Good network security article
techAdmin
Status: Site Admin
Joined: 26 Sep 2003
Posts: 4126
Location: East Coast, West Coast? I know it's one of them.
There was recently a well-done security article here. It's an interview with Dan Razzell, a security analyst.

Good information there, useful links etc.

:: Quote ::
NF: What is the first step that users should take in securing their systems?

DR: I'd say that the first step is to build a survivable system. Survival in system terms means knowing exactly where you are, how you got there, and how to go forward. It has a lot to do with modularity and configuration. In practical terms, it requires a clean separation between operating system, application software, and data, so that you can replace one of these elements without disturbing the others. It also means separating the process of installing the system from the process of managing its configuration. Configuration management is the primary means we have of building and reasoning about secure systems, so we want our configuration choices to survive even when the system itself doesn't. That's a really effective insight into system management as well.


What's interesting in this article is that when he talks about what can and cannot be secured, he is clearly suggesting that Windows will not ever meet the criteria laid out due to its initial design. This is the exact same issue we are seeing with Internet Explorer.

Re firewalls:
:: Quote ::
Firewalls offer a manageable layer of defense without significant complexity. If I look at the history of a system and see a strong firewall appearing early in its design, that's also a useful litmus test. It tells me that the designers understood the principle of defense in depth and took it seriously.


Note again here: "if I look at the history of a system". What he's talking about here is Unix/Linux. Windows clearly does not meet these criteria. And this means to him that this system was not in fact built with security in mind. Quite the contrary in fact. No matter how many service packs they release, they can't change the fundamental design philosophy behind the product.

Re: System Openness
:: Quote ::
It's just the same for system security. What happens if the software reveals a security flaw? If its design is secret, there is likely no alternate implementation that can be substituted. If the design is open, on the other hand, competing implementations may already exist, and in any case could be developed according to need. Such a design is thus inherently more secure than if it were closed.

Again, as you can see, the ability to have direct access to the source code, or whatever other component the system is using, if there is no openness, there is no way to fix this yourself. You are relying on the vendor to fix it for you.

One article referenced is here. That's a security handbook for securing website servers, but it applies to more broad subjects too of course:

:: Quote ::
This handbook is a guide to setting computer security policies and
procedures for sites that have systems on the Internet (however, the
information provided should also be useful to sites not yet connected
to the Internet). This guide lists issues and factors that a site
must consider when setting their own policies. It makes a number of
recommendations and provides discussions of relevant areas.

vkaryl
Status: Contributor
Joined: 31 Oct 2004
Posts: 273
Location: back of beyond - s. UT, closer to Vegas than SLC
Extremely interesting. Will you be posting snips of the "other side's" rebuttals (assuming availability), as well?
techAdmin
Status: Site Admin
Joined: 26 Sep 2003
Posts: 4126
Location: East Coast, West Coast? I know it's one of them.
:: Quote ::
Will you be posting snips of the "other side's" rebuttals (assuming availability), as well?


If I can find something as coherent... only problem is, I think the general principles kind of are right, and so the secure system would need to meet those requirements, which requires a system built to be secure from the beginning.

This article fits pretty well with what I've seen first hand working with Windows machines on networks. You are always basically praying that nothing will happen, and when it does, you are not surprised.

Of course he's talking from a pure security vantage point. Everything he says made really good sense to me, the whole idea of having data/OS/programs completely separated for example, I do that by default by always having the data and the OS/program in separate partitions and so on.

Of course he's advocating Unix-type systems, because those are the ones that were built from the ground up to be secure. Windows is easier for end users without any question, and because of the huge amount of software written for Windows, that will always be a problem for many practical applications.