Firewall Wizards mailing list archives

Re: Worms, Air Gaps and Responsibility


From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Fri, 7 May 2004 19:37:14 +0530

On 07/05/04 07:51 -0500, Thomas W Shinder wrote:
> I don't think "Don't use Windows" is a viable option in the long term.
> Non-Windows OS servers have reached critical mass, especially in the
> enterprise space, making them tasty targets. When non-Windows client
> systems reach critical mass, exploits targeted against them will surely
> come fast and furious. And unless the non-Windows OSs are "Windows-ized"

Just because the exploits will come in faster, does not mean that they
will all have the same targets numerically. One enterprise can
standardise on a specific distribution and version. The next enterprise
may choose something else. All that is needed is that they can exchange
data in some standardised format(s).

The biggest targets I can see in the Linux/BSD desktop are:
OpenOffice
Mozilla and Konqueror
OpenSSL

On the server side,
Apache
BIND
DHCPD
OpenSSL

And these will be targets only if they are all compiled to the same
binary. Desktops need not be running any services either. Additionally,
you can put a firewall on each desktop that restricts communication to
specific hosts and ports.

Not everyone needs to run KDE/Gnome. Choice is a good thing. It can be
confusing in the SOHO space. In a larger enterprise, the capability of
Linux to be locked down in terms of installed and installable software 
is rather better. Standardise on IceWM and roll out your X servers.

Intra enterprise diversity is bad. Inter enterprise diversity is good.

> so that someone takes responsibility for fixing them, you'll end up

The nice thing about having source available is that you update your
copy in CVS and just rebuild and push to your application servers.
Not everyone needs to figure out patches either, you need one set of
people doing that.
Of course, with most Linux vendors making money from taking
responsibility for getting fixes out, that question is considerably
answered already.
In case of emergencies, Linux systems can be firewalled off locally.
With centralised application servers running applications, there is no
need to patch a few hundred desktops. Just the one install (or as many
as there are application servers).

> having to pay even more to move back to a Microsoft solution, since
> Microsoft will have its security issues handled and the fledgling Linux
> vendors will just be ramping up their IR efforts.

Most Linux vendors already ship with all services disabled. The default
out of the box install tends to be rather locked down.
The cost for most enterprises is in having to retrain their employees to
deal with a different OS and a different way of working.

This leaves the SOHO space, which requires entirely different strategies
for maintenance.
A cron job that pulls down updates is quite feasible. A system with no
listening ports is reasonably secure from remote attacks.

> The Windows v. Linux security debate isn't about inherent security
> issues, it's about total attack surface. The per capita attack surface on
> Windows OSs continues to decrease while the Linux systems seem to stay
> about the same. But the aggregate attack surface for Windows systems is

Again, look at the roles played by the two systems. If they were in the
same application space, then a comparison could be valid. How many
attacks occur against MS Windows servers as against MS Windows desktops?
Most of the worms hit *desktops*. How many corresponding attacks have
there been against Linux desktops?

I wonder if someone could get numbers from Tampa about their large Linux
installation?

<snip>
> While recommending moving away from Windows might represent a security
> ploy in the short term, the long term costs would be prohibitive for
> larger organizations that move away, and then move back, to Microsoft.

Not necessarily. Not everyone needs to move to RedHat. There are also
other players in the same space including but not limited to SuSE (now
Novell), Mandrake, Debian and its spinoffs, Gentoo, FreeBSD (not a Linux
distribution, but still in the same category), Sun's Java desktop.....

http://www.infrastructures.org/ is a good way of making things work
correctly.

Devdas Bhagat
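
The message above argues that a desktop with no listening ports is reasonably secure from remote attacks. The following is an added example, not part of the original post, of one way to check that on a Linux host by parsing `/proc/net/tcp`; the sample data and function names are constructed for illustration, and the decoder assumes IPv4 on a little-endian machine (IPv6 and UDP sockets live in other `/proc/net` files and are not covered).

```python
import ipaddress
import struct

TCP_LISTEN = "0A"  # state code the kernel prints for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp format (not captured from a real host):
# a loopback-only listener on 631, a wildcard listener on 22, and one
# established outbound connection that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1302 1
   2: 0A00000A:8F3C 0100000A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 1403 1
"""


def decode_ipv4(hex_addr):
    """Decode the hex address field (assumption: little-endian host)."""
    return ipaddress.IPv4Address(struct.pack("<I", int(hex_addr, 16)))


def listening_sockets(proc_text):
    """Return (IPv4Address, port) for every socket in LISTEN state."""
    found = []
    for line in proc_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        addr_hex, port_hex = fields[1].split(":")
        found.append((decode_ipv4(addr_hex), int(port_hex, 16)))
    return found


def remotely_reachable(proc_text, allowed_ports=frozenset()):
    """Listeners that are not loopback-only and not on the allowlist."""
    return [(str(ip), port) for ip, port in listening_sockets(proc_text)
            if not ip.is_loopback and port not in allowed_ports]


if __name__ == "__main__":
    for ip, port in remotely_reachable(SAMPLE_PROC_NET_TCP):
        print(f"exposed listener: {ip}:{port}")
```

On a real host, pass the contents of `/proc/net/tcp` instead of the sample; an empty result means no IPv4 TCP service is reachable from other machines.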