RE: [fw-wiz] Vulnerability Response (was: BGP TCP RST Attacks)
From: Dave Piscitello (dave_at_corecom.com)
Date: 05/27/04
- Previous message: edp.lists_at_acerbis.it: "R: R: [fw-wiz] PIX dropping packets with source port 80"
- In reply to: Marcus J. Ranum: "RE: [fw-wiz] Vulnerability Response (was: BGP TCP RST Attacks)"
- Next in thread: Marcus J. Ranum: "RE: [fw-wiz] Vulnerability Response (was: BGP TCP RST Attacks)"
- Reply: Marcus J. Ranum: "RE: [fw-wiz] Vulnerability Response (was: BGP TCP RST Attacks)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Marcus J. Ranum" <mjr@ranum.com>, "Ben Nagy" <ben@iagu.net>, "'Claussen, Ken'" <Ken@kccweb.com>
Date: Thu, 27 May 2004 09:29:45 -0400
At 06:30 PM 5/26/2004 -0400, Marcus J. Ranum wrote:
>Ben Nagy wrote:
> >there are two evolving solution spaces that solve real problems. Host
> >based vulnerability mitigation
>
>The big problem with host based anything is that the management effort
>scales with the number of hosts.
Agreed. Done in a vacuum, host vulnerability assessment illustrates how
poorly you are configuring and maintaining your hosts. Moreover, if
vulnerability mitigation is addressed per host, based on scanning results,
you have to question whether you ever achieve uniform security policy. But
don't you think you can manage risk better if you mitigate by central
policy definition and patch management? I've used the CIS security tool
(includes HFnetchk) and templates one-off with both MMC plug-in and local
policy editing. This is hours per computer, and does not scale even in my
home office. But if you use a template and push a configuration from a
central policy server to all clients, it's more efficient, and uniform.
> > and anything that allows an organisation to condense and
> >prioritise information about where they are exposed to known vulnerabilities
> >in realtime.
>
>Asset management, change control, and security workflow are all
>good, yes. Condensing and prioritizing is just part of it. I'm not
>at all convinced that it's enough. After all, if you condense and
>prioritize the "must fix: disaster" list for many companies you'll get
>a list so long that they'll decide to do something else, instead.
>Anything else, in fact. :)
Perhaps initially, but this is a systemic problem, no? Anyone with kids
knows the "clean the room" syndrome, and security operations are like
parents with lots of messy children. Each child does little or nothing for
a long long time, until the only way to clean his or her room is to
literally empty it and restore order and cleanliness. But if the effort to
establish the baseline is followed by more disciplined administration and
housekeeping, the must fix disaster list is shorter, and more suitable to
prioritization.
>"None of our users would accept that kind of solution!" they cried.
If this attitude is pervasive, then the client wasted your time and spent
their money unwisely.
>Therein lies the rub.
Hamlet, Act III,
"To die, to sleep; To sleep, perchance to dream-there's the rub;...
>You *think* host-based vulnerability mitigation (what *is* that,
>by the way? it sounds like marketing...) is going to work. But
>that's just because not enough users have TRIED it enough to
>figure out how to politically sandbag it, yet. But don't worry, they
>will. Remember, users are supposed to be running host-based
>antivirus, too. :P
Curmudgeon factor is high today, eh Marcus?
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
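The message above argues for a central template as the security baseline, pushed uniformly rather than edited host by host, and for a "must fix" list that is short enough to prioritize. The following is an added example, not code from the thread, the CIS tool or HFNetChk: it parses the INI-style format that `secedit /export /cfg` writes, compares several hosts' exports against one baseline template, and ranks the deviations by how many hosts share them. All template text is constructed sample data; the section and key names are modelled on a secedit template but the values are invented.

```python
"""Baseline drift check for secedit-style security templates.

Added example (not from the original thread). Parses the INI-like format
written by `secedit /export /cfg`, reports per-host deviations from a
central baseline, and ranks them by how many hosts share each deviation.
Every template below is constructed sample data, not a real export.
"""
import configparser
from typing import Dict, List, Tuple

# Constructed baseline, modelled on the sections a secedit template uses.
BASELINE_INF = """
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 3
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous=4,1
"""

# Constructed per-host exports: one compliant host, two that have drifted.
HOST_EXPORTS = {
    "ws01": BASELINE_INF,
    "ws02": """
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 3
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous=4,1
""",
    "ws03": """
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 3
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous=4,0
""",
}

Setting = Tuple[str, str]            # (section, key)
Drift = Tuple[Setting, str, str]     # (setting, expected, actual)


def parse_template(text: str) -> Dict[Setting, str]:
    """Parse a secedit-style template into {(section, key): value}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep registry paths exactly as written
    cp.read_string(text)
    return {(sec, key): val.strip()
            for sec in cp.sections() for key, val in cp.items(sec)}


def find_drift(baseline: Dict[Setting, str], host: Dict[Setting, str]) -> List[Drift]:
    """Every baseline setting the host lacks or sets differently.

    Settings present only on the host are ignored: the baseline is the
    policy, so extra host settings are not drift under this definition.
    """
    drift: List[Drift] = []
    for setting, expected in sorted(baseline.items()):
        actual = host.get(setting, "<missing>")
        if actual != expected:
            drift.append((setting, expected, actual))
    return drift


def drift_report(baseline_text: str, exports: Dict[str, str]) -> Dict[str, List[Drift]]:
    """Per-host drift list, computed against one central baseline."""
    baseline = parse_template(baseline_text)
    return {host: find_drift(baseline, parse_template(text))
            for host, text in exports.items()}


def prioritize(report: Dict[str, List[Drift]]) -> List[Tuple[Setting, int]]:
    """Rank drifted settings by how many hosts share them: correcting the
    most common deviation in the pushed template reaches the most hosts."""
    counts: Dict[Setting, int] = {}
    for drifts in report.values():
        for setting, _, _ in drifts:
            counts[setting] = counts.get(setting, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    report = drift_report(BASELINE_INF, HOST_EXPORTS)
    for host, drifts in report.items():
        print(host, "compliant" if not drifts else "")
        for (section, key), expected, actual in drifts:
            print(f"  [{section}] {key}: expected {expected}, got {actual}")
    print("most common deviations:", prioritize(report)[:3])
```

On a real fleet the `HOST_EXPORTS` dictionary would be filled from `secedit /export /cfg <file>` run on each host, and `secedit /analyze` can do a single-host comparison on its own; the point of collecting the exports centrally is the ranking, which turns a long per-host list into the handful of template changes worth pushing first.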