Hi,

I resisted the urge to join in on the nuclear tangent but this one proved too much (and we are indirectly back to talking about the security of the clusters we look after right?). Besides, we don't have any nukes in Ireland.

Perry E. Metzger wrote:
> It is, to some extent, a question of how many people are interested in
> a particular attack vector. Internet Explorer is a major attack vector
> for people who make money at this, so they work hard finding the bugs
> in it, of which there are an apparent endless number. I believe that
> more than 250 days last year, Internet Explorer had a known but as yet
> unpatched vulnerability. That's why the overwhelming majority of
> Windows boxes are zombies, including almost certainly most of yours
> unless you are a really unusual sysadmin.

I'm reading this to mean that you think most Windows boxes on most networks are zombies - is that right? As one of my many roles, I babysit our company network and I'd love to know how to avoid the scenario you're painting - other than the usual stuff of keeping the machines up to date, ensuring people don't run the latest .exe they receive in a spam and not exposing Windows boxes to the internet. Maybe I should get MS certified (joke, joke ;) While suggestions to install Linux on all of them are constructive, I'm afraid we can't avoid running some Windows boxen on our network.

> If you're smart, you're listening on:
>
> * DNS, with bind configured to run chrooted and unprivileged
> * sshd running with priv sep
> * ntpd running chrooted and unprived (though not all OSes will allow
>   you to do that.)
> * maybe SMTP via postfix, which runs chrooted and unprived
> * and NOTHING ELSE.
>
> And if you're really smart, those daemons are further tied down with
> various bondage and discipline equipment like apparmor or SE Linux or
> what have you.

Ouch, it's a never-ending battle isn't it?

I think you're largely right about the level of expertise out there for managing networks though - small companies don't pay someone to manage their network. Either they have some internal guy who has half a dozen other jobs or they outsource it, and unfortunately they'll usually outsource it to the cheapest guy ... who's cheap for a reason.

> If you really believe your local net is very good, run a sniffer on it
> for a while -- or talk to someone whose job is to run one.

I'd love to know how anyone with Skype running on their network manages to see much of anything from the firehose that is a packet trace (and our network is small). Again, maybe it's just a question of time.

-stephen

--
Stephen Mulcahy, Applepie Solutions Ltd., Innovation in Business Center,
GMIT, Dublin Rd, Galway, Ireland.  +353.91.751262  http://www.aplpi.com
Registered in Ireland, no. 289353 (5 Woodlands Avenue, Renmore, Galway)
_______________________________________________
Beowulf mailing list, [email protected]
To change your subscription (digest mode or unsubscribe) visit 
http://www.beowulf.org/mailman/listinfo/beowulf
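
Added example, not part of the original message: one way to check the "and NOTHING ELSE" rule from the quoted list is to compare a host's listening sockets against an allowlist. It assumes Linux `ss -H -tulpn` output and the standard well-known ports for the named services (the message names only the services); the sample lines are constructed.

```python
import re

# Allowlist taken from the quoted advice. Port numbers are an assumption:
# the standard well-known ports for the services the message names.
ALLOWED = {("tcp", 53): "DNS", ("udp", 53): "DNS", ("tcp", 22): "sshd",
           ("udp", 123): "ntpd", ("tcp", 25): "SMTP"}

# Constructed sample of `ss -H -tulpn` output (not captured from a real host).
SAMPLE = """\
tcp LISTEN 0 128 0.0.0.0:22      0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp LISTEN 0 128 [::]:22         [::]:*    users:(("sshd",pid=812,fd=4))
udp UNCONN 0 0   0.0.0.0:123     0.0.0.0:* users:(("ntpd",pid=640,fd=16))
tcp LISTEN 0 100 127.0.0.1:25    0.0.0.0:* users:(("master",pid=1010,fd=13))
tcp LISTEN 0 5   0.0.0.0:631     0.0.0.0:* users:(("cupsd",pid=700,fd=7))
udp UNCONN 0 0   0.0.0.0:5353    0.0.0.0:* users:(("avahi-daemon",pid=555,fd=12))
tcp LISTEN 0 244 127.0.0.1:5432  0.0.0.0:* users:(("postgres",pid=900,fd=5))
tcp LISTEN 0 128 *:111           *:*       users:(("rpcbind",pid=420,fd=4))
"""

def parse_listeners(text):
    """Yield (proto, local_address, port, process) for each socket line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header, blank line or another socket family
        # rpartition keeps IPv6 ("[::]:22") and scoped ("127.0.0.53%lo:53") forms intact
        addr, _, port = fields[4].rpartition(":")
        if not port.isdigit():
            continue
        proc = re.search(r'\(\("([^"]+)"', line)  # absent when ss runs without root
        yield fields[0], addr, int(port), proc.group(1) if proc else "?"

def audit(text):
    """Return sorted (proto, port, process, exposed) for listeners off the allowlist.

    exposed is False when the socket is bound to loopback only.
    """
    findings = set()
    for proto, addr, port, proc in parse_listeners(text):
        if (proto, port) in ALLOWED:
            continue
        loopback = addr.startswith("127.") or addr == "[::1]"
        findings.add((proto, port, proc, not loopback))
    return sorted(findings)

if __name__ == "__main__":
    for proto, port, proc, exposed in audit(SAMPLE):
        where = "network-reachable" if exposed else "loopback only"
        print(f"unexpected listener: {proto}/{port} ({proc}), {where}")
```

On a live host, feed `audit()` the text from `ss -H -tulpn` run as root so the process column is populated.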
