Secure by Default
Jason Miller, 2004-05-13

Why "Secure By Default" is a step in the right direction.

I'm not here to talk about some groundbreaking security technology or ideology that's going to change our lives -- if I had the solution to all of the security problems that have been plaguing the Internet lately, I'd be busy working on it. Instead, I'm here to talk about what I think is a basic and fundamental rule of good security practice: the OpenBSD concept of shipping an operating system "Secure by Default".

Okay, okay, I know what you're thinking. I'm an OpenBSD zealot that's convinced that his operating system of choice can save the world. Nah. If I'm a zealot, then I'm a FreeBSD zealot, but that's another story that we won't get into here. Let me try and stick with my point -- there is an obvious and undeniable benefit to keeping network-aware software disabled in the default installation of all operating systems.

Why? Applications are going to have vulnerabilities. This is possibly the one golden unavoidable truth in information security. Now, anyone out there who is screaming to me about their Java application inside a JVM running as a non-privileged user sitting in a jailed environment needs to be a little more pragmatic here. Vulnerabilities are everywhere. Deny this golden fact and you've already lost the war. I'm not even talking about the vulnerabilities that led to the success of Blaster, Slammer, Sasser, Slapper (okay, so I needed one example that applies to Unix), or whatever other worm is the current flavor of the month. I'm talking about the vulnerabilities that we don't know about: the vulnerabilities that are sitting there waiting to be discovered by someone with the time to spend looking for them, the vulnerabilities that have been discovered but are kept by a select few as precious 0day, and even the vulnerabilities that haven't been written yet, but will inevitably make their way into a network-aware service near you. Although some of these vulnerabilities may be eliminated in a proactive fashion, not all of them can be. That is something I can promise you.

So, we've established the fact that the existence of vulnerabilities in network-aware services (and everything for that matter) is something that we can't prevent. Now what do we do about it?

Shut them off by default. All of them. I'm going to take a step out into the firing squad and suggest that NO network-enabled services (and by this I mean listening servers, not client applications like dhcp clients and automatic update agents) should be enabled by default, period. Sure, there are the obvious ones like MSRPC and the Server service in Windows, or rsh/rlogin and NFS-related services in Unix (yes, most if not all Unix-based operating systems disabled things like these ages ago), but there is also plenty of other cruft running by default on most Windows systems. And yes, I'm even going to include the most amazing network-aware application of them all: sshd.

Now, I'm not saying that shutting off all network-aware applications by default is going to solve all of our problems, nor am I suggesting that "Secure by Default" means absolutely secure. Not by any far stretch of the imagination. What I am saying is that this concept provides us with a lot of solid and immediate benefits, and relatively few drawbacks. Sure, we're applying a rule to accommodate the lowest common denominator, but isn't that the way things need to be done in network security? Let me provide some examples of situations where disabling network-aware services by default gives us a benefit. And of course in the following when I say "prevents", I really mean something along the lines of "greatly reduces the risk of":
  • It prevents people who don't know what they're doing (there are an awful lot of them) or people who install an operating system to play with (see once again, people that don't know what they're doing) from unintentionally exposing a vulnerable service. Sure they can enable a service later, but we're going to be in a better situation than we would if the service was on by default anyways.
  • It prevents dated and vulnerable operating systems from being compromised during installation and before they can be patched.
  • It prevents things from being left on by accident.
  • It takes some of the onus off of the administrator (and I use the term loosely) of the computer to understand some of the most basic concepts of network security.
If you don't see a relationship between this concept of "Secure by Default", and the fundamental rule of "that which is not explicitly permitted is denied," then you need to look closer.
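
The default-deny rule above can be checked on a running Linux host. The following is an added example, not part of the original column: it parses `ss -H -tulnp` output (the sample below is constructed) and reports every non-loopback listener that is not on an explicit allowlist. The function names and the allowlist format are assumptions made for this illustration.

```python
import ipaddress

# Constructed sample of `ss -H -tulnp` output (not captured from a real host).
SAMPLE_SS = """\
udp   UNCONN 0      0            0.0.0.0:68         0.0.0.0:*    users:(("dhclient",pid=512,fd=6))
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0      128        127.0.0.1:631        0.0.0.0:*    users:(("cupsd",pid=640,fd=7))
tcp   LISTEN 0      128             [::]:22            [::]:*    users:(("sshd",pid=801,fd=4))
tcp   LISTEN 0      4096           [::1]:5432          [::]:*    users:(("postgres",pid=700,fd=5))
tcp   LISTEN 0      511                *:80               *:*    users:(("apache2",pid=900,fd=4))
"""


def is_loopback(host):
    """True when the bind address is reachable only from the local machine."""
    host = host.split("%")[0].strip("[]")   # drop %iface scope, then IPv6 brackets
    if host == "*":                          # ss prints * for a dual-stack wildcard
        return False
    return ipaddress.ip_address(host).is_loopback


def exposed_listeners(ss_output, allowed=frozenset()):
    """Return sorted (proto, port, process) tuples that are network-reachable
    and not explicitly permitted. An empty allowlist denies everything."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        host, _, port = local.rpartition(":")
        if is_loopback(host) or (proto, int(port)) in allowed:
            continue
        # Process column is present only when ss runs with -p and enough privilege.
        proc = fields[6].split('"')[1] if len(fields) > 6 and '"' in fields[6] else "?"
        findings.add((proto, int(port), proc))
    return sorted(findings)


if __name__ == "__main__":
    for proto, port, proc in exposed_listeners(SAMPLE_SS):
        print(f"not permitted: {proto}/{port} ({proc})")
```

Passing `allowed={("udp", 68)}` exempts the DHCP client socket, which the column does not count as a listening server; sshd on port 22 is still reported until it is explicitly permitted.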

Sure, there are some drawbacks to this ideology, but there are drawbacks to everything. The key is that the benefits outweigh the drawbacks. I could sit here and give a bunch of examples or talk about the benefits of this concept of "Secure by Default" until I was blue in the face, but I think a lot of these should be obvious. If you're really creative, you can probably even come up with some other interesting arguments that support this idea, for example what about the (negligible) performance benefits? The smaller memory footprint for the operating system?

But wait! I use <insert distribution here> Linux, and they don't run *any* network-aware services by default! Great! I'm not talking about some groundbreaking concept here that nobody is implementing, I'm simply trying to reinforce what I believe is a good idea for everyone. The idea of "Secure by Default" isn't new (unless you're from Redmond), and even then, it's still starting to be adopted in lots of different operating systems, including some interesting changes with Windows XP Service Pack 2 and Windows 2003. I won't get into that here, but it's safe to say that this concept is making some headway, and I believe it's something that all operating system vendors need to continue with.

Deep down, I know that I'm preaching to the choir. I'm talking about a problem that, on the whole, affects Windows more than it does Unix (and even they're starting to take steps in the right direction). However, on some level or another, this ideology of "Secure by Default" applies to all operating systems, not just those shipped from Redmond.

But let's be honest for a second -- if I were writing about the things that Unix could learn about network security from Windows, you'd have finished my article a long time ago.


Jason Miller manages the Focus IDS area for SecurityFocus.
Copyright 2010, SecurityFocus