Typically, NT and UNIX OSs rely on TCP/IP as the baseline network protocol. As a result, connecting NT and UNIX computers to each other and to the Internet is relatively easy. However, both OSs are prone to the same weaknesses inherent in TCP/IP. Potential security breaches can result when you use TCP/IP-based tools and utilities, such as FTP, Trivial File Transfer Protocol (TFTP), finger utility, Domain Name System (DNS), remote (r)-command utilities, Telnet, and NFS. FTP. Systems administrators often use this protocol for the anonymous user accounts that don't require password protection. FTP lets most users, including hackers, access a system. Once inside, hackers can easily work their way throughout your network. To guard against FTP attacks, you need to set permissions to read only in the appropriate files in both NT and UNIX. TFTP. This protocol is a relaxed version of FTP. Typically, users can transfer any file (even system files, such as NT's Registry and UNIX's equivalent, /etc/passwd) without a password. Unless you need TFTP, we strongly recommend that you remove or disable the tftpd file. In UNIX, you need to comment out the entry from the /inetd.conf file in the /etc directory. In NT, you need to check whether anyone has installed third-party software that includes a TFTP service. (NT ships with an FTP service, but not a TFTP service.) If your network has a TFTP service, disable it. Finger. This utility, which is available for both UNIX and NT, outputs information about a system's users. If hackers provide a first or last name, the utility returns the logon names of users with matching first or last names. If hackers provide an email address, the utility returns user profile information (e.g., the user's full name) and specifies whether the user is currently logged on. After hackers have a list of usernames, the task of systematically discovering passwords becomes the game. Because of these security problems, avoid using this utility. DNS. A typical DNS server has the primary function of translating computer names into IP addresses. This information can provide just enough data to a hacker to spoof a target system. The dilemma in dealing with the Internet is that IP address information, coupled with domain name resolution, is fundamental for communication. The only viable solution is to maintain discrete DNS servers for external and internal name and IP address resolution. The external DNS server needs to be accessible only to queries about public network data. The internal system needs to be firewall protected and retain all IP address information of the secured environment.
|
|
|
|
|
|
|
|