Domain: bayour.com
Stories and comments across the archive that link to bayour.com.
Comments · 6
-
Re:wouldn't it be simpler to run a Linux distro ..
> Do you really expect us to believe that the only secure way of accessing an Office Doc is to quarantine it.
> I thought you had the system totally locked down and AV on all desktops?As far as I'm concerned, yes. There are far too many vulnerabilities in office docs, and no way for me to lock those programs down. The primary aim of our security practices is to stop malware coming into the building, once it's in we're pretty much screwed. AV is the last line of defence, and one I don't particularly trust these days.
Blocking executable viruses and securing the web browser is easy. Securing Outlook and Office programs is a pain, but fortunately it's not proving too much hassle to manually vet these and we catch 5-6 documents a week that aren't caught by the AV scanning on our email gateway.
I just don't trust AV scanning these days, there's always a window of opportunity for any new virus, and too many viruses are sneaking in under the radar. In the last 18 months I've submitted four previously unknown viruses to the AV companies, two of which weren't detected at all by either Sophos, Symantec or AVG after booting from recovery CD's.
> What are those specialist apps. Do you mind telling me what sector your business is in?
Our sector - structural steelwork, and off the top of my head a quick list of some of our specialist software would be: AutoCAD, Design Review, Strucad, Xsteel, GoData, Farm Design, Multisuite, Procad, Fabtrol, Dema, Union2, Fastrak, Tedds.
None of these are minor, most are absolutely core programs that are vital to our business. To the best of my knowledge, *none* are available under Linux, and at least 4 require some serious graphics capabilities that rule out virtual machines or wine.
> http://www.linuxjournal.com/article/6266 [linuxjournal.com]
> http://en.wikipedia.org/wiki/OpenLDAP [wikipedia.org]
> http://www.bayour.com/LDAPv3-HOWTO.html [bayour.com]Ok, you've got open LDAP authentication. Now make it as easy to use as Active Directory Users & Computers, with all the functionality (we use a *lot* of it - have you got support for Microsofts IAS there?). You're also missing Group Policy. That sets all our security policies, it configures our computers, and installs all our software.
> http://www.howtogeek.com/howto/ubuntu/configure-how-often-ubuntu-checks-for-automatic-updates/ [howtogeek.com]
Ok, you can do security updates. How about deploying software? What about configuring policies for things like disabling CD-ROM drives, enforcing screensaver timeouts, etc.
> I am surprised as my personal experience is a bit different
I've been doing this a while
:) Most of this lot is second nature to me.> What else do you do apart from locking down and patching?
Everything
:-) I'm your proverbial jack of all trades, responsible for:
Servers, Databases, Intranet, Security, Backups, Software Development, Helpdesk, Software Installation, Printers (up to A0), Fax machines, ScannersWe have 13 servers and over 100 individual pieces of software on this network. There are also a further 20+ legacy in house applications in use (mainly visual C++ v5, with the odd visual basic v5 one), and about half a dozen modern ones (developed with visual studio
.net or 2005). We have five database servers, a wiki, an intranet, an email server, two firewalls. We run Windows (NT - 2003), Linux, OpenSolaris and ESX, with the Citrix server having been retired.And believe me, I've simplified things wherever possible. This network is horribly, horribly complex. It took me nearly two years to familiarise myself with it, and we really do use everything I've
-
Re:wouldn't it be simpler to run a Linux distro ..
'all Office Documents are quarantined before manual release'
Do you really expect us to believe that the only secure way of accessing an Office Doc is to quarantine it. I thought you had the system totally locked down and AV on all desktops?
"it would take a lot longer to get this network working under linux than windows"
I thought Linux did networking as well as Unix, what do your servers/routers/switches/firewall run on?
"the couple of dozen specialist apps that simply don't exist in Linux"
What are those specialist apps. Do you mind telling me what sector your business is in?
"I'm not aware of anything that as easy to use and effective as group policy for securing computers and deploying software"
http://www.linuxjournal.com/article/6266
http://en.wikipedia.org/wiki/OpenLDAP
http://www.bayour.com/LDAPv3-HOWTO.html
http://www.howtogeek.com/howto/ubuntu/configure-how-often-ubuntu-checks-for-automatic-updates/
"I think you'd be surprised just how low maintenance this lot is"
I am surprised as my personal experience is a bit different
"patching software is something we can do in our own sweet time"
What else do you do apart from locking down and patching? -
Re:+ Kerberos ?
Ok, so "turnkey" was a bit overstatement. "be able to do it for the common admin" atleast.
To do this today, you need to be a wizard. With Red Hat/Fedora it's been a little easier -
They have the system-config-auth tool. Which works. Hand editing the pam config to make this workable on a debian box wasn't ... fun.
here is how you set up LDAP+Kerberos.
It is sorcery. -
Re:MS is ahead of Open Source on encryption
- Loop-back encryption is kinda clunky. dm-crypt looks to be a cleaner way to do encrypted devices. And pam_mount can mount encrypted home directories on login.
- As for doing encryption in the filsystem, several people are at working at it.
- Your notion that OpenSSH only creates a tunnel while the "console" is open, is little more than FUD. Oh no! The console!. That's the whole point. SSH is largely interactive by its very nature.
- It's quite easy to setup OpenSSL in inetd mode for SSL'd services.
- Encrypted executables? Are you joking? WTF would that achieve? If someone has physical access to your machine, you're screwed anyway. And if someone has broken into your machine remotely then your executables are probably the last thing to worry about. On Unix/Linux systems you need root access to write to system executables. If an intruder has root access, they can do anything and don't need to modify your executable to screw around. This is a straw-man argument.
- Linux is very good as a VPN router. Not only do we have IPsec/IPV6 from the KAME project, there's also the (abandoned) FreeS/WAN project and the spin-off Openswan. But don't forget OpenVPN (available for quite a few platforms, not just Unix/Linux). If you're really desperate, you can always combine SSH and PPP to make a VPN.
- Tokens? You have heard of Kerberos haven't you?
BTW, here's a good LDAPv3+SASL+KerberosV HowTo
My god you are a troll. Oh, and as others have pointed out, encryption does not instantly make something secure.
-
Fertile ground for foul playThis Jones fellow is just dusting off the FUD we heard a few years ago, perhaps just to keep attention off the heinous security problems that are affecting Win NT, 2000, XP, and Win2003 despite claims of improvement.
When you rely on proprietary products you often get the shaft, especially if you cannot audit and compile the code yourself. See:
This applies to all areas, especially infrastructure. For now you have a choice, you can choose Kerberos and OpenLDAP, where you can audit the code. Or, you can experiment your money away with MS-ActiveDirectory and hope that it does what it claims to on the box and hope that none of the currently known remote exploits cause you any trouble. -
Re:This has been a huge problem for us as well
Have you seen this?