Security Basics mailing list archives

Re: Host-Base Firewall


From: Adriel Desautels <adriel () netragard com>
Date: Fri, 30 May 2008 11:56:36 -0400

Certainly,
While hardware security solutions do serve a purpose and do defeat some attacks, they cannot solve the human element problem or the evolution problem.

The human element problem is one where a human being makes the decision to trust something and as a result suffers a compromise. Social engineering attacks specifically exploit this trust issue. I don't know of any hardware appliance or software package that can defend against that attack successfully even 50% of the time.

The evolution problem is the mathematical guarantee that very nearly all software will at some point contain an exploitable vulnerability. That is a guarantee because humans are fallible, and unless software is mathematically proven to be secure it isn't 100% secure; it's created by humans. Hardware appliances are just computer systems that run software. They need to be maintained and patched just like everything else.

A while back our research team performed an assessment of several security appliances as a part of an R&D project. During that assessment we learned that security appliances are not maintained by the vendor as well as regular computer systems are maintained by IT staff.

Getting more specific. One of the appliances that we studied was one that was used to send secure email. A user would log in to the appliance, write an email and click the send button. Then an email containing a URL would be sent to the recipient. The recipient would read the email by clicking on the URL and get redirected to an SSL based website where the actual message was located. The real message never left the server.

When we assessed the appliance technology we discovered that the libraries and software that were being used were on average 1-3 years old. We also found several known and exploitable vulnerabilities in those software packages. The vendor never released any fixes for those issues in any of their "updates". In fact, the vendor very rarely released any updates at all.

This risk of vulnerability is the same in all technologies regardless of what the technology is supposed to do. The only real way to protect against such a risk is with policies, procedures, and good training. You need to remember that you are not defending against technology, you are trying to protect yourself from a smart human enemy.

Does that answer your question?

Regards,
        Adriel T. Desautels
        Chief Technology Officer
        Netragard, LLC.
        Office : 617-934-0269
        Mobile : 617-633-3821
        http://www.linkedin.com/pub/1/118/a45

        Join the Netragard, LLC. Linked In Group:
        http://www.linkedin.com/e/gis/48683/0B98E1705142

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know  : http://tinyurl.com/26pjsn


forgottenwizard wrote:
On 11:03 Thu 29 May, Adriel Desautels wrote:
All,
Firewalls are packet control devices. They do little more than control the flow of traffic into and out of your network. Some of them contain "defensive" capabilities such as IPS. Those defenses make decisions based on the nature of the traffic. Those decisions aren't as accurate as they should be because the very medium from which they are forming "opinions" is flawed. Traffic can be spoofed/forged/manipulated, so how can one trust it?

Security is more of a process than anything else. It is enforced by policies, procedures, and the people using technology. Security cannot be found via hardware. This is a bit philosophical, but I can back this up if anyone doesn't understand my perspective.



I would like for you to expound upon your comment if you wouldn't mind,
especially your comment that it cannot be found via hardware.
