RE: [fw-wiz] Worms, Air Gaps and Responsibility

From: Thomas W Shinder (tshinder_at_tacteam.net)
Date: 05/07/04

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Fri, 7 May 2004 07:51:17 -0500
    
    

    I don't think "Don't use Windows" is a viable option in the long term.
    Non-Windows OS servers have reached critical mass, especially in the
    enterprise space, making them tasty targets. When non-Windows client
    systems reach critical mass, exploits targeted against them will surely
    come fast and furious. And unless the non-Windows OSs are "Windows-ized"
    so that someone takes responsibility for fixing them, you'll end up
    having to pay even more to move back to a Microsoft solution, since
    Microsoft will have its security issues handled and the fledgling Linux
    vendors will just be ramping up their IR efforts.

    The Windows v. Linux security debate isn't about inherent security
    issues, it's about total attack surface. The per capita attack surface on
    Windows OSs continues to decrease while the Linux systems seem to stay
    about the same. But the aggregate attack surface for Windows systems is
    much higher because of their market penetration. I do expect the market
    penetration for Linux systems to increase in the next 5-10 years where
    its aggregate attack surface will be much larger than Microsoft's.

    The "Windows-ized" vendors will try to play catch up while Microsoft
    will have its systems in place. And this doesn't even take into account
    the "OS by committee" for non-vendor Linux system. Anything that is
    based on a "depend on the kindness of strangers" approach isn't
    something you can have a lot of faith in. At least it didn't work in
    Tara ;-)

    While recommending moving away from Windows might represent a security
    ploy in the short term, the long term costs would be prohibitive for
    larger organizations that move away, and then move back, to Microsoft.

    Tom

    Thomas W Shinder, M.D.
    www.isaserver.org/shinder
    ISA 2004 Beta - Get it now!
    http://www.microsoft.com/isaserver/beta/default.asp
    ISA Server and Beyond: http://tinyurl.com/1jq1
    Configuring ISA Server: http://tinyurl.com/1llp

     

    -----Original Message-----
    From: Crispin Cowan [mailto:crispin@immunix.com]
    Sent: Thursday, May 06, 2004 5:02 PM
    To: Paul D. Robertson
    Cc: Carson Gaspar; firewall-wizards@honor.icsalabs.com
    Subject: Re: [fw-wiz] Worms, Air Gaps and Responsibility

    Paul D. Robertson wrote:

    >With all the money spent on "security" solutions that aren't as effective
    >as "don't connect"- how many companies even look at their user population
    >risk profiles and architect for it? Not connecting is *really* cheap and
    >*really* effective.
    >
    Really effective I'll believe (it definitely is secure) but really cheap
    I will challenge. IT facilities like e-mail and web do a lot to reduce
    operational costs. If you declare everyone's workstation to be
    "production" and disconnect them from the Internet then you may end up
    deploying a second set of workstations for Internet access, and that is
    not cheap.

    OTOH, I advocate somewhat less drastic solutions like "don't use
    Windows", which is also "really cheap and really effective", and "adult
    supervision" tells me how unrealistic my proposal is with objections
    similar to my objections for disconnecting.

    Crispin

    -- 
    Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
    CTO, Immunix          http://immunix.com
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    
