Christopher B. Browne's Home Page

2. Unix and Network Security

There happen to be security problems with Unix-based systems fundamentally because:

  1. Securing computer systems is a nontrivial task, and

  2. Unix systems do get challenged when they are used for applications needing security.

People do not (or at least should not) use PC operating systems like MS-DOS or Windows 95 for applications that require information security, as they are extremely insecure for such purposes. (They have never been officially rated, but would fall into "D" level were there certifications for that level.) Microsoft is not a vendor of secure operating systems, even at their best. Windows NT is only secure for such purposes (e.g. - "C2 Certified") if:

Windows NT is largely useless for anything other than a network server, and thus removal of network connectivity makes it useless.

You can secure virtually any computer if you encase it in lead and concrete and place it at the bottom of the ocean. The computer is not likely to be too useful under such conditions, though.

A more recent security evaluation has been done; it may be best understood by making reference to Understanding the Windows EAL4 Evaluation which tells us:

Security experts have been saying for years that the security of the Windows family of products is hopelessly inadequate. Now there is a rigorous government certification confirming this.

2.1. Kerberos

Kerberos is a distributed authentication system originally developed at MIT. It allows users and services to authenticate themselves to one another. It uses strong cryptography to transmit authentication tickets that allow users to assert their identities in an unequivocal manner to services in order to gain access.

Once the user logs in, and is authenticated by some scheme (password or otherwise), they can then request "tickets" for access to some service from an authentication server, which can then be submitted to the service to establish access permission.

Tickets have a limited lifetime; they may be used for an extended period of time, thus limiting the number of "ticket requests" that have to be made, but since the time is limited, a nefarious interloper does not have an unlimited time in which they might attempt to use a "stolen ticket."

A number of pieces of network-related software running on Unix are "Kerberized;" this means that you may (perhaps optionally) authenticate access using Kerberos rather than via the traditional "UserID/Password" combination. This commonly includes telnet, the Unix "rlogin" tool suite, and X11. Some commercial software, including SAP R/3 , can use Kerberos as their authentication protocol. It is also quite common for infrastructure services such as IMAP mail servers, wikis, and instant messaging systems to allow using Kerberos for authentication.

A number of vendors sell libraries to integrate Kerberos authentication support into Unix and Windows applications.

Kerberos has been one of the most heavily used of the "single sign-on" solutions; it allows a single authentication to be used against multiple services, and does so fairly securely since password validation is done only against the Kerberos domain server. Individual servers/services do not need to have access to sensitive authentication data - they merely need to be able to forward requests for "tickets" to the authentication server.

Of course, by centralizing authentication to Kerberos, one must accept some risks:

2.2. Linux Security Projects

Most of the design work associated with this will deal with the user tools (including packaging tools like RPM or dpkg), as it is useless to have sophisticated security components without sufficiently powerful tools to manage it...

Contact me at