Fw: No Security is Bad Security

[sseidler () EASTERNDATACOMM COM (Scott Seidler)]

----------
> From: Scott Seidler <sseidler () easterndatacomm com>
> To: BUGTRAQ () netspace org
 Subject: re: No Security is Bad Security
 Date: Wednesday, February 03, 1999 10:23 AM



 Forwarding this FYI to Bugtraq users

----------


 This is Re: John "E.R." Jasen "No security is Bad Security

 I saw John's dilemma on bugtraq.

This issue is a constant battle with all  of
 My customers who want access to the internet.
 It seems that the lack of adequate security policies and, as in most
 cases, lack of the forsight to see that any amount of money spent on
security would be well spent.

 Most people feel that their being a "small" company, or not being "well
known", somehow leaves them in a position where they
 are "not" or "less" vunerable to intrusion.

 John, obviously, knows from first hand knowledge that this type of
thinking can be, and usually in time is, dangerous.

 It seems that the more you can spend on a firewall and other security
measures, the better you are at protection.

While no firewall  will claim 100% protection, we have learned that some
are better than others for simple reasons.

Software based firewalls, while they usually have more options to integrate
directly, might require a more technical
 suport base internally than most smaller companies or agencies may have.

 Additionally, the daily upkeep and constant vigil to find out about
software patches and vunerabilities tend to be secondary (or third, or
fourth, etc) to the daily jobs of most systems people. Thus old bugs and
often blatant overlooks become the  doorway with the "open for business"
sign hanging above them.

 Unfortunately, basing a firewall on a multpile use operating system (NT,
UNIX, etc) can leave unexpected doorways open and allows for opportunity
for "pilot error" mistakes. Just the time to keep up with them all is too
great for most system managers.

So far we have implemented successfully many hardware based firewalls. The
positives on this type of platform far outweigh the marginal extra cost for
the purchase price. These are single function - Firewall only - types of
devices.

 Some hardware based platforms have no user accessable operating system to
have potential open ended problems with, and right out of the box they seem
 to set up with limited commands when acting as a one way only firewall. Of
course there are many more programming options in these units that go way
beyond the scope of this posting and are, as Aleph has pointed out to me on
the first issue of this email (appreciated by the way Aleph - thanks), too
vendor specific to really elaborate on.

Suffice to say that Network Address Translation (NAT) and Protocol Address
Translation (PAT) are not the only things to base
a Firewall purchase on. There are many other options and hooks that make a
really good firewall, such as interaction with other
devices (routers, high end authentication, encryption, etc.).

 Addtionally, Two types of products that allow for on-line
monitoring/reporting/ detection and also allow for security audits and even
testing of vunerablities are a must for any budget that can afford them.

You can try Cisco (http://www.cisco.com) or Network Associates
(http://www.nai.com/default_ngc.asp) for examples of these products.

Some of these fit really well into the big router manufacturer operating
system schemes by even allowing an automatic rewrite to
the ACL (access control list) to block a detected party. And dont forget
the ever possible "page me when you find something wierd" option too.

Both of these systems are not inexpensive with price tags of around 10k for
the systems I have seen.

I have had great feedback on these types of products from my customers -
especially the firewalls and felt i could dissiminate the info to my fellow
Bugtraq-ers.

email: sseidler () easterndatacomm com
http://home.att.net/~annie.seidler/ (netscape is always best)