Firewall Wizards mailing list archives

RE: OT: Av and Gartner...


From: Yinal Ozkan <Yinal.Ozkan () Integralis Com>
Date: Thu, 31 Jul 2003 10:13:26 -0400

There is no black and white when defining how much security is needed. That
is why you should know your assets and their value. Then you should analyze
the threats, risks and the vulnerabilities (and their costs). To justify a
security solution (a.k.a. safeguard) you should be saving something (things
you saved > money you spent). So after your risk analysis you should be able
to say how much security is needed. For 25K hosts, I am quite sure that you
will get quite impressive numbers. I may post more data on calculation if
needed.

There is no limit in maximum security. Imagine a museum which has precious
jewels in the main showroom. It is possible that you may hire some guardians
at the main door (firewall) and you may go home (That should be enough, why
are you repeating yourself as posted in another e-mail e.g. "I never
understand"). Or you may hire additional guardians from a different
security firm just for the showroom (serially connected firewalls from
different vendors). The visitors entering the museum should be scanned in
either direction even if they have tickets (gateway content security
for authenticated traffic). Not enough? Put a scanner for the showroom, and
even one scanner for the display box. You may consider another guardian team
who are specialized in searching the visitors, nothing else, since only the
visitors are allowed to enter the jewel room (port 80 firewall). Well, you
still think that someone may steal your jewels. Pay the money and buy a
sophisticated alarm system (a.k.a. intrusion detection). Your alarm system
may either control the perimeter and the halls that lead to your showroom,
or the display case itself. Of course your staff must be trusted (certified
software) and audited. Use trusted sources and have audit as much as you
need it. Hire professional burglars to test your security....

Authentication is another story. You may have factor 1,2,3 .... As long as
you need it.

cheers,
-yinal


p.s. regarding your question about a memory resident threat: Any executable
that may create such a hole is analyzed at the gateways and the servers
before reaching its final destination. There are also anomaly-based
scanners. It is not just the files. All host-based IDS systems analyze
memory-resident applications.

-----Original Message-----
From: John Keeton [mailto:jkeeton () nettoxin net]
Sent: Thursday, July 31, 2003 8:24 AM
To: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] OT: Av and Gartner...


Everyone, thanks for the replies. I am somewhat surprised that everyone
doesn't scan http/ftp. My worry is that something could be d/l'ed and reside
only in memory, and then do something.

But what could it do?
DOS someone else..
rm -rf /.. 
Worm out to spread. 
Spread via files.. 

The last 2 should be caught because AV is installed on every single MS box. 

As far as my setup, no one can talk out anything w/o going through the
proxy. 
IDS kills[1] .exe's.. But, the problem is, the 1% of people that violate
policy, and build their own machine[2] don't have AV a lot of times, and
these are the people who scare the heck out of me because they think they
know what they are doing, and in reality, they are our biggest threat. 

I am torn if I am more worried about viruses via http, malware in Java or 
ActiveX puke.. I don't think AV would/could catch the latter even if it was 
installed everywhere.. 

The PL on this effort, has already had her decision on this. But she always
does that after speaking with one person. 


Thanks again, 
jkeeton

[1] Sometimes on a good day, unless you hit reload enough so that it misses 
the .exe
[2] We are rather large, ~25k machines, and there is a small % of "accepted"
violation of IS/Security policy, because the admin support team can't/won't/
aren't allowed to support people. We are STILL running NT4.0.. A lot of 
stuff needs 2k, or xp.. 
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


