North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: The magic security CD disc Re: HTTP proxies
In message <[email protected]>, Sean Donelan writes: > > >Has anyone come out with a fix everything CD customers could use >to clean up their systems? This isn't an operating system specific >issue. Buggy and misconfigured software is running on Unix, Mac, >Windows, etc. > It can't be done, at least not usefully. It's easy to turn things off; the hard part is knowing what should be left on, given your needs, the threat environment, and other protective measures. I forget which of the Rainbow Series of books said it -- the Yellow Book, I think -- but one of them noted that the same LAN that was insecure in an office might be quite secure in a submerged submarine with a highly-cleared crew aboard. It is possible, though, to write something that would analyze a configuration and present you with a sensible menu of choices. It could know, for example, that one can't disable rpcbind if other RPC-based services are running. But getting that right for even a single release of a single OS is hard enough, let alone many releases of many OSes. And then, of course, you want to add advice to the user. --Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com ("Firewalls" book)
|