Bugtraq mailing list archives
Operational Issues: Applications & Appliances (was: Buffer Overflow Survey Paper)
From: crispin () CSE OGI EDU (Crispin Cowan)
Date: Tue, 23 Nov 1999 20:25:06 +0000
Gary Flynn wrote:
> Crispin Cowan wrote:
>> Thus, one could say that buffer overflows are the leading cause of software vulnerabilities, and misconfiguration is the leading operational problem. Which problem dominates overall vulnerability is unclear.
>
> I'm digesting your paper but wanted to comment on the peripheral topic of "operational" issues. If we're going to add operational problems as a category, I'd suggest that "usage" may be a more predominant problem than "misconfiguration". End user practices of downloading unknown software, running the unproven "application of the week", and other risky behavior makes the vulnerabilities due to misconfiguration and software defects that much more problematic.
I agree that configuration and operational issues are a hard problem to solve. In general, I don't know how to solve them. My (crass commercial) solution is that folks who don't really know what they're doing should buy appliances instead of general-purpose computers. Then at least the configuration is done by a professional. The quality of the configuration then depends on the quality of the vendor. It is for this reason that WireX products are appliances: I have some trust that *I* applied my security tools correctly, but I'm not at all sure that end-users can apply them correctly.

I'm rather amazed at the existence of the firewall *application* market, where you buy a firewall product and install it on one of your server machines. How can such an application install take a pre-installed machine from an unknown state to a secure state? Does the install script for (say) Checkpoint do extensive configuration checking and adjusting? Or do they just assume a very competent sys admin puts the machine into a "firewall" configuration?

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org