Firewall Wizards mailing list archives
Re: iso 17799
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 20 Jul 2004 23:49:40 -0400
Dana Nowell wrote: (in response to Paul Robertson)
Great, how do the rest of us learn to negate 90% of the risk? Got a paper somewhere? Written up an FAQ? Guideline? "Best Practice"? :-) Know of a good repository of that type of thing? Or is every newbie supposed to post the question to the list to extract your knowledge, say every other month? ('cause you KNOW they don't search the archives)
Well, there are 2 ways to negate 90% of your risk: a) do a few simple, obvious things that are not very fun -or- b) spend a ton of money on products and process Let me try to explain it a different way: Computer security, as it's done today by most practitioners, is fundamentally a con. It's a con the same way that most diet foods and "lose weight fast" schemes are a con: they cost a lot and they only work if you do something sensible that would have worked REGARDLESS of whether you were following the rules of the diet. Because, basically, successful diets involve taking in less than you burn. All of them. It's the 2nd law of thermodynamics, basically. If you burn more fuel than you take on, you'll get smaller. Well, security's the same way: if you only do smart safe stuff, you won't get hacked. If you buy a $100,000 security doo-dad that makes sure you only do smart safe stuff, you won't get hacked. But the actual presence of the $100,000 doo-dad has relatively little to do with it other than making the vendor happy and giving the stupid suits you work for something to point at that has neat-o blinky lights. It's a con. Simple, obvious things: 1) Make your network originate-only except for a very very very very (is that enough "very"s?) small handful of services a) lock down those services b) log usage of those services c) put error detection into service-specific places on those services (hey, you can even call it "intrusion detection" if you want to make Gartner happy) 2) Know what's going on in your network a) know who normally talks to whom b) log usage of your network and look at those logs c) know your security policy as well as normal usage d) look in your logs for indications that your policy is being violated (burglar alarms) 3) Your policy should be "deny all" a) only permit it if it needs to be permitted 4) Internally compartment your network a) mission critical machines should be behind screening routers, on separate networks, with a bare minimum (zero is a good start..) of services back and forth b) audit all traffic between mission critical systems and non-critical systems c) if someone can walk into your facility and plug into a network port, get an IP address assigned to them, and ping your mission critical machines, your network is a disaster waiting to happen d) if someone can walk into your facility and plug into a network port without you knowing about it, your network is a disaster area already; you're just blissfully ignorant 5) Delete incoming attachments at the gateway to your network except for a short-list of acceptable mime types 6) Don't outsource security; outsourcing is an admission that you are ignorant and that your management are clueless - or that your clueless management think you're ignorant 7) Know what goes out through your firewall a) if you don't know how much spyware is installed on your desktops, your network is 0wned b) if you don't know how much IRC traffic is leaving your firewall you're 0wned c) why the heck would you let IRC out through your firewall, anyhow? what are you, a born victim? 8) If you don't understand the difference between layer 7 security and "stateful inspection" - learn 9) Don't waste your time patching a) if you're running code on an internet-facing system that has a history of needing patches every week, you're running the wrong code b) your internet-facing machines should have exterior lock-downs that mitigate the damage of individual service/server failure, or they shouldn't be internet facing c) if they aren't internet facing don't make them internet facing just so you can get patches d) production systems 101: 10 SET IT UP 20 MAKE IT WORK 30 IF WORKING THEN 40 DON'T F- WITH IT 50 ENDIF 60 IF NOT WORKING 70 FIX IT 80 GOTO 20 90 ENDIF it's that BASIC (ok, that was a bad one...) 10) Why on earth would you have roaming users connecting straight into your corporate WAN after they have been at home surfing pornsites and downloading Warez? a) mobile users go on a separate network 11) Antivirus software is good a) updating it 4X / day is not necessary b) updating it 1X / week works fine but especially when combined with stripping attachments (see above) 12) No, your users do NOT need that stupid new chat/file sharing/ net-meeting/remote-control/powerpoint sales tool/virtual FAX garbage - it IS dangerous See? That's a list of great, simple, powerful ideas. If you do these things you will virtually never get hacked. Of course, in the immortal words of Ray Wylie Hubbard, "It's not so hard to do what's right; it's just not as much fun." (Conversations with the Devil, from Crusades of the Restless Knights)
IMO, the 'push for standards' is because the field is exploding AND maturing and many, many, newbies are being thrown in to the fire everyday.
The push for standards has nothing to do with the unfortunate newbies. Standardization is a long-running conversation (or battle) between vendors and customers over who has control over the market. Standards only happen (are allowed to happen) once the innovation has gone out of a market - or in the rare case where a standard happens in spite of vendors splitting the market - standards cause innovation to go out of the market. The vendors will innovate (read: make stuff that doesn't work together) someplace else. If you look at the effectiveness of standards bodies since the early 1990's (the beginning of the Internet era) you'll notice that they have been reduced to a bunch of squabbling vendor shills (with a few academics and idealists thrown in) that are only able to effectively ratify the installed base after throwing a few little tweaks on to show that NIH syndrome is alive and well.
The frustration is that people on this list 'generally' solve the same problems, use lots of the same references, sites, and resources.
Well, part of it is because some of us (heya Paul! Fred! Steve! Michael!) have been singing basically the same song for ever. I published a few verses of it above. We've been singing the song through rain and snow and we've been right all along. And when people ask for a solution, what they're really saying is "We don't LIKE the rules of the jungle! Surely if I just buy this new $100,000 doo-dad then I can rewrite them so they no longer apply to me!" Nu-huh.
This list is dedicated to answering specific questions about firewall implementations, a good thing. However no centralized list or repository exists to share the 'other' information required in the real world (training materials, reference materials, example risk assessments/documents, staff/food chain management issues, software, etc.). The list is good, it does its job well, too well, people want the other problems solved as well and currently they can't have it.
Conferences like SANS try to do this, as do most security-oriented conferences. Personally I think you can learn it all yourself if you are motivated enough. This list is not the right place for that. Not because nobody here knows what to do; it's just our throats are tired from singing the same song and then having people say, "that sounds like sense but there's no WAY my pointy-haired boss is gonna let me do that."
In one man's opinion, that's one of the main reasons why we see the push for 'standards'. It's not really standards people want, so much as direction/help with the 'other' parts of their job.
If you "standardize" enough then you've derived a "one size fits all" - which you can only do after something has commoditized to the point where it is no longer interesting. I'm not saying that's a bad thing - not by a long shot - but the implication of my view, if I am right, is that there will never be useful or meaningful standards regarding whatever the most interesting problem is that you have on your plate at any given moment. mjr. "A standard of one, since 1962" _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: iso 17799, (continued)
- Re: iso 17799 Marcus J. Ranum (Jul 19)
- Re: iso 17799 George Capehart (Jul 20)
- Re: iso 17799 Marcus J. Ranum (Jul 19)
- Re: iso 17799 Christine Kronberg (Jul 20)
- Re: iso 17799 J. Oquendo (Jul 19)
- Re: iso 17799 Bennett Todd (Jul 19)
- Re: iso 17799 Dana Nowell (Jul 20)
- Re: iso 17799 Paul D. Robertson (Jul 21)
- Re: iso 17799 Dana Nowell (Jul 20)
- Re: iso 17799 Devdas Bhagat (Jul 21)
- Re: iso 17799 Paul D. Robertson (Jul 21)
- Message not available
- Re: iso 17799 Marcus J. Ranum (Jul 21)
- Re: iso 17799 Marcus J. Ranum (Jul 21)
- Re: iso 17799 Paul D. Robertson (Jul 21)
- Re: iso 17799 George Capehart (Jul 21)
- Re: iso 17799 Darren Reed (Jul 21)
- SMS ports Jyotish K Sen Gupta (Jul 21)
- Re: SMS ports John Adams (Jul 21)
- Re: iso 17799 Paul D. Robertson (Jul 21)
- irc was Re: iso 17799 ArkanoiD (Jul 21)
- Re: irc was Re: iso 17799 Marcus J. Ranum (Jul 21)
- Re: irc was Re: iso 17799 ArkanoiD (Jul 21)
- Re: irc was Re: iso 17799 Marcus J. Ranum (Jul 21)