funsec mailing list archives

Re: standards status in the industry - opinion?


From: Barrie Dempster <barrie () reboot-robot net>
Date: Mon, 09 Jan 2006 00:18:41 +0000

On Mon, 2006-01-09 at 12:01 +1300, Nick FitzGerald wrote:

> Nah -- SRP is very, very much a poor man's form of whitelisting.  It
> does not work properly and never did.  I'm sure it was thrown together
> over a sleepless weekend by two drunk lemurs who happened to wander
> onto the MS campus with the objective of knocking out a Shakespearian
> sonnet or two by engaging in their own form of "a million monkeys
> typing"...


I didn't say it was great. But it is white-listing functionality. It
doesn't have much competition or much usage so MS don't focus too much
on making it worthwhile.


> Do these people still wear diapers?

They live in a world where you can have distributed Kerberos
authentication, LDAP resource location and a whole pile of other
technologies without knowing anything about them. Yes, this is
definitely diaper land. There is a real belief that "any monkey can run
a Windows network", when the truth is that "any monkey can run a Windows
network - badly!"

> It is a fundamental tenet of security that I cannot define your
> security policy.

They are not expected to define the policy, but provide the signatures
so that the administrator can define the policy. There is no point every
admin auditing their network and trying to figure out if this copy of
file.exe is the same as the official one by creating sigs for both, if
the vendor can give them a repository to compare to - reducing their
workload. It's the repositories I think are needed, as well as the
software to manage them, both locally and remotely. In much the same way
that update systems work for many Linux distributions, although with a
slightly different focus.

> If you don't like that and won't do the work to sort out your own
> network you _definitely_ should not be allowed to connect to the
> Internet...

I think they would do the work, if the vendor backed them up.
Identifying and creating a signature for every file on a network is no
mean feat. If your OS vendor does their own stuff and you just have to
do the 3rd parties (or even just the 3rd parties that didn't have the
foresight to create their sigs for the OSs they run on), the job is made
much easier. Windows administrators generally want central
administration, distributed storage, redundancy, ease of use and, most
importantly, they want someone else to set it all up for them, which is
one reason why Active Directory is so widespread and hard to replace.

> Saying
> I want to run these programs that my OS provides.
> is entirely different from saying ...
> I want to run these programs that my OS provides and I've identified
> their signatures as ....

That's a two-step process: if the vendor or an ISV provides the
signatures for you and all you have to do is check a box, then add in
your 3rd party stuff, your job is much easier - although admittedly the
3rd party stuff could well be a major task in itself.

> Of course, when I said someone else cannot do your security policy for
> you, I mean in the "out of the box" kind of way that Barrie says his
> clients/informants expect.  Well-informed and trained security
> consultants should be able to do a good policy for others after
> carefully examining their requirements, but a "one size fits
> many/most/all" type approach is not suitable -- it reflects the
> opposite of the "security is process" ideal that we espouse so often.

I absolutely don't advocate them setting the policy, just providing the
information so that the admins can.

> As discussed elsewhere in the thread though, it was somewhat
> impractical _at the time_ on the predominant small computers (PCs,
> Macs, etc) with their lack of memory protection and other resource
> limitations and the larger systems didn't need something like this as
> they were (mostly) competently run (and mostly not on or even near, the
> Internet).

Indeed yeh. For now, in a decent sized network that has competent IT
staff, whitelisting can work - to an extent. However, I don't know of a
project that attempts to tackle this in any practical way. I don't
consider administrators creating their own sigs, for components of the
OS, in any way practical. It makes much more sense for this to be done
centrally by the provider, especially from a Windows administrator's
point of view.


-- 
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

"He who hingeth aboot, geteth hee-haw" Victor - Still Game

blog:  http://reboot-robot.net
sites: http://www.bsrf.org.uk - http://www.security-forums.com
ca:    https://www.cacert.org/index.php?id=3
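The two-step model Barrie describes above (a vendor-published hash repository for the OS's own files, plus a locally maintained list for third-party software, with the admin only checking the result) can be illustrated with a small audit script. This is an added example, not code from the post, from Microsoft's SRP, or from any real vendor repository: the file contents, manifests and paths are all constructed here, SHA-256 is this example's choice of digest, and keying the manifests by relative path (so that a known file whose hash has changed is reported as "modified" rather than merely "unknown") is a design choice of the example rather than how SRP hash rules work.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries need not be read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_inventory(root):
    """Hash every regular file under root, keyed by its '/'-separated relative path."""
    inventory = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            inventory[rel] = sha256_file(full)
    return inventory


def audit(inventory, vendor_manifest, local_manifest):
    """Classify each inventoried file against the two manifests.

    'vendor'   - matches the hash the OS vendor published for that path
    'local'    - matches a hash the administrator added for third-party software
    'modified' - a known path whose hash no longer matches its manifest entry
    'unknown'  - nobody has vouched for this file at all
    """
    result = {"vendor": [], "local": [], "modified": [], "unknown": []}
    for rel, digest in sorted(inventory.items()):
        if rel in vendor_manifest:
            bucket = "vendor" if vendor_manifest[rel] == digest else "modified"
        elif rel in local_manifest:
            bucket = "local" if local_manifest[rel] == digest else "modified"
        else:
            bucket = "unknown"
        result[bucket].append(rel)
    return result


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario (not real binaries): two vendor files and one
    third-party tool are inventoried, then one vendor file changes and an
    unvouched-for file appears after the manifests were issued.
    Returns the audit result."""
    vendor_files = {
        "windows/notepad.exe": b"constructed vendor notepad build 1",
        "windows/calc.exe": b"constructed vendor calc build 1",
    }
    third_party = {"apps/tool.exe": b"constructed third-party tool 2.0"}
    # Step one: the vendor publishes hashes for its own files.
    vendor_manifest = {p: hashlib.sha256(d).hexdigest() for p, d in vendor_files.items()}
    # Step two: the admin adds hashes only for the 3rd-party software they deploy.
    local_manifest = {p: hashlib.sha256(d).hexdigest() for p, d in third_party.items()}
    with tempfile.TemporaryDirectory() as root:
        for p, d in {**vendor_files, **third_party}.items():
            _write(root, p, d)
        # Changes made on the machine after the manifests were issued.
        _write(root, "windows/calc.exe", b"constructed vendor calc build 1 plus unexpected bytes")
        _write(root, "apps/unexpected.exe", b"constructed file nobody signed off on")
        return audit(build_inventory(root), vendor_manifest, local_manifest)


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(f"{bucket:9s} {files}")
```

Run against a real tree, `build_inventory` would be pointed at the system root and the two manifests loaded from the vendor's repository and the site's own store; the point of the split is that the admin's workload is only the `local_manifest` half, which is exactly what the post argues for.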

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
