Message-ID: <Pine.GSO.4.43.0302061446210.25789-100000@tundra.winternet.com>
From: dufresne at winternet.com (Ron DuFresne)
Subject: SQL Slammer - lessons learned

On 6 Feb 2003, Paul Schmehl wrote:

> On Thu, 2003-02-06 at 06:32, John.Airey@...b.org.uk wrote:
> >
> > We've drifted from my original point, that ports used dynamically by IP
> > stacks should be distinct from service ports, so that ISPs or administrators
> > CAN block them without impacting the end user if they so wish. At the minute
> > we need stateful filtering to rescue us from the port allocation mess we are
> > in. SQL Slammer was only as successful as it was because stateful filtering
> > isn't widespread, ie this one got past many administrators of large networks
> > who are already careful about which services are publicly available.
> >
> > Given the choice between controlling traffic at the border or keeping
> > thousands of "non-public" machines up to date, I know which I'd choose.
> >
> I think Slammer has pointed out one of the biggest problems with security
> today - hard shell on the outside, soft chewy middle.  Any time I get
> involved in discussions about security philosophy, it always seems to
> drift to how to keep the bad guys out.  Well, at a university, the bad
> guys are *inside*.  They're learning programming, networks, algorithmic
> theories, security principles, etc, etc, and they're *very* eager to try
> it out.
>
> For example, everybody gets really concerned about wireless networks.
> OMG, what are we going to do?  WEP just isn't good enough.  Well WEP is
> a darn sight better than the plain text traffic on the hard wired
> network.  Why aren't we freaking out about that?  I contend it's because
> everyone (big generalization here) sees the wired network as "secure".
> I mean who's going to tap in to that, right?  WRONG!!!
>
> When I think about securing something, I think about securing it from
> *everybody*, outside *and* inside the network.  But that isn't the
> present focus of the security industry *in general*.

The focus of the industry, in general or not, has little to do with its
acceptance in the public/corporate world.  Standard security advice for
years has been about the strength of perimeters to protect the soft chewy
center, and has expanded to include egress filtering and monitoring as
well to protect from insiders.  And thus one of the issues with proper
perimeter maintenance.  As many have stated over and over, there's no
reason to directly expose an SQL database to the public.  Any access is
best proxied to the backend SQL server<s>, and there are a number of ways
to do this.  Not doing so exposes folks to security issues with the
particular database application being used being exposed over time.  But,
again, I'm starting to drift and digress.  The main point here is that
security costs, in time and other expenses, and few people are really into
paying up.  Thus for the last 100-200 years the locking mechanisms have
been botched and no one's really concerned, as the costs involved in fixing
it are considered too high.  The "talk" about security and all the new gov
initiatives at enhancing security are mostly window dressing.  Has been
and will be for some time to come.  Take a look at the security even now in
the airports; sure, some window dressing, and those tasked with being
a nuisance at the passenger and package scanners are under gov management,
yet folks can still sneak knives and guns and other items past these
'enhanced' systems.  And then admins and airport security screeners caught
'sleeping' on the job ask why folks want to give them a hard time 'cause
they weren't paying attention.  It's a fine mess that we'll honestly see
little real change in for a long time...


Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
	***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
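[Editor's added example, not part of the original thread.] The two points argued above, John Airey's "port allocation mess" (stateless filters must leave client/ephemeral ports open for replies, and Slammer's target port fell inside that range) and Ron's remark that egress filtering protects against insiders, can be shown side by side with a small simulation. The packets are constructed; the facts it assumes are that SQL Slammer spread as a single unsolicited UDP datagram to port 1434 (the SQL Server Resolution Service) and that Windows of that era drew its dynamic client ports from 1025-5000, so 1434 sat inside the range a stateless border filter had to permit inbound. Three policies are compared: a plain stateless ACL, the same ACL with an explicit hole punched for 1434, and a connection-tracking filter with egress blocking of 1434.

```python
"""Stateless vs stateful UDP border filtering against a Slammer-style datagram.

Added example for this thread, not code from the original posts. All packets
are constructed. Assumed facts: SQL Slammer propagated as one UDP datagram to
port 1434 (SQL Server Resolution Service), and Windows of that era allocated
client (ephemeral) ports from 1025-5000, so 1434 sat inside the range a
stateless border filter had to leave open for replies to client traffic.
"""
from dataclasses import dataclass

SQL_RESOLUTION_PORT = 1434
EPHEMERAL = range(1025, 5001)      # Windows dynamic client port range, circa 2003


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str                  # "in": internet -> site, "out": site -> internet


# Constructed sample traffic; addresses come from documentation ranges.
TRAFFIC = {
    # Inside DNS client using an ordinary ephemeral port, and the server's reply.
    "dns_query":       Packet("10.0.0.5", 1430, "192.0.2.53", 53, "out"),
    "dns_reply":       Packet("192.0.2.53", 53, "10.0.0.5", 1430, "in"),
    # Another client whose stack happened to pick 1434 as its source port.
    "dns_query_1434":  Packet("10.0.0.6", 1434, "192.0.2.53", 53, "out"),
    "dns_reply_1434":  Packet("192.0.2.53", 53, "10.0.0.6", 1434, "in"),
    # Unsolicited worm datagram aimed at an internal SQL Server.
    "slammer_inbound": Packet("198.51.100.7", 1434, "10.0.0.20", 1434, "in"),
    # An already infected inside host trying to spray the internet.
    "worm_egress":     Packet("10.0.0.20", 1434, "203.0.113.9", 1434, "out"),
}


def stateless(pkt, inbound_holes=frozenset()):
    """Stateless ACL: all outbound passes; inbound UDP passes only when aimed
    at the ephemeral range (so client replies work), minus explicit holes."""
    if pkt.direction == "out":
        return True
    return pkt.dport in EPHEMERAL and pkt.dport not in inbound_holes


class Stateful:
    """Connection-tracking filter with optional egress blocking.

    Each permitted outbound packet registers a flow; an inbound packet is
    admitted only if it is the exact reverse of a registered flow. Egress
    blocking keeps inside hosts from reaching listed service ports outside."""

    def __init__(self, egress_block=frozenset()):
        self.flows = set()
        self.egress_block = frozenset(egress_block)

    def decide(self, pkt):
        if pkt.direction == "out":
            if pkt.dport in self.egress_block:
                return False
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def evaluate():
    """Run the constructed traffic through three policies; return the verdicts
    as {policy: {label: permitted}}. Packets are processed in TRAFFIC order."""
    verdicts = {"stateless": {}, "stateless_block_1434": {}, "stateful": {}}
    tracker = Stateful(egress_block={SQL_RESOLUTION_PORT})
    for label, pkt in TRAFFIC.items():
        verdicts["stateless"][label] = stateless(pkt)
        verdicts["stateless_block_1434"][label] = stateless(
            pkt, inbound_holes={SQL_RESOLUTION_PORT})
        verdicts["stateful"][label] = tracker.decide(pkt)
    return verdicts


if __name__ == "__main__":
    for policy, result in evaluate().items():
        print(policy)
        for label, ok in result.items():
            print(f"  {label:16} {'pass' if ok else 'DROP'}")
```

Reading the three columns: the plain stateless ACL lets the worm datagram through because 1434 is indistinguishable from a reply to a client. Punching a hole for 1434 stops the worm but also drops the legitimate reply to the client that happened to bind 1434, which is exactly why the ephemeral range and service ports overlapping is a mess. The stateful filter admits both DNS replies, drops the unsolicited datagram, and with egress blocking also stops the infected inside host from spreading outward.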

