The magic security CD disc Re: HTTP proxies

It can't be done, at least not usefully.

It's easy to turn things off; the hard part is knowing what should be
left on, given your needs, the threat environment, and other protective
measures.

I forget which of the Rainbow Series of books said it -- the Yellow
Book, I think -- but one of them noted that the same LAN that was
insecure in an office might be quite secure in a submerged submarine
with a highly-cleared crew aboard.

It is possible, though, to write something that would analyze a
configuration and present you with a sensible menu of choices. It
could know, for example, that one can't disable rpcbind if other
RPC-based services are running. But getting that right for even a
single release of a single OS is hard enough, let alone many releases
of many OSes. And then, of course, you want to add advice to the user.

    --Steve Bellovin, http://www.research.att.com/~smb (me)
    http://www.wilyhacker.com ("Firewalls" book)

As far as I know, we don't have a big problem with zombie computers on
submarines DOSing the Internet.

It takes a lot of time to talk individual users through fixing their
computers. Especially when they didn't break it. They just plugged
the computer in, and didn't spend 4 hours "hardening" it. Most of the
time we're not talking about very complex server configurations, with
full-time system administrators. The "magic" CD would be for people who
don't know they are sharing their computers with the Internet. When
they find out (or someone else reports it), they don't want to share
their computers with everyone on the Internet. They just want it fixed.

How unfortunate that the magic CD you refer to is not the one with "Microsoft
Windows" written on the front :-p

Seriously, it is faintly ridiculous that we have operators talking about
a magic CD to fix the broken default installations of various operating
systems (I include Linux etc. here too). If OS vendors shipped, by default,
less broken configs (or at least configs that turned services off -
e.g. port 137 - when not required), much, though not all, of this
problem would go away. Just like it is (now) considered irresponsible
to ship a PABX/Voicemail system with open dialthrough, the same should
be true of operating systems. In many such OSes, like it or loathe it,
automatic or semiautomatic update mechanisms already exist. This would
seem to be a good use to put them to. Perhaps NIPC etc. should start
talking to OS vendors.

Concrete example (not to pick on MS for a change) - every time I've
installed a Linux machine I spend 10 or 20 minutes rewriting the (kernel)
firewall rules for the box to suit the apps I have installed. It's a
completely automatable task. Someone unfamiliar with either IP or UNIX would
find writing such a script very hard and it would take them much longer. Do
mainstream distributions include such an automatically built script by
default? Not to my knowledge.

Alex Bligh
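Two points in this thread fit together: Bellovin's remark that a configuration analyzer would have to know that rpcbind cannot be disabled while other RPC-based services are still running, and Bligh's remark that rewriting the host firewall rules to suit the installed applications is an automatable task. The block below is an added illustration of both, written for this page and not taken from either author or from any distribution's tooling. It works over a constructed service inventory (hypothetical host, hypothetical port assignments; the service names, `requires` relationships and the `Service`/`plan`/`nft_rules` helpers are all assumptions made here), keeps every service the owner wants plus whatever those services transitively depend on, marks the rest for disabling, and emits a default-deny nftables input chain that opens only the ports the kept services listen on.

```python
"""Added example: a dependency-aware hardening planner for one host.

Input is a constructed inventory of listening services (not output from
a real system). Output is the set of services to keep, the set to turn
off, an explanation for every unwanted service that must stay on anyway,
and a default-deny nftables ruleset sized to the kept services.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    ports: tuple          # (proto, port) pairs the service listens on
    wanted: bool          # does the owner actually need this service?
    requires: tuple = ()  # other services this one cannot run without


# Constructed sample inventory for a hypothetical host.
INVENTORY = [
    Service("sshd", (("tcp", 22),), wanted=True),
    Service("rpcbind", (("tcp", 111), ("udp", 111)), wanted=False),
    Service("nfsd", (("tcp", 2049),), wanted=True, requires=("rpcbind",)),
    Service("smbd", (("tcp", 139), ("tcp", 445)), wanted=False),
    Service("nmbd", (("udp", 137), ("udp", 138)), wanted=False, requires=("smbd",)),
]


def plan(inventory):
    """Return (keep, disable, reasons).

    keep    - sorted names of services that stay on
    disable - names of services that can be turned off, in inventory order
    reasons - for each unwanted service that must stay on, why it stays
    """
    by_name = {s.name: s for s in inventory}
    keep = set()
    reasons = {}
    # Start from what the owner wants and pull in transitive dependencies.
    stack = [s.name for s in inventory if s.wanted]
    while stack:
        name = stack.pop()
        if name in keep:          # already handled; also breaks cycles
            continue
        keep.add(name)
        for dep in by_name[name].requires:
            if dep not in by_name:
                raise KeyError(f"{name} requires unknown service {dep}")
            if dep not in keep:
                if not by_name[dep].wanted:
                    reasons[dep] = f"kept: required by {name}"
                stack.append(dep)
    disable = [s.name for s in inventory if s.name not in keep]
    return sorted(keep), disable, reasons


def nft_rules(inventory, keep):
    """Render a default-deny input chain that admits only kept services'
    ports plus loopback and established traffic."""
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
    ]
    allowed = sorted({p for s in inventory if s.name in keep for p in s.ports})
    for proto, port in allowed:
        lines.append(f"    {proto} dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    keep, disable, reasons = plan(INVENTORY)
    print("keep:   ", keep)
    print("disable:", disable)
    for name, why in reasons.items():
        print(f"note:    {name} {why}")
    print(nft_rules(INVENTORY, keep))
```

On the sample inventory the planner keeps sshd and nfsd, keeps rpcbind only because nfsd needs it (and says so), and turns off smbd and nmbd, so the generated chain never opens udp/137 or the other NetBIOS and SMB ports. The real work on a live system would be collecting the inventory and the dependency graph per OS release, which is exactly the part Bellovin calls hard; the planning and rule generation on top of it is the mechanical part Bligh describes.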