Re: iso 17799

[Dana Nowell <DanaNowell () cornerstonesoftware com>]

Thanks for the list, but methinks your rant missed the point. :-).  My
issue IS education (and staff time reduction by not reinventing the wheel)
not buying a "$100,000 doo-dad".  Having worked in several micro start-ups
and small companies throughout my career, I can assure you they don't buy
$100,000 doo-dads.  In fact the entire operations budget (host, network,
security, etc) MIGHT be $100,000/yr including salaries.  So I think your
definition of small company and my definition of small company are
different (hint, if you need to use your fingers AND toes to count staff,
you are closing on the upper limit, borrow Paul's too and we're more than
covered ;).  

Maybe where you work, a $100,000 doo-dad is the order of the day but most
of the small software companies I worked for used recycled developer
desktops running Linux or *BSD to provide infrastructure.  Now at a bigger
company (still WAY small by your def, I'd think), sure, I could get $5x,xxx
or so for a doo-dad if I thought it was critical, but I'm not likely to do
that.  Most of the internal infrastructure is running Linux here and we use
Windows in the infrastructure (exclude desktops) only where required (app
servers).  Sure I buy off the shelf stuff as well, I don't build my own
switches or routers and we have a netscreen or two handling VPNs, etc.  But
that's pretty much the extent of the doo-dads, basic network hardware and
simple security boxen.

So when someone comes into my office wondering how to secure protocol XXX
or provide service YYY, I COULD recommend they search the net and buy a
doo-dad, punch button, and go back to sleep.  I USUALLY say, are you sure
they need it (get a justification), have you done the research on another
way to do the task, have you done the research on the implications of
allowing it, what ports/machines are involved, ...  And the usual answer
WAS "I don't know/I haven't" (shocking isn't it) and I wind up explaining
stuff.  Of course these people aren't security guys, just network guys (In
my experience, truly small companys don't get to have both, you make do),
but they are interested and they are learning (some of the questions have
answers when they walk in :).  Don't underestimate the skill/power of an
interested newbie, they CAN move mountains, been there seen that.

I can't believe I'm the only manager with that issue.  I HAVE to believe
that not all IT managers are: 'get out of my office', go buy, punch button,
and snooze types of people.  Someone other than me HAS to care about
training the staff and doing the right thing at a reasonable price.  I
admit that the marketdroids push hard and that the bulk of the IT managers
ARE clueless.  Hell, maybe I'm on the wrong list.  (Paul, is there some
demographic on list member company size?).  I'd also like to think some
guys in 'your' small company would like the tools to make a sane
recommendation to their boss.  Damn I don't know anymore, maybe some of us
just like windmills and riding horses.

The push for standards by the marketing weenies has always existed.  As you
state, because it helps them gain control over the market.  BUT there is
now push for standards from the customer/geek/CEO and not because they want
the vendor to control the market.  It's because they need help, any help in
getting a handle on direction.  A man overboard wants a lifeboat, any boat,
even a leaky boat, it beats hell out of drowning.  Now he may still starve
to death or die of heat stroke from bailing out the leaky boat but he'll
grab ANY boat and hold on.  I forget who, but someone said, "tomorrow is
tomorrow" and the micro/small corporate world has embraced that VERY
tightly.  So you don't like the marketing FUD, no shit really.  Guess what,
neither do a lot of us but it's the only boat floating by today.  So you
can whine or you can grab your own damn boat or you can help others build a
boat and start rowing.  Damn man, back in the GREAT CIRCLE (see Paul, I can
remember;) days you used to be one of the first guys on scene with the
hammer and nails.  Too much marketing FUD and not enough fiber in your
diet? ;)

Oh, and for the record Marcus, we are outbound only, have a DMZ, and
consider the DMZ pre-poisoned whenever feasible.  Handle attachments at the
gateway, use a mix of stateful and level 7 service handlers.  Disallow new
protocol/service requests as a matter of course until a justification is
made.  We DO NOT ALLOW mobile users direct access to the internal network,
they get a VERY few services (like mail) and are on a different logical
subnet with different firewall rules (in fact we export EXACTLY 4 services
to the public and about 6 to mobile users).  We use default deny.  We use a
centralized antivirus install that autoupdates the desktops as patches are
provided by our vendor (about a 10 minutes delay) all automagically, even
nights and weekends.  We use centralized mail services that do SPAM and
attachment handling.  We are small enough that almost all firewall traffic
is logged, certainly ALL inbound traffic is logged.  All logs are
autoscanned via cron each night and a summary is emailed to me and several
others (vacation issue).  In that list, you will note ONE firewall doo-dad
(OK, I've got another for VPNs ;).  Everything else is open source,
homegrown scripting, and hand rolled firewall rules (yes we tested them,
and periodically recheck them for stupid admin errors).  We're not perfect,
I'd like to kill some of the app servers, we COULD segment a bit better, we
don't audit (read logs/sniff) as much as I'd like, some of the VPNs are a
bit too friendly, and I spend a chunk of my time explaining stuff (how to,
when to, why not to, ...).  But if the bear joke is the standard, I'd guess
we're probably a bit faster than the average guy on the net but not as fast
as you, Paul, Gwen, and several others.  All without a single $100,000
doo-dad.  

As much as I'd like to be unique, the number one, most secure, top of the
pile, best in the business guy in the industry, I doubt it.  I tend to
think that if I need information, some other people might like it too, and
probably several hundred people already have it.  I spend some time each
month keeping up, researching patches/bugs, learning about new tech,
looking at protocols, writing memos on tech, etc.  Any repository that
helps me or helps my admins so I get more time and they still get it right
is an official 'good thing' from my perspective, but maybe I'm unique.



At 11:49 PM 7/20/2004 -0400, Marcus J. Ranum wrote:
> Dana Nowell wrote: (in response to Paul Robertson)
> > Great, how do the rest of us learn to negate 90% of the risk?  Got a paper
> > somewhere?  Written up an FAQ?  Guideline?  "Best Practice"? :-)  Know of a
> > good repository of that type of thing?  Or is every newbie supposed to post
> > the question to the list to extract your knowledge, say every other month?
> > ('cause you KNOW they don't search the archives)
>
> Well, there are 2 ways to negate 90% of your risk:
>        a) do a few simple, obvious things that are not very fun
>        -or-
>        b) spend a ton of money on products and process
>
> Let me try to explain it a different way:
>        Computer security, as it's done today by most practitioners, is
> fundamentally a con. It's a con the same way that most diet foods
> and "lose weight fast" schemes are a con: they cost a lot and they
> only work if you do something sensible that would have worked
> REGARDLESS of whether you were following the rules of the
> diet. Because, basically, successful diets involve taking in less
> than you burn. All of them. It's the 2nd law of thermodynamics,
> basically. If you burn more fuel than you take on, you'll get smaller.
> Well, security's the same way: if you only do smart safe stuff,
> you won't get hacked. If you buy a $100,000 security doo-dad
> that makes sure you only do smart safe stuff, you won't get hacked.
> But the actual presence of the $100,000 doo-dad has relatively
> little to do with it other than making the vendor happy and giving
> the stupid suits you work for something to point at that has
> neat-o blinky lights. It's a con.
>
>        Simple, obvious things:
>        1) Make your network originate-only except for a very very
>                very very (is that enough "very"s?) small handful
>                of services
>                a) lock down those services
>                b) log usage of those services
>                c) put error detection into service-specific places on
>                        those services (hey, you can even call it
>                        "intrusion detection" if you want to make
>                        Gartner happy)
>        2) Know what's going on in your network
>                a) know who normally talks to whom
>                b) log usage of your network and look at those logs
>                c) know your security policy as well as normal usage
>                d) look in your logs for indications that your policy is
>                        being violated (burglar alarms)
>        3) Your policy should be "deny all"
>                a) only permit it if it needs to be permitted
>        4) Internally compartment your network
>                a) mission critical machines should be behind
>                        screening routers, on separate networks,
>                        with a bare minimum (zero is a good start..)
>                        of services back and forth
>                b) audit all traffic between mission critical systems and
>                        non-critical systems
>                c) if someone can walk into your facility and plug
>                        into a network port, get an IP address
>                        assigned to them, and ping your
>                        mission critical machines, your network
>                        is a disaster waiting to happen
>                d) if someone can walk into your facility and plug
>                        into a network port without you knowing
>                        about it, your network is a disaster area
>                        already; you're just blissfully ignorant
>        5) Delete incoming attachments at the gateway to your
>                network except for a short-list of acceptable mime
>                types
>        6) Don't outsource security; outsourcing is an admission
>                that you are ignorant and that your management
>                are clueless - or that your clueless management
>                think you're ignorant
>        7) Know what goes out through your firewall
>                a) if you don't know how much spyware is installed
>                        on your desktops, your network is 0wned
>                b) if you don't know how much IRC traffic is leaving
>                        your firewall you're 0wned
>                c) why the heck would you let IRC out through your
>                        firewall, anyhow? what are you, a born
>                        victim?
>        8) If you don't understand the difference between layer 7
>                security and "stateful inspection" - learn
>        9) Don't waste your time patching
>                a) if you're running code on an internet-facing
>                        system that has a history of needing
>                        patches every week, you're running
>                        the wrong code
>                b) your internet-facing machines should have
>                        exterior lock-downs that mitigate the
>                        damage of individual service/server
>                        failure, or they shouldn't be internet
>                        facing
>                c) if they aren't internet facing don't make them
>                        internet facing just so you can get patches
>                d) production systems 101:
>                        10 SET IT UP
>                        20 MAKE IT WORK
>                        30 IF WORKING THEN
>                        40      DON'T F- WITH IT
>                        50 ENDIF
>                        60 IF NOT WORKING
>                        70      FIX IT
>                        80      GOTO 20
>                        90 ENDIF
>                        it's that BASIC (ok, that was a bad one...)
>        10) Why on earth would you have roaming users connecting
>                straight into your corporate WAN after they have been
>                at home surfing pornsites and downloading Warez?
>                a) mobile users go on a separate network
>        11) Antivirus software is good
>                a) updating it 4X / day is not necessary
>                b) updating it 1X / week works fine but especially
>                        when combined with stripping attachments
>                        (see above)
>        12) No, your users do NOT need that stupid new chat/file sharing/
>                net-meeting/remote-control/powerpoint sales tool/virtual FAX
>                garbage - it IS dangerous
>
> See? That's a list of great, simple, powerful ideas. If you do these things
> you will virtually never get hacked. Of course, in the immortal words
> of Ray Wylie Hubbard,
> "It's not so hard to do what's right; it's just not as much fun."
> (Conversations with the Devil, from Crusades of the Restless Knights)
>
> > IMO, the 'push for standards' is because the field is exploding AND
> > maturing and many, many, newbies are being thrown in to the fire everyday.
>
> The push for standards has nothing to do with the unfortunate newbies.
> Standardization is a long-running conversation (or battle) between
> vendors and customers over who has control over the market.
> Standards only happen (are allowed to happen) once the innovation
> has gone out of a market - or in the rare case where a standard
> happens in spite of vendors splitting the market - standards cause
> innovation to go out of the market. The vendors will innovate (read:
> make stuff that doesn't work together) someplace else.
>
> If you look at the effectiveness of standards bodies since the
> early 1990's (the beginning of the Internet era) you'll notice
> that they have been reduced to a bunch of squabbling vendor
> shills (with a few academics and idealists thrown in) that are
> only able to effectively ratify the installed base after throwing
> a few little tweaks on to show that NIH syndrome is alive and well.
>
> > The frustration is that people on this list 'generally' solve the same
> > problems, use lots of the same references, sites, and resources.
>
> Well, part of it is because some of us (heya Paul! Fred! Steve!
> Michael!) have been singing basically the same song for ever.
> I published a few verses of it above. We've been singing the
> song through rain and snow and we've been right all along.
> And when people ask for a solution, what they're really saying
> is "We don't LIKE the rules of the jungle! Surely if I just buy
> this new $100,000 doo-dad then I can rewrite them so they
> no longer apply to me!"   Nu-huh.
>
> >  This list
> > is dedicated to answering specific questions about firewall
> > implementations, a good thing.  However no centralized list or repository
> > exists to share the 'other' information required in the real world
> > (training materials, reference materials, example risk
> > assessments/documents, staff/food chain management issues, software, etc.).
> > The list is good, it does its job well, too well, people want the other
> > problems solved as well and currently they can't have it.
>
> Conferences like SANS try to do this, as do most security-oriented
> conferences. Personally I think you can learn it all yourself if you
> are motivated enough. This list is not the right place for that. Not
> because nobody here knows what to do; it's just our throats
> are tired from singing the same song and then having people
> say, "that sounds like sense but there's no WAY my pointy-haired
> boss is gonna let me do that."
>
> > In one man's opinion, that's one of the main reasons why we see the push
> > for 'standards'.  It's not really standards people want, so much as
> > direction/help with the 'other' parts of their job.
>
> If you "standardize" enough then you've derived a "one size fits
> all" - which you can only do after something has commoditized
> to the point where it is no longer interesting. I'm not saying that's
> a bad thing - not by a long shot - but the implication of my
> view, if I am right, is that there will never be useful or meaningful
> standards regarding whatever the most interesting problem is that
> you have on your plate at any given moment.
>
> mjr.                "A standard of one, since 1962" 
-- 
Dana Nowell     Cornerstone Software Inc.
Voice: 603-595-7480 Fax: 603-882-7313
email: DanaNowell_at_CornerstoneSoftware.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards