
Re: [school-discuss] Security and Linux



On Sun, 15 Dec 2002 11:50, David Bucknell wrote:
> Dear Schoolforgers,
>
> I just got a good question from a friend in Canada and wonder if others
> might be willing to address this question as it is likely to come up again.
> I'd appreciate any help you might offer. Here goes:
>
I'll give it a go, but I'm sure Leon will have a stab too.


> "We're looking at a project to put cache servers in a couple of schools
> with remote management from a company in British Columbia.  They would
> have to come through our district's firewall to replenish the servers at
> night.  That's not fraught with concerns, believe me. But, at a meeting

Yeh, no biggie. 

> yesterday, the people that we met with made a statement that I wish that I
> was more informed to challenge.  The comment went along the lines of "Well,
> it's Linux.  It's secure and you don't have to worry about hackers."  They
> also were unable to tell me about the software that would be used and also
> that this software had ways to cache dynamic content.  ASP, etc.

OK. A bit worrying.

Linux is no more than a clone of Unix - something that has been tried and 
tested for 30 odd years. The implementation is strong, and since it is open 
source it gains a lot from the 'many eyes' approach.

However, poorly written or configured software can still be a security 
nightmare. In fact, otherwise well written software can - witness the recent 
OpenSSL problems.

Anyone who can claim that 'it's Linux and therefore secure by default' needs to 
re-examine their approach. Linux needs to be well configured like anything 
else, and the kernel and tools need to be monitored so that any security 
issues are patched quickly.

That is actually the best thing about Linux - not that there are no security 
issues, but when they arise they are usually dealt with quickly by the 
community.

As an aside, you can't cache ASP/PHP etc. You never see it. You could cache the 
resulting HTML that is returned, but you'll find that most stuff written in 
these kinds of languages sends headers which mean 'if you are a cache do not 
cache this - ever'. Otherwise really odd stuff starts happening.

> So, I'm sitting there in the meeting with red flags and sirens going off
> but not familiar enough with Linux to return with probing questions.  Can
> you comment or point me somewhere on the net where I can do some serious
> reading?

Here's the rub - finding the reading material. You'll find (as I did) that a 
lot of the Linux based comment on the net is mostly 'it's great because it's 
not Microsoft' or 'it sucks because it's not Microsoft'. In reality the 
security aspects of any OS are a massive subject - I would recommend that 
rather than tackling it yourself you get in touch with a trusted and honest 
consultant who can guide you. Anyone that claims Linux is totally secure by 
default does not fall into that category.

> Is there a particular piece of software running on Linux that is a good
> caching software that you'd recommend so that I can do some research?  As
> for caching dynamic content, I'm just going to have to wait and see this
> system live because it goes against everything that I think I know about
> the way these pages work! "

Caching = Squid. You can't go past it. The hardware requirements are a little 
stiff, but when you consider what it's doing (storing and indexing thousands 
of objects sourced from the net), it's really rather impressive. It's also old 
and well tested software, and I can't recall a serious security issue with it 
in recent times. If one does come up you can be sure that the active 
community will stomp on it quick smart.

Same comments about caching dynamic content above apply. You can cache other 
things like the images embedded in the page itself, but actually caching 
semi-dynamic pages (where the content changes but not very often) is best 
left to the originating server. If a server does cache the HTML from a 
dynamic webpage, how could it tell if it had changed? I think you'll find that 
even if the cache does in fact store this, it will refresh so often (maybe 
every call) that the entire point of the cache is lost.

Leon might be able to shed more light on this.

Tread carefully, and beware the Linux zealots! :D

>
>
> Best wishes to you all,
> David


Good luck
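
The caching behaviour described in the reply above (responses that tell a cache not to store them, and pages that are refreshed on every call), as an added example that is not part of the original message and is not Squid's own logic: a Python model of how a shared proxy cache reads HTTP response headers. The function names, the verdict labels (`bypass` = never store, `revalidate` = ask the origin on every request, `serve` = answer from cache) and the sample headers are assumptions made for illustration; heuristic freshness is deliberately left out.

```python
from email.utils import parsedate_to_datetime

def parse_cache_control(value):
    """Split a Cache-Control header into {directive: argument or None}."""
    directives = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def shared_cache_decision(headers):
    """Return (verdict, fresh_seconds) for a cache shared between many users."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control"))
    if "no-store" in cc or "private" in cc:
        return ("bypass", 0)
    # Conservative assumption: honour Pragma: no-cache when Cache-Control is absent.
    if "no-cache" in cc or (not cc and "no-cache" in h.get("pragma", "").lower()):
        return ("revalidate", 0)
    lifetime = None
    for directive in ("s-maxage", "max-age"):   # s-maxage wins for shared caches
        arg = cc.get(directive) or ""
        if arg.isdigit():
            lifetime = int(arg)
            break
    if lifetime is None and "expires" in h and "date" in h:
        try:
            delta = parsedate_to_datetime(h["expires"]) - parsedate_to_datetime(h["date"])
            lifetime = int(delta.total_seconds())
        except (TypeError, ValueError):
            lifetime = 0                        # unparseable Expires ("0", "-1") counts as stale
    # Simplification: a response with no explicit lifetime is treated as stale.
    if lifetime is None or lifetime <= 0:
        return ("revalidate", 0)
    return ("serve", lifetime)

# Constructed sample responses, not captured traffic.
SAMPLES = {
    "session page": {"Cache-Control": "no-store, no-cache, must-revalidate", "Pragma": "no-cache"},
    "per-user page": {"Cache-Control": "private"},
    "embedded image": {"Cache-Control": "public, max-age=86400"},
    "semi-dynamic page": {"Date": "Sun, 15 Dec 2002 00:50:00 GMT", "Expires": "Sun, 15 Dec 2002 00:50:00 GMT"},
    "hourly page": {"Date": "Sun, 15 Dec 2002 00:50:00 GMT", "Expires": "Sun, 15 Dec 2002 01:50:00 GMT"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:18} -> {shared_cache_decision(hdrs)}")
```

A `bypass` verdict on per-user pages is what keeps one pupil's session content from being handed to the next user of the shared cache, so it is worth checking that any proposed caching product honours it.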