Firewall Wizards mailing list archives
Re: Vulnerability Response (was: BGP TCP RST Attacks)
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Tue, 1 Jun 2004 20:05:18 -0400 (EDT)
On Tue, 1 Jun 2004, M. Dodge Mumford wrote:
> Paul D. Robertson said:
>
> > If it can't be attacked, then arguably, it doesn't need to be fixed.
>
> That sentiment surprises me a bit. It appears to me to violate the concept of defense in depth. Blocking the exploit path to a vulnerability may mitigate the risk greatly, but the vulnerability still remains. In your instance, the exploit path would involve attacking your host operating system that's performing the firewalling. I would think the point of mitigating the risk is to buy you time to fix the vulnerability. That "time to fix" may be "until Longhorn is released." Which assumes that Longhorn (or, broadly, version++) will fix the vulnerability.
Blocking the exploit path should be viewed in the context of "defense in depth", and a person has to avoid tunnel vision. At my present place of employment, one of the CISSPs had tunnel vision to the effect that, in scanning systems for potential sploitable services, he had the impression that if he could not touch a service with his scanner, that in and of itself was an issue; never mind that our unix toolsets used a number of apps to provide "defense in depth", and thus his scanner was 'running' into them and they were doing their job, blocking his scans to those services. Was this a problem? Only in his eyes....

Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

testing, only testing, and damn good at it too!