Firewall Wizards mailing list archives

Re: Worms, Air Gaps and Responsibility


From: "Paul D. Robertson" <paul () compuwar net>
Date: Sat, 8 May 2004 17:32:14 -0400 (EDT)

On Sat, 8 May 2004, Mark Gumennik wrote:

> LINUX on a desktop? - I am going back to desktop administration right
> away. Hooray! - we will get paid more money than security gurus! And
> instead of getting 5 people per 1000 users (whatever the standard is
> right now) we will have to hire 25. Go employment for IS, I mean us!

I really don't see where you get 5x the number of administrators- a
desktop OS isn't all that difficult to administer, were I to do a Linux
one at this stage, I'd be pretty tempted to do all of my updates
centrally (our dev group does this for all their servers, and it works
well without much care and feeding) and remote admin is as easy as
anything else.  Better yet, for things like administrative assistants'
desktops, I'd be tempted to do a Knoppix-based distro where I had some
pretty good assurance of what's running there.

Got any data to back up the 5x figure, or is it just posturing?  I know
everywhere I've worked, we've always had fewer people running more AIX,
Solaris and Linux servers than Windows servers- and the folks running the
*nix stuff actually did other jobs full-time, so I'm curious as to what
exactly would take 5x the resources on a desktop system, which generally
doesn't do anything all that strenuous.

Most of the folks I've spoken to in the last year who've contemplated the
move to Linux desktops have cited support costs as one of the drivers, so
I'm interested in where you get a 5x rise in cost.

> AND how the heck do you propose to manage AAA? Any replacement for
> domain infrastructure? - the only one I know today that is better than
> MS is Novell NDS (and btw it's 10 years more mature, and btw it works on
> LINUX) Shall we use NDS? - Go back to that monster? Was it better
> under their dictatorship?

Personally, I'd do SecurID's ACE server for servers and important
desktops via RADIUS, and just plain RADIUS for the rest.  Many years ago,
when I ran Linux on my desktop[1], I had it set up to do RADIUS auth to an
ACE server, and it worked just fine for local and remote access.  It gave
me non-repudiation to a system that had a lot of access, and fit in well
with a corporately managed authentication scheme.

> AND: where do you get the info about LINUX being more secure than the
> Big Bad? Read any serious info, like from Bugtraq, LINUX had more
> vulnerabilities for the past 3 years than any given MS OS

Actually, it's about even if you look at what's normally run in a
corporate environment- I just got through proofing a study by someone that
proclaimed MS had a much better patch rate and fewer vulnerabilities, but
when you took the "vendor was notified" instead of "vendor notified world"
stuff out, and removed stupid things like nethack from the list of things
with a critical vulnerability, there really wasn't all that much
difference- with one exception- if you wanted to do better with Linux, you
could, because you could remove all the unnecessary functionality, add
things like stack guard, or better yet exec shield[2], and add in things
like MAC compartments if you wanted the administrative overhead, etc.

I've been through all of last year's vulns, and most of this year's, and
it's pretty much a wash, especially when you pick and choose *what* gets
installed on a Linux system.  That's an extra day's work up front, if
you're keeping track.

> AND: I don't like the fact that LINUX security is mostly sponsored by
> German and some other governments, just don't like it. Do you seriously
> check all the code before installing the OS? Every distro?
> Mark G

Well, Microsoft's outsourcing code to India- not that American coders need
to be nefarious to introduce bugs wide enough to drive a truck through.

"Mostly sponsored" is FUD though- most Linux security stuff has come from
the community itself, not from government sponsorship, and to date, NSA
has probably been the biggest single sponsor.  Any idea who
wrote the GINA implementation you use?  Because I can get the name and
e-mail address and changes anyone's contributed to Linux.

Face it, the US doesn't have a monopoly on programmers, and you don't have
any idea where the components, drivers and libraries running on a
Microsoft system came from either.  This is, after all, the company that
couldn't *find* the source to one of its operating systems when a court
told them to.

You *can't* do it in a Microsoft environment, so it's a straw man anyway.

As far as "sponsoring" Linux security, it's more "bring what you want" -
things like RSBAC are user-contributed, things like SE Linux are US
Government-sponsored, and things like the capabilities stuff were just
folks who were interested in it.  It doesn't matter though, because you're
free to implement whichever one you trust the most, or do your own code-
if you care enough to not like the default options.  Want to deal with
PAM, fine- write your own PAM modules- don't trust PAM, fine implement
your own scheme- or validate what's there, or decide to live with the
risk.  It's about choice, and it's about responsibility- on a closed
system, you have neither.

I tend to look at the critical bits, or choose components where I trust the
development team when possible and I run source code scanners over lots of
things.  Do you run all the Microsoft code through IDA Pro and figure out
what it does?  Your Taiwanese graphics card drivers?  The DLLs installed by
your AV company?  All it takes is one signed key, and a Microsoft system
will swallow anything sent to it.  Funny trust model there.

Again, there's "have the capability to do this relatively easily should I
care to" against "can't do this in a reasonable manner even if I want to."

Finally, you can always decide that you prefer the way one of the BSDs has
implemented security, and use the Linux compatibility layer that Net-,
Free- and Open- offer to run Linux things where you can't get native stuff.

Heck, spend what you're saving on license fees and have a code audit done-
it's not like you don't have the code to audit from!

Paul
[1] I still have Linux desktops, but do a lot from OSX at work.
[2] Exec Shield has the potential to negate stack and heap overflows.
While it's still "not quite there" for some applications, it's good enough
for others, and you won't see it in a Microsoft OS anytime soon.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

