Firewall Wizards mailing list archives
Re: RE: In defense of non standard ports
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 24 Jan 2006 22:20:14 -0500
Tim Shea wrote:
> I've been monitoring this discussion and I have issues with two assumptions being made. The first is that all organizations have security professionals with some pull with management. Politics plays a big part and unless you can sell a solution or are hacked sideways nothing will be done. This is the frustration of many technical security professionals.
Well, yes. But we can't very well say, "Sure, there's ways to do it right but accept the fact that you WON'T do it right, so you may as well just chill out and settle for being owned and just not care." A lot of the folks on this list are opinion-influencers, teachers, and consultants - teaching people to walk down the path of immediate mediocrity is not doing anyone a favor. So a lot of us sound like we live in idealized worlds - that's because we have to.
> Let's take the above issue - all TCP ports outbound are open. Throwing in an IDS is a quick way to gather appropriate information to help sell to management that they have a real problem. Just telling them "all ports outbound bad" does not work.
Correct. But, engage in root cause analysis. In your example, the problem is not the firewall and the solution is not the IDS. Root cause analysis says that the management are morons and the solution would be to de-moron the management team. In fact, it'd probably be cheaper than an IDS as well as being more effective. Of course your typical security practitioner doesn't get to fix problems at that level, so they're stuck with the IDS route.
> Second issue I have is that running IDSs takes a lot of time. That is bull.
You are completely correct. IDSs generate very little data in secured, well-designed networks. And they generate very little data in moron-managed IT departments (because they are turned off) -- IDS is only a problem in the all-too-common situation where you have a network that sucks, which someone is trying to secure. If you step back and think about that for a second, you'll realize that the IDS that generates too many alerts is far more likely to be an indicator of a sucky network, not an indicator of a sucky IDS.

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
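The "gather information to sell to management" step Tim describes usually comes down to turning egress logs into a short summary: how many outbound TCP connections, to which destination ports, and which hosts are talking on ports no policy would sanction. The following is an added example, not code from this thread or from anyone on it; the log line format, the sample lines and the set of "expected" ports are all constructed assumptions.

```python
"""
Added example (not part of the mailing-list thread): summarize outbound TCP
connections from constructed egress log lines so that "all outbound ports
are open" becomes a concrete list of hosts and ports rather than a slogan.
The log format, the sample lines and EXPECTED_PORTS are assumptions.
"""
from collections import Counter, defaultdict

# Constructed sample egress log: "<timestamp> <src_ip> -> <dst_ip>:<dst_port>/tcp"
SAMPLE_LOG = """\
2006-01-24T10:00:01 10.1.2.10 -> 192.0.2.5:443/tcp
2006-01-24T10:00:02 10.1.2.11 -> 192.0.2.5:80/tcp
2006-01-24T10:00:05 10.1.2.12 -> 198.51.100.7:6667/tcp
2006-01-24T10:00:07 10.1.2.10 -> 192.0.2.9:443/tcp
2006-01-24T10:00:09 10.1.2.13 -> 203.0.113.4:31337/tcp
2006-01-24T10:00:11 10.1.2.12 -> 198.51.100.7:6667/tcp
2006-01-24T10:00:12 10.1.2.14 -> 192.0.2.5:25/tcp
"""

# Assumed egress policy for ordinary workstations: only web traffic is expected.
EXPECTED_PORTS = {80, 443}


def parse_line(line):
    """Return (src_ip, dst_ip, dst_port) for one constructed log line, or None
    if the line is malformed or not TCP."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "->":
        return None
    dst, _, proto = parts[3].rpartition("/")
    if proto != "tcp":
        return None
    dst_ip, _, port = dst.rpartition(":")
    if not port.isdigit():
        return None
    return parts[1], dst_ip, int(port)


def summarize(log_text, expected=EXPECTED_PORTS):
    """Count outbound connections per destination port and collect the source
    hosts using ports outside the expected set.

    Returns a dict with:
      total      - number of parsed TCP connections
      by_port    - Counter of destination port -> connection count
      unexpected - dict of destination port -> set of source IPs, for ports
                   not in `expected`
    """
    by_port = Counter()
    unexpected = defaultdict(set)
    total = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src_ip, _dst_ip, port = rec
        total += 1
        by_port[port] += 1
        if port not in expected:
            unexpected[port].add(src_ip)
    return {"total": total, "by_port": by_port, "unexpected": dict(unexpected)}


def report(summary):
    """Render the summary as plain-text lines suitable for a short management note."""
    lines = [f"{summary['total']} outbound TCP connections observed"]
    for port, count in sorted(summary["by_port"].items()):
        lines.append(f"  port {port:>5}: {count} connection(s)")
    if summary["unexpected"]:
        lines.append("Hosts using ports outside the expected egress policy:")
        for port, hosts in sorted(summary["unexpected"].items()):
            lines.append(f"  port {port:>5}: {', '.join(sorted(hosts))}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```

The point of the summary is the `unexpected` table: a handful of internal hosts talking to outside addresses on ports like 6667 or 31337 is evidence management can act on, which is what Tim means by gathering information rather than asserting "all ports outbound bad". Replace `EXPECTED_PORTS` with whatever the actual egress policy (or the policy you are proposing) allows.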