Slashdot Mirror


Using Layered Defenses to Stop Internet Worms

An anonymous submitter writes "Following last week's release of security configuration guidance for Mac OS X, the National Security Agency has released a paper on Internet worms and how to stop new worms using layered defenses (pdf). A good read - your US tax dollars at work."

7 of 148 comments

  1. Re:my guide to avoiding worms by Red Alastor · · Score: 3, Interesting

    Worked for my sister too, and she is a typical non-technical user. Of course, she didn't install it by herself and still has very little knowledge of what the system does (the same level she had with Windows anyway), but she managed to do everything she was already doing with Windows.

    I switched her since I was tired of reinstalling her Windows system which she always found ways to break. So far, her Linux box works flawlessly.

    --
    Slashdot anagrams to "Sad Sloth"
  2. Difficult thing about worms... by OnlineAlias · · Score: 2, Interesting

    They never seem to stay the same. They take advantage of things that no one previously thought of, which is why they are so damaging. Defense in depth is great and all, but the next killer worm will probably blow through all of it...

  3. Re:What happened to Darwinism? by Florian Weimer · · Score: 2, Interesting

    I wish they could just come out and clearly advocate diversity among OSes. The biggest threat IMO is the ubiquity of holes, not severity.

    Following the diversity mantra would require me to install Windows on some servers and run IIS. I doubt that this increases the security of my systems, especially because I don't know much about Windows server administration.

  4. thank you by dJOEK · · Score: 2, Interesting

    I, as a European, would like to thank our American friends for funding this information for the entire world.

    It's very nice to see that an organisation such as NSA makes this info Globally Accessible.
    This is important, especially with your current president.

    Of course, the US benefits from the fact that worms do not spread to the nation of freedom.

    So once again, thank you for knowing we exist!

    PS: Slashdot is America-centric! ;-)

    --
    Exercise caution when modding this message up: the author acts like a jerk when his karma is excellent.
  5. Just Wondering... by Jameth · · Score: 3, Interesting

    On this topic of layered defenses:

    Is it possible to use the Xen VM that was on Slashdot earlier today to run multiple OSes and use one OS on the machine as a firewall for the other?

    Could you rig the setup of one so that it couldn't crash the hardware, it could at most make itself crash and reboot without the computer going with it?

  6. Re:my guide to avoiding worms by Lost Race · · Score: 3, Interesting

    I've been using mainly Windows and DOS since 1985 and never had a worm, virus, spyware, or any other sort of computer "infection". I don't even use "anti-virus" software, except maybe once a year or so just out of curiosity.

    Security isn't about the OS, it's about awareness and prudence. I don't run software of unknown provenance or whose capabilities I don't fully understand. I keep Linux-based firewalls between the (mostly unpatched) Windows machines and the Internet. I don't use Internet Explorer or Outlook.

  7. Re:Why I don't want a "secure" OS by jd · · Score: 3, Interesting

    I'm not convinced. Let's take the following fictional setup:

    Firewall box is running something like OpenBSD (or some other heavily-audited OS), with a pro-active NIDS that detects abnormal network behaviour and shuts down the offending connection.

    User box is running some sort of B1-class "Trusted OS". (A1 would be nicer, but there aren't any commercial A1-certified OSes.) The OS has file-integrity checkers, such as Tripwire, to screen for infections. All externally-originating connections are host-authenticated. RSH and other "vulnerable" protocols are totally disabled. All passwords are validated as "strong" and kept in a secure file or database. Again, all software is heavily audited. Anything considered potentially "unsafe" is run with strict bounds-checking and in a highly controlled environment (e.g. a chrooted "jail").

    In practice, I don't know of any user who actually has a setup of this kind, but let's suppose someone did. Would they still need to be vigilant? Is there anything that is likely to be able to bust through that kind of security? Even if a potential exploit existed somewhere along the chain, isn't the chain sufficiently extensive that nobody could ever make use of it?

    And even if someone could bust through and seize control of such a machine, isn't the threshold so high that the only people able to do it would likely not be stopped by anything you as a user could possibly do? No matter how vigilant you were?

    I believe that "secure" computers can exist, that there is nothing fundamentally impossible about having a setup that is, to any practical degree, uncrackable but still useful to users.

    I don't believe any such systems exist for home users. (I don't consider a top-end SGI box, running the latest and greatest version of IRIX, to be a device you could really call a home computer.) However, equally, I don't believe there is any law of nature which prevents such systems existing for home users.

    When (not if) such systems are developed for the home user, I think it would be very safe for such users to cut back on security patches and eternal vigilance. The combination of holes required to breach such a system would be unlikely to exist, so letting a few holes slide shouldn't be a problem.

    And if someone was good enough to get through all those layers of automatic defence, they'd likely be good enough to get past any defence a mere individual could put up, no matter how vigilant they were.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)