Firewall Wizards mailing list archives
RE: OT: Av and Gartner...
From: Yinal Ozkan <Yinal.Ozkan () Integralis Com>
Date: Thu, 31 Jul 2003 10:13:26 -0400
There is no black and white when defining how much security is needed. That is why you should know your assets and their value. Then you should analyze the threats, risks and the vulnerabilities (and their costs). To justify a security solution (a.k.a. safeguard) you should be saving something (things you saved > money you spent). So after your risk analysis you should be able to say how much security is needed. For 25K hosts, I am quite sure that you will get quite impressive numbers. I may post more data on calculation if needed.

There is no limit in maximum security. Imagine a museum which has precious jewels in the main showroom. It is possible that you may hire some guardians at the main door (firewall) and you may go home (that should be enough; why are you repeating yourself, as posted in another e-mail, e.g. "I never understand"). Or you may hire additional guardians from a different security firm just for the showroom (serially connected firewalls from different vendors). The visitors entering the museum should be scanned in either direction even if they have tickets (gateway content security for authenticated traffic). Not enough? Put a scanner for the showroom, and even one scanner for the display box. You may consider another guardian team who are specialized in searching the visitors and nothing else, since only the visitors are allowed to enter the jewel room (port 80 firewall). Well, you still think that someone may steal your jewels. Pay the money and buy a sophisticated alarm system (a.k.a. intrusion detection). Your alarm system may either control the perimeter and the halls that lead to your showroom, or the display case itself. Of course your staff must be trusted (certified software) and audited. Use trusted sources and have audits as much as you need. Hire professional burglars to test your security....

Authentication is another story. You may have factor 1, 2, 3 .... as long as you need it.

cheers,
-yinal

p.s. regarding your question about a memory resident thread: Any executable that may create such a hole is analyzed at the gateways and the servers before reaching the final destination. There are also anomaly-based scanners. It is not just the files. All host-based IDS systems analyze memory resident applications.

-----Original Message-----
From: John Keeton [mailto:jkeeton () nettoxin net]
Sent: Thursday, July 31, 2003 8:24 AM
To: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] OT: Av and Gartner...

Everyone, thanks for the replies. I am somewhat surprised that everyone doesn't scan http/ftp. My worry is that something could be d/l'ed and reside only in memory, and then do something. But what could it do? DOS someone else.. rm -rf /.. Worm out to spread. Spread via files.. The last 2 should be caught because AV is installed on every single MS box. As far as my setup, no one can talk out anything w/o going through the proxy. IDS kills[1] .exe's.. But, the problem is, the 1% of people that violate policy, and build their own machine[2] don't have AV a lot of times, and these are the people who scare the heck out of me because they think they know what they are doing, and in reality, they are our biggest threat. I am torn if I am more worried about viruses via http or malware in Java or ActiveX puke.. I don't think AV would/could catch the latter even if it was installed everywhere.. The PL on this effort has already had her decision on this. But she always does that after speaking with one person.

Thanks again,
jkeeton

[1] Sometimes on a good day, unless you hit reload enough so that it misses the .exe
[2] We are rather large, ~25k machines, and there is a small % of "accepted" violation of IS/Security policy, because the admin support team can't/won't/aren't allowed to support people. We are STILL running NT4.0.. A lot of stuff needs 2k, or xp..
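The cost justification the post sketches (know the assets and their value, estimate threats and their costs, then add a safeguard only when things you saved exceed money you spent) can be made concrete with a small annualized-loss model. The following is an added worked example, not code from the original post or from any of the posters; the asset value, exposure factors, incident rates, safeguard costs and effectiveness figures are all constructed for illustration, and the fleet size is only borrowed from the ~25k hosts mentioned in the thread. It also shows the post's "no limit in maximum security" point: layers keep reducing residual loss, but a layer whose marginal benefit is negative costs more than it saves.

```python
"""Added example, not from the mailing-list post: a small quantitative risk
analysis of the kind the post describes.  Know your assets and their value,
estimate the threats (how often, how much is lost), then justify a safeguard
only when what it saves exceeds what it costs.  Every number below (asset
value, loss factors, incident rates, safeguard costs and effectiveness) is
constructed for illustration, not measured data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Threat:
    name: str
    exposure_factor: float  # fraction of the asset's value lost per incident (0..1)
    annual_rate: float      # expected incidents per year (annualized rate of occurrence)


@dataclass
class Asset:
    name: str
    value: float            # business value in currency units
    threats: List[Threat] = field(default_factory=list)


@dataclass
class Safeguard:
    name: str
    annual_cost: float
    # threat name -> fraction of that threat's annual loss the safeguard removes
    mitigation: Dict[str, float] = field(default_factory=dict)


def single_loss_expectancy(asset: Asset, threat: Threat) -> float:
    return asset.value * threat.exposure_factor


def annual_loss_expectancy(asset: Asset) -> float:
    """ALE = sum over threats of SLE * annual rate."""
    return sum(single_loss_expectancy(asset, t) * t.annual_rate for t in asset.threats)


def residual_ale(assets: List[Asset], safeguards: List[Safeguard]) -> float:
    """ALE that remains once the safeguards are in place.  Layers are treated as
    independent filters: what one layer lets through is what the next one sees,
    so mitigations multiply rather than add (the serial-firewall picture)."""
    total = 0.0
    for asset in assets:
        for threat in asset.threats:
            loss = single_loss_expectancy(asset, threat) * threat.annual_rate
            for sg in safeguards:
                loss *= 1.0 - sg.mitigation.get(threat.name, 0.0)
            total += loss
    return total


def net_benefit(assets: List[Asset], safeguards: List[Safeguard]) -> float:
    """(things you saved) - (money you spent), per year."""
    before = sum(annual_loss_expectancy(a) for a in assets)
    saved = before - residual_ale(assets, safeguards)
    spent = sum(sg.annual_cost for sg in safeguards)
    return saved - spent


def is_justified(assets: List[Asset], safeguards: List[Safeguard]) -> bool:
    return net_benefit(assets, safeguards) > 0


def layer_report(assets: List[Asset], layers: List[Safeguard]) -> List[Tuple[str, float, float]]:
    """Add safeguards one layer at a time and report, per layer, the cumulative
    net benefit and the marginal benefit that layer alone adds.  A layer with a
    negative marginal benefit costs more than it saves and is not justified."""
    report, stack, previous = [], [], 0.0
    for layer in layers:
        stack.append(layer)
        cumulative = net_benefit(assets, stack)
        report.append((layer.name, cumulative, cumulative - previous))
        previous = cumulative
    return report


# Constructed scenario: a fleet the size mentioned in the thread (~25k hosts).
FLEET = Asset("workstation fleet (25k hosts)", value=37_500_000.0, threats=[
    Threat("worm", exposure_factor=0.02, annual_rate=2.0),
    Threat("web_malware", exposure_factor=0.005, annual_rate=4.0),
])

LAYERS = [
    Safeguard("gateway content scanning", 120_000.0, {"worm": 0.5, "web_malware": 0.6}),
    Safeguard("host AV on every box", 250_000.0, {"worm": 0.8, "web_malware": 0.3}),
    # deliberately over-priced third layer: little extra mitigation, large cost
    Safeguard("gold-plated extra layer", 3_000_000.0, {"worm": 0.1, "web_malware": 0.1}),
]

if __name__ == "__main__":
    print(f"ALE with no safeguards: {annual_loss_expectancy(FLEET):,.0f}")
    for name, cumulative, marginal in layer_report([FLEET], LAYERS):
        verdict = "justified" if marginal > 0 else "NOT justified"
        print(f"+ {name:<26} cumulative net {cumulative:>13,.0f}  marginal {marginal:>13,.0f}  {verdict}")
```

With the constructed figures the unprotected fleet carries an ALE of 2,250,000; the gateway layer nets 1,080,000 per year, host AV adds a further 440,000 on top of it, and the third layer has a negative marginal benefit, so the analysis stops there. The multiplicative treatment of layers is a simplification: it assumes each layer catches a fixed share of what reaches it regardless of what the earlier layers already removed, which overstates the benefit of two products that miss the same things.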
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Please note that:
1. This e-mail may constitute privileged information. If you are not the intended recipient, you have received this confidential email and any attachments transmitted with it in error and you must not disclose, copy, circulate or in any other way use or rely on this information.
2. E-mails to and from the company are monitored for operational reasons and in accordance with lawful business practices.
3. The contents of this email are those of the individual and do not necessarily represent the views of the company.
4. The company does not conclude contracts by email and all negotiations are subject to contract.
5. The company accepts no responsibility once an e-mail and any attachments is sent.
http://www.integralis.com
Current thread:
- Re: OT: Av and Gartner..., (continued)
- Re: OT: Av and Gartner... R. DuFresne (Jul 30)
- Re: OT: Av and Gartner... Luca Berra (Jul 31)
- Re: OT: Av and Gartner... Paul A. Henry (Jul 30)
- Re: OT: Av and Gartner... Marcus J. Ranum (Jul 31)
- Re: OT: Av and Gartner... Fritz Ames (Jul 31)
- Re: OT: Av and Gartner... Marcus J. Ranum (Jul 31)
- Re: OT: Av and Gartner... Dave Piscitello (Jul 31)
- Re: OT: Av and Gartner... Fritz Ames (Jul 31)
- Re: OT: Av and Gartner... Luca Berra (Jul 31)
- Re: OT: Av and Gartner... Gary Flynn (Jul 31)
- Re: OT: Av and Gartner... John Keeton (Jul 31)
- RE: OT: Av and Gartner... Yinal Ozkan (Jul 31)
- RE: OT: Av and Gartner... Behm, Jeffrey L. (Jul 31)