Firewall Wizards mailing list archives
Re: Worms, Air Gaps and Responsibility
From: "Paul D. Robertson" <paul () compuwar net>
Date: Sat, 8 May 2004 17:32:14 -0400 (EDT)
On Sat, 8 May 2004, Mark Gumennik wrote:
> LINUX on a desktop? - I am going back to desktop administration right away. Hooray! - we will get paid more money than security gurus! And instead of getting 5 people per 1000 users (whatever the standard is right now) we will have to hire 25. Go employment for IS, I mean us!
I really don't see where you get 5x the number of administrators - a desktop OS isn't all that difficult to administer. Were I to do a Linux one at this stage, I'd be pretty tempted to do all of my updates centrally (our dev group does this for all their servers, and it works well without much care and feeding), and remote admin is as easy as anything else. Better yet, for things like administrative assistants' desktops, I'd be tempted to do a Knoppix-based distro where I had some pretty good assurance of what's running there. Got any data to back up the 5x figure, or is it just posturing? I know everywhere I've worked, we've always had fewer people running more AIX, Solaris and Linux servers than Windows servers - and the folks running the *nix stuff actually did other jobs full-time, so I'm curious as to what exactly would take 5x the resources on a desktop system, which generally doesn't do anything all that strenuous. Most of the folks I've spoken to in the last year who've contemplated the move to Linux desktops have cited support costs as one of the drivers, so I'm interested in where you get a 5x rise in cost.
> AND how the heck do you propose to manage AAA? Any replacement for domain infrastructure? - the only one I know today that is better than MS is Novell NDS (and btw it's 10 years more mature, and btw it works on LINUX). Shall we use NDS? - Go back to that monster? Was it better under their dictatorship?
Personally, I'd do SecurID's ACE server for servers and important desktops via RADIUS, and just plain RADIUS for the rest. Many years ago, when I ran Linux on my desktop[1], I had it set up to do RADIUS auth to an ACE server, and it worked just fine for local and remote access. It gave me non-repudiation to a system that had a lot of access, and fit in well with a corporately managed authentication scheme.
> AND: where do you get the info about LINUX being more secure than the Big Bad? Read any serious info, like from Bugtraq; LINUX had more vulnerabilities for the past 3 years than any given MS OS
Actually, it's about even if you look at what's normally run in a corporate environment - I just got through proofing a study by someone that proclaimed MS had a much better patch rate and fewer vulnerabilities, but when you took the "vendor was notified" instead of "vendor notified world" stuff out, and removed stupid things like nethack from the list of things with a critical vulnerability, there really wasn't all that much difference - with one exception - if you wanted to do better with Linux, you could, because you could remove all the unnecessary functionality, add things like StackGuard, or better yet Exec Shield[2], and add in things like MAC compartments if you wanted the administrative overhead, etc. I've been through all of last year's vulns, and most of this year's, and it's pretty much a wash, especially when you pick and choose *what* gets installed on a Linux system. That's an extra day's work up front, if you're keeping track.
> AND: I don't like the fact that LINUX security is mostly sponsored by German and some other governments, just don't like it. Do you seriously check all the code before installing the OS? Every distro?
>
> Mark G
Well, Microsoft's outsourcing code to India - not that American coders need to be nefarious to introduce bugs wide enough to drive a truck through. "Mostly sponsored" is FUD though - most Linux security stuff has come from the community itself, not from government sponsorship, and to date, NSA has probably been the biggest single sponsor. Any idea who wrote the GINA implementation you use? Because I can get the name and e-mail address and changes anyone's contributed to Linux. Face it, the US doesn't have a monopoly on programmers, and you don't have any idea where the components, drivers and libraries running on a Microsoft system came from either. This is, after all, the company that couldn't *find* the source to one of its operating systems when a court told them to. You *can't* do it in a Microsoft environment, so it's a straw man anyway. As far as "sponsoring" Linux security, it's more "bring what you want" - things like RSBAC are user-contributed, things like SE Linux are US Government-sponsored, and things like the capabilities stuff were just folks who were interested in it. It doesn't matter though, because you're free to implement whichever one you trust the most, or do your own code - if you care enough to not like the default options. Want to deal with PAM, fine - write your own PAM modules; don't trust PAM, fine - implement your own scheme, or validate what's there, or decide to live with the risk. It's about choice, and it's about responsibility - on a closed system, you have neither. I tend to look at the critical bits, or choose components where I trust the development team when possible, and I run source code scanners over lots of things. Do you run all the Microsoft code through IDA Pro and figure out what it does? Your Taiwanese graphics card drivers? The DLLs installed by your AV company? All it takes is one signed key, and a Microsoft system will swallow anything sent to it. Funny trust model there.
Again, there's "have the capability to do this relatively easily should I care to" against "can't do this in a reasonable manner even if I want to." Finally, you can always decide that you prefer the way one of the BSDs has implemented security, and use the Linux compatibility layer that Net-, Free- and Open- offer to run Linux things where you can't get native stuff. Heck, spend what you're saving on license fees and have a code audit done - it's not like you don't have the code to audit from!

Paul

[1] I still have Linux desktops, but do a lot from OSX at work.

[2] Exec Shield has the potential to negate stack and heap overflows. While it's still "not quite there" for some applications, it's good enough for others, and you won't see it in a Microsoft OS anytime soon.

-----------------------------------------------------------------------------
Paul D. Robertson          "My statements in this message are personal opinions
paul () compuwar net         which may have no basis whatsoever in fact."
probertson () trusecure com  Director of Risk Assessment
                            TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
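The RADIUS-backed login Paul describes above (a Linux desktop authenticating against a RADIUS front end, with local accounts kept only where you decide to allow them) can be expressed as a PAM stack. The following is an added configuration example, not something from the original post, from Paul, or from any vendor's documentation; it assumes the FreeRADIUS `pam_radius_auth` module is installed, and the file paths, server address and shared secret are placeholders to be replaced with your own.

```text
# --- /etc/pam.d/system-auth (Debian-style systems use /etc/pam.d/common-auth) ---
# Added example: auth section only. Paths and server details are assumptions.
auth    required     pam_env.so

# Variant A: RADIUS is mandatory. A RADIUS failure, or an unreachable server,
# denies the login. This is the "servers and important desktops" case, where
# every login must be attributable to the central authentication service.
auth    required     pam_radius_auth.so conf=/etc/pam_radius_auth.conf retry=2

# Variant B (use instead of A, never together): RADIUS first, local password as
# fallback. "sufficient" ends the stack on RADIUS success; on RADIUS failure or
# timeout the local pam_unix check below decides. Note the trade-off: while the
# RADIUS server is down, anyone with a local password can still log in, so
# audit which accounts actually have local passwords on such hosts.
#auth   sufficient   pam_radius_auth.so conf=/etc/pam_radius_auth.conf retry=2
#auth   required     pam_unix.so try_first_pass

# --- /etc/pam_radius_auth.conf ---
# One RADIUS server per line: server[:port]  shared_secret  timeout_seconds
# The address and secret below are placeholders, not values from the post.
# This file holds the shared secret, so it must be readable by root only (mode 0600).
#radius.example.internal:1812   REPLACE_WITH_SHARED_SECRET   3
```

Before relying on Variant A, keep a root console session open while testing a new login, since a typo in the secret or a firewall rule blocking UDP/1812 locks every user out until the stack is corrected. With either variant, the RADIUS server's own logs become the authoritative login record, which is the non-repudiation property the post is describing.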