Firewall Wizards mailing list archives
RE: Vulnerability Response
From: "Ben Nagy" <ben () iagu net>
Date: Thu, 27 May 2004 09:56:34 +0200
> -----Original Message-----
> From: Marcus J. Ranum [mailto:mjr () ranum com]
> [...]
> Ben Nagy wrote:
> >To me, amongst the plethora of product, service and snakeoil there are
> >two evolving solution spaces that solve real problems.
> >Host based vulnerability mitigation
>
> The big problem with host based anything is that the management effort
> scales with the number of hosts.
Not linearly, though. I am convinced that it can be done - AV vendors already do it, MS is shipping more and more default security plus they even have a (very very basic) host-based firewall which will be enabled by default - I don't hear users screaming that XP is "less compatible" than Win95. Manageability of host-based agents is basically a solved problem - let's move on.

[...]
> >and anything that allows an organisation to condense and prioritise
> >information about where they are exposed to known vulnerabilities in
> >realtime.
>
> Asset management, change control, and security workflow are all good, yes.
> Condensing and prioritizing is just part of it. I'm not at all convinced
> that it's enough. After all, if you condense and prioritize the "must fix:
> disaster" list for many companies you'll get a list so long that they'll
> decide to do something else, instead. Anything else, in fact. :)
>
> One of my fundamental premises - no company will get secure without
> corporate will to do so.

I agree, and we all know a lot of examples. However, today even the places that _do_ have the will are frustrated by either information overload, confusion regarding what various solutions _do_, or the nitty-gritty of getting done in practice what we tell them is easy in theory (like patch, for example). To me, change control is an _enemy_ when talking about rank and file machines, not a friend. If you start with secure boxes, strip down the services and then monitor the critical applications for problems then change control rocks. If you start with a million desktop PCs, build a standard image based on what works for all the corporate apps and then run change control then you end up with a million insecure PCs that nobody has the authority to fix with any kind of agility.
> >Firewalls remain a critical part of any infrastructure, of course, but,
> >to be frank, they just don't work as well anymore.
>
> Firewalls are perfectly good tools that are regularly mis-used.
>
> [...]
>
> I did a talk the other day in which I outlined the "old-school" secure
> firewall approach

Old school networks had fewer entry points. My only real point is that true chokepoint networks are (sadly) a dying breed. I have no doubt that you are amused by the trend for firewalls to return to application intelligence like it's a new thing, but not even the mjr perfectly secure firewall will work if the traffic can get to the hosts another way.
> You *think* host-based vulnerability mitigation (what *is* that, by the
> way? it sounds like marketing...)

LOL. It means putting stuff on hosts to try and stop zero-day vulnerabilities, or known ones for which you are not yet patched/fixed. The marketing term would probably be prevention - I use mitigation to underline that it's Just Another Layer and not pixie dust.

> is going to work. But that's just because not enough users have TRIED it
> enough to figure out how to politically sandbag it, yet. But don't worry,
> they will. Remember, users are supposed to be running host-based antivirus,
> too. :P

And AV does a reasonable job, within its defined scope, provided it is used. It has also reached the point of "no brainer" security investments - it's what / how much, instead of whether. That's a good thing. Unlike marketing (that smarts, by the way ;) all I'm claiming is that those two EVOLVING solution sets are interesting, and pointed in the right direction, unlike many which are boring revamps of existing tech or security appendices that basically do nothing for 90% of the marketplace.

Coffee now.

ben

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards