Just How Effective is System Hardening?

SkiifGeek, pointing to our recent coverage of what the NSA went through to create SELINUX, wants to know just how effective system hardening is at preventing successful attack, and writes "When Jay Beale presented at DefCon 14, he quoted statistics (PDF link) that Bastille protected against every major threat targeting Red Hat 6, before the threats were known. With simple techniques available for the everyday user which can start them on the path towards system hardening, just how effective have you found system and network hardening to be? The NSA does have some excellent guides to help harden not only your OS but also your browser and network equipment."
  • Re:Defense in Depth (Score:5, Interesting)

    by tgatliff ( 311583 ) on Tuesday May 13, 2008 @09:46AM (#23390412)
    I guess it depends on the type of system you are running, and how users interact with it. Most of what I do is building appliance-based servers, so my focus is more on keeping users away from the shell, and limiting the number of services (HTTP primarily) they can use. For me, adding SELinux to the mix on something like what I have would be a lot more painful and time consuming to implement, and probably not worth the extra time...

    If you have to allow actual users to use a shell on that box, however, I would agree that a SELinux approach is critical because you cannot really determine where you will get attacked from...
  • by Facekhan ( 445017 ) on Tuesday May 13, 2008 @09:52AM (#23390474)
    I've used the network equipment guides to harden routers and switches before and they are very handy.

    I can't speak to how well they withstand attacks after that, but if you follow their instructions an nmap scan basically reveals no open services (SSH ports have their own access lists).

    I prefer the guides to tools like RAT because auditors get so out of date that you end up chasing down their rules to find out they don't even know about the last few years of security enhancements. Cisco's Output Interpreter is also good for advice on hardening your devices.
  • Everyday user? (Score:2, Interesting)

    by MosesJones ( 55544 ) on Tuesday May 13, 2008 @09:56AM (#23390512) Homepage
    First off, the article talked about Snort, which I can't quite see my wife using, then moved on to talk about the development lifecycle, not a major part of her internet and PC experience. The NSA files, while useful, are huge (the Mac OS X 10.3 one is 2.5MB) and I can't see the everyday user trawling through that. It's only for Vista that it is really viable, as it says to use the MS settings, as these follow the NSA guidelines.

    So in summary the only everyday users who could do this are those using Vista.... an unusual plug for Redmond from Slashdot.
  • Re:Everyone knows... (Score:4, Interesting)

    by Bert64 ( 520050 ) <bert AT slashdot DOT firenzee DOT com> on Tuesday May 13, 2008 @10:05AM (#23390596) Homepage
    There were some security advisories for Amiga Unix a few years ago. Yes, Commodore made a Unix variant for the Amiga, which is extremely rare.
  • by Hyppy ( 74366 ) on Tuesday May 13, 2008 @10:18AM (#23390722)
    I've found the NSA Cisco hardening guides to be amazing. I could hand the guide to a help desk tech we were training to be a netadmin, show him how a console cable works, and he would have a functional and secure test network of a few devices running in no time.
  • by Anonymous Coward on Tuesday May 13, 2008 @10:27AM (#23390844)
    Allow execution of only known good binaries.

    One good tool out there is from Solidcore. It is being used in Point of Sale devices, ATMs and production servers in some big enterprises.

    Works on Windows* and Unices.

    -Yv
  • by jandrese ( 485 ) <kensama@vt.edu> on Tuesday May 13, 2008 @10:30AM (#23390870) Homepage Journal
    Where did you find a Windows Gold Disk that doesn't make a complete mess of the OS? I'd really like to get that, because I've never gone through that process and still had the application the box is designed for work. In fact it's typically worse with Windows, because when something gets a permission denied (especially on something like a Registry key), it won't be like Unix and spit out a message like "Error: File /foo/bar: Permission denied"; instead your application will crash and spit out a message like "Error: failure" to the system log (and only if you're lucky will it put something in the system error log). Since locking down Windows means changing the ACL on just about everything on the system, it's almost impossible to track down what broke your application.
  • Anonymous Coward wrote:

    allow execution of only known good binaries
    But who declares a binary "known good"? And how well do you expect your method to scale down to home and small-office PCs?
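The "known good binaries" idea from the Anonymous Coward post, and the question here of who gets to declare a binary known good, as an added example that is not code from any poster or from Solidcore: a hash manifest of approved executables, authenticated with an HMAC so that only the holder of the manifest key can approve a binary. The key, file names and file contents are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed demo: "known good" is a manifest of absolute path -> sha256, authenticated
# with an HMAC so only the holder of MANIFEST_KEY can declare a binary approved (assumption).
MANIFEST_KEY = b"constructed-demo-key-replace-me"

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def sign_manifest(entries):
    """entries: {absolute path: sha256 hex}. Returns (manifest text, HMAC tag)."""
    body = "\n".join(f"{d}  {p}" for p, d in sorted(entries.items()))
    tag = hmac.new(MANIFEST_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body, tag

def load_manifest(body, tag):
    """Refuse any manifest whose tag does not verify: an unsigned edit is not 'known good'."""
    expected = hmac.new(MANIFEST_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("manifest tag mismatch")
    return dict(line.split("  ", 1)[::-1] for line in body.splitlines())  # path -> digest

def is_allowed(path, entries):
    """Execution decision: the binary must be listed AND its current hash must match."""
    approved = entries.get(os.path.abspath(path))
    return approved is not None and hmac.compare_digest(approved, sha256_file(path))

def demo():
    """Returns (approved runs, unlisted runs, tampered runs, forged manifest rejected)."""
    with tempfile.TemporaryDirectory() as d:
        good, other = os.path.join(d, "approved.bin"), os.path.join(d, "other.bin")
        open(good, "wb").write(b"#!/bin/sh\necho approved\n")
        open(other, "wb").write(b"#!/bin/sh\necho never reviewed\n")
        body, tag = sign_manifest({os.path.abspath(good): sha256_file(good)})
        entries = load_manifest(body, tag)
        before, unlisted = is_allowed(good, entries), is_allowed(other, entries)
        open(good, "ab").write(b"echo tampered\n")  # binary modified after approval
        after = is_allowed(good, entries)
        forged = body + f"\n{sha256_file(other)}  {os.path.abspath(other)}"
        try:
            load_manifest(forged, tag)  # an added line without the key must not verify
            rejected = False
        except ValueError:
            rejected = True
    return before, unlisted, after, rejected
```

A real deployment would keep the manifest key (or a signing key) off the host and have the OS enforce the decision, which is what the commercial tools in the thread do; this block only shows the trust chain the question is about.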
  • You could always bring in a lappy and do like this guy [shandyking.com] did ...

    1. Find unsecured wireless router
    2. Secure it with your own ssid/password
    3. PROFIT - charge to "fix" the problem

  • works ok for me (Score:4, Interesting)

    by myxiplx ( 906307 ) on Tuesday May 13, 2008 @11:25AM (#23391466)
    Basic hardening of a windows system has stood us in good stead here. IE's locked down so sites can't run scripts. CD-ROM drives are disabled, users can't install USB thumb drives. All e-mails and internet access is filtered.

    It's not perfect by a long shot, but it's good enough that we've not had a sniff of a virus or malware outbreak in getting on for three years now. Hell, we don't even consider it necessary to install most MS updates straight away. We let other people do the testing, and roll them out via WSUS 3-6 months later.
  • Re:Defense in Depth (Score:3, Interesting)

    by dpilot ( 134227 ) on Tuesday May 13, 2008 @12:54PM (#23392450) Homepage Journal
    I'd go one step further, and state that SELinux *can* be the enemy of defense-in-depth. To begin with, SELinux has been sufficiently difficult to get running properly that a common response is to just shut it off. So if you want defense-in-depth, and the other forms of defense are those that haven't been pre-configured into SELinux, you're essentially discouraged from using them. (If you think it's hard picking SELinux up off the shelf and using it, then try some fairly deep modifications to existing policies, and adding new policies.)

    Add the amount of general awe people hold toward the NSA and SELinux, and there is a tendency for it to be not just A silver bullet, but THE silver bullet.

    That's not even to say anything necessarily bad about SELinux or the job it does, but there can be difficult circumstances created around it.
