Security

Just How Effective is System Hardening?

SkiifGeek, pointing to our recent coverage of what the NSA went through to create SELINUX, wants to know just how effective system hardening is at preventing successful attack, and writes "When Jay Beale presented at DefCon 14, he quoted statistics (PDF link) that Bastille protected against every major threat targeting Red Hat 6, before the threats were known. With simple techniques available for the everyday user which can start them on the path towards system hardening, just how effective have you found system and network hardening to be? The NSA does have some excellent guides to help harden not only your OS but also your browser and network equipment."
  • Very effective (Score:5, Informative)

    by hal9000(jr) ( 316943 ) on Tuesday May 13, 2008 @09:50AM (#23390452)
    System and network hardening is very effective. By hardening, I mean doing things like removing unnecessary services and applications; configuring the remaining services to be as featureless as possible while still doing what you need; examining the remaining service and application configurations and making changes to reduce features and employ security measures like encryption, etc; utilizing whatever access controls are available in the strictest sense.

    That is just a start. Now you also have to monitor the activity on the host or network to detect any changes or indicators of malicious behavior.

    Hardening is easier to do with servers because servers tend to have more stable configuration requirements and less user touch. Workstations and desktops are more difficult. You can lock down a Windows host very tightly using the GPO and other OS tools. You can also buy other applications to fill gaps. Financial institutions, for example, often have very tight workstations. In most other organizations, however, users are used to having more control, and the pain of locking down a workstation compared to the outcry IT will receive normally leads to looser standards.
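An added example, not part of the comment above: one way to check the two steps it names, removing unnecessary services and then monitoring for changes, is to compare a host's listening sockets against an allowlist and against a saved baseline. The sample `ss -H -tuln` output and the `ALLOWED` policy are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -H -tuln` output (not taken from a real host).
SAMPLE_SS = """\
tcp   LISTEN 0  128     0.0.0.0:22     0.0.0.0:*
tcp   LISTEN 0  100   127.0.0.1:25     0.0.0.0:*
tcp   LISTEN 0  5       0.0.0.0:23     0.0.0.0:*
udp   UNCONN 0  0       0.0.0.0:111    0.0.0.0:*
tcp   LISTEN 0  128        [::]:22        [::]:*
tcp   LISTEN 0  128       [::1]:631       [::]:*
"""

# Hypothetical policy: the only service this host should expose to the network.
ALLOWED = {("tcp", 22)}

def parse_listeners(ss_output):
    """Return a set of (proto, address, port) for each listening socket."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or truncated lines
        addr, _, port = fields[4].rpartition(":")
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and scope id
        if addr == "*":
            addr = "::"  # ss prints * for a dual-stack wildcard bind
        listeners.add((fields[0], addr, int(port)))
    return listeners

def audit(listeners, allowed):
    """List network-reachable listeners that the policy does not allow."""
    findings = []
    for proto, addr, port in sorted(listeners):
        if ipaddress.ip_address(addr).is_loopback:
            continue  # bound to localhost only: not exposed to the network
        if (proto, port) not in allowed:
            findings.append((proto, addr, port))
    return findings

def drift(baseline, current):
    """Listeners present now that were absent from the hardened baseline."""
    return sorted(current - baseline)

if __name__ == "__main__":
    for finding in audit(parse_listeners(SAMPLE_SS), ALLOWED):
        print("unexpected listener:", finding)
```

On a live host the same functions can be fed the captured output of `ss -H -tuln`, with the parsed set stored after hardening and passed to `drift` on later runs.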
  • Re:Everyday user? (Score:3, Informative)

    by Hyppy ( 74366 ) on Tuesday May 13, 2008 @10:22AM (#23390772)
    The Windows XP guide is also available [nsa.gov], though they also point to the MS guides since they have become very good. If nothing else, a quick glance through the services to disable can be helpful.
  • by bkr1_2k ( 237627 ) on Tuesday May 13, 2008 @10:41AM (#23390974)
    The NSA doesn't really care about hardening your system, they care about their own, first and those of the other US government agencies after that. They produce these guidelines to be used by other agencies, and contractors for use on systems that the NSA will then purchase.

    As for backdoors, I don't know that they've created any code to secure the system, just produced a set of rules and guidelines that help people know what to secure and how.

  • Re:Everyday user? (Score:3, Informative)

    by Aram Fingal ( 576822 ) on Tuesday May 13, 2008 @10:52AM (#23391114)
    I read through the NSA guide for OSX 10.3 and it's surprisingly basic. Most of it just repeats common advice on Mac security that you can get from a number of places. Some of it covers things that the average user wouldn't do like disconnect the microphone so that a spy can't hack in, activate it and listen in on your conversations. The one part which I thought was good was the section on when and how to use the Keychain.
  • by Hyppy ( 74366 ) on Tuesday May 13, 2008 @10:59AM (#23391190)
    Ask and you shall receive...

    Cisco Routers [nsa.gov]
    Cisco Switches [nsa.gov]

  • by cromar ( 1103585 ) on Tuesday May 13, 2008 @11:12AM (#23391320)
    You might try (on a test box) the security information/tools CIS [cisecurity.org] (Center for Internet Security) has to offer. I have had good experience with the information for AIX (of all things). They provide automated tools for Windows and a few other OSs.
  • by fuzzyfuzzyfungus ( 1223518 ) on Tuesday May 13, 2008 @11:55AM (#23391776) Journal
    The NSA, and state entities in general, has an interest in increasing security, even though it sometimes makes its job less convenient. The reason is pretty simple: Insecure systems can be broken by anybody with sufficient knowledge and motivation, NSA, spammers, organized crime, foreign intelligence services, etc. Secure systems can be broken by a search warrant, only available to state entities. There are, I'm sure, a number of exceptions to this trend; but for something like computer security, the government's best interests are pretty clear.

    The rest of your post is probably trolling; but what the hell, I'll answer it anyway: SELinux added Mandatory Access Control abilities to Linux. These are very useful, and very powerful, security features and it is definitely good that Linux now has them; but it is hardly the case that any OS without them is necessarily insecure.
    As for the "handout" angle, SELinux was certainly a handout for Linux; but it was also the cheapest and most effective way for the NSA to make MAC widely available in a short period of time. The objective of the program was a handout of security from the NSA to other entities. The handout to Linux was just the easiest path to that objective.
  • by hal9000(jr) ( 316943 ) on Tuesday May 13, 2008 @01:14PM (#23392702)
    If your IT admins locked the system down to the point that you can't get work done, they have failed and you, or your boss, have the obligation to raise the issue.

    Responsible IT departments can configure your systems while still allowing you to work. mike
  • by RiotingPacifist ( 1228016 ) on Tuesday May 13, 2008 @01:46PM (#23393122)
    Hardening has been around for years
    SELinux
    RSBAC
    PaX
    Grsecurity
    Bastille
    AppArmor

    are not new, it's just that they are finally getting into the mainstream distros. If you wanted a secure Linux system you could have had one 5/10 years ago, it's just you had to actually do it yourself.
  • by Anonymous Coward on Wednesday May 14, 2008 @12:06PM (#23404408)
    "Since they could not get their hands on the Windows code Linux was the obvious choice." - by AmaDaden (794446) on Tuesday May 13, @12:04PM (#23391860)
    Oh boy, another "slashdot sheep" following the crowd, & the F.U.D. dept. @ this website, spreading around yet MORE "propaganda", without knowing what the hell he's talking about!

    NEWSFLASH:

    Windows already had ACL level control down to the lowest levels ( & easily implementable via group policies &/or GUI tools in MMC.exe via snapins, regedit.exe, & explorer.exe also ) as well, in the OS since day #1 in Windows NT-based OS!

    (Whereas Linux did not ( just like Linux didn't have true threads @ kernel level, iirc, prior to kernel build 2.4x, into usermode initially & thus, it was NOT fully SMP ready ) & Linux had to have it later "bolted on" - all Linux had was chmod for example before SELinux MAC was put in ).


    Please - Get informed first, before shooting your mouth off with yet more Linux/Pro-Penguin F.U.D. & misinformation!
