Re: [fw-wiz] Vulnerability Response (was: BGP TCP RST Attacks)

From: Marcus J. Ranum (mjr_at_ranum.com)
Date: 05/27/04


To: Devdas Bhagat <devdas@dvb.homelinux.org>, firewall-wizards@honor.icsalabs.com
Date: Thu, 27 May 2004 14:55:40 -0400

Devdas Bhagat wrote:
>Personally, I would go with a service centric approach to security,
>rather than a host centric approach. This is where most security systems
>appeared to lead, until we ended up with too many services to manage.

You're totally correct.

I used to preach that back in 1990 when I was first teaching firewall
systems analysis. You can see how well it's worked!! <LOL>

When I used to audit clients' firewalls (back in the days when people
actually wanted their firewall policies to be understood and thought
about before implementing them) the first question was "what are
the different roles of computing on your network?" So we'd take
all the roles of computing (back in the days when organizations actually
KNEW what they did with their networks) and we'd draw a connectivity
matrix between those different roles. Internet access was just another
role. The cells of the connectivity matrix got loaded with the services
that were necessary between the different roles. The details of how the
services got back and forth was left to the final stage, once it was
agreed that the service was necessary. Services were treated as
high-level concepts (e.g.: "file transfer" not "FTP" or "port 24").
Then you could walk through and talk about transport for services
and mitigation for attacks at an enterprise-role level. It was always
a very "clarifying" exercise.

Usually part way through someone would stand on their chair and
yell, "this is COMPLICATED!" Well, yeah. Transitive trust and
transitive access *are* complicated. And if you don't think about
them, you can have firewalls and host security until you're purple
in the face and you've accomplished nothing except making your
firewall and host security vendors happy.

Nobody wants to think about transitive trust and transitive access.
Those are big issues that most organizations treat as "solved" or
"nonexistent" depending on their maturity. In truth, they are extremely
complex problems that should not be swept under the rug lightly.

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
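The connectivity-matrix exercise Marcus describes above, worked through in code as an added example (this is not from the original post, nor a tool the list used). Roles, the services loaded into each cell, and the service-to-port mapping are all constructed for illustration: cells hold high-level services such as "remote admin", the transport (protocol and port) is only filled in at the final stage, and a breadth-first walk over the role graph surfaces the transitive access the matrix never agreed to, such as the Internet reaching the database role through the web DMZ.

```python
"""Role-to-role connectivity matrix with transitive-access analysis.

Added example, not from the original post. All role names, services and
port mappings below are constructed sample data.
"""
from collections import deque
from typing import Dict, List, Set, Tuple

Role = str
Service = str
Transport = Tuple[str, int]          # (protocol, port)
Matrix = Dict[Tuple[Role, Role], Set[Service]]

# Constructed sample roles. "internet" is just another role, as in the post.
ROLES: List[Role] = ["internet", "staff-workstations", "web-dmz",
                     "database", "admin-jumphost"]

# Constructed sample matrix: cells hold high-level services, not ports.
MATRIX: Matrix = {
    ("staff-workstations", "internet"): {"web browsing"},
    ("internet", "web-dmz"): {"web serving"},
    ("web-dmz", "database"): {"database access"},
    ("admin-jumphost", "web-dmz"): {"remote admin"},
    ("admin-jumphost", "database"): {"remote admin"},
    ("staff-workstations", "admin-jumphost"): {"remote admin"},
}

# Constructed transport mapping: decided last, after a service is agreed.
SERVICE_TRANSPORTS: Dict[Service, List[Transport]] = {
    "web browsing": [("tcp", 80), ("tcp", 443)],
    "web serving": [("tcp", 443)],
    "database access": [("tcp", 5432)],
    "remote admin": [("tcp", 22)],
}


def direct_services(matrix: Matrix, src: Role, dst: Role) -> Set[Service]:
    """Services the matrix explicitly permits from src to dst (empty if none)."""
    return set(matrix.get((src, dst), set()))


def expand_transports(matrix: Matrix,
                      transports: Dict[Service, List[Transport]]
                      ) -> List[Tuple[Role, Role, str, int]]:
    """Final stage: turn agreed services into concrete (src, dst, proto, port) rules."""
    rules = []
    for (src, dst), services in sorted(matrix.items()):
        for svc in sorted(services):
            for proto, port in transports[svc]:
                rules.append((src, dst, proto, port))
    return rules


def indirect_paths(matrix: Matrix, src: Role, dst: Role,
                   max_hops: int = 4) -> List[List[Role]]:
    """Role chains from src to dst when no cell permits src->dst directly.

    Each chain is transitive access: every hop is individually allowed, but
    the end-to-end path was never written into the matrix.
    """
    if direct_services(matrix, src, dst):
        return []
    adjacency: Dict[Role, Set[Role]] = {}
    for (a, b), services in matrix.items():
        if services:
            adjacency.setdefault(a, set()).add(b)
    paths: List[List[Role]] = []
    queue = deque([[src]])
    while queue:
        path = queue.popleft()
        if len(path) - 1 >= max_hops:
            continue
        for nxt in sorted(adjacency.get(path[-1], ())):
            if nxt in path:          # no cycles
                continue
            if nxt == dst:
                paths.append(path + [nxt])
            else:
                queue.append(path + [nxt])
    return paths


def transitive_access_report(matrix: Matrix, roles: List[Role]
                             ) -> Dict[Tuple[Role, Role], List[List[Role]]]:
    """Every (src, dst) pair reachable only through intermediary roles."""
    report = {}
    for src in roles:
        for dst in roles:
            if src != dst:
                paths = indirect_paths(matrix, src, dst)
                if paths:
                    report[(src, dst)] = paths
    return report


if __name__ == "__main__":
    for (src, dst), paths in transitive_access_report(MATRIX, ROLES).items():
        for p in paths:
            print(f"{src} -> {dst} has no cell, but is reachable via "
                  + " -> ".join(p))
    for rule in expand_transports(MATRIX, SERVICE_TRANSPORTS):
        print("allow %s -> %s %s/%d" % rule)
```

The report is the part worth arguing about in the room: each entry is a path the organization implicitly granted by agreeing to its individual cells. Whether it is acceptable (the jump host reaching the database is presumably intended; the Internet reaching it through the DMZ may not be) is a policy decision, and the walk only makes the question visible. The port expansion is deliberately the last step, so the matrix stays readable by people who know the roles but not the protocols.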