Firewall Wizards mailing list archives

RE: The Morris worm to Nimda, how little we've learned or gained


From: "Paul D. Robertson" <proberts () patriot net>
Date: Sun, 6 Jan 2002 21:43:10 -0500 (EST)

On Sat, 5 Jan 2002, R. DuFresne wrote:

It's even worse than that though.  Even your 'average' unix admin installs
most every package on the vendor's CD, and many even go through most all

Yep, part of the OBSD "not in a default install" success is that they 
don't install much by default.  It'd be interesting to see the same stats for 
every OS with the same services which come by default in OBSD.  I think 
there is value in the work that the OBSD team has done in providing 
platform assurance, but I think it needs to be tempered against 
application sets when comparisons are made.

the 'ports' and install those too!  I've banged my head far too many times
when trying to get policies to a point where admins were 'supposed' to do
installs on systems based upon the specific services those machines were
supposed to be placed to support, and only those services.  While at AT&T,

It gets worse when you go to things like Solaris where CDE abounds and the 
font server wants rpcbind.

As long as CDs are put out with total distributions and full or 'port'
code, getting systems up and running to support only the service the
system was commissioned to support is a near impossibility.  This is not
just an issue at the desktop level for sure...

It's worse though when the vendor mandates it through chaining code.  
Exchange is probably the current canonical example (it wants SQL Server, 
IIS...)  Solaris is a three day exercise to unwind enough stuff and compile 
IPFilter into the kernel to block enough to be comfortable, futz with 
runlevels...  Scripting helps, but it's a real pain the first time 
through.


While Paul makes some good points about end-user 'education' being a lost
cause, education at the admin level certainly needs to be regeared I
think, and hiring practices re-examined.

Absolutely.  That's why despite my personal anti-certification stance[0], 
I've poured actual energy into my employer's "what a generic network admin 
needs to know about security" certification[1].

Paul
[0] Got none, want none, see little value in having them vs. experience.
[1] Ask me directly if you want to know and can't find it- the list 
doesn't need marketing material.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
