Full Disclosure mailing list archives
RE: perfect security architecture (network)
From: "Charles Heselton" <charles.heselton () gmail com>
Date: Tue, 9 Aug 2005 10:29:32 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Seeing as how this thread is RAPIDLY going OT (and is probably already OT for the list), in the interest of brevity....

You're playing on semantics. One can play the semantics game forever. What you're suggesting doesn't really hold water. You or I might not use a bank vault to store $50 bucks, but a homeless person might kill for it. Or I might use a bank vault if I'm going to put in $50 bucks continually. Money is money, data is data, and more often than not, data is money.

I'm not familiar with the OSSTMM, but I tend to follow the philosophies and guidance in the Network Security Credo: http://staff.washington.edu/gray/papers/credo.html . I like one of the quotes in the prologue:

"It's naive to assume that just installing a firewall is going to protect you from all potential security threats. That assumption creates a false sense of security, and having a false sense of security is worse than having no security at all."
Kevin Mitnick, eWeek, 28 Sep 00

Case in point: I don't have an enterprise network at my home that stores top secret proprietary or government data, but I still have an anti-virus solution, firewall(s), IDSs, and a few other tricks in my bag that help me to ensure my network is secure. Overkill? Not in my house. ;-)

-- 
- Charlie, CBSFR
5A27 58D2 C791 8769 D4A4 F316 7BF8 D1F6 4829 EDCF

-----Original Message-----
From: Chuck Fullerton [mailto:cfullerton () fullertoninfosec com]
Sent: Monday, August 08, 2005 7:51 PM
To: charles.heselton () gmail com; cobradead () gmail com; full-disclosure () lists grok org uk
Subject: RE: [Full-disclosure] perfect security architecture (network)

> There IS NO *perfect* security.
> If you have a customer that is asking for "perfect security", tell them it can't be done.

I beg to differ. If you have a customer that's asking for Perfect Security then read the OSSTMM. (Better yet, send them to my company.) ;-)

If you don't believe me then check out my whitepaper, "How to Make the 'Perfect' PB&J". It can be downloaded at http://www.infosecwriters.com/texts.php?op=display&id=236

People that are asking for Perfect Security are those that want the level of security they need for their environment. You're not going to use a Bank Vault to secure only $50.00. It's overkill and their ROI won't match up. So the next time a customer asks you for "Perfect Security" they are telling you that they don't want to be oversold.

Sincerely,
Chuck Fullerton

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Charles Heselton
Sent: Monday, August 08, 2005 9:36 PM
To: cobradead () gmail com; full-disclosure () lists grok org uk
Subject: RE: [Full-disclosure] perfect security architecture (network)

*** PGP SIGNATURE VERIFICATION ***
*** Status: Bad Signature
*** Alert: Signature did not verify. Message has been altered.
*** Signer: Charles Heselton <charles.heselton () gmail com> (0x4829EDCF)
*** Signed: 8/8/2005 6:36:24 PM
*** Verified: 8/8/2005 10:00:46 PM
*** BEGIN PGP VERIFIED MESSAGE ***

Although Daniel's comments may be tongue-in-cheek, there is some truth. Here are a few ideas that have become more or less mantras for me, personally....

There IS NO *perfect* security.
Defense in depth.
The larger your network is, the less effective your perimeter becomes.
The end user is always the weakest link.

There may be a few more that people feel I have left out. Basically, if you're asking what I think you're asking, you have to be able to cater the level of security you're providing to the needs of your customer. Anti-virus/spyware software, firewalls, IDS/IPSs, "Security Minded" routing...... all of these things have a part in an ideally secure situation. The point is to identify the most critical assets and possible vectors of attack. Then you design a security architecture that 1) addresses those vectors, and 2) has multiple layers so that, should one preventative method fail, another will detect/prevent (defense in depth). There will always be someone out there who is able to figure out a hole, with enough knowledge, experience, persistence, and luck. If you have a customer that is asking for "perfect security", tell them it can't be done.

If you're asking a philosophical question, well, secure application development can make a security professional's life a little easier, but it's not going to solve the fundamental problem. But, just like the rest of the security tools (firewalls, etc.), more secure applications and programming techniques only play a part.

HTH.

-- 
- Charlie
5A27 58D2 C791 8769 D4A4 F316 7BF8 D1F6 4829 EDCF

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Daniel H. Renner
Sent: Monday, August 08, 2005 9:08 AM
To: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] perfect security architecture (network)

Good Lord C0br4,

Did your new client give you a shopping list or what?

Use the force C0br4! The force (of the right forum) will protect you!

-- 
Dan Renner
Los Angeles Computerhelp
http://losangelescomputerhelp.com

On Mon, 2005-08-08 at 12:00 +0100, full-disclosure-request () lists grok org uk wrote:

Date: Mon, 8 Aug 2005 11:04:34 +0530
From: C0BR4 <cobradead () gmail com>
Subject: [Full-disclosure] perfect security architecture (network)
To: websecurity () webappsec org
Message-ID: <457462ba0508072234bc6216c () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

Hey guys,

Have a couple of questions, need answers plz...........

There are three attacks that jeopardize Information security.

------------------------------
- secure Network -
------------------------------
- secure Host -
------------------------------
- secure Application -
-------------------------------

How can we optimize security? Stopping attacks at network or building secure applications.. How should we deal with these attacks? People talk about Firewall, IDS/IPS etc.. What's best?

If asked to give a perfect security architecture (network) what would you suggest? Given a Firewall, Router, IDS, IPS and Anti-virus.

thank you
C0br4

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

*** END PGP VERIFIED MESSAGE ***

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQvjn+3v40fZIKe3PEQKUCQCcCtQG0JyJqQx74EPu148IKqbIWPgAoNFs
XPD83k+j5MjOOvHCmvZX6Lrz
=apmM
-----END PGP SIGNATURE-----
Current thread:
- perfect security architecture (network) C0BR4 (Aug 08)
- RE: perfect security architecture (network) Aditya Deshmukh (Aug 08)
- <Possible follow-ups>
- Re: perfect security architecture (network) Daniel H. Renner (Aug 08)
- RE: perfect security architecture (network) Charles Heselton (Aug 08)
- RE: perfect security architecture (network) Chuck Fullerton (Aug 08)
- RE: perfect security architecture (network) Charles Heselton (Aug 08)
- RE: perfect security architecture (network) Charles Heselton (Aug 09)
- Re: perfect security architecture (network) Aycan iRiCAN (Aug 09)
- Re: perfect security architecture (network) C0BR4 (Aug 10)
- RE: perfect security architecture (network) Chuck Fullerton (Aug 10)