Firewall Wizards mailing list archives
RE: Worms, Air Gaps and Responsibility
From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 11 May 2004 13:35:39 -0400 (EDT)
On Tue, 11 May 2004, Mark Gumennik wrote:
> What happened to the freedom of speech (opinions?). Personal humiliation is

When it's represented as fact, it gets attacked by other speech. You didn't say "I think..." Let's look: "And instead of getting 5 people per 1000 users (whatever the standard is right now) we will have to hire 25." Strong assertion, no rationale, no backup data- not even marketing numbers... Then you said: "Read any serious info, like from bagtrack, LINUX had more vulnerabilities for the past 3 years than any given MS OS"

Well, I happen to have actually *looked* at vulnerabilities in Linux, and I've proofread, analyzed and commented on both them, and studies about them, as well as the Microsoft ones. For instance, some study data I have for a market research firm from June, 2002 through May, 2003 shows a total of 480 vulnerabilities, including CVE and Bugtraq numbers where appropriate. 137 of these are listed as "Microsoft" vulnerabilities- while all the cross-platform ones, like PHP, are listed as Linux vulnerabilities. The "Linux" ones include Fax packages, documentation archiving and creation packages, Web proxies, IPSec implementations, bug tracking systems, instant messenger programs, mail transfer agents, programming languages, network diagnostic utilities, databases, and games.

Here's a sample of a "High" severity "Linux" vulnerability:

  CAN-2002-1307 mhonarc Cross-site scripting vulnerability (XSS) in MHonArc 2.5.12 and earlier allows remote attackers to insert script or HTML via an email message with the script in a MIME header name.

Whee, an XSS attack against a specific Web archiving package- yeah, that so balances out Sasser. So, can you substantiate your claim? Better yet, want to look not just at vulnerabilities, but risk, and quantify the cost of those vulnerabilities to the average organization over that same period?

[snip]
> * ...that you've left out NIS/NIS+, LDAP, Radius and Kerberos suggests to me that you're not very familiar with what's available for AAA under Linux.
>
> -----I have done a good deal of administering firewalls, desktops, routers, email, remote access (everything you mentioned plus TACACS and Ace), never administered NIS, thanks GD. From http://www.linux-nis.org: "Linux machines ..can also act as full NIS+ clients, this support is in beta stage." Does this look like mature technology? Is it scalable? Is it stable? Running LDAP

NIS+ support in Linux is likely older than AD support- given the changes the last round of patches (you know, the one that fixed Sasser) made to AD authentication, mature and stable isn't exactly what I'd be throwing around.
> is mostly good for user lookup; Radius is a great tool for remote user administration. You forgot to mention more user databases: e-mail, printers, group permissions, share permissions, and more. Now you have half a dozen different databases which need to have connectors between them (oh, btw you have to customize some of the connectors and code the others, AND you have to administer them, so you need much more administrators and programmers, go

You keep missing the fact that you don't need more administrators- the ones you're calling names work just fine. Once again, you ignore (a) the fact that you can choose whichever technology is most suitable *including* AD/domain stuff, and (b) you can script 99% of the stuff quickly *once* if you can't already find someone who's already done it.
> IS!). You now have to enforce password policies on all of them. After that you obviously suspect the users to change their 25 letter passwords every month and on all (5) databases. The result: you end up with for-life passwords for e-mail, LDAP, network shares, and secure intranets. The fact that they are carried by Kerberos becomes almost irrelevant once they compromised
Funnily enough, everyone I know who's done this hasn't had this problem. Maybe your experience isn't as relevant to analyzing these technologies as you believe?
> So how do we synchronize the user names / passwords? X-500 (and X-400 connector) comes to mind (btw originated in Switzerland, not US). The fact that
Uh oh! Those Swiss people keep doing that World Wide Web thing too, with some Brit guy- we should definitely watch out for that!
> you did not mention such important topic suggests to me that you're not very familiar with the process of user support and the X-500 technologies (sorry, I'm using your methods / terminology).
Maybe it's because nobody uses x.500 to do what you suggest?
> Hence: AD and NDS. They do scale, they are stable and they provide much more than X-500 (statement)

So use Samba to do it all- it runs just fine on Linux.
> -----Years ago I developed a formula for successful network administration (when I was actually doing it): The fact that you CAN do it does not mean that you WILL do it. For example you can use a 300-line ACL on your internal router, it will work just fine for security, but you will kill your backbone (I do have some actual data from last year experimentation). Can you use
I've had to deal with routers with 300-line ACLs that didn't kill backbones, it's all about the ordering and traffic patterns.
> Linux on a desktop? - yes; will you? - need real numbers, not the ones that come from Red Hat
What do you mean real numbers? Most of the other people in this discussion *use* Linux on the desktop- some of them might even work at companies where it's a common practice.
> * That aside, if you're trying to suggest that government and corporate sponsorship is somehow putting malicious code in Linux, you should also suggest the same of Microsoft and Novell - and any number of other entities. While you're at it - do audit the windows source code.
>
> -----I have no doubt that ALL of them put some kind of backdoors in the software. The degree of responsibility is different (and the amount of potential lawsuit money).
You'd do well to take a copy of the Windows license agreement to an attorney and get a real legal opinion on that "potential lawsuit money." For all the looking at the code done by at least a few competent people, nobody seems to have found a government sponsored back door in the Linux source code.
> * Can't handle AAA on Linux
>
> ---Did I say it? - very convenient substitution again. I said it takes much more effort to handle AAA in .nix environment on a desktop, that's why NDS and AD. And they are not free even on Linux

Nobody said they had to be free (hmmm, our crops should be safe!)- heck- I wouldn't recommend it, but you could even run a Windows AD server with Linux desktops.

[snip]
> Paul D. Robertson
> * Now, the real point (since you obviously missed it) that everyone was making in regards to your original argument about vulnerabilities is that Linux only looks bad when you count all the silly things that nobody sane would install on a corporate desktop. Trying to turn that from "more vulnerabilities on bugtrack (sic)" to "equal" is disingenuous when you're trying to stand behind a point, since I already said "about equal." ..I don't need to open RPC to anything other than loopback for Linux on the desktop (and rarely even there.) In fact, I tend to turn *off* more things than I turn *on* for a Linux machine when I'm configuring it from a default install. Furthermore, I'm capable of running almost all services at a priv. level less than local administrator- which doesn't make the vulns equivalent.
>
> ----Do you consider yourself an average user?
You put in administrators, now you're going to let the users configure their own desktops? Please- let's try for some consistency! It takes a complete newbie about 20 minutes to configure a Linux machine to the same standard I do assuming they can use a text editor and have administrative permissions. That's a one-time thing- and if they want to understand the process- it's faster if you just do it, and it'd be all of 25 minutes to script the whole thing.
> ---Sorry to inform you that under MS environment if you only give your users "User" rights instead of "local Admin" you don't need to bother about 99% of vulnerabilities of the OS since they (and a Joe Hacker) can not install any
Um no- that'd be for _application_ vulnerabilities, for MS, the browser is in the OS- you get the OS vulns anyway, see Sasser, Slammer, et al. FWIW, you don't have to give Linux users administrative rights either.
> new code. You can run your patches under "run as" identity starting with w2k. I have done it during my consulting years and it worked even under NT. Also you probably are missing the point that users today want rich desktop.
Just because they want it doesn't mean they automatically get it, it's dependent on a company's security policy, risk assessment and culture.
> You can (and shall) take it away in a bank environment, but not in a general office, like their ability to point and click on the network (vs. ftp from a command line?).
There are *lots* of GUI FTP clients for Linux- and guess what? Browsers still do point and drool FTP too!
> ----Slightly off topic but close: I've been watching RH to prepare an attack on the free software community for a long time and finally one more evil empire was born. Bow. Obey. Base your calculations on their "corporate" prices. Good boy.

Oh joy! Another strawman- this is scarecrow alley! With MS, you have *no* choice! With Linux, you can switch to Debian, SuSE, White Box, Immunix, EnGarde, Turbo, YellowDog, or any of a dozen or so others- many of them Linux Standards Base compliant to make for easy cutover!
> * Since AD is based upon Kerberos for its default primary authentication mechanism, I don't see how you come to the conclusion that AD is any more "built-in FOR THE DESKTOPS" than Kerberos. Nice use of caps - NOT! Lose the baggage and bring some facts, ok?
>
> ----fact: you need to administer Kerberos in .nix environment. fact: You don't need to administer it in MS environment. Read the last statement twice.
Fact: You need to worry about AV in an MS environment, you can take the money you spend on AV, switch it to some policy enforcement and Kerberos admin if you'd like and still come out ahead.
> To the list: A couple of years ago I tried to sniff the difference between Kerb v.5 and MS and could not come up with meaningful data (did not have time). Anybody have more info?
MS sends pre-auth info during login, RC4 is the default instead of DES, MS uses SIDs in its authorization data, DNS is required, MS caches the password for ticket renewal - a few other things, nothing too major.
> Ron DuFresne: the German government now directs linux security? you do have pointers to this to backup such a claim?
>
> -----"Sponsors" not "directs", and I said governments (plural) which you somehow dropped. From today's Google:
> http://www.heise.de/newsticker/meldung/6918
> http://news.osdir.com/article149.html
> http://www.linux-kongress.org/helpus.html
> http://news.com.com/2104-1001_3-983204.html
> http://www.linuxsecurity.com.br/sections.php?op=imprime&artid=2

You know, in Linux, as with most Unices, we have this neat little tool called "diff"- it's really, really useful for figuring out what someone added to the source code- once again, how, pray tell, do you validate your graphics card driver under Windows?
> Devdas Bhagat: With a Linux/Unix desktop running X and remote applications, the real requirements come down from 100 desktops to ten beefier boxes
>
> ----do you propose to give 10 boxes instead of 100 to 100 users? - back to mainframe? - again confusing the issues of security devices (servers) OS (MS is a no-no) and the desktop infrastructure. AAA at the perimeter is still different from the AAA at the desktop.

That depends on the organization's requirements. Lots of places who've either recently switched to, or are in the middle of planning a switch to Linux desktops seem to not need as much "groupthink" services, probably because they're not trying to apply a hammer to unscrew a screw- it's oft said that when all you have is a hammer, everything looks like a nail.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson          "My statements in this message are personal opinions
paul () compuwar net        which may have no basis whatsoever in fact."
probertson () trusecure com  Director of Risk Assessment, TruSecure Corporation
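Paul's objection is about counting method: a study that files every cross-platform package under "Linux" will always show a bigger Linux column. The following is an added example, not code from the thread, that takes a constructed handful of records in the style of the study he describes (only the CAN-2002-1307 mhonarc entry is taken from the thread; every other identifier is constructed) and counts them two ways: study-style attribution versus counting only components that actually expose a given platform's default corporate desktop.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    ident: str                 # CVE/CAN id; constructed except CAN-2002-1307
    package: str
    platforms: tuple           # platforms the affected package actually runs on
    severity: str
    in_default_desktop: bool   # would a sane corporate desktop build ship it?


# Constructed sample records; only CAN-2002-1307 comes from the thread.
SAMPLE = (
    Vuln("CAN-2002-1307", "mhonarc", ("linux", "windows", "bsd"), "High", False),
    Vuln("CONSTRUCTED-1", "php", ("linux", "windows", "bsd"), "High", False),
    Vuln("CONSTRUCTED-2", "kernel", ("linux",), "High", True),
    Vuln("CONSTRUCTED-3", "lsass", ("windows",), "High", True),
    Vuln("CONSTRUCTED-4", "ie", ("windows",), "High", True),
    Vuln("CONSTRUCTED-5", "nethack", ("linux",), "Low", False),
)


def count_study_style(vulns):
    """Count the way Paul describes the study: anything that is not a
    Windows-only component is filed in the 'linux' column."""
    counts = Counter()
    for v in vulns:
        counts["windows" if v.platforms == ("windows",) else "linux"] += 1
    return dict(counts)


def count_by_exposure(vulns, platform, default_only=True):
    """Count vulns whose package actually runs on `platform`; with
    default_only, keep only components a default desktop build would run."""
    return sum(
        1 for v in vulns
        if platform in v.platforms and (v.in_default_desktop or not default_only)
    )


def attribution_gap(vulns, platform):
    """How many entries the study-style column carries beyond what actually
    exposes a default desktop on that platform: the inflation the thread argues about."""
    return count_study_style(vulns).get(platform, 0) - count_by_exposure(vulns, platform)
```

With the constructed sample the "Linux" column holds four entries under study-style counting but only one of them (the kernel entry) lands on a default desktop, while the Windows column is unchanged either way.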