Bugtraq mailing list archives

Operational Issues: Applications & Appliances (was: Buffer Overflow Survey Paper)


From: crispin () CSE OGI EDU (Crispin Cowan)
Date: Tue, 23 Nov 1999 20:25:06 +0000


Gary Flynn wrote:

> Crispin Cowan wrote:
> > Thus, one could say that buffer overflows are the leading
> > cause of software vulnerabilities, and misconfiguration is the leading
> > operational problem.  Which problem dominates overall vulnerability is
> > unclear.
>
> I'm digesting your paper but wanted to comment on the peripheral topic
> of "operational" issues.
>
> If we're going to add operational problems as a category, I'd
> suggest that "usage" may be a more predominant problem than
> "misconfiguration".
>
> End user practices of downloading unknown software, running the unproven
> "application of the week", and other risky behavior make the vulnerabilities
> due to misconfiguration and software defects that much more problematic.

I agree that configuration and operational issues are a hard problem to solve.
In general, I don't know how to solve them.  My (crass commercial) solution is
that folks who don't really know what they're doing should buy appliances
instead of general-purpose computers.  Then at least the configuration is done
by a professional.  The quality of the configuration then depends on the quality
of the vendor.  It is for this reason that WireX products are appliances:  I
have some trust that *I* applied my security tools correctly, but I'm not at all
sure that end-users can apply them correctly.

I'm rather amazed at the existence of the firewall *application* market, where
you buy a firewall product and install it on one of your server machines.  How
can such an application install take a pre-installed machine from an unknown
state to a secure state?  Does the install script for (say) Checkpoint do
extensive configuration checking and adjusting?  Or do they just assume a very
competent sys admin puts the machine into a "firewall" configuration?

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
Free Hardened Linux Distribution:                 http://immunix.org