Message-ID: <20030929094709.J50824@dekadens.coredump.cx>
From: lcamtuf at ghettot.org (Michal Zalewski)
Subject: Re: Pudent default security - Was: CyberInsecurity: The cost of Monopoly
On Sun, 28 Sep 2003, security@...enik.com wrote:
> The products like Okena, Entercept, BlackICE... all add another layer of
> protection that is essentially unnecessary when compared to function. I
> am not saying these products have no place but rather they are not the
> solution to this problem.
That's not true and misses the point.
> Typically, only one system in accounting needs to have services open on
> the network, a print server. The rest of the systems do not need any
> services open. W2K and XP both have firewalls capable of blocking ports.
> Every system on the network should have a deny all policy where
> appropriate.
And defining proper access and accounting rules for groups of systems
(such as "workstations in accounting"), not to mention enforcing and
auditing the compliance, is precisely what those tools are best for (I
mean their "corporate" versions, not standalone personal firewalls).
This is a very good way to make sure your network, internally, implements
the right trust model, and that only the services and subnets that need to
be made available, are (and only to the right parties).
You can't do it particularly easily just by configuring local built-in
firewall on each box. Or, you can, but you have no easy way to maintain
and audit the structure once it's done. The value of this software is the
ability to:
1) Integrate many security mechanisms (AV, firewalling, auditing,
local policy, IDS) under one roof and implement unified policies,
2) Provide an easy way to deploy and track agents and their
compliance with group policy,
3) Manage multiple group policies easily,
4) Deploy adaptive policies (say, different access levels when
on dial-up, different when in corporate network).
That's it. That is an effective tool that goes about as far as we can go
with pure IT without major changes to the existing technology to protect
the information (which is pretty much the limit of a sane discussion).
> But then people say that the personal firewall can prevent local
> intrusions too since it runs on the host. I simply counter that this is
> a rat race and you have to trust the person at the keyboard.
No, not really. I wasn't referring to the regular personal firewall
(unmanaged node), which indeed is mostly an amusement tool for the user
himself.
> The untrusted person will ultimately circumvent your controls. Then it
> becomes a hide and seek game.
Those tools (again, managed nodes) are quite useful for hunting down nodes
that went off the grid. Besides, it's not the point to win with people
skilled and determined enough to remove firewalling on their box, but to
protect the clueless and their data.
--
------------------------- bash$ :(){ :|:&};: --
Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--------------------------- 2003-09-29 09:47 --
http://lcamtuf.coredump.cx/photo/current/
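As an added example (not part of this post, and not the code of any product named in the thread), here is a toy model of the capabilities the reply lists: a deny-all group policy for "accounting workstations" and the accounting print server, an adaptive policy that differs between the corporate LAN and dial-up, and a compliance audit that flags managed nodes whose local firewall state has drifted from the policy pushed to them. All host names, group names, subnets and ports are constructed sample data.

```python
"""Toy centrally managed host-firewall policy with compliance audit (added example).

Models three things from the discussion: per-group policies with a deny-all
default, adaptive allow sets keyed on network context, and an audit that
finds agents whose observed firewall state differs from the expected policy.
All names, subnets and ports below are constructed, not real infrastructure.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One inbound allow rule; anything not matched by an allow rule is denied."""
    proto: str   # "tcp" or "udp"
    port: int
    src: str     # source network in CIDR notation, or "any"


@dataclass
class GroupPolicy:
    """Deny-all default plus a per-context allow set (adaptive policy)."""
    name: str
    allow: dict  # context name -> frozenset of Rule


@dataclass
class AgentReport:
    """What a managed agent reports: its group, where it is, what its firewall allows."""
    host: str
    group: str
    context: str        # "corporate" or "dialup"
    open_rules: frozenset


# Constructed sample policies (hypothetical accounting subnet).
ACCT_NET = "10.1.20.0/24"
POLICIES = {
    "accounting-workstations": GroupPolicy(
        "accounting-workstations",
        # Workstations expose nothing, whether on the LAN or on dial-up.
        allow={"corporate": frozenset(), "dialup": frozenset()},
    ),
    "accounting-print-server": GroupPolicy(
        "accounting-print-server",
        allow={
            # Only the accounting subnet may reach the print services, only on the LAN.
            "corporate": frozenset({Rule("tcp", 9100, ACCT_NET), Rule("tcp", 445, ACCT_NET)}),
            "dialup": frozenset(),  # print services are not exposed off the corporate LAN
        },
    ),
}


def effective_rules(policy, context):
    """Allow set for this context; an unknown context falls back to deny-all."""
    return policy.allow.get(context, frozenset())


def audit(policies, reports):
    """Return {host: {"extra": rules, "missing": rules}} for non-compliant hosts only.

    "extra" = the agent allows something the policy does not (drift toward exposure);
    "missing" = the policy requires an allow rule the agent does not have.
    """
    findings = {}
    for r in reports:
        expected = effective_rules(policies[r.group], r.context)
        extra = r.open_rules - expected
        missing = expected - r.open_rules
        if extra or missing:
            findings[r.host] = {"extra": extra, "missing": missing}
    return findings


# Constructed agent reports: one compliant workstation, two drifted ones, one print server
# that lost its spooler rule.
SAMPLE_REPORTS = [
    AgentReport("acct-ws01", "accounting-workstations", "corporate", frozenset()),
    AgentReport("acct-ws02", "accounting-workstations", "corporate",
                frozenset({Rule("tcp", 3389, "any")})),
    AgentReport("acct-ws03", "accounting-workstations", "dialup",
                frozenset({Rule("tcp", 445, "any")})),
    AgentReport("acct-print01", "accounting-print-server", "corporate",
                frozenset({Rule("tcp", 445, ACCT_NET)})),
]


def run_sample_audit():
    """Audit the constructed reports against the constructed policies."""
    return audit(POLICIES, SAMPLE_REPORTS)


if __name__ == "__main__":
    for host, f in run_sample_audit().items():
        print(host,
              "extra:", sorted(r.port for r in f["extra"]),
              "missing:", sorted(r.port for r in f["missing"]))
```

The audit deliberately reports "extra" and "missing" separately: an extra allow rule on a workstation is the case the post is about (a node that "went off the grid"), while a missing rule on the print server is an availability problem rather than an exposure, and a real console would prioritise the two differently.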