Re: [fw-wiz] Vulnerability Response (was: BGP TCP RST Attacks)
From: Devdas Bhagat (devdas_at_dvb.homelinux.org)
To: firstname.lastname@example.org
Date: Thu, 27 May 2004 21:38:28 +0530
On 26/05/04 18:30 -0400, Marcus J. Ranum wrote:
> Ben Nagy wrote:
> >To me, amongst the plethora of product, service and snake oil there are two
> >evolving solution spaces that solve real problems. Host based vulnerability
> The big problem with host based anything is that the management effort
> scales with the number of hosts. That's just a losing battle in the long-term
Actually, it scales with the number of *unique* hosts. If each host is
unique, then the management effort does scale linearly or worse.
However, if we design the system so that we have fewer combinations of
hosts, then the system is actually easier to manage.
> because nobody's host-count is shrinking. Basically, the host-side problem
> is the same as the system administration problem - and the industry has
> made a frightening bodge out of its attempts to "solve" that issue.
http://www.infrastructures.org/ is a good way of designing a solution to
the system administration problem. The same approach can be applied to
the security administration issue.
Personally, I would go with a service centric approach to security,
rather than a host centric approach. This is where most security systems
appeared to lead, until we ended up with too many services to manage.
IMHO, a host centric approach (where "host" maps to a group of identical
systems) is a good idea for system management.
A service oriented approach is a good idea for security management.
Each system offers a "service" to its clients. The task for the
security system is to ensure that only authorized clients are allowed to
access these services.
For example, the task of a MUA is to *display* email. Hence, the MUA
needs to be allowed access to functions that display email, but not to
functions that cause possibly harmful content to execute.
 A system is a single host or group of hosts.
 A service is an interaction between two processes, not necessarily
on the same system.
 The security system includes software, hardware *and* wetware. For
my given example, the security system would consist of not including
code that would execute the harmful content.
firewall-wizards mailing list
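An added illustration of the service-centric model argued for in the post above (this is example code written for this page, not code from the poster or from infrastructures.org): services are keyed by the group of identical hosts that offers them, clients are keyed by group, and the policy states which client groups may reach which service. Every network, host name, service and group here is a constructed sample value, not taken from the thread.

```python
"""Service-centric access policy (added example, assumed values only)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    hosts: frozenset     # group of identical systems offering the service
    port: int
    proto: str = "tcp"


# Client groups defined by network (constructed sample prefixes, RFC 5737 space)
CLIENT_GROUPS = {
    "bgp-peers": [ipaddress.ip_network("192.0.2.0/24")],
    "office": [ipaddress.ip_network("198.51.100.0/24")],
    "mail-relays": [ipaddress.ip_network("203.0.113.0/28")],
}

# Services, each offered by a group of identical hosts (constructed sample values)
SERVICES = {
    "bgp": Service("bgp", frozenset({"rtr1", "rtr2"}), 179),
    "smtp": Service("smtp", frozenset({"mx1", "mx2"}), 25),
    "imap": Service("imap", frozenset({"mail1"}), 993),
}

# The policy is stated per service, not per host: which client groups may use it
POLICY = {
    "bgp": {"bgp-peers"},
    "smtp": {"mail-relays", "office"},
    "imap": {"office"},
}


def groups_for(addr):
    """All client groups whose networks contain the source address."""
    ip = ipaddress.ip_address(addr)
    return {g for g, nets in CLIENT_GROUPS.items() if any(ip in n for n in nets)}


def lookup_service(dst_host, dst_port, proto="tcp"):
    """Map a destination (host, port, proto) back to the service it belongs to."""
    for svc in SERVICES.values():
        if dst_host in svc.hosts and svc.port == dst_port and svc.proto == proto:
            return svc
    return None


def decide(src, dst_host, dst_port, proto="tcp"):
    """Return ('allow' | 'deny', reason) for one connection attempt.

    Anything that is not a declared service is denied outright, so an
    unexpected listener on a host is never reachable by accident.
    """
    svc = lookup_service(dst_host, dst_port, proto)
    if svc is None:
        return "deny", f"{dst_host}:{dst_port}/{proto} is not a declared service"
    allowed = POLICY.get(svc.name, set())
    matched = groups_for(src) & allowed
    if matched:
        return "allow", f"{svc.name} is open to {sorted(matched)}"
    return "deny", f"{src} is not in {sorted(allowed)} for {svc.name}"


def add_host(service_name, host):
    """Grow a host group. The policy table is untouched: management effort
    tracks the number of services, not the number of hosts."""
    svc = SERVICES[service_name]
    SERVICES[service_name] = Service(svc.name, svc.hosts | {host}, svc.port, svc.proto)
    return SERVICES[service_name]


# Constructed sample connection attempts: (src, dst_host, dst_port)
SAMPLE_FLOWS = [
    ("192.0.2.10", "rtr1", 179),      # peer -> BGP: allow
    ("198.51.100.5", "rtr1", 179),    # office -> BGP: deny
    ("198.51.100.5", "mail1", 993),   # office -> IMAP: allow
    ("203.0.113.3", "mail1", 993),    # relay -> IMAP: deny
    ("192.0.2.10", "mx1", 80),        # undeclared port: deny
]


def evaluate(flows=SAMPLE_FLOWS):
    """Decide each flow; returns a list of (flow, (verdict, reason))."""
    return [(f, decide(*f)) for f in flows]


if __name__ == "__main__":
    for flow, (verdict, reason) in evaluate():
        print(f"{verdict:5} {flow} -- {reason}")
    add_host("bgp", "rtr3")
    print(decide("192.0.2.10", "rtr3", 179))  # new router inherits the BGP policy
```

The point of `add_host` is the one made in the reply about unique hosts: a third router joining the `bgp` group gets the existing policy without any change to the policy table, whereas a host-centric rule set would need a new entry for it.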