Usenet Security
Doug Gwyn
gwyn at brl-smoke.ARPA
Mon Feb 22 13:36:26 AEST 1988
In article <23504 at hi.unm.edu> kurt at hi.unm.edu (Kurt Zeilenga) writes:
>In article <2739 at codas.att.com> mikel at codas.att.com (Mikel Manitius) writes:
>>Very simple, if you've got a UNIX machine with a modem, it's not secure.
>It's simplier than that. If you got a UNIX machine and it's turned
>on, it's not secure. :*D
Come on; security comes in differing degrees. It is thought that UNIX
can be brought up to DOD B-2 level with some amount of effort, and
still look enough like UNIX to support most UNIX-based applications.
There are already at least two UNIX implementations approved at level
C-1 or higher (so I'm told; I don't have one).
One way to not lose an appreciable degree of security due to modem
access (assuming telephone line tapping is ruled out) is to have
the system check an incoming user ID against an internal list and
call back the phone number contained in the internal list to
establish the real working connection.
The weakest link in many installations is physical security -- for
example, on an Ethernet with lots of Sun workstations, unless the
cable and workstations have controlled access it is possible for
a workstation to be subverted and super-user access to the whole
local net to be obtained (assuming typical installation; at least
SOME unauthorized access would be obtainable in general).
Our favorite method of achieving acceptable security is to keep our
systems in controlled-access vaults. Of course they can't have normal
network connections to areas outside the vaults. This solves most
security problems very simply (but not simultaneous multi-level
compartmentalized access control).
If you're really concerned with computer security, get in touch
with the National Computer Security Center; they specialize in this.
More information about the Comp.unix.questions
mailing list