
Re: 10 top myths of debian



On Fri, Mar 1, 2013 at 10:44 PM, Miles Fidelman
<mfidelman@meetinghouse.net> wrote:
> Good point.  And when you start talking security to the point of serious
> testing and configuration control, I believe there are very few
> distributions that are on the DoD approved product list.

I've tried to stay out of this thread, but I feel that I have to comment.

The first point I need to make is that security is a mindset. Anything
can be made secure if you are willing to work at it and accept the
trade-offs that are required to be that way. Just like a training
Olympian cannot eat bacon sandwiches and still be ready to compete, an
administrator or user cannot just install any piece of software
whenever they want and hope it will stay secure. Take, for instance,
Java... I have an adage that "usability times security is a constant.
The only truly secure system is one that is unplugged from the
network, powered off, packed in concrete, then fired into the
sun...But at that point, it isn't very usable, is it?"

However, if you *are* willing to work for it, you can secure anything.
In 1995, the NSA granted Windows NT 3.5 an Orange Book C2 security
certification, C2 being Controlled Access Protection. Now the caveats
to this:

* The tested machine had no network connectivity;
* The tested machine had no floppy drive;
* The tested machine had no CD-ROM;

So the box could only run what was installed on it, and had no contact
with the outside world.

Now, having said that, you can take a page from MS here. Run the
absolute minimal software needed to accomplish the task at hand. In
this respect, servers are generally (and I *am* generalizing here)
than workstations, because of the required functionality of
workstations -- video drivers, games, internet communications, etc.
Take, for instance, my workstation versus my firewall. My workstation
has 2850 packages installed, while my firewall has a total of 369.
That's nearly an order of magnitude more software that can be attack
vectors.

Additionally, you can, especially if you have a home network, run
security tools, both on your machines and scanners. Nessus
(www.tenable.com) has a free Home Feed, you can run nmap against your
machines, etc. Get to know how they behave, then you will notice it
when things change.

Finally, have regular backups. If the worst does happen, you can
recover from it.

Security isn't a fire-and-forget solution. It is a constantly changing
threat environment.  You can't say "I installed distro/OS abc, I'm
secure now." There are always people out there who want access to your
machine, for varying reasons.

--b

> On the BSD side, OpenBSD (despite the name), focuses on security, and has a
> pretty good reputation for being pretty secure.
>
> Miles Fidelman
>
>
> --
> In theory, there is no difference between theory and practice.
> In practice, there is.   .... Yogi Berra
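The advice above to get to know how your machines behave so that you notice when things change, as an added shell example that is not from this thread: it snapshots what a Debian box has installed and what it listens on, saves that as a baseline, and reports drift on every later run. All function names are mine; it assumes dpkg-query, ss and comm are available on the host.

```shell
#!/bin/sh
# Snapshot what a Debian box has installed and what it listens on, then diff
# that against a saved baseline so that drift stands out on the next run.
# All function names here are mine; assumes dpkg-query, ss and comm exist.

# One "package version" line per installed package, sorted for comm(1).
snapshot_packages() {
    dpkg-query -W -f='${Package} ${Version}\n' | sort
}

# One "proto local-address:port" line per listening TCP/UDP socket.
snapshot_listeners() {
    ss -Hltun | awk '{print $1, $5}' | sort -u
}

# count_drift BASELINE CURRENT: number of lines present in only one file.
count_drift() {
    { comm -13 "$1" "$2"; comm -23 "$1" "$2"; } | awk 'END { print NR }'
}

# compare_snapshot BASELINE CURRENT: print "+ entry" for things that appeared
# and "- entry" for things that vanished; exit 0 only when nothing changed.
compare_snapshot() {
    added=$(comm -13 "$1" "$2")
    removed=$(comm -23 "$1" "$2")
    [ -z "$added" ] && [ -z "$removed" ] && return 0
    [ -n "$added" ] && printf '%s\n' "$added" | sed 's/^/+ /'
    [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/- /'
    return 1
}

# Usage on a live host: "./baseline.sh init" once, then "./baseline.sh check"
# from cron; a non-zero exit means something changed since the baseline.
STATE_DIR=${STATE_DIR:-/var/lib/baseline}
case "${1:-}" in
    init)
        mkdir -p "$STATE_DIR"
        snapshot_packages > "$STATE_DIR/packages"
        snapshot_listeners > "$STATE_DIR/listeners"
        ;;
    check)
        snapshot_packages > "$STATE_DIR/packages.now"
        snapshot_listeners > "$STATE_DIR/listeners.now"
        rc=0
        compare_snapshot "$STATE_DIR/packages" "$STATE_DIR/packages.now" || rc=1
        compare_snapshot "$STATE_DIR/listeners" "$STATE_DIR/listeners.now" || rc=1
        exit "$rc"
        ;;
esac
```

Pair it with a periodic nmap scan of each machine from another host, saved the same way, and the package diff and the port diff together tell you whether a change was an update you made or something you did not.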