Re: [fw-wiz] Worms, Air Gaps and Responsibility

From: Devdas Bhagat (devdas_at_dvb.homelinux.org)
Date: 05/11/04

  • Next message: Gwendolynn ferch Elydyr: "RE: [fw-wiz] Worms, Air Gaps and Responsibility"
    To: firewall-wizards@honor.icsalabs.com
    Date: Tue, 11 May 2004 21:14:43 +0530
    
    

    On 11/05/04 10:49 -0400, Mark Gumennik wrote:
    Moderator, please let this through. Message quotation fixed. Very long
    message with inline comments:

    > What happened to the freedom of speech (opinions?). Personal humiliation is
    > a very nice way to suppress the opponent, so now I have to write this email
    I don't see any issues of humiliation here, some rather strong
    objections though.

    > instead of painting my garage door (nice weather here). I have to restrict
    > myself only to answering your (mostly personal) questions and promise not to
    > reply to any more remarks on the subject.
    >
    > Gwendolynn ferch Elydyr:
    > > Uhhhh. Too much coffee? Sugar?
    > Sorry, I am doing Atkins at the moment, no coffee or sugar
    (This was sarcasm, I believe).
     
    > > That's quite a leap of logic you're making. You've basically gone:
    > >
    > > (1) Put Linux on the desktop [statement]
    > > (2) Install bells and whistles [presumption]
    > > (3) Linux is as vulnerable as Microsoft [conclusion]
    > All three of the above are statements: we are discussing Linux on a
    > desktop, bells and whistles is what users want (statement), and according to
    Uhm! You only need to convince management that bells and whistles are
    not necessary for the staff to do their work. (I have not yet seen my
    message about different desktops for different environments go through).

    > bugtraq the third statement is true with an equal amount of services
    > installed
    > Now if you, O' Great Teacher, want to watch my logic (which I thought
    > was obvious), read the next paragraph. Sorry for disobedience.
    >
    > > ...that you've left out NIS/NIS+, LDAP, Radius and Kerberos suggests to me
    > > that you're not very familiar with what's available for AAA under Linux.
    > I have done a good deal of administering firewalls, desktops, routers,
    > email, remote access (everything you mentioned plus TACACS and Ace), never
    > administered NIS, thanks GD. From http://www.linux-nis.org: "Linux machines
    > ..can also act as full NIS+ clients, this support is in beta stage." Does
    > this look like mature technology? Is it scalable? Is it stable? Running LDAP
    > is mostly good for user lookup; Radius is a great tool for remote user
    And RADIUS servers can look to LDAP for user information. You don't need
    to use NIS or NIS+, Linux will natively authenticate to LDAP via
    pam_ldap.

    > administration. You forgot to mention more user databases: e-mail, printers,
    > group permissions, share permissions, and more. Now you have half a dozen
    > different databases which need to have connectors between them (oh, btw you
    Not really. I have one for my users (human or machine) and one for the
    ACLs.
    The user information goes into a LDAP server. The ACL information goes
    to the filesystem.

    > have to customize some of the connectors and code the others, AND you have
    > to administer them, so you need much more administrators and programmers, go
    > IS!). You now have to enforce password policies on all of them. After that
    > you obviously suspect the users to change their 25 letter passwords every
    > month and on all (5) databases. The result: you end up with for-life
    > passwords for e-mail, LDAP, network shares, and secure intranets. The fact
    > that they are carried by Kerberos becomes almost irrelevant once they
    > are compromised
    You can put them in a single replicated LDAP server. Then the question
    boils down to guarding this LDAP server, which is a lot easier than
    guarding a MS box.

    > So how do we synchronize the user names / passwords? X-500 (and X-400
    > connector) comes to mind (btw originated in Switzerland, not US). The fact that
    > you did not mention such important topic suggests to me that you're not very
    > familiar with the process of user support and the X-500 technologies (sorry,
    > I'm using your methods / terminology).
    I don't see the relevance of the fact that the ITU is Geneva based here.

    > Hence: AD and NDS. They do scale, they are stable and they provide much more
    > than X-500 (statement)

    > Years ago I developed a formula for successful network administration
    > (when I was actually doing it): The fact that you CAN do it does not mean
    > that you WILL do it. For example you can use a 300-line ACL on your internal
    > router, it will work just fine for security, but you will kill your backbone
    Routers are not firewalls. Also, if you instrument the ACL properly so
    that frequently matched traffic is matched soon and goes through, you
    shouldn't hurt the network traffic at all.

    > (I do have some actual data from last year experimentation). Can you use
    > Linux on a desktop? - yes; will you? - need real numbers, not the ones that
    > come from Red Hat
    I certainly do.
     
    > > That aside, if you're trying to suggest that government and corporate
    > > sponsorship is somehow putting malicious code in Linux, you should also
    > > suggest the same of Microsoft and Novell - and any number of other
    > > entities. While you're at it - do audit the windows source code.
    > I have no doubt that ALL of them put some kind of backdoors in the
    > software. The degree of responsibility is different (and the amount of
    > potential lawsuit money).
    Uhm? I suggest reading the license that MS ships.
    <snip>
    > > Can't handle AAA on Linux
    > Did I say it? - very convenient substitution again. I said it takes much
    > more effort to handle AAA in .nix environment on a desktop, that's why NDS
    > and AD. And they are not free even on Linux
    No one said anything about free (beer or speech) here. As to more
    effort, I don't see that happening just yet. It takes effort to set
    things up correctly the first time. Once they are set up, they normally
    just keep working.

    > > Are deeply suspicious of non-US governments
    > Yes I am. Especially as an immigrant who has seen other governments
    The USA! The land of the Free, the RIAA, MPAA, the DMCA and the PATRIOT
    Act.

    > operate. The main function of any government is to suppress freedom by
    > definition; the difference is how they operate (source: Machiavelli,
    > Plutarch, Guy Platonic, George Orwell, etc. Did not see it in the net admin
    > guides)
    >
    >
    > Paul D. Robertson
    > > Now, the real point (since you obviously missed it) that everyone was
    > > making in regards to your original argument about vulnerabilities is that
    > > Linux only looks bad when you count all the silly things that nobody sane
    > > would install on a corporate desktop. Trying to turn that from "more
    > > vulnerabilities on bugtrack (sic) to "equal" is disingenuous when you're
    > > trying to stand behind a point, since I already said "about equal." ..I
    > > don't need to open RPC to anything other than loopback for Linux on the
    > > desktop (and rarely even there.) In fact, I tend to turn *off* more
    > > things than I turn *on* for a Linux machine when I'm configuring it
    > > from a default install.
    > > Furthermore, I'm capable of running almost all services at a priv. level
    > > less than local administrator- which doesn't make the vulns equivalent.
    >
    > Do you consider yourself an average user?
    Why would the average corporate user install *anything*? Why should they
    need to install anything themselves? That is a task for the system
    administrator.
    As an administrator, I can and do lock down Linux boxes. They have no
    services and/or tools installed other than those absolutely needed.

    > Sorry to inform you that under MS environment if you only give your users
    > "User" rights instead of "local Admin" you don't need to bother about 99% of
    And hopefully, all the applications they need will run.
    Oh, you need to lock down the Linux box even more? There is always
    SELinux, as made available from the National Security Agency of the US
    government.

    > vulnerabilities of the OS since they (and a Joe Hacker) can not install any
    > new code. You can run your patches under "run as" identity starting with
    > w2k. I have done it during my consulting years and it worked even under NT.
    > Also you probably are missing the point that users today want a rich desktop.
    And I want a million dollars right now! It doesn't mean that I will get
    that.

    > You can (and shall) take it away in a bank environment, but not in a general
    > office, like their ability to point and click on the network (vs. ftp from a
    > command line?).
    Why do your users need to FTP? If they do, they can have a drag and drop
    application available for that. I personally would prefer to use scp
    instead (with attendant GUI for the users).

    > Slightly off topic but close: I've been watching RH to prepare an attack
    > on the free software community for a long time and finally one more evil
    > empire was born. Bow. Obey. Base your calculations on their "corporate"
    > prices. Good boy.
    http://www.debian.org/
    http://www.gentoo.org/
    http://www.suse.com/
    http://www.freebsd.org/

    <snip>
    > > Since AD is based upon Kerberos for its default primary
    > > authentication mechanism, I don't see how you come to the conclusion that
    > > AD is any more "built-in FOR THE DESKTOPS" than Kerberos. Nice use of
    > > caps - NOT! Lose the baggage and bring some facts, ok?
    > fact: you need to administer Kerberos in .nix environment. fact: You
    > don't need to administer it in MS environment. Read the last statement
    > twice.
    And you do not need to necessarily use Kerberos in a Unix environment.
    Or you can set it up once and let the systems run themselves.

    > To the list: A couple of years ago I tried to sniff the difference between
    > Kerb v.5 and MS and could not come up with meaningful data (did not have
    > time). Anybody has more info?
    Wasn't there an additional bit set in the MS implementation that is
    reserved in the original protocol?
    <snip>
    > Devdas Bhagat
    > > With a Linux/Unix desktop running X and remote applications, the real
    > > requirements come down from 100 desktops to ten beefier boxes
    > do you propose to give 10 boxes instead of 100 to 100 users? - back to
    > mainframe? - again confusing the issues of security devices (servers) OS (MS
    > is a no-no) and the desktop infrastructure. AAA at the perimeter is still
    > different from the AAA at the desktop.
    Not a mainframe, but a similar setup. There is no reason that casual
    users *need* access to everything. The less your exposed attack area,
    the better for your security needs. With fewer systems to guard, the
    better you can guard them. The lesser the unknown interaction between
    various applications, the better for security.

    Patch management becomes easier, data is less distributed and easier to
    backup, less hardware is needed at the desktop. Defense in depth is so
    much easier when you put your eggs in fewer but stronger baskets.

    I am not confusing the issue between servers, desktops and security
    devices.

    A desktop is a system which faces the end user directly.
    A server is a system that actually runs applications.
    A security device is an access control system. This may be hardware, or
    software and may reside on the desktop, the server or in between or
    elsewhere.

    As an aside, I met someone (management type) today who was whining about how
    their single Linux box was not providing them with enough business value
    because it didn't have a GUI and needed a competent administrator to run.
    That box runs their email and never gives issues unless their UPS fails.
    It also runs a caching proxy.
    They also have Windows servers which don't give as good service, do far
    less, but give more value to the organisation because they give lots of
    pretty management interfaces. For two Windows servers and 40 desktops
    and one firewall device, they have three system administrators.

    Devdas Bhagat
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
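The ACL-ordering point made above (a long router ACL need not hurt traffic if frequently matched entries sit near the top), as an added example that is not part of the original thread or list. It assumes a toy first-match ACL with an implicit deny, a constructed rule set and a constructed traffic sample, and it shows the check a hit-count reorder must not skip: two entries whose match sets overlap and whose actions differ have to keep their relative order, otherwise the "optimisation" silently changes what the ACL permits.

```python
"""Added example (not from the original post): first-match ACL evaluation.

Counts how many entries each packet is compared against, then reorders the
ACL by observed hit count without changing any decision. Rules, traffic and
hit counts are constructed here for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional, Tuple

Packet = Tuple[str, str, int]  # (source IP, protocol, destination port)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "permit" or "deny"
    src: IPv4Network
    proto: str                # "tcp", "udp" or "any"
    dport: Optional[int]      # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        src, proto, dport = pkt
        return (ip_address(src) in self.src
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int, Optional[str]]:
    """First-match semantics with an implicit deny at the end.
    Returns (action, number of entries compared, name of the matching rule)."""
    for i, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            return rule.action, i, rule.name
    return "deny", len(rules), None


def run(rules: List[Rule], traffic: List[Packet]) -> Tuple[List[str], int]:
    """Decision for every packet plus the total number of entry comparisons."""
    results = [evaluate(rules, p) for p in traffic]
    return [r[0] for r in results], sum(r[1] for r in results)


def conflicts(a: Rule, b: Rule) -> bool:
    """True if some packet could match both rules and they disagree on action.
    Such a pair must keep its relative order or the ACL changes meaning."""
    return (a.action != b.action
            and a.src.overlaps(b.src)
            and (a.proto == b.proto or "any" in (a.proto, b.proto))
            and (a.dport is None or b.dport is None or a.dport == b.dport))


def hit_counts(rules: List[Rule], traffic: List[Packet]) -> Counter:
    """Which rule terminated the lookup for each packet, under the given order."""
    return Counter(evaluate(rules, p)[2] for p in traffic)


def naive_reorder(rules: List[Rule], traffic: List[Packet]) -> List[Rule]:
    """Sort purely by hit count. Fast, but can lift a broad permit above the
    narrow deny that was meant to shadow it."""
    hits = hit_counts(rules, traffic)
    return sorted(rules, key=lambda r: -hits[r.name])


def safe_reorder(rules: List[Rule], traffic: List[Packet]) -> List[Rule]:
    """Greedy: always place the most-hit rule whose conflicting predecessors
    (in the original order) have already been placed. Ties keep original order."""
    hits = hit_counts(rules, traffic)
    remaining, placed = list(rules), []
    while remaining:
        ready = [r for r in remaining
                 if all(p in placed for p in rules[:rules.index(r)] if conflicts(p, r))]
        best = max(ready, key=lambda r: hits[r.name])
        placed.append(best)
        remaining.remove(best)
    return placed


# Constructed sample ACL: the lab-subnet ssh deny must stay above the broad ssh permit.
RULES = [
    Rule("no-telnet",  "deny",   ip_network("10.0.0.0/8"),  "tcp", 23),
    Rule("web",        "permit", ip_network("10.0.0.0/8"),  "tcp", 80),
    Rule("no-ssh-lab", "deny",   ip_network("10.0.5.0/24"), "tcp", 22),
    Rule("ssh",        "permit", ip_network("10.0.0.0/8"),  "tcp", 22),
    Rule("dns",        "permit", ip_network("10.0.0.0/8"),  "udp", 53),
]

# Constructed traffic sample: mostly web and DNS, a little ssh, one telnet attempt.
TRAFFIC = (
    [("10.1.1.1", "tcp", 80)] * 6
    + [("10.1.1.2", "udp", 53)] * 3
    + [("10.0.5.7", "tcp", 22)]                             # must stay denied
    + [("10.2.2.2", "tcp", 22), ("10.2.2.3", "tcp", 22)]
    + [("10.3.3.3", "tcp", 23)]
)

if __name__ == "__main__":
    for label, order in (("original", RULES),
                         ("safe", safe_reorder(RULES, TRAFFIC)),
                         ("naive", naive_reorder(RULES, TRAFFIC))):
        decisions, cost = run(order, TRAFFIC)
        print(f"{label:8s} {[r.name for r in order]} comparisons={cost}")
```

With the sample above the safe reorder cuts total comparisons from 39 to 29 while every decision stays the same; the naive sort moves the broad ssh permit above the lab-subnet deny and quietly starts permitting ssh from 10.0.5.7. On real gear the hit counters come from the device itself, but the shadowing check is the same.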

