Firewall Wizards mailing list archives
Re: Defense in Depth to the Desktop
From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 14 Dec 2004 09:05:57 -0500 (EST)
On Mon, 13 Dec 2004, Chris Pugrud wrote:
> > PFWs seem to me to be a pretty good stop-gap. The ability to get back some control over the desktop is worth its weight in gold- losing that ground is what made the war swing against us!
>
> Is this really an improvement?

I think so...

> This is where I can't help but play devil's advocate. Are we really better off when our security is dependent on hundreds or thousands of desktops (the weakest link) that we fight desperately to control in a never ending futile battle?

It is no matter what- one Trojan on the internal network can remove the power of all of the other security controls if the environment is such that that desktop has access to critical resources, vulnerable systems, or whatever. Let's not forget that peer-to-peer isn't the only way to spread malice in an organization.

> One of the first tenets of systems security is physical security and you can never claim that you have physical control over a machine at your user's fingertips.

Perfect is the enemy of good enough.

> What's wrong with a model that acknowledges that while we will do our best to protect the security of user machines, they are a resource we can not ultimately control, so rather than making the security of the entire organization dependent on them, we are going to reduce our effective security perimeter to a known subset of systems that we do maintain absolute physical control over?

You're only as strong as the weakest link. That's the user desktop.

> I'm not suggesting that we abandon user machines, I'm suggesting that we remove them from being available to be the weakest link in the security of the organization. I'm suggesting that we acknowledge that desktops are going to get hacked and infected (especially laptops) and make a concerned effort to protect the rest of the organization from that inevitable compromise.

Ah, but if we can reduce the compromise rate significantly, then why not? Especially if it's at a cost that's less than the current level of compromise events? I really think we're at that point, essentially it's that or ripping out IE- something that's only now becoming an option, and even then you still have the e-mail vector. Strengthen the weakest link, and you strengthen the overall posture.

> > You're still going to have to deal with the desktops, because the users are going to have to work and have critical files there. I think that I'm probably more worried about spyware Trojans than worms right now- worm events get lots of press, but the infestations are really ugly.
>
> I'm not abandoning the desktops, I'm trying to minimize the potential of one infected desktop infecting all of the desktops. One machine is easier to clean than hundreds, or thousands.

I'm not sure the degree of difficulty is all that much higher, the real argument here is for degree of completeness.

> I'm also addressing the critical files issue. If I was an insider trying to steal juicy data I'm going to attack the desktops and laptops of the people that have that data directly. It will be a lot easier and more discreet than attacking the fortified, guarded, and watched servers.

A clued outsider doing a target of choice attack should reach the same conclusion... Hence my assertion that hardening the desktop is important.

> > But then you've got a single point of failure, and just using a 255.255.255.255 subnet mask and a static route seems to be not that messy to me. Plus it works no matter what vendor's gear you happen to hit- that's always a bonus to me because the "switch just went down and we need to put in whatever we can" scenario with little sleep needs to not carry a bunch of administrative overhead.
>
> I'm not discounting this approach, I just need to noodle it some more to understand all of the implications. Do you have any references to this being applied and used?

I've done it on *nix boxes occasionally by turning off dynamic ARP and adding an interface route to the gateway. On Windows nets, I've typically supernetted the internal side, and handed out subnets to the clients with no inter-subnet routing through the gateway. It doesn't protect from a really clued attacker or user, but it gets rid of the 90th percentile of stuff without a lot of overhead, and leaves me to focus on detection of folks who get past it (obvious places to apply the clue bat, rather than noise-level attacks.) Taking down from the subnet to the system level shouldn't be a big deal, if there's no gratuitous ARP- dynamic ARP should be taken care of by the routing- assuming something like WINS doesn't screw it all up.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
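The isolation trick in the last reply above (a 255.255.255.255 mask plus an interface route to the gateway on *nix, or per-client subnets carved out of a supernet on Windows nets, with the gateway refusing to route between clients) modelled as an added example; this is not code from the post or the thread. Everything concrete in it is an assumption: the 10.0.5.0/24 client network, the 10.0.10.0/24 server network, the addresses and MAC, the `eth0` interface, the iproute2 rendering of "turn off dynamic ARP and add an interface route to the gateway", and the /30-per-client layout with the gateway owning the first usable address of each /30, which the post does not specify.

```python
"""Added example (not from the post): model the host-isolation trick in the reply
above and show why it forces desktop-to-desktop traffic through a gateway policy.
All addresses, MACs, interface names and the 10.0.5.0/24 client network below are
constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Route:
    prefix: Net
    via: Optional[IPv4] = None  # None = interface route: resolve dst itself on the wire


@dataclass
class Host:
    name: str
    iface: ipaddress.IPv4Interface  # address + mask exactly as the OS sees them
    routes: List[Route] = field(default_factory=list)

    def next_hop(self, dst: IPv4) -> Tuple[str, IPv4]:
        """Simplified IPv4 host forwarding: longest-prefix match over the connected
        route (derived from the mask) and the configured routes.  "direct" means
        the host ARPs for dst itself; "gateway" means the packet goes to a router."""
        candidates = [Route(self.iface.network)] + self.routes
        matches = [r for r in candidates if dst in r.prefix]
        if not matches:
            raise ValueError(f"{self.name}: no route to {dst}")
        best = max(matches, key=lambda r: r.prefix.prefixlen)
        return ("direct", dst) if best.via is None else ("gateway", best.via)


def classic_desktop(name: str, addr: str, gw: str = "10.0.5.1") -> Host:
    """Ordinary /24 desktop: every peer on the LAN is on-link and reached by ARP."""
    return Host(name, ipaddress.IPv4Interface(f"{addr}/24"),
                [Route(Net("0.0.0.0/0"), IPv4(gw))])


def isolated_desktop(name: str, addr: str, gw: str = "10.0.5.1") -> Host:
    """*nix variant from the post: 255.255.255.255 mask, an interface route to the
    gateway (the only address ever resolved on the wire) and a default route."""
    return Host(name, ipaddress.IPv4Interface(f"{addr}/32"),
                [Route(Net(f"{gw}/32")), Route(Net("0.0.0.0/0"), IPv4(gw))])


def allocate_client_subnets(supernet: Net, count: int) -> Iterator[Tuple[IPv4, IPv4]]:
    """Windows-net variant: hand each client its own /30 out of the supernet.
    Assumed layout: first usable address is the gateway's, second is the client's
    (the gateway must answer for every per-/30 gateway address; the post does not
    say how that was arranged)."""
    for sub in list(supernet.subnets(new_prefix=30))[:count]:
        gw, client = list(sub.hosts())
        yield client, gw


def subnetted_desktop(name: str, client: IPv4, gw: IPv4) -> Host:
    """Client that only sees its own /30: every other desktop is off-link."""
    return Host(name, ipaddress.IPv4Interface(f"{client}/30"),
                [Route(Net("0.0.0.0/0"), gw)])


def gateway_forwards(src: IPv4, dst: IPv4, client_net: Net, allowed: List[Net]) -> bool:
    """Gateway policy: no inter-client forwarding; clients reach only listed networks."""
    if src in client_net and dst in client_net:
        return False
    return any(dst in n for n in allowed)


def reaches(src: Host, dst: IPv4, client_net: Net, allowed: List[Net]) -> bool:
    """Can a packet from src get to dst?  Direct (ARP) delivery never touches the
    gateway, which is exactly the path the /32 trick removes."""
    kind, _hop = src.next_hop(dst)
    if kind == "direct":
        return True
    return gateway_forwards(src.iface.ip, dst, client_net, allowed)


def isolation_commands(ifname: str, addr: str, gw: str, gw_mac: str) -> List[str]:
    """One iproute2 rendering (assumed; the post names no commands) of "turn off
    dynamic ARP and add an interface route to the gateway" on a Linux desktop.
    Order matters: the gw/32 interface route must exist before the default route."""
    return [
        f"ip addr add {addr}/32 dev {ifname}",                             # 255.255.255.255 mask
        f"ip route add {gw}/32 dev {ifname}",                               # interface route to gw
        f"ip route add default via {gw} dev {ifname}",
        f"ip neigh replace {gw} lladdr {gw_mac} dev {ifname} nud permanent",  # static ARP for gw
        f"ip link set dev {ifname} arp off",                                # no dynamic ARP
    ]


if __name__ == "__main__":
    clients, servers = Net("10.0.5.0/24"), [Net("10.0.10.0/24")]
    peer = IPv4("10.0.5.42")
    for h in (classic_desktop("A", "10.0.5.17"), isolated_desktop("A", "10.0.5.17")):
        print(h.iface, "->", peer, h.next_hop(peer), "delivered:", reaches(h, peer, clients, servers))
    print("\n".join(isolation_commands("eth0", "10.0.5.17", "10.0.5.1", "00:11:22:33:44:55")))
```

Run stand-alone it shows the classic /24 desktop reaching its neighbour directly (the gateway never sees the packet), while the /32 or /30 desktop hands the same packet to the gateway, where the no-inter-client rule drops it and only the server network gets through. Note the limit Paul states himself: the mask and routes are the desktop's own decision, so a user or attacker with admin rights can put the /24 back and ARP directly; the model makes that visible because `reaches` returns True for any "direct" hop. The gateway-side policy in `gateway_forwards` is the part that actually holds, and the gratuitous-ARP and WINS caveats in the reply are about exactly the cases where a host resolves a peer on the wire without going through that policy.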
Current thread:
- RE: Defense in Depth to the Desktop, (continued)
- RE: Defense in Depth to the Desktop Chris Pugrud (Dec 07)
- RE: Defense in Depth to the Desktop Scott Stursa (Dec 11)
- RE: Defense in Depth to the Desktop Chris Pugrud (Dec 11)
- RE: Defense in Depth to the Desktop Chris Pugrud (Dec 07)
- Re: Defense in Depth to the Desktop Kevin Sheldrake (Dec 11)
- Re: Defense in Depth to the Desktop Paul D. Robertson (Dec 12)
- Re: Defense in Depth to the Desktop Chris Pugrud (Dec 13)
- Re: Defense in Depth to the Desktop Paul D. Robertson (Dec 13)
- Re: Defense in Depth to the Desktop Frederick M Avolio (Dec 13)
- Re: Defense in Depth to the Desktop Chris Pugrud (Dec 14)
- Re: Defense in Depth to the Desktop Chris Pugrud (Dec 14)
- Re: Defense in Depth to the Desktop Paul D. Robertson (Dec 14)
- Re: Defense in Depth to the Desktop Devdas Bhagat (Dec 14)
- Re: Defense in Depth to the Desktop Paul D. Robertson (Dec 14)
- Re: Defense in Depth to the Desktop Devdas Bhagat (Dec 14)
- Re: Defense in Depth to the Desktop Frederick M Avolio (Dec 14)
- Re: Defense in Depth to the Desktop Chris Pugrud (Dec 13)
- Re: Defense in Depth to the Desktop Marcus J. Ranum (Dec 14)