|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Operational Issues: Applications & Appliances (was: Buffer Overflow Survey Paper)
Crispin Cowan (crispin
CSE.OGI.EDU)
Tue, 23 Nov 1999 20:25:06 +0000
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
- Next message: Brock Tellier: "Oracle 8i questions"
- Previous message: Jefferson Ogata: "Re: local users can panic linux kernel (was: SuSE syslogdadvisory)"
- In reply to: Cy Schubert - ITSD Open Systems Group: "Re: local users can panic linux kernel (was: SuSE syslogd advisory)"
- Next in thread: Scott Zimmerman: "Re: Operational Issues: Applications & Appliances (was: Buffer Overflow Survey Paper)"
- Reply: Scott Zimmerman: "Re: Operational Issues: Applications & Appliances (was: Buffer Overflow Survey Paper)"
- Reply: Mark Seiden: "Re: Operational Issues: Applications & Appliances (was: Buffer Overflow Survey Paper)"
Gary Flynn wrote:
> Crispin Cowan wrote:
> > Thus, one could say that buffer overflows are the leading
> > cause of software vulnerabilities, and misconfiguration is the leading
> > operational problem. Which problem dominates overall vulnerability is
> > unclear.
>
> I'm digesting your paper but wanted to comment on the peripheral topic
> of "operational" issues.
>
> If we're going to add operational problems as a category, I'd
> suggest that "usage" may be a more predominant problem than
> "misconfiguration".
>
> End user practices of downloading unknown software, running the unproven
> "application of the week", and other risky behavior makes the vulnerabilities
> due to misconfiguration and software defects that much more problematic.
I agree that configuration and operational issues are a hard problem to solve.
In general, I don't know how to solve them. My (crass commercial) solution is
that folks who don't really know what they're doing should buy appliances
instead of general-purpose computers. Then at least the configuration is done
by a professional. The quality of the configuration then depends on the quality
of the vendor. It is for this reason that WireX products are appliances: I
have some trust that *I* applied my security tools correctly, but I'm not at all
sure that end-users can apply them correctly.
I'm rather amazed at the existance of the firewall *application* market, where
you buy a firewall product and install it on one of your server machines. How
can such an application install take a pre-installed machine from an unknown
state to a secure state? Does the install script for (say) Checkpoint do
extensive configuration checking and adjusting? Or do they just assume a very
competent sys admin puts the machine into a "firewall" configuration?
Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
- Next message: Brock Tellier: "Oracle 8i questions"
- Previous message: Jefferson Ogata: "Re: local users can panic linux kernel (was: SuSE syslogdadvisory)"
- In reply to: Cy Schubert - ITSD Open Systems Group: "Re: local users can panic linux kernel (was: SuSE syslogd advisory)"
- Next in thread: Scott Zimmerman: "Re: Operational Issues: Applications & Appliances (was: Buffer Overflow Survey Paper)"
- Reply: Scott Zimmerman: "Re: Operational Issues: Applications & Appliances (was: Buffer Overflow Survey Paper)"
- Reply: Mark Seiden: "Re: Operational Issues: Applications & Appliances (was: Buffer Overflow Survey Paper)"
This archive was generated by hypermail 2.0b3 on Wed Nov 24 1999 - 00:48:55 CST