Security Resources: Solaris, Cisco, Firewall, Anti-Malware Resources

Malware Resources

New Resource: Using Static Routes to Block Malware and Spyware

Blocking IP networks associated with spyware and malware through the use of "null routes" have traditionally been limited to corporations with network administrators. This new draft describes an additional tool for a home or small business in the fight against spyware, a script which will "null route" IP networks on the local machine.

Centralized Spyware Detection: Detecting Malware Infections in a Corporate Environment

Malware infections on corporate networks is increasing. This paper briefly describes the role CLSIDs and Browser Helper Objects (BHOs) play in malware infections. It also announces a new Open-Source anti-malware scanner which scans a corporate network for malware infections by scanning remote registries for the presence of unauthorized Browser Helper Objects (BHOs).

It is this author's hope this remote spyware scanner will identify malware and adware installed on a users' desktop (detected by the presence of an unauthorized BHO) early in the infection cycle, before the machine is completely infested with malware "crud".

By identifying which malware has been installed despite corporate anti-malware measures taken at the firewall, router, URL-blocking proxies, and desktop, steps can also be taken to prevent other machines from becoming infected as well.

Securing Solaris 8
With an Emphasis on Solaris Packages, Metaclusters, Software Groups

Hardening a Solaris System

Install Minimal OS:
- Select which OS Packages/Software Group to install
  This article, written by us, is an introduction to Solaris OS Installation options. These two pages list all Solaris 8 packages sorted by Package Name and Software Group.
- Add optional Solaris Packages
  This article, written by us, is a meta-analysis of the extra Solaris packages that several experts suggest you should install.
Patch the system:
- Sun recommends installing patches BEFORE additional minimilization and hardening.
- Sun(tm) Patch Check ; http://sunsolve.sun.com/pub-cgi/show.pl?target=patchpage Solaris Patch Manager (also http://www.sun.com/service/support/sw_only/patchmanager.html Solaris Patch Manager Base Version 1.0
Harden the System:
- Run hardening tools such as Titan or YASSP, JASS Toolkit or harden OS manually. (Also examine Papillon)
  - Uninstall unnecessary packages
    This document, written by us, examines the packages installed with the SUNWCreq "core" installation of Solaris, and contains a meta-analysis of which packages the experts suggest you remove.
  - Disable unneeded startup services:
    Even if you performed a minimal Solaris install, there are a bunch of startup files which need to be disabled as part of your hardening routine. This paper lists each Solaris startup file, its associated package, along with checklists and scripts to delete (and modify/add) startup files designed to increase system security.
  - Modify files in /etc (including /etc/default/*,/etc/inetd.conf and other /etc/*.conf files, /etc/system and others)
  - Delete unneeded accounts and cron permissions
  - Change network settings:
    - (Read http://www.sun.com/blueprints/1200/network-updt1.pdf;
      download http://www.sun.com/solutions/blueprints/tools/nddconfig_license.html
  - and much more....
    --Follow checklists such as--
    - Solaris 8 and 9 Operating System Hardening Guideline Document
    - http://www.enteract.com/~lspitz/armoring.html (Or http://www.spitzner.net/)
    - http://www.boran.com/security/sp/Solaris_hardening.html
    - http://www.catastrophe.net/geek/docs/Hardening-Solaris2.6.txt (Note: Solaris 2.6)
    - http://fixsolaris.sunhelp.org/fixsolaris.txt(Note: Solaris 2.6)
    - http://www.sabernet.net/papers/Solaris.html (Note: Solaris 2.5)
    - http://www.sans.org/y2k/practical/Jeff_Campione_GCUX.htm (Note: Solaris 8)
    - http://www.usenix.org/sage/sysadmins/solaris/solaris/os.html#minimal
    - http://www.roble.com/docs/secure_solaris.html
    - http://www.giac.org/practical/Michael_Harris_GCUX.doc- "Step by Step Guide to Building a Secure Solaris 8 KDE Graphical Workstation"
- Install Sysadmin Tools:
  - Packet filtering software: ipfilter or Sunscreen Light (Also: Sunscreen How-To)
  - Host-based Intrusion Detection software:
  - Other Tools and Resources:
  - Visit BigAdmin and sunfreeware
    http://www.cert.org/tech_tips/security_tools.html- CERT Coordination Center's List of Security Tools
    http://www.insecure.org/tools.html- insecure.org's top 75 security tools
Run Security Audit/Vulnerability Assessment Scans/Penetration Tests (or whatever buzzword you wish to use):
- Open Source:
  - Tiger nessus,
    nmap, VLAD the Scanner (old),
    Nikto (Update to whisker ) SAINT, sara, Boran's audit2.pl,
    Center for Internet Security: CIS Benchmarks for Cisco IOS Routers,Win2000/NT, and Linux,
    TARA (update to original tiger)
- Scan from the outside (also tests your firewall, inform your firewall/IDT admin first!):
  - http://www.wilders.org/free_services.htm
    http://www.dslreports.com/scan- DSL Reports Scan
  - http://scan.sygate.com/probe.html - Sygate Online Services Security Scan
  - http://www.sdesign.com/securitytest/index.html
  - http://www.networkscan.com/ (Hackerwacker)
  - http://www.vulnerabilities.org/nessusfreehtml.html (down??)
    http://www.blackcode.com/scan/- Seems to perform a complete scan
  - Commercial Products:
Install your third party software
- Can your software be chrooted? (http://www.networkdweebs.com/chroot.html,
- Does it have any known Vulnerabilities? http://www.cve.mitre.org/cve/
- Re-run Security Audit/Penetration Tests: What ports has the software opened? Has the software created a new vulnerability?
Establish system audit/profile:
- Run commands such as:
  /usr/platform/sun4u/sbin/prtdiag -v
  /usr/bin/showrev [-p]
  /usr/sbin/prtconf
  /usr/sbin/psrinfo -v
- Run System Documentation (System Profiling):
- Don't forget about disk information under the control of Disksuite or Veritas....
Run Network profile (goal is to should show as few listening ports as possible):
- Run the following commands(More Information):
  netstat -an | grep LISTEN"
  lsof -i | egrep 'COMMAND|LISTEN|Idle'
  rpcinfo -p
- Run This Script from sunsolve to show all active tcp connections
Monitor the System
- monitor system performance
- Receive alerts and anomolies via email/pager: logcheck(offline?) or swatch
- http://www.setoolkit.com/ - SE Toolkit (Adrian Cockcroft)
- http://www.sarcheck.com/ -SarCheck
- Run network profile (above) and host-based IDS (below) to make sure nothing changes w/o your knowledge
Run Host-Based IDS:(Mentioned earlier, but it's important enough to repeat)
- http://www.psionic.com
- http://www.sun.com/software/security/tripwire/
- http://www.chkrootkit.org/
  http://www.sun.com/solutions/blueprints/0501/Fingerprint.pdf
Stay Current
- subscribe to Sun managersand security focus mailing lists
- Visit Solaris and Security Sites on a regular basis

Cisco Resources

http://www.cisco.com/warp/public/707/21.html - Improving Security on Cisco Routers
http://cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt3/scfirewl.htmCisco IOS Firewall Overview
http://www.cisco.com/warp/public/110/32.html - Cisco's IOS Firewall Feature Set ACLS
http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113t/113t_3/firewall.htm The Cisco IOS Firewall Feature Set and Context-Based Access Control
http://nsa2.www.conxion.com/cisco/download.htm
NSA Cisco Router Security Recommendations
http://www.sans.org/newlook/resources/idfaq/vlan.htm - Are there Vulnerabilites in VLAN Implementations? http://www.cisco.com/networkers/nw02/post/presentations/docs/SEC-202.pdf - Layer 2 Attacks and Their Mitigation
http://www.cisco.com/warp/public/473/90.shtml#pvlan Securing Networks with Private VLANs and VLAN Access Control Lists (Isolate each DMZ server within its own PVLAN)
http://www.treachery.net/articles_papers/hardening_ios.html - Building Bastion Routers Using Cisco IOS
http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safe_wp.htm - SAFE: A Security Blueprint for Enterprise Networks
http://www.cisecurity.org/bench_cisco.html- Center for Internet Security Benchmark and Audit Tool for Cisco IOS Routers

Other System Admin Tools:

Network Intrusion Detection:
- http://www.snort.org/-snort: the grandaddy of open-source NIDS
  - Snort's friends:
  - http://www.bleedingsnort.com- Bleeding Snort: Breaking Snort Signatures
  - http://www.intersectalliance.com/projects/RazorBack/index.html - Razorback: Snort real time visual notification/log analysis
  - http://freshmeat.net/projects/fwlogwatch/?topic_id=245,43,151,152- fwlogwatch: Analyze snort ids logs (and others)
- http://hogwash.sourceforge.net/-Hogwatch: Based on snort, will drop malicious packets
- http://www.enteract.com/~lspitz/intrusion.html - IDS script for CheckPoint Firewall1 (or http://www.spitzner.net/).
Distributed Intrusion Detection:
- mynetwatchman
- dshield
HoneyNets:
- http://www.all.net/dtk/- Deception Toolkit
  http://www.citi.umich.edu/u/provos/honeyd/, http://freshmeat.net/projects/honeyd/?topic_id=87%2C862, also http://project.honeynet.org/, and http://www.honeynet.org.uk/index.php - Honeyd
- http://ippersonality.sourceforge.net- ippersonality: Emulate another OS at network level... fool remote OS detection tools such as nmap that rely on network fingerprinting. (Not really a honeypot, but I wasn't sure how to categorize it... )
Track down the intruders (or spammers):
- http://samspade.org/- Sam Spade
- http://www.securityfriday.com/ToolDownload/PromiScan/promiscan_doc.html-Track down sniffers on your local network
- Also install Host-Based IDS (above)
  http://www.network-tools.com
If this will be a fw1 server:
- Firewalls & VPN's :: The Firewall Hardening Guide
- http://www.enteract.com/~lspitz/armoring2.html- How to armor Solaris 2.8 for FW-1 NG
- http://www.phoneboy.com
- Deathstar
- fw1 analyzers
  - http://www.enteract.com/~lspitz/logger.html - fw1 log analyzer
  - http://www.enteract.com/~lspitz/fwtable.html - Examine CheckPoint's FW-1's stateful inspection table. Another of Lance's awesome resources.
IIS Headaches
- Labrea- Install with Trinux
Securing a Linux System (Tried on Red Hat, should work on others):
- http://www.bastille-linux.com- Bastille Linux
- http://www.linux-sec.net/Harden/harden.gwif.html-
- http://www.enteract.com/~lspitz/linux.html- Lance's "Armoring Linux"
- http://www.chkrootkit.org- Checks for rootkits; run it in a cron
- http://www.cisecurity.org/bench_linux.html- Center for Internet Security Benchmark and Scoring Tool for Linux
- linuxsecurity.com documentation: Security Quick Start- for Linux, For Red Hat
- http://devzone.stealthp.org/iptables-control- Iptables filter creator
Misc Goodies
- http://www.cymru.com/Bogons/index.html- Bogon List
- http://solarpack.sourceforge.net/ Solaris Solarpack project:prcompiled solaris binaries
- http://www.sunfreeware.com/Solaris freeware downloads
- Network Tools
- Misc Unix Resources
  - http://www.stokely.com/unix.sysadm.resources/index.html- General Unix Sysadm Resources
Note: Some items are mentioned more than once because they fall into more than one category.

If you know of a resource that should be added to this list, please email us at mgmg_interactive12345@12345hotmail.com
(remove all numbers from email address).

If you find this page useful, please link to us and let us know about it!
MGMG Articles:
- http://www.mgmg-interactive.com/
  Solaris, Cisco, Firewall, Security Resources
- http://www.mgmg-interactive.com/packages1.html
  An introduction to Solaris OS Installation options: Solaris Packages, Clusters, Software Groups
- http://www.mgmg-interactive.com/packages2.html
  A meta-analysis of the extra Solaris packages that several experts suggest you should install above and beyond your OS Core Install. These packages will increase your systems's logging and auditing, and aid in your other system administration tasks.
- http://www.mgmg-interactive.com/packages3.html
  An examination the packages installed with the Solaris SUNWCreq "end user" installation, and a meta-analysis of which packages the experts suggest you remove as part of the minimalization process in order to enhance system security.
- http://www.mgmg-interactive.com/solaris_startup_files.html
  An analysis of Solaris 8 startup files: Even if you performed a minimal Solaris install, there are a bunch of startup files which need to be disabled as part of your hardening routine. This paper lists each Solaris startup file along with its associated package, as well as checklists and scripts to delete (and modify/add) startup files designed to increase system security.
- http://www.mgmg-interactive.com/malware.html
  This paper describes the role that Browser Helper Objects (BHOs) play in malware infections and briefly outlines corporate anti-malware options. It also announces a new free enterprise malware scanner, which scans a corporate network for spyware infections by scanning remote registries for the presence of unauthorized Browser Helper Objects (BHOs).
(C) Copyright 2002-2007 David Glosser
mgmg_interactive12345@12345hotmail.com (remove all numbers from email address).
Please read disclaimer.
Last updated Sep 2007