Re: [fw-wiz] Firewalls and 802.1q trunking

From: Dragos Ruiu (
Date: 12/12/02

From: Dragos Ruiu <>
To: "Marcus J. Ranum" <>
Date: Thu Dec 12 16:58:01 2002

Lies, damn lies, and statistics. - Mark Twain

On Tue, 10 Dec 2002 23:01:05 -0500
"Marcus J. Ranum" <> wrote:

> Steve Evans wrote:
> >And can you say that the traffic coming from the internet is the most
> >dangerous traffic on the network. I've always understood that the vast
> >majority of the attacks come from the inside.
> The "80% of attacks come from the inside" statistic that
> has been broadly quoted by INFOSEC practitioners is, as far
> as I can tell, completely made up. In fact, the shocking
> results of a recent study revealed that 99.5% of statistics
> regarding Internet Security are made up, or otherwise based
> on flawed assumptions.*
> If it _were_ a real statistic it'd have had to take into
> account some interesting questions:
> - What percentage of "attacks" did damage?
> - Were the "attacks" counted as "successful attacks" or did
> probes count as well?
> - Is a Nessus scan an "attack"?
> - Does an "attack" like a Nessus scan (if counted as an attack)
> count as one "attack" or as "N attacks" where N is the
> number of discrete tests attempted?
> - How many "attacks" does a Code Red worm launch? 1? 25?
> What about a mass-rooter? Does a "cluster attack"
> count as a single attack or a multiple attack.
> - Does a scan of a subnet count as 255 hosts attacked? Or
> 255 * number of ports scanned? Or what?
> - Is a virus an "attack"?
> What I think the people who made that saying up were trying to
> do was get people to keep a balanced perspective on the relative
> insider/outsider threat. But making up bullsh@+ is not the way to
> do it. The way to do it is to point out that, as an enterprise
> grows, the personnel perimeter grows with it, and sooner or later
> you'll have a Bad Guy on the inside. And, it's probably a safe bet,
> a Bad Guy on the inside will have a higher level of access, a
> lower level of audit, and a greater knowledge of where the goodies
> are - and will be accordingly more dangerous. Will they be 80% dangerous
> to the Internet script-kiddy's 20%? It's silly to put a number on
> it.
> If you're out in the jungle someplace, do you worry
> more about a tiger, or a bacterium? The wise man worries about
> both! :)
> mjr.
> (* Poll source: I asked my horse. He appeared dubious.)
> ---
> Marcus J. Ranum
> Computer and Communications Security
> _______________________________________________
> firewall-wizards mailing list

--dr                  pgpkey:
        0 = 1 , for large values of zero and small values of one.