Firewall Wizards mailing list archives
Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)
From: Devdas Bhagat <dvb () users sourceforge net>
Date: Mon, 29 May 2006 05:08:07 +0530
On 26/05/06 12:49 -0700, Tina Bird wrote:
<snip>
> MS, heaven help us all, has taken the idea of user authentication and authorization a step further by building the *only* possible enterprise wide IPsec management infrastructure in the world, by allowing orgs to tie user rights and machine communications policies into a crypto infrastructure.

Other than the breakage of the Kerberos standard, there isn't much wrong with the _design_ of Microsoft's infrastructure management systems. The implementations suck. The worst part is that MSFT has been selling Windows as easy to administer, and encouraging clueless MCSEs. They have created a culture where computers are unreliable and black magic. Microsoft is great in an all Microsoft shop. In a mixed ecosystem? I wouldn't think so (but I have no real experience of that environment, so take a very large pinch of salt).

> they've been using that capability since before blaster, to give admins a better way to do firewalling than using the silly firewall that comes with XP. this is a huge big deal, and they've done it very quietly. I don't understand *why* they're so quiet about it, actually, especially with all
The threats against Windows? Viruses, software which needs administrator access to run, lousy administrators, users, backwards compatibility.... The most recent security requirement I heard in a Linux IRC channel was "If an attacker guesses my password, and logs into my machine, he should not be able to do anything, but I should have no such restrictions". That is the level of security desired by a lot of people. There isn't much you can do to stop this.

I don't need to actively attack your servers directly. I just need to hijack your browser most of the time. Does it matter how good your credential and policy management tools are, if the attacker controls the credentials?

The crackers are already ahead of the security tools. If you stop buffer overflows, the attacks move up the stack. The problem has just been shuffled, not fixed. With everything moving to a browser based thin client, yesterday's buffer overflow is today's SQL injection. With administrators gaining control over identity mappings, the game is on to steal identities.

The final weakness is not in the digital systems. We can control those. The weakness is not in the analog components. We have been dealing with those for years and have a fair idea of failure modes (though they keep repeating). The weakness is where the analog world meets the digital. If you can secure that boundary, you can actually be secure. An additional requirement is that failure modes in analog components also need to be safe.

The credentials question is finally one of proving your analog world identity to the digital world interface. This can be answered by one or more of "who you are, what you have, and what you know". The amount of authority in each of these keeps on decreasing from left to right. Who you are is the most authoritative answer (biometrics). What you have is slightly less authoritative (a keyfob? an access card?). What you know is the least authoritative (a password?).

However, when your security systems fail, what you know is the easiest and cheapest to replace. What you have is more expensive. Who you are isn't exactly replaceable. Note that I am not saying _if_ they fail, I am saying _when_ they fail.

We also have to consider that we all have multiple roles and authentication requirements for every role. Every website you visit, every online and offline transaction you do, every email you send or receive .... Your personal data is scattered everywhere. There are so many sites which need passwords and logins. If a lot of these moved to real two factor authentication, we would still end up carrying a huge number of keyfobs or cards or other tokens. If you build a single token for everything, you lose on anonymity. Real world security depends to a certain extent on anonymity, or at least on certain information not being available to other parties. Identity theft is pretty common, and damaging. There have been other, worse excesses triggered by having too much information available to the wrong set of people.

Devdas Bhagat

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards