RE: Worms, Air Gaps and Responsibility

[Gwendolynn ferch Elydyr <gwen () reptiles org>]

On Tue, 18 May 2004, Dana Nowell wrote:
> Exactly, so none of this filters down to the average guy.

That's badly disingenious.  It certainly does filter down.  The average
guy these days knows what a firewall is, in basic terms, and that they're
a Good Thing (tm).  This wasn't at all true 5 years ago.

In -every field-, things that were esoteric to the average guy gradually
become common knowledge.  Everybody today knows what "germs" are as a
general concept - but that certainly wasn't the case in 1840, among
specialists, never mind the average guy.

> Some have been doing it awhile, hasn't worked yet.  We can check the
> archives but you've done it, Marcus has, and several others (including me a
> few times).  Glaciers move quicker, we need more people and preferably
> people with bigger armorments.  If you mean the ENTIRE security community,
> put me in coach.  Oh, that's just as soon as we get them to agree as well.

Agree on what? There's plenty of information about best practices out
in the wild - and increasing awareness and implementation.  Things do
change.

> Yup, I'm one.  Total company staff across all divisions and locations ~35,
> not exactly a huge multinational here.  Now that I'm a charter member of
> the club, exactly how much does that increase my clout with vendors and
> customers that have outrageous network requests.

Well - first off I'd suggest communicating risk effectively.  That means
explaining it as a -business issue-, not as a technical complaint. It's
certainly been discussed here [and elsewhere] many times - but your
management and customers will hear "lose money" where they won't hear
"technical wazzit".

Secondly - try to find out what the customer wants to do, and help them
to do it securely.  Most folks given a reasonable alternative that improves
their security and bottom line - take it.

> > Premise:  Every network operator we get to do the right thing[tm] means
> > one less network to produce traffic which attacks us.
>
> Unfortunately I feel we are creating a hundred networks a day and
> converting ten admins a day, the ship is sinking captain.

It sounds, to be honest, like you could do with a vacation ;> I think
that we've all suffered from this particular form of "nothing I do will
make any difference, so why bother" at various times - and it does seem
like an uphill battle some days.  On the other hand, if you consider
the lake, rather than the water in your boat... it really is shrinking.

> Never intended to argue air gaps aren't effective, intended to argue that
> the definition of air gap changes and that business demands will cause
> bridging (i.e., not effective long term).  Consequently it is like every
> other tool in our belt.  Theoretically proxies work just fine, if they
> greatly restrict what you can do and validate all the input.  They don't
> always work in practice because people don't do that and they always need
> another hole through the wall or another appliction running over HTTP.  Air
> gaps will work well, until devices cross the gap because we didn't notice
> (or have a choice).  When we notice the device will be ingrained into the
> business process and we will not be able to stop it at the door.  Then we
> cobble together something just like always and start searching for the next
> evolution of the tool.

Hrm. I'm not sure that you're thinking about the same type of environment
as Paul.  He's talking about coast guard systems, cat scanners and the
like - where you seem to be talking about corporate systems. Different
demands and different risk levels.

> Not my point, I was claiming the 'strategic thinking' wasn't strategic
> enough (in fact I'm not sure it is strategic, really).  Strategic thinking
> that claims people need to understand their critical infrastructure vs.
> their non critical and they need to understand the concept of air gaps
> across technology that doesn't exist yet and enforce all that, only works
> for the best and brightest not the average guy.  It also is not truely long
> term strategic thinking, IMO, more like medium term.  Why, because it will
> eventually fail, maintaining a true air gap is difficult and requires
> complex planning, not good.

I -really- don't see what's problematic with explaining technology that's
hundreds of years old.  Translate "air gap" into "fire break" if you
like...  It still comes down to "can't get there from here".  That's
really not a difficult concept.

> I want to expand the pool to a broader base, not just critical 'national'
> or 'large company' infrastructure but critical small company
> infrastructure.  Why, because those guys become government contractors and
> contractors to large companies.  A knowledge based economy can mean a
> critical VPN to a one guy shop to debug a showstopper production problem.
> This is especially true in the financial sector when an overnight delay can
> cost millions.  I can assure you that if it is 'bridge the air gap' or be
> out several tens of millions each day, some one WILL walk into your office
> (been there, seen that).

Uhhh... Okay. We've definitely wandered off here ;> This started out as
"let's remember that systems such as air traffic control and stop lights
don't need to be on the Internet", and has now veered off into trying
to apply the idea of an air gap to everything.

I doubt that anybody here would say that disconnecting everything is
a good business solution.  I -do- think that many people here would
agree that isolating critical systems is a Good Thing(tm) - and that
an air gap is one of the most effective means of isolating systems.

> No but at some point the CAT scanner will be on the same network that the
> tech's diagnostic computer is on, and where was that last?  Or are you
> saying that every CAT scanner installed will have a dedicated diagnostic
> computer and that media with diagnostic software upgrades will be vetted
> before being allowed to cross the air gap (remember the difficult to
> maintain, complex planning comment)?

Most of the diagnostic devices that I've seen function via serial ports,
fwiw - and they're typically limited purpose devices, or at worst,
laptops with very specific software and drivers, which aren't taken
home to be played with.

> And last I checked some desktops exist in production areas, like monitoring
> systems and operator consoles.  I never intended to imply it was the mail
> clerk's desktop.  How about we make it the operator's desktop and he wants
> to download a log to take and study.  He does it via his new wizbang toy
> that is not on this week's list of 'leave that device at the door before
> you enter' devices.  You know, the one he plugged into his home network
> this morning to download some mail to read on break, oops.

Well, no. A properly implemented policy means that -all- devices are left
at the door, not just the ones on the list.  Similarly, taking logs
home to "study" is a serious infringement in many industries - never
mind plugging in an unauthorized device  That's one swift way to lose
your job.


cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet.  This is the defining metaphor of my life right now."

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards