Just How Effective is System Hardening?
SkiifGeek, pointing to our recent coverage of what the NSA went through to create SELinux, wants to know just how effective system hardening is at preventing successful attack, and writes "When Jay Beale presented at DefCon 14, he quoted statistics (PDF link) that Bastille protected against every major threat targeting Red Hat 6, before the threats were known. With simple techniques available for the everyday user which can start them on the path towards system hardening, just how effective have you found system and network hardening to be? The NSA does have some excellent guides to help harden not only your OS but also your browser and network equipment."
Very effective (Score:5, Informative)
That is just a start. Now you also have to monitor the activity on the host or network to detect any changes or indicators of malicious behavior.
Hardening is easier to do with servers because servers tend to have more stable configuration requirements and less user touch. Workstations and desktops are more difficult. You can lock down a Windows host very tightly using the GPO and other OS tools. You can also buy other applications to fill gaps. Financial institutions, for example, often have very tight workstations. In most other organizations, however, users are used to having more control, and the pain of locking down a workstation compared to the outcry IT will receive normally leads to looser standards.
Re:Everyday user? (Score:3, Informative)
Re:Lunix bailout by big daddy gubment (Score:5, Informative)
As for backdoors, I don't know that they've created any code to secure the system, just produced a set of rules and guidelines that help people know what to secure and how.
Re:Everyday user? (Score:3, Informative)
Re:The Network guides are nice (Score:5, Informative)
Cisco Routers [nsa.gov]
Cisco Switches [nsa.gov]
Re:Would be really handy (Score:3, Informative)
Re:Lunix bailout by big daddy gubment (Score:5, Informative)
The rest of your post is probably trolling; but what the hell, I'll answer it anyway: SELinux added Mandatory Access Control abilities to Linux. These are very useful, and very powerful, security features and it is definitely good that Linux now has them; but it is hardly the case that any OS without them is necessarily insecure.
As for the "handout" angle, SELinux was certainly a handout for Linux; but it was also the cheapest and most effective way for the NSA to make MAC widely available in a short period of time. The objective of the program was a handout of security from the NSA to other entities. The handout to Linux was just the easiest path to that objective.
Re:How hard is it to get any real work done on loc (Score:3, Informative)
Responsible IT departments can configure your systems while still allowing you to work. mike
Re:Lunix bailout by big daddy gubment (Score:3, Informative)
SELinux
RSBAC
PaX
Grsecurity
Bastille
AppArmor
are not new, it's just that they are finally getting into the mainstream distros. If you wanted a secure Linux system you could have had one 5/10 years ago, it's just you had to actually do it yourself.
Re:Lunix bailout by big daddy gubment (Score:1, Informative)
NEWSFLASH:
Windows already had ACL level control down to the lowest levels ( & easily implementable via group policies &/or GUI tools in MMC.exe via snapins, regedit.exe, & explorer.exe also ) as well, in the OS since day #1 in Windows NT-based OS!
(Whereas Linux did not ( just like Linux didn't have true threads @ kernel level, iirc, prior to kernel build 2.4x, into usermode initially & thus, it was NOT fully SMP ready ) & Linux had to have it later "bolted on" - all Linux had was chmod for example before SELinux MAC was put in ).
Please - Get informed first, before shooting your mouth off with yet more Linux/Pro-Penguin F.U.D. & misinformation!