Firewall Wizards mailing list archives

Re: RE: In defense of non standard ports


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 24 Jan 2006 22:20:14 -0500

Tim Shea wrote:
> I've been monitoring this discussion and I have issues with two
> assumptions being made.  The first is that all organizations have security
> professionals with some pull with management.  Politics plays a big part
> and unless you can sell a solution or are hacked sideways nothing will be
> done.  This is the frustration of many technical security professionals.

Well, yes. But we can't very well say, "Sure, there's ways to do it
right but accept the fact that you WON'T do it right, so you
may as well just chill out and settle for being owned and just not
care."  A lot of the folks on this list are opinion-influencers,
teachers, and consultants - teaching people to walk down the
path of immediate mediocrity is not doing anyone a favor. So a
lot of us sound like we live in idealized worlds - that's because
we have to.

> Let's take the above issue - all TCP ports outbound are open.  Throwing in
> an IDS is a quick way to gather appropriate information to help sell to
> management that they have a real problem.  Just telling them "all ports
> outbound bad" does not work.

Correct.

But, engage in root cause analysis. In your example, the problem is
not the firewall and the solution is not the IDS. Root cause analysis
says that the management are morons and the solution would be
to de-moron the management team. In fact, it'd probably be cheaper
than an IDS as well as being more effective. Of course your
typical security practitioner doesn't get to fix problems at that
level, so they're stuck with the IDS route.


> Second issue I have is that running IDSs takes a lot of time.  That is
> bull.

You are completely correct. IDSs generate very little data in
secured, well-designed networks. And, they generate very little
data in moron-managed IT departments (because they are turned
off) -- IDS is only a problem in the all-too-common situation
where you have a network that sucks, which someone is trying
to secure. If you step back and think about that for a second,
you'll realize that the IDS that generates too many alerts is 
far more likely to be an indicator of a sucky network, not an
indicator of a sucky IDS.

mjr. 
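One way to put numbers behind the "all TCP ports outbound are open" point before taking it to management, as an added example that is not part of the thread or anyone's posted code: it tallies outbound TCP connections from constructed firewall connection-log lines against a hypothetical allowed-port policy and reports which hosts reach ports outside it.

```python
# Added example (not from the thread): summarise outbound TCP connections
# from constructed firewall connection logs, to quantify how much traffic
# leaves on ports outside the intended outbound policy.
from collections import Counter, defaultdict

# Constructed sample lines, format: "<src_ip> <dst_ip> <dst_port> <proto>"
# (addresses are documentation/test ranges, not real hosts).
SAMPLE_LOG = """\
10.0.0.5 93.184.216.34 443 tcp
10.0.0.5 93.184.216.34 80 tcp
10.0.0.7 203.0.113.9 6667 tcp
10.0.0.7 203.0.113.9 6667 tcp
10.0.0.9 198.51.100.2 22 tcp
10.0.0.9 198.51.100.2 31337 tcp
10.0.0.5 198.51.100.7 53 udp
"""

# Hypothetical outbound policy: the only TCP ports workstations should reach.
ALLOWED_TCP = {80, 443}

def parse(log_text):
    """Yield (src, dst, port, proto) tuples from the constructed log format."""
    for line in log_text.splitlines():
        src, dst, port, proto = line.split()
        yield src, dst, int(port), proto

def summarize(log_text, allowed=ALLOWED_TCP):
    """Count outbound TCP connections per destination port and record,
    per source host, the destination ports that fall outside the policy."""
    port_counts = Counter()
    unexpected = defaultdict(set)
    for src, _dst, port, proto in parse(log_text):
        if proto != "tcp":          # the policy under discussion is TCP-only
            continue
        port_counts[port] += 1
        if port not in allowed:
            unexpected[src].add(port)
    return port_counts, {host: sorted(ports) for host, ports in unexpected.items()}

def report(log_text, allowed=ALLOWED_TCP):
    """Management-facing figures: total TCP flows, flows outside policy,
    their share, and the hosts responsible."""
    counts, unexpected = summarize(log_text, allowed)
    total = sum(counts.values())
    outside = sum(c for port, c in counts.items() if port not in allowed)
    return {"total_tcp": total, "outside_policy": outside,
            "share_outside": outside / total if total else 0.0,
            "hosts_outside": unexpected}
```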

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
