Not meaning to beat dead horses, just clarifying a few issues...
On Fri, 6 Aug 1999, Frank Darden wrote:
> Ok, just my 2c
>
> I agree with the flick the BIC analogy..
> However.. I constantly talk to clients that complain that their users can
> barely login to the windows domain. As Boris pointed out, complex passwords
> = decent front end security.
This argument doesn't hold on the level of operating system security. NT
does have mechanisms for checking password complexity. If you are using
the NT Resource Kit and Microsoft's Security Configuration Manager, you
should have no problems with forcing NT to validate password complexity,
although the rules are not as flexible as with UNIX (i.e. the definition
of complexity is static in NT). All of which seems more than a little
irrelevant in the context in which this discussion started, which was the
suitability of NT for firewall deployment. I do not say this to dismiss
this argument, only to point out that its validity is stronger in other
contexts.
> Unrealistic for Joe Bloshmo sales rep. He will
> always use easy to guess passwords, given the opportunity to choose them on
> his own.. assign difficult to guess passwords to him, and he will write them
> down.
The argument here is a little weak. Couldn't Mr. Bloshmo also write down
the password for a B-2 certified Digital UNIX or Trusted Solaris box? The
issue is not the operating system but the fact that you are using
passwords for authentication. While NT is not known for its flexibility
in authentication and directory services (witness the fact that Novell had
> to hack the samsvr.dll to make NDS for NT possible), this certainly is not
operating system specific, nor is it mundane to NT's use for firewall
deployment.
Now, if you want to argue this in the context of an end-user system, it
would not be invalid to say that there is a relationship between NT's
interface and the fact that users don't always take adequate measures in
security. One could argue that Windows' strength, its user-friendliness,
is also its weakness, in that Microsoft's efforts not to expose users to
the genuine difficulties of computing and the extreme complexity that is
hidden from view in NT is also what makes a lot of Windows end users lazy
and inattentive to security. The attitude that underlies Windows, the
Homer Simpson "Why can't someone else do it?" certainly does present
challenges to anyone who wishes to operate a secure Windows NT system for
end users. Please note that I say "challenges" and not "insurmountable
obstacles".
One could argue that the same product aura that Microsoft uses to sell so
many million copies of NT and all of the ideological attendants to it
complicate the issues of user education and cooperation in security
issues. One should avoid simplifying this argument because there are no
easy alternatives. In particular, in anticipation of a certain simplistic
conclusion that might be drawn from previous statements, I would like to
make the following observation, itself somewhat lacking in nuance: UNIX is
not *simply* technology where Windows is ideological, in that UNIX's
vaunted status as a "truly technical" operating system is an ideology that
is used to market UNIX (or to put it another way: it is not an attribute
of UNIX per se but a way in which people relate to UNIX -- by inference
one may note that I am repeating a previous observation that technology
rarely stands in opposition to ideology). I say this only to observe
that, while Microsoft might be a master at manipulating the ideology of
technology, they didn't introduce ideological impurity into the technology
sector (and certainly not the technology market).
All of this is proper to a discussion of security policy and education.
While this is certainly central to security in general, it is a distinct
element among others and is certainly distinct from firewalls. If you
want to take this up in terms of operating system security and end users,
I would suggest the NTSEC list at ISS.net, as it seems to be a more
appropriate forum than a firewalls list.
> Extending an authentication system that has repeatedly demonstrated
> serious security flaws such as the Windows NT authentication (which is the
> knee jerk reaction solution from most MIS LAN folk..) (but it shore is
> convenient!) This scenario can be improved.
The scenario can be improved by using NT as your only flavor of Windows,
if that is your environment. If the concern is with the authentication
system, the biggest holes by far are use of the LanMan hashes for
compatibility (particularly with Windows 3.X and 9X) and not enabling NT's
packet signature/encryption features. It surprised me (slightly) that
Microsoft's high-security domain controller template for Security
Configuration Manager did not turn off LanMan and did not mandate the use
of signatures and encryption. (It is the LanMan hash that L0pht uses for
its sniff attack against NT passwords, as it is a weaker hash that is sent
over the wire during login [as login is the only time that Windows 9X
machines can authenticate to NT].) Microsoft warns that the high-security
templates may break stuff, but I would argue that they don't break enough.
Anyway, the point is that, in terms of firewalls, all of this stuff can
and should be hardened. And all of these settings can be verified by
anyone who bothers to read the O'Reilly NT books (at the very least,
the Frisch admin book and the Robechaux [sp.?] registry book) and then
tested to make sure they close the holes. Not that any firewall,
running on NT or otherwise, should have users authenticating against
anything but firewall related software, except maybe the admin (who would
do well to use out-of-band on most platforms anyway). In terms of end
user operations, I do not wish to advocate NT per se but to say that the
case for NT demands a little more than dismissive comments (which is not
at all to place Mr. Darden's message in this category).
All of this has wandered rather far afield, so, finding ourselves in other
fields, perhaps we may wish to announce that we have left the firewall
field and that it is time to take up the challenges of the fields in which
we have not so accidentally arrived. NTSEC, anyone?
-Bayard Bell
Emory University
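The two settings the message singles out (LanMan compatibility and SMB packet signing) can be audited from the registry. The script below is an added example, not part of the original message; the registry paths and value names are the documented ones, while the target values (NTLMv2 only, signing required) are this example's assumption of what a hardened host should look like.

```powershell
# Audit the NT/SMB authentication settings discussed above.
# Read-only: reports each value and whether it matches the hardened target.
function Test-NTAuthHardening {
    $checks = @(
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
           Name = 'LmCompatibilityLevel'
           Want = 5   # send NTLMv2 only; refuse LM and NTLM (assumed target)
           Why  = 'LanMan response still sent or accepted on the wire' },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
           Name = 'RequireSecuritySignature'
           Want = 1
           Why  = 'server still accepts unsigned SMB sessions' },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
           Name = 'RequireSecuritySignature'
           Want = 1
           Why  = 'client still talks to servers that do not sign' }
    )

    foreach ($c in $checks) {
        # A missing value means the platform default applies, which for all
        # three settings is the weak one (LM allowed, signing not required).
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $have = if ($null -eq $item) { $null } else { $item.($c.Name) }
        $ok   = ($null -ne $have) -and ([int]$have -ge $c.Want)

        [PSCustomObject]@{
            Setting = "$($c.Path)\$($c.Name)"
            Current = if ($null -eq $have) { '<not set (default)>' } else { $have }
            Target  = $c.Want
            Status  = if ($ok) { 'OK' } else { 'WEAK' }
            Risk    = if ($ok) { '' } else { $c.Why }
        }
    }
}

# Example usage: list only the findings that still need hardening.
Test-NTAuthHardening | Where-Object Status -eq 'WEAK' | Format-Table -AutoSize
```

Run it in an elevated session after applying a security template to confirm the template actually changed what it claims to, rather than trusting the template description.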