Gary Flynn wrote:
> Crispin Cowan wrote:
> > Thus, one could say that buffer overflows are the leading
> > cause of software vulnerabilities, and misconfiguration is the leading
> > operational problem. Which problem dominates overall vulnerability is
> > unclear.
>
> I'm digesting your paper but wanted to comment on the peripheral topic
> of "operational" issues.
>
> If we're going to add operational problems as a category, I'd
> suggest that "usage" may be a more predominant problem than
> "misconfiguration".
>
> End user practices of downloading unknown software, running the unproven
> "application of the week", and other risky behavior make the vulnerabilities
> due to misconfiguration and software defects that much more problematic.

I agree that configuration and operational issues are a hard problem to solve. In general, I don't know how to solve them.

My (crass commercial) solution is that folks who don't really know what they're doing should buy appliances instead of general-purpose computers. Then at least the configuration is done by a professional. The quality of the configuration then depends on the quality of the vendor. It is for this reason that WireX products are appliances: I have some trust that *I* applied my security tools correctly, but I'm not at all sure that end-users can apply them correctly.

I'm rather amazed at the existence of the firewall *application* market, where you buy a firewall product and install it on one of your server machines. How can such an application install take a pre-installed machine from an unknown state to a secure state? Does the install script for (say) Checkpoint do extensive configuration checking and adjusting? Or do they just assume a very competent sys admin puts the machine into a "firewall" configuration?

Crispin

-----
Crispin Cowan, CTO, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
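The message above asks what "extensive configuration checking and adjusting" an install script would have to do to take a general-purpose host from an unknown state to one a firewall policy can be trusted on. The following is an added example, not code from the original post, from WireX or from any firewall vendor: a small pre-install audit that inspects two pieces of host state (listening sockets in the style of `ss -ltn` output, and a handful of sysctl values) and reports what must change before a default-deny policy is meaningful. The socket listing, the sysctl values, the allowed port set and the required sysctl baseline are all constructed assumptions for the example; a real script would read them from the host and a real baseline would be much longer.

```python
"""Pre-install baseline audit for a host about to become a firewall.

Added example. The inputs below are constructed samples; the rules encode
an assumed baseline (only SSH exposed on non-loopback addresses, forwarding
on, source routing off, reverse-path filtering on).
"""

# Constructed sample in the style of `ss -ltn` output
SAMPLE_SOCKETS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:111         0.0.0.0:*
LISTEN 0      5      127.0.0.1:25        0.0.0.0:*
LISTEN 0      128    0.0.0.0:6000        0.0.0.0:*
"""

# Constructed sample of current sysctl settings on the unknown host
SAMPLE_SYSCTL = {
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.all.accept_source_route": "1",
    "net.ipv4.conf.all.rp_filter": "1",
}

# Assumed baseline: only SSH may listen on a non-loopback address
ALLOWED_EXTERNAL_PORTS = {22}

# Assumed baseline for a forwarding firewall
REQUIRED_SYSCTL = {
    "net.ipv4.ip_forward": "1",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.all.rp_filter": "1",
}

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def parse_listeners(ss_output):
    """Return (address, port) pairs for every LISTEN line in ss-style text."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or non-listening state
        addr, _, port = fields[3].rpartition(":")  # handles "[::]:22" too
        listeners.append((addr, int(port)))
    return listeners


def check_baseline(listeners, sysctl, allowed_ports=ALLOWED_EXTERNAL_PORTS):
    """Report every deviation from the assumed firewall baseline.

    Each finding is a plain string; an empty list means the host is ready.
    """
    findings = []
    for addr, port in listeners:
        if addr in LOOPBACK:
            continue  # not reachable from the network, no policy impact
        if port not in allowed_ports:
            findings.append(
                f"service on port {port} bound to {addr}: "
                "disable it or add an explicit policy rule"
            )
    for key, want in REQUIRED_SYSCTL.items():
        have = sysctl.get(key)
        if have != want:
            findings.append(f"sysctl {key}={have!r}, baseline requires {want!r}")
    return findings


def adjust_sysctl(sysctl):
    """Return a copy of the sysctl map with the baseline values applied.

    The 'adjusting' half of the install: kernel knobs can be corrected by
    the script, whereas unexpected services need an operator decision.
    """
    fixed = dict(sysctl)
    fixed.update(REQUIRED_SYSCTL)
    return fixed


if __name__ == "__main__":
    sockets = parse_listeners(SAMPLE_SOCKETS)
    for finding in check_baseline(sockets, SAMPLE_SYSCTL):
        print("before:", finding)
    for finding in check_baseline(sockets, adjust_sysctl(SAMPLE_SYSCTL)):
        print("after: ", finding)
```

On the constructed input the audit flags two exposed services (portmapper on 111 and X11 on 6000) and two sysctl deviations; after `adjust_sysctl` only the two services remain, which is the point of the message: the kernel side can be scripted, but deciding what a pre-installed machine is allowed to keep running still needs either a competent administrator or a vendor that ships the whole box.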
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:13:57 PDT