[Techtalk] DMZs, etc.

Michelle Murrain tech at murrain.net
Wed Dec 12 10:26:54 EST 2001


At 11:43 PM 12/11/2001, Raven, corporate courtesan wrote:
>Heya --
>
>Quoth jhamilto at n2h2.com (Tue, Dec 11, 2001 at 11:05:07AM -0800):
> > Security is made up of more than just 'is your box broken into?'. In
> > fact, setting up a 'secure' system includes more factors than you may
> > realize.
>
>         Yah, and I think that's one of the reasons why learning Unix
>security is fairly difficult.  To be really good at it, you have to have
>a deep understanding of all the things you're securing.  So you have to
>know your system really well to know where it might be vulnerable.  Lots
>of folk seem to advocate teaching security first, but that's really hard
>when you don't even know what it is you're supposed to be securing yet.
>"Make sure no programs that don't need it have the setuid bit set" is
>all well and good, but if you don't know what setuid is or does yet, or
>what all these programs on your system are, how are you supposed to know
>what needs it and what doesn't?
>
>         For me, it's been mostly an assembled process.  Learn the
>relevant protocol and daemons, then try to figure out ways to make it so
>that it is less likely to be exploited.  Y'all's mileage may vary, of
>course.

I agree wholeheartedly. There is no question that a system that I would set 
up today is three times as safe as one I would have set up a year or so 
ago. But it doesn't by far match the security that I'd ultimately like to 
see. But it all takes time to learn about. I don't think I could begin to 
understand this stuff if I hadn't been using UNIX for so long. And I'm now 
beginning to realize that if I *really* want to understand security, I need 
to know a whole lot more about TCP/IP, and IP address space, etc., than I 
do presently.

The disadvantage of this approach is that your likelihood of being bit is 
greater. But also being bit means you learn (the hard way) in that process 
too.

.Michelle

---------------------------------------
Michelle Murrain, Ph.D.
tech at murrain.net
AIM:pearlbear0
http://www.murrain.net/ for pgp public key
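The setuid advice quoted above ("make sure no programs that don't need it have the setuid bit set") is only checkable if you know what is on the box. The script below is an added example, not part of the original thread: it walks a directory tree, lists every regular file carrying the setuid or setgid bit, and reports the ones missing from a baseline allowlist. The allowlist contents and the `make_demo_tree()` sample files are constructed for illustration; a real run would use a baseline recorded from a known-good system.

```python
import os
import stat
import tempfile

# Constructed allowlist: paths that legitimately carry the setuid bit on
# this hypothetical system.  Replace with your own recorded baseline.
ALLOWED_SETUID = {
    "/usr/bin/passwd",
    "/usr/bin/sudo",
}


def find_setuid_setgid(root):
    """Return sorted (path, mode) pairs for every regular file under `root`
    with the setuid or setgid bit set.  Symlinks are not followed, so a
    link to a privileged binary is not reported a second time."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished; skip, don't abort
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)


def unexpected_setuid(root, allowlist=ALLOWED_SETUID):
    """Privileged files under `root` that are not in the baseline."""
    return [(p, m) for p, m in find_setuid_setgid(root) if p not in allowlist]


def make_demo_tree():
    """Constructed sample data: a temp dir with one setuid executable and
    one plain executable.  Returns the directory path."""
    root = tempfile.mkdtemp(prefix="setuid-audit-")
    for name, mode in (("su_like", 0o4755), ("plain", 0o755)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for path, mode in unexpected_setuid("/usr"):
        print(f"unexpected privileged bit: {path} ({mode})")
```

Diffing the output against the previous run is the useful habit; a new setuid file appearing between audits is worth explaining before it is worth keeping.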