Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


[unix security] Re: Is anyone actually USING IP QoS?

  • From: Alex P. Rudnev
  • Date: Wed Jun 16 14:55:45 1999

> >Unix machine... drop all services you don't need, run your services not
> >as the root, install secure level or read-only file system - and no
> >problems.
> 
> this is just ridiculous.  it's not as simple as "no problems".   the things
> you state are rather obvious but for a system to be used as *anything*
> (cache, web server, video server, etc) you simply have to have certain
> ports open, many times simple udp ports.  locking down services/ports,
> and running anything you can as non-root certainly goes a long way in
> protecting the system but it's just not that cut and dried.
The services are not the problem - use an overflow-protected function stack 
(this exists now), use a security level to prevent any unauthorised changes 
outside of maintenance windows (exists now), and use systems that allow 
running the outer services as non-root processes (no www, no dns, no caching 
needs high privileges; mail relaying doesn't need it either, pop or stream 
services don't need it either, etc). On the other hand, it's an open system 
- I can be sure the program stack is really overflow-protected (this 
means - you can't do wrong things even if you can overflow the stack),
the file systems are really protected from changes, the services 
really have no extra privileges. Non-open systems have some benefits at 
first because hackers can't investigate the source code, but 
then, a few years later, they turn out to have huge problems. It's 
amazing to read about worms, mail viruses, etc working in the Unix 
environment, btw (though I can't blame Mr. Gates for it).

> 
>  i'll give you and vadim full credit for being math wizards, or scientists
> (which i clearly am not) but don't choose your next career in the
> computer/network security industry.  :)
I can't speak for Vadim, but the security industry often has a very 
strange approach to security itself. They close nonexistent holes, 
but often leave open very dangerous ways to intrude. And then, do you 
know the best firewall in the world? It's the scissors.
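The post above argues that outer services (www, dns, mail relaying, pop) do not need to keep high privileges. The following is an added example, not code from the thread or from any project it mentions, of how a Unix daemon that must start as root (for instance to bind a port below 1024) permanently drops to an unprivileged account and then verifies that the drop actually took effect. The account name "nobody" used in main() is an assumption for illustration; a real service would use a dedicated account.

```c
/* Added example (not from the NANOG thread): drop root permanently and
 * verify it. Assumed unprivileged account "nobody" is illustrative only. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to uid/gid. Order matters: supplementary groups first
 * (only root may change them), then the gid, then the uid; once the uid is
 * no longer root the process cannot adjust the other two any more.
 * Returns 0 on success, -1 on failure (errno set by the failing call). */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Clear supplementary groups inherited from the invoking user. */
        if (setgroups(0, NULL) != 0)
            return -1;
    }
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Verify, don't assume: all ids must match what was requested ... */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* ... and a non-root process must not be able to become root again.
     * If setuid(0) succeeds here, the saved set-user-id was still 0 and
     * the "drop" was only temporary. */
    if (uid != 0 && setuid(0) != -1)
        return -1;
    return 0;
}

/* Return 1 if the caller is unprivileged and cannot regain root, else 0. */
int running_unprivileged(void)
{
    if (getuid() == 0 || geteuid() == 0)
        return 0;
    return (setuid(0) == -1 && errno == EPERM) ? 1 : 0;
}

int main(void)
{
    struct passwd *pw;

    if (geteuid() != 0) {
        printf("not started as root; unprivileged=%d\n",
               running_unprivileged());
        return 0;
    }
    /* A real daemon would open its privileged socket here, before the drop. */
    pw = getpwnam("nobody");          /* assumed account name */
    if (pw == NULL) {
        fprintf(stderr, "no 'nobody' account on this system\n");
        return 1;
    }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("now uid=%u gid=%u unprivileged=%d\n",
           (unsigned)getuid(), (unsigned)getgid(), running_unprivileged());
    return 0;
}
```

The check at the end of drop_privileges() is the part most often left out: a setuid() that only changed the effective id leaves the saved set-user-id at 0, so the service can still call setuid(0) later, which is exactly what an attacker who gains code execution in it will do.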
