Firewall Wizards mailing list archives

Re: The Morris worm to Nimda, how little we've learned or gained


From: "Paul D. Robertson" <proberts () patriot net>
Date: Mon, 7 Jan 2002 17:13:19 -0500 (EST)

On Mon, 7 Jan 2002, Rich Kulawiec wrote:

> On Sun, Jan 06, 2002 at 09:43:10PM -0500, Paul D. Robertson wrote:
> > Solaris is a three day exercise to unwind enough stuff and compile 
> > IPFilter into the kernel to block enough to be comfortable, futz with 
> > runlevels...  

> Yes, it is.  Repeating the exercise for other Unix/Linux OSs gets rather
> tedious as well, which is one of the reasons that I've mostly fixed on
> OpenBSD for "single-service boxes".

Linux and *BSD don't tend to be as bad as everyone who swallowed the CDE 
worm and found that hook.  I can get a fairly novice admin to tighten 
things down in about 20 minutes for anything that isn't commercial.

> But on the upside, there are now enough tools to allow me to install
> J. Random Unix/Linux distribution and figure out what it's running,

I've been running Linux boxen since kernel .98p11, and I've resisted using 
distribution-specific tools until I had to come up with a "how do I 
configure this well" document and found RedHat's chkconfig.  It's fairly 
easy to emulate with scripts, but I find the combo of RC stuff and 
(x)inetd stuff all in one place invaluable for having a novice do the 
right thing.  I've installed lsof on anything I've had to administer for 
quite a number of years now, and it coupled with some greps will have even 
a novice admin looking at exactly the right things pretty quickly.

> The problem, though, as you pointed out elsewhere in your note, is that
> sometimes the requisite functionality (e.g. Solaris requiring rpcbind to
> serve fonts) is handled in a way that makes it hard to turn off everything
> that I'd really like to.

I'm working on a solution to this that I think will work out well, I just 
need to get the Solaris C compiler to cooperate with my cobweb'd mind :)  
If I can get it to work and I can get it released in source form, I'll 
announce it widely.

> A second problem is that I'd like to avoid this entire process; but I'm
> not aware of any Unix/Linux distribution whose install procedure includes
> taking the user through a dialog that advises them what they're opening
> vs. what they're closing.

It wouldn't be difficult to turn everything off and ask; it's just that 
while it's not the default, it'll not be used (MS Outlook Security patch 
anyone?)

> A third problem is that some distributions conflate the meaning of "install
> this piece of software" with "install and ENABLE this piece of software".
> There are often times I'd like to do one, but reserve the decision
> on the other until a later time (if at all).

Used Debian I take it? ;)  Machine-level risk assessments need to be 
something that's ingrained, or we need to have better ways to tune 
security without impacting *used* features.  I thought it was pretty 
telling when someone earlier posted about UUCP being enabled on Web 
servers, and having trouble shutting it down because (it seems to me) 
admins aren't used to knowing how things operate anymore.  The argument 
that Open Source changes that isn't strong enough; the argument needs to 
be that the understanding is necessary no matter what the platform, and 
let the models deal with the costs in their own ways.

> To be honest, I don't know of a really good approach to address this.
> One thought that occurs to me is that software authors might consider
> including, in addition to the ubiquitous "README" and "INSTALL" files
> that are part of many (most?) open-source packages, a file called...
> hmmm, let's call it "IMPACT" because it somewhat reminds me of an
> environment impact statement...which would detail what files/directories
> are modified when this package is installed, what network port(s) it
> listens on, what processes it will run, etc.  But I'm not sure if this
> is a useful idea or not.  Comments?

I think it's more useful to have a utility that figures it all out and 
makes things right.  I'm constantly reminded of how easy "Zone Alarm" is to 
use.  Yes, it has its faults, but it mostly does the right thing without 
the user having to think very hard.  Something more akin to that might be 
better in making an impact.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
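The "lsof coupled with some greps" and "RC stuff and (x)inetd stuff all in one place" approach Paul describes, written out as a small audit script. This is an added example, not code from the list post or from either poster; the two sample blocks are constructed to look like the output of `lsof -nP -i` and `chkconfig --list` so it runs offline, and the column layout it assumes (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME STATE) is lsof's default for `-i` listings. The service names, PIDs and ports in the samples are made up.

```shell
#!/bin/sh
# Added example: answer "what is this box actually listening on?" and "what is it
# configured to start?" from lsof and chkconfig output, the way a novice admin
# can be pointed at the right things quickly.

# CONSTRUCTED sample of `lsof -nP -i` output (not captured from a real host).
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      412 root    3u  IPv4   1234      0t0  TCP *:22 (LISTEN)
rpcbind   301 root    6u  IPv4   1100      0t0  TCP *:111 (LISTEN)
rpcbind   301 root    7u  IPv4   1101      0t0  UDP *:111
uucico    517 uucp    4u  IPv4   1400      0t0  TCP *:540 (LISTEN)
httpd     620 root    5u  IPv4   1500      0t0  TCP *:80 (LISTEN)
sshd      700 root    4u  IPv4   1600      0t0  TCP 10.0.0.5:22->10.0.0.9:51234 (ESTABLISHED)
postgres  800 pgsql   5u  IPv4   1700      0t0  TCP 127.0.0.1:5432 (LISTEN)'

# CONSTRUCTED sample of `chkconfig --list` output (RC services, then xinetd ones).
SAMPLE_CHKCONFIG='sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:off   3:on    4:off   5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
uucp            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:off   3:off   4:off   5:off   6:off
xinetd based services:
        telnet:         on
        finger:         off
        uucp:           on'

# listening_sockets: read `lsof -nP -i` output on stdin and print one line per
# bound socket: "PROTO PORT COMMAND USER SCOPE". Established TCP connections and
# connected UDP sockets (NAME contains "->") are skipped; SCOPE says whether the
# bind is on every interface, loopback only, or one specific address.
listening_sockets() {
    awk '
        $5 ~ /^IPv[46]$/ && (($8 == "UDP" && $9 !~ /->/) || $10 == "(LISTEN)") {
            n = split($9, a, ":"); port = a[n]
            addr = substr($9, 1, length($9) - length(port) - 1)
            if (addr == "*" || addr == "0.0.0.0" || addr == "[::]") scope = "all-interfaces"
            else if (addr ~ /^127\./ || addr == "[::1]") scope = "loopback"
            else scope = "one-address"
            printf "%s %s %s %s %s\n", $8, port, $1, $3, scope
        }'
}

# enabled_services: read `chkconfig --list` output on stdin and print the
# services switched on at the given runlevel (default 3) as "rc NAME", followed
# by the xinetd-managed services that are on as "xinetd NAME".
enabled_services() {
    rl="${1:-3}"
    awk -v rl="$rl" '
        /^xinetd based services:/ { inx = 1; next }
        inx && $2 == "on" { sub(/:$/, "", $1); print "xinetd " $1; next }
        !inx && NF >= 2 {
            for (i = 2; i <= NF; i++) if ($i == rl ":on") { print "rc " $1; break }
        }'
}

# Stand-alone run over the constructed samples. On a live host replace the
# printf with:  lsof -nP -i | listening_sockets   and   chkconfig --list | enabled_services 3
echo "== listening sockets =="
printf '%s\n' "$SAMPLE_LSOF" | listening_sockets
echo "== exposed on all interfaces =="
printf '%s\n' "$SAMPLE_LSOF" | listening_sockets | grep all-interfaces
echo "== enabled at runlevel 3 =="
printf '%s\n' "$SAMPLE_CHKCONFIG" | enabled_services 3
```

The two lists are meant to be read side by side: anything in the "all-interfaces" set that has no business on the box (uucico on a web server, in the thread's own example) is the first thing to chase, and `enabled_services` tells the admin whether turning it off means an RC script, an xinetd entry, or both.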

