In <[EMAIL PROTECTED]>, Or Sagi
<[EMAIL PROTECTED]> writes:
> > ``Adequately protected'', in this case, refers to allowing a very specific
> > (and minimal) set of services to be reachable from the network. Because of
> > their small numbers, they can be inspected and secured.
>
> They can be inspected and secured?
>
> Take SSH, for example. (I'm assuming that some form of outside login is
> wanted. The main two alternatives are SSH, and various OTP schemes (be it
> S/Key, SecurID ..)). What about the recent Kerberos SSH hole? I'm not
> aware of anyone exploiting it, but given sufficient time, trust someone to
> find a hole.
The operative word being ``can''.
You can't make a system secure as is, because it contains too much
code and too many dependencies in the code to inspect. But if you
minimize and compartmentalize the services you offer, you are in a
position to inspect them and secure them.
SSH is a good example for a bad program; it's bloated and buggy, just
like Sendmail. No one is forcing you to use Sendmail, though; qmail
does exactly what I said: it's designed securely, and it takes the
system-related bloat out of the equation by implementing those
functions itself. That's arguably not very pretty, but in light of
software quality, that is what (sadly) has to be done.
There's no public qmail-like replacement for SSH, but that's because
nobody has released one; people apparently accept the risks involved.
(Plus, in all honesty, SSH is not a security disaster like Sendmail
is. It's just too big for comfort.)
The point being, again, that you probably can't rewrite your entire
system securely. But you can implement and verify a few select
services.
> Assuming sufficient skill on the intruder's part, there isn't much you can
> do. There are precautions you can take to make things harder, and to help
> you analyze things after the event happened (Tripwire/the likes).
Again, this relies on underestimating the attacker. Once root is
broken, anything (Tripwire included) can be fooled.
> However, the basic issue here (IMHO), is - compare the percentage of
> people able to compromise the security of a vanilla RH5.0/Irix 5.3/<insert
> favorite insecure OS here> from the inside, to the percentage of people
> able to compromise a Secure OS, properly set up?
That works for the specific case of dealing with unlucky losers. The
moment your attacker is either skilled, or just plain lucky
(i.e. manages to use the latest exploit in the small window of time
before you patch your system) then you've lost. That's fine, but I
just wanted to point out that you can have something more reliable.
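The remark above that Tripwire "can be fooled" once root is broken is worth making concrete. The following is an added example, not code from the thread or from Tripwire: a toy integrity baseline over an in-memory set of files (constructed data, not a real filesystem). It shows that an unsigned baseline stored on the same host reports nothing once the baseline itself is regenerated, and that authenticating the baseline with a key kept off-host (the key here is a constructed stand-in) at least lets the operator notice that the clean report cannot be trusted.

```python
"""Toy Tripwire-style integrity baseline.

Added example illustrating why a host-resident baseline is only as
trustworthy as the host. Files are a constructed in-memory dict.
"""
import hashlib
import hmac
import json


def build_baseline(files):
    """Map each path to the SHA-256 hex digest of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare(baseline, files):
    """Return the sorted paths whose current hash differs from the baseline,
    plus any paths that are missing from or new relative to the baseline."""
    current = build_baseline(files)
    changed = [p for p in baseline if current.get(p) != baseline[p]]
    added = [p for p in current if p not in baseline]
    return sorted(changed + added)


def sign_baseline(baseline, key):
    """Serialize the baseline canonically and attach an HMAC-SHA256 tag.
    The key is assumed to live off-host (e.g. on removable media)."""
    blob = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, blob, hashlib.sha256).hexdigest()
    return {"baseline": baseline, "tag": tag}


def verify_baseline(signed, key):
    """True only if the stored tag matches the baseline under the off-host key."""
    blob = json.dumps(signed["baseline"], sort_keys=True).encode()
    expected = hmac.new(key, blob, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["tag"])


# Constructed sample host state: a clean snapshot and one with a modified binary.
CLEAN = {"/bin/login": b"login v1", "/usr/sbin/sshd": b"sshd v1"}
TAMPERED = dict(CLEAN, **{"/bin/login": b"login v1 + modification"})


def scenario_unsigned():
    """Unsigned baseline kept on the host.

    Returns (paths flagged against the original baseline,
             paths flagged after the baseline is regenerated on the compromised host).
    The second list is empty: the check has been fooled, exactly as the thread says.
    """
    baseline = build_baseline(CLEAN)
    detected = compare(baseline, TAMPERED)
    regenerated = build_baseline(TAMPERED)  # baseline rewritten to match the altered host
    return detected, compare(regenerated, TAMPERED)


def scenario_signed():
    """Baseline authenticated with a key that never lived on the host.

    Returns (verification of the genuine signed baseline,
             verification of a regenerated baseline carrying the old tag).
    The regenerated baseline fails, so a clean report from it is not trusted.
    """
    key = b"constructed-off-host-key"  # placeholder; real key stays off the monitored host
    signed = sign_baseline(build_baseline(CLEAN), key)
    regenerated = {"baseline": build_baseline(TAMPERED), "tag": signed["tag"]}
    return verify_baseline(signed, key), verify_baseline(regenerated, key)


if __name__ == "__main__":
    print("unsigned:", scenario_unsigned())
    print("signed:  ", scenario_signed())
```

The signed variant does not stop a root-level intruder from altering files; it only removes the intruder's ability to produce a baseline the checker will accept, which is why real deployments keep both the baseline and the checking tool on read-only or off-host media.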
=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]