[ale] Bob Toxen
James P. Kinney III
jkinney at localnetsolutions.com
Tue Dec 17 09:49:50 EST 2002
When I was the Unix sysadmin/security/developer/(fill in the blank)
person at Emory, our eventual solution was to physically remove the
SGI's from the network, put them on their own wire and firewall them off
from the rest of the world. We had ports open for 80, 22 and 53.
Everything else was explicitly denied. There was a security hole (nasty,
remote root exploit kind) in a key component of the desktop system. I
for the life of me have apparently core dumped the application name. The
bloody box just would not run without, though. It was used by other
SGI's for resource sharing (not NFS) and was a required service even if
it was not used. That hole was around for over 2 years with no fix.
SGI. Really, really, really nice hardware. Really nice OpenSource
support. Not too swift on the security fixes. OS does lots of pretty cool
stuff very, very, very fast.
Including allowing disreputable people to have access to things they
should not have access to.
On Tue, 2002-12-17 at 09:24, Dow Hurst wrote:
> That is completely true as all of y'all know. I've watched the other
> sysadmins on campus try to deal with just one or two systems which don't
> have firewalls. I wouldn't want to be in that position ever again. How
> can you get any real work done when every day you're having to test out MS
> patches for your NT servers? Even the Unix guys deal with security
> issues far too much. I know Bob always says that good security is
> expensive and that no security is even more expensive, but, how can you
> work with only security issues on your mind? It's like trying to be
> productive without proper timely backups. You can't sleep or eat in peace!
> Dow
>
>
> James P. Kinney III wrote:
>
> >And with a room full of SGI's, and the
> >time-to-patch-after-security-hole-is-found often measured in months, Bob
> >and the firewall are a required combination!
> >
> >On Mon, 2002-12-16 at 18:19, Dow Hurst wrote:
> >
> >
--
James P. Kinney III \Changing the mobile computing world/
President and CEO \ one Linux user /
Local Net Solutions,LLC \ at a time. /
770-493-8244 \.___________________________./
GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics) <jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7