[huskerlug] Re: CERT Advisory

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> "one"
> perfect OS, "one"... And simply there is no such thing. It's all about

Linux isn't perfect? :-)

>
> I like dividing up tasks across lots of systems and having different flavors
> of OSs and programs...Like a Novell file server to store the files

I agree for the most part. It's a good common sense approach to security.
After all, how many banks use the same key to every door?

However, if this approach is taken to the extreme, it can make proper
administration more difficult due to complexity.  This in turn can lead to
mistakes that can compromise your security infrastructure.  In smaller shops
with more local/limited infrastructures to protect, this isn't such a
problem, but I can understand why many large corporations stick to a small
selection of products.  If they didn't, it could get very difficult to manage
and result in a significant reduction in overall security.  Can you imagine
trying to roll out a patch for the latest remote flaw in program xyz on 2000
servers running 5 different Linux distros (rpm vs dpkg vs tarball vs portage
vs ????), 2 different BSD distros, and 3 different commercial versions of
Unix?

I think OpenBSD and Linux are a great combination for improving security.  pf
and iptables are totally different implementations of packet filtering, so
the chances of the exact same flaw affecting both are pretty small.  However,
since both are essentially *nix, it reduces the complexity required to
administer them (versus a Linux + MS ISA firewall, or an OpenBSD + Cisco PIX
for example).

Let's also not forget about the importance of monitoring either.  No security
solution is complete without it.  Both host and network based intrusion
detection systems are quite valuable.  I personally think that some form of
host based auditing is a must for any systems exposed directly to a hostile
environment.

> (ncpmount), a Linux system to front end apps (Apache, PHP, etc) and a
> Solaris system to backend (MySQL, etc) all behind a firewall with IP
> masquerading (NAT) and port forwarding.  Try to give each system non-root
> access to each other so if one piece is compromised the entire setup isn't
> lost.

Sounds like a pretty decent setup.

> I've always thought if they hacked my apache server that it wouldn't do them
> much good #1 only port 80 goes to that system, ssh and the like go to a

Just keep in mind that if apache is compromised, port 80 is all the access an
attacker would need.  Once inside the web server, the attacker can then use
the trust relationship with the other machines to attack them.  This is
definitely another layer of security though, and it sounds like you've taken
steps to reduce the risk (especially important is the non-root access to each
other).  This is a great situation for a NIDS/HIDS setup so you are notified
of unusual behavior.

> different system the system many times use different flavors of Linux and
> 80% share no passwds directly in common.

This is good too.

--
Steve Bremer
RHCE, CCNA
--
Real Men don't make backups. They upload it via ftp and let the world
mirror it. -- Linus Torvalds
--
GnuPG Key fingerprint = 7F06 4D73 7963 BE96 5189  953A E285 CB2C BA03 2746
Available on key servers.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/Pc0t4oXLLLoDJ0YRAvPwAJ0ZbMeI/sHy+7Tf4a+nxrGr4UApwACeL3Td
x8EZmUmryopuybdoV2w2ePQ=
=Xnkq
-----END PGP SIGNATURE-----
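The host-based auditing Steve argues for above is, in practice, mostly file-integrity checking: record a trusted baseline of what is on the exposed box, re-check it later, and alert on drift. As an added example (not code from the post, the list, or any named HIDS product such as Tripwire or AIDE), the following Python script implements that check over a small web root. The directory tree, its files, and the "post-compromise" changes are all constructed in a temporary directory inside `demo()`, so it runs offline; the function and path names are this example's own.

```python
"""Minimal host-based file-integrity audit: baseline a directory tree,
re-snapshot it later, and classify what changed (added, removed, content
modified, permission bits changed). Added example, not from the original post."""
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Return {relative_path: (sha256_hex, mode_bits)} for every regular file
    under root. Symlinks, sockets and devices are deliberately skipped so the
    audit cannot be steered by a planted link pointing outside the tree."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root)
            snap[rel] = (digest.hexdigest(), stat.S_IMODE(st.st_mode))
    return snap


def compare(baseline, current):
    """Classify drift between a trusted baseline and a fresh snapshot.
    A file can appear in both 'modified' and 'mode_changed'."""
    report = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        else:
            old_hash, old_mode = baseline[path]
            new_hash, new_mode = current[path]
            if old_hash != new_hash:
                report["modified"].append(path)
            if old_mode != new_mode:
                report["mode_changed"].append(path)
    return report


def demo():
    """Constructed scenario: a web root is baselined, then tampered with.
    Every file and change here is made up for the example."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "cgi-bin"))

        def write(rel, data, mode=0o644):
            path = os.path.join(root, rel)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, mode)

        write("index.html", b"<h1>hello</h1>\n")
        write("cgi-bin/status.sh", b"#!/bin/sh\nuptime\n", 0o755)
        write("robots.txt", b"User-agent: *\n")
        baseline = snapshot(root)  # taken while the host is known-good

        # Simulated changes an auditor would want to be notified about:
        write("index.html", b"<h1>hello</h1><!-- defaced -->\n")   # content edited
        write("cgi-bin/unexpected.cgi", b"#!/bin/sh\n", 0o755)     # new executable
        os.chmod(os.path.join(root, "robots.txt"), 0o666)           # now world-writable
        os.remove(os.path.join(root, "cgi-bin/status.sh"))          # file removed

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:13s} {paths}")
```

On a real host the baseline would be written once, signed or stored off-box, and `compare()` run from cron against it; keeping the baseline on the same machine lets whoever tampers with the files tamper with the baseline too.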


----
Husker Linux Users Group mailing list
To unsubscribe, send a message to huskerlug-request@xxxxxxxxxxxxx
with a subject of UNSUBSCRIBE