Thursday, November 30, 2006

Thoughts on Vista

To mark the launch of Microsoft Windows Vista, CSO Online asked me to write this article. The editor titled it "Security In Microsoft Vista? It Could Happen." I think I took a balanced approach. Let me know what you think. I was pleased to see my FreeBSD reference survived the editor's review!

5 comments:

Anonymous said...

Definitely a balanced approach. Good article. Nice turn of phrase with "Unfamiliarity will breed misconfiguration".

Anonymous said...

The comments about v6/IPsec might also want to include that robust use of IPsec relies on a global PKI infrastructure that does not exist (nor will it for a long time). Additionally, we will see many articles like the following, posted to SANS in 2005:

We received some packets today from someone who was chomping at the bit to get his Windows Vista up and on the wire, and was in for an interesting surprise. After a short while, he was being barraged with a good number of UDP port 53186 packets from around the globe. A bit of digging gave me an education in Teredo - Microsoft's IPv6 over IPv4 encapsulation, discussed in: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/teredo.mspx and RFC3904. Teredo's strength is its ability to traverse NAT firewalls while maintaining the protections offered by IPv6, and it has been used to build tunnels for plenty of OSes and applications, including Windows P2P and especially the Peer Name Resolution Protocol, PNRP.

The best thing to do, if you do not need the v6 service, is to disable it (much like how we do normal business today for other services).

One other comment: I heard a Microsoft rep talk about the orders of magnitude of download performance (as much as 10x + faster) between Longhorn and Vista. Do you think this will cause havoc for network security appliances?

Kenneth F. Belva said...

Memory Address Randomization in Vista will help significantly to prevent many exploits. It's turned on by default.

My blog entry here.

KB

John Ward said...

You mean Vista actually launched? With the lack of press, I didn't even know... Maybe that's part of the security strategy?

Anonymous said...

Vista will suck. Microsoft has terrible OS's.



Kettler