Slogging Wingots

By Paul Murphy, author of The Unix Guide to Defenestration

If you're running a bunch of Unix servers in a mixed environment, access security for your servers is usually at the mercy of the local Windows network administrators. If client data you're responsible for leaks, your ability to show whether that happened because an authorized user leaked it or because some external agent stole it will usually be minimal.

Assuming that you run Solaris 2.7 or later, have some disk space, and aren't CPU bound, you can largely remedy this by installing a firewall on each of your servers. This lets you do basic housekeeping things like accepting connections only on specified ports and from specified IP ranges. More importantly, however, it lets you set up an access log that can't be tampered with by people like a DBA working on one of your machines or a PCer "fixing" the external firewall.

Tell a minimum number of people (your boss, other Unix sysadmins on site) what you're doing, and then use the firewall to log everything, preferably to a separate filesystem not on the primary system disks.

Now, when the inevitable security crunch comes along and everyone else is running around pointing at each other, your logs will have the key information needed to determine whether the leak went through the PC firewall or to an internal address.
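As an added illustration of the triage those logs make possible (example code, not part of the original column), here is a small Python script that parses constructed IPFilter ipmon-style log lines and classifies each inbound connection by whether it arrived from the PC firewall's inside address (where NATed outside traffic appears to come from), from an internal address, or from somewhere unexpected. The ipmon line layout, the interface name and all addresses are assumptions made for the example; check the field layout against your own ipmon output.

```python
import ipaddress
import re
from collections import Counter

# Constructed ipmon-style lines; the field layout is an assumption based on
# ipmon's text output (date time iface @group:rule action src,port -> dst,port ...).
SAMPLE_LOG = """\
12/03/2002 09:14:02.118733 hme0 @0:3 p 10.1.20.44,3381 -> 10.1.5.6,1521 PR tcp len 20 60 -S IN
12/03/2002 09:14:09.442100 hme0 @0:3 p 10.1.0.1,41020 -> 10.1.5.6,1521 PR tcp len 20 60 -S IN
12/03/2002 09:15:55.000812 hme0 @0:1 b 192.168.77.9,52211 -> 10.1.5.6,23 PR tcp len 20 60 -S IN
12/03/2002 09:16:31.220004 hme0 @0:2 p 10.1.20.44,3390 -> 10.1.5.6,22 PR tcp len 20 60 -S IN
12/03/2002 09:17:40.909111 hme0 @0:1 b 10.1.0.1,4022 -> 10.1.5.6,161 PR udp len 20 48 IN
"""

# Constructed addressing: the PC firewall's inside address (outside traffic is
# NATed and shows up from here) and the internal LAN range.
PC_FIREWALL_INSIDE = {ipaddress.ip_address("10.1.0.1")}
INTERNAL_NETS = [ipaddress.ip_network("10.1.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[pbS]) (?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len \d+ \d+(?: (?P<flags>\S+))? (?P<dir>IN|OUT)$"
)

def classify_source(src):
    # The firewall check comes first: its inside address also lies in the LAN range.
    addr = ipaddress.ip_address(src)
    if addr in PC_FIREWALL_INSIDE:
        return "via-pc-firewall"
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    return "unexpected"

def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ipmon also writes NAT/state records; skip non-packet lines
        ev = m.groupdict()
        ev["origin"] = classify_source(ev["src"])
        events.append(ev)
    return events

def summarize(events):
    # Count inbound attempts by (origin, destination port, pass/block action).
    return Counter((e["origin"], int(e["dport"]), e["action"])
                   for e in events if e["dir"] == "IN")
```

Run `summarize(parse_log(SAMPLE_LOG))` (or feed it a real ipmon file) to see, per port, how many accepted connections came in through the PC firewall versus from internal hosts.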