Firewall Wizards mailing list archives
Re: Defense in Depth to the Desktop
From: Chris Pugrud <chris () pugrud net>
Date: Mon, 13 Dec 2004 16:41:56 -0800 (PST)
--- "Paul D. Robertson" <paul () compuwar net> wrote: [lots of stuff snipped because we seem to agree more than disagree]
I'm dealing with one of those right now too, severely over-done hardware, over-complex network and multi-homed everything (Windows boxes too, WINS doesn't like that!)
I once worked with an organization that triple homed all production servers. The servers were segmented for security into seperate subnets. Customers on one side, administration on the other side. They then had to tackle backup and decided to triple home the machines onto a _flat_ network to "make backups faster". People, usually in a hurry, reach for the easiest solution, something they know, and something they think will solve the problem at hand. Most organizational networks grow organically, in response to the rush project of the week, and they usually do not have a steady hand guiding them that is more concerned about long term architecture and growth issues, so they wind up with obtuse systems that could be better diagrammed by vines of ivy. Every once in a while it becomes our reponsibility to go in there, clean them up, and set them on a sane path for long term growth. We almost never get to scorch the earth, that would be too easy and we wouldn't be justified. We have to unravel their systems and reorganize them as best we can.
Hype/Budget/Funding scale). I was just searching for something that is abiteasier to explain and apply to the people that write the checks and is more effective than sacrificing rubber chickens at dawn (err, I mean nifty do buzzword compliant gimmick of the week).Sure, but I really guess I'm not seeing this as a solution for a firewall more than it's a solution for an internal network architecture...
That would be my fault. In the rush to explain this as succinctly as possible initially I made a few too many assumptions and left out some critical details. What I am proposing is an internal network architecture that compliments the perimeter firewalls, application, host, and O/S security. I'm trying to add another tool to our toolbelt for "defense in depth", I'm not trying to replace anything or claim that it's the greatest thing since sliced butter. I am saying that it is effective for implementing stronger internal security controls using mostly existing equipment and technology that is very effective at stopping a limited range of attacks when our other defenses fail.
But configuration things, especially those which fit in a .reg file that can go into a login profile are much more likely to be adopted than "buy another firewall" things, no?
Do both. That's my overeducated understanding of defense in depth. Apply several tools at successive layers using varying technologies, techniques, and vendors so that when more than one of them fails at least on of them will still stop the attack.
Again, if the data's on the server, and the data's at risk, I'd rather not see it happen.
The data on the server is at risk regardless. What I'm focusing on is a technique which would help prevent a worm from shutting down an entire organization. When the admins are less concerned about the sanctity of every stinking desktop they have more time and money to focus on best protecting the servers to prevent such an attack.
How many hundred times a day is a user going to "click" to access the organizational file server, email server, and porn (err proxy) serverbeforethey just enable some dangerously broad default allows? I recognize somevaluefor personal firewalls, but I think that using personal firewalls,especiallyon deskbound organizational systems, puts us on the wrong side the tailchasingtreadmill. You are talking about a lot of money and management andapplicationmanagement and helpdesk headaches that could be much more easily andcheaplyand sanely managed at the core router/firewall/rubber chicken substitute.Hmm, the user can't enable it in the "enterprise" versions, it's a company or group-wide policy thing. I'm not sure it's a lot of support costs, and given the amount of spyware and Trojans I've found recently- I'd say it's almost a necessity. Firewalls don't stop this stuff without content inspection and knowing what's bad- or disabling active content, and these days, that's a difficult to win battle :( PFWs seem to me to be a pretty good stop-gap. The ability to get back some control over the desktop is worth its weight in gold- losing that ground is what made the war swing against us!
Is this really an improvement? This is where I can't help but play devil's advocate. Are we really better off when our security is dependent on hundreds or thousands of desktops (the weakest link) that we fight desperately to control in a never ending futile battle? One of the first tenets of systems security is physical security and you can never claim that you have physical control over a machine at your user's fingertips. What's wrong with a model that acknowledges that while we will do our best to protect the security of user machines, they are a resource we can not ultimately control, so rather than making the security of the entire organization dependent on them, we are going to reduce our effective security perimeter to a known subset of systems that we do maintain absolute physical control over? I'm not suggesting that we abandon user machines, I'm suggesting that we remove them from being available to be the weakest link in the security of the organization. I'm suggesting that we acknowledge that desktops are going to get hacked and infected (especially laptops) and make a concerned effort to protect the rest of the organization from that inevitable compromise.
Sure, that a risk that's easier to accept, to know that one system will be vulnerable and you can focus your energy on getting that one system updatedandprotected. That's a bit more difficult to do if your attention is"focused" ona few thousand desktops in various states of patch/AV/user disfigurement.You're still going to have to deal with the desktops, because the users are going to have to work and have critical files there. I think that I'm probably more worried about spyware Trojans than worms right now- worm events get lots of press, but the infestations are really ugly.
I'm not abandoning the desktops, I'm trying to minimize the potential of one infected desktop infecting all of the desktops. One machine is easier to clean than hundreds, or thousands. I'm also addressing the critical files issue. If I was an insider trying the steal juicy data I'm going to attack the desktops and laptops of the people that have that data directly. It will be a lot easier and more discreet than attacking the fortified, guarded, and watched servers.
But then you've got a single point of failure, and just using a 255.255.255.255 subnet mask and a static route seems to be not that messy to me. Plus it works no matter what vendor's gear you happen to hit- that's always a bonus to me because the "switch just went down and we need to put in whatever we can" scenario with little sleep needs to not carry a bunch of administrative overhead.
I'm not discounting this approach, I just need to noodle it some more to understand all of the implications. Do you have any references to this being applied and used? Thank you, chris _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- RE: Defense in Depth to the Desktop, (continued)
- RE: Defense in Depth to the Desktop Ben Nagy (Dec 07)
- RE: Defense in Depth to the Desktop Chris Pugrud (Dec 07)
- RE: Defense in Depth to the Desktop Scott Stursa (Dec 11)
- RE: Defense in Depth to the Desktop Chris Pugrud (Dec 11)
- RE: Defense in Depth to the Desktop Chris Pugrud (Dec 07)
- RE: Defense in Depth to the Desktop Ben Nagy (Dec 07)
- Re: Defense in Depth to the Desktop Kevin Sheldrake (Dec 11)
- Re: Defense in Depth to the Desktop Paul D. Robertson (Dec 12)
- Re: Defense in Depth to the Desktop Chris Pugrud (Dec 13)
- Re: Defense in Depth to the Desktop Paul D. Robertson (Dec 13)
- Re: Defense in Depth to the Desktop Frederick M Avolio (Dec 13)
- Re: Defense in Depth to the Desktop Chris Pugrud (Dec 14)
- Re: Defense in Depth to the Desktop Chris Pugrud (Dec 14)
- Re: Defense in Depth to the Desktop Paul D. Robertson (Dec 14)
- Re: Defense in Depth to the Desktop Devdas Bhagat (Dec 14)
- Re: Defense in Depth to the Desktop Paul D. Robertson (Dec 14)
- Re: Defense in Depth to the Desktop Devdas Bhagat (Dec 14)
- Re: Defense in Depth to the Desktop Frederick M Avolio (Dec 14)
- Re: Defense in Depth to the Desktop Chris Pugrud (Dec 13)
- Re: Defense in Depth to the Desktop Marcus J. Ranum (Dec 14)