Re: [fw-wiz] An article from Peter Tippett/TruSecure...

From: Mike Scher
Date: 03/11/03

  • Next message: Martin Schoeman: "[fw-wiz] Nat+Port Forwarding"
    From: Mike Scher
    To: firewall-wizards
    Date: Tue, 11 Mar 2003 09:40:50 -0600 (CST)

    On Mon, 10 Mar 2003, Paul D. Robertson wrote:

    > For me, "protection in place" isn't just a firewall, it's multiple things,
    > including configuration, substitution, filtering, proxying,
    > segmentation[3],..

    > For some very large organizations, the difference between "patch tonight"
    > and "patch next week" can be *lots* of money. I've not looked at SANS'
    > data (and I don't use their list, I have my own,) but the data I have
    > shows effective savings.


    I think you're describing a dataset that enables one to present extraneous
    information backing up what is in fact not a new approach: defense in
    depth. Indeed, every large organization I have worked with is well aware
    that defense in depth 1) buys the organization time in dealing with new
    vulnerabilities to which they may be exposed, 2) may proactively obviate
    the need to address some vulnerabilities, 3) reduces the pressure to
    address issues without testing, and 4) thus removes significant costs
    incurred in addressing new "threats" by making them, proactively, not
    threats to that organization.

    As you say, defense in depth is not just layering external security
    mechanisms into place, like adding non-trunked VLANs to one's firewall,
    though certainly that sort of approach has received the most air play.
    Jumping to the *NIX world: For many companies, accepting Darren Reed's
    ipfilter into their *NIX environments and using non-exec stacks radically
    changed the cost/threat profile, giving some breathing room, while raising
    costs of maintenance slightly. Using alternate portmapper (Venema's, for
    example), SMTP daemons, and resolvers is another step some organizations
    have taken. Accepting suid wrappers or using static MAC or MAC/IP/port
    associations raised the costs of maintenance too far for most
    organizations to realize significant benefit from the (proactive) move.

    In the upshot, bringing data to an old maxim helps make it more readily
    accepted, and adds statistical credence to its supporters' position.
    That said, such a study does not reinvent the wheel; nor does it find a
    new use for wheels. Rather, it touts benefits in uses already present, if
    present less prevalently than the benefits would suggest.


    Michael Brian Scher     |     Director, Neohapsis Labs    |     General Counsel
    Fax: 773-394-8314       |     Vox: 773-394-8310
    firewall-wizards mailing list
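The post above names filtering and segmentation (and, on the *NIX side, Darren Reed's ipfilter) among the layers that make a newly published vulnerability "not a threat to that organization" before any patch goes in. The ruleset below is an added illustration of that point, not code from Mike Scher's message or from the thread: a minimal ipfilter (ipf.conf) policy with a default deny in both directions, anti-spoofing on the outside interface, one DMZ mail relay reachable from the Internet on TCP/25 only, and the internal network kept off the DMZ except for that relay. The interface names (fxp0 outside, fxp1 DMZ, fxp2 inside), the 192.0.2.0/24 DMZ range, the 10.0.0.0/8 internal range and the relay and hub addresses are assumptions chosen for the example.

```conf
# Added example ipf.conf, not from the original post. Interface names and
# address ranges are assumptions: fxp0 = outside, fxp1 = DMZ, fxp2 = inside,
# 192.0.2.25 = DMZ mail relay, 10.1.1.25 = internal mail hub.
# Rules are first-match because of "quick"; order matters.

# Layer 0: default deny both ways, logged. A service that is never reachable
# turns the next RPC or portmapper advisory into a scheduling question rather
# than an emergency.
block in log all
block out log all

# Loopback is unrestricted.
pass in quick on lo0 all
pass out quick on lo0 all

# Layer 1: anti-spoofing. Packets arriving from the Internet must not carry
# internal, DMZ or loopback source addresses.
block in quick on fxp0 from 10.0.0.0/8 to any
block in quick on fxp0 from 192.0.2.0/24 to any
block in quick on fxp0 from 127.0.0.0/8 to any

# Layer 2: the only service exposed to the Internet is SMTP on the DMZ relay.
# "flags S keep state" admits only the initial SYN; the rest of the session
# rides on the state table. State is kept on each interface the flow crosses.
pass in quick on fxp0 proto tcp from any to 192.0.2.25 port = 25 flags S keep state
pass out quick on fxp1 proto tcp from any to 192.0.2.25 port = 25 flags S keep state

# The relay may deliver outbound mail to the Internet, and nothing else.
pass in quick on fxp1 proto tcp from 192.0.2.25 to any port = 25 flags S keep state
pass out quick on fxp0 proto tcp from 192.0.2.25 to any port = 25 flags S keep state

# Layer 3: segmentation. The relay may hand mail to exactly one internal hub;
# internal hosts may reach the relay only on TCP/25; everything else between
# the inside and the DMZ is dropped.
pass in quick on fxp1 proto tcp from 192.0.2.25 to 10.1.1.25 port = 25 flags S keep state
pass out quick on fxp2 proto tcp from 192.0.2.25 to 10.1.1.25 port = 25 flags S keep state
pass in quick on fxp2 proto tcp from 10.0.0.0/8 to 192.0.2.25 port = 25 flags S keep state
pass out quick on fxp1 proto tcp from 10.0.0.0/8 to 192.0.2.25 port = 25 flags S keep state
block in quick on fxp2 from 10.0.0.0/8 to 192.0.2.0/24

# Layer 4: internal clients initiate sessions to the Internet; replies are
# admitted by state, so nothing unsolicited enters on fxp0.
pass in quick on fxp2 proto tcp from 10.0.0.0/8 to any flags S keep state
pass out quick on fxp0 proto tcp from 10.0.0.0/8 to any flags S keep state
pass in quick on fxp2 proto udp from 10.0.0.0/8 to any keep state
pass out quick on fxp0 proto udp from 10.0.0.0/8 to any keep state
```

Loaded with `ipf -Fa -f /etc/ipf.conf`, this policy leaves a freshly announced hole in, say, an RPC service on an internal host unreachable from the outside, which is the "breathing room" the post describes; the maintenance cost it adds is the per-service pass rule that every new legitimate flow now requires, which is the trade-off the post weighs against static MAC/IP/port associations.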
