nanog mailing list archives
RE: bloomberg on supermicro: sky is falling
From: "Naslund, Steve" <SNaslund () medline com>
Date: Wed, 10 Oct 2018 15:25:02 +0000
You are free to disagree all you want with the default deny-all policy but it is a DoD 5200.28-STD requirement and NSA Orange Book TCSEC requirement. It is baked into all approved secure operating systems including SELINUX so it is really not open for debate if you have meet these requirements. Remember we were talking about Intel agency systems here, not the general public. It is SUPPOSED to be painful to open things to the Internet in those environments. It needs to take an affirmative act to do so. It is a simple matter of knowing what each and every connection outside the network is there for. It also reveals application vulnerabilities and compromises as well as making it easy to identify apps that are compromised. In several of the corporate networks I have worked on, they had differing policies for different network zones. For example, you might allow your users out to anywhere on the Internet (at least for common public protocols like HTTP/HTTPS) but not allow any servers out to the Internet except where they are in a DMZ offering public services or destination required for support (like patching and remote updates). Seemed like good workable policy. Steven Naslund Chicago IL
Hi Steve, I respectfully disagree. Deny-all-permit-by-exception incurs a substantial manpower cost both in terms of increasing the number of people needed to do the job and in terms of the reducing quality of the people willing to do the job: deny-all is a more painful environment to work in and most of us have other options. As with all security choices, that cost has to be balanced against the risk-cost of an incident which would otherwise have been contained by the deny-all rule. Indeed, the most commonplace security error is spending more resources securing something than the risk-cost of an incident. By voluntarily spending the money you've basically done the attacker's damage for them! Except with the most sensitive of data, an IDS which alerts security when an internal server generates unexpected traffic can establish risk-costs much lower than the direct and indirect costs of a deny-all rule. Thus rejecting the deny-all approach as part of a balanced and well conceived security plan is not inherently an error and does not necessarily recommend firing anyone. Regards, Bill Herrin
Current thread:
- Re: CVV (was: Re: bloomberg on supermicro: sky is falling), (continued)
- Re: CVV (was: Re: bloomberg on supermicro: sky is falling) Chris Adams (Oct 11)
- CVV (was: Re: bloomberg on supermicro: sky is falling) bzs (Oct 11)
- RE: bloomberg on supermicro: sky is falling Naslund, Steve (Oct 10)
- Re: bloomberg on supermicro: sky is falling Brian Kantor (Oct 10)
- Re: bloomberg on supermicro: sky is falling Suresh Ramasubramanian (Oct 10)
- RE: bloomberg on supermicro: sky is falling Naslund, Steve (Oct 10)
- Re: bloomberg on supermicro: sky is falling Suresh Ramasubramanian (Oct 10)
- RE: bloomberg on supermicro: sky is falling Naslund, Steve (Oct 10)
- Re: bloomberg on supermicro: sky is falling Brandon Butterworth (Oct 10)
- Re: bloomberg on supermicro: sky is falling William Herrin (Oct 10)
- RE: bloomberg on supermicro: sky is falling Naslund, Steve (Oct 10)
- Re: bloomberg on supermicro: sky is falling William Herrin (Oct 10)
- RE: bloomberg on supermicro: sky is falling Naslund, Steve (Oct 10)
- Re: bloomberg on supermicro: sky is falling William Herrin (Oct 10)
- RE: bloomberg on supermicro: sky is falling Naslund, Steve (Oct 10)
- Re: bloomberg on supermicro: sky is falling Mike Hale (Oct 10)
- RE: bloomberg on supermicro: sky is falling Naslund, Steve (Oct 10)
- Re: bloomberg on supermicro: sky is falling Mike Hale (Oct 10)
- Re: bloomberg on supermicro: sky is falling Lee (Oct 10)
- Re: bloomberg on supermicro: sky is falling William Herrin (Oct 10)
- RE: bloomberg on supermicro: sky is falling Jamie Bowden (Oct 10)