Firewall Wizards mailing list archives
Re: iso 17799
From: Dana Nowell <DanaNowell () cornerstonesoftware com>
Date: Wed, 21 Jul 2004 12:10:26 -0400
Thanks for the list, but methinks your rant missed the point. :-). My issue IS education (and staff time reduction by not reinventing the wheel) not buying a "$100,000 doo-dad". Having worked in several micro start-ups and small companies throughout my career, I can assure you they don't buy $100,000 doo-dads. In fact the entire operations budget (host, network, security, etc) MIGHT be $100,000/yr including salaries. So I think your definition of small company and my definition of small company are different (hint, if you need to use your fingers AND toes to count staff, you are closing on the upper limit, borrow Paul's too and we're more than covered ;). Maybe where you work, a $100,000 doo-dad is the order of the day but most of the small software companies I worked for used recycled developer desktops running Linux or *BSD to provide infrastructure. Now at a bigger company (still WAY small by your def, I'd think), sure, I could get $5x,xxx or so for a doo-dad if I thought it was critical, but I'm not likely to do that. Most of the internal infrastructure is running Linux here and we use Windows in the infrastructure (exclude desktops) only where required (app servers). Sure I buy off the shelf stuff as well, I don't build my own switches or routers and we have a netscreen or two handling VPNs, etc. But that's pretty much the extent of the doo-dads, basic network hardware and simple security boxen. So when someone comes into my office wondering how to secure protocol XXX or provide service YYY, I COULD recommend they search the net and buy a doo-dad, punch button, and go back to sleep. I USUALLY say, are you sure they need it (get a justification), have you done the research on another way to do the task, have you done the research on the implications of allowing it, what ports/machines are involved, ... And the usual answer WAS "I don't know/I haven't" (shocking isn't it) and I wind up explaining stuff. Of course these people aren't security guys, just network guys (In my experience, truly small companys don't get to have both, you make do), but they are interested and they are learning (some of the questions have answers when they walk in :). Don't underestimate the skill/power of an interested newbie, they CAN move mountains, been there seen that. I can't believe I'm the only manager with that issue. I HAVE to believe that not all IT managers are: 'get out of my office', go buy, punch button, and snooze types of people. Someone other than me HAS to care about training the staff and doing the right thing at a reasonable price. I admit that the marketdroids push hard and that the bulk of the IT managers ARE clueless. Hell, maybe I'm on the wrong list. (Paul, is there some demographic on list member company size?). I'd also like to think some guys in 'your' small company would like the tools to make a sane recommendation to their boss. Damn I don't know anymore, maybe some of us just like windmills and riding horses. The push for standards by the marketing weenies has always existed. As you state, because it helps them gain control over the market. BUT there is now push for standards from the customer/geek/CEO and not because they want the vendor to control the market. It's because they need help, any help in getting a handle on direction. A man overboard wants a lifeboat, any boat, even a leaky boat, it beats hell out of drowning. Now he may still starve to death or die of heat stroke from bailing out the leaky boat but he'll grab ANY boat and hold on. I forget who, but someone said, "tomorrow is tomorrow" and the micro/small corporate world has embraced that VERY tightly. So you don't like the marketing FUD, no shit really. Guess what, neither do a lot of us but it's the only boat floating by today. So you can whine or you can grab your own damn boat or you can help others build a boat and start rowing. Damn man, back in the GREAT CIRCLE (see Paul, I can remember;) days you used to be one of the first guys on scene with the hammer and nails. Too much marketing FUD and not enough fiber in your diet? ;) Oh, and for the record Marcus, we are outbound only, have a DMZ, and consider the DMZ pre-poisoned whenever feasible. Handle attachments at the gateway, use a mix of stateful and level 7 service handlers. Disallow new protocol/service requests as a matter of course until a justification is made. We DO NOT ALLOW mobile users direct access to the internal network, they get a VERY few services (like mail) and are on a different logical subnet with different firewall rules (in fact we export EXACTLY 4 services to the public and about 6 to mobile users). We use default deny. We use a centralized antivirus install that autoupdates the desktops as patches are provided by our vendor (about a 10 minutes delay) all automagically, even nights and weekends. We use centralized mail services that do SPAM and attachment handling. We are small enough that almost all firewall traffic is logged, certainly ALL inbound traffic is logged. All logs are autoscanned via cron each night and a summary is emailed to me and several others (vacation issue). In that list, you will note ONE firewall doo-dad (OK, I've got another for VPNs ;). Everything else is open source, homegrown scripting, and hand rolled firewall rules (yes we tested them, and periodically recheck them for stupid admin errors). We're not perfect, I'd like to kill some of the app servers, we COULD segment a bit better, we don't audit (read logs/sniff) as much as I'd like, some of the VPNs are a bit too friendly, and I spend a chunk of my time explaining stuff (how to, when to, why not to, ...). But if the bear joke is the standard, I'd guess we're probably a bit faster than the average guy on the net but not as fast as you, Paul, Gwen, and several others. All without a single $100,000 doo-dad. As much as I'd like to be unique, the number one, most secure, top of the pile, best in the business guy in the industry, I doubt it. I tend to think that if I need information, some other people might like it too, and probably several hundred people already have it. I spend some time each month keeping up, researching patches/bugs, learning about new tech, looking at protocols, writing memos on tech, etc. Any repository that helps me or helps my admins so I get more time and they still get it right is an official 'good thing' from my perspective, but maybe I'm unique. At 11:49 PM 7/20/2004 -0400, Marcus J. Ranum wrote:
Dana Nowell wrote: (in response to Paul Robertson)Great, how do the rest of us learn to negate 90% of the risk? Got a paper somewhere? Written up an FAQ? Guideline? "Best Practice"? :-) Know of a good repository of that type of thing? Or is every newbie supposed to post the question to the list to extract your knowledge, say every other month? ('cause you KNOW they don't search the archives)Well, there are 2 ways to negate 90% of your risk: a) do a few simple, obvious things that are not very fun -or- b) spend a ton of money on products and process Let me try to explain it a different way: Computer security, as it's done today by most practitioners, is fundamentally a con. It's a con the same way that most diet foods and "lose weight fast" schemes are a con: they cost a lot and they only work if you do something sensible that would have worked REGARDLESS of whether you were following the rules of the diet. Because, basically, successful diets involve taking in less than you burn. All of them. It's the 2nd law of thermodynamics, basically. If you burn more fuel than you take on, you'll get smaller. Well, security's the same way: if you only do smart safe stuff, you won't get hacked. If you buy a $100,000 security doo-dad that makes sure you only do smart safe stuff, you won't get hacked. But the actual presence of the $100,000 doo-dad has relatively little to do with it other than making the vendor happy and giving the stupid suits you work for something to point at that has neat-o blinky lights. It's a con. Simple, obvious things: 1) Make your network originate-only except for a very very very very (is that enough "very"s?) small handful of services a) lock down those services b) log usage of those services c) put error detection into service-specific places on those services (hey, you can even call it "intrusion detection" if you want to make Gartner happy) 2) Know what's going on in your network a) know who normally talks to whom b) log usage of your network and look at those logs c) know your security policy as well as normal usage d) look in your logs for indications that your policy is being violated (burglar alarms) 3) Your policy should be "deny all" a) only permit it if it needs to be permitted 4) Internally compartment your network a) mission critical machines should be behind screening routers, on separate networks, with a bare minimum (zero is a good start..) of services back and forth b) audit all traffic between mission critical systems and non-critical systems c) if someone can walk into your facility and plug into a network port, get an IP address assigned to them, and ping your mission critical machines, your network is a disaster waiting to happen d) if someone can walk into your facility and plug into a network port without you knowing about it, your network is a disaster area already; you're just blissfully ignorant 5) Delete incoming attachments at the gateway to your network except for a short-list of acceptable mime types 6) Don't outsource security; outsourcing is an admission that you are ignorant and that your management are clueless - or that your clueless management think you're ignorant 7) Know what goes out through your firewall a) if you don't know how much spyware is installed on your desktops, your network is 0wned b) if you don't know how much IRC traffic is leaving your firewall you're 0wned c) why the heck would you let IRC out through your firewall, anyhow? what are you, a born victim? 8) If you don't understand the difference between layer 7 security and "stateful inspection" - learn 9) Don't waste your time patching a) if you're running code on an internet-facing system that has a history of needing patches every week, you're running the wrong code b) your internet-facing machines should have exterior lock-downs that mitigate the damage of individual service/server failure, or they shouldn't be internet facing c) if they aren't internet facing don't make them internet facing just so you can get patches d) production systems 101: 10 SET IT UP 20 MAKE IT WORK 30 IF WORKING THEN 40 DON'T F- WITH IT 50 ENDIF 60 IF NOT WORKING 70 FIX IT 80 GOTO 20 90 ENDIF it's that BASIC (ok, that was a bad one...) 10) Why on earth would you have roaming users connecting straight into your corporate WAN after they have been at home surfing pornsites and downloading Warez? a) mobile users go on a separate network 11) Antivirus software is good a) updating it 4X / day is not necessary b) updating it 1X / week works fine but especially when combined with stripping attachments (see above) 12) No, your users do NOT need that stupid new chat/file sharing/ net-meeting/remote-control/powerpoint sales tool/virtual FAX garbage - it IS dangerous See? That's a list of great, simple, powerful ideas. If you do these things you will virtually never get hacked. Of course, in the immortal words of Ray Wylie Hubbard, "It's not so hard to do what's right; it's just not as much fun." (Conversations with the Devil, from Crusades of the Restless Knights)IMO, the 'push for standards' is because the field is exploding AND maturing and many, many, newbies are being thrown in to the fire everyday.The push for standards has nothing to do with the unfortunate newbies. Standardization is a long-running conversation (or battle) between vendors and customers over who has control over the market. Standards only happen (are allowed to happen) once the innovation has gone out of a market - or in the rare case where a standard happens in spite of vendors splitting the market - standards cause innovation to go out of the market. The vendors will innovate (read: make stuff that doesn't work together) someplace else. If you look at the effectiveness of standards bodies since the early 1990's (the beginning of the Internet era) you'll notice that they have been reduced to a bunch of squabbling vendor shills (with a few academics and idealists thrown in) that are only able to effectively ratify the installed base after throwing a few little tweaks on to show that NIH syndrome is alive and well.The frustration is that people on this list 'generally' solve the same problems, use lots of the same references, sites, and resources.Well, part of it is because some of us (heya Paul! Fred! Steve! Michael!) have been singing basically the same song for ever. I published a few verses of it above. We've been singing the song through rain and snow and we've been right all along. And when people ask for a solution, what they're really saying is "We don't LIKE the rules of the jungle! Surely if I just buy this new $100,000 doo-dad then I can rewrite them so they no longer apply to me!" Nu-huh.This list is dedicated to answering specific questions about firewall implementations, a good thing. However no centralized list or repository exists to share the 'other' information required in the real world (training materials, reference materials, example risk assessments/documents, staff/food chain management issues, software, etc.). The list is good, it does its job well, too well, people want the other problems solved as well and currently they can't have it.Conferences like SANS try to do this, as do most security-oriented conferences. Personally I think you can learn it all yourself if you are motivated enough. This list is not the right place for that. Not because nobody here knows what to do; it's just our throats are tired from singing the same song and then having people say, "that sounds like sense but there's no WAY my pointy-haired boss is gonna let me do that."In one man's opinion, that's one of the main reasons why we see the push for 'standards'. It's not really standards people want, so much as direction/help with the 'other' parts of their job.If you "standardize" enough then you've derived a "one size fits all" - which you can only do after something has commoditized to the point where it is no longer interesting. I'm not saying that's a bad thing - not by a long shot - but the implication of my view, if I am right, is that there will never be useful or meaningful standards regarding whatever the most interesting problem is that you have on your plate at any given moment. mjr. "A standard of one, since 1962"
-- Dana Nowell Cornerstone Software Inc. Voice: 603-595-7480 Fax: 603-882-7313 email: DanaNowell_at_CornerstoneSoftware.com _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: iso 17799, (continued)
- Re: iso 17799 Marcus J. Ranum (Jul 21)
- Re: iso 17799 Paul D. Robertson (Jul 21)
- Re: iso 17799 George Capehart (Jul 21)
- Re: iso 17799 Darren Reed (Jul 21)
- SMS ports Jyotish K Sen Gupta (Jul 21)
- Re: SMS ports John Adams (Jul 21)
- irc was Re: iso 17799 ArkanoiD (Jul 21)
- Re: irc was Re: iso 17799 Marcus J. Ranum (Jul 21)
- Re: irc was Re: iso 17799 ArkanoiD (Jul 21)
- Re: irc was Re: iso 17799 Marcus J. Ranum (Jul 21)
- Re: iso 17799 Dana Nowell (Jul 21)
- Message not available
- Re: iso 17799 Marcus J. Ranum (Jul 21)
- Re: iso 17799 Dana Nowell (Jul 21)
- Re: iso 17799 R. DuFresne (Jul 22)
- Re: iso 17799 Paul D. Robertson (Jul 22)
- Re: iso 17799 Paul D. Robertson (Jul 26)
- Message not available
- Re: iso 17799 Frederick M Avolio (Jul 21)
- Re: iso 17799 Dana Nowell (Jul 21)
- Message not available
- Re: iso 17799 Frederick M Avolio (Jul 22)
- Re: iso 17799 Dana Nowell (Jul 23)
- Re: iso 17799 ArkanoiD (Jul 26)