[Dshield] Microsoft - Threat to National Security?

Kenton Smith ksmith at chartwelltechnology.com
Thu Sep 25 16:01:03 GMT 2003

I have a couple of issues with this paper. One is regarding the means by
which Microsoft actually got to where it is, and who made the choices
that helped Windows achieve its current state of widespread adoption. I
can't come up with a coherent argument for or against that, so I'm going
to go to the second issue I have.

This whole issue of homogeneity. Yes it can be a problem, as we have all
seen. But is the alternative really better? Here's the example that's
been floating around in my head since reading the paper. Say I've chosen
their recommendation and I have gone from having 20 web servers running
IIS to 5 running IIS, 5 running Apache on OS X, 5 running Apache on Red
Hat, 5 running Apache on OpenBSD, and 5 running Sun One on Solaris.
I've gotten out of the Windows rut, but right into another, more
challenging one. If a vulnerability is released for IIS, I used to run
my patch management software and get them all patched. This was one easy
step and I could schedule it for any time of the day or night. I still
do for IIS, but what do I do now that I have the same web server
(Apache) running on 3 different platforms? How quick am I going to be to
patch these systems when a new Apache vulnerability comes out? There
isn't patch management software that'll do this, as far as I know. So I
have to visit the distribution's site, and download the patch then
upload it to each box and run whatever is necessary on each box. Plus I
have to do it manually and therefore need the time to not only get the
patch, but also apply it to each machine. Isn't this an increase in
complexity and as a result a security risk?

This is just one example, but there seems to be a disconnect between
their argument of complexity adding to the security problem, and their
push to move everyone (specifically large government organizations) to
the complexity of heterogeneous systems. Until someone chooses to come up
with management tools to make managing this type of a network easier, I
think they're going to create more problems than they are going to


