Dailydave mailing list archives
Re: Semi-anonymized moderation.
From: Kowsik <kowsik () gmail com>
Date: Mon, 28 Jan 2008 08:25:47 -0800
After 5+ years of stopping this, stopping that, writing anti-malware, anti-dos, anti-backdoors, anti-vulnerablities, anti-scanners, anti-spoofing, anti-this and anti-that, it pretty much came down to "ENOUGH ALREADY!", for me. Being reactive just ain't fun. It gets pretty damn tiring after a while when for ever rule the ID/PS has, there are like a million exceptions on the network. No, I'm not just talking about evasions and obfuscations. One small step for the attacker, one impossible jump for the rest - especially with the current approach. This is not a dig on specific products or how they work. They do what they are intended to do reasonably well. However, the problem they all set out to solve is inherently intractable. K. On Jan 28, 2008 6:39 AM, Dave Aitel <dave () immunityinc com> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Post from Mark Loveless who is subscribed from a diff email and hit "reply all". My moderation gui drops anything from anyone not subscribed, so I'm "moderating" this manually. - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1Dave my man. I agree that security is an arm's race for signature based products. Though should we throw out the baby with the dirty water? Is no firewall, VLANs, route filtering, IDS, AV, central management/logging, etc better than a lame one? And besides perhaps some witty vendor will come up with a new solution. :)I'll bite. I'd say as a person who has worked on multiple security products, it is a losing battle. The network is simply hostile. Forget the firewalls with holes in them to allow users to send/receive email, web traffic, IM, plus "trusted" vendors, suppliers, contractors, overseas divisions, and an increasing mobile workforce -- there are simple rules of physics to contend with here, and as a result the network on both sides of the firewall is hostile. If every exploit set the evil bit, we'd just look for that one thing. However any signature-based system has to look at all possible attacks. Now for even ASIC-based systems, you run out of memory real quick. This is the physics thing I mentioned earlier. Most IDS/IPS vendors have a ceiling limit on about 1800-2000 signatures that can be active at once. NO vendor ships with all 5k-10k signatures turned on. The machine would drop packets and grind to a halt. Therefore what signatures do you pick? Only the ones that affect your user base? What about home users coming in via VPN (doubly bad, you may not support the platform AND the communication is encrypted)? Do you think anti-virus companies have it any better? What about anomaly-based host systems? Arguably better, however there are two factors that prevent massive deployment: 1) You now have to run low-level code on all your systems. Aside from the technical issues that this may cause, your CxO types may have gotten burned when the last time code was loaded on every system, it didn't prevent some massive infection. Additionally, the Gartners of the world are quick to point out that the upper right quadrant is filled with signature-based companies anyway, so any consultants/sales people wanting to make a sale have to explain away that upper quadrant in that goofy chart. Hybrid systems that use sigs for the low-hanging fruit and anomaly detection for the hard stuff might creep into the upper right quad (hopefully you know what I mean by Gartner's upper right quad, google it if you don't know). 2) It is cheaper to deploy technology at the "choke points" instead of everywhere, and A/V is about all you can expect to get on the desktop nowadays. Besides the auditors of the world will tell your organization that due diligence is having that A/V there, on the Exchange server, and the fact you have a firewall pretty much has you covered from an audit standpoint. My solution would be to lock down the desktops and servers via hardening, run email and web browsers in sandboxes, and replace the firewalls with router ACLs that simply take large swipes at the traffic to help create a division from the outside world. Firewalls are simply glorified routers at this point anyway, as most are configured to allow certain types of traffic right in through the front door. I used to quote Frank Zappa's comments on modern jazz as "jazz isn't death, it just smells funny" in presentations, saying the same thing about perimeter security. Around 2002 or so I simply started saying perimeter security is just dead. I had a very serious discussion about this very topic with Bill Cheswick around the same time, with both of us threatening to write a paper or article on the topic. Every time I hear the argument that some level of security, even lame security, is better than NO security, I think about my Zappa paraphrasing. In my opinion, lame security is WORSE than no security, simply because most of the people involved (think CxO/pointy-haired boss types) live with a sense that they are being protected, when in fact they are not. The ones with no protection are not living a lie -- they are at least AWARE they really have no security. Mark - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) iD8DBQFHlnf7cWrXS8hLmpIRAlV3AJ4xm+t46kKtUaFZ3zbVB9VmEUIPqwCfcNgi yEHFuPRkLlrQEI90G/h3RQg= =DhdV - -----END PGP SIGNATURE----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFHnekTB8JNm+PA+iURAgnLAJ9/MYp/eoneY4TwIr50XRIlAZBgCgCgj8ME 48wF+iNSfnb0rOEBiF/eSpk= =d2Lw -----END PGP SIGNATURE----- _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Semi-anonymized moderation. Dave Aitel (Jan 28)
- Re: Semi-anonymized moderation. Kowsik (Jan 28)
- Re: Semi-anonymized moderation. Chris Rohlf (Jan 28)
- Re: Semi-anonymized moderation. Jon Oberheide (Jan 28)
- Re: Semi-anonymized moderation. Chris Rohlf (Jan 28)
- Re: Semi-anonymized moderation. Brian (Jan 28)
- Re: Semi-anonymized moderation. Mark Loveless (Jan 28)
- Re: Semi-anonymized moderation. Brian (Jan 28)
- Re: Semi-anonymized moderation. Lance M. Havok (Jan 28)
- Re: Semi-anonymized moderation. Olef Anderson (Jan 28)
- Re: Semi-anonymized moderation. Stephen John Smoogen (Jan 28)
- Re: Semi-anonymized moderation. Mark Loveless (Jan 28)
- Re: Semi-anonymized moderation. Kowsik (Jan 28)
- Re: Semi-anonymized moderation. Sec urity (Jan 28)