Firewall Wizards mailing list archives

RE: Vulnerability Response


From: "Ben Nagy" <ben () iagu net>
Date: Thu, 27 May 2004 09:56:34 +0200

-----Original Message-----
From: Marcus J. Ranum [mailto:mjr () ranum com] 
[...]
Ben Nagy wrote:
To me, amongst the plethora of product, service and snake oil there are
two evolving solution spaces that solve real problems. Host based
vulnerability mitigation

The big problem with host based anything is that the 
management effort scales with the number of hosts.

Not linearly, though. I am convinced that it can be done - AV vendors
already do it, MS is shipping more and more default security plus they even
have a (very very basic) host-based firewall which will be enabled by
default - I don't hear users screaming that XP is "less compatible" than
Win95. Manageability of host-based agents is basically a solved problem -
let's move on.

[...]
and anything that allows an organisation to condense and prioritise 
information about where they are exposed to known vulnerabilities in 
realtime.

Asset management, change control, and security workflow are 
all good, yes. Condensing and prioritizing is just part of 
it. I'm not at all convinced that it's enough. After all, if 
you condense and prioritize the "must fix: disaster" list for 
many companies you'll get a list so long that they'll decide 
to do something else, instead.
Anything else, in fact. :)

One of my fundamental premises - no company will get secure without
corporate will to do so. I agree, and we all know a lot of examples. However
today even the places that _do_ have the will are frustrated by either
information overload, confusion regarding what various solutions _do_, and
the nitty-gritty of getting done in practice what we tell them is easy in
theory (like patch, for example). 

To me, change control is an _enemy_ when talking about rank and file
machines, not a friend. If you start with secure boxes, strip down the
services and then monitor the critical applications for problems then change
control rocks. If you start with a million desktop PCs, build a standard
image based on what works for all the corporate apps and then run change
control then you end up with a million insecure PCs that nobody has the
authority to fix with any kind of agility. 

Firewalls remain a critical part of any infrastructure, of course, 
but, to be frank, they just don't work as well anymore.

Firewalls are perfectly good tools that are regularly mis-used.
[...]
I did a talk the other day in which I outlined the "old-school" secure
firewall approach

Old school networks had fewer entry points. My only real point is that true
chokepoint networks are (sadly) a dying breed. I have no doubt that you are
amused by the trend for firewalls to return to application intelligence like
it's a new thing, but not even the mjr perfectly secure firewall will work
if the traffic can get to the hosts another way.

You *think* host-based vulnerability mitigation (what *is* that, by the
way? it sounds like marketing...)

LOL. It means putting stuff on hosts to try and stop zero-day
vulnerabilities, or known ones for which you are not yet patched/fixed. The
marketing term would probably be prevention - I use mitigation to underline
that it's Just Another Layer and not pixie dust.

is going to work. But that's just because not enough users have TRIED it
enough to figure out how to politically sandbag it, yet. But don't worry,
they will. Remember, users are supposed to be running host-based antivirus,
too. :P

And AV does a reasonable job, within its defined scope, provided it is used.
It has also reached the point of "no brainer" security investments - it's
what / how much, instead of whether. That's a good thing.

Unlike marketing (that smarts, by the way ;) all I'm claiming is that those
two EVOLVING solution sets are interesting, and pointed in the right
direction, unlike many which are boring revamps of existing tech or security
appendices that basically do nothing for 90% of the marketplace.

Coffee now.

ben

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards