Firewall Wizards mailing list archives

RE: Worms, Air Gaps and Responsibility


From: "Thomas W Shinder" <tshinder () tacteam net>
Date: Fri, 7 May 2004 07:51:17 -0500

I don't think "Don't use Windows" is a viable option in the long term.
Non-Windows OS servers have reached critical mass, especially in the
enterprise space, making them tasty targets. When non-Windows client
systems reach critical mass, exploits targeted against them will surely
come fast and furious. And unless the non-Windows OSs are "Windows-ized"
so that someone takes responsibility for fixing them, you'll end up
having to pay even more to move back to a Microsoft solution, since
Microsoft will have its security issues handled and the fledgling Linux
vendors will just be ramping up their IR efforts. 

The Windows v. Linux security debate isn't about inherent security
issues, it's about total attack surface. The per capita attack surface on
Windows OSs continues to decrease while the Linux systems seem to stay
about the same. But the aggregate attack surface for Windows systems is
much higher because of their market penetration. I do expect the market
penetration for Linux systems to increase in the next 5-10 years where
its aggregate attack surface will be much larger than Microsoft's.

The "Windows-ized" vendors will try to play catch up while Microsoft
will have its systems in place. And this doesn't even take into account
the "OS by committee" for non-vendor Linux system. Anything that is
based on a "depend on the kindness of strangers" approach isn't
something you can have a lot of faith in. At least it didn't work in
Tara ;-)

While recommending moving away from Windows might represent a security
ploy in the short term, the long term costs would be prohibitive for
larger organizations that move away, and then move back, to Microsoft.

Tom

Thomas W Shinder, M.D.
www.isaserver.org/shinder
ISA 2004 Beta - Get it now!
http://www.microsoft.com/isaserver/beta/default.asp
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Crispin Cowan [mailto:crispin () immunix com] 
Sent: Thursday, May 06, 2004 5:02 PM
To: Paul D. Robertson
Cc: Carson Gaspar; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Worms, Air Gaps and Responsibility


Paul D. Robertson wrote:

With all the money spent on "security" solutions that aren't as effective
as "don't connect"- how many companies even look at their user population
risk profiles and architect for it?  Not connecting is *really* cheap and
*really* effective.
 

Really effective I'll believe (it definitely is secure) but really cheap
I will challenge. IT facilities like e-mail and web do a lot to reduce 
operational costs. If you declare everyone's workstation to be 
"production" and disconnect them from the Internet then you may end up 
deploying a second set of workstations for Internet access, and that is 
not cheap.

OTOH, I advocate somewhat less drastic solutions like "don't use 
Windows", which is also "really cheap and really effective", and "adult 
supervision" tells me how unrealistic my proposal is with objections 
similar to my objections for disconnecting.

Crispin

-- 
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards