Firewall Wizards mailing list archives

RE: Worms, Air Gaps and Responsibility


From: "Paul D. Robertson" <paul () compuwar net>
Date: Mon, 10 May 2004 14:37:23 -0400 (EDT)

On Mon, 10 May 2004, Mark Gumennik wrote:

> Ron,
> This is exactly my point:
> If you want to put LINUX on the DESKTOP you have to use all the bells and
> whistles which makes vuln. on it equal to MS

Support your claim with data, or examples.  I don't need to open RPC to
anything other than loopback for Linux on the desktop (and rarely even
there.)  In fact, I tend to turn *off* more things than I turn *on* for a
Linux machine when I'm configuring it from a default install.
Furthermore, I'm capable of running almost all services at a priv. level
less than local administrator- which doesn't make the vulns equivalent.

For SMB, sure- I'd have about the same vulnerability surface *for that
service in and of itself*, but in a Windows environment, it'd be hooked in
to a RPC endpoint mapper that's as bad as portmapper has traditionally
been on *nix.  Fortunately, portmapper is one of the things I turn off on Linux
boxes, desktop or server- unless it's a Solaris box which really likes
portmapper, in which case only loopback is allowed to access the RPC
services.

Now, the real point (since you obviously missed it) that everyone was
making in regards to your original argument about vulnerabilities is that
Linux only looks bad when you count all the silly things that nobody sane
would install on a corporate desktop.  Trying to turn that from "more
vulnerabilities on bugtrack (sic)" to "equal" is disingenuous when you're
trying to stand behind a point, since I already said "about equal."

> PS I'm glad I made such a splash, how wonderful it'd be to go back to the
> world where the knowledge of 25-30 network commands made us all look sacred.

3 replies is a splash?  Mitre never used to be so attention-starved- are
you waiting on a clearance?

I don't know what axe you're trying to grind here- admins need to know
things in any environment- Windows is no different in that matter.  I'm
not even sure why you think any admins feel a need to "look sacred."

You've obviously got some baggage, with all the casting of aspersions- but
outside of the strawmen you're trying to assert, you've come up with
nothing of substance to support your argument.

> Speaking of LDAP, Kerb and other tools: obviously the use of them makes us
> look much better than such earthy things as MS AD or Novell NDS where all
> this stuff is already built-in FOR THE DESKTOPS (not for the remote AAA).

You can use AD or NDS for Linux (or both- in fact you can put up
per-service authentication and use one of every type there is if it
floats your boat), once again you're setting up straw men.  Perhaps you
should spend some time looking at Linux before trying to pass off bogus
opinions as factual.  You've gone from "doesn't support directory
authentication well," to "takes more juju than AD or NDS."  Bzzzt- all the
choices, plus more- that's not a *bad* thing, it's a *good* thing.

Since AD is based upon Kerberos for its default primary
authentication mechanism, I don't see how you come to the conclusion that
AD is any more "built-in FOR THE DESKTOPS" than Kerberos. Nice use of
caps - NOT!

Lose the baggage and bring some facts, ok?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
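The "portmapper is loopback-only" practice Paul describes is something a defender can verify rather than assume. The following is an added example, not code from the original post or from either participant: a POSIX shell audit over listener output in the format of `ss -ltn`, using a constructed sample, that reports TCP services bound to anything other than loopback and checks a list of ports against a loopback-only policy.

```shell
# Added example, not from the original post or either participant. It audits
# listener output in the format of "ss -ltn" and reports TCP services bound to
# anything other than loopback, so that a "portmapper is loopback-only" policy
# (port 111) can be checked rather than assumed.
# SAMPLE_SS_OUTPUT is constructed for this example, not captured from a host;
# on a live system you would feed it: non_loopback_listeners "$(ss -ltn)"
SAMPLE_SS_OUTPUT='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:111          0.0.0.0:*
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       128     [::1]:111            [::]:*'

# Print "address port" for each LISTEN line whose local address is not
# 127.0.0.1 or ::1. Handles both "a.b.c.d:port" and "[v6addr]:port" forms.
non_loopback_listeners() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            n = split($4, f, ":")
            port = f[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            gsub(/\[|\]/, "", addr)
            if (addr != "127.0.0.1" && addr != "::1") print addr, port
        }'
}

# Exit 0 if the given port is reachable beyond loopback, 1 otherwise.
port_exposed() {
    non_loopback_listeners "$1" | awk -v p="$2" '$2 == p { hit = 1 } END { exit hit ? 0 : 1 }'
}

# Given listener output and a space-separated list of ports that policy says
# must be loopback-only, print each violating port on its own line.
loopback_policy_violations() {
    for p in $2; do
        if port_exposed "$1" "$p"; then
            echo "$p"
        fi
    done
}

# Policy for this example: portmapper (111) and the local print spooler (631)
# stay on loopback. With the constructed sample, only 111 is reported, because
# the IPv6 listener on ::1 is fine but the IPv4 one on 0.0.0.0 is not.
loopback_policy_violations "$SAMPLE_SS_OUTPUT" "111 631"
```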