Firewall Wizards mailing list archives
RE: Vulnerability Response (was: BGP TCP RST Attacks)
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Wed, 26 May 2004 18:30:10 -0400
Ben Nagy wrote:
> To me, amongst the plethora of product, service and snake oil there are two evolving solution spaces that solve real problems. Host based vulnerability mitigation
The big problem with host based anything is that the management effort scales with the number of hosts. That's just a losing battle in the long-term because nobody's host-count is shrinking. Basically, the host-side problem is the same as the system administration problem - and the industry has made a frightening bodge out of its attempts to "solve" that issue.
> and anything that allows an organisation to condense and prioritise information about where they are exposed to known vulnerabilities in realtime.
Asset management, change control, and security workflow are all good, yes. Condensing and prioritizing is just part of it. I'm not at all convinced that it's enough. After all, if you condense and prioritize the "must fix: disaster" list for many companies you'll get a list so long that they'll decide to do something else, instead. Anything else, in fact. :)
> Firewalls remain a critical part of any infrastructure, of course, but, to be frank, they just don't work as well anymore.
Firewalls are perfectly good tools that are regularly mis-used. It says more about the intellectual state of security than it does about the technical usefulness of firewalls. The problem is that firewalls are a tool that was intended to be used in "default deny" mode and the technical user community is operating in a "vulnerability centric" mode. Rather than focusing on doing a few things safely, the idea is always to figure out what the current threats and vulnerabilities are, and whack those. That's a really useless approach in the long run. I'd guess that a significant number of the firewalls I've seen are being used to knock down "well known bad things" instead of "only allow a few good things."

I did a talk the other day in which I outlined the "old-school" secure firewall approach (non-routed networks, proxy everything, default deny, audit policy violations) and people in the room were amazed: "None of our users would accept that kind of solution!" they cried. Therein lies the rub. As long as something so important as security is the tail trying to wag the dog, it's not going to go anyplace.

You *think* host-based vulnerability mitigation (what *is* that, by the way? it sounds like marketing...) is going to work. But that's just because not enough users have TRIED it enough to figure out how to politically sandbag it, yet. But don't worry, they will. Remember, users are supposed to be running host-based antivirus, too. :P

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
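The contrast Ranum draws between a "knock down well known bad things" ruleset and a "only allow a few good things" ruleset can be made concrete with a small policy simulator. The following is an added example, not code from the list thread or from any firewall product; the addresses, ports and flows are constructed sample data, and the rule syntax is a toy, not nftables or any vendor's language. It runs the same four inbound flows through both policies and records every packet that falls through to the default action as an audit event.

```python
# Added example (not from the list thread): a toy packet filter that contrasts a
# vulnerability-centric deny-list with an old-school default-deny allow-list.
# All addresses, ports and flows below are constructed sample data.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    proto: Optional[str] = None  # None = any protocol
    dport: Optional[int] = None  # None = any port
    dst: Optional[str] = None    # CIDR; None = any destination

    def matches(self, f: Flow) -> bool:
        if self.proto is not None and self.proto != f.proto:
            return False
        if self.dport is not None and self.dport != f.dport:
            return False
        if self.dst is not None and ip_address(f.dst) not in ip_network(self.dst):
            return False
        return True


class Policy:
    """First matching rule wins; otherwise the default action applies.

    Every packet that falls through to the default is recorded as an audit
    event. On a default-deny firewall that is exactly the traffic worth
    looking at; on a default-accept firewall it is most of the traffic.
    """

    def __init__(self, name: str, rules: List[Rule], default: str):
        self.name, self.rules, self.default = name, rules, default
        self.audit: List[str] = []

    def evaluate(self, f: Flow) -> str:
        for r in self.rules:
            if r.matches(f):
                return r.action
        self.audit.append(
            f"{self.name}: default-{self.default} {f.proto}/{f.dport} {f.src}->{f.dst}")
        return self.default


# Vulnerability-centric ruleset: block the ports named in recent advisories,
# let everything else through.
DENY_LIST = Policy("deny-list", [
    Rule("drop", proto="tcp", dport=23),    # telnet
    Rule("drop", proto="tcp", dport=135),   # RPC endpoint mapper
    Rule("drop", proto="tcp", dport=139),   # NetBIOS session
    Rule("drop", proto="tcp", dport=445),   # SMB
], default="accept")

# Old-school ruleset: permit a few services, only to the hosts that are
# supposed to offer them (constructed relay, proxy and resolver addresses),
# and drop and audit everything else.
DEFAULT_DENY = Policy("default-deny", [
    Rule("accept", proto="tcp", dport=25,  dst="192.0.2.10/32"),
    Rule("accept", proto="tcp", dport=80,  dst="192.0.2.20/32"),
    Rule("accept", proto="tcp", dport=443, dst="192.0.2.20/32"),
    Rule("accept", proto="udp", dport=53,  dst="192.0.2.30/32"),
], default="drop")

# Constructed inbound flows from 198.51.100.7 into the 192.0.2.0/24 network.
FLOWS = [
    Flow("198.51.100.7", "192.0.2.50", "tcp", 445),   # known bad: SMB
    Flow("198.51.100.7", "192.0.2.10", "tcp", 25),    # mail to the relay
    Flow("198.51.100.7", "192.0.2.50", "tcp", 25),    # mail to a random desktop
    Flow("198.51.100.7", "192.0.2.50", "tcp", 1433),  # port nobody wrote a rule for
]


def run(policy: Policy) -> List[str]:
    """Return the verdict for each sample flow, in order."""
    return [policy.evaluate(f) for f in FLOWS]


if __name__ == "__main__":
    for p in (DENY_LIST, DEFAULT_DENY):
        print(p.name, run(p))
        for line in p.audit:
            print("  audit:", line)
```

The deny-list stops only the SMB flow; the mail connection to an arbitrary desktop and the connection to port 1433, for which no advisory has been "whacked" yet, both sail through, and its audit trail is just a record of ordinary traffic. The default-deny policy needs no knowledge of either threat: both are dropped because nothing permits them, and each dropped flow shows up as a policy violation someone can act on.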
Current thread:
- RE: Vulnerability Response (was: BGP TCP RST Attacks) Ben Nagy (May 21)
- <Possible follow-ups>
- RE: Vulnerability Response (was: BGP TCP RST Attacks) Ben Nagy (May 25)
- RE: Vulnerability Response (was: BGP TCP RST Attacks) Marcus J. Ranum (May 27)
- RE: Vulnerability Response Ben Nagy (May 27)
- RE: Vulnerability Response Marcus J. Ranum (May 27)
- RE: Vulnerability Response (was: BGP TCP RST Attacks) Dave Piscitello (May 27)
- RE: Vulnerability Response (was: BGP TCP RST Attacks) Marcus J. Ranum (May 27)
- RE: Vulnerability Response (was: BGP TCP RST Attacks) Marcus J. Ranum (May 27)
- Re: Vulnerability Response (was: BGP TCP RST Attacks) Devdas Bhagat (May 27)
- Re: Vulnerability Response (was: BGP TCP RST Attacks) Marcus J. Ranum (May 27)