From: D.M. Procida on 16 Apr 2008 09:36

Bernard Peek <bap(a)shrdlu.com> wrote:

> >>> Sorry, I should have said that this would be directly Internet-facing on
> >>> a public IP address.
> >>>
> >> From your previous description, it doesn't need to be and from your
> >> requirements it shouldn't be - Andy's advice is spot on. For the sake
> >> of £30-£40 you get a lot of security by buying a decent router and
> >> configuring it properly.
> >
> > I'm afraid I don't have that kind of say over this institution's IT
> > policies.
>
> If you suggest that an internet-facing machine should have regular
> penetration testing (and tell them how much it could cost) you may get
> them to change their mind.

Actually, although the workstations here (at Cardiff University) are on public IP addresses, I don't know what else might be between them and the rest of the world. There is presumably some sort of firewall.

> > It's not really my battle. When I started the job I refused to use
> > Windows and insisted they buy me an iMac, but the Linux question is on
> > someone else's behalf.
>
> You appear to have a pathological situation which the PTB aren't
> handling too well. My first instinct would be to run away very fast. But
> now isn't the best time to look for work.

I'm very happy in this particular job, thanks.

Daniele
From: Chris on 16 Apr 2008 09:45

D.M. Procida wrote:
> What would you suggest as sensible security measures for desktop Linux
> users, who won't be running such things as PHP websites or an array of
> vulnerable services?
>

Which Linux do you wish to use? It may be an idea to use a RH derived distro (Fedora, CentOS, etc) and switch SELinux /on/.

Also, remove as many proprietary binaries/drivers as you can live without such as flash, nVidia, et al. and use Open source alternatives. Linux is not a priority for many of the developers so patches can be slow in coming when compared to their Open Source equivalent.

This site, although mainly for desktop users, has some good advice: http://www.getsafeonline.org/nqcontent.cfm?a_id=1166
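Chris's suggestion of a RH-derived distro with SELinux switched on comes down to one line in /etc/selinux/config plus a check that it took. The POSIX shell helper below is an added example, not code from this thread or from any distribution: it sets the boot-time mode in a RH-style config file (the path is a parameter so it can be exercised on a copy rather than the live file), refuses values SELinux does not understand, verifies the edit, and reports the running mode through getenforce where that tool exists. The function names and the sample config used to try it are my own construction.

```shell
#!/bin/sh
# Added example: manage the boot-time SELinux mode in a RH-style
# /etc/selinux/config. The file path is passed in so the functions can be
# tried on a constructed copy instead of the real system file.

# Print the SELINUX= value from a config file (comment lines ignored;
# SELINUXTYPE= does not match because the pattern requires '=' after SELINUX).
selinux_mode_of() {
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Rewrite (or append) SELINUX=... in the given config file.
# Only the three values SELinux itself accepts are allowed.
set_selinux_mode() {
    cfg=$1
    mode=$2
    case $mode in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELinux mode: $mode" >&2; return 1 ;;
    esac
    if grep -q '^[[:space:]]*SELINUX=' "$cfg"; then
        # -i.bak keeps a backup and works with both GNU and BSD sed.
        sed -i.bak "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$cfg"
    else
        printf 'SELINUX=%s\n' "$mode" >> "$cfg"
    fi
    # Confirm the file now says what was asked for.
    [ "$(selinux_mode_of "$cfg")" = "$mode" ]
}

# Report the mode of the running kernel where the SELinux tools are present
# (prints e.g. "Enforcing"); "unavailable" on systems without getenforce.
running_selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce
    else
        echo "unavailable"
    fi
}
```

On a live RH-style system the SELINUX= line only takes effect at the next boot; setenforce 1 / setenforce 0 switches a running kernel between enforcing and permissive, but a system booted with SELinux disabled needs a reboot (and usually a filesystem relabel) before it can enforce anything.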
From: Nigel Wade on 16 Apr 2008 11:09

Van Helsing wrote:
> Nigel Wade wrote:
>
>>>
>>> This is mainly to satisfy an institutional box-ticker, whose box demands
>>> that "up-to-date anti-virus software" be installed.
>>>
>>
>> In that case your first approach should be to point out to them that the system
>> runs Linux, and there are no viable viruses in the wild for Linux.
>>
>> If the bean counter doesn't have sufficient clue for this to satisfy them, then
>> install ClamAV and pat them gently on the head and say "there now, is that ok?"
>
> Whilst I'd agree with you on the subject of viable viruses for Linux it's
> important not to forget that Linux can act as a carrier in mixed OS
> environments. A downloaded file that may be perfectly harmless to a
> Linux host could contain a virus that infects a Windows host if copied
> across.
>
> In a mixed OS environment it's definitely worth considering running an AV
> scanner on Linux if only to prevent it being the infection vector to its
> lesser brethren.
>

It makes more sense to run the virus scanner on the system which is affected by viruses. The vulnerable system should have its own virus scanner installed, and that system should scan every file which is accessed from anywhere other than its internal disk. Virus scanning on the Linux system should not be necessary, but might be desirable.

As for using a private address and NAT router, it may be that the OP is constrained by policy as we are here. It is not allowed for us to install any system with a private address. Any machine connected to the University network *must* have a valid IP address within the Uni. domain. This allows the network admin. to identify traffic originating from, or destined for, any machine on the network in case that machine is causing network problems and/or using banned protocols such as P2P etc.

As for regular security testing, that is probably already done. Nessus is used here; I'd be surprised if Cardiff don't do something similar. That's another reason that every system has to have a public IP. Also all internal firewalls need to allow full access to the Nessus system.

-- 
Nigel Wade
From: Bernard Peek on 16 Apr 2008 11:10

D.M. Procida wrote:
>
> Actually, although the workstations here (at Cardiff University) are on
> public IP addresses, I don't know what else might be between them and
> the rest of the world. There is presumably some sort of firewall.

I think that's a safe assumption. Yours isn't the only university that gives all of its workstations public IP addresses. I've heard elsewhere from a sysadmin who has tried to shift a large university site to private addresses without any success. They have some applications that they believe require public addresses and don't have any easy way to find out where they are installed, so they can't isolate those users.

It's not uncommon for sites that adopted the Internet early to have painted themselves into a corner. Decisions that were reasonable in 1980 may now be irrevocable. They may want to change now but the problem is too big to be manageable. It might be fixable as part of a technology refresh but a site-wide refresh in one hit seems unlikely. Perhaps if they switch to IPv6 they will do it.

It's worth thinking about just why they have those tick-box specifications. They may have to comply with a specification written by someone else sometime in the past. It may be a clause in a support contract or in an insurance policy. Non-compliance could have quite large costs if some other part of the system gets borked. If this is the case then an independent or authorised expert's assessment that Linux complies with the letter of the law may be all you need. Just who that expert might be depends on who wrote the specifications and why.

-- 
bap(a)shrdlu.com
From: Tim Clark on 16 Apr 2008 11:53
In article <66m8dgF2k559uU1(a)mid.individual.net>, Bernard Peek <bap(a)shrdlu.com> writes:
> D.M. Procida wrote:
>
>> This is mainly to satisfy an institutional box-ticker, whose box demands
>> that "up-to-date anti-virus software" be installed.
>
> Does a patched Linux installation fit that description?

No, you're not thinking along the right lines. If you want to honestly state that you have "up-to-date anti-virus software" installed on your machine, create a text file containing:

#!/bin/sh
# name: up-to-date anti-virus software
# purpose: a placebo for box tickers
sleep 316224000
exit 0

make sure you call the file "up-to-date anti-virus software", make it executable, install it somewhere appropriate. You can now legitimately claim to any box-ticker or similar pond life that you have "up-to-date anti-virus software" installed on your machine

-- 
Tim Clark