Re: [fw-wiz] An article from Peter Tippett/TruSecure...
From: Mike Scher (mscher@neohapsis.com)
Date: 03/11/03
- Previous message: Paul D. Robertson: "Re: [fw-wiz] An article from Peter Tippett/TruSecure..."
- In reply to: Paul D. Robertson: "Re: [fw-wiz] An article from Peter Tippett/TruSecure..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Mike Scher <mscher@neohapsis.com> To: 'firewall-wizards <firewall-wizards@honor.icsalabs.com> Date: Tue, 11 Mar 2003 09:40:50 -0600 (CST)
On Mon, 10 Mar 2003, Paul D. Robertson wrote:
[...]
> For me, "protection in place" isn't just a firewall, it's multiple things,
> including configuration, substitution, filtering, proxying,
> segmentation[3],..
[...]
> For some very large organizations, the difference between "patch tonight"
> and "patch next week" can be *lots* of money. I've not looked at SANS'
> data (and I don't use their list, I have my own,) but the data I have
> shows effective savings.
Paul,
I think you're describing a dataset that enables one to present extraneous
information backing up what is in fact not a new approach: defense in
depth. Indeed, every large organization I have worked with is well aware
that defense in depth 1) buys the organization time in dealing with new
vulnerabilities to which they may be exposed, 2) may proactively obviate
the need to address some vulnerabilities, 3) reduces the pressure to
address issues without testing, and 4) thus removes significant costs
incurred in addressing new "threats" by making them, proactively, not
threats to that organization.
As you say, defense in depth is not just layering external security
mechanisms into place, like adding non-trunked, VLANs to one's firewall,
though certainly that sort of approach has received the most air play.
Jumping to the *NIX world: For many companies, accepting Darren Reed's
ipfilter into their *NIX environments and using non-exec stacks radically
changed the cost/threat profile, giving some breathing room, while raising
costs of maintenance slightly. Using alternate portmapper (Venema's, for
example), SMTP daemons, and resolvers is another step some organizations
have taken. Accepting suid wrappers or using static MAC or MAC/IP/port
associations raised the costs of maintenance too far for most
organizations to realize significant benefit from the (proactive) move.
In the upshot, bringing data to an old maxim helps make it more readily
accepted, and adds statistical creedence to its supporters' position.
That said, such a study does not reinvent the wheel; nor does it find a
new use for wheels. Rather, it touts benefits in uses already present, if
present less prevalently than the benefits would suggest.
-M
-- Michael Brian Scher | Director, Neohapsis Labs mscher@neohapsis.com | General Counsel Fax: 773-394-8314 | Vox: 773-394-8310 _______________________________________________ firewall-wizards mailing list firewall-wizards@honor.icsalabs.com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
- Previous message: Paul D. Robertson: "Re: [fw-wiz] An article from Peter Tippett/TruSecure..."
- In reply to: Paul D. Robertson: "Re: [fw-wiz] An article from Peter Tippett/TruSecure..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
