On Sun, 28 Sep 2003, Paul Schmehl wrote:
> --On Sunday, September 28, 2003 10:20 PM -0400 "[EMAIL PROTECTED]"
> <[EMAIL PROTECTED]> wrote:
>
> > I would add yet another take on this.
> >
> [snipped a lot of good thinking]
> >
> > I think that the problem is not the protocol or the application. It is a
> > fundamental lack of understanding of the security model and the network
> > as a whole.
> >
> Yes, that is what I was trying to say, however lamely. The preponderance
> of discussions and papers on security today focus on the network and how to
> control the flow of data/packets. But in the final analysis, the problems
> always come down to the individual machine, be it server or workstation.
> Why aren't security ideas focusing on that problem primarily? Oh, we all
> know you shouldn't run unnecessary services, but that's about as far as the
> wisdom goes.
>
> SANS has made some efforts in this area with their best practices
> documents, but where is the software development to address it? The
> Bastille is about the only thing I can think of off the top of my head that
> even attempts to address this area. The OS vendors are beginning to come
> around to the off-by-default model (slowly), but protecting what *must* be
> on (such as CIFS, SMB, NFS) is still a laborious (or outrageously
> expensive) process when you're trying to do it on an enterprise level.
>
> IMO the vendors should be providing these types of tools as an integral
> part of the OS in addition to shipping in an off-by-default model. It
> should be trivial to "do security" in an OS. (It still blows my mind that
> every WinXP box comes with UPnP on by default. RPC I can *almost*
> understand, but UPnP???) I'm saying we need a paradigm shift in *thinking*
> about how an OS should be configured out of the box *and* a paradigm shift
> in the ease of configuration on an enterprise level.
>
> Paul Schmehl ([EMAIL PROTECTED])

Many computer programs are today:

1. unconscious
2. promiscuous
3. incontinent
4. unsupervised

Most programs should be:

1. somewhat self-aware
2. almost chaste and quite delicate in their affections
3. tight-sphinctered
4. well supervised by programs with the power to detect and suppress bad behavior

oo--JS.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
