Re: Is anyone actually USING IP QoS?
On 06/16/99 10:31:03 AM Vadim Antonov wrote:
| Brett_Watson@enron.net wrote:
| | i'll give you that. however, caches tend to run under unix-like os's which are multi-user and multi-service machines. they can be susceptible to DoS attacks, and can be running services listening on a port which can potentially be "hacked". my only point is that you are trading a set of security issues in multicast for *different* security issues with a cache.
| A Unix machine can be secured a lot better than any commercial router.

i don't believe that at all. i say this from operational experience, not just generalizing.

| For one, you can get the source code for it and see what the hell it is doing and fix discovered security holes ASAP.

in some cases, yes you can. but the fact that i (someone who doesn't crack systems) can get source code to some flavors of unix doesn't stop the hackers from getting it either. no *real* gain here. and if you don't think that some of the more elite hackers in the world have access to proprietary source code, both systems and router vendors.... if you're not scared, you don't understand.

| Second, just run SSH or Kerberos. SSH on cisco, anyone? Nyah.

maybe i just misunderstand you but you seem to portray these issues as black and white. they're not. ssh has had known security problems, and kerberos, while i like it myself, is damned easy to misconfigure which opens all kinds of holes.

-brett
Brett_Watson@enron.net wrote:
| in some cases, yes you can. but the fact that i (someone who doesn't crack
| systems) can get source code to some flavors of unix doesn't stop the
| hackers from getting it either. no *real* gain here. and if you don't

Actually, there's quite a bit of gain. If something is discovered, usually the patch is fairly trivial and can be written by just about anyone with a little coding experience. Once it's written, anyone can apply it, perhaps MONTHS before the vendor releases a patch. I'd say having my systems patched in less than half the time would have to go on the 'gain' list, wouldn't you? Also, consider the fact that the script kiddies usually haven't the slightest clue how to do a real code review with an eye towards potential security flaws.

| think that some of the more elite hackers in the world don't have access to
| proprietary source code, both systems and router vendors.... if you're not
| scared, you don't understand.

Proprietary source leaks are not particularly uncommon, no... scary? Not really. The type of people who manage to pick up, say, complete IOS source trees, generally aren't the type who distribute them and aren't particularly reckless in how they use them. I think his point is simply this: proprietary source -may- leak, but that isn't necessarily a big incentive for the vendor to ensure that their code is bulletproof; a vendor that is distributing source far and wide will go much further to ensure that they have a secure, reliable product than one that doesn't. Ultimately, you have to assume that -everyone- attacking your systems has full source code... and therefore, if you can swing it, you should probably have it too. It is for this reason alone that security through obscurity -does not work-. It may occasionally be necessary, but choosing it as your front line defense is less than wise.

| maybe i just misunderstand you but you seem to portray these issues as
| black and white. they're not. ssh has had known security problems, and
| kerberos, while i like it myself, is damned easy to misconfigure which
| opens all kinds of holes.

K4, maybe. K5? Not quite so easily. Either is not nearly as bad as open telnet. And "has had known security problems" is not the same as "has known security problems," and the former does not strengthen your argument nearly as much as you seem to think it does.

Perhaps you should follow your own career advice.

--msa
For 99.9% of networks, SSH/SLOGIN on the cisco (in conjunction with S/Key or similar if you want extra protection) is enough for the routers. Maybe ssh has some security problems, but I can hardly imagine where they would matter except in some bank system where an intruder can get $100,000 at once in case of success. On the other hand, for now, 99% of routers over the world are configured without any security except simple access lists and simple shared passwords. Just because someone thought _ssh is not enough and is not necessary at all_. As usual, you should start from the small steps (ssh) and then go to the big ones (IPSEC) if necessary, not vice versa. K4, K5 - Kerberos was killed by the US government, unfortunately... :-) No interest at all.
| K4, maybe. K5? Not quite so easily. Either is not nearly as bad as open telnet. And "has had known security problems" is not the same as "has known security problems," and the former does not strengthen your argument nearly as much as you seem to think it does.
|
| Perhaps you should follow your own career advice.
|
| --msa
Aleksei Roudnev, Network Operations Center, Relcom, Moscow (+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 230-41-41, N 13729 (pager) (+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
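As an added illustration of the "small step" Alex describes (this is not from the original thread, and it uses current Cisco IOS syntax rather than anything available on the 1999 images being discussed): a vty configuration in the state he says most routers are in, telnet with one shared password behind a simple access list, beside one that accepts only SSH with per-user credentials and no cleartext management listener. The hostname, domain name, username, the placeholder secrets in angle brackets and the 192.0.2.0/24 management range are all assumed values.

```text
! --- Weak: the state described as typical on most routers ---
! One shared password, cleartext telnet, and only an access list in the way.
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 10 in
 password cisco
 login
 transport input telnet

! --- Corrected: SSH only, per-user login, no cleartext management plane ---
! hostname and ip domain-name are required before an RSA key can be generated
! (both names are assumed placeholders).
hostname rtr1
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh authentication-retries 3
ip ssh time-out 60
service password-encryption
! Placeholder secrets; replace before use.
enable secret <strong-enable-secret>
username netops privilege 15 secret <strong-password>
! Drop the HTTP listener so the router exposes nothing besides SSH.
no ip http server
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 10 in
 login local
 exec-timeout 10 0
 transport input ssh
```

The difference that matters is on the `line vty` stanza: `login local` authenticates each operator against the local username database instead of one password everybody shares, and `transport input ssh` refuses telnet outright rather than relying on the access list alone. `show ip ssh` confirms that SSHv2 is enabled and that a key exists; if it reports SSH disabled, the RSA key was not generated, usually because the hostname or domain name was still unset.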
participants (3): Alex P. Rudnev, Brett_Watson@enron.net, Majdi Abbas