[plug] Installfest - distributions

Bret Busby bret at clearsol.iinet.net.au
Fri Aug 25 13:25:09 WST 2000 

Christian wrote:
> 
> On Thu, Aug 24, 2000 at 11:38:20AM +0800, Bret Busby wrote:
> 
> > Regarding Red Hat, and the issue of security; does the "least stringent
> > security" apply to local, or external security? Where ipchains is used
> > (we have a quite complicated firewall script, that Christian had a look
> > at, and said that it was too long and complicated to try to easily
> > understand), isn't something like the implementation of the ipchains
> > utility in a distribution, generic across the distributions? By that, I
> > mean the actual code for the application (ipchains); isn't it the same,
> > regardless of the distribution? Thus, if an ipchains firewall is used,
> > shouldn't that overcome the security issues as far as security external
> > to a LAN is concerned, if an external entity can't see past the firewall
> > (on the ideal basis that a firewall is infallible, which, I believe they
> > aren't; my understanding is that they just increase the probability of
> > security)?
> 
> Bret, to paraphase Bruce Schneier, security is not a program, it's a
> process.  The only system I know that obtains security by merely
> installing it is OpenBSD, and even then there are things you can do to
> improve its security.  All Linux distributions are mediocre, at best,
> when it comes to security.  The difference is, how much work (i.e., the
> process bit) needs to be done to bring them up to scratch.  Security
> requires both understanding the issues and knowing what to do.
> "Hardening" scripts are semi-useful because they partially handle the
> second bit but are not the answer because they don't handle the first at
> all.  If you're so worried about security then register interest (and
> enrol!) in the security unit I'm planning to run second semester next
> year.  You can get more info at http://stallman.murdoch.edu.au.  That
> way you will (hopefully) understand the *process* of security instead of
> being caught up with the idea of different programs giving you security.

The point that I ws trying to make, was that my understanding that a
firewall, reasonably setup, should reduce the risk of anyone
unauthorised, getting beyond it. If people cannot get beyond a firewall,
then I am wondering at the "least stringent security", as it supposedly
applies to Red Hat. I was querying the degree of security, and, whether
it was a security issue, that applied to people breaching a firewall (in
other words, that the Red Hat ipchains is inferior to the ipchains of
other distributions), or to people breaching host security within a LAN,
or, whether it applied to people sitting at a terminal to a RH Linux
box, and logging in when unauthorised. I was wanting to seek
clarification of what was meant by the "least stringent security".
However, the person who made the claim, appears to have not been
interested in clarification.

It is interesting, that Christian, in the response above, stated "All
Linux distributions are mediocre, at best, when it comes to security.". 
My understanding is that security is relative, and can never be absolute
(except in the case of the absolute security implemented by MS - the
blue screen of death). Having said that, whilst, according to Christian,
the security of Linux distributions is mediocre, and, whilst my
understanding of computer security is much less than Christian's, it is
my understanding, that Linux is much more secure than other, inferior
operating systems that are acknowledged as having not been designed with
security in mind at the time of design, and, that Linux security is
generally sufficient for most people, with the included facility of
firewall creation, via ipchains, and previously, ipfwadm.

But, no doubt, others will disagree, and, and clarifications, and
constructive discussion, would be appreciated.

Second semester next year is so long away, and, yes, I have visited the
website and done my bit...

> 
> > Regarding Debian, and one of the more knowledgeable on the list can
> > perhaps clarify this, but, in addition to the above comments about
> > Debian, isn't it supposed to be easier (apart from the information on
> > the debian.org website), to upgrade from one version of debian, to the
> > next? While we have last weekend done an easy upgrade, from RH 6.0 to RH
> > 6.2, I understand that RH cannot be upgraded from a first digit version
> > number to a later first digit version number (eg, upgrading my RH 5.2 to
> > RH 6.2); that it has to be done as a clean instal, but, that with
> > Debian, it can be done, easily and simply. Am I correct in this belief?
> > If so, that may be worth including in the comments about Debian. If I am
> > mistaken, then, I can learn from the mistake.
> 
> Debian will upgrade from successive stable distributions with virtually
> no hitches.  It's also trivial to upgrade software and keep things up to
> date (which helps with security).
> 

Then, perhaps, reference could be made to that, in the posters or
whatever, that differentiate between the distributions?


-- 

Bret Busby

......................................

More information about the plug mailing list