Open Source and information security mailing list archives
 
Message-ID: <20030928193641.GA3376@deneb.enyo.de>
From: fw at deneb.enyo.de (Florian Weimer)
Subject: CyberInsecurity: The cost of Monopoly

On Sun, Sep 28, 2003 at 12:20:28PM -0500, Paul Schmehl wrote:

> I don't think "we" as a "security community" have even begun to tackle this 
> problem.  We talk about it, but who is *really* doing it?  For example, if 
> you want to network machines you *have* to use SMB/NetBIOS for Windows, NFS 
> for Unix, CIFS, or something similar.  Who is really looking at how to be 
> secure while still allowing internal machines to talk to each other? 
> Certainly none of the above protocols qualify as secure.

For NFS, some pretty robust server and client implementations exist.
Much better than SMB/CIFS.  However, authentication sucks, of course.
(NFSv4 will hopefully change that.)

> When a machine is problematic, for whatever reason, the usual reaction is 
> "block it at the firewall".  But that doesn't protect that machine from 
> *other* internal machines.

At work, we have almost all of our machines in separate VLANs, and
filter the traffic between them.  (There are just tens of machines under
our direct administrative control, so it's doable.  The rest of the
network is a huge mess, as usual.  The sad thing is that most likely,
we'll never need this separation because we are careful enough anyway,
but better safe than sorry.)

> It only protects it from the outside.

And the outside from you, and your organization from embarrassment. 8-)

