Re: Is anyone actually USING IP QoS?
On 06/16/99 10:55:40 AM Alex P. Rudnev wrote:
> They (cisco) promised to release ssh. Hope we'll see it in a few years. For now, install IPSEC, tunnel, bla-bla-bla, and maybe you'll have a piece of security.
cisco *has* released code with ssh (ok, not released in the cisco-sense but you can get it)
> Unix machine... drop all services you don't need, run your services not as the root, install secure level or read-only file system - and no problems.
this is just ridiculous. it's not as simple as "no problems". the things you state are rather obvious but for a system to be used as *anything* (cache, web server, video server, etc) you simply have to have certain ports open, many times simple udp ports. locking down services/ports, and running anything you can as non-root certainly goes a long way in protecting the system but it's just not that cut and dried. i'll give you and vadim full credit for being math wizards, or scientists (which i clearly am not) but don't choose your next career in the computer/network security industry. :) -brett
> > Unix machine... drop all services you don't need, run your services not
> > as the root, install secure level or read-only file system - and no
> > problems.
>
> this is just ridiculous. it's not as simple as "no problems". the things
> you state are rather obvious but for a system to be used as *anything*
> (cache, web server, video server, etc) you simply have to have certain
> ports open, many times simple udp ports. locking down services/ports,
> and running anything you can as non-root certainly goes a long way in
> protecting the system but it's just not that cut and dried.

The services are not the problem - use an overflow-protected function stack (this exists now), use a security level to prevent any unauthorised changes outside of maintenance windows (exists now), and use systems that allow the outer services to run as non-root processes (no www, no dns, no caching needs high privileges; mail relaying doesn't need it either, pop or stream services don't need it either, etc).

On the other hand, it's an open system - I can be sure the program stack is really overflow-protected (this means - you can't make wrong things even if you can overflow the stack), the file systems are really protected from changes, the services really have no extra privileges. Non-open systems have some benefits at first because hackers can't investigate the source code, but then, a few years later, they appear to have huge problems. It's amazing to read about worms, mail viruses, etc working in the Unix environment, btw (though I can't blame Mr. Gates for it).

> i'll give you and vadim full credit for being math wizards, or scientists
> (which i clearly am not) but don't choose your next career in the
> computer/network security industry. :)

I can't speak about Vadim, but the security industry often has a very strange approach to security itself. They close nonexistent holes, but often leave very dangerous ways to intrude open.
And then, do you know the best firewall in the world? It's the scissors.
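The two hardening rules argued over above (only the ports the box actually needs are open, and the services behind them do not run as root) checked mechanically, as an added example that belongs to neither poster: a Python audit of `lsof -i -P -n` output against a per-host list of needed ports. The lsof sample and the NEEDED set are constructed for a hypothetical cache/web/dns host.

```python
"""Audit listening sockets: flag listeners that are not on the needed list
(turn them off) and needed listeners owned by root (re-home them under an
unprivileged account).  Input is the text of `lsof -i -P -n`."""

# Constructed sample, not captured from a real host.
SAMPLE_LSOF = """\
COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd     801  www     4u  IPv4  12399      0t0  TCP *:80 (LISTEN)
named     733  root    5u  IPv4  12410      0t0  UDP *:53
squid     900  proxy   6u  IPv4  12500      0t0  TCP *:3128 (LISTEN)
fingerd   950  root    3u  IPv4  12600      0t0  TCP *:79 (LISTEN)
httpd     801  www    12u  IPv4  12700      0t0  TCP 10.0.0.5:80->10.0.0.9:40112 (ESTABLISHED)
"""

# Hypothetical policy: the (protocol, port) pairs this box is expected to serve.
NEEDED = {("TCP", 80), ("UDP", 53), ("TCP", 3128)}


def parse_lsof(text):
    """Yield (command, user, proto, port) for every server socket in
    `lsof -i -P -n` output; established client connections are skipped."""
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 9 or "->" in fields[8]:  # "->" marks a connected socket
            continue
        proto = fields[7]
        # TCP sockets are servers only when flagged (LISTEN); UDP has no state.
        if proto == "TCP" and "(LISTEN)" not in line:
            continue
        port = int(fields[8].rsplit(":", 1)[1])  # works for *:80 and [::]:80 alike
        yield fields[0], fields[2], proto, port


def audit(text, needed=NEEDED):
    """Return (unneeded, root_owned): listeners to shut off, and needed
    listeners that still run as root and should be moved to a non-root user."""
    unneeded, root_owned = [], []
    for cmd, user, proto, port in parse_lsof(text):
        if (proto, port) not in needed:
            unneeded.append((cmd, proto, port))
        elif user == "root":
            root_owned.append((cmd, proto, port))
    return unneeded, root_owned


if __name__ == "__main__":
    off, rehome = audit(SAMPLE_LSOF)
    print("shut off:", off)        # [('fingerd', 'TCP', 79)]
    print("run as non-root:", rehome)  # [('named', 'UDP', 53)]
```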