Variety is the spice of life.
Perhaps the need of the hour as well.
Normal is boring. Sometimes normal can be a bit more dangerous than just plain boring. Security depends on the attacker knowing as little as possible about your systems. Your information is power in the hands of an attacker. Highly diverse, dissimilar systems are likely to pose a greater difficulty to an attacker than a standard, normal and expected configuration. From a security standpoint, being average is more than just being mean (pun unintended). Using similar application software, operating systems or even configurations is a probable cause of security issues. Thanks to the Internet, we are all now much more closely connected than we actually believe or understand ourselves to be. This connection implies that problems in one configuration can migrate to another with ease.
And the foremost tool used to externally analyze your machine is nmap (http://www.insecure.org/nmap). Nmap is a port scanner that can tell you which operating system is running and which services are listening on a given machine. Once an attacker is able to obtain information about the configuration of the machine, the situation changes. If the scan reveals the machine to be of a default or well-known configuration, scripts are usually available to attack the machine. These issues are not specific to either Windows or the Unix world; they are occurring with increasing frequency in both.
True, one would assume that there's a fair degree of diversity in the Windows world - after all, Windows is available as 3.1, 95, 98, CE, ME, NT, 2K and XP (with some of these in Home, Professional, Server and Data Center variants). If that isn't enough, you may or may not have applied the various service packs supplied by Microsoft. Hang on; we aren't done as yet - the IIS Web Server, IE and Outlook Express are available in a variety of versions. If there is so much diversity, we should be safe, right? But in the virus attacks that routinely cripple the Windows world we see the effects of having an operating system based on a common family with similar security issues. Love Bug, Melissa and the KaK viruses (http://www.securityportal.com/research/research.virus.html) extracted a devastating price in terms of the damage they caused. The fact that Microsoft routinely creates software that allows malicious external code to be executed via an email client is inexcusable; however, the rate at which these email viruses spread is a cause for concern.
Another example of the implications of a Windows bug comes from a newly discovered exploit that affects IIS 5.0 servers. This bug is estimated to affect over a million servers worldwide. How many of these servers are likely to be patched in time to avoid automated tools that hunt for such servers is yet to be known. However, if one reads the relevant Microsoft Security Bulletin (http://www.microsoft.com/technet/security/bulletin/MS01-023.asp), it is revealed that if a user had not retained the defaults but had customized his or her IIS setup, this problem could have been avoided. The rate at which these infections spread reveals that monoculture, especially in an office or an organization, is a fertile breeding ground for an attack to extract a savage price in terms of damage.
The Unix world is much safer, right? Well, not really. Linux is humorously described as the Unix de-fragmentation tool. And for far too long, most new users seem to think that RedHat is Linux and vice versa. The outbreak of the Ramen, Li0n and Adore (http://www.nipc.gov/warnings/alerts/2001/01-010.htm) worms reveals that Linux usage is also beginning to show a lack of diversity. These worms exploit the fact that machines are typically installed using the default RedHat install - something that installs unwanted software. It may be far easier to set up a safe server using Linux, but that does not explain the success of these worms.
Purists may object that most vulnerabilities occur in applications, not necessarily in the operating system. That is true - but what about the cross-platform applications that are now in vogue? Apache can now run on *BSD, Mac OS X, Linux and just about every other platform out there. In a famous hack some time ago, a bunch of clever hackers attacked apache.org to show that a misconfigured Apache server can lead to serious security vulnerabilities. Ken Thompson's famous compiler hack (http://www.acm.org/classics/sep95/) is another example of how one piece of software (in this case gcc) being used everywhere can lead to system-wide vulnerabilities.
If there is gloom about the state of diversity in computer systems, is there a flip side? Using numerous little-known, obscure and out-of-date software packages does not automatically guarantee security. The goal is to use the right software for the right job. Tailor each configuration to the particular need; don't assume that the default is right. Don't use one setup or configuration just because it may seem easy to administer or maintain. Security is a tradeoff between functionality and safety. Understand the need for diversity in the context of the systems that you are in contact with. Yes, there are advantages to a piece of software or an operating system being used by a large number of people. Widespread use results in better testing and detection of potential problems. In communities that can react quickly to problems (for example, the Linux community solved the Ping-Of-Death bug in 2 hours: http://www.linuxsolve.net/public.taf?id0=662&id1=1001), the widespread use of software implies that it can quickly become safer. So, is there a middle path to choose?
For the Windows world, the simplest option would be to not upgrade unless you absolutely need to. If your current browser displays pages decently, do you really need that new version? Especially if you have been diligently applying all the patches (http://windowsupdate.microsoft.com/) for your current setup. Use some of the available freeware firewalls to mask your identity. For the Linux world, do not use the default install - customize each machine based on the requirements for it. Use a hardening script like Bastille Linux (http://www.bastille-linux.org/) to kill known security issues. Turn off services that you do not need.
One very interesting possibility is the IP-Personality patch (http://ippersonality.sourceforge.net/) available for the Linux 2.4 kernel. This patch makes your machine look like another operating system to external scanners - so you can make your Linux machine pretend to be an OS/2, Windows, FreeBSD or Sun Solaris box! In this way, you can actually have your cake and eat it too. You can use a popular distribution (and the attendant benefits) while pretending to be a rare (and therefore difficult to attack) platform.
A heterogeneous network in an office or organization will need more work and maintenance. It may also need more resources and personnel. But in the larger perspective, if you want a more reliable and fault-tolerant setup, then diversity is strength. Learn to mix and match operating systems, software and resources. Depending on your needs, use different configurations where they are justified. Try to develop an awareness of where each piece of software has a particular niche to which it is best suited. Apart from teaching you about different software and how they interact, this will expose you to potential overlaps between software - something that is useful from a security perspective. More importantly, learning how to use different software keeps you from becoming normal and ordinary - and normal is boring, right?
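As an added example (not part of the original article), the script below takes the defender's side of both the nmap passage and the heterogeneity argument: it parses an nmap grepable (-oG) inventory of your own hosts and measures how many of them present an identical external fingerprint, which is a direct reading of how far the network is a monoculture. The scan lines are constructed sample data, and the field layout (tab-separated Host:/Ports:/OS: fields, each port entry written as port/state/proto/owner/service/rpc/version/) is assumed to match nmap's -oG output; compare it against a real scan of your own network before relying on the parser.

```python
"""Measure configuration monoculture from an nmap grepable (-oG) inventory.

Added example, not code from the original article. The field layout below is an
assumption about nmap's -oG format; SAMPLE_SCAN is constructed data, not a real scan.
"""
from collections import Counter
import re

# Constructed sample: five hosts on one network, three of them cloned from the same default install.
SAMPLE_SCAN = """\
# Nmap scan (constructed sample, not real output)
Host: 10.0.0.11 ()\tPorts: 22/open/tcp//ssh//OpenSSH 2.9p2/, 80/open/tcp//http//Apache httpd 1.3.19/, 111/open/tcp//rpcbind///\tIgnored State: 997 closed ports\tOS: Linux 2.4.X
Host: 10.0.0.12 ()\tPorts: 22/open/tcp//ssh//OpenSSH 2.9p2/, 80/open/tcp//http//Apache httpd 1.3.19/, 111/open/tcp//rpcbind///\tIgnored State: 997 closed ports\tOS: Linux 2.4.X
Host: 10.0.0.13 ()\tPorts: 22/open/tcp//ssh//OpenSSH 2.9p2/, 80/open/tcp//http//Apache httpd 1.3.19/, 111/open/tcp//rpcbind///\tIgnored State: 997 closed ports\tOS: Linux 2.4.X
Host: 10.0.0.20 ()\tPorts: 80/open/tcp//http//Microsoft IIS httpd 5.0/\tIgnored State: 999 closed ports\tOS: Microsoft Windows 2000
Host: 10.0.0.30 ()\tPorts: 22/open/tcp//ssh//OpenSSH 2.9/, 443/open/tcp//https//Apache httpd 1.3.20/\tIgnored State: 998 closed ports\tOS: FreeBSD 4.X
# Nmap done
"""

# One -oG port entry: port/state/proto/owner/service/rpc info/version/ (assumed layout)
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")


def parse_grepable(text):
    """Return one dict per 'Host:' line: address, OS guess and the open services."""
    hosts = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comments and blank lines
        # Fields are tab-separated "Name: value" pairs.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        addr = fields["Host"].split()[0]
        services = []
        for port, state, proto, service, version in PORT_RE.findall(fields.get("Ports", "")):
            if state == "open":
                services.append((int(port), proto, service, version.strip()))
        hosts.append({"addr": addr, "os": fields.get("OS", "unknown"), "services": services})
    return hosts


def fingerprint(host):
    """What an outside scanner sees: OS class plus the set of (port, service, version)."""
    return (host["os"], tuple(sorted((p, s, v) for p, _, s, v in host["services"])))


def monoculture_report(hosts):
    """Group hosts by identical external fingerprint.

    Returns (largest_share, groups): largest_share is the fraction of hosts that share
    the single most common fingerprint (near 1.0 means one scripted attack that works on
    one host works on all of them); groups maps fingerprint -> list of addresses.
    """
    groups = {}
    for h in hosts:
        groups.setdefault(fingerprint(h), []).append(h["addr"])
    largest = max((len(v) for v in groups.values()), default=0)
    share = largest / len(hosts) if hosts else 0.0
    return share, groups


def shared_software(hosts):
    """Count the hosts exposing each (service, version) pair; a version present on most
    hosts is a fleet-wide single point of failure the day an advisory appears for it."""
    counts = Counter()
    for h in hosts:
        for service, version in {(s, v) for _, _, s, v in h["services"]}:
            counts[(service, version)] += 1
    return counts


if __name__ == "__main__":
    hosts = parse_grepable(SAMPLE_SCAN)
    share, groups = monoculture_report(hosts)
    print(f"{len(hosts)} hosts, {len(groups)} distinct external fingerprints; "
          f"largest group holds {share:.0%} of the fleet")
    for (os_name, _), addrs in sorted(groups.items(), key=lambda kv: -len(kv[1])):
        print(f"  {len(addrs)} host(s) look like {os_name}: {', '.join(addrs)}")
    for (service, version), n in shared_software(hosts).most_common(3):
        print(f"  {service} {version or '(no version)'} exposed on {n} host(s)")
```

Run it against the -oG output of a scan you have authorized on your own address range; the largest-group share tells you how much of the fleet a single default-configuration script would cover, and the shared-software counts show which one version you would have to patch everywhere on the same afternoon.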