Full Disclosure mailing list archives
Re: Pudent default security - Was: CyberInsecurity: The cost of Monopoly
From: Michal Zalewski <lcamtuf () ghettot org>
Date: Mon, 29 Sep 2003 10:00:10 +0200 (CEST)
On Sun, 28 Sep 2003, security () brvenik com wrote:
> The products like Okena, Entercept, BlackICE... all add another layer of protection that is essentially unnecessary when compared to function. I am not saying these products have no place but rather they are not the solution to this problem.
That's not true and misses the point.
> Typically, only one system in accounting needs to have services open on the network, a print server. The rest of the systems do not need any services open. W2K and XP both have firewalls capable of blocking ports. Every system on the network should have a deny all policy where appropriate.
And defining proper access and accounting rules for groups of systems (such as "workstations in accounting"), not to mention enforcing and auditing the compliance, is precisely what those tools are best for (I mean their "corporate" versions, not standalone personal firewalls). This is a very good way to make sure your network, internally, implements the right trust model, and that only the services and subnets that need to be made available are (and only to the right parties). You can't do it particularly easily just by configuring the local built-in firewall on each box. Or, you can, but you have no easy way to maintain and audit the structure once it's done. The value of this software is the ability to:

1) Integrate many security mechanisms (AV, firewalling, auditing, local policy, IDS) under one roof and implement unified policies,
2) Provide an easy way to deploy and track agents and their compliance with group policy,
3) Manage multiple group policies easily,
4) Deploy adaptive policies (say, different access levels when on dial-up, different when in the corporate network).

That's it. That is an effective tool that goes about as far as we can go with pure IT without major changes to the existing technology to protect the information (which is pretty much the limit of a sane discussion).
> But then people say that the personal firewall can prevent local intrusions too since it runs on the host. I simply counter that this is a rat race and you have to trust the person at the keyboard.
No, not really. I wasn't referring to the regular personal firewall (unmanaged node), which indeed is mostly an amusement tool for the user himself.
> The untrusted person will ultimately circumvent your controls. Then it becomes a hide and seek game.
Those tools (again, managed nodes) are quite useful for hunting down nodes that went off the grid. Besides, it's not the point to win with people skilled and determined enough to remove firewalling on their box, but to protect the clueless and their data.

-- 
-------------------------
bash$ :(){ :|:&};: -- Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
---------------------------
2003-09-29 09:47 -- http://lcamtuf.coredump.cx/photo/current/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
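As an added illustration of the policy model argued for in the message above (this is example code written for this archive page, not code from the post, from the list, or from any of the products named in the thread): a small Python audit that takes per-group, per-context inbound policies ("workstations in accounting" deny everything, the print servers accept LPD/JetDirect only from the accounting subnet, laptops accept remote administration only while on the corporate network), compares them with the allow rules each managed agent reports, and also flags agents that have stopped reporting, i.e. nodes that "went off the grid". Group names, subnets, ports, host names and agent reports are constructed sample data; the rule and report layouts are assumptions made for the example.

```python
"""Audit managed hosts against group firewall policies (added example).

Constructed sample data throughout; not real hosts, subnets or rules.
Policy semantics: default deny inbound; anything an agent reports as
allowed that no policy rule covers is a violation.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_network


@dataclass(frozen=True)
class Allow:
    """One inbound allow: protocol, port, and the source prefix permitted."""
    proto: str
    port: int
    src: str  # CIDR; "0.0.0.0/0" means open to everyone

    def covers(self, observed: "Allow") -> bool:
        """True if this policy rule permits the rule observed on a host.
        A rule open to a wider source prefix than the policy is NOT covered."""
        return (self.proto == observed.proto and self.port == observed.port
                and ip_network(observed.src).subnet_of(ip_network(self.src)))


@dataclass
class GroupPolicy:
    """Inbound allows per network context; a context not listed denies all."""
    name: str
    allows: dict = field(default_factory=dict)  # context -> [Allow, ...]

    def permitted(self, context: str) -> frozenset:
        return frozenset(self.allows.get(context, ()))


@dataclass
class AgentReport:
    """What one managed node last told the console about itself."""
    host: str
    group: str
    context: str           # "corporate" or "dialup" (adaptive policy key)
    last_seen: datetime
    inbound_allows: list   # [Allow, ...] actually configured on the host


def audit(policies, reports, now, max_silence=timedelta(hours=24)):
    """Return {host: [finding, ...]} for every non-compliant or silent node."""
    findings = {}
    for r in reports:
        issues = []
        silence = now - r.last_seen
        if silence > max_silence:
            issues.append("off-grid: no report for %s" % silence)
        policy = policies.get(r.group)
        if policy is None:
            issues.append("unknown group %r" % r.group)
        else:
            permitted = policy.permitted(r.context)
            for obs in r.inbound_allows:
                if not any(rule.covers(obs) for rule in permitted):
                    issues.append("violation (%s): %s/%d open to %s"
                                  % (r.context, obs.proto, obs.port, obs.src))
        if issues:
            findings[r.host] = issues
    return findings


def sample_audit():
    """Run the audit over constructed sample policies and agent reports."""
    acct_net = "10.1.0.0/24"  # assumed accounting subnet (sample data)
    policies = {
        "accounting-workstations": GroupPolicy("accounting-workstations",
                                               {"corporate": [], "dialup": []}),
        "accounting-printservers": GroupPolicy("accounting-printservers", {
            "corporate": [Allow("tcp", 9100, acct_net), Allow("tcp", 515, acct_net)]}),
        "accounting-laptops": GroupPolicy("accounting-laptops", {
            "corporate": [Allow("tcp", 3389, "10.0.0.0/8")], "dialup": []}),
    }
    now = datetime(2003, 9, 29, 10, 0)
    h = timedelta(hours=1)
    reports = [
        AgentReport("acct-ws01", "accounting-workstations", "corporate", now - h, []),
        AgentReport("acct-ws02", "accounting-workstations", "corporate", now - 2 * h,
                    [Allow("tcp", 445, "0.0.0.0/0")]),           # SMB open to all
        AgentReport("acct-prn01", "accounting-printservers", "corporate", now - h,
                    [Allow("tcp", 9100, acct_net)]),              # compliant
        AgentReport("acct-prn02", "accounting-printservers", "corporate", now - h,
                    [Allow("tcp", 9100, "0.0.0.0/0")]),          # too wide
        AgentReport("acct-lap01", "accounting-laptops", "dialup", now - h / 2,
                    [Allow("tcp", 3389, "10.0.0.0/8")]),         # fine at the office, not on dial-up
        AgentReport("acct-ws03", "accounting-workstations", "corporate", now - 72 * h, []),
    ]
    return audit(policies, reports, now)


if __name__ == "__main__":
    for host, issues in sorted(sample_audit().items()):
        for issue in issues:
            print("%-11s %s" % (host, issue))
```

The check is deliberately one-directional: a host may have fewer allows than its policy permits and still be compliant, since the policy is an upper bound on exposure, while any allow the policy does not cover, including one that is correct on port but wider on source prefix, is reported.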
Current thread:
- Re: CyberInsecurity: The cost of Monopoly, (continued)
- Re: CyberInsecurity: The cost of Monopoly Frank Knobbe (Sep 28)
- Re: CyberInsecurity: The cost of Monopoly Paul Schmehl (Sep 28)
- Pudent default security - Was: CyberInsecurity: The cost of Monopoly security () brvenik com (Sep 28)
- Re: Pudent default security Paul Schmehl (Sep 28)
- Re: Re: Pudent default security Jay Sulzberger (Sep 28)
- Re: Re: Pudent default security Ed Carp (Sep 29)
- Re: Re: Pudent default security Jay Sulzberger (Sep 28)
- Re: Re: Pudent default security Ed Carp (Sep 29)
- Re: Re: Pudent default security Jay Sulzberger (Sep 28)
- Re: Re: Pudent default security Shannon Johnston (Sep 29)
- Re: Pudent default security - Was: CyberInsecurity: The cost of Monopoly Michal Zalewski (Sep 29)
- RE: Re: Pudent default security - Was: CyberInsecurity: The cost of Monopoly Steve Wray (Sep 30)
- RE: Re: Pudent default security - Was: CyberInsecurity: The cost of Monopoly Michal Zalewski (Sep 30)
- RE: Re: Pudent default security - Was: CyberInsecurity: The cost of Monopoly Steve Wray (Sep 30)
- RE: Re: Pudent default security - Was: CyberInsecurity: The cost of Monopoly j (Sep 30)
- RE: Re: Pudent default security - Was: CyberInsecurity: The cost of Monopoly Frank Knobbe (Sep 30)
- Re: CyberInsecurity: The cost of Monopoly Florian Weimer (Sep 28)
- Soft-Chewy insides (was: CyberInsecurity: The cost of Monopoly) Curt Purdy (Sep 28)
- Re: Soft-Chewy insides (was: CyberInsecurity: The cost of Monopoly) George Capehart (Sep 29)
- Re: Soft-Chewy insides (was: CyberInsecurity: The cost of Monopoly) Michael Scheidell (Sep 29)
- Re: Soft-Chewy insides (was: CyberInsecurity: The cost of Monopoly) George Capehart (Sep 29)