On Fri, 2007-05-04 at 07:51 +0300, Shachar Shemesh wrote:
> Omer Zak wrote:
> > Why are you unifying all the Linux servers in one distribution?
> > Won't this expose your organization's computers to the dangers of
> > monoculture?
> >
> I cannot talk for Amos, but here is my experience. The dangers of
> monoculture mostly apply when you have a group from which you want the
> maximal survival (or minimal damage). A heterogeneous environment is the
> best way to achieve this, as the minimal number of items will be
> vulnerable to any specific attack.
>
> A single company, often, is not like that. In a single company the
> danger is often equally placed for ANY item failing. In other words, you
> are not trying to improve the average, you are trying to improve the
> worst case. It's a different problem and it has different optimization
> points.
I would say that the computer running the accounting software and the Web
server are more critical than the other computers in most companies.

> As far as the practical side goes, there is another consideration. Even
> with the first case, an environment of poorly maintained individuals, be
> them as heterogeneous as they might, is still more vulnerable than an
> environment of well maintained but uniform individuals. This is under
> the assumption that most attacks are based on vulnerabilities that have
> vendor patches at the time of the attack, and that all platforms are
> attacked to some extent.

You are right about this - a secure OS with a poorly-trained sysadmin does
not form a secure system.

> > Won't it be a good idea to deploy different distributions/OSes on
> > computers through which crackers will have to break in order to break
> > into the organization's computers?
> >
> I think you are assuming two things:
> 1. It is possible to set up the environment so that the attacker has to
> break into ALL systems in order to gain access.

The attacker usually has to break through the firewall to access the other
systems. Hence, my suggestion to use a different OS for the firewall.

> 2. It makes economical sense to invest the extra time to set up and
> maintain such a system.

There is also the question of transferring sysadmin skills from OSes like
Linux (in its Debian Etch incarnation) to OSes like Linux (in its Fedora
Core incarnation) and OpenBSD. Personally I do not believe it to be that
problematic, but who knows?

--- Omer
-- 
"Kosher" Cellphones (cellphones with blocked SMS, video and Internet) are
a menace to the deaf. They must be outlawed!
(See also: http://tddpirate.livejournal.com/66782.html)
My own blog is at http://tddpirate.livejournal.com/
My opinions, as expressed in this E-mail message, are mine alone.
They do not represent the official policy of any organization with which
I may be affiliated in any way.
WARNING TO SPAMMERS: at http://www.zak.co.il/spamwarning.html

=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]
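The thread above argues three things in prose: that a heterogeneous fleet lowers the average loss per attack while a uniform fleet changes the worst case, that maintenance quality can outweigh heterogeneity, and that a firewall on a different OS forces an attacker through two independent hurdles. The following Python model, added here as an illustration and not part of the mailing-list thread or anyone's posted code, puts numbers on those claims. The model itself is an assumption: each platform is independently exploitable by a given attack with probability p, every host on an exploitable platform is lost, and the host counts and probabilities are constructed sample values.

```python
"""
Added example: a toy risk model for the monoculture-vs-heterogeneity
discussion. Nothing here comes from the thread; the probabilities and
fleet layouts below are constructed sample values.
"""
from fractions import Fraction
from itertools import product


def fleet_risk(platforms):
    """Exact enumeration over which platforms a single attack can exploit.

    platforms: list of (host_count, p_exploitable) tuples, one per platform.
    Pass p as a Fraction (or a string such as "1/4") to keep results exact.

    Returns a dict with
      expected_fraction: expected share of hosts compromised (the "average")
      p_any:             probability at least one host is compromised
      p_all:             probability every host is compromised (the "worst case")
    """
    n_hosts = sum(count for count, _ in platforms)
    expected = p_any = p_all = Fraction(0)
    # Each outcome is a tuple of booleans: is platform i exploitable?
    for outcome in product((False, True), repeat=len(platforms)):
        prob = Fraction(1)
        compromised = 0
        for (count, p), hit in zip(platforms, outcome):
            p = Fraction(p)
            prob *= p if hit else 1 - p
            if hit:
                compromised += count
        expected += prob * Fraction(compromised, n_hosts)
        if compromised:
            p_any += prob
        if compromised == n_hosts:
            p_all += prob
    return {"expected_fraction": expected, "p_any": p_any, "p_all": p_all}


def chokepoint_risk(p_firewall, p_internal=None):
    """Probability an attack reaches an internal host behind the firewall.

    If p_internal is None the internal hosts run the firewall's platform,
    so one exploit covers both hops and the risk is just p_firewall.
    Otherwise the two hops are independent platforms and both must be
    exploitable (assumed independence, as in the rest of this model).
    """
    p_fw = Fraction(p_firewall)
    if p_internal is None:
        return p_fw
    return p_fw * Fraction(p_internal)


if __name__ == "__main__":
    p = Fraction(1, 4)
    # Same per-platform exploitability, uniform vs. four-way split.
    print("uniform, 8 hosts:      ", fleet_risk([(8, p)]))
    print("4 platforms x 2 hosts: ", fleet_risk([(2, p)] * 4))
    # Well-maintained uniform fleet vs. poorly maintained heterogeneous one.
    print("uniform, well patched: ", fleet_risk([(8, Fraction(1, 20))]))
    print("mixed, poorly patched: ", fleet_risk([(2, Fraction(2, 5))] * 4))
    # Firewall on the same platform as the internal hosts vs. a different one.
    print("shared-platform firewall:  ", chokepoint_risk(p))
    print("separate-platform firewall:", chokepoint_risk(p, p))
```

With the same per-platform exploitability, splitting eight hosts over four platforms leaves the expected fraction lost unchanged (1/4) but raises the chance that at least one host falls from 1/4 to 175/256 while cutting the chance of losing everything from 1/4 to 1/256; that is the "different optimization points" in the thread. The second pair shows a uniform fleet at 1/20 beating a mixed fleet at 2/5 on every measure, which is the maintenance argument. The chokepoint pair shows two independent platforms multiplying the attacker's required luck from 1/4 to 1/16.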