RE: perfect security architecture (network)

["Charles Heselton" <charles.heselton () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Seeing as how this thread is RAPIDLY going OT (and is probably
already OT for the list), in the interest of brevity....

You're playing on semantics.  One can play the semantics game
forever. 

What you're suggesting doesn't really hold water.  You or I
might not use a bank vault to store $50 bucks, but a homeless person
might kill for it.  Or I might use a bank vault if I'm going to put
in $50
Bucks continually.  Money is money, data is data, and
more often than not, data is money.  

I'm not familiar with the OSSTMM, but I tend to follow the
philosophies 
and guidance in the Network Security Credo: 
http://staff.washington.edu/gray/papers/credo.html .

I like one of the quotes in the prologue:

"It's naive to assume that just installing a firewall is going to
protect you from all potential security threats. That assumption
creates a false sense of security, and having a false sense of
security is worse than having no security at all."  
Kevin Mitnick
eWeek 28 Sep 00  

Case in point, I don't have an enterprise network at my home that
stores top secret proprietary or government data, but I still have an
anti-virus solution, firewall(s), IDSs, and a few other tricks in my
bag that help me to ensure my network is secure.  Overkill?  Not in
my house.  ;-)

- --
- - Charlie, CBSFR
 
5A27 58D2 C791 8769 D4A4  F316 7BF8 D1F6 4829 EDCF
 
 
 

> -----Original Message-----
> From: Chuck Fullerton [mailto:cfullerton () fullertoninfosec com] 
> Sent: Monday, August 08, 2005 7:51 PM
> To: charles.heselton () gmail com; cobradead () gmail com; 
> full-disclosure () lists grok org uk
> Subject: RE: [Full-disclosure] perfect security architecture
> (network)  
>
>  >There IS NO *perfect* security.
> > If you have a customer that is asking for "perfect 
> security", tell them it
> can't be done.
>
> I beg to differ.  If you have a customer that's asking for 
> Perfect Security
> then read the OSSTMM. (Better yet, send them to my company.)  ;-)
>
> If you don't believe me then check out my whitepaper, "How to Make
> the 'Perfect' PB&J".  It can be downloaded at
> http://www.infosecwriters.com/texts.php?op=display&id=236
>
> People that are asking for Perfect Security are those that 
> want the level of
> security they need for their environment.  Your not going to 
> use a Bank
> Vault to secure only $50.00.  It's overkill and their ROI 
> won't match up.
>
> So the next time a customer asks you for "Perfect Security"  They
> are telling you that they don't want to be oversold.
>
> Sincerely,
>
> Chuck Fullerton
>
>
> -----Original Message-----
> From: full-disclosure-bounces () lists grok org uk
> [mailto:full-disclosure-bounces () lists grok org uk] On Behalf 
> Of Charles
> Heselton
> Sent: Monday, August 08, 2005 9:36 PM
> To: cobradead () gmail com; full-disclosure () lists grok org uk
> Subject: RE: [Full-disclosure] perfect security architecture
> (network)  
>
>  
> *** PGP SIGNATURE VERIFICATION ***
> *** Status:   Bad Signature
> *** Alert:    Signature did not verify. Message has been altered.
> *** Signer:   Charles Heselton <charles.heselton () gmail com> 
> (0x4829EDCF)
> *** Signed:   8/8/2005 6:36:24 PM
> *** Verified: 8/8/2005 10:00:46 PM
> *** BEGIN PGP VERIFIED MESSAGE ***
>
> Although Daniel's comments may be tongue-in-cheek, there is 
> some truth.
> Here are a few ideas that have become more or less mantras for me,
> personally....
>
> There IS NO *perfect* security.
>
> Defense in depth.
>
> The larger your network is, the less effective your perimeter
> becomes.  
>
> The end user is always the weakest link.
>
> There may be a few more that people feel I have left out.  
> Basically, if
> you're asking what I think you're asking, you have to be able 
> to cater the
> level of security you're providing to the needs of your customer.
> Anti-virus/spyware software, firewalls, IDS/IPSs, "Security Minded"
> routing......all of these thing have a part in an ideally 
> secure situation.
> The point is to identify the most critical assets and 
> possible vectors of
> attack.  Then you design a security architecture that 1) 
> addresses those
> vectors, and 2) has multiple layers that should one 
> preventative method
> fail, another will detect/prevent (defense in depth).  There 
> will always be
> someone out there who is able to figure out a hole, with 
> enough knowledge,
> experience, persistence, and luck.
>
> If you have a customer that is asking for "perfect security", 
> tell them it
> can't be done.  If you're asking a philosophical question, well
> secure application development can make a security professional's 
> life a little
> easier, but it's not going to solve the fundamental problem.  
> But, just like
> the rest of the security tools (firewalls, etc.), more secure 
> applications
> and programming techniques only play a part.
>
> HTH.
>
> --
> - Charlie
>  
> 5A27 58D2 C791 8769 D4A4  F316 7BF8 D1F6 4829 EDCF
>  
>  
>  
>
> > -----Original Message-----
> > From: full-disclosure-bounces () lists grok org uk
> > [mailto:full-disclosure-bounces () lists grok org uk] On 
> Behalf Of Daniel 
> > H. Renner
> > Sent: Monday, August 08, 2005 9:08 AM
> > To: full-disclosure () lists grok org uk
> > Subject: Re: [Full-disclosure] perfect security architecture
> > (network)
> >
> > Good Lord C0br4,
> >
> > Did your new client give you a shopping list or what?
> >
> > Use the force C0br4!  The force (of the right forum) will 
> protect you!
> > --
> > Dan Renner
> > Los Angeles Computerhelp
> > http://losangelescomputerhelp.com
> >
> >
> > On Mon, 2005-08-08 at 12:00 +0100,
> > full-disclosure-request () lists grok org uk wrote:
> > > Date: Mon, 8 Aug 2005 11:04:34 +0530
> > > From: C0BR4 <cobradead () gmail com>
> > > Subject: [Full-disclosure] perfect security architecture
> > > (network) To: websecurity () webappsec org
> > > Message-ID: <457462ba0508072234bc6216c () mail gmail com>
> > > Content-Type: text/plain; charset=ISO-8859-1
> > >
> > > Hey guys,
> > >
> > > Have couple of questions need answers plz...........
> > >
> > > There are three attacks that jeopardize Information security. 
> > >
> > >                                 ------------------------------
> > > - secure Network      -
> > > ------------------------------
> > > - secure Host           -
> > > ------------------------------
> > > - secure Application  -
> > > -------------------------------
> > >
> > > How can we optimize security? Stopping attacks at network
> > or building
> > > secure applications..
> > >
> > > How should we deal with these attacks? People talk about 
> Firewall, 
> > > IDS/IPS etc..
> > >
> > > What's best?
> > >
> > > If asked to give a perfect security architecture (network)
> > what would
> > > you suggest?  Given
> > > a Firewall, Router, IDS, IPS and Anti-virus .
> > >
> > > thank you
> > > C0br4
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
>
> *** END PGP VERIFIED MESSAGE ***
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQvjn+3v40fZIKe3PEQKUCQCcCtQG0JyJqQx74EPu148IKqbIWPgAoNFs
XPD83k+j5MjOOvHCmvZX6Lrz
=apmM
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/