| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: dufresne at winternet.com (Ron DuFresne) Subject: SQL Slammer - lessons learned On 6 Feb 2003, Paul Schmehl wrote: > On Thu, 2003-02-06 at 06:32, John.Airey@...b.org.uk wrote: > > > > We've drifted from my original point, that ports used dynamically by IP > > stacks should be distinct from service ports, so that ISPs or administrator > > CAN block them without impacting the end user if they so wish. At the minute > > we need stateful filtering to rescue us from the port allocation mess we are > > in. SQL Slammer was only as successful as it was because stateful filtering > > isn't widespread, ie this one got past many administrators of large networks > > who are already careful about which services are publicly available. > > > > Given the choice between controlling traffic at the border or keeping > > thousands of "non-public" machines up to date, I know which I'd choose. > > > I think Slammer has pointed one of the biggest problems with security > today - hard shell on the outside, soft chewy middle. Any time I get > involved in discussions about security philosophy, it always seems to > drift to how to keep the bad guys out. Well, at a university, the bad > guys are *inside*. They're learning programming, networks, algorithmic > theories, security principles, etc, etc, and they're *very* eager to try > it out. > > For example, everybody gets really concerned about wireless network. > OMG, what are we going to do? WEP just isn't good enough. Well WEP is > a darn sight better than the plain text traffic on the hard wired > network. Why aren't we freaking out about that? I contend it's because > everyone (big generalization here) sees the wired network as "secure". > I mean who's going to tap in to that, right? WRONG!!! > > When I think about securing something, I think about securing it from > *everybody*, outside *and* inside the network. But that isn't the > present focus of the security industry *in general*. Teh focus of the industry, in general or not, has little to do with it's acceptance in the public/corporate world. Standard security advise for years has been about the strength of perimiters to protect the soft chewy center, and has expanded to include egress filtering and monitoring as well to protect from insiders. And thus one of the issues with proper perimiter maintainance. As many have stated over and over, there's no reason to directly expose an sql database to the public. Any access are best proxied to the backend sql server<s>, and there are a number of ways to do this. Not doing so exposes folks to security issues with the particulat database application being used being exposed over time. But, again, I'm starting to drift and digress. The main point here is that security costs, in time and other expenses, and few people are really into paying up. Thus for the last 100-200 years the locking mechanisms have been botched and no ones really ocncerned as the costs involved in fixing it are considered to high. The "talk" about security and all the new gov initiatives at enhancing security are mostly, window dressing. Has been and will be for sometime to come. Take alook at the security even now in the airports, sure, some windows dressing and those taksed with being anusiance at the passanger and package scanners are under gov management, yet, folks can still sneak knives and guns and other items past these 'enhanced' systems. And then admins and security airport screeners caught 'sleeping'on the job, ask, why folks want to give them a hard time cause they weren't paying attention. It's a fine mess that we'll honestly see litttle real change in for a long time... Thanks, Ron DuFresne ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything.
Powered by blists - more mailing lists