Security, like most things in computer science, is a trade-off. The trade-off for more security is usually less convenience or productivity. This, coupled with the fact that security can never be perfect, means that sysadmins need to make choices about how much security they wish to implement. In the long run, you are simply making things difficult enough that attackers look elsewhere.
Also, you must realize that security threats can just as easily
come from an inside attack as an outside one. In other
words, it does no good if all of your security can be defeated by a
disgruntled employee.
Physical Security
One level of system security, and many times the simplest to
implement, is physical security. It is often much easier to break in
to a system by physical means than by electronic means. There are
several over-the-counter solutions, such as alarm and camera systems,
that can be used to defeat physical threats. Other things, such as safes
and bonded employees, can be useful in defeating attacks from within.
Network Security
The next layer of security to look at is the network layer.
Switches vs. Hubs
Both of these devices do the same thing: allow multiple computers, in a star topology, to connect to a LAN. However, they have some traditional differences.
Hubs, the older idea, share traffic generated from one computer with all other computers connected to the hub. The security issue here is that one user on a machine can see all traffic to and from all other machines on the hub. This is called sniffing, and it is a common method of getting passwords and other sensitive data off the network.
Switches, the newer idea, don't share traffic. This prevents sniffing of any machine except the machine the sniffer is running on.
Both can also provide other security features, such as detecting
security violations; devices that do this are commonly known as secure hubs or
switches. The idea here is that each port on the hub or switch has a
MAC address associated with it. This MAC address is specific to each
machine, and the hub or switch can do several things if it detects a
MAC address it did not expect on a port. The most common thing to do is to
disable the port.
Software Security
This is what most people think of when they think of computer
security. It dredges up images of a power-geek in the basement
under fluorescent lights, eating Funyuns and drinking Mountain Dew
while virtually keeping evil at bay 24x7 with his mad programming
skills. Good thing that's not what it's really like.
Services
Much security revolves around the services that a system provides. You should be careful to advertise only the services that you really need, and no more. It will look really bad if you are hacked into via the comsat port and your response is "I didn't know we used comsat".
How do you know what services a computer runs? The first place to look on a UNIX machine is /etc/inetd.conf. This is the configuration file for the "super-server" inetd. inetd handles several services (like telnetd, ftpd, fingerd, ...) from one process by listening on all the necessary ports and starting the requested service when a connection arrives. The idea is that instead of having several running processes that get little use, only one process needs to run: inetd.
The next place to look is the list of running processes. Most services that can be started from inetd can also run stand-alone, that is, as a process that does not exit when it is idle. Usually, processes that provide services are named in an obvious manner, e.g. in.fingerd or in.pop3d.
Since programmers, UNIX programmers especially, are very lazy, UNIX has many shortcuts to avoid typing in your username and password all the time. On one hand, this is an increase in security because it prevents passwords from being sent over the network as often. On the other hand, any time you simplify a process for yourself, you also simplify the process for a hacker.
Two good examples of this are the .rhosts file and the /etc/hosts.equiv file. These files provide a list of machines and usernames that can log in to a system without typing a password. The first applies to a specific user, while the second applies to the entire system. It is very easy to add incorrect machines or usernames to these files and thereby allow a hacker in without a password.
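The two checks described above (which services inetd will actually start, and whether .rhosts or hosts.equiv grants password-less access too broadly) can be scripted. The following is an added example, not part of the original text; the inetd.conf and hosts.equiv contents are constructed samples, and on a real host you would point the functions at the real files instead.

```shell
#!/bin/sh
# Audit helpers for /etc/inetd.conf and hosts.equiv / .rhosts.
# The sample files below are constructed so the script runs offline.

# Print the service names inetd would start: skip comment and blank lines
# and anything that is not a well-formed entry (at least six fields:
# service, socket type, protocol, flags, user, server path).
enabled_inetd_services() {
    awk '!/^[[:space:]]*#/ && NF >= 6 { print $1 }' "$1"
}

# Print hosts.equiv / .rhosts lines that trust too broadly: a "+" in the
# host field trusts every host, a "+" in the user field trusts every user.
risky_trust_entries() {
    awk '!/^[[:space:]]*#/ && NF > 0 && ($1 == "+" || $2 == "+") { print }' "$1"
}

# Constructed inetd.conf: two services enabled, finger and comsat commented out.
SAMPLE_INETD=$(mktemp)
SAMPLE_EQUIV=$(mktemp)
trap 'rm -f "$SAMPLE_INETD" "$SAMPLE_EQUIV"' EXIT
cat > "$SAMPLE_INETD" <<'EOF'
# <service> <socket_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#finger stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
#comsat dgram   udp  wait    root    /usr/sbin/tcpd  in.comsat
EOF

# Constructed hosts.equiv: one named host plus a wildcard that trusts everyone.
cat > "$SAMPLE_EQUIV" <<'EOF'
# hosts whose users may log in here without a password
trusted.example.com
+
EOF

echo "Services inetd will start:"
enabled_inetd_services "$SAMPLE_INETD"
echo "Overly broad trust entries:"
risky_trust_entries "$SAMPLE_EQUIV"
```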
The idea here is to give out as little information to potential attackers
as possible. A common piece of information that you don't want to give out
is a list of valid usernames. Since it is often just as easy to guess
a password for a username as it is to exploit some buffer overflow, hiding
your list of valid usernames makes it much more difficult to guess a correct
username/password combination.
Security References