Firewall Wizards mailing list archives
Re: Vulnerability Response (was: BGP TCP RST Attacks)
From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Thu, 27 May 2004 21:38:28 +0530
On 26/05/04 18:30 -0400, Marcus J. Ranum wrote:
> Ben Nagy wrote:
> > To me, amongst the plethora of product, service and snake oil there are
> > two evolving solution spaces that solve real problems.
> >
> > Host based vulnerability mitigation
>
> The big problem with host based anything is that the management effort
> scales with the number of hosts. That's just a losing battle in the long-term

Actually, it scales with the number of *unique* hosts. If each host is
unique, then the management effort does scale linearly or worse. However,
if we design the system so that we have fewer combinations of hosts, then
the system is actually easier to manage.

> because nobody's host-count is shrinking. Basically, the host-side
> problem is the same as the system administration problem - and the
> industry has made a frightening bodge out of its attempts to "solve"
> that issue.

http://www.infrastructures.org/ is a good way of designing a solution to
the system administration problem. The same approach can be applied to
the security administration issue.

Personally, I would go with a service centric approach to security,
rather than a host centric approach. This is where most security systems
appeared to lead, until we ended up with too many services to manage.

IMHO, a host centric approach (where "host" maps to a group of identical
systems) is a good idea for system management. A service oriented
approach is a good idea for security management.

To clarify: Each system [1] offers a "service" [2] to its clients. The
task for the security system [3] is to ensure that only authorized
clients are allowed to access these services.

For example, the task of a MUA is to *display* email. Hence, the MUA
needs to be allowed access to functions that display email, but not to
functions that cause possibly harmful content to execute.

<snip>

Devdas Bhagat

[1] A system is a single host or group of hosts.
[2] A service is an interaction between two processes, not necessarily
    on the same system.
[3] The security system includes software, hardware *and* wetware. For
    my given example, the security system would consist of not including
    code that would execute the harmful content.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
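The two ideas in the post above, grouping hosts into classes so that management effort tracks the number of unique configurations rather than the number of hosts, and writing access rules per service in terms of which client classes may use it, can be made concrete in a few lines. The following is an added illustration, not code from this thread or from infrastructures.org; the inventory, package names, service names and policy are all constructed for the example.

```python
"""Service-centric access policy over derived host classes (added example).

Hosts are grouped into classes by their installed software, so the class
label is derived from the inventory rather than hand-assigned. Access rules
are then written per service, naming the client classes allowed to use it,
which keeps the rule count tied to the number of classes and services, not
the number of hosts. All names and values below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Host:
    name: str
    packages: FrozenSet[str]   # installed software (constructed inventory)
    services: FrozenSet[str]   # services this host offers (constructed)


def host_class(host: Host) -> str:
    """Hosts with identical software belong to one class; label is derived."""
    return "+".join(sorted(host.packages))


def host_classes(hosts: List[Host]) -> Dict[str, List[str]]:
    """Map each derived class label to the hosts that fall into it."""
    classes: Dict[str, List[str]] = {}
    for h in hosts:
        classes.setdefault(host_class(h), []).append(h.name)
    return classes


# service name -> set of client classes allowed to use that service
Policy = Dict[str, Set[str]]


def is_authorized(policy: Policy, hosts: Dict[str, Host],
                  client: str, server: str, service: str) -> bool:
    """Default deny: the server must offer the service and the client's
    class must be listed for that service."""
    c, s = hosts[client], hosts[server]
    if service not in s.services:
        return False
    return host_class(c) in policy.get(service, set())


def unpoliced_services(policy: Policy, hosts: List[Host]) -> Set[str]:
    """Services some host offers but no rule covers. Under default deny these
    are unreachable, which is usually a gap in the policy worth reviewing."""
    offered: Set[str] = set().union(*(h.services for h in hosts))
    return offered - set(policy)


# Constructed inventory: two identical mail servers, three identical
# workstations running an MUA, and one admin workstation.
MAIL_PKGS = frozenset({"postfix", "dovecot"})
MAIL_SVCS = frozenset({"smtp", "imap", "pop3", "ssh"})
HOSTS = [
    Host("mail1", MAIL_PKGS, MAIL_SVCS),
    Host("mail2", MAIL_PKGS, MAIL_SVCS),
    Host("ws1", frozenset({"mutt"}), frozenset()),
    Host("ws2", frozenset({"mutt"}), frozenset()),
    Host("ws3", frozenset({"mutt"}), frozenset()),
    Host("admin1", frozenset({"openssh"}), frozenset()),
]
BY_NAME = {h.name: h for h in HOSTS}

# Constructed policy, written per service against client classes.
POLICY: Policy = {
    "imap": {"mutt"},                      # only MUA-class hosts fetch mail
    "smtp": {"mutt", "dovecot+postfix"},   # MUAs submit, mail servers relay
    "ssh": {"openssh"},                    # only the admin class gets a shell
}


if __name__ == "__main__":
    print("classes:", host_classes(HOSTS))
    print("ws1 -> mail1 imap:", is_authorized(POLICY, BY_NAME, "ws1", "mail1", "imap"))
    print("ws1 -> mail1 ssh: ", is_authorized(POLICY, BY_NAME, "ws1", "mail1", "ssh"))
    print("services offered with no rule:", unpoliced_services(POLICY, HOSTS))
```

With six hosts there are only three classes and three rules; adding a fourth mail server or a tenth workstation adds no rules at all, which is the scaling point made above. The `unpoliced_services` check is the part a practitioner would keep running as the inventory changes: here it flags `pop3`, which the mail servers offer but no rule mentions.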