This issue (proper installation and administration) is not unique to Unix
systems. I can give you a perfectly secure system (no nits here please! :-)
and if it is not administered properly, it will not work. Period.

To add to my list of misconceptions, a BIGGIE is that a single security
policy will work for a large proportion of the world. Security policies
are composed of MUCH more than the configuration of the system. They are
primarily dependent upon the makeup and mission of the organization. One
size won't fit all. If this fact is not recognized, then the site will
probably not be secure.

HOWEVER, there are some basic issues that should be dealt with by vendors
(including us, sigh ....). These include:

o If the proper functioning of the firewall requires that an OS
  parameter have a certain value, then the installation procedure
  should ask to set it to that value, explaining the ramifications (or
  pointing you to the page that explains the ramification in the
  installation manual).
o Administration tools should embed the security specific knowledge
  into the management tools, and set up the system security policy
  based upon business considerations in a language that mere mortals
  can understand (would you guess that one of these is on the way??? :-)

>
> Randy Marchany writes...
> >Steve Kotsopoulos writes...
> > >Most Unix systems are unfortunately insecure out of the box.
> > >We should expect all good firewalls to be highly secure out of the box.
> > I agree 100%. The true test of a firewall package is to see what it does when
> > you DON'T follow the vendor recommended procedures. How does it handle stupid
> > user tricks? What state does it leave your network when something like that
> > happens? There's a gap between the people who really read the instructions and those who
> > just scan the instructions. Unfortunately, I believe the scanners outnumber the
> > readers...:-).
>
> I'm sorry, I disagree 100%. There are dabblers, and there are professionals.
> Dabblers always just scan the instructions. Professionals do, too, but
> they know when they need to go back and read them. If you don't follow
> the recommended procedures, you assume some of the responsibility for the
> consequences. Or would you rather all UNIX systems shipped with a random
> root password so you don't have to worry about forgetting to set one?
>
> --
> Mike . Jones @ unifiedtech . com
> Make no mistake about it: Operation Desert Storm truly was a victory
> of good over evil, of freedom over tyranny, of peace over war.
> - Dan Quayle, in remarks at Arlington National Cemetery
>
--
Jon F. Spencer spencerj @ rtp . dg . com (uunet!rtp.dg.com!spencerj)
Data General Corp. Phone : (919)248-6246
62 T.W. Alexander Dr, MS #119 FAX : (919)248-6108
Research Triangle Park, NC 27709 Office RTP 121/9
Reality is an illusion - perception is what counts.
No success can compensate for failure at home.
President David O. McKay
***** UCC 1-207 ********