Firewall Wizards mailing list archives
Re: Defense in Depth to the Desktop
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 14 Dec 2004 12:34:03 -0500
Devdas Bhagat wrote:
> What we need is a PFW that can be controlled by the central IT department and global policies applied to similar sets of desktops.
Most of the PFW makers are heading that way. Some of the companies (e.g.: Sygate) have been doing it for a long time. I'm (no business association with Sygate or their products) pretty impressed with the policy framework they have built. But, fundamentally, we need to assess where we're heading with the whole thing. PFW is a piece of it, but as malware is showing us beyond the shadow of a doubt, the final battle is going to be fought over what gets executed on the desktop. The orange book guys knew this ages ago, and we've just been in denial about it, as we thrash desperately back and forth between "can we secure it at the network?" (no) "can we secure it at the host?" (no) Eventually, we'll find ourselves accepting the reality that we need total, granular, management of execution and network connectivity network-wide. That's the truth we've been dodging since the "desktop revolution."
> But it *is* the most common way for malicious code to replicate. Windows file and print sharing is one huge hole.
Close one common vector and it'll just make another vector the new most popular and most common pathway. That's the fundamental problem with playing computer security whack-a-mole -- the underlying premise is "if we just close this one hole" - and it's wrong. That's why the folks who say "If we just blow away Windows" are wrong (yes; I have said that) or "If we just stop using IE" are wrong (yes; I have said that). A more accurate statement would be "if we just blow away IE, we will force the bad guys to reassess their attack vectors and learn new ones." Which is not an entirely bad thing. Note that I am usually recommending blowing away Windows and IE in the context of replacing them with an absolutely controlled execution environment, so I am not exactly in favor of playing whack-a-mole. I would describe my position more as "driving a stake through its heart" -- and, yes, I would be willing to operate in such an environment.

mjr.