Dailydave mailing list archives
Semi-anonymized moderation.
From: Dave Aitel <dave () immunityinc com>
Date: Mon, 28 Jan 2008 09:39:17 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Post from Mark Loveless, who is subscribed from a different email and hit "reply all". My moderation GUI drops anything from anyone not subscribed, so I'm "moderating" this manually.

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> Dave my man. I agree that security is an arms race for signature-based products. Though should we throw out the baby with the dirty water? Is no firewall, VLANs, route filtering, IDS, AV, central management/logging, etc. better than a lame one? And besides, perhaps some witty vendor will come up with a new solution. :)
I'll bite. I'd say, as a person who has worked on multiple security products, it is a losing battle. The network is simply hostile. Forget the firewalls with holes in them to allow users to send/receive email, web traffic, IM, plus "trusted" vendors, suppliers, contractors, overseas divisions, and an increasingly mobile workforce -- there are simple rules of physics to contend with here, and as a result the network on both sides of the firewall is hostile.

If every exploit set the evil bit, we'd just look for that one thing. However, any signature-based system has to look at all possible attacks. Even for ASIC-based systems, you run out of memory real quick. This is the physics thing I mentioned earlier. Most IDS/IPS vendors have a ceiling limit of about 1800-2000 signatures that can be active at once. NO vendor ships with all 5k-10k signatures turned on. The machine would drop packets and grind to a halt. Therefore what signatures do you pick? Only the ones that affect your user base? What about home users coming in via VPN (doubly bad, you may not support the platform AND the communication is encrypted)? Do you think anti-virus companies have it any better?

What about anomaly-based host systems? Arguably better, however there are two factors that prevent massive deployment:

1) You now have to run low-level code on all your systems. Aside from the technical issues that this may cause, your CxO types may have gotten burned the last time code was loaded on every system and it didn't prevent some massive infection. Additionally, the Gartners of the world are quick to point out that the upper right quadrant is filled with signature-based companies anyway, so any consultants/sales people wanting to make a sale have to explain away that upper quadrant in that goofy chart. Hybrid systems that use sigs for the low-hanging fruit and anomaly detection for the hard stuff might creep into the upper right quad (hopefully you know what I mean by Gartner's upper right quad, google it if you don't know).

2) It is cheaper to deploy technology at the "choke points" instead of everywhere, and A/V is about all you can expect to get on the desktop nowadays. Besides, the auditors of the world will tell your organization that due diligence is having that A/V there, on the Exchange server, and the fact you have a firewall pretty much has you covered from an audit standpoint.

My solution would be to lock down the desktops and servers via hardening, run email and web browsers in sandboxes, and replace the firewalls with router ACLs that simply take large swipes at the traffic to help create a division from the outside world. Firewalls are simply glorified routers at this point anyway, as most are configured to allow certain types of traffic right in through the front door.

I used to quote Frank Zappa's comment on modern jazz, "jazz isn't dead, it just smells funny", in presentations, saying the same thing about perimeter security. Around 2002 or so I simply started saying perimeter security is just dead. I had a very serious discussion about this very topic with Bill Cheswick around the same time, with both of us threatening to write a paper or article on the topic. Every time I hear the argument that some level of security, even lame security, is better than NO security, I think about my Zappa paraphrasing. In my opinion, lame security is WORSE than no security, simply because most of the people involved (think CxO/pointy-haired boss types) live with a sense that they are being protected, when in fact they are not. The ones with no protection are not living a lie -- they are at least AWARE they really have no security.
Mark

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFHlnf7cWrXS8hLmpIRAlV3AJ4xm+t46kKtUaFZ3zbVB9VmEUIPqwCfcNgi
yEHFuPRkLlrQEI90G/h3RQg=
=DhdV
- -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHnekTB8JNm+PA+iURAgnLAJ9/MYp/eoneY4TwIr50XRIlAZBgCgCgj8ME
48wF+iNSfnb0rOEBiF/eSpk=
=d2Lw
-----END PGP SIGNATURE-----

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
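The hybrid approach the post above describes (a small signature set for the low-hanging fruit, a per-client behavioural baseline for the traffic that matches nothing), shown as an added example; this is not code from the original message or from Mark Loveless. The access-log records, the four signature patterns, the z-score threshold and the minimum-history count are all constructed for illustration.

```python
"""Hybrid signature + anomaly detection over constructed web-access records.

Stage 1: a short signature list catches known-bad requests cheaply.
Stage 2: for requests that match nothing, compare simple request features
against the client's own history and flag statistical outliers.
"""
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass

# Constructed signatures (hypothetical names); a real deployment would carry
# thousands, which is exactly the budget problem the post complains about.
SIGNATURES = [
    ("traversal", re.compile(r"\.\./")),
    ("etc_passwd", re.compile(r"/etc/passwd")),
    ("sqli_union", re.compile(r"union\s+select", re.IGNORECASE)),
    ("cmd_exe", re.compile(r"cmd\.exe", re.IGNORECASE)),
]

# Constructed sample records: (client_ip, method, path, status). Not real traffic.
SAMPLE_LOG = [
    ("10.0.0.5", "GET", "/index.html", 200),
    ("10.0.0.5", "GET", "/about.html", 200),
    ("10.0.0.5", "GET", "/img/logo.png", 200),
    ("10.0.0.5", "GET", "/contact.html", 200),
    ("10.0.0.5", "GET", "/news.html", 200),
    ("10.0.0.5", "GET", "/products.html", 200),
    # Known-bad: classic traversal, a signature hit.
    ("192.0.2.9", "GET", "/cgi-bin/../../../../etc/passwd", 404),
    # Unknown-bad: matches no signature, but is wildly unlike this client's history.
    ("10.0.0.5", "GET", "/search?q=" + "A" * 400 + "%00", 500),
    # A client with too little history to judge: neither stage fires.
    ("198.51.100.7", "GET", "/login", 200),
    ("198.51.100.7", "POST", "/login", 302),
]


@dataclass
class Alert:
    kind: str      # "signature" or "anomaly"
    client: str
    path: str
    detail: str


def features(path):
    """Two cheap per-request features: path length and non-alphanumeric ratio."""
    non_alnum = sum(1 for c in path if not c.isalnum())
    return (float(len(path)), non_alnum / max(len(path), 1))


def signature_hits(path, signatures=SIGNATURES):
    """Names of every signature whose pattern occurs in the request path."""
    return [name for name, rx in signatures if rx.search(path)]


def anomaly_score(history, feats):
    """Largest |z-score| of the new features against the client's history."""
    scores = []
    for i, value in enumerate(feats):
        column = [h[i] for h in history]
        mean = statistics.fmean(column)
        sd = statistics.stdev(column)
        if sd == 0:
            # Constant history: any deviation at all is maximally surprising.
            scores.append(0.0 if value == mean else float("inf"))
        else:
            scores.append(abs(value - mean) / sd)
    return max(scores)


def detect(records, signatures=SIGNATURES, z_threshold=3.0, min_history=5):
    """Run both stages over the records and return the alerts in order."""
    alerts = []
    baseline = defaultdict(list)  # client -> list of feature tuples
    for client, _method, path, _status in records:
        hits = signature_hits(path, signatures)
        if hits:
            alerts.append(Alert("signature", client, path, ",".join(hits)))
            continue  # known-bad traffic never trains the baseline
        feats = features(path)
        hist = baseline[client]
        if len(hist) >= min_history:
            z = anomaly_score(hist, feats)
            if z >= z_threshold:
                alerts.append(Alert("anomaly", client, path, f"z={z:.1f}"))
                continue  # flagged requests are kept out of the baseline too
        hist.append(feats)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.kind:9} {a.client:14} {a.detail:22} {a.path[:40]}")
```

Two design points worth noting. Neither a signature hit nor an anomaly alert updates the client's baseline, so a known-bad request cannot quietly widen what counts as "normal"; the flip side, which this toy does not address, is that an attacker who ramps up slowly can still drift the baseline. And the anomaly stage needs `min_history` benign requests before it says anything, which is the host-side version of the post's point that the signature-only choke point sees plenty but the behavioural detector needs to be where the history is.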
Current thread:
- Semi-anonymized moderation. Dave Aitel (Jan 28)
- Re: Semi-anonymized moderation. Kowsik (Jan 28)
- Re: Semi-anonymized moderation. Chris Rohlf (Jan 28)
- Re: Semi-anonymized moderation. Jon Oberheide (Jan 28)
- Re: Semi-anonymized moderation. Chris Rohlf (Jan 28)
- Re: Semi-anonymized moderation. Brian (Jan 28)
- Re: Semi-anonymized moderation. Mark Loveless (Jan 28)
- Re: Semi-anonymized moderation. Brian (Jan 28)
- Re: Semi-anonymized moderation. Lance M. Havok (Jan 28)
- Re: Semi-anonymized moderation. Olef Anderson (Jan 28)
- Re: Semi-anonymized moderation. Stephen John Smoogen (Jan 28)
- Re: Semi-anonymized moderation. Mark Loveless (Jan 28)
- Re: Semi-anonymized moderation. Kowsik (Jan 28)
- Re: Semi-anonymized moderation. Sec urity (Jan 28)