In addition, see CERT advisory J-042: Web Security
(http://www.ciac.org/ciac/bulletins/j-042.shtml)
PROBLEM:
Public web servers continue to be attractive targets for hackers seeking to
embarrass organizations or promote a political agenda. Good security
practices can protect your site from the risks such compromises create.
PLATFORM:
Any Unix platform or NT system being used as a web server.
Best Regards, Donald Kelloway
http://www.commodon.com
-----Original Message-----
From: Bill Stackpole <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Sunday, June 20, 1999 12:07 AM
Subject: RE: Why not NT?
>I heard on the news this morning that there are 1.5 million web sites using
>IIS that are subject to hacking by a tool readily available on the Internet.
>I think that should end the discussion.
>
>> -----Original Message-----
>> From: Kunz, Peter [SMTP:[EMAIL PROTECTED]]
>> Sent: Tuesday, June 15, 1999 5:15 AM
>> To: [EMAIL PROTECTED]
>> Subject: Re: Why not NT?
>>
>> Folks,
>> I came across some nice Gartner Group reports. Here are some highlights:
>>
>> - SPA-03-1884 NT Server Security: When 'Good Enough' Is Not Enough
>>
>> For most server applications, the security of NT Server will not be an
>> inhibitor to its deployment, but we recommend that NT Server be avoided
>> for security-critical applications.
>>
>> Enterprises should not deploy NTS without assessing the likelihood of a
>> sophisticated attack of the application deployed. For most enterprise
>> applications, NT's ease of setup and configuration out of the box provides
>> a "secure enough" platform that minimizes the risk of a security exposure;
>> however, through year-end 2000, enterprises should avoid using NTS for
>> security-critical server deployments such as firewalls for high-threat
>> locations, as a focal point for single sign-on or for hosting
>> Internet-based electronic systems.
>>
>> For security-critical deployments, NTS will remain less secure than other
>> mature midrange OSs through 2001 because of Microsoft's desire to target
>> volume markets and increase revenue through continual product
>> enhancements.
>>
>> [Long list of NT security lags and B-level OSs]
>>
>> - C-03-5070 Sun. Pulling Together a Security Strategy?
>>
>> We consider the firewall market to be composed of three different
>> segments: a high security segment, a midrange segment and a low end that
>> is served by firewall appliances. Midsize enterprises should select
>> firewalls on the basis of familiarity with the platform used, ease of use
>> and the quality of security provided by the vendor.
>>
>> - KA-03-7212 Essential Components of a PC Security Software Decision
>>
>> [Lots of stuff on encryption]
>>
>> Microsoft OS Security Highlights; Risk of Handhelds
>>
>> - P-06-7364 HP's VirtualVault: Running Ahead for a Secure Web
>>
>> [Nice piece on a B-level compliant OS including Netscape Webserver]
>> [Porting to NT difficult, as source code for B-level verification not
>> available]
>> Other vendors: Sun and Data General.
>> [I'd expect to see B-level AIX (IBM) sometime soon]
>>
>>
>> I recommend anyone with a GG subscription get the CD and do some
>> research.
>>
>>
>> cu
>> -pete
>>
>> -
>> [To unsubscribe, send mail to [EMAIL PROTECTED] with
>> "unsubscribe firewalls" in the body of the message.]