[10855] in bugtraq


Re: Diversity

daemon@ATHENA.MIT.EDU (David)
Fri Jun 18 12:49:08 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <3769B6C3.94F6BCCF@kalifornia.com>
Date: Thu, 17 Jun 1999 20:02:27 -0700
Reply-To: david@kalifornia.com
From: David <david@KALIFORNIA.COM>
X-To:         Ian Carr-de Avelon <avelon@EMIT.PL>
To: BUGTRAQ@NETSPACE.ORG

Ian Carr-de Avelon wrote:

> We can think about it, but what can we do about it? Just as in farming
> there are reasons why we have the monoculture, and just like they buy
> more pesticides, we buy virus scanners to fix our solution rather than
> designing another solution. In fact we have even less ability to move
> away from it than farming. If a farmer bucks the trend and thereby has

Not so.  The most simple form of diversity I recommend to clients is a
multi-tiered network structure.  Different segments are isolated by
differing systems.

Border firewalls are built with two different operating systems.  I never
recommend m$ on the border... go figure.  Having differing IP stacks for a
packet to travel through increases the chances that malicious packets will
get trapped on one of them and the internal network remains protected.

In *nix land, we don't rush out and buy more virus scanners, we fix the
problem.  Matter of fact, virus scanning on *nix networks tends to fall into
the "I'll do it when I get around to it" area.  *nix is a perfect example of
diversity.  Unix type people didn't buy virus scanners, they have fathered
the varied groups of systems that we have today.  An amazing amount of
forethought has gone into the development of each flavor of *nix.  Different
theories are implemented in different stacks.  Sometimes this has caused
problems, but overall it engenders a resiliency to faulting.

*nix programmers typically build in reliability and security in the design
which makes the base structure sound.  Yes, a lot of buffer overflows are
found and quickly fixed however one must consider that this is a system
where you have walls inside the server.  Sometimes even root can't get
around those walls.  There is precious little on an m$ system that cannot be
had once privileged access is gained.

Diversity can certainly be thought about.  The open source model encourages
program development.  Many people write differing versions of software.
Naturally this diversity means an exploit in one program is unlikely to be
found in another.

Diversity is certainly alive and flourishing, make no mistake.

If a major Cisco bug came out, your customers would complain due to the
widespread use of Cisco equipment.  Not everyone uses Cisco however and not
every Cisco machine is going to be reachable to crash.  Some of your
customers wouldn't even notice, some of your customers would see a few slow
or dropped sites.  Some would find their favorite place unreachable.  The
internet is an extremely diverse culture of equipment and people and short
of a humanitarian disaster, nothing is going to take the whole thing down.

Encourage diversity.  No one operating system should dominate.  Only OS
zealots would differ with this view.

-d

--
 This is Linux Country. On a quiet night, you can hear Windows NT reboot!
  Do you remember how to -think- ? Do you remember how to experiment? Linux
__ is an operating system that brings back the fun and adventure in computing.
\/  for linux-kernel: please read linux/Documentation/* before posting problems
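The two-OS border described in the post (differing IP stacks in series, so that a packet which slips past one implementation is likely caught by the other) can be modelled with a small simulation. The code below is an added example and is not from the bugtraq thread or from either of the posters; the `Packet` fields, the two rule sets in `stack_a` and `stack_b`, and the constructed sample packets are all assumptions chosen only to show why two *different* filters catch more than the same filter deployed twice.

```python
"""Toy model of a heterogeneous border: two independently written packet
validators placed in series.  Constructed example (not the post's code); the
packet fields and the rule sets are assumptions picked to illustrate the
argument, not a description of any real firewall product."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str            # source address as dotted quad (assumed field)
    ttl: int            # IP time-to-live
    length: int         # total length in bytes
    frag_offset: int    # fragment offset in 8-byte units
    more_frags: bool    # "more fragments" flag
    options: tuple      # names of IP options present (assumed representation)


def stack_a(p: Packet) -> bool:
    """Implementation A: strict about basic header sanity (TTL, length, options).
    Returns True if the packet is accepted."""
    if not 0 < p.ttl <= 255:
        return False
    if not 20 <= p.length <= 65535:
        return False
    if "source-route" in p.options:       # A refuses source-routed packets
        return False
    return True


def stack_b(p: Packet) -> bool:
    """Implementation B: strict about fragmentation and bogus sources,
    but trusts the header fields that A inspects.  Returns True if accepted."""
    if p.more_frags and p.length < 28:    # fragment too small to hold a transport header
        return False
    if 0 < p.frag_offset < 8:             # offset that overlaps the transport header
        return False
    if p.src.startswith(("10.", "127.")): # private / loopback source on the border
        return False
    return True


def chain(p: Packet, *stacks) -> bool:
    """A packet survives the border only if every stack in the series accepts it."""
    return all(s(p) for s in stacks)


def blocked(packets, *stacks) -> set:
    """Indices of the packets that the given series of stacks drops."""
    return {i for i, p in enumerate(packets) if not chain(p, *stacks)}


# Constructed traffic sample: one benign packet, one benign fragment, and
# several malformed packets that each evade at least one of the two stacks.
SAMPLE_PACKETS = [
    Packet("192.0.2.10", 64, 1500, 0, False, ()),                 # 0: benign
    Packet("192.0.2.11", 64, 60, 0, False, ("source-route",)),    # 1: A drops, B accepts
    Packet("192.0.2.12", 64, 24, 0, True, ()),                    # 2: A accepts, B drops
    Packet("127.0.0.1", 64, 100, 0, False, ()),                   # 3: A accepts, B drops
    Packet("192.0.2.13", 0, 100, 4, True, ()),                    # 4: both drop
    Packet("198.51.100.5", 30, 1500, 185, True, ()),              # 5: benign fragment
]


def compare_borders(packets=SAMPLE_PACKETS) -> dict:
    """Drop sets for a single stack, a duplicated (monoculture) border and a
    diverse border.  The monoculture adds nothing over one stack; the diverse
    border drops the union of what each implementation catches."""
    return {
        "A alone": blocked(packets, stack_a),
        "B alone": blocked(packets, stack_b),
        "A then A (monoculture)": blocked(packets, stack_a, stack_a),
        "A then B (diverse)": blocked(packets, stack_a, stack_b),
    }


if __name__ == "__main__":
    for label, dropped in compare_borders().items():
        print(f"{label:24s} drops packets {sorted(dropped)}")
```

Running it shows the monoculture border dropping exactly what one copy of A drops, while the A-then-B border drops everything either implementation objects to and still passes both benign packets; that union, not the number of boxes, is what the post's "differing IP stacks" argument buys.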
