Firewall Wizards mailing list archives

RE: Vulnerability Response (was: BGP TCP RST Attacks)


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Wed, 26 May 2004 18:30:10 -0400

Ben Nagy wrote:
> To me, amongst the plethora of product, service and snake oil there are two
> evolving solution spaces that solve real problems. Host based vulnerability
> mitigation

The big problem with host based anything is that the management effort
scales with the number of hosts. That's just a losing battle in the long-term
because nobody's host-count is shrinking. Basically, the host-side problem
is the same as the system administration problem - and the industry has
made a frightening bodge out of its attempts to "solve" that issue.

> and anything that allows an organisation to condense and
> prioritise information about where they are exposed to known vulnerabilities
> in realtime.

Asset management, change control, and security workflow are all
good, yes. Condensing and prioritizing is just part of it. I'm not
at all convinced that it's enough. After all, if you condense and
prioritize the "must fix: disaster" list for many companies you'll get
a list so long that they'll decide to do something else, instead.
Anything else, in fact. :)

> Firewalls remain a critical part of any infrastructure, of
> course, but, to be frank, they just don't work as well anymore.

Firewalls are perfectly good tools that are regularly mis-used.
It says more about the intellectual state of security than it
does about the technical usefulness of firewalls.

The problem is that firewalls are a tool that was intended to be used
in "default deny" mode and the technical user community is operating
in a "vulnerability centric" mode. Rather than focusing on doing a few
things safely, the idea is always to figure out what the current threats
and vulnerabilities are, and whack those. That's a really useless
approach in the long run. I'd guess that a significant number of the
firewalls I've seen are being used to knock down "well known bad things"
instead of "only allow a few good things." I did a talk the other day
in which I outlined the "old-school" secure firewall approach (non-routed
networks, proxy everything, default deny, audit policy violations) and
people in the room were amazed: "None of our users would accept
that kind of solution!" they cried. Therein lies the rub. As long as something
so important as security is the tail trying to wag the dog, it's not going
to go anyplace.

You *think* host-based vulnerability mitigation (what *is* that,
by the way? it sounds like marketing...) is going to work. But
that's just because not enough users have TRIED it enough to
figure out how to politically sandbag it, yet. But don't worry, they
will. Remember, users are supposed to be running host-based
antivirus, too. :P

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
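As an added illustration (not part of the thread or anyone's posted code), here is a toy packet-filter policy evaluator contrasting the two modes described above: a default-allow filter that knocks down a few "well known bad" ports, versus a default-deny filter that permits only a few services and logs every policy violation. The policy names, ports, addresses and sample flows are all constructed.

```python
"""Default-deny vs. 'knock down well-known bad things' filtering policies (constructed example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Policy:
    name: str
    default: str                                # "allow" or "deny" when no rule matches
    rules: list = field(default_factory=list)   # (proto, dport, action) tuples
    audit: list = field(default_factory=list)   # every denial is logged here

    def decide(self, flow: Flow) -> str:
        # First matching rule wins; otherwise fall back to the policy default.
        action = next((a for p, d, a in self.rules if (p, d) == (flow.proto, flow.dport)),
                      self.default)
        if action == "deny":
            # "Audit policy violations": record what the policy refused and why.
            self.audit.append(f"{self.name}: DENY {flow.proto}/{flow.dport} {flow.src}->{flow.dst}")
        return action


# Weak setting: default allow, only a handful of "well known bad" ports blocked.
BLOCKLIST = Policy("knock-down-bad-things", "allow",
                   [("tcp", 135, "deny"), ("tcp", 445, "deny"), ("udp", 1434, "deny")])

# Corrected setting: default deny, only a few services explicitly allowed.
ALLOWLIST = Policy("only-allow-good-things", "deny",
                   [("tcp", 25, "allow"), ("tcp", 443, "allow"), ("udp", 53, "allow")])

# Constructed sample traffic; tcp/8080 stands for a service nobody has written a block rule for yet.
FLOWS = [
    Flow("203.0.113.7", "192.0.2.10", "tcp", 443),
    Flow("203.0.113.7", "192.0.2.10", "tcp", 445),
    Flow("203.0.113.9", "192.0.2.10", "tcp", 8080),
    Flow("203.0.113.9", "192.0.2.11", "udp", 53),
]


def evaluate(policy: Policy, flows=FLOWS) -> dict:
    """Return {flow: decision} for a policy; policy.audit holds the logged denials."""
    policy.audit.clear()
    return {f: policy.decide(f) for f in flows}


if __name__ == "__main__":
    for policy in (BLOCKLIST, ALLOWLIST):
        print(policy.name, {f"{f.proto}/{f.dport}": a for f, a in evaluate(policy).items()},
              f"({len(policy.audit)} violations logged)")
```

The unknown tcp/8080 flow sails through the blocklist policy but is refused and logged by the default-deny one, which is the whole difference between the two modes.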
