[12722] in bugtraq
Re: Operational Issues: Applications & Appliances (was: Buffer
daemon@ATHENA.MIT.EDU (Scott Zimmerman)
Wed Nov 24 13:55:19 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.3.96.991124062346.5097A-100000@earth.nexus.net>
Date: Wed, 24 Nov 1999 07:00:28 -0500
Reply-To: Scott Zimmerman <scott@earth.nexus.net>
From: Scott Zimmerman <scott@EARTH.NEXUS.NET>
X-To: Crispin Cowan <crispin@CSE.OGI.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <383AF822.275BCCFE@cse.ogi.edu>
On Tue, 23 Nov 1999, Crispin Cowan wrote:
> I agree that configuration and operational issues are a hard problem to solve.
> In general, I don't know how to solve them. My (crass commercial) solution is
> that folks who don't really know what they're doing should buy appliances
I firmly agree and I'm not even selling anything. <g> The problem here
lies in that many work users have systems at home and see no difference
between the complete control of their home machines and what they think
should be their complete control of their work machines. I worked in a
rather large computing facility earlier this year where we were using
NetApp filers for central storage. Users vehemently resented the multi-GB
quotas and complained by saying "I have a 20GB drive at home, why can't I
have one here?" If appliances are put on the desktops instead of real
standalone-capable machines, the appliance might be a sufficiently
different animal that the users may not be as tempted to make comparisons
to their home systems. (I'm speaking generally about PC folks here.)
> I'm rather amazed at the existance of the firewall *application* market, where
> you buy a firewall product and install it on one of your server machines. How
> can such an application install take a pre-installed machine from an unknown
> state to a secure state?
These applications help to solve a non-technical problem: liability. If
ABC Corp. installs a Double-Widget(tm) firewall then they can demonstrate
that they practiced 'due diligence' and made a 'good faith' effort to
secure the corporate assets; the darn software vendor must be at fault if
there is a malicious intrusion. The technical issues are sufficiently
obfuscated that the company probably won't be blamed [by the shareholders,
etc.] for the lax security: it will now be [in their eyes] the vendor's
fault. Sadly, it seems that covering one's own ass[ets] is functionally
equivalent to actually practicing real security without all that nasty
work and expense.
Cheers,
Scott
scott(a)earth.nexus.net