Firewall Wizards mailing list archives
RE: Vulnerability Response (was: BGP TCP RST Attacks)
From: "Ben Nagy" <ben () iagu net>
Date: Tue, 1 Jun 2004 11:06:52 +0200
-----Original Message-----
From: Marcus J. Ranum [mailto:mjr () ranum com]
[...]
mjr writes:
[...]
I think eventually time will tell and we'll give up on patch management as a security technique. [...]
(me)
>> "CRAP!"
> As I said, I think time will tell. :)
> <RANT>
> Come on, Ben! Join me in challenging the preconceptions of an industry that has grown up around "if you can't do something RIGHT do something STUPID, HARDER!" That's what we're talking about, here, with all the focus on patch management:
> - Rather than run a good O/S: run a bad one and MANAGE it BETTER
> - Rather than understand your connectivity: leave it OPEN and FIDDLE WITH your endpoints CONSTANTLY
> - Rather than run good code: run bad code and UPGRADE IT DAILY
> Talk about not being able to yell "CRAP" loud enough?? What's wrong with this picture?!?!
I'm horribly torn here. I completely agree with you, but I just don't see any evidence of change. Essentially what you are claiming, when you say that "time will tell", is that little green men from the Planet Clue are going to invade earth with their rectal clue applicators and drag most of the IT industry in the world off to re-education camps. Until then, I applaud evangelism, but it won't stop me trying to secure the mess we have.
>> Take a look at the recent security record of MS RPC endpoints. You can't turn them off. You can't secure them. Windows will break.
> Yes. So? YOU ARE INSANE IF YOU ARE RELYING ON WINDOWS FOR INTERNET-FACING CRITICAL SYSTEMS.
Trouble is that it's not just internet facing systems that get owned. This idea of crunchy outside chewy centre has GOT to change. It's dead. Didn't work. Bye-bye. [...]
> We have seen - CLEARLY - with software and O/S in general - that they are not reliable enough to provide a solid security platform. The evidence is manifest; it's been staring us in the face for at least the last 10 years and it's been covered in big, blinky neon signage for the last 4 years. Everyone would rather be in denial. What do you think? If we install JUST ONE MORE PATCH it's gonna be SECURE? Heck, no. The only way to secure this crap is to hold it down and hammer a stake through its heart.
Ah c'mon. Given that we can't go back to the abacus, we need to work from where we are, and it is happening. I see MS doing GOOD WORK in improving the fundamental security core of their OS. I nearly passed out when I saw support for NX memory, no anonymous RPC and host firewall enabled by default in a general purpose service pack. They've come a long way from VMS. :) I see linux including easy (enough) to use stack protection in most major distributions, with DAC being doable In Real Life. I see MacOS....um...taking massive steps backwards, but hey, they've always "thought different". The other option to burning it all and starting again is to "get there from here". I say it's possible (eventually). Until that happens, we need auxiliary solutions to prop things up.
> </RANT>
>> How _ELSE_ do you want to deal with that problem? Let me put it a different way. However much you lock down machines, your biggest remaining worry will be software vulnerabilities in the services you _do_ run - the rest is just a matter of degrees. How do you eliminate vulnerabilities? Patch.
> Ok... now let me catch my breath and we can talk sense... ;) You're absolutely right that the software vulnerabilities in services are what will kill you. That's why the old-school doctrine was [smart]
I think you're STILL thinking in terms of building hardened entry points. Yes, more people should do that as well. Now what about the other 99.9% of machines in the network? Some of the manufacturing places I talk to still have Windows 95 machines running production robots. Win 95! The only reason they didn't get knocked over by Sasser is that they didn't _have_ a Local Security Authority! [...]
>> You can only harden up until the OS will let you.
> Well, yeah. If you're using the wrong OS you're an idiot. The fact that there are a lot of idiots out there doesn't make them any less idiotic, either.
This line brings a smile to my face every time I read it. You're right, of course, but lots of people aren't going to admit it when you rub their nose in it like that. I'm writing this on a Windows box - and you just told me that your work box is Windows too. I vote that us "idiots" deserve security too.
> Let me see here: "I am gonna build a 'bastion host' on an O/S that doesn't have chroot, or any notion of file permissions or execution control. But I like it because it automatically loads device drivers on demand and it has shared libraries and no CHANCE of producing a statically bound executable and by the way anyone can overwrite a shared library any time they get file level access because there are no file permissions enforced."
[...] What can I say? :) It's so useable! No, seriously, the argument about what to use if building a hardened single-service box was conceded a long time ago by all but the masochists. I'm talking about the _rest_. [...]
> The idea that code needs to be patched frequently and often is predicated on the flawed concept that cruddy code is exposed to untrusted network. That's just dumb.
So this is, again, where we differ in opinion. The desktop - also known as Cruddy Code Central - is what is causing the problem. You "old school" geniuses have been telling us "newbies" to build super duper amazing transit points between networks of different trust levels, which we have been trying to do. The trouble is that malware still gets in. Poot. Them dang worms is like roaches, I tell ya. Looks 'ifn that there trusted network weren't quite so trusted after all... There comes a point where we have to admit that "the security architecture operation was a complete success, but the patient died" is of limited value. One of the funniest things I ever saw was a small copper tail running out of a door in a military research institute - the building was a faraday cage, and so they needed the tail to make the radio work. People DO these things - it's HUMAN.
> Fight back. Fight dumbness. Come over to the light. Turn away from the darkness. Fight the "accepted wisdom" of defeat. Use The Force, Ben.... ;)
Ha! "It's fun to use learning for evil!" [1]
>> Other solutions (like my famous "marketing" host based vulnerability mitigation ;) might save your backside for a while, but the real intent of those solutions is to buy you time, not obviate the need to fix the real problem.
> Exactly!! Put another way - the intent of those solutions is to make it easier for you to survive doing something stupid that you may not survive anyhow.
That's correct. This is a bad thing, how? Seatbelts. The rail around Niagara. etc... [...]
> I have never had a worm or virus since I got interested in security. NEVER. And I use Windows as my primary desktop platform.
Because you have one machine to take care of, plus you have some idea what you are doing maybe? [...]
> Yes, desktops that are vulnerable to malcode should have malcode protection (my desktop AV clobbers about 1 or 2 viruses a week that get through my spam filters and attachment blockers)
!! So we agree! Yay! It's just that AV is not really effective against network-borne threats because the threat clobbers the network service before the AV gets a crack at it. AV is OK at stopping stuff that comes in from Layer 8, but doesn't cover lots of other threats. Other stuff _can_ cover some of those threats. [...]
>> With you I will just say that you are five years ahead of your time.
> What?? I've been saying EXACTLY THE SAME THING since 1990. *BUT* Peter Neumann has been saying EXACTLY THE SAME THING since 1963 or thereabouts. I was 1 year old then. Dude, I'm not "advanced" I'm "retro" !!!! :)
Computing since the 60s has proved that those two words are effectively synonyms. ;)
>> I am 100% behind you as an idealist, but, as a professional, I don't see that as useful right now. :D
> Because you're stuck in the dumbness.
> [...]

Keep shovelling, mjr.
<shovel, shovel>

ben

[1] http://www.dieselsweeties.com/shirts/ This is not my company, I have no affiliation, I make no money from shirt sales - I just didn't wanna steal a possibly-trademarked line. ;)

PS: I am ten ninjas. [1]