Firewall Wizards mailing list archives

RE: Worms, Air Gaps and Responsibility


From: Dana Nowell <DanaNowell () cornerstonesoftware com>
Date: Tue, 18 May 2004 15:24:54 -0400

At 12:34 PM 5/18/2004 -0400, Gwendolynn ferch Elydyr wrote:
On Tue, 18 May 2004, Dana Nowell wrote:
the nightmare.  Is that today? No.  Is that within, say, 5 years? Possibly.
Show me YOUR plans for firewall protection of bluetooth, wireless USB, and
similar connections (yes some stuff is/can be built in by design but buffer
overflows and other exploits can be built in by accident;).

Isn't that what this discussion started out with?  Whether we're talking
about wired or wireless devices, the concept of an "air gap" [namely a
complete lack of connectivity between devices] remains valid.


Yeah, I've drifted around to the beginning; sorry, juggling too many things
this week.  I originally disliked Paul's example.  Then, having been sucked
into the discussion I tried to avoid, I tried (poorly) to make a point
about short term vs. long term environments.  The short term (usually less
technical) guys (home users, small business, etc.) are unlikely to take the
time or have the knowledge to analyse the proper 'air gaps', especially
when it includes things like cell phones and PDAs which are not thought of
as 'part of the network'.  Additionally they are less likely to approve
expenditures for security devices that they can't justify simply because
some security paper says so.  So this discussion is wonderful for
people/companies with full time staff and reasonable budgets dedicated to
security.  For the five man office with the secretary in charge of the
network, it is less than useful.  I'm willing to bet that the bulk of the
network connections (specifically the more insecure parts of the Internet)
falls into the short term bucket, especially with home use.

Premise: these networks/hosts will be compromised, as air gaps are unlikely
to be implemented and new technology connected devices will flourish, which
creates a lot of places for bugs to breed.

Premise: devices are moving toward interconnectivity via Infrared,
Bluetooth, WiFi, 802.11, and other technologies.  Direct peer-to-peer
connectivity between these devices is coming and one day 'soon' walking
down the street with one in your pocket will cause tens or hundreds of
connections to be attempted/created/broken, with all the inherent risks.

Premise: security typically lags functionality as new technology rolls out
(palms get synced to desktops before security knows a palm is in the
building in most companies).

Conclusion: Air gaps will not solve the problem as large breeding grounds,
device connectivity, and security lag will allow networks to be
compromised.  At best air gaps are another stop gap measure, which is
certainly better than nothing, but not much.

Whine: The security professionals in the Internet community need to take a
longer view.  Until we 'solve' the problem for the average guy playing a
short term game (or at least greatly reduce his risk) we can't really solve
the issue in our own networks, we can only play technology catch-up.  We
need to be involved either via this list or another mechanism in helping
set device/protocol 'best practices' and beating vendors about the head
until they do it, so security is designed in rather than cobbled on.  We
need to concentrate on how we solve the political/corporate/vendor issue
and not the technical issue because the technical issue isn't soluble (not
that the political issue is, but we might get more bang for the effort
buck).  Basically I'm damned tired of fighting the same war and upgrading
from a rock to a knife to a dagger to a sword to a flintlock to a ...  So
air gaps are nice, but in the long run, it's just another musket, one that
will be circumvented by targeting devices difficult to air gap (PDAs
syncing to desktop?).  Before you ask, no I don't have a plan.  Like most
in a small company I spend 95% of my day digging a deeper foxhole and
looking over the latest in flintlock design.  We have a lot of bright
people here and we ought to be using those IQ points for the long term
instead of designing today's Mark XII network rock.

OK, read it twice, and think I finally am clear (at least to me :-).


-- 
Dana Nowell     Cornerstone Software Inc.
Voice: 603-595-7480 Fax: 603-882-7313
email: DanaNowell_at_CornerstoneSoftware.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards