0

Would you run an AV on Linux or FreeBSD or Solaris, etc? Of course not, so why run one for NT which has at least the security capabilities of those other systems? The only systems that benefit from AVs are those with poor architecture that allows random processes unmitigated access, like the Windows (SUE)line Single User Edition. Restrict administrative accounts from running untrusted applications and isolate/restrict standard users in a manner that prevents the virus from being able to propigate.This has the advantage of being immune to new viruses and trojans while requiring no upgrades. Besides, if you have your system setup in a manner that makes virus propigation not possible, why waste the time scanning?


Secondly, I would hope you are all aware that ALL firewalls are software, some just run on very limited operating systems rather than general purpose opersting systems and on specialized hardware rather than general hardware. Firewalls should be divided by type or generation, since this actually allows for a sane comparison. Lastly,before we get some replies, are you to take the word of the masses here? Something about the "least common denominator" should ring true.

9
Contributors
24
Replies
25
Views
12 Years
Discussion Span
Last Post by kc0arf
0

Hi,

I've split this post off into its own topic, as it was not directly related to the topic in which it was posted.


Your contention is based upon flawed reasoning. That's understandable, because a lot of people follow the same flawed reasoning. They contend that Linux is 'safe' because malicious software can only effect the particular user's files and not the system root. That reasoning is unsound, as was explained quite a long time ago at linuxquestions.org

Here we go again :rolleyes: This very topic has been discussed to death and I'm sure you would find more than enough information to keep you reading for a long time, simply by using the forum search function.

Any way, the answer is that most operating systems are the same as far as security. The reason that Windows has a lot more viruses, worms, and malicious code in general is because it's a very popular OS run by a huge number of people as both a personal OS and on servers. This means that if you write a worm for Windows, it's very likely to infect a lot of hosts and get a lot of attention.

There are many times few Linux systems deployed than Windows systems, so right away it's a much less tempting target for malware writers, and add to that the fact that each Linux distro does things differently, some times very differently, and this makes it difficult to write malware that will affect most Linux-based OSs at once. Since the install base of Linux is split up very widely between at least dozens of major variants (out of the hundreds available), this makes it even more difficult to make a big splash with a Linux worm.

The last major difference is that with Linux OSs there isn't a single, dominant e-mail client like on Windows. Since there are so many different e-mail clients, and almost none of them have direct links to web browsers, and because there are so many different browsers used by Linux users, it's extremely difficult to write an e-mail virus/worm for Linux (because most e-mail malware counts on a specific vulnerability in an e-mail client that's tied to a specific browser). Part of this has also been pointed out, that so far Open Source e-mail clients down allow automatic execution of an attachment simply by clicking on it; however it should be noted that many of them display images by default, and with the recent BMP buffer-overflow vulnerability, this should be an eye-opener.

Any reasons other than the above are likely to be a red herring, in particular one argument that you often hear goes like this:
"On Linux user accounts aren't allowed to affect the entire system, so this prevents malware."

The fact that user accounts can't alter core OS files by default has nothing to do with malware on Linux. First of all, the most important "stuff" on a computer is the user data, and that can be altered if the user is comprimised by malware. Reinstalling the OS is easy (it's very possible to reinstall the OS while keeping user data intact), but user data is irreplacable. Second, you don't need root access to do the evil stuff that most malware does, i.e. participate in DDoS attacks, send spam, host scam websites, store illegal files, scan networks, repropagate itself, host an open proxy, be a "jump box" for crackers to attack other boxes, etc. Since malware can do everything it needs to with simple user permissions, this argument is almost completely false.

The only added benefit of root would be to alter firewall rules to allow inbound connections (for hosting scam sites and/or proxies), but everything else is either an outbound connection, or can be done with reverse tunnels. Also, assuming the identity of the user allows the attack to observe that user, such as hijack su or sudo and record the password the user types (which would give root access). Also, there are a large number of Linux kernel and other Open Source Software vulnerabilities which can only be exploited by local users, but once you've compromised a user account, the road is open for those exploits and a disturbing amount of them result in root access.

So in summary, Linux is currently relatively free of viruses and worms because it's not popular enough and not standardized enough to attack with automatically propagating malware. On the other hand, there are a very large number of "rootkits" that take automatically compromise a Linux system once the initial break-in has been made (using some vulnerability, or a guessed password, or some other method). There are a number of instances in the wild of automatic scans for known OSS vulnerabilities (such as with Apache, PHP, SSH, etc) and will automatically launch an exploit or alert an attacker who then manually conducts the exploit.

Yes, Linux is more 'secure' because it does not use Remote Procedure Calls in the fundamental way that Windows does, but this does not mean that it's inherently 'safe'. The predominant reason that few Linux systems get compromised by viruses and other malicious software is that Linux is not a standardised operating system that is in almost universal use. Should Linux ever become standardised and 'idiot proofed' to the extent that it becomes suitable for use as an everyday OS for 'Joe public' to use, then it WILL be compromised.

It is ridiculous to suggest that people should not use protective software on their PCs. It is even more ridiculous to suggest that Windows users should not use such software because you, as a Linux user, do not.

0

Hi,

I've split this post off into its own topic, as it was not directly related to the topic in which it was posted.

Sure it was, he just doesn't know that application level security doesn't exsist. But I've pointed him in the right direction now. Plus, he learned how to label firewalls for a sane comparison so he could get more accurate help.

Your contention is based upon flawed reasoning. That's understandable, because a lot of people follow the same flawed reasoning. They contend that Linux is 'safe' because malicious software can only effect the particular user's files and not the system root. That reasoning is unsound, as was explained quite a long time ago at linuxquestions.org.

I truly find it funny that you brought a tiff from another site to this one (I've never seen that before)!
I'm new here, and you don't really know me, so you have no idea how funny this is. Your new to security aren't you? I am arguably the biggest advocate of NT security you'll ever meet. I freely and frequently state that NT security is superior to UN*X security. People like to take one of two aruments back:

1. Counting exploits.
2. Claiming exotic configurations and major architectual modifications in UN*X/Linux should be just considered the norm.

Do to this fact, I've stopped arguing the point for a while now... still funny that you'd think I meant UN*X to be more secure. My point was in fact that AV solutions for UN*X essentially don't exist. Odd considering that the NT security is in fact superior to UN*X at the commercial level.

So why is AV not needed on UN*X? Even the argument that less viruses efect UN*X... well no AV software, wouldn't every virus that does exist effectively be a 0-day since no AV countermeasures exist?

Yes, Linux is more 'secure' because it does not use Remote Procedure Calls in the fundamental way that Windows does, but this does not mean that it's inherently 'safe'. The predominant reason that few Linux systems get compromised by viruses and other malicious software is that Linux is not a standardised operating system that is in almost universal use. Should Linux ever become standardised and 'idiot proofed' to the extent that it becomes suitable for use as an everyday OS for 'Joe public' to use, then it WILL be compromised..

Enjoy failing a lot of questions on the CISSP, SSCP, and CISA exams and just looking overall ignorant on the subject, however no reason to drag the naive down with you.

It is ridiculous to suggest that people should not use protective software on their PCs. It is even more ridiculous to suggest that Windows users should not use such software because you, as a Linux user, do not.

I'll say it... the NCSC says it, the NSA says it, the good people at ISO say it, the CISSP exam says it, the real world says it.
"Current security efforts suffer from the flawed assumption that adequate security can be provided in applications with the existing security mechanisms of mainstream operating systems."
- The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments ( http://www.nsa.gov/selinux/papers/inevit-abs.cfm )

You see what that says? Adequate security cannot be provided by applications... it must be accomplished at the OS level. What does this mean? Application security DOSE NOT MATTER!

Unless your application is PERFECT sooner or later it will be exploited, and all applications get exploited in the same way.


cheers

catch

0

Hi,

All I am going to say is this: the only secure computer out there is the one that is encased in cement with no power or network connections.

I would rather secure a Linux box than a Windoze box.

Christian

0

Hi,

All I am going to say is this: the only secure computer out there is the one that is encased in cement with no power or network connections.

I would rather secure a Linux box than a Windoze box.

Christian

Secure from what, everything but attacks?

System security is _not_ measured by the configuration, it is measured by capabilities and assurances. These are highly quantitative and not all abstract like lockdown-securing-admin skill.

0

There is no amount of application security, NT or otherwise, that will prevent you from receiving viruses on a Windows machine. They come as an attachment some people actually inadvertently run, or even as a TEMPORARY INTERNET FILE off of a site you may visit, without you even knowing, and do not need for you to run them for them to do what they are going to do. Some just report back to the person's server information about you, like what sites you've visited from your history logs, and don't affect applications or application security at all. Some disrupt network communication - which can affect ANY computer, not just Windows PCs. To say that NT application security will protect you is definitely a giving in to a false hope, especially without a firewall that lets that nasty traffic right in. Have fun getting your trojans.

0

There is no amount of application security, NT or otherwise, that will prevent you from receiving viruses on a Windows machine.

Wrong, hence, lower assurance systems.

They come as an attachment some people actually inadvertently run, or even as a TEMPORARY INTERNET FILE off of a site you may visit, without you even knowing, and do not need for you to run them for them to do what they are going to do.

Wrong, your failure to read is affluently made clear. Restrict administrative accounts from running untrusted applications and isolate/restrict standard users in a manner that prevents the virus from being able to propagate.

Some just report back to the person's server information about you, like what sites you've visited from your history logs, and don't affect applications or application security at all.

It's indisputably luculent; you haven't a clue what you're talking about.

Some disrupt network communication - which can affect ANY computer, not just Windows PCs.

I'll give you that one, even though you've left out thousands, if not millions of high assurance systems with their own super-networks. ;)

To say that NT application security will protect you is definitely a giving in to a false hope

This is the only (somewhat) sensible thing you've said here. Not that you meant to. :)

especially without a firewall that lets that nasty traffic right in.

I don't and won't give bad advice regardless of how uneducated a user is. So please stop spreading your bad, uneducated information on the Internet! It's apparent that someone else has drug the naive, like yourself, down to applying bad habits when it comes to computer security.

Have fun getting your trojans.

Seriously, it's not your fault you were misinformed, but read a book or two. *please*

0

Misinformed? How about the fact I have seen things firsthand? Can you say that you are an administrator of a network that has seen such things as non-application oriented scripts that will run regardless of the permissions you lock down on your computer? How about UNIX scripts that are not bound by Windows permissions? I've seen it happen on both my home network and the one I work on at work where things are not bound by simple Windows NT permissions. Where do you get off at? What experience do you have? Are you actually a legitimate Systems Administrator, or are you just a hobbyist?

You can't lock down your Temporary Internet Files folder to have only read permissions to it or you'd never get internet pages (they are downloaded off the internet for you to view them, after all, requiring "write" permission somewhere). And little good restricting a user's account would do if they are already a standard user. And how can you restrict an admin account without reverting it to a standard user account? Far as I know, unless you know something I don't, at least with XP, it's only either/or, nothing in-between. I know there are those that would say never log in as an admin unless you're going to install stuff. Yes, that is why they were created like this in the first place. But that is inconvenient and inefficient, and will not stop scripts that don't use normal install channels from running unblocked if the person is logged in under a standard user account, anyway, so what good does it serve a person other than to inconvenience themselves for nothing?

And all of the sudden I know nothing because I bring up viruses you obviously know nothing about:

Originally Posted by me:

They come as an attachment some people actually inadvertently run, or even as a TEMPORARY INTERNET FILE off of a site you may visit, without you even knowing, and do not need for you to run them for them to do what they are going to do.

Your response:

Wrong, your failure to read is affluently made clear. Restrict administrative accounts from running untrusted applications and isolate/restrict standard users in a manner that prevents the virus from being able to propagate.

The specific issues I was talking about at the end of my quote aren't "applications" per se that will be picked up as such to be blocked from running. They come in the form of trojan scripts. Scripts are text-files, not applications. This is why they are called scripts. A script can run regardless of user privileges, and can fake a signature of a dll that is trusted. And all a virus needs is network connectivity and to have part of their script ran in order to propagate. I had a virus once that propagated through files I used just by me double-clicking and opening them before I realized what it was doing. All I could see right away was that it changed the file-extension to all-caps. After I went back to a file I had opened before and couldn't open it again, only then did I know something was wrong. But this opening of files action can be done by a standard user or admin user. People like you that rely on account privileges to solve everything are not living in reality, so yes, I do know better. Kinda funny how if someone has seen something you obviously haven't that it seems to automatically make them a liar and not know what they are talking about with you. Arrogance is not your best friend when it comes to the security threats that are out there, my friend.

0

... You see what that says? Adequate security cannot be provided by applications... it must be accomplished at the OS level. What does this mean? Application security DOSE NOT MATTER!

Unless your application is PERFECT sooner or later it will be exploited, and all applications get exploited in the same way.


cheers

catch

Oh dear! Your argument seems to be Because no security application is perfect, it naturally follows that no such application is worthy of implementation and use! Seems a rather irrational argument to me!

No doubt you have achieved learning and/or qualifications, dude, but the simple factor of commonsense seems to be somewhat lacking in there. Effectively, you've told people that, because Security software for use on a Windows machine isn't perfect, they shouldn't bother using any of it.

Now I'm not sure if that was your intention, but it most certainly is the effect of your comments to date. And it's downright silly. While you're busy waiting for Utopia to come along, we'll just keep right on advising people to use the protections which ARE available to them, thanks!

0

Oh dear! Your argument seems to be Because no security application is perfect, it naturally follows that no such application is worthy of implementation and use! Seems a rather irrational argument to me!

Misinformed? How about the fact I have seen things firsthand? Can you say that you are an administrator of a network that has seen such things as non-application oriented scripts that will run regardless of the permissions you lock down on your computer? How about UNIX scripts that are not bound by Windows permissions? I've seen it happen on both my home network and the one I work on at work where things are not bound by simple Windows NT permissions. Where do you get off at? What experience do you have? Are you actually a legitimate Systems Administrator, or are you just a hobbyist?
You can't lock down your Temporary Internet Files folder to have only read permissions to it or you'd never get internet pages (they are downloaded off the internet for you to view them, after all, requiring "write" permission somewhere). And little good restricting a user's account would do if they are already a standard user. And how can you restrict an admin account without reverting it to a standard user account? Far as I know, unless you know something I don't, at least with XP, it's only either/or, nothing in-between. I know there are those that would say never log in as an admin unless you're going to install stuff. Yes, that is why they were created like this in the first place. But that is inconvenient and inefficient, and will not stop scripts that don't use normal install channels from running unblocked if the person is logged in under a standard user account, anyway, so what good does it serve a person other than to inconvenience themselves for nothing?

And all of the sudden I know nothing because I bring up viruses you obviously know nothing about:

The specific issues I was talking about at the end of my quote aren't "applications" per se that will be picked up as such to be blocked from running. They come in the form of trojan scripts. Scripts are text-files, not applications. This is why they are called scripts. A script can run regardless of user privileges, and can fake a signature of a dll that is trusted. And all a virus needs is network connectivity and to have part of their script ran in order to propagate. I had a virus once that propagated through files I used just by me double-clicking and opening them before I realized what it was doing. All I could see right away was that it changed the file-extension to all-caps. After I went back to a file I had opened before and couldn't open it again, only then did I know something was wrong. But this opening of files action can be done by a standard user or admin user. People like you that rely on account privileges to solve everything are not living in reality, so yes, I do know better. Kinda funny how if someone has seen something you obviously haven't that it seems to automatically make them a liar and not know what they are talking about with you. Arrogance is not your best friend when it comes to the security threats that are out there, my friend.

Just because something happened for you doesn't mean that is the norm. It could mean that you have hardware damage, it could mean that cosmic rays had it in for you, it could even mean that you are just not educated enough to do something the right way. ;) *cringe* I hate to say it, but it is clear to me that you have either never used a well documented OS or have just not been aware of the documentation available for it.Trusted facilities manuals (TFMs) : they are written in the design stage and tuned during QA. This gives the document a completely different spin than you'd find in something written by someone who is basing their knowledge on use of the system rather than involvement in its actual design.


"Hobbyist" :lol:

I have been on independent auditing teams for the NT B feasibility papers, the Standard Mail Guard and its parent system LOCK. I have been an assistant moderator on the ACM's OS SIG for quite a while now. I have consulted on the KSOS ASIC port project and am currently working on an R12k PSOS under IRIX project. And for my day job I'm on the Sr. design team for AITOS (the first OS since LOCK to formally target the NCSC A1 criteria) I've wrote more security white-papers than you've obviously read!

This is going to be very arrogant of me... but really most system admins (like yourself) know very little about computer security. Sure they know about patches and user profiles, but how many system administrators do you know that monitor for transitive rights? Or even know what transitive rights are and how they occur in single command/multi actioned systems? These are very important security concepts. Most system admins can't even comprehend how MAC, DBAC, and RBAC work, so why would we expect them to take concepts from these and apply them to lesser functional systems?

Let's make a little scenario here. Why don't you go to an AIX community and tell them that they need to run AV software on their systems and report back your findings.

AV software is bad... it is only useful on single user systems like Win9x/Me since none of typical security issues associated with running additional, privileged software are not present since the computer lacks the concept of permissions and privileges to begin with. AV software increases the complexity of the system, as stated above doesn't actually resove the underlying security issues, don't resolve new viruses, and require constant upkeep. What is more, many AV tools actually introduce new tools by running at such a low level on the system while allowing any user to have interactive session. How is this different than say... running Apache as root?

Why does this make more sense? Again remember, anything a virus can do, an attacker can do as well. It's not like viruses have special abilities to bypass process protections, so if you are relying on an AV, what is protecting you against an attacker, internal or external doing the same actions?

Running more software (which by definition under DOD-5200.28-STD is a bad idea since you are placing security related software which not only needlessly increases complexity AND falls outside of the systems assurance audit, but also exists outside of the TCB). Doesn't make it the best or most correct solution.

To understand these and other important security related aspects.....well, they are best left to the experts. Admins(you) are intended to implement policy, not to create it. People like the idea of talent because it makes them feel more important. Everyone(you) wants to be a star and no one seems to appreciate that doing their job to fit into an overall system well will yield far greater results. This also tends to lead to a lack of understanding from history and mistakes are made over and over again. the whole idea of procedures is that they are made by people who know how to do it, so no one else needs to learn. IT people just have this love for reinventing the wheel though... quite puizzling and hurts the industry as a whole.

Computer security is about a single universal principal... assurance. The more you have the more secure any system is. Fact of the matter is some OSes offer more assurance than others.


Fact of the matter is that an infrastructure based on policies, standards, guidelines, procedures, CCMS, role rotation, and dedicated risk management is going to offer far greater assurance than a few talented admins working ad hoc. The admins should merely follow procedures and have limited knowledge of the systems themselves, this is why many security focused organizations use role rotation specifically for admin roles. This way the admins never have too long on any given system, plus the admin that takes their spot after audits their work, though with a proper change control management system (ccms) this is less of an issue.

Remember: Viruses can be defeated with proper configuration, I use no anti-virus software, neither does my work and neither of us have ever had a problem. It's just a matter if dealing with process propagation and trusted resources correctly.

Most people know f@ck-all about security until they get into an InfoSec graduate program and personally I find that to be a silly situation.

0

Most people know f@ck-all about security..........

Others, however, now f@ck-all about contributing to hep forums. So far the sum total of your contributions has been entertainment value only, without a single piece if practical advice offered.

If all you have to say is "Security software is not needed, only I know how to set up a system and I'm not going to tell you how" then I'm afraid you're simply wasting space making comment!

0

If all you have to say is "Security software is not needed, only I know how to set up a system and I'm not going to tell you how" then I'm afraid you're simply wasting space making comment!

Couldn't have said it better myself.

I will agree that much, if not all, of what you said, catch, was stuff us as admins were not taught in our bachelor's or MCSA courses and would have to do graduate/specialized IT security training to learn (i.e. DBAC, RBAC, etc.), however - that does not make it foolproof as far as practicality to simply rely on OS security to avoid viruses or attacks, and I was speaking entirely of Windows, not any other OS you or your teams may have come across, created, or implemented, as Microsoft has 90% of the market today and what is really what people would want to worry about. Chances are, if you're speaking of any other OS, they have their own proprietary security or permissions or controls that probably DOES in some way allow you to do what you are trying to divulge, but are withholding. But I challenge you to do this with a typical corporate networked, multi-user Microsoft 2000 or XP Pro system.

In Windows, you can't always be logged on as a standard user - you will eventually have to install programs, and likely eventually have one you'll need to stay online, or at least networked to a computer that could be online, to complete. You can't lock down the Temporary Internet Files folder. There will always be some time, some where, at which you will be vulnerable if you stick with permissions and transitive trusts as your sole methods of keeping out the files and attackers that are bouncing around on the internet, unless you're willing to share your knowledge on how you guys have set things to where this really does become a non-issue on a Windows system. I don't see it happening, myself.

Just by going to this website on a Windows computer you'll have a number of files download to your computer to display it (icon_cool.gif, insertimage.gif, bold.gif, etc.) and any of those images could have a virus attached to them that, when the picture is displayed, could cause any picture you open on your computer after that to become corrupt. Do I have to send you this virus to prove that it exists and what it can do? It is W32/Klez@mm. I do know what I am talking about, and no security permissions in the world can prevent the spread, because you run the virus just by opening another picture (gif, bmp, jpg, tiff) or mp3 file. It doesn't install anything anywhere, so it doesn't need admin privileges to spread. The only thing that may save you is that it will likely be confined to just your current profile and not any other user on the machine as long as you don't open a file that could be open by any user as the user that downloaded the virus, and this is just a guess on my part.

I agree that running an AV software that won't have the definition file for the latest threat out there won't help you, but neither will Windows permissions, as this was what I thought we were originally discussing. Leave other OSs out and focus on what 90% of us know and have. It's useless to talk about a feature of Mac's Tiger or Linux' Enterprise 4 or Sun Solaris or any other proprietary OS when the rest of the world isn't using them. Especially if you aren't going to say specifically what you are doing to lock the systems down but leave them functional for an administrator to install programs, user to surf the 'net, etc.

0

So the moral of the story is that if you a guru at Windows you don't need AV or Firewall, but if you thick like me you do. What is the comparison between using an AV / Firewall or letting windows security to avoid malicious software, against usability.

I have to security lock down PCs in my job, and many of the things I test make the PC completely unusable, to the point you can't even load the operating system.

If you don't want to discuss other OSs fine, but 10% of the computer using public is still a large proportion, and it's good that this forum duly caters for them.

0

Catch-er got a rubber arm Catch-er got a rubber arm ,no sorry that pitcher got a rubber arm isn't it ,oh well .Have fun and spread like a worm!lol

0

I currently run roughly 10 linux machines at a datacneter.. 5 production... 5 offline..

ALl of them are equipped with what I like to call "nazi" a type firewall an virus protection.

The mail servers run spamassain and clamav.

It is simply a MUST. Just how you would put a lock on your door.

0

Hey guys...this person is a self aggrandizing wanabe autocrat with a tendecy toward pompous pontification. This person gets off on this crap...let's cut him loose.

0

No Way...I was refering to the author of the thread, what was it...catchup, catch22, or something like that?

0

I think this topic is heading down the path of character assassination to an alarming extent. Let's keep it to productive comment please.

0

Couldn't have said it better myself.

How obtuse and purblind can you be? First paragraph above TFM--the manual www.microsoft.com

I will agree that much, if not all, of what you said, catch, was stuff us as admins were not taught in our bachelor's or MCSA courses and would have to do graduate/specialized IT security training to learn (i.e. DBAC, RBAC, etc.), however - that does not make it foolproof as far as practicality to simply rely on OS security to avoid viruses or attacks, and I was speaking entirely of Windows, not any other OS you or your teams may have come across, created, or implemented, as Microsoft has 90% of the market today and what is really what people would want to worry about. Chances are, if you're speaking of any other OS, they have their own proprietary security or permissions or controls that probably DOES in some way allow you to do what you are trying to divulge, but are withholding. But I challenge you to do this with a typical corporate networked, multi-user Microsoft 2000 or XP Pro system.

This just keeps getting better as I read on! So now you're telling me the NSA is wrong? I'd suggest you submit a white-paper on your findings to them ASP.
In my work place, people don't argue with me. I deal almost exclusively with external clients who respect my opinions and appreciate the money I save them. Here, most just like to treat me like I'm stupid just because it is a different approach from their own.

"challenge/ corporate"

I mentioned some systems I've worked on and you thought I was talking about that 10% this whole time? I'm talking about NT.

Actually, trusted systems are quite frequently used by large corporations, though on limited servers. Rarely will you see an entire multi level subnet. I know for a fact that nearly ever major bank uses them as well as many technology companies, (IBM, HP, HDS, Intel, SUN, and SGI to name a few) and of course all secure US government/DoD systems.

We've designed security layouts (NT-C2 and above) system designs for General Electric, Citigroup, Exxon Mobil, Bank of America, Verizon, etc.... Those are Fortune500, is that corporate enough for you? Do you have security input on any Fortune500's systems?


I guess the difference is, I aim for perfect and see what compromises I can make/are needed to be made. You start from completely insecure and try to work up without a road map.

Sadly the majority of the world follows your method.

In reality, the end result is that given similar funds we will end up with similar systems. Mine however will be more comprehensively defined, will mesh better with high level policy, and will have less demanding personnel requirements. For most however this is mere nuance, though as the initial budget increases, so does the gap between the systems. Until eventually one method tops out perfect and the other as a rotten pork chop with heaps of fancy gravy on it.

Also, when has the best solution ever been the most popular one? People don't use some of the systems I speak of because they have uneducated "experts" being dishonest with them and rather than just saying they are not familiar they make up BS about how such systems are not applicable. (Yeah, cause if you did use one, you can typically cut your relevant security expenses by 25-33%... at least this has been my experience.) Don't let their ignorance and insecurity and forced, false job security seeking tactics spill over on to you. :(

This is of course why at any company with mature IS policy you will not find admins making decisions. Because they "know what they're doing." Admins are very low on the food chain and for good reason. They tend to be less educated and less experienced than those who do make decisions, and admins that spend their career as such tend to just be not very bright. No offense.

Would you trust your bank teller to give you financial advice? Of course not, but you would trust them to handle you individual transactions. An admin is the same thing; their job is to keep systems running in the manner in which they are supposed to run. Knowledge of why the system should run that way or details about the system's architecture in relation to other systems both fall beyond the scope of their job. I would trust an admin on how to configure a system to a specified configuration or on questions about day-to-day technical management. It's really a matter of exposure; I know that most admins lack any advanced study or training in security, so they will have a different viewpoint on such topics. Issues like applications level exploits and configuration issues are really about the scope of what they see and consequently the most important aspects to them, while in actuality these fall under system use and not system design. When evaluating system design, proper use is assume otherwise you end up with far too many variables to make anything useful. This of course assumes that information regarding proper use is made available.

This isn't a matter of lower level advice; it is a matter of right and wrong advice. I explained what firewalls are for and when they should be used, I tied that into why a firewall would be inappropriate for the situation at hand. In my original post, why "God" with his all mighty wisdom created this thread I haven't a clue, accept for being uneducated on the topics at hand. Who cares if this is above a "normal" user's head, how are they supposed to learn? Never be pressed to think and just fall into the habits of the flock?

And for the 3rd graders and their remarks. Five people make a few post in a thread with zero knowledge whatsoever, is that "F@ck-all help" commonplace around here?

Does it matter that I am arrogant etc..?
Did you need to make a post about it?
Does your post add any value to this thread?

I guess you'll do what you need to do to feel more comfortable about the situation, though I feel pity for you. I had no idea this site was so full of insecure little kids.

In Windows, you can't always be logged on as a standard user - you will eventually have to install programs, and likely eventually have one you'll need to stay online, or at least networked to a computer that could be online, to complete. You can't lock down the Temporary Internet Files folder. There will always be some time, some where, at which you will be vulnerable if you stick with permissions and transitive trusts as your sole methods of keeping out the files and attackers that are bouncing around on the internet, unless you're willing to share your knowledge on how you guys have set things to where this really does become a non-issue on a Windows system. I don't see it happening, myself.

Just by going to this website on a Windows computer you'll have a number of files download to your computer to display it (icon_cool.gif, insertimage.gif, bold.gif, etc.) and any of those images could have a virus attached to them that, when the picture is displayed, could cause any picture you open on your computer after that to become corrupt. Do I have to send you this virus to prove that it exists and what it can do? It is W32/Klez@mm. I do know what I am talking about, and no security permissions in the world can prevent the spread, because you run the virus just by opening another picture (gif, bmp, jpg, tiff) or mp3 file. It doesn't install anything anywhere, so it doesn't need admin privileges to spread. The only thing that may save you is that it will likely be confined to just your current profile and not any other user on the machine as long as you don't open a file that could be open by any user as the user that downloaded the virus, and this is just a guess on my part.

I agree that running an AV software that won't have the definition file for the latest threat out there won't help you, but neither will Windows permissions, as this was what I thought we were originally discussing. Leave other OSs out and focus on what 90% of us know and have. It's useless to talk about a feature of Mac's Tiger or Linux' Enterprise 4 or Sun Solaris or any other proprietary OS when the rest of the world isn't using them. Especially if you aren't going to say specifically what you are doing to lock the systems down but leave them functional for an administrator to install programs, user to surf the 'net, etc.

The most Jr level NT admin knows better. Those are points made by those who fail to understand system security.


What single piece of bad information have I given?

I am here to engage in security related conversation, to freely offer advice on problems, and to correct information that I know is incorrect.

People come to this site for information, what kind of information do you think they want?

Peoples' opinions and tastes about which FW/Av they like with no objective, quantifiable reasons?

Or...

Perhaps something a little more useful? The correction of misinformation, objective arguments backed up by leading standards organizations?


Here you get a Mod who dragged a tiff from a different site to this one and basically said to ignore my advice in another thread etc...

I currently run roughly 10 linux machines at a datacneter.. 5 production... 5 offline..

ALl of them are equipped with what I like to call "nazi" a type firewall an virus protection.

The mail servers run spamassain and clamav.

It is simply a MUST. Just how you would put a lock on your door.

"a MUST"

Want to know something about firewalls? Most banks do NOT use them on exposed servers, why? Because they know that firewalls are ONLY for the two uses I stated above. Also, if you disagree, you might want to start putting your money in an old mayo jar cause odds are I've had security related input where you bank. ;)

cheers

catch

0

Yet another lengthy diatribe designed to denigrate others, blow your own trumpet, and offer no practical advice whatsoever to people wishing to improve security on their PCs.

0

Hello,

I am closing this thread because it has fallen into name calling and assumption making.

Christian

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.