Firewall Wizards mailing list archives
RE: Vulnerability Response (was: BGP TCP RST Attacks)
From: Dave Piscitello <dave () corecom com>
Date: Thu, 27 May 2004 09:29:45 -0400
At 06:30 PM 5/26/2004 -0400, Marcus J. Ranum wrote:
> Ben Nagy wrote:
>> there are two evolving solution spaces that solve real problems. Host based vulnerability mitigation
>
> The big problem with host based anything is that the management effort scales with the number of hosts.
Agreed. Done in a vacuum, host vulnerability assessment illustrates how poorly you are configuring and maintaining your hosts. Moreover, if vulnerability mitigation is addressed per host, based on scanning results, you have to question whether you ever achieve uniform security policy. But don't you think you can manage risk better if you mitigate by central policy definition and patch management? I've used the CIS security tool (includes HFnetchk) and templates one-off with both MMC plug-in and local policy editing. This is hours per computer, and does not scale even in my home office. But if you use a template and push a configuration from a central policy server to all clients, it's more efficient, and uniform.
>> and anything that allows an organisation to condense and prioritise information about where they are exposed to known vulnerabilities in realtime.
>
> Asset management, change control, and security workflow are all good, yes. Condensing and prioritizing is just part of it. I'm not at all convinced that it's enough. After all, if you condense and prioritize the "must fix: disaster" list for many companies you'll get a list so long that they'll decide to do something else, instead. Anything else, in fact. :)
Perhaps initially, but this is a systemic problem, no? Anyone with kids knows the "clean the room" syndrome, and security operations are like parents with lots of messy children. Each child does little or nothing for a long long time, until the only way to clean his or her room is to literally empty it and restore order and cleanliness. But if the effort to establish the baseline is followed by more disciplined administration and housekeeping, the must fix disaster list is shorter, and more suitable to prioritization.
> "None of our users would accept that kind of solution!" they cried.
If this attitude is pervasive, then the client wasted your time and spent their money unwisely.
> Therein lies the rub.

Hamlet, Act III: "To die, to sleep; To sleep, perchance to dream - there's the rub; ..."
> You *think* host-based vulnerability mitigation (what *is* that, by the way? it sounds like marketing...) is going to work. But that's just because not enough users have TRIED it enough to figure out how to politically sandbag it, yet. But don't worry, they will. Remember, users are supposed to be running host-based antivirus, too. :P
Curmudgeon factor is high today, eh Marcus?

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards