Re: [fw-wiz] Vulnerability Response (was: BGP TCP RST Attacks)

From: Devdas Bhagat (
Date: 05/27/04

  • Next message: Marcus J. Ranum: "RE: [fw-wiz] Vulnerability Response (was: BGP TCP RST Attacks)"
    Date: Thu, 27 May 2004 21:38:28 +0530

    On 26/05/04 18:30 -0400, Marcus J. Ranum wrote:
    > Ben Nagy wrote:
    > >To me, amongst the plethora of product, service and snake oil there are two
    > >evolving solution spaces that solve real problems. Host based vulnerability
    > >mitigation
    > The big problem with host based anything is that the management effort
    > scales with the number of hosts. That's just a losing battle in the long-term
    Actually, it scales with the number of *unique* hosts. If each host is
    unique, then the management effort does scale linearly or worse.
    However, if we design the system so that we have fewer combinations of
    hosts, then the system is actually easier to manage.

    > because nobody's host-count is shrinking. Basically, the host-side problem
    > is the same as the system administration problem - and the industry has
    > made a frightening bodge out of its attempts to "solve" that issue.
    is a good way of designing a solution to
    the system administration problem. The same approach can be applied to
    the security administration issue.
    Personally, I would go with a service centric approach to security,
    rather than a host centric approach. This is where most security systems
    appeared to lead, until we ended up with too many services to manage.

    IMHO, a host centric approach (where "host" maps to a group of identical
    systems) is a good idea for system management.

    A service oriented approach is a good idea for security management.
    To clarify:
    Each system [1] offers a "service" [2] to its clients. The task for the
    security system [3] is to ensure that only authorized clients are allowed to
    access these services.

    For example, the task of a MUA is to *display* email. Hence, the MUA
    needs to be allowed access to functions that display email, but not to
    functions that cause possibly harmful content to execute.

    Devdas Bhagat
    [1] A system is a single host or group of hosts.
    [2] A service is an interaction between two processes, not necessarily
    on the same system.
    [3] The security system includes software, hardware *and* wetware. For
    my given example, the security system would consist of not including
    code that would execute the harmful content.
    firewall-wizards mailing list

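Added example, not part of the original thread or of any firewall-wizards code: a "display-only" mail path in the spirit of the MUA example above, where the security system is the absence of any code that could run message content. The program can show a message but cannot execute anything in it: active HTML (script, object, iframe, event handlers, javascript: URLs) is removed before rendering, and attachments are only described by name, type and size, never opened. The sample message, the tag and scheme lists, and all function names are constructed for this illustration.

```python
"""Added example (not from the original thread): a display-only mail path
for the MUA case above. The code can show a message but cannot execute
anything in it: active HTML is stripped before rendering, attachments are
described, never opened. The sample message and names are constructed."""

import email
import html
import re
from email import policy
from html.parser import HTMLParser

# Elements that run code, load remote content or rewrite the page; each is
# dropped together with everything nested inside it.
ACTIVE_TAGS = {"script", "style", "object", "embed", "applet", "iframe",
               "frame", "frameset", "form", "link", "meta", "base", "svg", "math"}
# URL schemes that turn a link or image into code execution (data: is
# refused too, conservatively, since it can carry HTML).
ACTIVE_SCHEMES = ("javascript:", "vbscript:", "data:")


class DisplayOnlyHTML(HTMLParser):
    """Re-emits HTML keeping only inert markup."""

    def __init__(self):
        super().__init__()          # convert_charrefs=True: data is decoded
        self.out = []
        self._skip = 0              # >0 while inside a dropped element

    def _attrs(self, attrs):
        kept = []
        for name, value in attrs:
            if name.lower().startswith("on"):
                continue            # onclick=, onerror=, onload=, ...
            if value is None:
                kept.append(f" {name}")
                continue
            # HTMLParser has already decoded entities (e.g. &#115;), so an
            # obfuscated scheme is visible here; whitespace is squeezed out.
            if re.sub(r"[\s\x00-\x1f]", "", value).lower().startswith(ACTIVE_SCHEMES):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self._skip += 1
        elif not self._skip:
            self.out.append(f"<{tag}{self._attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        if tag not in ACTIVE_TAGS and not self._skip:
            self.out.append(f"<{tag}{self._attrs(attrs)} />")

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self._skip = max(0, self._skip - 1)
        elif not self._skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:          # re-escape decoded text on the way out
            self.out.append(html.escape(data, quote=False))


def sanitize_html(markup: str) -> str:
    """Return markup with every active construct removed."""
    p = DisplayOnlyHTML()
    p.feed(markup)
    p.close()
    return "".join(p.out)


def render_for_display(raw_message: bytes) -> dict:
    """Return only what a display function needs: plain text, sanitized
    HTML, and (name, type, size) for attachments. Attachment bytes are
    decoded only to measure them, never handed to anything that runs them."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    view = {"text": None, "html": None, "attachments": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if part.get_content_disposition() == "attachment" or part.get_filename():
            size = len(part.get_payload(decode=True) or b"")
            view["attachments"].append((part.get_filename(), ctype, size))
        elif ctype == "text/plain" and view["text"] is None:
            view["text"] = part.get_content()
        elif ctype == "text/html" and view["html"] is None:
            view["html"] = sanitize_html(part.get_content())
    return view


# Constructed sample: benign text, hostile HTML, and an executable attachment.
SAMPLE = b"""From: sender@example.invalid
Subject: constructed sample
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please see the attached invoice.
--b1
Content-Type: text/html; charset="utf-8"

<p onclick="alert(1)">Please see the <b>attached</b> invoice.</p>
<script>location='http://attacker.invalid/'</script>
<iframe src="http://attacker.invalid/f"></iframe>
<a href="JAVA&#115;CRIPT:alert(1)">bad link</a>
<a href="http://example.invalid/">safe link</a>
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

SGVsbG8gd29ybGQ=
--b1--
"""
```

Calling render_for_display(SAMPLE) yields the plain text, an HTML body with the script, iframe, onclick handler and javascript: link gone but the safe link and bold text intact, and a single attachment entry ("invoice.exe", "application/octet-stream", 11). The design point is that the stripping is fail-closed: an element that is never closed keeps the parser in skip mode to the end, so malformed markup loses content rather than gaining execution.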