Firewall Wizards mailing list archives
RE: Worms, Air Gaps and Responsibility
From: Gwendolynn ferch Elydyr <gwen () reptiles org>
Date: Tue, 18 May 2004 22:01:12 -0400 (EDT)
On Tue, 18 May 2004, Dana Nowell wrote:
> Exactly, so none of this filters down to the average guy.
That's badly disingenuous. It certainly does filter down. The average guy these days knows what a firewall is, in basic terms, and that they're a Good Thing (tm). This wasn't at all true 5 years ago. In -every field-, things that were esoteric to the average guy gradually become common knowledge. Everybody today knows what "germs" are as a general concept - but that certainly wasn't the case in 1840, among specialists, never mind the average guy.
> Some have been doing it awhile, hasn't worked yet. We can check the archives but you've done it, Marcus has, and several others (including me a few times). Glaciers move quicker, we need more people and preferably people with bigger armaments. If you mean the ENTIRE security community, put me in, coach. Oh, that's just as soon as we get them to agree as well.
Agree on what? There's plenty of information about best practices out in the wild - and increasing awareness and implementation. Things do change.
> Yup, I'm one. Total company staff across all divisions and locations ~35, not exactly a huge multinational here. Now that I'm a charter member of the club, exactly how much does that increase my clout with vendors and customers that have outrageous network requests?
Well - first off I'd suggest communicating risk effectively. That means explaining it as a -business issue-, not as a technical complaint. It's certainly been discussed here [and elsewhere] many times - but your management and customers will hear "lose money" where they won't hear "technical wazzit". Secondly - try to find out what the customer wants to do, and help them to do it securely. Most folks given a reasonable alternative that improves their security and bottom line - take it.
> Premise: Every network operator we get to do the right thing[tm] means one less network to produce traffic which attacks us. Unfortunately I feel we are creating a hundred networks a day and converting ten admins a day, the ship is sinking captain.
It sounds, to be honest, like you could do with a vacation ;> I think that we've all suffered from this particular form of "nothing I do will make any difference, so why bother" at various times - and it does seem like an uphill battle some days. On the other hand, if you consider the lake, rather than the water in your boat... it really is shrinking.
> Never intended to argue air gaps aren't effective, intended to argue that the definition of air gap changes and that business demands will cause bridging (i.e., not effective long term). Consequently it is like every other tool in our belt. Theoretically proxies work just fine, if they greatly restrict what you can do and validate all the input. They don't always work in practice because people don't do that and they always need another hole through the wall or another application running over HTTP. Air gaps will work well, until devices cross the gap because we didn't notice (or have a choice). When we notice the device will be ingrained into the business process and we will not be able to stop it at the door. Then we cobble together something just like always and start searching for the next evolution of the tool.
Hrm. I'm not sure that you're thinking about the same type of environment as Paul. He's talking about coast guard systems, cat scanners and the like - where you seem to be talking about corporate systems. Different demands and different risk levels.
> Not my point, I was claiming the 'strategic thinking' wasn't strategic enough (in fact I'm not sure it is strategic, really). Strategic thinking that claims people need to understand their critical infrastructure vs. their non critical and they need to understand the concept of air gaps across technology that doesn't exist yet and enforce all that, only works for the best and brightest not the average guy. It also is not truly long term strategic thinking, IMO, more like medium term. Why, because it will eventually fail, maintaining a true air gap is difficult and requires complex planning, not good.
I -really- don't see what's problematic with explaining technology that's hundreds of years old. Translate "air gap" into "fire break" if you like... It still comes down to "can't get there from here". That's really not a difficult concept.
> I want to expand the pool to a broader base, not just critical 'national' or 'large company' infrastructure but critical small company infrastructure. Why, because those guys become government contractors and contractors to large companies. A knowledge based economy can mean a critical VPN to a one guy shop to debug a showstopper production problem. This is especially true in the financial sector when an overnight delay can cost millions. I can assure you that if it is 'bridge the air gap' or be out several tens of millions each day, someone WILL walk into your office (been there, seen that).
Uhhh... Okay. We've definitely wandered off here ;> This started out as "let's remember that systems such as air traffic control and stop lights don't need to be on the Internet", and has now veered off into trying to apply the idea of an air gap to everything. I doubt that anybody here would say that disconnecting everything is a good business solution. I -do- think that many people here would agree that isolating critical systems is a Good Thing(tm) - and that an air gap is one of the most effective means of isolating systems.
> No but at some point the CAT scanner will be on the same network that the tech's diagnostic computer is on, and where was that last? Or are you saying that every CAT scanner installed will have a dedicated diagnostic computer and that media with diagnostic software upgrades will be vetted before being allowed to cross the air gap (remember the difficult to maintain, complex planning comment)?
Most of the diagnostic devices that I've seen function via serial ports, fwiw - and they're typically limited purpose devices, or at worst, laptops with very specific software and drivers, which aren't taken home to be played with.
> And last I checked some desktops exist in production areas, like monitoring systems and operator consoles. I never intended to imply it was the mail clerk's desktop. How about we make it the operator's desktop and he wants to download a log to take and study. He does it via his new wizbang toy that is not on this week's list of 'leave that device at the door before you enter' devices. You know, the one he plugged into his home network this morning to download some mail to read on break, oops.
Well, no. A properly implemented policy means that -all- devices are left at the door, not just the ones on the list. Similarly, taking logs home to "study" is a serious infringement in many industries - never mind plugging in an unauthorized device. That's one swift way to lose your job.
cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound desire for fish and an equally deep, passionate and profound desire to avoid getting wet. This is the defining metaphor of my life right now."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards