nanog mailing list archives
Re: The magic security CD disc Re: HTTP proxies
From: "Steven M. Bellovin" <smb () research att com>
Date: Sun, 08 Dec 2002 21:50:20 -0500
In message <Pine.GSO.4.44.0212081952200.11337-100000 () clifden donelan com>, Sean Donelan writes:
> Has anyone come out with a fix everything CD customers could use to clean up their systems? This isn't an operating system specific issue. Buggy and misconfigured software is running on Unix, Mac, Windows, etc.

It can't be done, at least not usefully. It's easy to turn things off; the hard part is knowing what should be left on, given your needs, the threat environment, and other protective measures. I forget which of the Rainbow Series of books said it -- the Yellow Book, I think -- but one of them noted that the same LAN that was insecure in an office might be quite secure in a submerged submarine with a highly-cleared crew aboard.

It is possible, though, to write something that would analyze a configuration and present you with a sensible menu of choices. It could know, for example, that one can't disable rpcbind if other RPC-based services are running. But getting that right for even a single release of a single OS is hard enough, let alone many releases of many OSes. And then, of course, you want to add advice to the user.

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com ("Firewalls" book)
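An added illustration, not part of the message above or of any tool it mentions: a dependency-aware sketch of the "sensible menu" idea, which refuses to offer rpcbind for disabling while a needed RPC-based service depends on it. The service names, the dependency map and the function names are constructed assumptions for a hypothetical host.

```python
# Constructed sample: service -> services it needs running (hypothetical host).
DEPENDS_ON = {
    "rpcbind": set(), "sshd": set(), "telnetd": set(), "fingerd": set(),
    "mountd": {"rpcbind"}, "ypbind": {"rpcbind"},
    "nfsd": {"rpcbind", "mountd"},
}

def required_closure(needed, depends_on):
    """Needed services plus everything they depend on, transitively."""
    keep, stack = set(), list(needed)
    while stack:
        svc = stack.pop()
        if svc not in keep:
            keep.add(svc)
            stack.extend(depends_on.get(svc, ()))
    return keep

def disable_plan(running, needed, depends_on):
    """Return (keep, reasons, order): services that must stay on, which needed
    service forces each implicit one, and a safe order for disabling the rest."""
    keep = required_closure(needed, depends_on) & running
    reasons = {
        svc: sorted(n for n in needed
                    if n != svc and svc in required_closure({n}, depends_on))
        for svc in keep - needed
    }
    candidates = sorted(running - keep)
    order, seen = [], set()

    def visit(svc):
        # Place every running dependent first, so a service such as rpcbind
        # is only offered after the RPC services that rely on it.
        if svc in seen:
            return
        seen.add(svc)
        for other in candidates:
            if svc in depends_on.get(other, ()):
                visit(other)
        order.append(svc)

    for svc in candidates:
        visit(svc)
    return keep, reasons, order

if __name__ == "__main__":
    keep, reasons, order = disable_plan(set(DEPENDS_ON), {"sshd", "nfsd"}, DEPENDS_ON)
    for svc in sorted(keep):
        why = "required by " + ", ".join(reasons[svc]) if svc in reasons else "declared needed"
        print(f"keep     {svc:8} {why}")
    for svc in order:
        print(f"optional {svc:8} may be disabled")
```

The dependency map is the part the message calls hard: it differs per OS and per release, and the sketch says nothing about which services a given site actually needs.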