Firewall Wizards mailing list archives
RE: Vulnerability Response (was: BGP TCP RST Attacks)
From: "Ben Nagy" <ben () iagu net>
Date: Fri, 28 May 2004 14:56:34 +0200
[...]
Dave Piscitello wrote:
>> But don't you think you can manage risk better if you mitigate by central policy definition and patch management?

[this level is mjr]

> I don't think patch management is the solution for any significant aspect of the problem. I know that flies in the face of the "common wisdom" of security these days, but I think eventually time will tell and we'll give up on patch management as a security technique. [...]
If I stood on top of a very large building with a hundred foot stack of Marshall amps and used the entire building as a pre-amp and subwoofer, I still could not yell "CRAP!" loud enough. Take a look at the recent security record of MS RPC endpoints. You can't turn them off. You can't secure them. Windows will break. How _ELSE_ do you want to deal with that problem? Let me put it a different way. However much you lock down machines, your biggest remaining worry will be software vulnerabilities in the services you _do_ run - the rest is just a matter of degrees. How do you eliminate vulnerabilities? Patch.
> Put differently, I see the "patch it everyplace" approach as an over-extension of an approach that *did* work OK: policy-centric host hardening.
You can only harden up until the OS will let you. If the core service has an exploitable bug then only a patch will fix it. Other solutions (like my famous "marketing" host based vulnerability mitigation ;) might save your backside for a while, but the real intent of those solutions is to buy you time, not obviate the need to fix the real problem. Even assuming that you could have pre-hardened a box (it is true that hardening _might_ have let you dodge Blaster and Sasser, but wait until the multiple vectored worms really start hitting us) then most people just won't do it. In any case, having a huge freaking gaping security hole in a core service is not something I feel comfortable about, same as running a thousand Win95 boxes "behind a firewall" sends shivers down my spine.

It may be just me, but it sounds like you are arguing that people's mainstream desktop OSes should be something that can be easily hardened on a service-centric basis, understand true user / kernel / virtualisation separation and yet have full enterprise functionality. If anybody else advanced this theory I would snort milk through my nose. With you I will just say that you are five years ahead of your time. I am 100% behind you as an idealist, but, as a professional, I don't see that as useful right now. :D

Cheers,
ben

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards