Re: The magic security CD disc Re: HTTP proxies
In message <Pine.GSO.4.44.0212081952200.11337-100000@clifden.donelan.com>, Sean Donelan writes:
Has anyone come out with a fix everything CD customers could use to clean up their systems? This isn't an operating system specific issue. Buggy and misconfigured software is running on Unix, Mac, Windows, etc.
It can't be done, at least not usefully. It's easy to turn things off; the hard part is knowing what should be left on, given your needs, the threat environment, and other protective measures. I forget which of the Rainbow Series of books said it -- the Yellow Book, I think -- but one of them noted that the same LAN that was insecure in an office might be quite secure in a submerged submarine with a highly-cleared crew aboard.
It is possible, though, to write something that would analyze a configuration and present you with a sensible menu of choices. It could know, for example, that one can't disable rpcbind if other RPC-based services are running. But getting that right for even a single release of a single OS is hard enough, let alone many releases of many OSes. And then, of course, you want to add advice to the user.
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com ("Firewalls" book)
On Sun, 8 Dec 2002, Steven M. Bellovin wrote:
I forget which of the Rainbow Series of books said it -- the Yellow Book, I think -- but one of them noted that the same LAN that was insecure in an office might be quite secure in a submerged submarine with a highly-cleared crew aboard.
As far as I know, we don't have a big problem with zombie computers on submarines DOSing the Internet.
It takes a lot of time to talk individual users through fixing their computers. Especially when they didn't break it. They just plugged the computer in, and didn't spend 4 hours "hardening" it. Most of the time we're not talking about very complex server configurations, with full-time system administrators.
The "magic" CD would be for people who don't know they are sharing their computers with the Internet. When they find out (or someone else reports it), they don't want to share their computers with everyone on the Internet. They just want it fixed.
--On 08 December 2002 23:16 -0500 Sean Donelan <sean@donelan.com> wrote:
It takes a lot of time to talk individual users through fixing their computers. Especially when they didn't break it. They just plugged the computer in, and didn't spend 4 hours "hardening" it. Most of the time we're not talking about very complex server configurations, with full-time system administrators. The "magic" CD would be for people who don't know they are sharing their computers with the Internet.
How unfortunate that the magic CD you refer to is not the one with "Microsoft Windows" written on the front :-p
Seriously, it is faintly ridiculous that we have operators talking about a magic CD to fix the broken default installations of various operating systems (I include Linux etc. here too). If OS vendors shipped, by default, less broken configs (or at least configs that turned services off - e.g. port 137 - when not required), much, though not all, of this problem would go away. Just like it is (now) considered irresponsible to ship a PABX/Voicemail system with open dialthrough, the same should be true of operating systems. In many such OS's, like it or loathe it, automatic or semiautomatic update mechanisms already exist. This would seem to be a good use to put them to. Perhaps NIPC etc. should start talking to OS vendors.
Concrete example (not to pick on MS for a change) - every time I've installed a Linux machine I spend 10 or 20 minutes rewriting the (kernel) firewall rules for the box to suit the apps I have installed. It's a completely automatable task. Someone unfamiliar with either IP or UNIX would find writing such a script very hard and it would take them much longer. Do mainstream distributions include such an automatically built script by default? Not to my knowledge.
Alex Bligh
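The two ideas raised in this thread, a configuration analyzer that knows rpcbind cannot be disabled while RPC-based services depend on it, and firewall rules built automatically from the applications in use, are sketched together below as an added example that is not part of any message in the thread. It assumes `ss -H -tulnp` output and nftables syntax, both of which postdate the discussion; the sample listing is constructed and the `RPC_CLIENTS` set is an illustrative assumption.

```python
import re

# Constructed sample of `ss -H -tulnp` output (not captured from a real host).
SAMPLE = """\
tcp LISTEN 0 128  0.0.0.0:22    0.0.0.0:* users:(("sshd",pid=811,fd=3))
tcp LISTEN 0 4096 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=640,fd=7))
udp UNCONN 0 0    0.0.0.0:111   0.0.0.0:* users:(("rpcbind",pid=500,fd=5))
tcp LISTEN 0 4096 [::]:20048    [::]:*    users:(("rpc.mountd",pid=900,fd=9))
tcp LISTEN 0 50   0.0.0.0:445   0.0.0.0:* users:(("smbd",pid=950,fd=30))
"""

# Assumption: services that register with rpcbind and break if it is disabled.
RPC_CLIENTS = {"rpc.mountd", "rpc.statd", "ypbind"}

def parse_listeners(text):
    """Return {(proto, port, process)} for sockets reachable from off-host."""
    found = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6:
            continue
        addr, port = f[4].rsplit(":", 1)
        if addr.startswith("127.") or addr == "[::1]":
            continue  # loopback-only listeners are not exposed
        m = re.search(r'\(\("([^"]+)"', line)
        found.add((f[0], int(port), m.group(1) if m else "unknown"))
    return found

def advise(listeners, wanted):
    """wanted: process names the user needs. Returns (allow, notes)."""
    needed, notes = set(wanted), []
    dependents = sorted(needed & RPC_CLIENTS)
    if dependents:  # the dependency rule from the thread: keep rpcbind
        needed.add("rpcbind")
        notes.append("keep rpcbind: required by " + ", ".join(dependents))
    running = {proc for _, _, proc in listeners}
    notes += ["exposed but not requested: " + p for p in sorted(running - needed)]
    allow = sorted({(pr, po) for pr, po, proc in listeners if proc in needed})
    return allow, notes

def render_nft(allow):
    """Default-deny nftables input chain that opens only the allowed ports."""
    head = ["table inet filter {", "  chain input {",
            "    type filter hook input priority 0; policy drop;",
            "    ct state established,related accept", '    iif "lo" accept']
    rules = [f"    {proto} dport {port} accept" for proto, port in allow]
    return "\n".join(head + rules + ["  }", "}"])

if __name__ == "__main__":
    allow, notes = advise(parse_listeners(SAMPLE), {"sshd", "rpc.mountd"})
    print("\n".join(notes), render_nft(allow), sep="\n")
```

The `-p` process column is only populated for sockets the caller may inspect, so run `ss` as root when feeding real output; unattributed sockets are reported as `unknown` and stay blocked by the default-deny policy.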