On 02/11/99 23:28:15 you wrote:
In message 199921122746541@ix.netcom.com, sirbruce@ix.netcom.com writes:
This simply isn't true; there's many sorts of system maintenance that can be done on the console without an admin host, and even moreso now with Web-based administation. One doesn't even have to have a permanent admin host... you could just briefly export the root directory for a quick update, then unexport it from the filer console.
So you're saying that having a Java runtime on the filer is an improvement in security? That's insane.
It would be insane; that's why I didn't say it. Your claim, which you neatly snipped, was:
Filer's typically have an "admin host" which can mount and read/write to the filer root directory. Without it, it's impossible to do any sort of system maintenance on the filer.
To wit, my answer - it's not impossible. Whether or not other methods are more or less secure is a matter of debate, but your original point was wrong.
This isn't new; a malicious individual could potentially effect firmware in previous versions. This is potentially the case in almost any OS... although I admit, 5.x makes it a little "easier" to do so. Firmware also isn't hardwar e, although bad firmware could theoretically lead to physical damage of the disk drive hardware mechanism.
It doesn't make it easier. It makes it trivial.
This we'll just have to disagree on. We don't really know without statistically sampling over a number of security incidents and seeing exactly what the increased risk is, and even then we'd have to agree on the range of what is called "trivial". If you surveyed a group of informed security consultants on the issue, however, I don't think "trivial" would be the word of choice.
Wrong. People keep thinking the admin host is some mythical authoritative host. It isn't. It's nothing. Forget the term. You *can*, if you like, allow one or more hosts to telnet into the filer, rsh into it without a password, or mount it's root partitions. These are no more or no less a factor in the filer than in any other system, and you are perfectly capable of *not* allowing a host to do any of the above. The filer will continue to work.
And you will be unable to update it's /etc/passwd, /etc/quotas, etc. You must not run a filer in an environment that changes often.
Or when you do, you create a temporary security hole that you can monitor in realtime. (Any real security conscious admin are monitoring all of their stuff anyway, but that's another issue). The point is, again, your statement was wrong. Perhaps you were simply *overstating* to make a point... but in the world of security, one should be careful to convey accurate information, not hype.
Now it seems Network Appliance has just raised the stakes; not only can you lose your data, but you can also potentially lose hundreds of thousands of dollars worth of hardware.
This isn't true, and no one should be doing risk-analysis assuming that a user accessing a system through software can't do damange to the hardware underneath.
It is true. Perhaps you should pull your head out of the sand for a minute and stop blindly defending the existance a stupid command.
By the way, I was only saying the first part of your statement (before the semicolon, that Netapp had raised the stakes) wasn't true; obviously from the context I agreed with the latter, but feel it's largely irrelevant since one should rate virutally the same possibility to previous OS version. You probably still disagree, but I wanted the clarification so we didn't go down a rathole over a misunderstanding.
Even if you're correct, you're talking the filer's risk increasing only so much as to be in line with almost every other OS/platform out there that include facilities for such a thing. Hardly something to get worked up over.
Bruce
-
sirbruce@ix.netcom.com