Black Belt Systems Administration: Don't block with your face


One of the Masters (6th Dan) at my Tae Kwon Do school, Master Robert Gross, has developed his _Ten Commandments of Martial Arts_. He has very graciously permitted me to use the first of his commandments, "Thou shalt not block with thy face", for one of my _Black Belt Systems Administration_ topics. The first corollary for this is "Don't drop your arms". From a martial arts viewpoint, this is pretty easy to understand. Your arms are used to block attacks. Your head is vital; if you get hit there, you are much more likely to lose.

From a systems administration perspective, we can think of this as "protect your vulnerable points". Look at your environment: what are the most vital points that, if compromised, would compromise your entire environment? This scales from the view of a single system, where you protect your administrative account, up to the largest environments, where you use firewalls to make sure that outsiders can only access your web server, and only over the authorized web port.

When I was first starting in systems administration, and the web was a brand new thing, we often didn't give as much thought to security as we do now. I had just convinced the company I worked for to migrate from UUCP to a "high speed" dedicated PPP connection over a 56k modem. This allowed us to have "real time" email with our customers, rather than two or three times daily batch. It allowed us to put up a website where our clients could get information on our products. It allowed us to download software and patches without having to go through the FTPMAIL service (which, since our UUCP costs were metered, cut down our expenses significantly). Most importantly (to me, at least) it allowed me to access our systems remotely and fix problems if I were, for example, visiting my girlfriend back at college. I was *excited* to show off this great advance we were making with our computing environment.

I brought our lead developer and the owner of the company over to my desk and showed them the new website (life was simple back then, our logo and a few links) that we could have. I showed them how I could log onto my account at school. I emailed back and forth from our mail to the University and showed them how fast it was. I found some information about a problem we'd been having with one of the pieces of software we used. They "oohed" and "aahed" at all the right places.

Then we got to my most important feature and I really got excited. I showed him how I could log back in from the University and fix things, and how our developers might be able to do some work from home. Then, I hooked him by pointing out how _he_ could work from home between surfing (real, on the ocean, with waves and everything) sessions. And he asked how I could stop someone else from logging on and stealing the source code to our software. I stopped. I stared. I stammered. I talked about all sorts of basic security, like passwords, and NFS netgroups, and turning off FTP.

And, he told me to put the UUCP link back until I came up with a way to protect his company's main asset. That night I went out and bought the then brand new Cheswick and Bellovin "Firewalls and Internet Security" and Garfinkel and Spafford's "Practical Unix & Internet Security". And, a few weeks later, I had a new firewall that the owner was comfortable with. Before that, I had unknowingly dropped my arms and was blocking with my face.