Re: Host-Base Firewall

["Kurt Buff" <kurt.buff () gmail com>]

The second edition of Ross Anderson's book Security Engineering is
also just out. ISBN 0470068523

For those in the US, this is one of my favorite online bookstores:
http://www.bookpool.com/sm/0470068523

I've received my copy, but haven't cracked it (as it were) yet...

Kurt

On Fri, May 30, 2008 at 10:07 AM, Nelson, James <jnelson () ad nmsu edu> wrote:
> For a real understanding of "security" and what it means you might want to read the "bible" that's been around for 
> several years. "Enterprise Security Architecture" by Sherwood, Clark, & Lynas,  ISBN 1-57820-318-x. Firewalls can be 
> a small, but important part of what your organization defines as "security".
>
> James A. Nelson, Ph.D.
> Chartered Security Architect - SABSA
> New Mexico State University
>
>
> ________________________________________
> From: listbounce () securityfocus com [listbounce () securityfocus com] On Behalf Of krymson () gmail com [krymson () 
> gmail com]
> Sent: Friday, May 30, 2008 10:14 AM
> To: security-basics () securityfocus com
> Subject: Re: Host-Base Firewall
>
> Thank you for the response to my question and others. The tone of some of your responses is very dismissive of 
> technology (Windows firewall != security), while you trumpet "policies, procedures, and training" in a way that makes 
> it sound like that will save us all.
>
> I think this might just be a communication issue, since you blend them together more in your response below...
>
> I think, however, you and I would simply disagree (which is fine since there is no correct answer!) on the weight 
> given to each of the building blocks of security, which include technology, policies, procedures, and training. I'm 
> far more on the side of technology, because ultimately I can't force anyone to chose to do anything smart and secure.
>
> Just like the technology you say will be broken someday (an assumption I share), I would counter that people will 
> always be broken someday as well. I see this break down just as much or more so (ever hold the door for the cutie 
> behind you?) than technology, but I at least know which one I can trust to some degree.
>
> In the end, it is a blending of everthing that can add value, not the denouncing of measures. I think we maybe agree 
> on that, to a varied degree, so I won't drag this out further. :)
>
>
>
> <- snip ->
> Incorrect, but firewalls do not equal security. They equal a component
> of security that provides you with a reasonable demarcation point
> between one network and another. Good and strong security is a process
> that includes well written policies, procedures, training, technology,
> etc. Technology is near useless if the people that are using it are not
> trained properly and are unaware of what threat they are trying to
> defend against.
>
> Fancy door licks, card/biometric authentication, and mantraps can all be
> circumvented, especially if well trained people are not present.
>
> I remember once we were testing a facility that had a mantrap with
> biometric hand scanners. I watched one of the employees let me into the
> server area and took note of his pin code as he typed it into the hand
> scanner. Later on during the test I managed to take his card from his
> desk, stick my hand in the scanner, and type in the code and the door
> opened! As it turns out the so called biometric scanner only measured
> the size of my hand which was nearly the same size as his (pretty weak).
>
> So, not all scanners, door locks, etc are effective. IMHO, most
> biometric scanners, not all, are good for show and thats about it. There
> are other more obvious ways to bypass such technologies, but I won't go
> into those unless people want to hear it.
>
> Had the security guard been well trained and not let me see his pin, not
> left his card on his desk in his open office, then I would have had to
> use a different technique to get in. Had the policies and procedures
> that were written been followed, I would not have been able to get in.
>
> Technology is far from useless, but it can become ineffective when the
> people supporting it don't know how to do their jobs, or just become lazy.
>
> Regards,
> Adriel T. Desautels
> Chief Technology Officer
> Netragard, LLC.
> Office : 617-934-0269
> Mobile : 617-633-3821
> http://www.linkedin.com/pub/1/118/a45
>
> Join the Netragard, LLC. Linked In Group:
> http://www.linkedin.com/e/gis/48683/0B98E1705142
>
> ---------------------------------------------------------------
> Netragard, LLC - http://www.netragard.com - "We make IT Safe"
> Penetration Testing, Vulnerability Assessments, Website Security
>
> Netragard Whitepaper Downloads:
> -------------------------------
> Choosing the right provider : http://tinyurl.com/2ahk3j
> Three Things you must know : http://tinyurl.com/26pjsn
>
> krymson (at) gmail (dot) com [email concealed] wrote:
> > So, are you saying that because a firewall can't make every perfect decision, they do not equal security? I wonder, 
> > do they add any value to you at all? What if they do DPI and make smarter decisions?
> >
> > So if security cannot be found in hardware, does that mean a fancy door lock, card/biometric authentication, and 
> > mantrap have no value?
> >
> > Personally, I find value in firewalls. Sure, the security they offer is not perfect, but that doesn't discount them 
> > as being a part of a solid security regimen. In fact, while there are journalists and other part-time ITers who 
> > regularly call out about the widening or diminishing perimeters, there is still a definite need to separate networks 
> > of different trust levels to some degree or other.
> >
> >
> >
> > I know there will be some here that can smell the straw for the hay in the above, but such a tactic can be useful to 
> > find the boundaries.
> >
> >
> > <- snip ->
> > All,
> > Firewalls are packet control devices. They do little more than control
> > the flow of traffic into and out of your network. Some of them contain
> > "defensive" capabilities such as IPS. Those defenses make decisions
> > based on the nature of the traffic. Those decisions aren't as accurate
> > as they should be because the very medium from which they are forming
> > "opinions" is flawed. Traffic can be spoofed/forged/manipulated, so how
> > can one trust it.
> >
> > Security is more of a process than anything else. It is enforced by
> > policies, procedures, and the people using technology. Security can not
> > be found via hardware. This is a bit philosophical, but I can back this
> > up if anyone doesn't understand my perspective.
> >
> > Regards,
> > Adriel T. Desautels
> > Chief Technology Officer
> > Netragard, LLC.