
[cobalt-security] RaQ patching and security



	Sounds like there are a lot of unhappy and angry customers out there. I
am not one of them; however, I do appreciate bad vendor experiences. Here
is my lurker's take:


	Cobalts need to be brought up to the response time Sun gives their
larger iron. I would like patches from Cobalt proper within 24 hours of
an announced vulnerability. This is particularly important as a vendor
is usually informed 30 days or more before a vulnerability is
publicized. At least that's what the companies I worked with in infosec
did. I don't mind basing the product on a release or two back of Redhat
but please, keep it up to date! We're all operations people at heart, we
want a mature and stable product but do pay attention to it!

	We have been running RaQ 3's and 4's, almost 2 dozen of them, for over
a year now. Our IDS picks up a ton of intrusion attempts, but we've been
able to keep things patched and unhacked. My experience to date has been
that calls (admittedly handled under our existing service contract with
Sun at no per incident cost) were promptly and effectively answered. The
times unsupported patches have come up from pkgmaster.com, for example,
the service people mentioned that they thought it wasn't a problem as
long as you understood what you were doing, and the patches came from a
trusted source. Cobalt's packages should, of course, be given precedence.
Pkgmaster.com was started by Cobalt and ex-Cobalt support techs, wasn't
it? In my practical experience, this conversation about "voiding your
warranty by patching for vulnerabilities" is odd and, from my experience
with Cobalt or Sun support, moot.

	The bottom line is that the sophisticated inter-operability of Internet
services means that there IS no easy way on in the long haul. Cobalts,
however, are a pretty good place to start if you want to get up in a
hurry and learn as you go. In the end, however, a system is only as good
as its administrator in any context, security and otherwise. You can
build a system that anyone can administrate, but does that mean that
anyone SHOULD administrate it?

	Like they said at NASA years back before I left, "Better, faster,
cheaper - you get to pick two." 
-- 

						John

John Brownlee
Senior Systems Administrator and "Network" Security Dude
Pima Community College
Phone: x4838