Firewall Wizards mailing list archives

Re: SANS Top Ten and Commercial Firewalls


From: "Paul D. Robertson" <proberts () patriot net>
Date: Fri, 4 Oct 2002 09:26:22 -0400 (EDT)

On Fri, 4 Oct 2002, manatworkyes moderator wrote:

> This is a very good question. I'd like to extend that question to other
> security solutions. IDS for example: How many IDS systems can deal with the
> Slapper worm? How many AV products block Bugbear (before it was publicly
> available)?

I'd bet that lots of AV products could deal with the e-mail vector well 
ahead of signature generation, but the AV industry has found (and the IDS 
industry is about to find) that false positives are the major issue.  
Nobody turns on heuristic AV scanning because of false positives, even 
though the engines catch more early attempts at seeding if it's done.

> Do you (or anyone else) know if there is any *network based generic*
> security device that deals with the latest Solaris bug?

Anything that deals well with the latest bug won't deal well with the 
latest application.  There are a number of people who never saw the 
originating mail in this thread because it contained the name of a common 
executable that was exploited last year - those people would never have 
known if there was a new attack because of the false positive (some of 
them are the same as the last time someone mentioned that executable, so 
we know they're unaware of the false positive rate, or have chosen to 
accept it.)  Some people have bounced messages with signatures - about the 
only type of attachment I'll let on the list.  False positives stop you 
from getting real and useful information.  In the network, that can be a 
disaster, and in most places the discipline to weed out the false positives 
degrades significantly over time.

> IMO, the SmartDefense stuff is more than signature blocking. It looks for
> the roots of the problem. So, if SSLv2 is vulnerable, use only SSLv3.

Forcing protocol upgrades isn't always easy, and isn't common- most SSH 
installations still allow protocol version 1.5.  

At work, we've been introducing the concepts of "essential configurations" 
and "historically broken".  Both of those concepts, though, need either a 
valid generic risk assessment (with alternatives) or someone to make a 
specific organizational risk assessment (i.e. 52% of my customers have a 
browser that won't speak SSLv3, therefore I can't *afford* to lock them 
out...)  

Paul 
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
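The point above about SSH installations still allowing protocol version 1.5 is something you can check rather than guess at. The following is an added example, not code from the original post or from any product it mentions: it classifies an SSH server by the identification string it sends on connect (RFC 4253 section 4.2, where a "1.99" protoversion is the compatibility marker meaning the server speaks 2.0 but will still negotiate 1.x), and separately audits an OpenSSH sshd_config for the Protocol directive. The banners, configuration text and software strings below are constructed sample input, and the "2,1" default is the 2002-era OpenSSH default (later releases default to 2 only, and OpenSSH 7.4+ dropped protocol 1 from the server entirely); nothing here touches the network.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9]+\.[0-9]+)-(?P<software>[^ \r\n]+)"
    r"(?: (?P<comments>[^\r\n]*))?\r?\n?$"
)


@dataclass(frozen=True)
class SshBanner:
    protoversion: str
    software: str
    comments: Optional[str]

    @property
    def allows_v1(self) -> bool:
        # Any 1.x identifier (1.3, 1.5, or the 1.99 compatibility marker from
        # RFC 4253 section 5) means the server will still negotiate protocol 1.
        return self.protoversion.startswith("1.")

    @property
    def allows_v2(self) -> bool:
        return self.protoversion in ("2.0", "1.99")


def parse_banner(raw: bytes) -> SshBanner:
    """Parse the first line a server sends on the SSH port (bytes as received)."""
    text = raw.decode("ascii", errors="replace")
    m = _BANNER_RE.match(text)
    if not m:
        raise ValueError(f"not an SSH identification string: {text!r}")
    return SshBanner(m.group("proto"), m.group("software"), m.group("comments"))


def sshd_protocols(config_text: str, default: str = "2,1") -> frozenset[str]:
    """Return the protocol versions an OpenSSH sshd_config enables.

    sshd uses the first value it reads for a keyword, so the first 'Protocol'
    line wins. 'default' is what applies when no Protocol line is present;
    "2,1" reproduces the 2002-era OpenSSH default (assumption for this
    example), so pass default="2" when auditing a modern daemon.
    """
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        if parts[0].lower() == "protocol" and len(parts) == 2:
            return frozenset(v.strip() for v in parts[1].split(",") if v.strip())
    return frozenset(v.strip() for v in default.split(","))


def audit(banner_raw: bytes, config_text: str) -> list[str]:
    """Cross-check what the daemon advertises against what its config allows."""
    findings: list[str] = []
    b = parse_banner(banner_raw)
    if b.allows_v1:
        findings.append(f"banner {b.protoversion}: protocol 1 still negotiable ({b.software})")
    if not b.allows_v2:
        findings.append(f"banner {b.protoversion}: protocol 2 not offered at all")
    if "1" in sshd_protocols(config_text):
        findings.append("sshd_config: 'Protocol' enables version 1 (set 'Protocol 2')")
    return findings


# Constructed sample inputs (no real hosts); the software strings are
# illustrative only.
LEGACY_BANNER = b"SSH-1.99-OpenSSH_3.4p1\r\n"
MODERN_BANNER = b"SSH-2.0-OpenSSH_9.6 Debian-1\r\n"
# Weak: no Protocol line, so the old "2,1" default applies.
LEGACY_CONFIG = "Port 22\n# Protocol left at the old default\nPermitRootLogin no\n"
# Fixed: protocol 1 explicitly switched off.
FIXED_CONFIG = "Port 22\nProtocol 2   # was: Protocol 2,1\nPermitRootLogin no\n"

if __name__ == "__main__":
    for name, banner, cfg in (("legacy", LEGACY_BANNER, LEGACY_CONFIG),
                              ("fixed", MODERN_BANNER, FIXED_CONFIG)):
        print(name, audit(banner, cfg) or ["ok: protocol 2 only"])
```

The banner check is what a scanner sees from outside; the config check is what the host owner can verify. Both are needed because a "1.99" banner with a config that reads "Protocol 2" means the daemon on the wire is not the one whose config you are looking at.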

