[Snort-users] Still Help Needed: i want to make a firewall

Matt Kettler mkettler at ...4108...
Thu Apr 17 11:37:10 EDT 2003


At 12:34 PM 4/17/2003 -0500, Paul Schmehl wrote:
>This is a *horrible* "solution".  How does this improve security?


Actually, this is a good solution insofar that servers on which nobody 
ever web browses will not be as easily taken advantage of by worms that 
rely on IE to spread once they infect the server. This isn't a 
comprehensive security solution, but is a part of one. There is no single 
change to a system that makes it secure, and this certainly isn't a massive 
improvement and there are ways around it, but it is indeed a small 
improvement.

It's quite similar to the "by default run no services that aren't needed" 
principle used by OpenBSD. This way you're forcing people to turn on things 
as they need them, instead of forcing them to realize on their own what 
they don't need and turn it off. You're significantly more likely to 
realize that something you need is disabled than to notice something you 
don't need that's on.

It is, however, no substitute for other aspects of securing a system; really 
you need a wide variety of techniques applied together, and what they've 
done here IS one of the basic tenets of a secure system (minimal service 
and/or minimal privilege depending on how you look at it).

Some key aspects of a well secured system that spring to my mind include:

  - minimal necessary service (don't offer services that nobody needs)
  - minimal necessary privilege (don't provide users/programs access to 
    resources they don't need, i.e.: ACLs, file permissions)
  - code audits (to find/fix bugs before hackers do)
  - defensive code mechanisms (i.e.: buffer sanity checks, hardware based 
    no-exec, etc. to help prevent unknown holes from being exploited)
  - integrity checking (useful for forensics and figuring out which files 
    got changed if an attack occurs, if nothing else.. i.e.: properly 
    configured tripwire or aide. And yes, by "proper" I do mean protecting 
    the database and application from being changed).


Admittedly they've not covered every base.. but hey, every little step they 
take is _something_ and I'll be more than happy to praise MS for taking 
steps to improve this area (while at the same time criticizing them for any 
remaining weaknesses).
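The integrity-checking point in the list above (a baseline of file digests, with the baseline database itself protected against modification) as an added example. This is not code from the post, nor from tripwire or AIDE; the directory tree, file contents and the HMAC key are constructed placeholders, and in a real deployment the key and the sealed baseline would be kept off the monitored host (read-only media or another machine), which is what "protecting the database" amounts to.

```python
"""Minimal file-integrity baseline in the spirit of tripwire/AIDE.

Added example, not from the original mailing-list post. The demo tree and
the key below are constructed for illustration only.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Placeholder key (constructed). A real deployment keeps this off-host so an
# intruder who owns the box cannot re-seal a doctored baseline.
BASELINE_KEY = b"example-only-key-store-this-offline"


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to digest and mode."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def seal_baseline(baseline: dict, key: bytes) -> dict:
    """Serialize the baseline and attach an HMAC so that tampering with the
    stored database is detected when it is loaded again."""
    body = json.dumps(baseline, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "hmac": tag}


def open_baseline(sealed: dict, key: bytes) -> dict:
    """Verify the HMAC before trusting anything in the stored baseline."""
    expected = hmac.new(key, sealed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["hmac"]):
        raise ValueError("baseline database has been modified or key mismatch")
    return json.loads(sealed["body"])


def compare(old: dict, new: dict) -> dict:
    """Report which files were added, removed, or changed (content or mode)."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "changed": sorted(k for k in old_keys & new_keys if old[k] != new[k]),
    }


def demo() -> dict:
    """Baseline a constructed tree, simulate a compromise, and re-check it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "httpd").write_bytes(b"original binary")
        (root / "etc").mkdir()
        (root / "etc" / "httpd.conf").write_text("Listen 80\n")
        (root / "etc" / "motd").write_text("welcome\n")

        sealed = seal_baseline(build_baseline(root), BASELINE_KEY)

        # Simulated post-incident state: a binary replaced, a file dropped in,
        # and a file deleted.
        (root / "bin" / "httpd").write_bytes(b"replaced binary")
        (root / "bin" / "extra.so").write_bytes(b"new file")
        (root / "etc" / "motd").unlink()

        report = compare(open_baseline(sealed, BASELINE_KEY), build_baseline(root))

        # A baseline database edited after sealing must be rejected, not trusted.
        forged = {"body": sealed["body"].replace('"mode"', '"Mode"'),
                  "hmac": sealed["hmac"]}
        try:
            open_baseline(forged, BASELINE_KEY)
            report["tamper_detected"] = False
        except ValueError:
            report["tamper_detected"] = True
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report from `demo()` names the replaced binary under "changed", the dropped-in file under "added" and the deleted file under "removed", and the forged database is refused before any comparison runs. Recording the mode alongside the digest catches permission changes that leave the contents intact.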