RE: [fw-wiz] terminal services

From: Marcus J. Ranum (mjr@ranum.com)
Date: 01/28/03


To: "R. DuFresne" <dufresne@sysinfo.com>, "Paul D. Robertson" <proberts@patriot.net>
From: "Marcus J. Ranum" <mjr@ranum.com>
Date: Tue Jan 28 21:08:01 2003

R. DuFresne wrote:
>Which seems to make a strong case in point for the hardening of exposed hosts
>and the continued need for well-defined security perimeters at this point
>in time still <security basics 101?>.

It's pretty much security 101 as you say. I think the most frequent
recommendation I've written in consulting reports reads something like
this:
"Establish a list of Internet-accessible perimeter systems. On those systems,
establish a list of Internet-accessible applications based on the boundary
firewall's 'permit' rules. For each of those applications, maintain a list of
the software packages that provide the service, and the revision level of
each package. Assign someone to perform a periodic check on each
package by revision level, to install security updates as necessary. Ideally,
this process should be as automated and proactive as possible."

"Geeze! That's a ton of work!" is the usual response. Yeah, well, it is.
But it's easy to fix: minimize services, minimize software release
dispersion (common release) and minimize administrators. Oddly
you'll find that security almost always improves as a result.

mjr.
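The inventory process in the report language above (perimeter hosts, then exposed services derived from the firewall's permit rules, then the packages and revision levels behind each service, then a periodic check against current releases) is easy to automate once the three lists exist. The script below is an added illustration of that chain and is not Marcus Ranum's code or anyone's on the list; the firewall rules, host addresses, package names and version numbers are constructed sample data, and the rule syntax is a simplified Cisco-style `permit` line chosen for the example.

```python
"""
Perimeter exposure and patch-level audit, added here to illustrate the
inventory process described in the message above (not the author's code).
All firewall rules, hosts, packages and version numbers are constructed
sample data, not real systems or real advisories.
"""
import re

# Constructed sample of a boundary firewall's permit rules (simplified syntax).
FIREWALL_RULES = """
permit tcp any host 203.0.113.10 eq 443
permit tcp any host 203.0.113.10 eq 80
permit tcp any host 203.0.113.20 eq 25
permit tcp any host 203.0.113.30 eq 3389
deny ip any any
"""

# Constructed inventory: for each perimeter host, which package listens on
# which port and at what revision level.
INVENTORY = {
    "203.0.113.10": [
        {"package": "httpd", "version": "2.4.51", "ports": {("tcp", 80), ("tcp", 443)}},
    ],
    "203.0.113.20": [
        {"package": "postfix", "version": "3.5.9", "ports": {("tcp", 25)}},
    ],
    "203.0.113.30": [],  # nobody recorded what answers on 3389
}

# Constructed "current patched release" table that an administrator would
# maintain from vendor advisories (placeholder values, not real advisories).
REFERENCE_VERSIONS = {
    "httpd": "2.4.54",
    "postfix": "3.5.9",
}

RULE_RE = re.compile(
    r"^permit\s+(?P<proto>tcp|udp)\s+any\s+host\s+(?P<host>\S+)\s+eq\s+(?P<port>\d+)$"
)


def exposed_services(rules_text):
    """Return the set of (host, proto, port) tuples reachable per the permit rules."""
    exposed = set()
    for line in rules_text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            exposed.add((m.group("host"), m.group("proto"), int(m.group("port"))))
    return exposed


def version_tuple(v):
    """Turn '2.4.51' into (2, 4, 51) so revisions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))


def audit(rules_text, inventory, reference):
    """Match each exposed service to the package serving it and check its revision.

    Returns a list of (host, port, package_or_None, message) findings.
    """
    findings = []
    for host, proto, port in sorted(exposed_services(rules_text)):
        serving = [p for p in inventory.get(host, []) if (proto, port) in p["ports"]]
        if not serving:
            # An exposed port nobody owns is itself a finding: the list is incomplete.
            findings.append((host, port, None, "no package recorded for exposed port"))
            continue
        for pkg in serving:
            required = reference.get(pkg["package"])
            if required is None:
                findings.append((host, port, pkg["package"], "no reference version tracked"))
            elif version_tuple(pkg["version"]) < version_tuple(required):
                findings.append((host, port, pkg["package"],
                                 f"update needed: {pkg['version']} < {required}"))
    return findings


if __name__ == "__main__":
    for host, port, pkg, msg in audit(FIREWALL_RULES, INVENTORY, REFERENCE_VERSIONS):
        print(f"{host}:{port} {pkg or '-'}: {msg}")
```

Two details are deliberate. An exposed port with no package recorded against it is reported rather than skipped, because the point of the exercise is that the three lists must agree with each other; and versions are compared as integer tuples, since comparing "2.10.0" to "2.9.0" as strings would wrongly call the newer release older.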


