Firewall Wizards mailing list archives
Re: Firewall Primitives
From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Sun, 10 Nov 2002 19:31:59 -0800
> My conclusion after being a vendor for lo these many years is that customers *DESERVE* the security they get.
Which is fine, as far as that goes. Unfortunately, it doesn't scale with the same egalitarianism.

Theorem: Clue doesn't aggregate worth a damn, and dumb does. So as an organisation gets larger, it gets---as a whole---dumber and dumber.

Theorem: Vendors with larger customers have their survivability probabilistically enhanced.

Corollary: Vendors listen to larger---and therefore dumber---customers over smaller---and therefore more clueful---customers.

As a result, customers, on the whole, get the security the dumbest customers deserve.

This looks particularly interesting if you try to model worldwide information security as a game between multiple factions with differing goals---one or more being whitehats (for some suitable definition of whitehat) and one or more being blackhats. Some are neutral---i.e., not really concerned about information security at all. Most resources start out being controlled by neutral factions, and whitehats and blackhats may attempt to influence or compromise them.

What you discover, if you're so inclined to run iterated models, is that there is a finite amount of resources to be spent on security---good or bad---and so every bit spent on bad or useless security robs from those making the good stuff. This means they are less well suited to advance their technology, market their products, and so on, and so are less likely to survive in the long run. In other words, in the model outlined above, most of the resources at the disposal of the neutrals are either actively or passively being used to advance the goals of the blackhats. At the same time, assets that are secured with lousy or no security are more likely to be subverted by one or more blackhats, meaning that the whitehats have fewer resources to draw on, and are facing an ever-growing opponent.
If you do take the time to build such a model of the situation and look at it as a sort of tabletop wargame (like ASL, for example, or Risk if you don't know what ASL is), you realise that the game balance is really lousy, and one side is almost always guaranteed an (overall) victory. It also---and this is why I bothered to bring it up---gives a somewhat different perspective on the guys who never get around to patching that webserver. Not that I'm suggesting that they're doing anything -actively- malicious in being sloppy or stupid---just suggesting another way of putting the ramifications of having an industry full of such bozos into perspective.

-spb