[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: red worm amusement

Nicole Zimmerman <colby@wsu.edu> wrote:
> Turning off services makes an excuse for the real problem -- software
> needs to be secure, and people need to make sure they are using software
> that is secure.

There's no such thing as absolute security. Every service you run will have
bugs and security vulnerabilities in it. There's no way to get around that.

Since we've established that there's no such thing as secure software, it
follows that every service you run presents a security risk. If you don't
need the service, there's no need to take the risk.

> Firewalling services makes the same excuse. "I don't care if my software
> is secure because I have a firewall!" ... what happens if your firewall
> gets penetrated? What happens if some local user (hard) reboots your box
> because they want it to run an NFS server?

Firewalling services is useful if you have more than one access policy for
your services: People from network A need access, so we'll make that easy.
People from network B do not, so we'll make that difficult with the intent
that the difficulty tends towards impossible.

Firewalls are also a simple way to add an extra layer of security to your
services. Each extra layer you add should reduce risk in some way.

> If you have secure software, you don't really have to worry about running
> those services, do you? 

See above about there being no such thing as absolute security. See above
about unnecessary risk. Also see above about layers of security, and think
of the OFF button as just another layer that's fast, easy and very cheap to
implement, as well as being very effective.
Sam Couter          |   Internet Engineer   |   http://www.topic.com.au/
sam@topic.com.au    |   tSA Consulting      |
OpenPGP key ID:       DE89C75C,  available on key servers
OpenPGP fingerprint:  A46B 9BB5 3148 7BEA 1F05  5BD5 8530 03AE DE89 C75C

Attachment: pgpSvgJb2KdBP.pgp
Description: PGP signature

Reply to: