Benjamin Scott wrote:
>
> On Wed, 1 Nov 2000, Kenneth E. Lussier wrote:
> > Have more than one firewall script and run them often.
> [...]
> > Have your firewall scripts called from unmounted filesystems.
>
> These particular items strike me as security-through-obscurity. While it
> might stop a naive script-kiddie with a very simple root kit, it won't stop
> much more. There are about a dozen ways I can think of off the top of my head
> to neutralize both of these, and I'm far from an expert in such things.
These particular examples are definitly security through obscurity. But
there are two things to consider:
1) Security through Obscurity has it's place in any well-defined
security model. It is by no means the best or most effective measure,
but making things hard to find or even annoyingly hard to manuver is a
first-tier deterant.
2) Multiple layers of security. Each layer is a single stance, and if it
is defeted, then they hit the next brick wall. With enough layers, there
will be so many bells and whistles going off that you will know about
them long before they are able to do any real damage.
As a side note, I am talking about home systems and cable modems here.
The things that I am saying are just a small (*VERY* small) part of a
security plan for a company. Home systems do not need the same security
measures, but it is nice to have more then just one scheme in place.
> It also violates one of the fundamental rules of security, the KISS
> Principle. Keep It Simple! Simple systems are easier to deploy, easier to
> maintain, and easier to audit.
This is where the disagreement will begin..... ;-) Define "Simple". The
things that I mentioned are all simple. To me, anyway. Also, KISS has
been applied to many things, but network security is not one that I
would apply it too. I prefer the motto: " DON'T LET THE BASTARDS IN, AND
NEVER LET THEM WIN!". You are right in that simple security systems are
easy to impliment and easy to audit. They are also easy to rebuild when
they have been breached. I believe in multiple levels of security, with
equal parts of logic, common sence, planning, and paranoia.
> You are much better off, IMNSHO, really securing your system, in which case
> you don't need this sort of thing, and you reduce administrative overhead.
Again, this goes back to multiple levels of security. A well-secured
system should use different schemes and tactics mixed together. A good
administrator should be checking the system constantly anyway. It is
less effert to go the extra mile the first time and watch the logs then
it is to rebuild the system.
> Unfortunately, while this works very well for a firewall, it is much harder
> to do on, e.g., a system hosting dynamically-generated web content. :-(
That's why you put them *BEHIND* the firewall ;-)
--
Kenny Lussier
Systems Administrator
Mission Critical Linux
***********************************************************
Life is a lesson, you learn it at the end
Reality has become increasingly less accurate
***********************************************************
**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************
