac OS X, Linux, and FreeBSD—this book contains new information on PAM (Pluggable Authentication Modules), LDAP, SMB/Samba, anti-theft technologies, embedded systems, wireless and laptop issues, forensics, intrusion detection, chroot jails, telephone scanners and firewalls, virtual and cryptographic filesystems, WebNFS, kernel security levels, outsourcing, legal issues, new Internet protocols and cryptographic algorithms, and much more. Practical Unix & Internet Security consists of six parts:
  • Computer security basics: introduction to security problems and solutions, Unix history and lineage, and the importance of security policies as a basic element of system security.
  • Security building blocks: fundamentals of Unix passwords, users, groups, the Unix filesystem, cryptography, physical security, and personnel security.
  • Network security: a detailed look at modem and dialup security, TCP/IP, securing individual network services, Sun's RPC, various host and network authentication systems (e.g., NIS, NIS+, and Kerberos), NFS and other filesystems, and the importance of secure programming.
  • Secure operations: keeping up to date in today's changing security world, backups, defending against attacks, performing integrity management, and auditing.
  • Handling security incidents: discovering a break-in, dealing with programmed threats and denial of service attacks, and legal aspects of computer security.
  • Appendixes: a comprehensive security checklist and a detailed bibliography of paper and electronic references for further reading and research.
Packed with 1000 pages of helpful text, scripts, checklists, tips, and warnings, this third edition remains the definitive reference for Unix administrators and anyone who cares about protecting their systems and data from today's threats.

Product Details

ISBN-13: 9780596003234
Publisher: O'Reilly Media, Incorporated
Publication date: 02/20/2003
Edition description: Third Edition
Pages: 986
Product dimensions: 7.00(w) x 9.19(h) x 2.06(d)

About the Author

Simson Garfinkel, CISSP, is a journalist, entrepreneur, and international authority on computer security. Garfinkel is chief technology officer at Sandstorm Enterprises, a Boston-based firm that develops state-of-the-art computer security tools. Garfinkel is also a columnist for Technology Review Magazine and has written for more than 50 publications, including Computerworld, Forbes, and The New York Times. He is also the author of Database Nation; Web Security, Privacy, and Commerce; PGP: Pretty Good Privacy; and seven other books. Garfinkel earned a master's degree in journalism at Columbia Universityin 1988 and holds three undergraduate degrees from MIT. He is currently working on his doctorate at MIT's Laboratory for Computer Science.

Gene Spafford, Ph.D., CISSP, is an internationally renowned scientist and educator who has been working in information security, policy, cybercrime, and software engineering for nearly two decades. He is a professor at Purdue Universityand is the director of CERIAS, the world's premier multidisciplinary academic center for information security and assurance. Professor Spafford and his students have pioneered a number of technologies and concepts well-known in security today, including the COPS and Tripwire tools, two-stage firewalls, and vulnerability databases. Spaf, as he is widely known, has achieved numerous professional honors recognizing his teaching, his research, and his professional service. These include being named a fellow of the AAAS, the ACM, and the IEEE; receiving the National Computer Systems Security Award; receiving the William Hugh Murray Medal of the NCISSE; election to the ISSA Hall of Fame; and receiving the Charles Murphy Award at Purdue. He was named a CISSP, honoris causa in 2000. In addition to over 100 technical reports and articles on his research, Spaf is also the coauthor of Web Security, Privacy, and Commerce, and was the consulting editor for Computer Crime: A Crimefighters Handbook (both from O'Reilly).

Alan Schwartz, Ph.D. is an assistant professor of clinical decision making in the Departments of Medical Education and Pediatrics at the University of Illinois at Chicago. He is also the author of Managing Mailing Lists and the coauthor of Stopping Spam (both from O'Reilly). He serves as a consultant on Unix system administration for several ISPs. In his spare time, he develops and maintains the PennMUSH MUD server and brews beer and mead with his wife, with whom he also develops and maintains their son. Turn-ons for Alan include sailing, programming in Perl, playing duplicate bridge, and drinking Anchor Porter. Turn-offs include spam and watery American lagers.

Read an Excerpt


Chapter 6: What Is Encryption?

Code Making and Code Breaking

As long as there have been code makers, there have been code breakers. And the two have been locked in a competition for centuries, with each advance one side being matched by counter- advances on the other.

For people who use codes, the code-breaking efforts of cryptanalysts pose danger that is potentially larger than the danger of not using cryptography in first place. Without cryptography, you might be reluctant to send sensitive i mation through the mail, across a telex, or by radio. But if you think that have a secure channel of communication, then you might use it to transmit sec that should not be widely revealed.

For this reason, cryptographers and organizations that use cryptography routinely conduct their own code-breaking efforts to make sure that their codes are resistant to attack. The findings of these self-inflicted intrusions are not always pleasant. The following brief story from a 1943 book on cryptography demonstrates this point quite nicely:

[The importance of the part played by cryptographers in military operations was demonstrated to us realistically in the First World War. One instructive incident occurred in September 1918, on the eve of the great offensive against Saint-Mihiel. A student cryptographer, fresh from Washington, arrived at United States Headquarters at the front. Promptly he threw the General Staff into a state of alarm by decrypting with comparative ease a secret radio message intercepted in the American sector.

The smashing of the German salient at Saint-Mihiel was one of the most gigantic tasks undertaken by the American forces during the war. For years that salient had stabbed into the Allied lines, cutting important railways and communication lines. Its lines of defense were thought to be virtually impregnable. But for several months the Americans had been making secret preparations for attacking it and wiping it out. The state was set, the minutest details of strategy had been determined-when the young officer of the United States Military Intelligence spread consternation through our General Staff.

The dismay at Headquarters was not caused by any new information about the strength of the enemy forces, but by the realization that the Germans must know as much about our secret plans as we did ourselves-even the exact hour set for the attack. The 'intercepted' message had been from our own base. German cryptographers were as expert as any in the world, and what had been done by an American student cryptographer could surely have been done by German specialists.

The revelation was even more bitter because the cipher the young officer had broken, without any knowledge of the system, was considered absolutely safe and had long been used for most important and secret communications.*

Cryptograpby and Digital Computers

Modem digital computers are, in some senses, the creations of cryptography. Some of the first digital computers were built by the Allies to break messages that had been encrypted by the Germans with electromechanical encrypting machines. Code breaking is usually a much harder problem than code making; after the Germans switched codes, the Allies often took several months to discover the new coding systems. Nevertheless, the codes were broken, and many historians say that World War II was shortened by at least a year as a result.

Things really picked up when computers were turned to the task of code making. Before computers, all of cryptography was limited to two basic techniques: transposition, or rearranging the order of letters in a message (such as the Spartan's scythe), and substitution, or replacing one letter with another one. The most sophisticated pre- computer cipher used five or six transposition or substitution operations, but rarely more.

With the coming of computers, ciphers could be built from dozens, hundreds, or thousands of complex operations, and yet could still encrypt and decrypt messages in a short amount of time. Computers have also opened up the possibility of using complex algebraic operations to encrypt messages. All of these advantages have had a profound impact on cryptography.

Modern Controversy

In recent years, encryption has gone from being an arcane science and the stuff of James Bond movies, to being the subject of debate in several nations (but we'll focus on the case in the U.S. in the next few paragraphs). In the U.S. that debate is playing itself out on the front pages of newspapers such as The New York Times and the San Jose Mercury News.

* Smith, Laurence Dwight. cryptography. The Science of Secret Writing. Dover Publications, New York, 1941.

On one side of the debate are a large number of computer professionals, civil libertarians, and perhaps a majority of the American public, who are rightly concerned about their privacy and the secrecy of their communications. These people want the right and the ability to protect their data with the most powerful encryption systems possible.

On the other side of the debate are the United States Government, members of the nation's law enforcement and intelligence communities, and (apparently) a small number of computer professionals, who argue that the use of cryptography should be limited because it can be used to hide illegal activities from authorized wiretaps and electronic searches.

MIT Professor Ronald Rivest has observed that the controversy over cryptography fundamentally boils down to one question:

Should the citizens of a country have the right to create and store documents which their government cannot read?*

This chapter does not address this question. Nor do we attempt to explore the U.S. Government's claimed need to eavesdrop on communications, the fear that civil rights activists have of governmental abuse, or other encryption policy issues. Although those are interesting and important question--questions you should also be concerned with as a computer user--they are beyond the scope of this book. Instead, we focus on discussion of the types of encryption that are available to most UNIX users today and those that are likely to be available in the near future. If you are interested in the broader questions of who should have access to encryption, we suggest that you pursue some of the references listed in Appendix D, Paper Sources, starting with Building in Big Brother, edited by Professor Lance Hoffman.

What Is Encryption?

Encryption is a process by which a message (called plaintext) is transformed into another message (called ciphertext) using a mathematical function* and a special encryption password, called the key.

Decryption is the reverse process: the ciphertext is transformed back into the original plaintext using a mathematical function and a key. The process of encryption and decryption is shown in basic terms in Figure 6-1. Here is a simple piece of plaintext:

Encryption can make UNIX more secure. ...

Rivest, Ronald, speaking before the MIT Telecommunications Forum, Spring 1994. * Or any other government! * Although it may not be expressed as such in every case....

Table of Contents

Preface; Unix “Security”?; Scope of This Book; Which Unix System?; Conventions Used in This Book; Comments and Questions; Acknowledgments; A Note to Would-Be Attackers; Computer Security Basics; Chapter 1: Introduction: Some Fundamental Questions; 1.1 What Is Computer Security?; 1.2 What Is an Operating System?; 1.3 What Is a Deployment Environment?; 1.4 Summary; Chapter 2: Unix History and Lineage; 2.1 History of Unix; 2.2 Security and Unix; 2.3 Role of This Book; 2.4 Summary; Chapter 3: Policies and Guidelines; 3.1 Planning Your Security Needs; 3.2 Risk Assessment; 3.3 Cost-Benefit Analysis and Best Practices; 3.4 Policy; 3.5 Compliance Audits; 3.6 Outsourcing Options; 3.7 The Problem with Security Through Obscurity; 3.8 Summary; Security Building Blocks; Chapter 4: Users, Passwords, and Authentication; 4.1 Logging in with Usernames and Passwords; 4.2 The Care and Feeding of Passwords; 4.3 How Unix Implements Passwords; 4.4 Network Account and Authorization Systems; 4.5 Pluggable Authentication Modules (PAM); 4.6 Summary; Chapter 5: Users, Groups, and the Superuser; 5.1 Users and Groups; 5.2 The Superuser (root); 5.3 The su Command: Changing Who You Claim to Be; 5.4 Restrictions on the Superuser; 5.5 Summary; Chapter 6: Filesystems and Security; 6.1 Understanding Filesystems; 6.2 File Attributes and Permissions; 6.3 chmod: Changing a File’s Permissions; 6.4 The umask; 6.5 SUID and SGID; 6.6 Device Files; 6.7 Changing a File’s Owner or Group; 6.8 Summary; Chapter 7: Cryptography Basics; 7.1 Understanding Cryptography; 7.2 Symmetric Key Algorithms; 7.3 Public Key Algorithms; 7.4 Message Digest Functions; 7.5 Summary; Chapter 8: Physical Security for Servers; 8.1 Planning for the Forgotten Threats; 8.2 Protecting Computer Hardware; 8.3 Preventing Theft; 8.4 Protecting Your Data; 8.5 Story: A Failed Site Inspection; 8.6 Summary; Chapter 9: Personnel Security; 9.1 Background Checks; 9.2 On the Job; 9.3 Departure; 9.4 Other People; 9.5 Summary; Network and Internet Security; Chapter 10: Modems and Dialup Security; 10.1 Modems: Theory of Operation; 10.2 Modems and Security; 10.3 Modems and Unix; 10.4 Additional Security for Modems; 10.5 Summary; Chapter 11: TCP/IP Networks; 11.1 Networking; 11.2 IP: The Internet Protocol; 11.3 IP Security; 11.4 Summary; Chapter 12: Securing TCP and UDP Services; 12.1 Understanding Unix Internet Servers and Services; 12.2 Controlling Access to Servers; 12.3 Primary Unix Network Services; 12.4 Managing Services Securely; 12.5 Putting It All Together: An Example; 12.6 Summary; Chapter 13: Sun RPC; 13.1 Remote Procedure Call (RPC); 13.2 Secure RPC (AUTH_DES); 13.3 Summary; Chapter 14: Network-Based Authentication Systems; 14.1 Sun’s Network Information Service (NIS); 14.2 Sun’s NIS+; 14.3 Kerberos; 14.4 LDAP; 14.5 Other Network Authentication Systems; 14.6 Summary; Chapter 15: Network Filesystems; 15.1 Understanding NFS; 15.2 Server-Side NFS Security; 15.3 Client-Side NFS Security; 15.4 Improving NFS Security; 15.5 Some Last Comments on NFS; 15.6 Understanding SMB; 15.7 Summary; Chapter 16: Secure Programming Techniques; 16.1 One Bug Can Ruin Your Whole Day . . .; 16.2 Tips on Avoiding Security-Related Bugs; 16.3 Tips on Writing Network Programs; 16.4 Tips on Writing SUID/SGID Programs; 16.5 Using chroot(); 16.6 Tips on Using Passwords; 16.7 Tips on Generating Random Numbers; 16.8 Summary; Secure Operations; Chapter 17: Keeping Up to Date; 17.1 Software Management Systems; 17.2 Updating System Software; 17.3 Summary; Chapter 18: Backups; 18.1 Why Make Backups?; 18.2 Backing Up System Files; 18.3 Software for Backups; 18.4 Summary; Chapter 19: Defending Accounts; 19.1 Dangerous Accounts; 19.2 Monitoring File Format; 19.3 Restricting Logins; 19.4 Managing Dormant Accounts; 19.5 Protecting the root Account; 19.6 One-Time Passwords; 19.7 Administrative Techniques for Conventional Passwords; 19.8 Intrusion Detection Systems; 19.9 Summary; Chapter 20: Integrity Management; 20.1 The Need for Integrity; 20.2 Protecting Integrity; 20.3 Detecting Changes After the Fact; 20.4 Integrity-Checking Tools; 20.5 Summary; Chapter 21: Auditing, Logging, and Forensics; 21.1 Unix Log File Utilities; 21.2 Process Accounting: The acct/pacct File; 21.3 Program-Specific Log Files; 21.4 Designing a Site-Wide Log Policy; 21.5 Handwritten Logs; 21.6 Managing Log Files; 21.7 Unix Forensics; 21.8 Summary; Handling Security Incidents; Chapter 22: Discovering a Break-in; 22.1 Prelude; 22.2 Discovering an Intruder; 22.3 Cleaning Up After the Intruder; 22.4 Case Studies; 22.5 Summary; Chapter 23: Protecting Against Programmed Threats; 23.1 Programmed Threats: Definitions; 23.2 Damage; 23.3 Authors; 23.4 Entry; 23.5 Protecting Yourself; 23.6 Preventing Attacks; 23.7 Summary; Chapter 24: Denial of Service Attacks and Solutions; 24.1 Types of Attacks; 24.2 Destructive Attacks; 24.3 Overload Attacks; 24.4 Network Denial of Service Attacks; 24.5 Summary; Chapter 25: Computer Crime; 25.1 Your Legal Options After a Break-in; 25.2 Criminal Hazards; 25.3 Criminal Subject Matter; 25.4 Summary; Chapter 26: Who Do You Trust?; 26.1 Can You Trust Your Computer?; 26.2 Can You Trust Your Suppliers?; 26.3 Can You Trust People?; 26.4 Summary; Appendixes; Unix Security Checklist; Preface; Chapter 1: Introduction: Some Fundamental Questions; Chapter 2: Unix History and Lineage; Chapter 3: Policies and Guidelines; Chapter 4: Users, Passwords, and Authentication; Chapter 5: Users, Groups, and the Superuser; Chapter 6: Filesystems and Security; Chapter 7: Cryptography Basics; Chapter 8: Physical Security for Servers; Chapter 9: Personnel Security; Chapter 10: Modems and Dialup Security; Chapter 11: TCP/IP Networks; Chapter 12: Securing TCP and UDP Services; Chapter 13: Sun RPC; Chapter 14: Network-Based Authentication Systems; Chapter 15: Network Filesystems; Chapter 16: Secure Programming Techniques; Chapter 17: Keeping Up to Date; Chapter 18: Backups; Chapter 19: Defending Accounts; Chapter 20: Integrity Management; Chapter 21: Auditing, Logging, and Forensics; Chapter 22: Discovering a Break-In; Chapter 23: Protecting Against Programmed Threats; Chapter 24: Denial of Service Attacks and Solutions; Chapter 25: Computer Crime; Chapter 26: Who Do You Trust?; Appendix A: Unix Security Checklist; Appendix B: Unix Processes; Appendixes C, D, and E: Paper Sources, Electronic Sources, and Organizations; Unix Processes; About Processes; Signals; Controlling and Examining Processes; Starting Up Unix and Logging In; Paper Sources; Unix Security References; Other Computer References; Electronic Resources; Mailing Lists; Web Sites; Usenet Groups; Software Resources; Organizations; Professional Organizations; U.S. Government Organizations; Emergency Response Organizations; Colophon;
From the B&N Reads Blog
Page 1 of

Related Subjects

Computers
Operating Systems
UNIX
Computers
Operating Systems
UNIX

Customer Reviews