Posted by: Anonymous Coward
on March 18, 2004 02:09 PM
Large organizations tend to have the funding to "do the right thing" with respect to patch management. What the &*^% are you talking about, "patching every six months is the best you can hope for?" This is why patch management solutions were created.
PKI is a heck of a can of worms, and it's probably a good idea to know what you're going to use it for before deploying (secure email, client certs for web apps, vpn access, etc.) Many commercial cert issuing solutions are licensed on a per-cert basis, which means that organizations are encouraged NOT to exercise the revocation features unless they absolutely have to; ditto for short expiry.
SSH is a really, really, really good idea. Wrapping telnetd is not a bad idea, it's just not the only solution. I guarantee you there will be a requirement to "tip in" to just about every box at one point. So, while you score points for understanding that machines live in secure enclaves, you get points deducted for implying there's such a thing as a perimeter anymore. My app servers run code from our trading partners. One of my databases (inside the firewall) is maintained by a company we are in coopetition with. The possibility that malicious code exists INSIDE the computing center is just way too real to avoid cryptographic protections on basic firewalls.
What about key management? nCipher makes some pretty nice boxes. MUSCLE / LinuxNet have a pretty decent smart card library or two. PAM rocks.
What about commercial products for authentication? SecurID? CryptoCard? Priva-Tech?
Might have missed the point here...