On Sun, 1 Jul 2001 [EMAIL PROTECTED] wrote:
> How secure is IRIX? I happen to have an an old sgi indigo 2 ...
Argghhhh!
Pardon me, but I am afraid you have hit a nerve with me, and I have to go
off on a rant now. Some less emotional information follows the rant.
<RANT>
It is not a matter of "this is secure" or "that is secure". It is matter of
security being a *PROCESS*. You cannot, under any circumstances, *WHAT SO
EVER*, install arbitrary product XYZ and consider your work done.
It does not matter if XYZ is IRIX, Linux, OpenBSD, Windows, SonicWall's
latest-and-greatest firewall appliance, or a carrier pigeon. Security is not
a state of being. It is something you *do*.
You have to understand what XYZ is designed to do, what it helps protect you
against, and what it does not protect against at all. You have to understand
how to configure that protection, and what that configuration means. And you
have to keep the configuration up-to-date, because the bad guys are always
coming out with new and improved ways to break though it all. That includes
being aware of new attacks, as well as keeping vendor updates current. You
have to apply this strategy to *the entire system*, from the firewall straight
on through to your mouse, because you can get hit *anywhere*.
Does all that sound hard? You're right. It *IS* hard. Security *IS* hard.
Anyone who says otherwise is trying to sell you something.
</RANT>
Ahhhh. Thank you. I feel better now.
I would recommend a couple things for your case:
First, lock down your system(s). That includes turning off unneeded
services, as well as installing all your vendor updates and patches. How to
do this varies considerably from OS to OS, and version to version. (There is
one reason to steer clear of IRIX: We can help you with Linux. Help for
Windows is readily available. IRIX likely requires a support contract.)
Second, use a dedicated firewall of some kind. This can be one of the free
Unix distributions targeted at this purpose. I would recommend against a
general-purpose OS distribution for this in your case -- while it is quite
possible to secure such a system, it takes considerably more effort, and
you're probably not interested in that.
Alternatively, you could buy a turn-key firewall appliance. These are
generally very easy to setup. However, they are not a panacea. You still
have to configure them, you still have to monitor for vendor updates, and you
still can be attacked through them. They are also fairly limited; if you need
to do something the device cannot, you have to buy a new device.
Third, and most of all: Watch for updates to every piece of hardware and/or
software you use in conjunction with the 'net. Anything that talks to the
outside world can be subverted. The name of the game is constant vigilance.
--
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or |
| organization. All information is provided without warranty of any kind. |
**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************
