[12708] in bugtraq

Operational Issues: Applications & Appliances (was: Buffer

daemon@ATHENA.MIT.EDU (Crispin Cowan)
Wed Nov 24 01:51:51 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:  <383AF822.275BCCFE@cse.ogi.edu>
Date:         Tue, 23 Nov 1999 20:25:06 +0000
Reply-To: crispin@CSE.OGI.EDU
From: Crispin Cowan <crispin@CSE.OGI.EDU>
X-To:         flynngn@jmu.edu
To: BUGTRAQ@SECURITYFOCUS.COM

Gary Flynn wrote:

> Crispin Cowan wrote:
> > Thus, one could say that buffer overflows are the leading
> > cause of software vulnerabilities, and misconfiguration is the leading
> > operational problem.  Which problem dominates overall vulnerability is
> > unclear.
>
> I'm digesting your paper but wanted to comment on the peripheral topic
> of "operational" issues.
>
> If we're going to add operational problems as a category, I'd
> suggest that "usage" may be a more predominant problem than
> "misconfiguration".
>
> End user practices of downloading unknown software, running the unproven
> "application of the week", and other risky behavior make the vulnerabilities
> due to misconfiguration and software defects that much more problematic.

I agree that configuration and operational issues are a hard problem to solve.
In general, I don't know how to solve them.  My (crass commercial) solution is
that folks who don't really know what they're doing should buy appliances
instead of general-purpose computers.  Then at least the configuration is done
by a professional.  The quality of the configuration then depends on the quality
of the vendor.  It is for this reason that WireX products are appliances:  I
have some trust that *I* applied my security tools correctly, but I'm not at all
sure that end-users can apply them correctly.

I'm rather amazed at the existence of the firewall *application* market, where
you buy a firewall product and install it on one of your server machines.  How
can such an application install take a pre-installed machine from an unknown
state to a secure state?  Does the install script for (say) Checkpoint do
extensive configuration checking and adjusting?  Or do they just assume a very
competent sys admin puts the machine into a "firewall" configuration?

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
Free Hardened Linux Distribution:                 http://immunix.org
