On Thu, 20 Feb 1997, Pierre Beyssac wrote:
> It might be understood that you're saying that Unix and NT are
> _inherently_ less secure than MacOS (the same claim is made for Unix
> vs NT).
on the issue of IP related network security? yeah, I would say MacOS is
more secure. Here's why....
In a firewall environment, what would you say is common sense as far as
rules go....."deny all, allow what you need".
Most flavors of unix come outta the box with everything enabled (same for
NT), we all know that, I think. With the MacOS, if you want to activate
an IP related Network service, you have to install it and tell it to run.
It doesn't come outta the box enabled....which fits ...dare I say
..."accidentally" into the same thought of proper network security. No,
no one designed this into the role of the MacOS for security needs, that
much is obvious. But that's how it works. And for people ranging from
Graphic shops to people like NASA, it works great, cause that's one less
sysadmin (*owch*...that's my job) they have to hire to install, configure
and maintain a Unix/NT box. Thus...there's the reasons for going with a
MacBased server in some shops.
> But it should be made clear that this is _only_ a consequence of the
> fact that many more services are available "out of the box" on Unix
> than on NT, and on NT than on MacOS. A cracker can't login on a machine
> if it allows no remote login. Even less if the OS doesn't allow that
> because you didn't purchase the option, of course.
>
Again....why buy an OS with all these fancy logins, daemons, & services,
when all you want to do is offer some docs up on the web, securely?
With NT, you'd just end up trashing most of them in the recycle bin.
> But if you want to secure a Unix machine as much as possible, you
> can perfectly disable _all_ external services except the HTTP server,
> making it as secure as MacOS. And much more reliable. You can even
> remove rlogind, telnetd and the like if you're really paranoid.
>
Yeah, but with the MacOS, I still can leave things like filesharing, and
other networking services ON and not worry about security. Heck, I could
leave the Guest login with write permissions enabled on the Mac, and
still run a secure server on the Net. (AppleTalk doesn't route over the
net, without some very special plugins, which don't come standard.)
With an NT/Unix box, if I shutdown everything, ....except HTTP or
FTP...it's now a dedicated machine....and I can't even use it as a print
server or a file server.
> Then you need to choose a secure HTTP server, which is a different
> thing. Having a secure OS will not magically secure your HTTP server !
> Bugs recently discovered on NT servers (for example the ../.. stuff)
> have generally been fixed two or three years ago on Unix HTTP servers.
> They're just 2 or 3 years more mature...
Yes, but with the Mac, things get very complex, because typically, you
pass commands to a "command line interface" via the httpd.....where's the
command line interface?
If you know how to break that kinda security, I would suggest that you
take a look at the contest going on right now....at hacke.infinit.se (I
think is the addy), cause you can win a lotta money if you hack their
Mac. :)
Okay...in consideration to everyone else on this list who could give a
damn...any further posts on this subject I would ask that we take it off
this list, as this has gotten WAY off subject, and I never meant for us
to get there....feel free to reply to me personally if you wish to
continue this discussion please. I'm sure at least half the people on
here could care less about further OS battles. I won't respond to
anything that is either TO: or CC:'d to this list, as long as it's this
subject. :)
Kevin
Kevin McPeake cowboy @ home . byelex . nl
Internet Consultant http://www.byelex.nl/
<< You know something's up when your Thought process is idle. >>
USER PID %CPU %MEM VSZ RSS TTY S STARTED TIME COMMAND
cowboy 28365 0.0 0.2 2.84M 264K ttyp1 S 12:57:12 0:00.02 Thought