Firewall Wizards mailing list archives
Re: The Outgoing Traffic Problem
From: "Fetch, Brandon" <BFetch () texpac com>
Date: Thu, 27 Jul 2006 09:45:37 -0500
Paul,

Can you perhaps share your "interesting" notes from said Software Policy Restrictions in AD endeavor? Publicly, I'd hope.

Thanks,
Brandon

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Paul D. Robertson
Sent: Tuesday, July 18, 2006 5:13 PM
To: Marcus J. Ranum
Cc: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] The Outgoing Traffic Problem

On Tue, 18 Jul 2006, Marcus J. Ranum wrote:

> Sigh. ANY authentication would be better than none at all. So now we're back to a conversation that I recall having several times in 1992/3: that outgoing connections should be authenticated as "belonging" to a real human behind a keyboard before they are allowed. I remember Fred and I floated that idea to a few customers (including folks who were considered to be very sophisticated, in terms of security) and getting blank stares in response.

Been there, done that, broke the Gauntlet. Authentication for HTTP didn't scale.

> The end-game looks like: operating systems environments that execute only white-listed executables that have been authorized by the system owner or enterprise administrator, combined with a "tie connectivity to a live human" layer for originating network traffic, unless the system is a server (in which case it will be firewalled down to just authorized services).

Software Policy Restrictions in Active Directory do the first part, just finishing a live implementation - it's been um... interesting.

> In the meantime, we'll get more emphasis on patching and anti-badness detectors. As we've seen, anti-badness detectors (IPS, A/V, IDS, anti-spyware, URL filtering, anti-spam) don't really work, unless you're an anti-badness vendor. And, we can see how well patching is working... http://www.ranum.com/security/computer_security/calendar/june.jpg
>
> Schneier has written interesting stuff about the difficulty of accurately tying a real human to a keyboard; there are signs that the bad guys are working on how to do man in the middle attacks against "captchas" and 2-factor authentication. For the time being, though, using something like a captcha to get a user to "unlock" their web access for 15 minutes (or whatever) would raise the bar, but that'll only be temporary. On the other hand, in the current ultra-target-rich environment, putting almost any check in the outgoing pipe would put you light years ahead of the rest of the pack. And, remember: you don't have to outrun the lion - you just have to outrun the slowest of the other people who are running away from the lion.
>
> Here's a prediction for you: as target-specific attacks begin to rise, the anti-badness approach is going to finally fail utterly. There are going to be a lot of very nervous IT professionals that have systems and networks that are way too permissive, and they'll all be looking around for "Plan B." The bad news is that most of the "Plan B" approaches reduce convenience and accessibility for the users. That collision will be met with denial. You'll notice that, except for the "target-specific attacks" aspect, the future (denial) looks a lot like the present (denial).

Target of Choice is always worse.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson         "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
http://fora.compuwar.net  Infosec discussion boards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
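The "end-game" design discussed in the quoted exchange (workstations run only white-listed executables and may originate traffic only while a live human has recently unlocked access; servers are firewalled down to their authorized services) as a small egress-policy model. This is an added example, not code from the list or from either poster. The host inventory, executable hashes, user name, destination services and timestamps are all constructed; the 15-minute unlock window is the figure mentioned in the thread, and the class and function names are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, Optional, Tuple

# How long one "prove you're a live human" unlock keeps outbound access open.
UNLOCK_WINDOW = timedelta(minutes=15)


@dataclass(frozen=True)
class Host:
    name: str
    role: str                                                    # "workstation" or "server"
    allowed_executables: FrozenSet[str] = frozenset()            # hashes of white-listed binaries
    allowed_services: FrozenSet[Tuple[str, int]] = frozenset()   # (destination, port) a server may reach


class HumanUnlocks:
    """Tracks when each user last proved a live human was at the keyboard,
    e.g. by solving a captcha presented by the egress proxy."""

    def __init__(self) -> None:
        self._last: Dict[str, datetime] = {}

    def record(self, user: str, when: datetime) -> None:
        self._last[user] = when

    def is_unlocked(self, user: str, when: datetime) -> bool:
        last = self._last.get(user)
        return last is not None and timedelta(0) <= when - last <= UNLOCK_WINDOW


@dataclass(frozen=True)
class OutboundRequest:
    host: str
    dst: str
    dst_port: int
    when: datetime
    user: Optional[str] = None        # logged-in user (workstations only)
    exe_hash: Optional[str] = None    # hash of the process opening the connection


def decide(req: OutboundRequest, hosts: Dict[str, Host], unlocks: HumanUnlocks) -> Tuple[bool, str]:
    """Return (allowed, reason) for one outbound connection attempt."""
    host = hosts.get(req.host)
    if host is None:
        return False, "unknown host"
    if host.role == "server":
        if (req.dst, req.dst_port) in host.allowed_services:
            return True, "server: destination is an authorized service"
        return False, "server: destination not authorized"
    # Workstation: executable white-list first, then the live-human tie.
    if req.exe_hash not in host.allowed_executables:
        return False, "workstation: executable not white-listed"
    if req.user is None or not unlocks.is_unlocked(req.user, req.when):
        return False, "workstation: no live-human unlock within the window"
    return True, "workstation: white-listed executable and recent human unlock"


def run_demo() -> Dict[str, bool]:
    # Constructed inventory and events; none of these values come from the thread.
    browser = "sha256:constructed-browser-hash"
    hosts = {
        "ws-alice": Host("ws-alice", "workstation", allowed_executables=frozenset({browser})),
        "web-01": Host("web-01", "server",
                       allowed_services=frozenset({("db-01.example.internal", 5432)})),
    }
    unlocks = HumanUnlocks()
    t0 = datetime(2006, 7, 18, 17, 0)
    unlocks.record("alice", t0)   # alice solves the captcha at 17:00

    cases = {
        "browser, 5 min after unlock":
            OutboundRequest("ws-alice", "www.example.com", 443, t0 + timedelta(minutes=5), "alice", browser),
        "browser, 20 min after unlock":
            OutboundRequest("ws-alice", "www.example.com", 443, t0 + timedelta(minutes=20), "alice", browser),
        "unlisted binary, inside window":
            OutboundRequest("ws-alice", "www.example.com", 443, t0 + timedelta(minutes=1), "alice",
                            "sha256:constructed-unknown-hash"),
        "server to its database":
            OutboundRequest("web-01", "db-01.example.internal", 5432, t0),
        "server to arbitrary web":
            OutboundRequest("web-01", "www.example.com", 443, t0),
    }
    results: Dict[str, bool] = {}
    for label, req in cases.items():
        allowed, reason = decide(req, hosts, unlocks)
        results[label] = allowed
        print(f"{'ALLOW' if allowed else 'DENY '} {label}: {reason}")
    return results


if __name__ == "__main__":
    run_demo()
```

The ordering in `decide` is deliberate: the executable check runs before the human-unlock check, so an unlisted binary is denied even while the user's unlock is current, which is the property that makes the "live human" layer useful against code that merely waits for the user to solve the captcha. The unlock itself expires on a clock rather than per connection, matching the "unlock for 15 minutes (or whatever)" idea in the thread.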
Current thread:
- Re: The Outgoing Traffic Problem Mike Barkett (Jul 17)
- Re: The Outgoing Traffic Problem lordchariot (Jul 17)
- Re: The Outgoing Traffic Problem Marcus J. Ranum (Jul 18)
- Re: The Outgoing Traffic Problem Paul D. Robertson (Jul 18)
- Re: The Outgoing Traffic Problem Paul D. Robertson (Jul 18)
- Re: The Outgoing Traffic Problem ArkanoiD (Jul 20)
- Re: The Outgoing Traffic Problem Marcus J. Ranum (Jul 19)
- Re: The Outgoing Traffic Problem Devdas Bhagat (Jul 19)
- Re: The Outgoing Traffic Problem Marcus J. Ranum (Jul 19)
- Re: The Outgoing Traffic Problem Marcus J. Ranum (Jul 18)
- Re: The Outgoing Traffic Problem lordchariot (Jul 17)
- <Possible follow-ups>
- Re: The Outgoing Traffic Problem vern (Jul 18)
- Re: The Outgoing Traffic Problem Fetch, Brandon (Jul 27)
- Re: The Outgoing Traffic Problem Paul D. Robertson (Jul 27)