Firewall Wizards mailing list archives
Re: Worms, Air Gaps and Responsibility
From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Fri, 7 May 2004 19:37:14 +0530
On 07/05/04 07:51 -0500, Thomas W Shinder wrote:
> I don't think "Don't use Windows" is a viable option in the long term. Non-Windows OS servers have reached critical mass, especially in the enterprise space, making them tasty targets. When non-Windows client systems reach critical mass, exploits targeted against them will surely come fast and furious. And unless the non-Windows OSs are "Windows-ized"
Just because the exploits will come in faster does not mean that they will all have the same targets numerically. One enterprise can standardise on a specific distribution and version. The next enterprise may choose something else. All that is needed is that they can exchange data in some standardised format(s).

The biggest targets I can see on the Linux/BSD desktop are:
    OpenOffice
    Mozilla and Konqueror
    OpenSSL

On the server side:
    Apache
    BIND
    DHCPD
    OpenSSL

And these will be targets only if they are all compiled to the same binary. Desktops need not be running any services either. Additionally, you can put a firewall on each desktop that restricts communication to specific hosts and ports. Not everyone needs to run KDE/Gnome. Choice is a good thing. It can be confusing in the SOHO space. In a larger enterprise, the capability of Linux to be locked down in terms of installed and installable software is rather better. Standardise on IceWM and roll out your X servers.

Intra-enterprise diversity is bad. Inter-enterprise diversity is good.
> so that someone takes responsibility for fixing them, you'll end up
The nice thing about having source available is that you update your copy in CVS and just rebuild and push to your application servers. Not everyone needs to figure out patches either, you need one set of people doing that. Of course, with most Linux vendors making money from taking responsibility for getting fixes out, that question is considerably answered already. In case of emergencies, Linux systems can be firewalled off locally. With centralised application servers running applications, there is no need to patch a few hundred desktops. Just the one install (or as many as there are application servers).
> having to pay even more to move back to a Microsoft solution, since Microsoft will have its security issues handled and the fledgling Linux vendors will just be ramping up their IR efforts.
Most Linux vendors already ship with all services disabled. The default out-of-the-box install tends to be rather locked down. The cost for most enterprises is in having to retrain their employees to deal with a different OS and a different way of working. This leaves the SOHO space, which requires entirely different strategies for maintenance. A cron job that pulls down updates is quite feasible. A system with no listening ports is reasonably secure from remote attacks.
> The Windows v. Linux security debate isn't about inherent security issues, it's about total attack surface. The per capita attack surface on Windows OSs continues to decrease while the Linux systems seem to stay about the same. But the aggregate attack surface for Windows systems is
Again, look at the roles played by the two systems. If they were in the same application space, then a comparison could be valid. How many attacks occur against MS Windows servers as against MS Windows desktops? Most of the worms hit *desktops*. How many corresponding attacks have there been against Linux desktops? I wonder if someone could get numbers from Tampa about their large Linux installation?

<snip>
> While recommending moving away from Windows might represent a security ploy in the short term, the long term costs would be prohibitive for larger organizations that move away, and then move back, to Microsoft.
Not necessarily. Not everyone needs to move to RedHat. There are also other players in the same space, including but not limited to SuSE (now Novell), Mandrake, Debian and its spinoffs, Gentoo, FreeBSD (not a Linux distribution, but still in the same category), Sun's Java desktop.....

http://www.infrastructures.org/ is a good way of making things work correctly.

Devdas Bhagat
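An added example, not part of Devdas Bhagat's post or of any distribution's own tooling, showing the two desktop controls the reply argues for: checking a host for listening sockets that are reachable from the network (the "no listening ports" point), and generating a per-desktop firewall ruleset that confines the machine to specific hosts and ports. The socket table is constructed in the column layout of `ss -Hltnu` output rather than captured from a real host; nftables is this example's choice (it postdates the 2004 post, which would have used iptables); the table name `desktop`, the resolver address and the host:port pairs are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a Linux desktop for sockets
# reachable from the network and emits an nftables ruleset that limits the host
# to named destinations. Assumptions: iproute2 `ss` for live input; nftables
# (this example's choice, not the 2004 post's); the table name "desktop", the
# resolver and the host:port pairs used below are illustrative only.

# Constructed sample in the column layout of `ss -Hltnu`
# (Netid State Recv-Q Send-Q Local:Port Peer:Port); not a real capture.
SAMPLE_SOCKETS='tcp   LISTEN 0 128 127.0.0.1:631   0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 50  0.0.0.0:6000    0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:68      0.0.0.0:*
tcp   LISTEN 0 128 [::1]:631       [::]:*'

# Read a socket table on stdin and print "proto port" for every socket bound
# to a non-loopback address whose port is not in the space-separated
# allowlist $1. Loopback-only sockets (CUPS on 127.0.0.1 and [::1] here) are
# skipped because they cannot be reached from the network.
# Live use: ss -Hltnu | unexpected_listeners "22"
unexpected_listeners() {
    allow=" $1 "
    while read -r netid state recvq sendq laddr peer; do
        [ -n "$netid" ] || continue
        addr=${laddr%:*}      # text before the last colon: the address ([] kept for IPv6)
        port=${laddr##*:}     # text after the last colon: the port
        case "$addr" in
            127.*|'[::1]') continue ;;
        esac
        case "$allow" in
            *" $port "*) continue ;;
        esac
        printf '%s %s\n' "$netid" "$port"
    done
}

# Emit an nftables ruleset for a desktop that accepts no new inbound
# connections and initiates TCP only to the given "host:port" pairs in $2,
# plus DNS to the resolver in $1. Everything else, both directions, is dropped.
# Load with: desktop_ruleset 10.0.0.5 "10.0.0.10:443 10.0.0.11:22" | nft -f -
desktop_ruleset() {
    resolver=$1
    pairs=$2
    printf 'table inet desktop {\n'
    printf '  chain input {\n'
    printf '    type filter hook input priority 0; policy drop;\n'
    printf '    iif lo accept\n'
    printf '    ct state established,related accept\n'
    printf '  }\n'
    printf '  chain output {\n'
    printf '    type filter hook output priority 0; policy drop;\n'
    printf '    oif lo accept\n'
    printf '    ct state established,related accept\n'
    printf '    ip daddr %s udp dport 53 accept\n' "$resolver"
    for pair in $pairs; do
        printf '    ip daddr %s tcp dport %s accept\n' "${pair%:*}" "${pair##*:}"
    done
    printf '  }\n'
    printf '}\n'
}

# Stand-alone demo on the constructed sample: only sshd (22) is sanctioned,
# so the X server on 6000 and the DHCP client on 68 are reported.
printf '%s\n' "$SAMPLE_SOCKETS" | unexpected_listeners "22"
desktop_ruleset 10.0.0.5 "10.0.0.10:443 10.0.0.11:22"
```

The audit reports the X server on 6000 because `ss` on an unfirewalled desktop shows it bound to 0.0.0.0, which is exactly the case the reply's "roll out your X servers" advice has to account for. The generated ruleset admits no inbound service at all, matching "desktops need not be running any services"; if something like sshd must stay reachable, it needs an explicit `tcp dport 22 accept` in the input chain, ideally restricted to the management hosts' addresses.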