Re: The Outgoing Traffic Problem

["Paul D. Robertson" <paul () compuwar net>]

On Tue, 18 Jul 2006, Marcus J. Ranum wrote:

> > Sigh. ANY authentication would be better than none at all.
>
> So now we're back to a conversation that I recall having several
> times in 1992/3: that outgoing connections should be authenticated
> as "belonging" to a real human behind a keyboard before they are
> allowed. I remember Fred and I floated that idea to a few customers
> (including folks who were considered to be very sophisticated, in
> terms of security) and getting blank stares in response.

Been there, done that, broke the Gauntlet.  Authentication for HTTP didn't 
scale.

> The end-game looks like: operating systems environments that
> execute only white-listed executables that have been authorized
> by the system owner or enterprise administrator, combined with
> a "tie connectivity to a live human" layer for originating network
> traffic, unless the system is a server (in which case it will be
> firewalled down to just authorized services).

Software Policy Restrictions in Active Directory do the first part, just 
finishing a live implementation- it's been um... interesting.

> In the meantime, we'll get more emphasis on patching and
> anti-badness detectors. As we've seen, anti-badness detectors
> (IPS, A/V, IDS, anti-spyware, URL filtering, anti-spam) don't
> really work, unless you're an anti-badness vendor. And, we can
> see how well patching is working...
> http://www.ranum.com/security/computer_security/calendar/june.jpg
>
> Schneier has written interesting stuff about the difficulty of
> accurately tying a real human to a keyboard; there are signs
> that the bad guys are working on how to do man in the middle
> attacks against "captchas" and 2-factor authentication. For the
> time being, though, using something like a captcha to get a
> user to "unlock" their web access for 15 minutes (or whatever)
> would raise the bar, but that'll only be temporary. On the other
> hand, in the current ultra-target-rich environment, putting almost
> any check in the outgoing pipe would put you light years ahead
> of the rest of the pack. And, remember: you don't have to outrun
> the lion - you just have to outrun the slowest of the other people
> who are running away from the lion.
>
> Here's a prediction for you: as target-specific attacks begin to
> rise, the anti-badness approach is going to finally fail utterly.
> There are going to be a lot of very nervous IT professionals
> that have systems and networks that are way to permissive,
> and they'll all be looking around for "Plan B." The bad news
> is that most of the "Plan B" approaches reduce convenience
> and accessibility for the users. That collision will be met with
> denial.
>
> You'll notice that, except for the "target-specific attacks"
> aspect, the future (denial) looks a lot like the present (denial).

Target of Choice is always worse.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
http://fora.compuwar.net      Infosec discussion boards 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards