Securing Your Connections

Here's a list of things to consider in terms of securing data connections both on campus and off.

Don't Panic

Obviously, there's no point. ('

Computer and network security may seem a daunting subject, but as with some many things a little effort will get you a long way. As with the physical security of your home and car, simple solutions are generally pretty effective in most circumstances, so long as you don't make yourself an attractive target.

Keep anything that absolutely must be secured off of networked computers

There is no universal panecea, and if you have really sensitive data, it's best to keep it on a computer that's not networked to the internet. This kind of approach is called an "air firewall", and it's remarkably effective.

Choose good passwords, and change them regularly

Don't use easily guessed passwords, and avoid dictionary words or minor variants. And using the same password for everything you do is easy for you, but makes it easy for anyone who cracks it, too. Would you want to have only one key that worked in your car, house, office, all the locks you have?

Maintain good backups

Most breaches do not result in loss of data (you are much more likely to lose data in a drive failure), but it does happen. Backups are essential for any important data.

1. Backup regularly.
2. Keep a set off site--a fire or burglary can result in loss of the backups as well as primaries.
3. If you don't want to use backup software, syncing software works well.
4. If you have sensitive data, encrypt and password protect your backups.
5. Test your restore procedures--the classic mistake is to do the backups, but never check if the restores work.

Passwords

Avoid use of clear text passwords

Clear text passwords are trivial to read over network trunk lines by those who have physical access. This is particularly a problem for networking connections on shared media such as hubs, wireless networks, and cable modems.

Take the time to find and use software that uses encryption of the password. Examples include SSH terminal programs (instead of telnet) and SCP or SFTP (instead of ftp). Most mail clients and servers already support SSL connections, but you have to enable that feature in preferences.

Kerberized applications are also a good choice if you can't find SSL software, but they are a bit harder to set up and arguably not as secure.

Use tunnels or VPNs

If you have a terminal program that supports it, or if you use a Virtual Private Network, you can create a secure "tunnel" between your machine and a server on campus that can be used by other types of connections, such as ftp or nntp. We have some information on SSH tunnels, they are a good choice if you need to encrypt connections to multiple sites across the internet, but do require that you manually configure ports.

ITS here on the UNC campus has also purchased Cisco's VPN client, supporting Windows, Linux, and MacOS X. This software can be used to secure connections from anywhere in the internet, but only provides protection for connections to unc.edu sites. It is, however, the easiest way to secure all of your connections since everything sent to UNC will encrypted. See ATN's VPN FAQ for details. For additional details and workarounds, see the CS FAQ.

These kinds of connections have an additional advantage of encrypting the entire datastream, protecting not only your passwords, but also the data you are transmitting.

Consider use of a local firewall

A firewall can be used to "tune" your machine's network configuration to restrict access to services or ports to particular ip numbers or ranges of numbers. This is especially important if you're running daemons such as file or web services. More information on firewalls.

Don't forget physical Security

If your computer's not physically secure, you can't really protect it.

If someone gets your machine, they will likely have lots of time to try to get to your data if they are interested. For higher levels of security, use a disk or file encryption utility to protect sensitive data on the harddrive, and use a password with your screen saver and on startup.

Don't allow remote login as root or administrator if you can avoid it.

Obviously, a compromise of the root password is a very serious matter, so if you can turn off remote login to root, do so.

Review your system logs and checksum system files

Although a "good" intruder may be able to hide his or her activity by modifying your log files, it's still a good idea to review them regularly. In particular, look for access from unknown sites.

Also, it's a good idea to run software to checksum important system files (such as inetd.conf, your password file, login, etc.) There are some programs like tripwire for unix and Checkmate for OS X that can automate the process for you. Since intruders will often use modified systems program or alter key configuration files to create backdoors or obtain passwords, use of this kind of software can alert you to their activities (of course, if you modify these same files, you'll be alerted!).

Keep your software up to date

As security problems are found, vendors will typically release patches to close the holes. So it's important to keep your software, particularly your operating system, up to date. Most systems have options for automagically checking for updates and installing them. In general, it's a good practice to check for updates once a week. Most operating systems have provisions to check for updates automagically, but it's also best to have the system wait for you to authorize the installation (so that you can keep track of what's on your system).

Use anti-virus software and be careful about attachments

Viruses are possibly the single largest problem faced today, particularly those transimitted via email on Windows systems. You should install anti-virus software and set it up to scan your system daily. It's also important to regularly update your virus definitions, at least once each week.

Also take care when opening email attachments--that's the most common way viruses are propogated. In particular, you should not open attachments with extensions indicating executable code (on windows systems this means .exe, .vbs, .pif, for example. Do keep in mind sometimes these extensions are hidden by use of a second period in the file name, eg. picture.gif.exe). And you definitely do not want your mail program to open attachments automatically (this is a particular problem with Outlook, IMO the most dangerous user program currently on the planet).

Do not run services you do not need

Sure, it's fun to run all kinds of services on your machine, but in so doing you're opening up ports that can be used to access your system. Bottom line is, if you don't really need to run a service, don't. Web servers such as IIS and Apache are particularly attractive targets--if you're going to run these, take the time to learn how to secure them.

Additional Sources of Information

General Information

• UNC ITS Security
• The SANS Institute
• CERT
• Internet/Network Security
• Insecure.org (esp. their Tools list)
• Peter Gutman has an extensive list on security topics.

Windows

• Windows Security Guide
• Security Administrator
• Microsoft Baseline Security Analyzer (MBSA)
• eEye Security's freeware scanners

Linux

• Sys Admin article on securing Linux
• Linux Adminstrator's Security Guide

Macintosh

• Apple's Security Updates
• SecureMac  
• AFP548 Security Articles; this is oriented to server but most applies to client as well.