BSDCon's BSD System Security tutorial

By Nathan Boeger

This year's BSDCon is being held at the Monterey Hyatt in Monterey, CA. The first tutorial was a two-day session covering BSD System Security. For the most part the classes are intensive, and there was a lot of ground to cover. Attendees should have been fairly comfortable with at least one flavor of UNIX. However, there was considerable mention of routers and their important role in overall network security.

Most of the attendees were system admins for ISPs and a few for universities (clutching their laptops like newborn babies). I did not take a roll, but it was quite an international crowd. Some of the attendees were from European countries, others from Latin America, and a few from Asian countries. Overall they seemed to be very knowledgeable and experienced with similar security problems.

The tutorial was taught by Alan Clegg, presently working for BSDi. He seemed quite knowledgeable in security procedures. Alan has been a system admin since 1982, so his experience with networking was very impressive. As a speaker, Alan was pretty good, and sometimes even funny. His presentation was very well thought out and organized. At the beginning of the tutorial, we were given a printed version of his presentation, which was great because I am not a good note taker.

The topics covered were pretty comprehensive. Alan started with an outline of what computer crime is and ended with a quick guide to the latest script kiddie software. He also showed an example of using Nessus on our local network set up inside the hotel, which discovered a few hosts that were ripe for an attack.

I found that a good amount of the material covered was useful in my everyday job as a system admin. The most important was the "Technical Writing 101" section, which took a good portion of the first day's afternoon. This was a comprehensive definition of a Security Policy. Most companies today don't have a proper policy of any kind for their computer systems. This is not only bad from a system admin's point of view but could also be harmful in a legal situation. Bottom line: if you took this tutorial and only walked away with this policy outline, then the class paid for itself many times over.

Another item stressed in this tutorial was the fact that the current legal system is unable to handle computer crime. This is not news, and certainly not only a US problem but an international one as well. System admins should be very careful in reacting to computer abuse. Believe it or not, some defensive actions can legally benefit the abuser. Alan advised us to become more familiar with the laws and regulations in our area, which I think system admins don't tend to take very seriously. This section showed how important it is to be advised on the legal ramifications of your actions as a system admin.

Another important topic was basic Unix security. Alan gave a quick guide to shutting down unused services, file permissions, passwords and password etiquette. He also discussed how to better secure your name servers, which looked at running BIND more securely and what not to include in your domain records. Alan also spent some time explaining the different encryption algorithms and how they work. He also went into good detail explaining IPsec and how it creates its secure pipe. Finally, Alan discussed how some newer distributed DoS attacks work, and what you can do to prevent them (if anything).

My overall impression of this class was that if you are a system admin, experienced or not, this tutorial was worth the time and money spent. Some of the topics were review for most experienced system admins. However, this is a changing industry and a good review of basic security concepts is always needed. Not to mention that you might learn something new, or discover an area that you have previously overlooked and not paid much attention to. For new system admins, this class was a great introduction to practical Unix security. The information will help throughout your career as a system admin.

Nathan Boeger nathan (at someplace like) khmere.com is a senior system admin / systems developer for GetRelevant, a promotional Internet marketing company.