Firewall Wizards mailing list archives

Re: Castles and Security (fwd)


From: "M.Schubert" <schubert () fsck org>
Date: Thu, 4 Jan 2001 01:34:57 -0800

Darren Reed wrote:
Other details such as whether or not such a person should be
installing software, does it fall within the security policy, etc,
are also relevant but peripheral to the point I was making:

people will follow the path of least resistance to get in, regardless
of whether that is through the front door or over the WAN.  If all
paths have the same amount of "resistance" then you should be able to
feel comfortable with your security.  If you have a security dude
watching everyone come in your front door, you should have a security
dude watching everyone come in over the internet.  It might also mean
that any access to the president's computer needs to be ok'd with the
secretary (or equivalent thereof) or at home, you'd need to get their
spouse's ok.  That sort of thing is what I mean.


Basically you've come back to the "a chain is only as strong as its
weakest link" cliche, but you are correct. People just fail to see this
over-used analogy in the grand scheme of things. Why implement heavy
physical security when one can just utilize poor network security? And
why bother breaking in via the computer network when one can just
utilize an unlocked door, window... fool the secretary... etc.? I think
we need to remember that the greatest castle in the world is useless 
without men to man the fort so to speak.

Marcus mentioned in another message (if I may just slop together my 
various opinions into one email :-) that in today's e-commerce, one can 
not just "close the gates" on one's server when under attack. This is a 
rather nasty problem that I have not foreseen any software able to 
solve. Pulling the plug is an option for highly-sensitive information, 
home users and non-essential services but not for e-bay. I think the 
ideas of defenses have been established well enough in this thread but 
I'm wondering as to what you people feel about _counter-measures_. 
Unfortunately, all of the common ones (automated blocking of IPs and
subnets) are all too easy to be abused by an attacker and become more 
harmful than good.

If I may stretch this idea of counter-measures further... it's very
similar to the concept of criminal laws... you break a law and the
justice system will invoke a counter-measure, a punishment. (and now I 
go off on a bit of a rant :-) These are deterrents! Defenses in your 
network are simply obstacles to overcome just like the locks on your 
doors are merely something a thief must overcome. They do not deter the 
criminal, they merely _delay_ the criminal. I'm sure one could suggest 
we have harsher deterrents (read: laws) against breaking into systems 
but I'm wondering what deterrents can be implemented in software and 
hardware? Actual, tangible, counter-measures. Not more layers of 
defense. Not obstacles.

Now if I may return to the whole castle analogy just for the sake of 
completeness I'd like to point out that it is not the high castle walls 
nor the strong, tricky or trap doors that deter the Mongol horde from
attacking your network.... it's the army of archers sitting on top of
those walls and behind those doors waiting to shoot the hapless fool to 
break in. It is the deterrents which will thwart an enemy not the 
obstacles.

-- 
-- M. Schubert          - mschuber () uci edu
-- Security Specialist - michaels () lightspeedsystems com
-- Sys Admin            - schubert () fsck org
