November 01, 1998 12:00 AM

How to Secure Your NT-UNIX Network

Windows IT Pro
InstantDoc ID #3937
Develop and implement a comprehensive yet unobstructive security plan

Although Windows NT and UNIX have many of the same security strengths and weaknesses, a new layer of complexity emerges when you use these two operating systems (OSs) on the same network. This complexity becomes even more pronounced when you connect your mixed network to the Internet. Thus, administrators of mixed NT and UNIX networks need to develop and implement a comprehensive security plan.

Many organizations' NT and UNIX security plans are ineffective. A common mistake is to assume that after you install a firewall and proxy server, your network is secure. This measure is important, but it is only one component in an effective plan. A comprehensive NT and UNIX security plan requires that you not only install firewalls and proxy servers, but also choose your applications carefully, secure your Web server, effectively manage passwords and logons, effectively manage user and group accounts, physically secure your network, ensure data integrity via backups, and monitor applications.

Install Firewalls and Proxy Servers
Firewalls and proxy servers are important tools for securing mixed networks that connect to the Internet. Firewalls use packet filtering to restrict external connections to a limited set of services. Proxy servers let internal users access the Internet but prevent external Internet users from connecting to the network. You can even get a proxy firewall, a hybrid of these two tools.

Although we recommend that you take advantage of firewall technology, you need to know that firewalls and proxy firewalls aren't hackerproof. Firewall packet filtering is susceptible to router attacks. Frankly, anytime someone can apply sophisticated sniffer technology to a router environment, there can be no guarantee that filters will be foolproof. To prevent these attacks, you can reconfigure your router. Although Telnet is a convenient reconfiguration tool, a more secure method is to manually reconfigure the router. (The next section contains more information about why you should not use Telnet.)

The firewall's Simple Network Management Protocol (SNMP) is also susceptible to attacks. An easy-to-guess password for read/write access can leave a router and other network gear vulnerable to reconfiguration, packet filter removal, and other abuses by hackers.

Using proxy services has a downside, but it isn't related to security. Proxy servers and proxy firewalls might degrade access speed to the Internet. You can avoid this performance decrease by using a proxy server or proxy firewall with a cache.

Choose Applications Carefully
Typically, NT and UNIX OSs rely on TCP/IP as the baseline network protocol. As a result, connecting NT and UNIX computers to each other and to the Internet is relatively easy. However, both OSs are prone to the same weaknesses inherent in TCP/IP. Potential security breaches can result when you use TCP/IP-based tools and utilities, such as FTP, Trivial File Transfer Protocol (TFTP), finger utility, Domain Name System (DNS), remote (r)-command utilities, Telnet, and NFS.

FTP. Systems administrators often use this protocol with anonymous user accounts, which don't require password protection. FTP lets most users, including hackers, access a system. Once inside, hackers can easily work their way throughout your network. To guard against FTP attacks, you need to set read-only permissions on the appropriate files in both NT and UNIX.

TFTP. This protocol is a relaxed version of FTP. Typically, users can transfer any file (even system files, such as NT's Registry and UNIX's equivalent, /etc/passwd) without a password. Unless you need TFTP, we strongly recommend that you remove or disable the tftpd file. In UNIX, you need to comment out the tftp entry in the inetd.conf file in the /etc directory (/etc/inetd.conf). In NT, you need to check whether anyone has installed third-party software that includes a TFTP service. (NT ships with an FTP service, but not a TFTP service.) If your network has a TFTP service, disable it.

Finger. This utility, which is available for both UNIX and NT, outputs information about a system's users. If hackers provide a first or last name, the utility returns the logon names of users with matching first or last names. If hackers provide an email address, the utility returns user profile information (e.g., the user's full name) and specifies whether the user is currently logged on. After hackers have a list of usernames, the task of systematically discovering passwords becomes the game. Because of these security problems, avoid using this utility.
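
The inetd.conf check described in the TFTP and Finger items above, as an added example that is not part of the original article: it lists active entries for the services this section flags and emits a copy of the file with tftp and finger commented out. The sample file, server paths and function names are constructed for illustration; ftp is only reported for a permissions review, because the article advises read-only permissions for it rather than removal.

```shell
#!/bin/sh
# Added example: audit inetd.conf-style text for the services this section flags.
# Field layout assumed: service socket proto wait/nowait user server-path [args]

# Constructed sample input (not taken from any real host).
sample_inetd_conf() {
cat <<'EOF'
# constructed sample in classic inetd.conf layout
ftp     stream tcp nowait root   /usr/sbin/in.ftpd    in.ftpd -l
#tftp   dgram  udp wait   root   /usr/sbin/in.tftpd   in.tftpd /old
tftp    dgram  udp wait   root   /usr/sbin/in.tftpd   in.tftpd -s /tftpboot
finger  stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd
daytime stream tcp nowait root   internal
EOF
}

# stdin: inetd.conf text; stdout: service<TAB>action<TAB>server-path
# Matches the service field exactly, so "ftp" never matches "tftp", and
# entries that are already commented out are ignored.
audit_inetd() {
    awk '
        BEGIN { act["tftp"] = "disable"; act["finger"] = "disable"
                act["ftp"] = "review" }   # review = check file permissions
        /^[ \t]*#/ || NF < 6 { next }     # skip comments, blanks, short lines
        ($1 in act) { print $1 "\t" act[$1] "\t" $6 }
    '
}

# stdin: inetd.conf text; stdout: same text with tftp and finger commented out.
# Every other line, including existing comments, passes through unchanged.
harden_inetd() {
    awk '
        BEGIN { off["tftp"] = 1; off["finger"] = 1 }
        !/^[ \t]*#/ && NF >= 6 && ($1 in off) { print "#" $0; next }
        { print }
    '
}

echo "Active flagged services before hardening:"
sample_inetd_conf | audit_inetd
echo "Active flagged services after hardening:"
sample_inetd_conf | harden_inetd | audit_inetd
```

On a real host the edited file only takes effect after inetd rereads its configuration, and the output of `harden_inetd` should be reviewed before it replaces the original.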


