Firewall Wizards mailing list archives

RE: Vulnerability Response (was: BGP TCP RST Attacks)


From: "Ben Nagy" <ben () iagu net>
Date: Fri, 28 May 2004 14:56:34 +0200

[...]
Dave Piscitello wrote:
But don't you think you can manage risk better if you 
mitigate by central policy definition and patch management? 

[this level is mjr]
I don't think patch management is the solution for any 
significant aspect of the problem. I know that flies in the 
face of the "common wisdom" of security these days, but I 
think eventually time will tell and we'll give up on patch 
management as a security technique. [...]

If I stood on top of a very large building with a hundred foot stack of
Marshall amps and used the entire building as a pre-amp and subwoofer, I
still could not yell "CRAP!" loud enough.

Take a look at the recent security record of MS RPC endpoints. You can't
turn them off. You can't secure them. Windows will break.

How _ELSE_ do you want to deal with that problem? Let me put it a different
way. However much you lock down machines, your biggest remaining worry will
be software vulnerabilities in the services you _do_ run - the rest is just
a matter of degrees. How do you eliminate vulnerabilities? Patch.

Put differently, I see the "patch it everyplace" approach as 
an over-extension of an approach that *did* work OK: 
policy-centric host hardening.

You can only harden up until the OS will let you. If the core service has an
exploitable bug then only a patch will fix it. Other solutions (like my
famous "marketing" host based vulnerability mitigation ;) might save your
backside for a while, but the real intent of those solutions is to buy you
time, not obviate the need to fix the real problem.

Even assuming that you could have pre-hardened a box (it is true that
hardening _might_ have let you dodge Blaster and Sasser, but wait until the
multiple vectored worms really start hitting us) then most people just won't
do it. In any case, having a huge freaking gaping security hole in a core
service is not something I feel comfortable about, same as running a
thousand Win95 boxes "behind a firewall" sends shivers down my spine.

It may be just me, but it sounds like you are arguing that people's
mainstream desktop OSes should be something that can be easily hardened on a
service-centric basis, understand true user / kernel / virtualisation
separation and yet have full enterprise functionality.

If anybody else advanced this theory I would snort milk through my nose.
With you I will just say that you are five years ahead of your time. I am
100% behind you as an idealist, but, as a professional, I don't see that as
useful right now. :D

Cheers,

ben

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

