Firewall Wizards mailing list archives
RE: Firewalls and 802.1q trunking
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 10 Dec 2002 23:01:05 -0500
Steve Evans wrote:
And can you say that the traffic coming from the internet is the most dangerous traffic on the network? I've always understood that the vast majority of the attacks come from the inside.
The "80% of attacks come from the inside" statistic that has been broadly quoted by INFOSEC practitioners is, as far as I can tell, completely made up. In fact, the shocking results of a recent study revealed that 99.5% of statistics regarding Internet Security are made up, or otherwise based on flawed assumptions.*

If it _were_ a real statistic it'd have had to take into account some interesting questions:

- What percentage of "attacks" did damage?
- Were the "attacks" counted as "successful attacks" or did probes count as well?
- Is a Nessus scan an "attack"?
- Does an "attack" like a Nessus scan (if counted as an attack) count as one "attack" or as "N attacks" where N is the number of discrete tests attempted?
- How many "attacks" does a Code Red worm launch? 1? 25? What about a mass-rooter? Does a "cluster attack" count as a single attack or a multiple attack?
- Does a scan of a subnet count as 255 hosts attacked? Or 255 * number of ports scanned? Or what?
- Is a virus an "attack"?

What I think the people who made that saying up were trying to do was get people to keep a balanced perspective on the relative insider/outsider threat. But making up bullsh@+ is not the way to do it. The way to do it is to point out that, as an enterprise grows, the personnel perimeter grows with it, and sooner or later you'll have a Bad Guy on the inside. And, it's probably a safe bet, a Bad Guy on the inside will have a higher level of access, a lower level of audit, and a greater knowledge of where the goodies are - and will be accordingly more dangerous.

Will they be 80% dangerous to the Internet script-kiddy's 20%? It's silly to put a number on it. If you're out in the jungle someplace, do you worry more about a tiger, or a bacterium? The wise man worries about both! :)

mjr.

(* Poll source: I asked my horse. He appeared dubious.)

---
Marcus J. Ranum http://www.ranum.com
Computer and Communications Security mjr () ranum com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards