[54005] in North American Network Operators' Group


Re: The magic security CD disc Re: HTTP proxies

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Sun Dec 8 21:51:50 2002

From: "Steven M. Bellovin" <smb@research.att.com>
To: Sean Donelan <sean@donelan.com>
Cc: nanog@merit.edu
Date: Sun, 08 Dec 2002 21:50:20 -0500
Errors-To: owner-nanog-outgoing@merit.edu


In message <Pine.GSO.4.44.0212081952200.11337-100000@clifden.donelan.com>, Sean
 Donelan writes:
>
>
>Has anyone come out with a fix everything CD customers could use
>to clean up their systems? This isn't an operating system specific
>issue. Buggy and misconfigured software is running on Unix, Mac,
>Windows, etc.
>

It can't be done, at least not usefully.

It's easy to turn things off; the hard part is knowing what should be 
left on, given your needs, the threat environment, and other protective 
measures.

I forget which of the Rainbow Series of books said it -- the Yellow 
Book, I think -- but one of them noted that the same LAN that was 
insecure in an office might be quite secure in a submerged submarine 
with a highly-cleared crew aboard.

It is possible, though, to write something that would analyze a 
configuration and present you with a sensible menu of choices.  It 
could know, for example, that one can't disable rpcbind if other 
RPC-based services are running.  But getting that right for even a 
single release of a single OS is hard enough, let alone many releases 
of many OSes.  And then, of course, you want to add advice to the user.

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com ("Firewalls" book)
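
The dependency rule described in the message above (rpcbind cannot be disabled while other RPC-based services are running), as an added example that is not part of the original message. The service names and the dependency map are constructed sample data for one hypothetical host, not any real OS release's service list.

```python
# Added illustration. Constructed sample data for one hypothetical host:
# service -> services it needs running. Not a real OS release's list.
DEPENDS_ON = {
    "rpcbind": set(), "sshd": set(), "telnetd": set(), "fingerd": set(),
    "mountd": {"rpcbind"}, "ypbind": {"rpcbind"},
    "nfsd": {"rpcbind", "mountd"},
}

def required_closure(needed, depends_on=DEPENDS_ON):
    """Needed services plus everything they depend on, transitively."""
    keep, stack = set(), list(needed)
    while stack:
        svc = stack.pop()
        if svc not in keep:
            keep.add(svc)
            stack.extend(depends_on.get(svc, ()))
    return keep

def why_kept(needed, depends_on=DEPENDS_ON):
    """For each service kept only as a dependency, list what requires it."""
    keep = required_closure(needed, depends_on)
    return {svc: sorted(d for d in keep if svc in depends_on.get(d, ()))
            for svc in sorted(keep - set(needed))}

def disable_order(running, needed, depends_on=DEPENDS_ON):
    """Services that can be turned off, dependents before dependencies."""
    candidates = set(running) - required_closure(needed, depends_on)
    order = []
    while candidates:
        # Safe to stop now: no remaining candidate still depends on it.
        ready = sorted(s for s in candidates
                       if not any(s in depends_on.get(d, ())
                                  for d in candidates - {s}))
        if not ready:
            raise ValueError("dependency cycle: " + ", ".join(sorted(candidates)))
        order.extend(ready)
        candidates -= set(ready)
    return order

if __name__ == "__main__":
    running = set(DEPENDS_ON)              # constructed: everything is on
    for needed in ({"sshd"}, {"sshd", "nfsd"}):
        print("need", sorted(needed))
        print("  kept as dependency:", why_kept(needed))
        print("  disable in order:  ", disable_order(running, needed))
```

The hard part the message points to is the dependency map itself, which has to be correct for each release of each OS; the traversal is the easy part.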


