Firewall Wizards mailing list archives

Re: Botnets, IRC servers and firewalls?


From: Chris Blask <blask () protegonetworks com>
Date: Wed, 04 Feb 2004 10:01:12 -0800


Hey folks!

While I know what all y'all are saying and I feel the pain and frustration ("been there, heard that") it always leads me to a slightly more complex conclusion: Darwin works on both camps, the consumer and the producer.

Consumer:

o Egress Filtering. Buy a bigger bloody router (if necessary) and invest the time to use it properly, and it may well save you from the maw of the Big Cat lurking just outside your campfire light.

o Identity, traffic monitoring, IDS, encryption (in all its forms)... Sigh. These things are meant to help you, investigate them.

o The future will be littered with the descendants of those consumers not eaten by Big Cats.

Producer:

o Read the first bit of Plato's Republic. I know it's not a shiny new idea, but the FOCUS of the art of being a PRODUCER is to accommodate the needs of the CONSUMER.

o If the consumer does not successfully experience the output of the producer it CANNOT, by definition, be the consumer's fault. If the clay does not successfully experience the output of the sculptor it cannot be the fault of the clay; if the patient cannot appreciate the output of the doctor it is to the doctor's shame.

o Producers, tell your Consumers about building and managing a secure and efficient network and they will often listen. (Building some decent management tools wouldn't hurt, either.)

o The future will be littered with the descendants of those producers who addressed a consumer's needs.

As I postulate in my last rant, the Internet Protocol camp of the Electronic Engineering tribe has to date done a bang up job of (massive shortcomings notwithstanding) building an Internet that most people can, in most ways, use most of the time. We, the Security Brigade of the IP camp (in this case we, all of us and not just the vendors, become the Producers) have not, however, succeeded yet in polishing the edges of the thing so that it fits into very many Consumers' daily lives without at least modest reworking.

I have worked at a number of places - both very small and very large - where it can be safely said that I and my fellow Producers did not achieve the penultimate goal of crafting our output in a way that flowed seamlessly into every Consumer's world. In some cases I could say that, circumstances being different (read: "politics, decisions made, in some cases competence levels"), the outcome would have more effectively met the goal of providing something that truly matched more Consumers' needs and usage scenarios. Most of the time, however, it's been a matter of taking some tiny handful of people and making, from scratch, an offering that definitely did address a significant chunk of the need for a significant chunk of the world's population, though often enough only with more hand-holding and rubber mallets than you would have seen had I gotten it perfectly correct the first time.

The Producers (vendors and those who actually understand all this stuff) need to keep sharpening their tools and methods until the Consumers (the folks who buy the output of Producers, but specifically the all-but-two-people who work for a Consumer and will *never* understand or even really care) can utilize the output of Producers without altering significantly from their established orbits.

What does all this proselytizing actually mean in real actions? Force the evolutionary process on both ends.

o Keep up the pressure on the granular end. Producers who both make products/services as well as those working for Consumer organizations have to continue to fight the good fight. Every opportunity to change the organism's genetics in a way that increases the odds of it surviving the next Darwinian Incident is a good one. Every action of everyone reading this increments in some way the survival characteristics of our generation's descendants.

o Keep refining the Consumable solution. If Consumers can't chew the fiber that they need to get the calories of Egress Filtering into their diet (to use the current example), process the damn stuff until they can. [nod to Marcus, who summed up the state of evolutionary progress in the market real well in a recent pres. I could almost hear The Sheep Look Up :-] In a world where Lazlò can't see his traffic without asking this gaggle of gurus you just know there are millions of people staring blankly at their networks like cows at a passing train. This is the Producers' failing to achieve the End Goal.

I try to work for Producers who have some intent of considering the use their Product will see in the real world. In almost all cases the result has become highly consumable, but I have yet to see any effort reach the End Goal - being available and usable for all possible Consumer scenarios without requiring any hand-cranking (PIX has come the closest, but even that bullet falls short of the final-final target).

Security is never going to be for the faint-hearted nor the hopelessly incompetent. It will, however, get (and has gotten) more available and more connected and more consumable. The question is, "Which Producers and Consumers will be around to see it, and what were the characteristics that helped them survive the Purge of 20XX?".

No big challenge, we just need to safely connect 6,000,000,000 people intimately to each other in ways they can't even begin to understand using tools and methods we haven't developed yet, but which will be blindingly obvious to the smart-assed future ("If you're so smart, *you* come back here and invent it!").

And we need it by Friday.  :-)

-cheers

-chris

At 10:35 AM 2/4/2004 -0500, Marcus J. Ranum wrote:

>>egress filtering is basically what is being discussed here, and has long
>>been recommended, and long been rejected by the mass majority for quite
>>some time.
>
>Time was that I'd explain the value of egress filtering to non-technical
>managers and they'd immediately grab their security people and the
>dialog went like this:
>CIO:
>         "So, why aren't we applying any controls to outgoing traffic?"
>Security guy:
>         "Because we can't make the networking guys do it. They say
>         it can't be done!"
>CIO:
>         "Get the networking guys in here!"
>Networking guy:
>         "You rang?"
>CIO:
>         "Let's put some access controls in outgoing traffic, OK?"
>Networking guy:
>         "Can't do it. It'd KILL PERFORMANCE!"



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Chris Blask
Vice President, Business Development
Protego Networks Inc.

(1) 416-358-9885 - Direct/Mobile
(1) 408 262 5220 - HQ
(1) 408 262 5280 - Fax

blask () protegonetworks com
www.protegonetworks.com

"The first purpose-built appliance for Real-Time Security Threat Mitigation"
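An egress-filtering policy check, added here as an illustration of the control this thread keeps returning to. It is not code from the original post or from anyone on the list; the allowlist, the host addresses and the flow records are all constructed for the example. A router or firewall would express the same allowlist as an outbound access-list; this models the decision in Python so the effect on a compromised workstation's IRC connection can be seen without a router.

```python
"""Egress-filtering policy model (added example, not from the original post).

Model: a site allows only a short list of outbound services, each from the
hosts that legitimately need them.  Anything else leaving the internal range
is denied and logged, which turns a botnet drone's connection to its IRC
controller into a visible event instead of an invisible one.
"""
import ipaddress
from dataclasses import dataclass

# Assumed internal address range for the example site.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Assumed egress allowlist: (source network, proto, dport).
# Only the web proxy may reach 80/443, only the mail relay may reach 25,
# only the resolver may reach 53.  Ordinary workstations get nothing direct.
ALLOW = [
    (ipaddress.ip_network("10.0.1.10/32"), "tcp", 80),    # web proxy
    (ipaddress.ip_network("10.0.1.10/32"), "tcp", 443),
    (ipaddress.ip_network("10.0.1.25/32"), "tcp", 25),    # mail relay
    (ipaddress.ip_network("10.0.1.53/32"), "udp", 53),    # resolver
    (ipaddress.ip_network("10.0.1.53/32"), "tcp", 53),
]


def egress_decision(flow: Flow) -> str:
    """Classify one flow as the outbound ACL would see it."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in INTERNAL:
        return "not-egress"   # inbound or transit; not this filter's job
    if dst in INTERNAL:
        return "internal"     # never leaves the site
    for net, proto, port in ALLOW:
        if src in net and flow.proto == proto and flow.dport == port:
            return "allow"
    return "deny"             # default-deny is the whole point of egress filtering


def filter_flows(flows):
    """Return the flows the egress ACL drops, paired with the verdict."""
    return [(f, "deny") for f in flows if egress_decision(f) == "deny"]


# Constructed sample flows: legitimate proxy/mail/DNS traffic plus a
# workstation talking to a remote IRC port (6667), the classic command
# channel of the botnets the thread is about, and one bypassing the proxy.
SAMPLE = [
    Flow("10.0.1.10", "198.51.100.7", "tcp", 443),      # proxy -> web
    Flow("10.0.1.25", "198.51.100.9", "tcp", 25),       # relay -> mail
    Flow("10.0.1.53", "198.51.100.1", "udp", 53),       # resolver -> DNS
    Flow("10.0.7.42", "198.51.100.200", "tcp", 6667),   # workstation -> IRC
    Flow("10.0.7.42", "198.51.100.7", "tcp", 80),       # workstation bypassing proxy
    Flow("10.0.7.42", "10.0.1.10", "tcp", 8080),        # workstation -> proxy, fine
]

if __name__ == "__main__":
    for f, verdict in filter_flows(SAMPLE):
        print(f"DENY {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

Run it and the two denied flows are exactly the ones a drone produces: the direct IRC connection and the direct web connection that dodges the proxy. On a real router the equivalent is a short outbound access-list with those permits followed by a logging deny; the list is a handful of entries, which is also the answer to the "it'd kill performance" objection in the quoted exchange.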
