Question: How much Security is enough?
Posted by simonw on Wed 7 Sep 2005 at 08:32
To an extent the question is rhetorical: security depends on the risk, and online banks need more than sites offering archives of erotic stories for free. That is what security policies are all about.
What got me thinking was a comment on NANOG, that OpenBSD has x and y and z feature, and thus has more security features than the other BSDs.
I don't know the other BSDs so I can't comment if it is accurate, but I do know that most of the features mentioned (and some extras) are already in Red Hat's latest releases of Fedora. Several are noticeably absent from the stock Debian kernels.
The discussion was veering around routers, and embedded devices, but I guess there are minimum levels of security you need to establish to avoid being plagued by malware like a certain proprietary vendor's operating systems.
(BTW: The "blackhat" discussion of Cisco IOS mostly impressed on me what a good job Cisco had done in general, despite their somewhat ham-fisted efforts to suppress the talk.)
Whilst I wouldn't want to have to try and secure Windows XP, in practice we have very few issues with security (one rooted and 'root kitted' Red Hat box running a load of websites, probably rooted before I joined, a couple of spyware trojans snook onto some Windows PCs, but nothing at all for about a year apart from a hosting customer who insists on leaving MS SQL listening to the world).
Do you guys harden your Debian boxes? Whilst Red Hat seem to be walking the security walk, and Microsoft doing the security talk, is it important to you that Debian implement major new security features as opposed to other things the developers could be doing, like better desktops? Or is it "good enough" for most practical purposes?