Firewall Wizards mailing list archives
Re: Vulnerability Response (was: BGP TCP RST Attacks)
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Thu, 27 May 2004 14:55:40 -0400
Devdas Bhagat wrote:
Personally, I would go with a service centric approach to security, rather than a host centric approach. This is where most security systems appeared to lead, until we ended up with too many services to manage.
You're totally correct. I used to preach that back in 1990 when I was first teaching firewall systems analysis. You can see how well it's worked!! <LOL>

When I used to audit clients' firewalls (back in the days when people actually wanted their firewall policies to be understood and thought about before implementing them) the first question was "what are the different roles of computing on your network?" So we'd take all the roles of computing (back in the days when organizations actually KNEW what they did with their networks) and we'd draw a connectivity matrix between those different roles. Internet access was just another role. The cells of the connectivity matrix got loaded with the services that were necessary between the different roles. The details of how the services got back and forth was left to the final stage, once it was agreed that the service was necessary. Services were treated as high-level concepts (e.g.: "file transfer" not "FTP" or "port 24"). Then you could walk through and talk about transport for services and mitigation for attacks at an enterprise-role level. It was always a very "clarifying" exercise. Usually part way through someone would stand on their chair and yell, "this is COMPLICATED!" Well, yeah. Transitive trust and transitive access *are* complicated. And if you don't think about them, you can have firewalls and host security until you're purple in the face and you've accomplished nothing except making your firewall and host security vendors happy.

Nobody wants to think about transitive trust and transitive access. Those are big issues that most organizations treat as "solved" or "nonexistent" depending on their maturity. In truth, they are extremely complex problems that should not be swept under the rug lightly.

mjr.
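The role-by-role connectivity matrix and the transitive-access problem described in the post above, as an added example that is not part of the original message: the role names, service names and matrix entries are constructed, and the check surfaces every role a given role can reach through an intermediary without having been granted that access directly.

```python
# Added example: a role-to-role connectivity matrix in the style of the post,
# with a transitive-access check. All roles, services and entries are constructed.

# Roles of computing; "internet" is just another role.
ROLES = ["internet", "dmz_web", "internal_users", "file_servers", "db"]

# Cells hold high-level services (not ports or protocols) agreed as necessary
# from the source role to the destination role. Transport is decided later.
MATRIX = {
    ("internet", "dmz_web"): {"web"},
    ("internal_users", "dmz_web"): {"web", "admin shell"},
    ("internal_users", "file_servers"): {"file transfer"},
    ("internal_users", "db"): {"database query"},
    ("dmz_web", "db"): {"database query"},
}


def allowed(src, dst):
    """Services the matrix grants directly from src to dst (empty set if none)."""
    return MATRIX.get((src, dst), set())


def services_needed():
    """Distinct high-level services the matrix commits to; each one still needs
    a transport decision (which protocol, which mitigations) in the final stage."""
    return set().union(*MATRIX.values())


def reachable(src):
    """Breadth-first walk over the matrix: every role src can reach via any chain
    of directly allowed services. Returns {dst: path-of-roles} for one path each."""
    paths = {}
    frontier = [[src]]
    while frontier:
        path = frontier.pop(0)
        here = path[-1]
        for dst in ROLES:
            if dst != src and dst not in paths and allowed(here, dst):
                paths[dst] = path + [dst]
                frontier.append(paths[dst])
    return paths


def transitive_only(src):
    """Roles src reaches only through an intermediary, i.e. access the matrix never
    granted directly. These are the cells a policy review has to argue about."""
    return {dst: path for dst, path in reachable(src).items() if not allowed(src, dst)}
```

Running transitive_only("internet") on the constructed matrix reports that the internet role reaches "db" via "dmz_web" even though no cell grants internet-to-db access.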