Firewall Wizards mailing list archives
RE: How to Save The World (was: Antivirus vendor conspiracy theories)
From: "Ben Nagy" <ben () iagu net>
Date: Wed, 8 Dec 2004 17:47:40 +0100
-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Devdas Bhagat
[...]
We need to publish a book of rants ;).
In all seriousness, I have often thought it would be cool to have a 'best-of' compilation from the archives. It would just be a freaking nightmare for someone to read it all and pick 'em, sadly.
>> I blame the protocols more than the proxies, but that's still how I see it.

> Some protocols are easier to proxy than others.
I'm sure that's what HTTP people were smugly thinking, before SOAP. ;)
[...]

> We don't disagree on everything. Only on the best way to slaughter the malicious.
Hmm. Evocative phrasing. Personally I am against capital punishment - whipping, indentured servitude and the Dixie Chix should be severe enough.
[...]

>>> Wouldn't it be far easier for the A/V vendors to just ship an alternative browser

>> No. That would be the commercial equivalent of stuffing hundreds of marshmallows up their nostrils and hoping to burp cotton candy.

> Not really. An alternative browser would work as a better solution. Given that most of the exploits are IE specific, using Firefox, or Opera would be a much nicer solution.
There is a strong possibility that the only reason there are less Firefox vulnerabilities is because attackers can't be bothered attacking it. You may notice that there have been several nasty bugs since it started becoming more popular. That hypothesis won't be provable either way for a while yet, although I acknowledge that it's an emotive issue. Everyone wants so badly to believe that IE is 3vil and Firefox r0cks. Well, I'll agree with the first half and reserve judgement on the second until it has been under hostile fire a little longer. In any case, changing away from IE is simply not going to happen for many environments, and Desktop Support aren't liable to consider their AV vendor to be the world authority on what browser they should be running. [...]
>> the "firewIDS"

[...]

> I think of it as proxies done wrong. Instead of trying to allow known good traffic through, they are attempting to filter out known bad traffic. That this approach does not work very well is a well known factoid, but this appears to be ignored. Those who do not learn from history are destined to repeat it and all that...
Well, in theory they should actually be "default deny plus", since you set 'em up just like a normal firewall, except that for the 'open' ports you have another chance to catch attacks by inspecting the data you're allowing. In theory. [...]
> Ok, analogy time. A firewall is like a locked door.[...]
I love this quote. ;) "If you are using a house analogy, you have stopped saying anything interesting about information security." - Dave Aitel, Sep 01 2004. [...]
>> IMO all the guys doing "behaviour blocking", "deep inspection" blah blah blah are onto a much better bet. Signatures are basically sucky.

> Oh hell, if you want to speak about deep inspection, why not think of it like this: Deep inspection looks at the contents of a packet or group of packets, and tries to match it to known bad patterns. [...] So what it boils down to is that the deep inspection filters are just proxies done badly.
Yes. Deep inspection is application level smarts applied to network streams, but really fast.

"Any sufficiently advanced application proxy is indistinguishable from any sufficiently advanced stateful inspection engine." - Carson Gaspar, 15 Apr 2000

Quotes for all occasions. :)

There are two reasons why I like "Deep Inspectotron Application Fireweasels (DIAF)" better than true proxies.

1. You don't have to implement the whole damn thing, which leaves you more time to get to grips with filtering out badstuff. This is the key reason DIAF != "Proxy But Different"

2. You can do it way, way faster with little effort. It's very amenable to turning into circuits.

Lots of people probably see 1. above as a negative, not a positive, and I used to think that way as well. However, I do not believe that it is possible to implement the same kind of strict proxy that we used to be able to do with, say, SMTP or FTP. Given that vendors don't/won't/can't do that, they make cop-out proxies for the tricky protocols, which basically just take attack traffic and add 150ms latency. Like Gauntlet. (I can tease them now they're dead ;)

Rather than do that, why _not_ pull out known bad stuff based on generic "you probably don't want that much data in this header", or "I doubt this mail address is meant to contain a 300K uuencoded attack payload" type rules.

Now I don't use DIAFs, we don't sell 'em, I have no vested interest, I just think it's slightly nicer to have a DIAF than a plain ol' boring FW, PROVIDED that it doesn't use IDS style signatures. I do not, however, think that a DIAF goes any significant way to obviating the need for defence in depth and host protection, as some marketeers will try to claim. It's more like version upgrading your firewall than implementing a 'new' technology.

[me]
>> There are other flaws too, but I risk setting myself off on a rant.
>> Oops, I slipped.
> Oh come on, rants are fun. use rant;
You talked me into it. [...]
>>> As MJR argued trying to fix a broken system is a waste of time and not worth the effort.

>> Well, as _I_ said in that thread, it is possible to do a pretty damn good job of bolt-on protection for both Windows and Linux (the systems that need it the most), without designing it into the kernel in the first place.

> You mean, on a filesystem like FAT32?
Ouch. Ok, you got me. FAT32 is bad, m'kay? But, to be fair, I was thinking about 'real' operating systems. [...]
>> "Dumb" systems like stackguard, linux / windows kernel modules that do some simple function hooking, detecting system calls made from writeable memory and the like are NOT rocket science.

> Kernel modules are in kernel space, by definition.
Yeah, but they're not designed in. They can be easily implemented as a band-aid, which is my whole point.
> Microsoft Windows has really bad defaults.
Pet Peeve. Yes, OK, but they're getting better. I don't wail on Linux for how crappy its security was back in 1999-2000 (well not much). XPSP2 is actually moderately cool, from memory management up. Win2K3 likewise.
> All that is being asked of them is that they set better defaults, and not require users to run as administrators all the time. Oh, and do not start up all those services at boot time.
Users have been able to not run as administrators since 'runas'. Kinda. OK, I'm probably lying, I admit. *sigh*
> Of course, hitting users over the head with iron bars is likely to work better in the long run.
[southern twang] "Ahhh lews mo' yewwwwsers that way!"
>> Hell, the Windows ICF, "High Security" browser setting and a copy of Spybot is adequate for home users.

> It's just "High security browser setting" results in sites throwing up warnings or simply not working. This is just not going to work in /that/ market.
Meh, OK, XPSP2 then. ;)

Cheers,

ben

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
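The "default deny plus" design Ben sketches in the message above (ports allowlisted exactly as on a plain firewall, and the traffic on an open port then checked against generic "you probably don't want that much data in this header" rules rather than attack signatures) is illustrated here as an added Python example. It is not code from the thread or from any product mentioned in it. The 998-octet header-line limit (RFC 5322) and 256-octet envelope-path limit (RFC 5321) are standard values; the port allowlist, the header-count and HTTP line bounds, and the sample sessions are constructed assumptions for the toy.

```python
"""Toy 'default deny plus' filter.

Ports are allowlisted as on an ordinary firewall (everything else is dropped),
and traffic on an allowed port then passes through a generic bounds check
rather than an attack-signature match. Example code with constructed sample
sessions; not from any product or from the mailing-list thread.
"""
from dataclasses import dataclass
from typing import Callable, Dict

# Limits taken from the mail standards: RFC 5322 caps a header line at 998
# octets, RFC 5321 caps a forward/reverse path at 256 octets.
MAX_MAIL_HEADER_LINE = 998
MAX_MAIL_PATH = 256
# Constructed bounds for the toy (not from any standard): a ceiling on header
# count and on HTTP request/header line length.
MAX_MAIL_HEADER_LINES = 100
MAX_HTTP_LINE = 8192


@dataclass
class Decision:
    allowed: bool
    reason: str


def check_smtp(payload: bytes) -> Decision:
    """Generic size rules over a client-side SMTP transcript: no pattern
    matching, only 'is this field a plausible size?'."""
    in_data = False
    header_lines = 0
    for line in payload.split(b"\r\n"):
        if not in_data:
            upper = line.upper()
            if upper.startswith((b"MAIL FROM:", b"RCPT TO:")):
                path = line.split(b":", 1)[1].strip()
                if len(path) > MAX_MAIL_PATH:
                    return Decision(False, f"envelope path of {len(path)} bytes exceeds {MAX_MAIL_PATH}")
            elif upper == b"DATA":
                in_data = True
            continue
        if line == b"":  # blank line ends the message header block
            break
        if len(line) > MAX_MAIL_HEADER_LINE:
            return Decision(False, f"header line of {len(line)} bytes exceeds {MAX_MAIL_HEADER_LINE}")
        header_lines += 1
        if header_lines > MAX_MAIL_HEADER_LINES:
            return Decision(False, f"more than {MAX_MAIL_HEADER_LINES} header lines")
    return Decision(True, "smtp within generic bounds")


def check_http(payload: bytes) -> Decision:
    """Same idea for an HTTP request: bound the request line and each header."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if len(lines[0]) > MAX_HTTP_LINE:
        return Decision(False, f"request line of {len(lines[0])} bytes exceeds {MAX_HTTP_LINE}")
    for line in lines[1:]:
        if len(line) > MAX_HTTP_LINE:
            return Decision(False, f"header line of {len(line)} bytes exceeds {MAX_HTTP_LINE}")
    return Decision(True, "http within generic bounds")


# The allowlist is the 'default deny' half: only these ports are open at all,
# and each open port gets a second look from its inspector (the 'plus').
INSPECTORS: Dict[int, Callable[[bytes], Decision]] = {25: check_smtp, 80: check_http}


def filter_connection(dst_port: int, payload: bytes) -> Decision:
    inspector = INSPECTORS.get(dst_port)
    if inspector is None:
        return Decision(False, f"port {dst_port} not allowlisted (default deny)")
    return inspector(payload)


# Constructed sample sessions (example.test addresses, not real hosts).
GOOD_SMTP = (b"EHLO mail.example.test\r\nMAIL FROM:<alice@example.test>\r\n"
             b"RCPT TO:<bob@example.test>\r\nDATA\r\nSubject: hello\r\n"
             b"From: alice@example.test\r\n\r\nbody\r\n.\r\n")
OVERSIZED_SMTP = (b"EHLO mail.example.test\r\nMAIL FROM:<" + b"a" * 300 +
                  b"@example.test>\r\nRCPT TO:<bob@example.test>\r\n")
GOOD_HTTP = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
LONG_HTTP = b"GET /" + b"A" * 9000 + b" HTTP/1.1\r\nHost: www.example.test\r\n\r\n"

if __name__ == "__main__":
    for port, payload in [(23, b"\xff\xfd\x18"), (25, GOOD_SMTP), (25, OVERSIZED_SMTP),
                          (80, GOOD_HTTP), (80, LONG_HTTP)]:
        d = filter_connection(port, payload)
        print(port, "ALLOW" if d.allowed else "DENY ", d.reason)
```

The point of the bounds is that they say nothing about any particular exploit: a 315-byte envelope path or a 9 KB request line is rejected because it is implausibly large for the field, which is the "proxy done cheaply" trade-off the message describes. Port 23 is refused before any inspection runs, since it is not on the allowlist.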
Current thread:
- RE: Antivirus vendor conspiracy theories Ames, Neil (Dec 02)
- RE: Antivirus vendor conspiracy theories Mark Teicher (Dec 05)
- Re: Antivirus vendor conspiracy theories Danny (Dec 05)
- Re: Antivirus vendor conspiracy theories Devdas Bhagat (Dec 05)
- RE: How to Save The World (was: Antivirus vendor conspiracy theories) Ben Nagy (Dec 07)
- Re: How to Save The World (was: Antivirus vendor conspiracy theories) Devdas Bhagat (Dec 07)
- RE: How to Save The World (was: Antivirus vendor conspiracy theories) Ben Nagy (Dec 11)
- Re: How to Save The World (was: Antivirus vendor conspiracy theories) Devdas Bhagat (Dec 11)
- Re: How to Save The World (was: Antivirus vendor conspiracy theories) Paul D. Robertson (Dec 12)
- Re: How to Save The World (was: Antivirus vendor conspiracy theories) Marcus J. Ranum (Dec 12)
- Book of rants (was Re: How to Save The World (was: Antivirus vendor conspiracy theories)) Devdas Bhagat (Dec 12)
- Re: Book of rants Jason Lewis (Dec 12)
- Re: Re: Book of rants Devdas Bhagat (Dec 12)
- Re: Re: Book of rants Christopher Hicks (Dec 12)
- Archives (was Re: Re: Book of rants) Devdas Bhagat (Dec 12)
- Re: Archives (was Re: Re: Book of rants) Jason Lewis (Dec 12)
- Re: Archives (was Re: Re: Book of rants) Paul D. Robertson (Dec 13)
- RE: How to Save The World (was: Antivirus vendor conspiracy theories) Ben Nagy (Dec 07)