Firewall Wizards mailing list archives
RE: Worms, Air Gaps and Responsibility
From: "Mark Gumennik" <mgumennik () mitre org>
Date: Tue, 11 May 2004 10:49:25 -0400
What happened to the freedom of speech (opinions?). Personal humiliation is a very nice way to suppress the opponent, so now I have to write this email instead of painting my garage door (nice weather here). I have to restrict myself only to answering your (mostly personal) questions and promise not to reply to any more remarks on the subject.

Gwendolynn ferch Elydyr:

* Uhhhh. Too much coffee? Sugar?

-----Sorry, I am doing Atkins at the moment, no coffee or sugar.

* That's quite a leap of logic you're making. You've basically gone: (1) Put Linux on the desktop [statement] (2) Install bells and whistles [presumption] (3) Linux is as vulnerable as Microsoft [conclusion]

----All three of the above are statements: we are discussing Linux on a desktop, bells and whistles is what users want (statement), and according to Bugtraq the third statement is true with an equal amount of services installed.
---Now if you, O' Great Teacher, want to watch my logic (which I thought was obvious), read the next paragraph. Sorry for disobedience.

* ...that you've left out NIS/NIS+, LDAP, Radius and Kerberos suggests to me that you're not very familiar with what's available for AAA under Linux.

-----I have done a good deal of administering firewalls, desktops, routers, email, remote access (everything you mentioned plus TACACS and Ace), never administered NIS, thanks GD. From http://www.linux-nis.org: "Linux machines ..can also act as full NIS+ clients, this support is in beta stage." Does this look like mature technology? Is it scalable? Is it stable? Running LDAP is mostly good for user lookup; Radius is a great tool for remote user administration. You forgot to mention more user databases: e-mail, printers, group permissions, share permissions, and more.

Now you have half a dozen different databases which need to have connectors between them (oh, btw you have to customize some of the connectors and code the others, AND you have to administer them, so you need many more administrators and programmers, go IS!). You now have to enforce password policies on all of them. After that you obviously expect the users to change their 25-letter passwords every month and on all (5) databases. The result: you end up with for-life passwords for e-mail, LDAP, network shares, and secure intranets. The fact that they are carried by Kerberos becomes almost irrelevant once they are compromised.

So how do we synchronize the user names / passwords? X.500 (and X.400 connector) comes to mind (btw originated in Switzerland, not US). The fact that you did not mention such an important topic suggests to me that you're not very familiar with the process of user support and the X.500 technologies (sorry, I'm using your methods / terminology). Hence: AD and NDS. They do scale, they are stable and they provide much more than X.500 (statement).

-----Years ago I developed a formula for successful network administration (when I was actually doing it): The fact that you CAN do it does not mean that you WILL do it. For example you can use a 300-line ACL on your internal router, it will work just fine for security, but you will kill your backbone (I do have some actual data from last year's experimentation). Can you use Linux on a desktop? - yes; will you? - need real numbers, not the ones that come from Red Hat.

* That aside, if you're trying to suggest that government and corporate sponsorship is somehow putting malicious code in Linux, you should also suggest the same of Microsoft and Novell - and any number of other entities. While you're at it - do audit the windows source code.

-----I have no doubt that ALL of them put some kind of backdoors in the software. The degree of responsibility is different (and the amount of potential lawsuit money).

* I'm glad that the other folks that I know at Mitre aren't at your level

---- Thanks for measuring me. I have been measured against numerous standards and usually my level is not very high with ass-kissers, bureaucrats and demagogues. The rest of the world is fine.
----On the subject: Mitre is here to develop, absorb and promote the best technologies. Sorry, dunno anybody at reptiles.org, nice to meet you.

* Can't handle AAA on Linux

---Did I say it? - very convenient substitution again. I said it takes much more effort to handle AAA in a *nix environment on a desktop, that's why NDS and AD. And they are not free even on Linux.

* Are deeply suspicious of non-US governments

-----Yes I am. Especially as an immigrant who has seen other governments operate. The main function of any government is to suppress freedom by definition; the difference is how they operate (source: Machiavelli, Plutarch, Guy Platonic, George Orwell, etc. Did not see it in the net admin guides).

Paul D. Robertson:

* Now, the real point (since you obviously missed it) that everyone was making in regards to your original argument about vulnerabilities is that Linux only looks bad when you count all the silly things that nobody sane would install on a corporate desktop. Trying to turn that from "more vulnerabilities on bugtrack (sic)" to "equal" is disingenuous when you're trying to stand behind a point, since I already said "about equal." ..I don't need to open RPC to anything other than loopback for Linux on the desktop (and rarely even there.) In fact, I tend to turn *off* more things than I turn *on* for a Linux machine when I'm configuring it from a default install. Furthermore, I'm capable of running almost all services at a priv. level less than local administrator- which doesn't make the vulns equivalent.

----Do you consider yourself an average user?
---Sorry to inform you that under the MS environment if you only give your users "User" rights instead of "local Admin" you don't need to bother about 99% of the vulnerabilities of the OS since they (and a Joe Hacker) can not install any new code. You can run your patches under a "run as" identity starting with w2k. I have done it during my consulting years and it worked even under NT. Also you probably are missing the point that users today want a rich desktop. You can (and shall) take it away in a bank environment, but not in a general office, like their ability to point and click on the network (vs. ftp from a command line?).
----Slightly off topic but close: I've been watching RH prepare an attack on the free software community for a long time and finally one more evil empire was born. Bow. Obey. Base your calculations on their "corporate" prices. Good boy.

* Mitre never used to be so attention-starved- are you waiting on a clearance?

---- I do not represent Mitre here.
-----I do have the clearance and am not due for review any time soon, will probably be on SSI by that time considering my age :-).

* Since AD is based upon Kerberos for its default primary authentication mechanism, I don't see how you come to the conclusion that AD is any more "built-in FOR THE DESKTOPS" than Kerberos. Nice use of caps - NOT! Lose the baggage and bring some facts, ok?

----Fact: you need to administer Kerberos in a *nix environment. Fact: you don't need to administer it in an MS environment. Read the last statement twice.

To the list: A couple of years ago I tried to sniff the difference between Kerb v.5 and MS and could not come up with meaningful data (did not have time). Anybody has more info?

Ron DuFresne:

* the German government now directs linux security? you do have pointers to this to backup such a claim?

-----"Sponsors", not "directs", and I said governments (plural), which you somehow dropped.

From today's Google:
http://www.heise.de/newsticker/meldung/6918
http://news.osdir.com/article149.html
http://www.linux-kongress.org/helpus.html
http://news.com.com/2104-1001_3-983204.html
http://www.linuxsecurity.com.br/sections.php?op=imprime&artid=2

Devdas Bhagat:

* With a Linux/Unix desktop running X and remote applications, the real requirements come down from 100 desktops to ten beefier boxes

----Do you propose to give 10 boxes instead of 100 to 100 users? - back to mainframe? - again confusing the issues of security devices (servers), OS (MS is a no-no) and the desktop infrastructure. AAA at the perimeter is still different from AAA at the desktop.

-----
Cheers
Mark
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
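The post's operational claim, that a desktop whose users hold only "User" rights cannot have new code installed on it and that patches are applied under a separate "run as" identity, can be verified on a Windows box with the following script. This is an added example from the editor, not code from the post or from anyone on the list; the account name CORP\patch-admin, the path C:\Patches\update.msi and the use of msiexec are placeholders chosen for illustration.

```powershell
# Added example (not from the post): check that the interactive user is NOT a
# local administrator, show who is, confirm that ordinary Users cannot write to
# Program Files, and then run an installer under a separate admin identity.
# Account names and paths below are placeholders (assumed, not from the post).

# 1. Does this session carry the Administrators group in its token?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"{0} running as administrator: {1}" -f $identity.Name, $isAdmin

# 2. Who actually sits in the local Administrators group?
#    (Get-LocalGroupMember needs Windows PowerShell 5.1 or newer.)
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource

# 3. Members of Users get ReadAndExecute on %ProgramFiles% by default;
#    any Modify/FullControl entry here means "User rights" no longer blocks
#    code installation on this machine.
$acl = Get-Acl -Path $env:ProgramFiles
$acl.Access |
    Where-Object { $_.IdentityReference -like '*\Users' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

# 4. Apply a patch under a dedicated admin identity (the post's "run as"):
#    the day-to-day session stays unprivileged, only this one process runs
#    as CORP\patch-admin (placeholder account).
$adminCred = Get-Credential -UserName 'CORP\patch-admin' -Message 'Patch account'
Start-Process -FilePath 'msiexec.exe' `
    -ArgumentList '/i', 'C:\Patches\update.msi', '/qn' `
    -Credential $adminCred -Wait

# The same step from cmd.exe, available since Windows 2000 as the post says:
#   runas /user:CORP\patch-admin "msiexec /i C:\Patches\update.msi /qn"
```

One caveat for anyone applying this today rather than on the Windows 2000/XP hosts the post has in mind: since Windows Vista, User Account Control hands `runas` and `Start-Process -Credential` the admin account's filtered (non-elevated) token, so an installer started this way may still be refused write access to Program Files or HKLM. On UAC-enabled systems, elevate explicitly (for example `Start-Process -Verb RunAs` from a session that can answer the consent prompt) or push patches through a management agent that already runs as SYSTEM; the least-privilege split between the user's session and the patching identity is unchanged.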
Current thread:
- Re: Worms, Air Gaps and Responsibility, (continued)
- Re: Worms, Air Gaps and Responsibility Devdas Bhagat (May 07)
- Re: Worms, Air Gaps and Responsibility Paul D. Robertson (May 07)
- Re: Worms, Air Gaps and Responsibility Mark Gumennik (May 08)
- Re: Worms, Air Gaps and Responsibility Devdas Bhagat (May 08)
- Re: Worms, Air Gaps and Responsibility Erick Mechler (May 10)
- Re: Worms, Air Gaps and Responsibility Paul D. Robertson (May 10)
- Re: Worms, Air Gaps and Responsibility Erick Mechler (May 10)
- Re: Worms, Air Gaps and Responsibility Paul D. Robertson (May 10)
- Re: Worms, Air Gaps and Responsibility Devdas Bhagat (May 10)
- Re: Worms, Air Gaps and Responsibility Paul D. Robertson (May 08)
- RE: Worms, Air Gaps and Responsibility Mark Gumennik (May 11)
- RE: Worms, Air Gaps and Responsibility Paul D. Robertson (May 11)
- AIX LPAR security hermit921 (May 25)
- Re: AIX LPAR security Paul D. Robertson (May 25)
- Re: Worms, Air Gaps and Responsibility Devdas Bhagat (May 11)
- widnows vs unix and security Re: Worms, Air Gaps and Responsibility ArkanoiD (May 12)
- RE: Worms, Air Gaps and Responsibility Gwendolynn ferch Elydyr (May 11)
- Re: Worms, Air Gaps and Responsibility Gwendolynn ferch Elydyr (May 10)
- Re: Worms, Air Gaps and Responsibility R. DuFresne (May 10)
- RE: Worms, Air Gaps and Responsibility Mark Gumennik (May 10)
- RE: Worms, Air Gaps and Responsibility Paul D. Robertson (May 10)