Just How Effective is System Hardening?
SkiifGeek, pointing to our recent coverage of what the NSA went through to create SELinux, wants to know just how effective system hardening is at preventing successful attack, and writes "When Jay Beale presented at DefCon 14, he quoted statistics (PDF link) that Bastille protected against every major threat targeting Red Hat 6, before the threats were known. With simple techniques available for the everyday user which can start them on the path towards system hardening, just how effective have you found system and network hardening to be? The NSA does have some excellent guides to help harden not only your OS but also your browser and network equipment."
Defense in Depth (Score:5, Insightful)
System hardening is also very helpful against inside jobs, or against other systems on the network compromised through brute force or social engineering.
Re:Would be really handy (Score:4, Insightful)
Re:Concrete (Score:4, Insightful)
Is it just me? (Score:4, Insightful)
Re:Would be really handy (Score:2, Insightful)
Re:Defense in Depth (Score:5, Insightful)
Many of the SNACs (or STIGs as I remember them being called) go into detail in such areas as setting the method for password hashing, setting policies for allowed authentication protocols, disabling authentication on time mismatches, and a plethora of other things.
If nothing else, system hardening can be a "best practices" framework for your systems and/or network. I remember one of my systems administrators complaining to a security inspector that the system would not allow a log on if the security log was full instead of just overwriting old entries. He didn't realize that filling the security log with bogus crap could mask a real intrusion. Nobody knows absolutely everything, and not everyone has the time to sit down and understand every intricate detail. Using a system hardening approach, however, is a very good foundation to build your overall security posture.
You say that you only allow http, but what happens when a vulnerability is found in code that you use for your http application? That's what defense in depth is all about. You may be able to knock down this wall, but there are 10 more behind it that are even bigger.
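The kind of checks the STIG-style guides mentioned above turn into a "best practices" framework can be scripted. The following is an added illustration, not code from this thread or from any NSA guide: it parses constructed `login.defs` and `sshd_config` samples and flags the hashing method, password ageing and SSH authentication settings that such guides typically call out. The thresholds (SHA-512, 90-day max age, 8-character minimum, SSH protocol 2 only) are assumptions chosen for the example.

```python
# Constructed sample configs (not from any real host) carrying several weak settings.
LOGIN_DEFS = """\
# /etc/login.defs (constructed sample)
ENCRYPT_METHOD MD5
PASS_MAX_DAYS 99999
PASS_MIN_LEN 5
"""

SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
"""

def parse_kv(text):
    """Parse 'KEY VALUE' lines, ignoring blanks and comments; keys are uppercased."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

# Each rule: (key, predicate that must hold on the value, finding message).
# Thresholds are assumed STIG-style values, not a transcription of any specific guide.
LOGIN_RULES = [
    ("ENCRYPT_METHOD", lambda v: v.upper() in ("SHA512", "YESCRYPT"), "weak password hash method"),
    ("PASS_MAX_DAYS", lambda v: v.isdigit() and int(v) <= 90, "password max age too long or never expires"),
    ("PASS_MIN_LEN", lambda v: v.isdigit() and int(v) >= 8, "minimum password length below 8"),
]
SSHD_RULES = [
    ("PROTOCOL", lambda v: set(v.split(",")) == {"2"}, "SSH protocol 1 allowed"),
    ("PERMITROOTLOGIN", lambda v: v.lower() == "no", "direct root login over SSH allowed"),
    ("PASSWORDAUTHENTICATION", lambda v: v.lower() == "no", "password authentication allowed"),
    ("PERMITEMPTYPASSWORDS", lambda v: v.lower() == "no", "empty passwords allowed"),
]

def audit(conf, rules):
    """Return a list of findings; a key that is absent entirely is also a finding."""
    findings = []
    for key, ok, msg in rules:
        value = conf.get(key)
        if value is None or not ok(value):
            findings.append(f"{key}={value!r}: {msg}")
    return findings

if __name__ == "__main__":
    for f in audit(parse_kv(LOGIN_DEFS), LOGIN_RULES) + audit(parse_kv(SSHD_CONFIG), SSHD_RULES):
        print("FAIL", f)
```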
Re:Defense in Depth (Score:5, Insightful)
There's no perfect safety ... (Score:5, Insightful)
Two guys are out on a hike in the forest. They go around the corner of a rock outcropping, and are confronted with a grizzly bear, not far away, who immediately springs toward them. The first guy starts running away. The second yells after him, "You damned fool, you can't outrun a grizzly bear!" The first says, over his shoulder, "I know -- but I can outrun you."
Your house doesn't have to be impossible to break into; it helps quite a bit if it's just harder than your neighbor's.
Re:Defense in Depth (Score:5, Insightful)
Re:Defense in Depth (Score:5, Insightful)
That's one of the biggest hurdles today in security: striking a balance and prioritizing. Everyone can say "Usability and security are both important," but it takes time and thought to come up with a detailed analysis of the priorities during an actual attack.
Re:There's no perfect safety ... (Score:3, Insightful)
Re:How hard is it to get any real work done on loc (Score:5, Insightful)
Re:Is it just me? (Score:5, Insightful)
I'm not wary at all. Any access they might want into your Windows system was probably built in. I imagine they already have that kind of access to every Windows computer. Anything they can give you to help keep your Windows machine from turning into part of a North Korean botnet can only benefit both you and the government.
Just because you're inept at systems management (Score:3, Insightful)
How hard is it to get any real work done on a super locked down system without a lot of dead time waiting for IT to unlock what you need to get your job done?
So kindly go fuck yourself with your condescending attitude.
Re:allow execution of only known good binaries (Score:3, Insightful)
define "effective" (Score:4, Insightful)
1) improperly designed trusts between systems (e.g. the Internet can't talk to my database server, but my webserver has full access; when my webserver is compromised, the contents of my database are toast as well). Networks designed to fail safely and gracefully, with liberal application of the principle of least privilege, help mitigate this kind of risk.
2) stupid user tricks (I place social engineering in this category, along with phishing and the majority of email viruses). There is no technical solution for this essentially social problem - education helps, sane and safe defaults help tremendously (every unnecessary feature is an additional security risk, and the risk compounds as features are added), software policy approaches like ACL/MAC/UAC/RBAC help.
Re:Concrete (Score:3, Insightful)
Re:Defense in Depth (Score:5, Insightful)
SELinux almost makes more sense in an appliance server; as the config is not likely to change much. Just assume the web interface is vulnerable (it probably is; if not through your code then some as-yet undiscovered vulnerability in the LAMP stack.) I'll admit, SELinux is a religion you've got to practice, but Unix filesystem permissions leave a lot to be desired (I don't like having to create a new group every time I want to set permissions on a subset of users, thanks.) There needs to be more in the 21st century, and while SELinux is not the best solution, it's a workable one.
The goal of SELinux IMO is the realization that you will never get rid of all vulnerable code on your box. What you can do is limit the damage they can do when they get past the application layer security. Who cares if they can hack your sendmail server when it doesn't have access to read/write anything outside its config and spool directories?
Re:Defense in Depth (Score:3, Insightful)
There is no one-stop panacea for security. Anyone who says otherwise is either a snake-oil salesman, or a massive liability to any company that hires them.
Yes, it's just you (Score:3, Insightful)
Probably. What risk does it introduce, which you didn't already have?
The situation simply cannot get any worse from the perspectives of security and trust, so what is the downside? You might as well let NSA patch things to oppose their competitors' access. A machine with one master that is potentially hostile to you, is better than a machine with multiple masters that are potentially hostile to you.
Re:works ok for me (Score:3, Insightful)
How many cases have you had of users not being able to do work, or being greatly inconvenienced and slowed thanks to those security measures?
How about incidents where users bypassed security? Like, how have you disabled the CD? Went into the BIOS setup and simply disabled the IDE interface it's connected to? And why are you even using IE?
You're a good way down the path of just not allowing the use of computers at all.