summary - security for e-mail gateway?

From: David C. Kwong (dck@mink.mt.att.com)
Date: Tue Aug 18 1992 - 01:56:25 CDT


Thanks for all the responses to my original question on the security of
our e-mail gateway, from:

From: love@Stars.Reston.Unisys.COM (Kim Love -- Paramax)
From: "Paul W. Fakler" <pwf@unet.umn.edu>
From: Ace Stewart <jstewart@mailbox.syr.edu>
From: stern@sunne.East.Sun.COM (Hal Stern - NE Area Systems Engineer)
From: Dan.Farmer@Corp.Sun.COM (d)
From: mikem@ll.mit.edu (Michael J Maciolek)
From: era@niwot.scd.ucar.EDU (Ed Arnold)
From: geertj@ica.philips.nl (Geert Jan de Groot)
From: kevins@kuma3.Japan.Sun.COM (Kevin Sheehan {Consulting Poster Child})

---------------------- original question --------------------------

A question on e-mail and network security.
Our installation has a Sun server dedicated to do general word
processing and to act as an e-mail gateway to the Internet.
It has a separate /etc/passwd file from the other machines on our
network as a security measure (the rest use YP).
However, everyone's e-mail is stored on this e-mail gateway and
its /var/spool/mail is NFS-exported to the rest of our network.
Also, users can 'rlogin' to other machines if they choose to set
their own .rhosts file.

David C. Kwong
dck@mink.mt.att.com
----------------------- summary -------------------------------

The answers range from "fairly insecure" to "extremely insecure".
The recommendations are:

1. Install SunOS security patches.
        (Somebody gave 22 as the current number of patches. Does Sun
        have a recommended list of security patches?)

2. Keep all "interesting" data on machines inside the gateway, not on
        the gateway itself. Someone suggested forwarding all e-mail to
        another machine and mounting /var/spool/mail from that machine
        instead.

3. Run COPS and Crack to do security audits.
        (They are public-domain software available at various FTP sites.)

4. Use /etc/netgroup and /etc/exports to restrict who can mount
        /var/spool/mail.
        (We do this already.)

5. Don't make this gateway an NIS server, or machines outside can
        steal its maps. Someone suggested running secure NIS, but
        another suggested waiting for NIS+.

6. Use "wrappers" for all the /etc/inetd.conf services available on the
        gateway. Somebody even suggested replacing all the login
        commands to provide logging for all attempts.
        (Nobody mentioned the security products called "ARM" and "ASET"
        by Sun. Do they do a lot of the stuff above?)

7. Turn off IP forwarding on the e-mail gateway.
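Items 4 and 6 of this list can be checked mechanically. The sh script below is an added example, not code from the original summary or from any of the replies: it lists the NFS exports that carry no -access= restriction and the inetd.conf services that are started directly instead of through tcpd. The /etc/exports and /etc/inetd.conf contents it reads are constructed samples, and the netgroup name mailhosts and the tcpd path /usr/etc/tcpd are assumptions about the local setup.

```shell
#!/bin/sh
# Added example: audit two of the summarised recommendations (restricted
# exports, wrapped inetd services). Not code from the original posting.
# Sample files below are constructed; "mailhosts" and /usr/etc/tcpd are
# assumptions about the local setup.

TMP=${TMPDIR:-/tmp}/gw-audit.$$
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' 0

EXPORTS=$TMP/exports
INETD=$TMP/inetd.conf

# Constructed /etc/exports in SunOS 4 syntax. "-access=" limits who may
# mount; a line without it can be mounted by any host that reaches the
# NFS port, and "-ro" alone only limits what they can do once mounted.
cat > "$EXPORTS" <<'EOF'
# /etc/exports (constructed sample)
/var/spool/mail -access=mailhosts
/home
/usr/local -ro
/export/tools -access=mailhosts,ro
EOF

# Constructed /etc/inetd.conf. Field 6 is the server program; a wrapped
# service names tcpd there and the real daemon follows as field 7.
cat > "$INETD" <<'EOF'
# /etc/inetd.conf (constructed sample)
ftp     stream  tcp  nowait root   /usr/etc/tcpd        in.ftpd
telnet  stream  tcp  nowait root   /usr/etc/in.telnetd  in.telnetd
shell   stream  tcp  nowait root   /usr/etc/in.rshd     in.rshd
tftp    dgram   udp  wait   root   /usr/etc/in.tftpd    in.tftpd -s /tftpboot
finger  stream  tcp  nowait nobody /usr/etc/tcpd        in.fingerd
echo    stream  tcp  nowait root   internal
EOF

# Print each exported path whose options carry no -access= list.
unrestricted_exports() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $0 !~ /-access=/          { print $1 }
    ' "$1"
}

# Print each inetd service whose server program is not tcpd. Services
# implemented inside inetd ("internal") have nothing to wrap.
unwrapped_services() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $6 == "internal"          { next }
        { n = split($6, p, "/"); if (p[n] != "tcpd") print $1 }
    ' "$1"
}

echo "Exports mountable by any host:"
unrestricted_exports "$EXPORTS" | sed 's/^/  /'
echo "inetd services not wrapped by tcpd:"
unwrapped_services "$INETD" | sed 's/^/  /'
```

To run it against a real gateway, point EXPORTS and INETD at /etc/exports and /etc/inetd.conf. A path in the first list is reachable from any host that can talk to the NFS port, so the netgroup in item 4 only helps if every export line actually names it; a service in the second list produces no wrapper log entry and no host-based allow/deny decision.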

----------------------- full details -------------------------------
>From att!ra.mcs.anl.gov!sun-managers-relay Fri Aug 14 14:49:04 1992
Sender: sun-managers-relay@ra.mcs.anl.gov
Date: Fri, 14 Aug 92 09:12:46 EDT
From: dck@mink.mt.att.com (David C. Kwong)
Reply-To: dck@mink.mt.att.com (David C. Kwong)
Followup-To: dck@mink.mt.att.com (David C. Kwong)
To: sun-managers@eecs.nwu.edu
Subject: security for e-mail gateway?
Status: RO

A question on e-mail and network security.
Our installation has a Sun server dedicated to do general word
processing and to act as an e-mail gateway to the Internet.
It has a separate /etc/passwd file from the other machines on our
network as a security measure (the rest use YP).
However, everyone's e-mail is stored on this e-mail gateway and
its /var/spool/mail is NFS-exported to the rest of our network.
Also, users can 'rlogin' to other machines if they choose to set
their own .rhosts file.
The e-mail gateway is running SunOS 4.1.1.
My question is how secure is this kind of setup?
What kind of danger is there if we change this gateway to use YP
and make it completely part of our local domain?
Thanks in advance.

David C. Kwong
dck@mink.mt.att.com

>From cbfsb!Stars.Reston.Unisys.COM!love Fri Aug 14 14:58:38 1992
To: -v@Stars.Reston.Unisys.COM.att.com, David.C.Kwong@att.com
Date: Fri, 14 Aug 92 14:56:00 EDT
From: love@Stars.Reston.Unisys.COM (Kim Love -- Paramax)
Original-To: -v, dck@mink.mt.att.com
Subject: security

David,

If I were you, I would make sure that you are not exporting
the /var/spool/mail directory so that anyone in the world
can mount it... You can set up netgroups and export
(NFS) directories to certain groups of machines.

There is a utility called COPS that is available via
anonymous ftp from
      cert.sei.cmu.edu

IF you run this on your system, it will tell you where potential
security problems are.

CERT (Computer Emergency Response Team) also maintains a
mailing list for known network/system security problems:
   cert-advisory@cert.sei.cmu.edu

>From cbfsb!unet.umn.edu!pwf Fri Aug 14 16:11:46 1992
To: David.C.Kwong@att.com
From: "Paul W. Fakler" <pwf@unet.umn.edu>
Subject: Re: security for e-mail gateway?
Original-To: dck@mink.mt.att.com
Date: Fri, 14 Aug 92 14:28:39 CDT
X-Mailer: ELM [version 2.3 PL11]
Status: RO

It depends on the level of security you want. The mailbox system you
have described is very insecure. If you change it to use YP you will not
make it any less secure.

You have many loopholes as it stands:

  1) You allow users to set up .rhosts files. If you allow them to
      do this TO your mailbox server from unsecure machines, then the
      system is inherently unsecure.

  2) Unmodified Sun systems are full of security holes, and do not provide
      adequate protection, password validation, or logging. We have totally
      replaced all the login procedures, and all network programs have been
      modified to use our login system. It provides logging for all login
      attempts (successful or not), keeps track of times and machines from
      which the login attempts occurred, accounts logged into, etc... It
      also enforces password selection, so accounts are much more difficult
      to break into. It was also a lot of work to set up, since most network
      programs had to be modified slightly (telnetd, ftpd, popd, rlogind,
      rshd, etc...). We do not use YP, but rdist password files nightly from
      a server. One drawback is that you can only change your password on
      the master machine.

  3) Mounting /var/spool/mail over NFS to unsecure systems provides many
      more loopholes. If you wanted a secure mailbox machine, you could
      allow only IMAP and POP access to it. Mail clients used on other
      machines would have to use these protocols to access their mail.
 
etc...

Paul.

*-----------------------------------------------------------------------*
| Paul W. Fakler |
*---------------------------------*-------------------------------------*
| Internet : pwf@unet.umn.edu | Networking Services |
| Bitnet : pwf@umnacvx.bitnet | Computer and Information Services |
| Desk : +1 612 626 1654 | University of Minnesota |
| Problems : +1 612 625 0006 | 130 Lind Hall, 207 Church St SE |
| FAX : +1 612 626 1002 | Minneapolis MN 55455-0134, USA |
*---------------------------------*-------------------------------------*

>From cbfsb!mailbox.syr.edu!jstewart Fri Aug 14 16:16:56 1992
To: David.C.Kwong@att.com (David C. Kwong)
Original-To: dck@mink.mt.att.com (David C. Kwong)
Subject: Re: security for e-mail gateway?
Date: Fri, 14 Aug 92 15:36:53 -0400
From: Ace Stewart <jstewart@mailbox.syr.edu>
Content-Type: text

> Our installation has a Sun server dedicated to do general word
> processing and to act as an e-mail gateway to the Internet.

Is it a regular gateway as well as email -- or just email?

> It has a separate /etc/passwd file as the other machines on our
> network as a security measure (the rest uses YP).

This gets kinda tricky -- because now you are having to manage two
/etc/passwd files as opposed to one, but I will say that it isn't
really a big deal.

> However, everyones e-mail is stored on this e-mail gateway and
> its /var/spool/mail is NFS over to the rest of our network.

How do u guys like that setup anyhow?

> Also, users can 'rlogin' to other machines if they choose to set
> their own .rhosts file.

I don't understand what this means -- how is it configured -- be more
specific --

> The e-mail gateway is running SunOS 4.1.1.

Patched I trust :)

> My question is how secure is this kind of setup?
> What kind of danger is there if we change this gateway to use YP
> and make it completely part of our local domain?

It depends on the type of gateway that it is -- is it email and
Internet or just email -- if it is just email there is no real
"change" if you make it part of the NIS provided you are running secure
NIS. If you aren't then you have a bigger problem on your hand anyhow.

You obviously had some ideas, and thought it might be insecure, if you
tell me more I will try and say more about it :)

John Stewart
Former: UNIX Security Manager
                Syracuse University

Current: Security Team
                NASA-Ames Research Center

>From cbfsb!sunne.East.Sun.COM!stern Fri Aug 14 16:27:23 1992
To: David.C.Kwong@att.com
Date: Fri, 14 Aug 92 15:45:41 EDT
From: stern@sunne.East.Sun.COM (Hal Stern - NE Area Systems Engineer)
Original-To: dck@mink.mt.att.com
Subject: Re: security for e-mail gateway?
Status: RO

this is *extremely* insecure.

put the mail files on a machine inside the gateway, and
leave nothing "interesting" on the gateway.

since you're running NFS, i could, if i wanted to,
decide to mount your mail spool from my machine
(on the internet) and look at whatever i want.

using NIS on this machine is also a bit of a hole,
since some machine outside your network could pose
as an NIS server for it. similarly, don't make this
machine an NIS server, or machines outside your net
can steal its maps

--hal

>From cbfsb!Corp.Sun.COM!Dan.Farmer Fri Aug 14 17:22:56 1992
To: David.C.Kwong@att.com (David C. Kwong)
Date: Fri, 14 Aug 92 14:19:52 PDT
From: Dan.Farmer@Corp.Sun.COM (d)
Original-To: dck@mink.mt.att.com (David C. Kwong)
Subject: security for e-mail gateway?

> A question on e-mail and network security.

  Ok...

> Our installation has a Sun server dedicated to do general word
> processing and to act as an e-mail gateway to the Internet.

  What? You *don't* want your gateway being used as a general purpose
machine, for word processing or anything else, except being used as
just the gateway function. Come on, you're at&t, you can afford another
machine :-)

> However, everyones e-mail is stored on this e-mail gateway and
> its /var/spool/mail is NFS over to the rest of our network.

  Probably a bad move. NFS is not very secure (to put it mildly);
it would be better if you set it up to send mail to the user's
individual machine, or... well, it might be that you want to have a
machine that does the mail and word processing be entirely separate
machine; use the gateway to forward mail to that machine, and that way
you wouldn't have to change your set up too much.

> Also, users can 'rlogin' to other machines if they choose to set
> their own .rhosts file.

  If you're saying that the gateway trusts any other machine, in rhosts,
hosts.equiv, whatever, then that's a bad idea. If you mean other
machines inside the firewall trust it, then that's no big deal.

> The e-mail gateway is running SunOS 4.1.1.

  Upgrade to 4.1.2, or put in all the patches that sun has put out for
4.1.1, especially the security related ones.

> My question is how secure is this kind of setup?

  As you describe it, not too secure. If you do all the things I've
told you, it's a better start. You might check out some papers on the
subject -- bill cheswick, your friendly at&t gatekeeper, wrote a nice
piece on this. Garfinkle and spaffords book -- practical unix security
-- is another good source of info.

> What kind of danger is there if we change this gateway to use YP
> and make it completely part of our local domain?

  Barf. Don't even consider it until NIS+ is out.

 g'luck --

 -- d

>From cbfsb!ll.mit.edu!mikem Fri Aug 14 18:17:24 1992
To: David.C.Kwong@att.com
Date: Fri, 14 Aug 92 18:13:35 -0400
From: mikem@ll.mit.edu (Michael J Maciolek)
Original-To: dck@mink.mt.att.com
Subject: Re: security for e-mail gateway?

"How secure" is a tough question to answer; there isn't an absolute
grading system. There are two aspects of security - how hard is it
to break into this one machine, and how susceptible is the rest of
my network if this one machine is compromised?

For part 1 (how hard to break in), look at the number of different
ways that this server can be contacted. Which inetd services are
enabled? telnetd? ftpd? tftpd? rlogind? rshd? rexd? fingerd?

For part 2 (how susceptible is the rest of the network), look at the
accessibility of the rest of your machines from the mail server. Do
the other machines regard the mail server as a "trusted" machine? Do
your users create entries for the mail server in their .rhosts files?
Does the mail server contain a complete copy of your password file, or
are the passwords on the mail server different from the passwords used
on the rest of the network?

Have you turned off IP forwarding on the mail server, or can machines
on the internet still contact your internal network directly? If you're
forwarding IP, then the server isn't really helping in terms of security.

If your machine becomes a YP client, and it is breached, it will be
possible for the intruder to obtain a copy of your password file, and
a list of all your host names and addresses. Password cracking code
is available, using fast crypt routines and a list of commonly used
passwords, and is likely to discover several passwords out of even a
relatively small network. Revealing the host list is a comparatively
minor breach, since this information can be had via other means.

These are just a few thoughts on the subject, and probably not very well
organized. If you haven't been flooded with other people's thoughts on
security, drop me a line and I'll see if I can dig up some anonymous FTP
writeups on the subject. Enjoy!

-- Mike

-------------------------------------------------------------------------------
Michael Maciolek - mikem@ll.mit.edu --- VOICE (617)981-3174 - FAX (617)981-0189
Network Engineer - MIT Lincoln Laboratory - Computer Telecommunications Systems
-------------------------------------------------------------------------------
      In the fifteenth century, many people believed that the world was
      flat. Today, of course, we know that this is true only in heavily
      Protestant states such as Iowa. -- Dave Barry
-------------------------------------------------------------------------------
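The trust questions in part 2 of Mike's message can be answered with a small audit over hosts.equiv and the users' .rhosts files. The sh script below is an added example, not part of his message: a "+" host field trusts every host, and an entry naming the gateway lets whoever controls the gateway log in as that user without a password. The sample files are constructed, and the gateway's host name mailgw and the home-directory layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the original message: list the trust entries
# that would let a login on the mail gateway reach an inside machine
# without a password. Sample files are constructed; the gateway name
# "mailgw" and the home-directory layout are assumptions.

GATEWAY=mailgw

TMP=${TMPDIR:-/tmp}/trust-audit.$$
mkdir -p "$TMP/home/alice" "$TMP/home/bob" "$TMP/home/carol"
trap 'rm -rf "$TMP"' 0

# Constructed samples. Each line is "host [user]"; a "+" host field
# trusts every host, and "+ +" every host and every user.
printf '%s\n' 'wp1' 'wp2' '+'       > "$TMP/hosts.equiv"
printf '%s\n' 'mailgw' 'wp1 alice'  > "$TMP/home/alice/.rhosts"
printf '%s\n' '+ +'                 > "$TMP/home/bob/.rhosts"
# carol has no .rhosts, so nothing is reported for her.

# Report "LABEL:wildcard" for a "+" host field and "LABEL:gateway" for an
# entry that names the gateway. Comments, blank lines and "-host" denial
# entries produce no report.
trust_findings() {
    awk -v gw="$GATEWAY" -v label="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == "+"                 { print label ":wildcard"; next }
        $1 == gw                  { print label ":gateway" }
    ' "$1"
}

# Walk the system file and every user's .rhosts under ROOT. On a real
# system adapt the two paths to /etc/hosts.equiv and the home directories.
audit_trust() {
    root=$1
    trust_findings "$root/hosts.equiv" hosts.equiv
    for dir in "$root"/home/*; do
        rh=$dir/.rhosts
        [ -f "$rh" ] || continue
        trust_findings "$rh" "home/$(basename "$dir")/.rhosts"
    done
}

audit_trust "$TMP"
```

Each reported line is one path by which a compromised gateway reaches an inside account; the wildcard entries are the ones to remove first, since they trust every host on the Internet, not just the gateway.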

>From cbfsb!niwot.scd.ucar.EDU!era Fri Aug 14 18:23:30 1992
To: David.C.Kwong@att.com
From: era@niwot.scd.ucar.EDU (Ed Arnold)
Subject: Re: security for e-mail gateway?
Original-To: dck@mink.mt.att.com
Date: Fri, 14 Aug 92 16:21:34 MDT
Reply-To: era@ncar.ucar.edu
X-Mailer: ELM [version 2.3 PL11]

These comments only apply if you feel your system has something worthwhile
to steal; some aren't perceived as so.

If you use NIS, your system is less of a firewall. Make sure you've installed
all the security patches (there are about 22) which apply to 4.1.1.

Common services used by intruders are: DNS zone transfers, tftpd, RPC/NFS,
BSD "r" commands, lpd, uucpd, OW & X11, link. These services should not
be allowed on your interface to the internet.

Daemons like telnetd, fingerd, tftpd, ftpd, rlogind, rshd, rexecd
ought to be disabled, or wrapped if they can't be disabled.

You need to run COPS and Crack over your internet interface system's password
file regularly.

CERT has programs like COPS, wrappers, etc. available for anonymous ftp.

-- 
Ed Arnold * NCAR * POB 3000, Boulder, CO 80307-3000 * 303-497-1253(voice)
303-497-{1298,1137}(fax) * internet: era@ncar.ucar.edu * bitnet: era@ncario
compuserve: internet:era@ncar.ucar.edu

>From cbfsb!ica.philips.nl!geertj Fri Aug 14 18:38:18 1992
To: David.C.Kwong@att.com
Date: Fri, 14 Aug 92 23:52:48 +0200
From: geertj@ica.philips.nl (Geert Jan de Groot)
Original-To: dck@mink.mt.att.com
Subject: Re: security
Status: RO

If you're using NFS, YP, or any RPC-based service I can crack your machine. Have you checked EVERYTHING from netstat -a and what a malicious user can do, if there is a bug on one? In short, totally unsecure.

Please talk to Steve <smb@research.att.com>, he runs the att gateway and can provide you with some interesting papers.

Geert Jan

>From cbfsb!kuma3.Japan.Sun.COM!kevins Sat Aug 15 00:56:15 1992
To: David.C.Kwong@att.com
From: kevins@kuma3.Japan.Sun.COM (Kevin Sheehan {Consulting Poster Child})
Date: Sat, 15 Aug 1992 13:55:12 JST
X-Mailer: Mail User's Shell (7.1.2 7/11/90)
Original-To: dck@mink.mt.att.com
Subject: Re: security for e-mail gateway?

[ Regarding "security for e-mail gateway?", kalli!fourx!mink.mt.att.com!dck@fourx.Aus.Sun.COM writes on Aug 14: ]

Not very - there are all kinds of ways that people can attack it. What you should do is set up a firewall - i.e. a very secure system to act as a wall between you and the internet. There are several papers available via FTP on how to do it.

> What kind of danger is there if we change this gateway to use YP
> and make it completely part of our local domain?

Yes - you expose more information to the potential cracker for one thing.

l & h, kev



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:06:47 CDT