Re: Security != Reliability - need flexible responses.

From: Matthew S. Hamrick (mhamrickat_private)
Date: Tue May 29 2001 - 22:06:22 PDT


Yet again we come to a point where we all seem to forget the nomenclature we
agreed upon last year...

David, I beleive what you are discussing is 'Availability' and not
'Reliability.' I think the difference here is that you intentionally trade
system features such as cost and security to get more Availability. If you
work your design and implementation right, then your system might be
configurable enough to allow your customers to choose between cost,
security, and availability. A system which is unreliable is a system which
does not allow the end user or developer to choose between cost, security,
and availability, but simply imposes it because of poor design.

This appears to be the primary battle between the Unix and WinNT camps. From
the Unix perspective, Unix is a configurable system that is highly
available. It is easy to configure in such a way that it is secure and
available, but to do so will cost you about a week's time from a pretty
descent system administrator (or you can just get OpenBSD...) Unix heads
look at WinNT and shake their heads as it is less reliable than Unix.
Microsoft seems to change the programming and administrative interface to
various system resources every 6 months. You can therefore not plan on what
tools you'll use with NT two years from now. So, you sacrifice reliability
for cost. Installing an NT server is less expensive than a Unix server,
because you can get your secretary or a high-school student to install NT,
and you don't have to worry about it, there's no configuration that you have
to do. You just wait for McAfee or NAI to publish the latest version of
their software and have your secretary install it.

Having administred large networks of Windows and large networks of Unix
machines, I think I would have to say I prefer Unix if I have a competent
staff. It is much harder to mitigate the risk with a network of Unix
machines if you don't have compentent administrators. That said, one system
administrator in a Unix network goes a whole hell of a lot farther than a
single administrator in an NT network. If you eliminate NIS from your
network, you can get even better results. In '93, I was the administrator
for a 2000 node NeXT network spanning three countries and five time zones
(though 98% of the systems were in the states...) In conjunction with a
person to handle hardware issues, a person to handle local network issues,
and a person to handle WAN issues, I was the only "system administrator." A
staff of four people supporting 2400 users on 2000 machines across a WAN is
unthinkable in the WindowsNT world. This is why I'm probably going to buy me
another Macintosh... NeXTStep has finally returned, and I can now get a
machine which will run mainstream apps, and in a pinch run Windows Apps...
oh heck.. now I'm just bitching...

So, the moral of my story is... Reliability and Availability are similar,
but not the same thing. The same way that a Trusted system is not exactly
the same thing as a Secure system. You never know if your system is reliable
until you install it and start having requests hit it. However, you can
strive to make your system Available, and there are several well known
development methodologies to enhance the probabilty that you'll make an
available (and reliable) system.

-We now return you to the previously scheduled program...
-Matt H.

Alzo Spracht David Wheeler:
> > From: "mshines" <mshinesat_private>
> > To: <secprogat_private>
> > Subject: FW: Repost
> > Date: Mon, 14 May 2001 13:00:10 -0500
> > Message-ID: <008301c0dc9f$b8302e50$5565d280at_private>
> > We don't practice what we preach?  :)
> >
> > New software = failed software...
> >
> > Mike Hines
> > mshinesat_private
> >
> > RELIABILITY would be one criteria for secure programming...   it would
seem
> > to me.
>
> Well, your statement appears to be mostly tongue-in-cheek, but there's
> actually a valid issue hiding here.  I don't agree with your statement.
>
> Security requirements vary, depending
> on the use of the system, and might include:
> * confidentiality/secrecy ("an attacker can't read my stuff")
> * integrity ("an attacker can't change my stuff"), and/or
> * availability/defense from denial-of-service ("an attacker can't keep
>   me from using my stuff").
>
> Not all users require all of these requirements to the same degree.
> Indeed,  can trade between these.  For example, a system that tries to
detect
> "suspicious" situations, and prevents you from reading your data in such
> cases, may be very unreliable... but have great confidentiality.
> Whether or not that's okay depends on how the system is being used, but
> in some contexts this would be a _more_ secure system.
>
> We've had a "reliability vs. security" definition debate before.
> I guess what I'd contribute is that software developers need to
> examine the intended environment & determine the best trade-off BEFORE
> the software is developed.  If there's no single answer for the intended
> market/user base, the code needs to be configurable so that
> the user/administrator can select the best response to the circumstance.
>
>
>



This archive was generated by hypermail 2b30 : Thu May 31 2001 - 18:41:31 PDT