Firewall Wizards mailing list archives

Weakest Links Best Practices


From: "J. Oquendo" <sil () politrix org>
Date: Tue, 14 Dec 2004 09:17:21 -0500 (EST)


> Is this really an improvement?  This is where I can't help but play devil's
> advocate.  Are we really better off when our security is dependent on hundreds
> or thousands of desktops (the weakest link) that we fight desperately to
> control in a never-ending futile battle?  One of the first tenets of systems
> security is physical security and you can never claim that you have physical
> control over a machine at your user's fingertips.

Thanks for the reading material so far, but I have to disagree with some
of the following statements. When you state "you can never claim physical
control" you're mistaken. One of the problems I see with too many
businesses is their lack of control over their business. You don't run a
car dealer and allow your employees to snag up the latest 740iL and drive
it off the lot for the sake of them being able to do so. Flags and checks
should be placed from the minute the employee is hired.

As a matter of safe practice, it is wiser for the business to take some
painful steps beforehand to lock down a machine before throwing it on
their network, removing the unnecessary, whether it is by some ACL or
heavy modifications of the Windows registry. Anything short of that is an
excuse, and the company's fault for their lack of proper measures to
ensure data integrity, security, etc., at least from my POV (which means
little to anyone outside of the voices in my head).

> What's wrong with a model that acknowledges that while we will do our best to
> protect the security of user machines, they are a resource we cannot
> ultimately control, so rather than making the security of the entire
> organization dependent on them, we are going to reduce our effective security
> perimeter to a known subset of systems that we do maintain absolute physical
> control over?  I'm not suggesting that we abandon user machines, I'm suggesting
> that we remove them from being available to be the weakest link in the security
> of the organization.  I'm suggesting that we acknowledge that desktops are
> going to get hacked and infected (especially laptops) and make a concerted
> effort to protect the rest of the organization from that inevitable compromise.

Isn't this more or less what every other company releases every other week
under the terms "Guidelines for a Secure $INSERT_OS_HERE" practices? My
personal favorite is Cisco's SAFE practices. I'm not a stickler for any
particular OS anymore, nor firewall, nor IDS. I believe you have to make
do with the resources in front of you, whether it is going to be an open
source solution or some $1.5 kajillion contraption. Proper measures -
whether it's taking an extra minute to configure AV software properly,
creating an access list, modifying the registry, etc., from the onset can
minimize most of the silly woes that plague networks. This is almost never
done and it's visible judging from the number of woes I read about on
lists.


> I'm not abandoning the desktops, I'm trying to minimize the potential of one
> infected desktop infecting all of the desktops.  One machine is easier to clean
> than hundreds, or thousands.  I'm also addressing the critical files issue.  If
> I was an insider trying to steal juicy data I'm going to attack the desktops
> and laptops of the people that have that data directly.  It will be a lot
> easier and more discreet than attacking the fortified, guarded, and watched
> servers.

Isn't this what ACLs are for? Segmenting networks, setting proper
permissions. Looking at things from an admin perspective, why not template
system settings across the board so when machines go live, they are as
tight as possible? Why not just have the IT departments take that extra
few minutes removing the clutter off an employee's laptop before handing it
over? No one should really need to hold competent staffers' hands to have
them think how to properly do their job. I lay blame on upper crust CTOs
who don't lay the foundation down properly.

> I'm not discounting this approach, I just need to noodle it some more to
> understand all of the implications.  Do you have any references to this being
> applied and used?


Cisco SAFE ;)
http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_package.html

If you can stomach all of the ©_foo ™_yuck, substitute it with
the tools at your disposal; I think the models there are as competent and
secure as you would need. On the internal side of a corporation, only the
workers there could know of their own needs, and only those people can
implement those needs. Anything else is just shoddy work and slackage.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99

CA22 0619 DB63 F2F7 51F9 D78D
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D

sil @ politrix . org    http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net

"How can we account for our present situation unless we
believe that men high in this government are concerting
to deliver us to disaster?" Joseph McCarthy "America's
Retreat from Victory"
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards