Dailydave mailing list archives
Re: Media Excitement!
From: Cody Hatch <bytejump () gmail com>
Date: Thu, 21 Apr 2005 20:16:24 +0000
I've lurked long enough and need to participate rather than be a leech.

<exasperation> Where do we go from here, though? Why aren't solutions such as PaX, grsecurity, systrace, etc. finding their way into commercial operating systems? Where is the hold-up? Customers certainly don't enjoy the patch-as-you-go model, but where are the commercial operating systems and solutions that make use of such proactive security measures? Cobbling together a solution that includes these things can be done, but finds itself on thin ice in an enterprise environment needing executive buy-off and enterprise-level manageability. RedHat has ExecShield, which is at least an attempt, but why are we moving in such a slow fashion? Where is everyone else? Cisco Security Agent makes an attempt, but isn't enough. What's the hold-up? </exasperation>

Thanks,
Cody
Patches are necessary. Holes need to be plugged. However, if the systems have adequate security mechanisms in place the rush to patch would not be as time critical. A security bug in a running software module should not lead to a total compromise of the system.

We have been trying (unsuccessfully) to fit a square peg into a round hole. CAPP/DAC systems are not meant to stand up to directed malice. Without a policy, you can not have a policy violation. Without a full-time fine grained mandatory enforced policy (reference monitor concept), you might as well not have a policy at all. Where there is discretion, there is the potential for violation of the non-enforced policy. You can not model a non-enforced policy. Also, adding mechanisms after the fact to a faulty security base is invalid. Building a castle on a foundation of quicksand isn't wise. But that's what we do. I guess that's what customers are demanding... the whole practice just seems odd.

"What we have here is a failure to communicate" :).

What I mean to say is, "Defence in Depth" works. We use at least 7 firewalls from 4 different vendors (gateway and host based). Two host level anti-virus and a gold corporate edition gateway anti-virus program. Also our IPS makes us immune to all attacks (known and unknown).

.....

Damn it, why does my website now say: "Hacked by chinese!"

Robert

--
Robert E. Lee
CEO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert () dyadsecurity com
M - (949) 394-2033
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave