This is the comment you were replying to, attached to the article Question: How much Security is enough?:


Re: Question: How much Security is enough?
Posted by Steve (82.41.xx.xx) on Wed 7 Sep 2005 at 09:14

When you talk about "security" there are a few different meanings:

  • Security of the system itself.
  • Security of the software installed upon the host.
  • Security of information.

Some of these can be addressed by the available "security frameworks", others by the actual setup of the machine (i.e. forbidding anonymous accesses).

When it comes to security frameworks PaX appears to be pretty much discredited as I understand things, so the only remaining major security frameworks are:

  • GRSecurity
  • SELinux - used in Fedora, IIRC?

Russell Coker has been doing a lot of good work in the SELinux area, and a lot of progress has been made in this area - for example libselinux1 appears to be included in the base distribution nowadays.

However I must admit I've used neither setup, and don't really feel that I need to have a full-blown security framework in place upon my hosts.

I suspect that if you need a full setup you'll know already, although having these frameworks tested large-scale in distributions like Fedora is certainly a good thing.

For me security comes down to the basics, which apply to pretty much any operating system:

  • Strong passwords.
  • Avoiding untrusted users - if possible.
  • Minimal installed services upon hosts.
  • Adequate firewalling rules to avoid services from being overly exposed.
    • A firewall isn't a magical cure-all, but especially on a LAN can do great things.
  • Fast intrusion detection via filesystem checksums, SNORT sensors, and application specific monitoring.
    • eg. mod_security for apache
  • Regular patching via distribution, or upstream, supplied updates.

Most of the currently exploited bugs can be kept track of via a subscription to Bugtraq, or similar mailing lists. (They seem to like unsubscribing my email addresses after a few months and it is never clear why ..)

I would like to see further improvements to Debian's security which is part of the reason I started auditing code, and working on an SSP compiler for Debian.

But honestly? Most system compromises could be prevented even without changes to the distribution itself. IMHO compromises usually result from one of two things:

  • Outdated and insecure software, often for which patches are already available.
  • Poor configuration upon the part of the installer.

Basic improvements to Debian's base install would be useful, such as reducing the amount of software (eg. no gcc on firewalls), or the suggestion of a firewall at installation time.

Other changes could be suggested such as "all installed services must be explicitly enabled" which would likely help, but many people would probably suggest these were more painful than helpful.

Steve
--

