Firewall Wizards mailing list archives
Re: firewall-wizards Digest, Vol 64, Issue 3 phishing
From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Mon, 15 Apr 2013 20:57:56 -0700
Dave Piscitello writes:

> I think your premise - that we are comfortable with this architecture - is wrong, at least for this choir.
Well, the recommendations are coming from the list. If you're going to tell me that sometimes we recommend things that we're none too happy about, I understand. But I still think it's a problem.

We would reduce the number of real-world information security problems by -at least- a factor of ten if we simply stopped doing things that we, collectively, know are wrong. I don't say that casually, and I think it's one of those things that is a) profoundly shocking, and b) steadily getting worse rather than better.

And here, as before, I mean `we' in the collective sense, all network/information security types out there working. I'm not trying to single out anyone on the mailing list, and I'm not trying to exclude myself. My argument is that the -structural- security of our networks is, as a general rule, getting worse and worse and no matter how much we tell ourselves it can't be helped and no matter how many spiffy quote security unquote quote appliances unquote we allow vendors to sell us this is still the fundamental reality.

As far as virtualisation goes, I think it's a profound missed opportunity. In principle things like AWS AMIs make doing minimal footprint, application-specific OS installs with everything unnecessary turned off, central logging, behaviour-based auditing based on a known-good baseline, and all those other things that used to be comparatively expensive to do much MUCH more straightforward. But of course this isn't how, as a rule, virtualised deployments are architected because doing things this way just isn't even in most organisations' decision tree.

I realise that I'm probably doing two stupid things here: preaching to the choir, and complaining about a problem instead of fixing it. But this is something that I feel like I've spent years and years throwing effort at it (professionally, in contributing open source code to the community at large, in mentoring other sysadmins/network admins, participating in SAGE back when they were still a going concern, and so on) and things just keep getting worse and worse.

-spb
Current thread:
- Re: firewall-wizards Digest, Vol 64, Issue 3 phishing Dave Piscitello (Apr 12)
- Re: firewall-wizards Digest, Vol 64, Issue 3 phishing Kyle Creyts (Apr 12)
- Re: firewall-wizards Digest, Vol 64, Issue 3 phishing Dave Piscitello (Apr 15)
- Re: firewall-wizards Digest, Vol 64, Issue 3 phishing Marcus Ranum (Apr 15)
- Re: firewall-wizards Digest, Vol 64, Issue 3 phishing Dave Piscitello (Apr 15)
- Re: firewall-wizards Digest, Vol 64, Issue 3 phishing Bill Kyle (Apr 15)
- Re: firewall-wizards Digest, Vol 64, Issue 3 phishing Magosányi Árpád (Apr 16)
- Re: firewall-wizards Digest, Vol 64, Issue 3 phishing David Lang (Apr 30)
- Re: firewall-wizards Digest, Vol 64, Issue 3 phishing Dave Piscitello (Apr 15)
- Re: firewall-wizards Digest, Vol 64, Issue 3 phishing Stephen P. Berry (Apr 16)
- Re: firewall-wizards Digest, Vol 64, Issue 3 phishing Kyle Creyts (Apr 12)