Firewall Wizards mailing list archives
Re: Vulnerability Response (was: BGP TCP RST Attacks)
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 01 Jun 2004 13:13:20 -0400
M. Dodge Mumford wrote:
Paul D. Robertson said:If it can't be attacked, then arguably, it doesn't need to be fixed.That sentiment surprises me a bit. It appears to me to violate the concept of defense in depth.
This is Peter Tippett's theory of synergistic controls. If you have several things that each reduce the likelihood of something bad happening, then it's really good to do more of them a little bit because the marginal returns eventually go down. So, if making your network separated so that "it can't be attacked" is going to address 95% of the risks (ninjas, nanobots, etc, are still a problem) and hardening the system is going to address another 95% you're best off if you do the easiest/cheapest one first. In the case of using my "perfect firewall" it's usually easier since it's almost always easier and cheaper to NOT DO SOMETHING than to DO something. The equipment cost for an air gap is low. ;) What's interesting is that if you have 2 security controls that each help block (on average, assuming random distribution of attack vectors - which is an interesting assumption) 50% of the attacks, then you've got 75% of the attacks blocked. Again, the assumption of random distribution is an interesting and important problem in the theory. If the attacks distribute disproportionately - if you can whack 50% of the network attacks and 90% of the attacks are networked - then your air gap is going to show a much higher value (95% of 90%) One of the things that makes firewalls remain attractive is that a disproportion of attacks are networked AND the effort factor to install them at a perimeter is low. The concept of defense in depth is to do some pretty basic stuff in lots of places. And it works. So if you're willing to assume in Paul's example that "the system cannot be attacked is ONLY 95% effective - then a 50% effective antivirus system on the desktop behind the airgap bumps your likelihood of an attack getting through down to a whopping 2.5%. But if you think about it, your first line of defense makes a lot of the difference and after that it's all diminishing returns. Hmm... Did I just say that "just doing ANYTHING" is a good start? I think I did. 
;) Perhaps that's why we find ourselves on the fence about the host/network - where do I secure it ? issue - doing *anything* that's not manifestly stupid helps a great deal. Doing any 2 things that aren't manifestly stupid gets you most of the rest of the way 100% for all intents and purposes. If you accept some of the logic I've thrown at you above, then it stands to reason that doing things that help less than 40-50% of the time is probably a waste of time unless you're doing 3 or more of them. mjr. _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
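The arithmetic in the message above, worked through as an added example (this is not code from the original post or from anyone on the list): a small Python model that combines controls two ways. The first way multiplies residuals as if every control acted independently on a randomly distributed attack population, which is the "interesting assumption" Ranum flags and reproduces his 75% and 2.5% figures. The second way tracks attack classes separately, so two controls that both only touch network attacks stop multiplying against the local ones. The attack mix (90% network, 10% local), the three controls and their per-class block rates are constructed figures chosen for illustration, not numbers from the thread.

```python
"""Synergistic controls: independent-multiplication model vs. per-class model.

Added example, not part of the original message. ATTACK_MIX and the three
controls below are constructed illustrations, not measured data.
"""

# Share of all attacks falling into each class (shares sum to 1.0).
ATTACK_MIX = {"network": 0.9, "local": 0.1}

# Each control maps attack class -> fraction of that class it blocks.
# A class a control does not mention is untouched by it (block rate 0).
FIREWALL = {"network": 0.9}                  # perimeter: network only
IDS = {"network": 0.5}                       # also network only
DESKTOP_AV = {"network": 0.3, "local": 0.5}  # the only thing touching local


def residual_independent(block_rates):
    """Fraction of attacks that get through if every control is assumed to
    act independently on a random attack population: product of (1 - p).
    Two 50% controls -> 0.25 residual (75% blocked); 95% + 50% -> 0.025."""
    residual = 1.0
    for p in block_rates:
        residual *= 1.0 - p
    return residual


def overall_block_rate(attack_mix, control):
    """Collapse a per-class control into the single 'blocks X% of attacks'
    figure one would plug into residual_independent()."""
    return sum(share * control.get(cls, 0.0) for cls, share in attack_mix.items())


def residual_by_class(attack_mix, controls):
    """Fraction that gets through when attacks are tracked per class.
    Within a class the controls still multiply, but a control that never
    touches a class cannot reduce that class's share at all."""
    total = 0.0
    for cls, share in attack_mix.items():
        through = share
        for control in controls:
            through *= 1.0 - control.get(cls, 0.0)
        total += through
    return total


def marginal_gain(attack_mix, existing_controls, new_control):
    """How many percentage points of residual a new control removes, given
    what is already deployed. Shows the diminishing returns Ranum describes:
    the same control is worth far more as the first line than as the third."""
    before = residual_by_class(attack_mix, existing_controls)
    after = residual_by_class(attack_mix, list(existing_controls) + [new_control])
    return before - after


if __name__ == "__main__":
    # Ranum's own figures under the independence assumption.
    print("two 50% controls, independent:", residual_independent([0.5, 0.5]))
    print("95% air gap + 50% AV, independent:", residual_independent([0.95, 0.5]))

    # Same three controls, both models. The flattened rates make firewall
    # and IDS look like they multiply; the per-class model shows they both
    # only chew on the same 90% and leave the local 10% alone.
    flat = [overall_block_rate(ATTACK_MIX, c) for c in (FIREWALL, IDS)]
    print("firewall+IDS, independent model:", residual_independent(flat))
    print("firewall+IDS, per-class model:  ", residual_by_class(ATTACK_MIX, [FIREWALL, IDS]))

    # Diminishing returns: desktop AV as first control vs. as third control.
    print("AV deployed first:", marginal_gain(ATTACK_MIX, [], DESKTOP_AV))
    print("AV deployed after firewall+IDS:", marginal_gain(ATTACK_MIX, [FIREWALL, IDS], DESKTOP_AV))
```

With these constructed numbers the independence model reports 10.45% getting past firewall plus IDS, while the per-class model reports 14.5%, because nothing in that pair touches the local attacks at all. The desktop AV removes 32 points of residual if it is the only control and 6.35 points if it is added after the other two, which is the "first line of defense makes a lot of the difference" effect in numbers.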
Current thread:
- RE: Vulnerability Response (was: BGP TCP RST Attacks), (continued)
- RE: Vulnerability Response (was: BGP TCP RST Attacks) Marcus J. Ranum (Jun 01)
- RE: Vulnerability Response (was: BGP TCP RST Attacks) Ben Nagy (Jun 01)
- RE: Vulnerability Response (was: BGP TCP RST Attacks) Marcus J. Ranum (Jun 01)
- RE: Vulnerability Response (was: BGP TCP RST Attacks) Paul D. Robertson (Jun 01)
- RE: Vulnerability Response (was: BGP TCP RST Attacks) R. DuFresne (Jun 01)
- RE: Vulnerability Response (was: BGP TCP RST Attacks) Marcus J. Ranum (Jun 01)
- RE: Vulnerability Response (was: BGP TCP RST Attacks) Jim Seymour (Jun 01)
- RE: Vulnerability Response (was: BGP TCP RST Attacks) Marcus J. Ranum (Jun 01)
- Re: Vulnerability Response (was: BGP TCP RST Attacks) M. Dodge Mumford (Jun 01)
- Re: Vulnerability Response (was: BGP TCP RST Attacks) Paul D. Robertson (Jun 01)
- Re: Vulnerability Response (was: BGP TCP RST Attacks) Marcus J. Ranum (Jun 01)
- Re: Vulnerability Response (was: BGP TCP RST Attacks) Paul D. Robertson (Jun 01)
- Re:Vulnerability Response (was: BGP TCP RST Attacks) Marcus J. Ranum (Jun 01)
- RE: Vulnerability Response (was: BGP TCP RST Attacks) Paul D. Robertson (Jun 03)
- Re: Vulnerability Response (was: BGP TCP RST Attacks) George Capehart (Jun 03)