Firewall Wizards mailing list archives
Weakest Links Best Practices
From: "J. Oquendo" <sil () politrix org>
Date: Tue, 14 Dec 2004 09:17:21 -0500 (EST)
> Is this really an improvement? This is where I can't help but play devil's advocate. Are we really better off when our security is dependent on hundreds or thousands of desktops (the weakest link) that we fight desperately to control in a never ending futile battle? One of the first tenets of systems security is physical security and you can never claim that you have physical control over a machine at your user's fingertips.
Thanks for the reading material so far, but I have to disagree with some of the following statements. When you state "you can never claim physical control" you're mistaken. One of the problems I see with too many businesses is their lack of control over their business. You don't run a car dealer and allow your employees to snag up the latest 740iL and drive it off the lot for the sake of them being able to do so. Flags and checks should be placed from the minute the employee is hired. As a matter of safe practice, it is wiser for the business to take some painful steps beforehand to lock down a machine before throwing it on their network, removing the unnecessary whether it is by some ACL to heavy modifications of the Windows registry. Anything short of that is an excuse, and the company's fault for their lack of proper measures to ensure data integrity, security, etc., at least from my POV (which means little to anyone outside of the voices in my head).
> What's wrong with a model that acknowledges that while we will do our best to protect the security of user machines, they are a resource we can not ultimately control, so rather than making the security of the entire organization dependent on them, we are going to reduce our effective security perimeter to a known subset of systems that we do maintain absolute physical control over? I'm not suggesting that we abandon user machines, I'm suggesting that we remove them from being available to be the weakest link in the security of the organization. I'm suggesting that we acknowledge that desktops are going to get hacked and infected (especially laptops) and make a concerted effort to protect the rest of the organization from that inevitable compromise.
Isn't this more or less what every other company releases every other week under the terms "Guidelines for a Secure $INSERT_OS_HERE" practices? My personal favorite is Cisco's SAFE practices. I'm not a stickler for any particular OS anymore, not firewall, nor IDS. I believe you have to make do with the resources in front of you, whether it is going to be an open source solution or some $1.5 kajillion contraption. Proper measures - whether it's taking an extra minute to configure AV software properly, creating an access list, modifying the registry, etc., from the onset can minimize most of the silly woes that plague networks. This is almost never done and it's visible judging from the number of woes I read about on lists.
> I'm not abandoning the desktops, I'm trying to minimize the potential of one infected desktop infecting all of the desktops. One machine is easier to clean than hundreds, or thousands. I'm also addressing the critical files issue. If I was an insider trying to steal juicy data I'm going to attack the desktops and laptops of the people that have that data directly. It will be a lot easier and more discreet than attacking the fortified, guarded, and watched servers.
Isn't this what ACLs are for? Segmenting networks, setting proper permissions. Looking at things from an admin perspective, why not template system settings across the board so when machines go live, they are as tight as possible. Why not just have the IT departments take that extra few minutes removing the clutter off an employee's laptop before handing it over. No one should really need to hold competent staffers' hands to have them think how to properly do their job. I lay blame on upper crust CTOs who don't lay the foundation down properly.
> I'm not discounting this approach, I just need to noodle it some more to understand all of the implications. Do you have any references to this being applied and used?
Cisco SAFE ;) http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_package.html

If you can stomach all of the ©_foo ™_yuck substitute it with the tools at your disposal, I think the models there are as competent and secure as you would need. On the internal side of a corporation, only the workers there could know of their own needs, and only those people can implement those needs. Anything else is just shoddy work and slackage.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D
sil @ politrix . org http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net

"How can we account for our present situation unless we believe that men high in this government are concerting to deliver us to disaster?" Joseph McCarthy "America's Retreat from Victory"

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
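The segmentation the two posters are circling (desktops treated as the expected point of compromise, servers reachable only on the services they publish, and one infected desktop unable to reach the others) can be expressed as a plain Cisco IOS access list in the spirit of the SAFE designs the reply points to. The configuration below is an added illustration, not code from the thread or from Cisco's SAFE documents; the address plan (desktop space 10.10.0.0/16 carved into one /24 per floor, servers in 10.20.0.0/24, with constructed file, mail and DNS server addresses) and the interface names are assumptions for the example.

```cisco
! Constructed address plan (assumption, not from the thread):
!   desktop/laptop space  10.10.0.0/16   (one /24 VLAN per floor; this SVI is floor 10)
!   server VLAN           10.20.0.0/24
!   file server 10.20.0.10, mail server 10.20.0.20, DNS server 10.20.0.53
!
! Applied inbound on the desktop VLAN's routed interface: a desktop may reach
! only the servers it needs, on the ports those servers publish. Everything
! else toward the server VLAN or toward other desktop VLANs is dropped and
! logged, so the IDS/SIEM sees a worm or an insider probing from a desktop.
ip access-list extended DESKTOPS-OUT
 remark -- file, mail and name service: the only server traffic a desktop originates
 permit tcp 10.10.0.0 0.0.255.255 host 10.20.0.10 eq 445
 permit tcp 10.10.0.0 0.0.255.255 host 10.20.0.20 eq 25
 permit tcp 10.10.0.0 0.0.255.255 host 10.20.0.20 eq 143
 permit udp 10.10.0.0 0.0.255.255 host 10.20.0.53 eq 53
 permit tcp 10.10.0.0 0.0.255.255 host 10.20.0.53 eq 53
 remark -- desktops on other floors are never a legitimate destination
 deny   ip  10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255 log
 remark -- any other server-bound traffic is a policy violation worth logging
 deny   ip  10.10.0.0 0.0.255.255 10.20.0.0 0.0.0.255 log
 remark -- remaining traffic (Internet-bound) continues to the perimeter firewall
 permit ip  10.10.0.0 0.0.255.255 any
!
interface Vlan10
 description floor 10 desktops and laptops
 ip address 10.10.10.1 255.255.255.0
 ip access-group DESKTOPS-OUT in
!
! Traffic between two desktops on the same VLAN never crosses the routed
! interface, so the ACL alone cannot stop it. Port isolation on the access
! switch closes that gap: protected ports cannot exchange frames with each
! other, only with the unprotected uplink toward the router.
interface range FastEthernet0/1 - 24
 description desktop access ports, floor 10
 switchport access vlan 10
 switchport protected
```

The two halves do different jobs: the ACL on the SVI decides which servers a desktop may talk to and records every attempt outside that set, while `switchport protected` on the access ports (or a private VLAN on platforms that support it) is what actually prevents one infected machine from reaching its neighbours on the same segment. Reviewing the `log` hits from the two `deny` lines is the cheap early warning for exactly the desktop compromise the thread treats as inevitable.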