Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: The magic security CD disc Re: HTTP proxies

  • From: Steven M. Bellovin
  • Date: Sun Dec 08 21:53:08 2002

In message <Pine.GSO.4.44.0212081952200.11337-100000@clifden.donelan.com>, Sean
 Donelan writes:
>
>
>Has anyone come out with a fix everything CD customers could use
>to clean up their systems? This isn't an operating system specific
>issue. Buggy and misconfigured software is running on Unix, Mac,
>Windows, etc.
>

It can't be done, at least not usefully.

It's easy to turn things off; the hard part is knowing what should be 
left on, given your needs, the threat environment, and other protective 
measures.

I forget which of the Rainbow Series of books said it -- the Yellow 
Book, I think -- but one of them noted that the same LAN that was 
insecure in an office might be quite secure in a submerged submarine 
with a highly-cleared crew aboard.

It is possible, though, to write something that would analyze a 
configuration and present you with a sensible menu of choices.  It 
could know, for example, that one can't disable rpcbind if other 
RPC-based services are running.  But getting that right for even a 
single release of a single OS is hard enough, let alone many releases 
of many OSes.  And then, of course, you want to add advice to the user.

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com ("Firewalls" book)






Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.