Re: [fw-wiz] An article from Peter Tippett/TruSecure...

From: Mike Scher (mscher@neohapsis.com)
Date: 03/11/03

    From: Mike Scher <mscher@neohapsis.com>
    To: firewall-wizards <firewall-wizards@honor.icsalabs.com>
    Date: Tue, 11 Mar 2003 09:40:50 -0600 (CST)
    

    On Mon, 10 Mar 2003, Paul D. Robertson wrote:
    [...]

    > For me, "protection in place" isn't just a firewall, it's multiple things,
    > including configuration, substitution, filtering, proxying,
    > segmentation[3],..

    [...]
    > For some very large organizations, the difference between "patch tonight"
    > and "patch next week" can be *lots* of money. I've not looked at SANS'
    > data (and I don't use their list, I have my own,) but the data I have
    > shows effective savings.

    Paul,

    I think you're describing a dataset that enables one to present extraneous
    information backing up what is in fact not a new approach: defense in
    depth. Indeed, every large organization I have worked with is well aware
    that defense in depth 1) buys the organization time in dealing with new
    vulnerabilities to which they may be exposed, 2) may proactively obviate
    the need to address some vulnerabilities, 3) reduces the pressure to
    address issues without testing, and 4) thus removes significant costs
    incurred in addressing new "threats" by making them, proactively, not
    threats to that organization.

    As you say, defense in depth is not just layering external security
    mechanisms into place, like adding non-trunked VLANs to one's firewall,
    though certainly that sort of approach has received the most air play.
    Jumping to the *NIX world: For many companies, accepting Darren Reed's
    ipfilter into their *NIX environments and using non-exec stacks radically
    changed the cost/threat profile, giving some breathing room, while raising
    costs of maintenance slightly. Using alternate portmapper (Venema's, for
    example), SMTP daemons, and resolvers is another step some organizations
    have taken. Accepting suid wrappers or using static MAC or MAC/IP/port
    associations raised the costs of maintenance too far for most
    organizations to realize significant benefit from the (proactive) move.

    In the upshot, bringing data to an old maxim helps make it more readily
    accepted, and adds statistical credence to its supporters' position.
    That said, such a study does not reinvent the wheel; nor does it find a
    new use for wheels. Rather, it touts benefits in uses already present, if
    present less prevalently than the benefits would suggest.

          -M

    -- 
    Michael Brian Scher     |     Director, Neohapsis Labs
    mscher@neohapsis.com    |     General Counsel
    Fax: 773-394-8314       |     Vox: 773-394-8310
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    