Re: Host-Base Firewall

[Adriel Desautels <adriel () netragard com>]

No problem.

In all honesty security is never something that anyone can ever be 100% 
successful at. Everything, everywhere, will always have a vulnerability 
its just a question about how much vulnerability someone is willing to 
accept. Hence, acceptable risk.

I do not disagree with you about technology either, I just didn't want 
to mislead people and allow them to think that technology alone would 
solve their security problems. I think that the ratio of technology to 
policies and procedures varies in acceptability depending on ones 
acceptable risk levels.

If you are in the business of protecting cup-cakes then you can afford a 
higher level of risk and exposure than if you are in the business of 
protecting bio-weapons.

I think that the real trick here is to help educate the community about 
how to decide what is right for them. There is no one solution for the 
masses, but there most certainly is a solution for each individual 
(business, person, etc). Hence why I asked about interesting white paper 
topics. ;]

Regards,
        Adriel T. Desautels
        Chief Technology Officer
        Netragard, LLC.
        Office : 617-934-0269
        Mobile : 617-633-3821
        http://www.linkedin.com/pub/1/118/a45

        Join the Netragard, LLC. Linked In Group:
        http://www.linkedin.com/e/gis/48683/0B98E1705142

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know  : http://tinyurl.com/26pjsn


krymson () gmail com wrote:
> Thank you for the response to my question and others. The tone of some of your responses is very dismissive of technology 
> (Windows firewall != security), while you trumpet "policies, procedures, and training" in a way that makes it sound 
> like that will save us all.
>
> I think this might just be a communication issue, since you blend them together more in your response below...
>
> I think, however, you and I would simply disagree (which is fine since there is no correct answer!) on the weight given to each of the building blocks of security, which include technology, policies, procedures, and training. I'm far more on the side of technology, because ultimately I can't force anyone to chose to do anything smart and secure. 
>
> Just like the technology you say will be broken someday (an assumption I share), I would counter that people will 
> always be broken someday as well. I see this break down just as much or more so (ever hold the door for the cutie 
> behind you?) than technology, but I at least know which one I can trust to some degree.
>
> In the end, it is a blending of everthing that can add value, not the denouncing of measures. I think we maybe agree on 
> that, to a varied degree, so I won't drag this out further. :)
>
>
>
> <- snip ->
> Incorrect, but firewalls do not equal security. They equal a component 
> of security that provides you with a reasonable demarcation point 
> between one network and another. Good and strong security is a process 
> that includes well written policies, procedures, training, technology, 
> etc. Technology is near useless if the people that are using it are not 
> trained properly and are unaware of what threat they are trying to 
> defend against.
>
> Fancy door licks, card/biometric authentication, and mantraps can all be 
> circumvented, especially if well trained people are not present.
>
> I remember once we were testing a facility that had a mantrap with 
> biometric hand scanners. I watched one of the employees let me into the 
> server area and took note of his pin code as he typed it into the hand 
> scanner. Later on during the test I managed to take his card from his 
> desk, stick my hand in the scanner, and type in the code and the door 
> opened! As it turns out the so called biometric scanner only measured 
> the size of my hand which was nearly the same size as his (pretty weak).
>
> So, not all scanners, door locks, etc are effective. IMHO, most 
> biometric scanners, not all, are good for show and thats about it. There 
> are other more obvious ways to bypass such technologies, but I won't go 
> into those unless people want to hear it.
>
> Had the security guard been well trained and not let me see his pin, not 
> left his card on his desk in his open office, then I would have had to 
> use a different technique to get in. Had the policies and procedures 
> that were written been followed, I would not have been able to get in.
>
> Technology is far from useless, but it can become ineffective when the 
> people supporting it don't know how to do their jobs, or just become lazy.
>
> Regards,
> Adriel T. Desautels
> Chief Technology Officer
> Netragard, LLC.
> Office : 617-934-0269
> Mobile : 617-633-3821
> http://www.linkedin.com/pub/1/118/a45
>
> Join the Netragard, LLC. Linked In Group:
> http://www.linkedin.com/e/gis/48683/0B98E1705142
>
> ---------------------------------------------------------------
> Netragard, LLC - http://www.netragard.com - "We make IT Safe"
> Penetration Testing, Vulnerability Assessments, Website Security
>
> Netragard Whitepaper Downloads:
> -------------------------------
> Choosing the right provider : http://tinyurl.com/2ahk3j
> Three Things you must know : http://tinyurl.com/26pjsn
>
> krymson (at) gmail (dot) com [email concealed] wrote:
> > So, are you saying that because a firewall can't make every perfect decision, they do not equal security? I wonder, do 
> > they add any value to you at all? What if they do DPI and make smarter decisions?
> >
> > So if security cannot be found in hardware, does that mean a fancy door lock, card/biometric authentication, and 
> > mantrap have no value?
> >
> > Personally, I find value in firewalls. Sure, the security they offer is not perfect, but that doesn't discount them as 
> > being a part of a solid security regimen. In fact, while there are journalists and other part-time ITers who regularly call 
> > out about the widening or diminishing perimeters, there is still a definite need to separate networks of different trust 
> > levels to some degree or other.
> >
> >
> >
> > I know there will be some here that can smell the straw for the hay in the above, but such a tactic can be useful to 
> > find the boundaries.
> >
> >
> > <- snip ->
> > All,
> > Firewalls are packet control devices. They do little more than control 
> > the flow of traffic into and out of your network. Some of them contain 
> > "defensive" capabilities such as IPS. Those defenses make decisions 
> > based on the nature of the traffic. Those decisions aren't as accurate 
> > as they should be because the very medium from which they are forming 
> > "opinions" is flawed. Traffic can be spoofed/forged/manipulated, so how 
> > can one trust it.
> >
> > Security is more of a process than anything else. It is enforced by 
> > policies, procedures, and the people using technology. Security can not 
> > be found via hardware. This is a bit philosophical, but I can back this 
> > up if anyone doesn't understand my perspective.
> >
> > Regards,
> > Adriel T. Desautels
> > Chief Technology Officer
> > Netragard, LLC.