PerlMonks  

Re: Stay aware of security

by arhuman (Vicar)
on Mar 15, 2001 at 19:44 UTC (#64691)


in reply to Stay aware of security

I totally agree with you when you say that we must be security aware.

However, in real life you just CAN'T always set up the adequate security level.

I mean security is almost always a tradeoff for ease of use...

Of course you can recompile your kernel adding various security patches, audit your sources, log everything on your box,
change your password to a random one every week (and Remember it), disable all unused ports,
set up a tcpwrapper AND a firewall, use secure protocols (ssh, IMAP(?)) and forbid the insecure ones (telnet, ftp...),
you can spend 2 hours a day browsing for security holes on vulnerability lists and patching all your proggies to new versions...

But will it be necessary for single user box, with no sensitive data and connected few hours a day to the net ?
Even if some of you scream 'YES' the answer is 'no' (mainly because of the hours lost in the patching/upgrading work ;-)

Security must be adapted to the level of security you NEED.

Enhance the security where it's necessary (or at least where it's the most efficient).

Don't get me wrong! In a perfect world (where I would get paid to do it full time with skillful users accepting the drawbacks)
the 'everything should be secure' policy would be fine.
Sadly, my boss thinks my job is to code as much as I can, and allows me almost no time to administer 5 servers and several workstations.
My users say SCP is too complex and that they WANT to use their (insecure) AceFTP client.
So in this world I have to carefully use the little time I have to enhance the security with a maximum efficiency (with the little time/resource I have).

So IMHO, even if you must be always security aware, there are some things that you can't afford to do.

It reminds me of the (Merlyn?) 10/10 rule about 'use strict' stating that any script with more than 10 lines
or running more than 10 times should be using use strict.
We should always use the strict pragma, but we can't afford it for simple cases...

Have you ever wondered why there are so few B1-compliant computers?
It's only because REAL security makes the use of a computer REALLY horrible.

So even if it's not so clear, here is my message :

Be security aware, especially because you CAN'T reach true security, and try to make things as secure AND easy AS YOU CAN.

"Trying to be a SMART lamer" (thanx to Merlyn ;-)


Re: Re: Stay aware of security
by jeroenes (Priest) on Mar 15, 2001 at 20:00 UTC
    arhuman,

    Maybe you better tend to weigh security against money! How much does it cost to improve, and how much will it cost me if it goes wrong? For personal use, think about what info can they get from my box? Account numbers, sensitive job information, etc... For business use: legal stuff, consumer trust, etc, etc....

    The other hand of the equation is the cost to improve. Not a matter of possibility, but of bare costs. Costs in terms of time spent, technology bought, etc.

    Jeroen
    "We are not alone"(FZ)
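The two questions jeroenes asks (what it costs if it goes wrong, against what it costs to improve) are expected-loss arithmetic, and once written down they let you rank candidate improvements and see which ones a single-user box really doesn't need. The Python below is an added example, not code from this thread or from any monk; every name, probability and money figure in it is constructed for illustration, and hours of admin time are folded into money.

```python
"""Expected-loss arithmetic for weighing a security improvement against money.

Added example, not code from the PerlMonks thread. It makes jeroenes's two
questions concrete: what it costs if it goes wrong (times how likely that
is), against what it costs to improve. All names and figures are
constructed; money is in arbitrary units, admin time is folded into money.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Improvement:
    name: str
    loss_if_it_goes_wrong: float   # account numbers, legal fallout, lost trust, downtime...
    p_per_year_now: float          # chance per year of it going wrong, as things stand
    p_per_year_after: float        # chance per year once the improvement is in place
    cost_to_improve: float         # one-off: hours spent, technology bought
    cost_per_year_to_keep: float   # recurring: patching, support, user complaints handled


def expected_loss_per_year(p: float, loss: float) -> float:
    """Annualised expected loss: probability of the incident times its cost."""
    return p * loss


def net_benefit(imp: Improvement, years: int = 3) -> float:
    """Expected loss avoided over the horizon minus what the improvement costs."""
    avoided = (expected_loss_per_year(imp.p_per_year_now, imp.loss_if_it_goes_wrong)
               - expected_loss_per_year(imp.p_per_year_after, imp.loss_if_it_goes_wrong)) * years
    spent = imp.cost_to_improve + imp.cost_per_year_to_keep * years
    return avoided - spent


def worth_doing(imp: Improvement, years: int = 3) -> bool:
    """An improvement earns its keep only if it avoids more loss than it costs."""
    return net_benefit(imp, years) > 0


def rank(improvements, years: int = 3):
    """Most valuable first; anything with a negative net benefit sinks to the bottom."""
    return sorted(improvements, key=lambda i: net_benefit(i, years), reverse=True)


# Constructed figures for the two situations the thread contrasts: an office
# server holding business data, and a single-user box with nothing sensitive.
CANDIDATES = [
    Improvement("office: replace telnet/ftp with ssh/scp", 20000, 0.30, 0.05, 800, 100),
    Improvement("office: separate FTP box isolated from the database", 20000, 0.30, 0.10, 2000, 600),
    Improvement("home box: rotate password weekly", 200, 0.02, 0.015, 0, 150),
]

if __name__ == "__main__":
    for imp in rank(CANDIDATES):
        verdict = "do" if worth_doing(imp) else "skip"
        print(f"{verdict:4} {net_benefit(imp):>9.0f}  {imp.name}")
```

With these constructed numbers the ssh/scp switch on the office server comes out far ahead, the isolated FTP box is still worth its cost, and weekly password rotation on the home box loses money: the hours spent outweigh the tiny loss it avoids, which is arhuman's point about the single-user box. The probabilities are the weak spot of any such estimate, so it pays to rerun the ranking with pessimistic and optimistic guesses and see which decisions change.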

Re: Re: Stay aware of security
by footpad (Monsignor) on Mar 15, 2001 at 21:12 UTC

    I have really mixed feelings about your thoughts because "It's too hard" is a very slippery slope, one that leads to complacency far too easily. In turn, complacency leads to compromise (in both senses of the word).

    Given the rise of distributed DOS attacks, the practice of using compromised systems as gateways to further mayhem, and other common tactics, I really don't think it's unreasonable to make things a little harder than they need to be in order to add basic and reasonable precautions.

    (I'm reasonably certain that you're aware of this, but I'm trying to point out that many hacks are executed through very common and easily fixed vulnerabilities.)

    Yes, of course there's a balance, but I would argue that you need to draw the line a little farther from the knife edge.

    Users will complain about being forced to change their passwords and to mix case, add numbers, and so on. But they eventually learn and adapt.

    They will not do it on their own; you (the admin) must educate them. Given the number of excellent sources and the publicity surrounding certain hacks, this doesn't need to be overly time consuming.

    Your boss wants you to code? Fine, get him to let you code decent starting places for your users. If they're using FormMail, give them a more secure version. Give them packages of convenient, easy-to-use routines designed to be safer.

    Let them use their FTP clients...on realms isolated from data. Don't let them play in a sandbox on the same machine as the one running your database.

    I think part of tilly's warning is that there are far too many basic, easy, and well-known things you can do to prevent most problems. Be sure you use them.

    Do you really want modern versions of Al Capone running through your systems?

    Also, try to get your boss to allow you two hours a day for research to be spent on non-billable projects. Explain to him the benefit of having a more educated admin/programmer. Show him that this is an investment that will pay off over time.

    Yes, there's a balance between total security and reasonable access. Take the time to make sure you've drawn that line as carefully as possible. If you don't know where it is, you will learn...one way or the other.

    (Not trying to flame you or anything. Just trying to make it perfectly clear that it's far too easy to be complacent. Ignorance must be resisted as strongly as possible.)

    "It's too hard" is not a valid excuse in my book. "Acceptable Losses" may be a better term.

    --f

    Update: In response:

    I think we're arguing the same viewpoint from different angles. I do agree that 100% security is difficult, expensive, and restrictive. I was really trying to say be very, very careful with your compromises.

    Specific points:

    • "security is easy, you only have to do simple things to secure your machine"

      I agree and if that's how I came across, that is not what I meant. I meant, don't let your compromises prevent you from doing the easy stuff.

    • the recipes are known but they are impractical in real use.

      I would rather say "they can be impractical." I have seen far too many cases where people have taken this idea to the extreme of "Never mind. We'll take that chance." Those extremes are what prompted my reply.

      Yes, of course, take the basic precautions and figure out the balance you're talking about. Again, I'm not disagreeing with you...I'm arguing against the extreme conclusions that I've seen others make, conclusions generally starting with thoughts very similar to yours. You appear to be drawing a good balance.

    • Tell me how do you easily fix production servers which must be running 24/24h 7/7j
      (with of course some applications incompatible with the new secure version of other applications)?

      This is true. There's not an easy answer. Or, perhaps more accurately, I don't know how secure sites do this. I know it's done and hope that a monk more versed in administration matters can offer some hints or a link.

    • OK, but they want the same password for telnet and ftp, anyone with a sniffer on my subnet now has a local access on my box.

      Which is why I suggested using a different realm or box. I would not knowingly advocate dangerous practices. I'm sorry I wasn't more clear on that point.

    • I will now have another box to secure...

      Then that's a risk you find acceptable, one I assume you'll fix when or if you have the opportunity. As I understand it though, my recommendation is considered safest.

      Again, I am not criticizing your choices, just trying to call attention to a couple of ideas that I've come across. It's free advice. Ignore it if you wish.

    • (It IS a huge error if you think in long term effect, but my boss tend to be short sighted...)

      I don't envy your position. You're clearly dealing with several conflicting desires/choices/factors. The presence of a PHB doesn't help.

      As I mentioned earlier, you're doing the best you can and that's all anyone can ask.

      However, that doesn't mean you should give up. Try to socially engineer him. If you're not allowed to experiment, then how can you predict that new changes won't adversely affect production data?

      I'm sure that far wiser and more experience monks can offer other ideas and suggestions.

    • I hope you won't take it as irony or personal attack, but this is MY REALITY, and probably the one of a lot of sysadmins...

      No, I don't take it as a personal attack, in part because my reality is, in many ways, similar. I freely admit that I'm a programmer, not an admin. but, I have compromises to live with in my work as well.

      However, that doesn't stop me from trying to improve that reality through education, discussion, experimentation, and so on. It doesn't prevent me from trying to help my boss get over some of her pointiness. It doesn't stop me from trying to help others make their professional lives better.

      I know I am not perfect. I continue to try to make a difference. I will not accept my reality as set in stone. I believe I can affect and improve it.

      I'm sure you are doing the same and are as frequently frustrated as I am.

    • Be security aware, especially because you CAN'T reach true security, and try to make things as secure AND easy AS YOU CAN.

      I agree. I also think it's important to try to do better, even after making certain choices. Put another way, a compromise is fine, as long as it's knowingly made. However, it should not remain set in stone. "We can't do that" should be "We can't do that now." This leads to "What needs to happen so we can," which in turn often leads to a solution and a plan for implementing it.

    Again, this is friendly discussion that's not intended to inflame. I'm trying to solve problems, not criticize anyone's decisions, work, or choices. Most of us care enough about our work to keep poking at it after it's "done." That's the attitude that I'm trying to encourage. Do the best you can at the moment, accept your limitations, and try to improve when and where you can--even if that's the next project.


      I must have been VERY unclear:
      I've never said security 'it's too hard' in fact I think security is obvious
      (a large part of the vulnerabilities are known and categorized)

      I only say that most of us can't afford the cost of true security
      I furthermore think that saying "security is easy, you only have to do simple things to secure your machine" is wrong !
      (the easy things to do provide only weak protection against the clueless script-kiddies)
      It's not only wrong but it has the bad side-effect of (wrongly) making you feel secure.

      Really securing your machine is a constant/heavy process.
      the recipes are known but they are impractical in real use.

      "I'm trying to point out that many hacks are executed through very common and easily fixed vulnerabilities"
      I'd like to do it, just imagine how much time it would take to constantly check for new exploits/versions and upgrades.
      Tell me how do you easily fix production servers which must be running 24/24h 7/7j
      (with of course some applications incompatible with the new secure version of other applications)?

      "Let them use their FTP clients"
      Ok but they want the same password for telnet and ftp, anyone with a sniffer on my subnet now has a local access on my box.

      "Users will complain about being forced to change their passwords and to mix case, add numbers, and so on.
      But they eventually learn and adapt.
      "
      You're right they'll adapt, I can't count the number of times I caught them writing it on a post-it (put ON THE SCREEN !!!)

      "Don't let them play in a sandbox on the same machine as the one running your database."
      Another machine? I can't convince my boss to give me a little time,
      how will I convince him to spend hundreds of dollars for the box/hosting.
      Worse ! I will now have another box to secure...

      "Explain to him the benefit of having a more educated admin/programmer." I've tried; he then explained to me the benefit for the society of making money, he explained to me how much 2 hours of security cost and how much 2 hours of coding bring us
      (It IS a huge error if you think in long term effect, but my boss tends to be short sighted...)

      That's why I (you'll) have to think in terms of efficiency (or cost, which is the right term here, as jeroenes said).

      I hope you won't take it as irony or personal attack but this is MY REALITY, and probably the one of a lot of sysadmins...

      All I can say is claim it again :
      Be security aware, especially because you CAN'T reach true security, and try to make things as secure AND easy AS YOU CAN.


      "Trying to be a SMART lamer" (thanx to Merlyn ;-)
