RE: [fw-wiz] Vulnerability Response (was: BGP TCP RST Attacks)

From: Ben Nagy (ben_at_iagu.net)
Date: 06/01/04

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Tue, 1 Jun 2004 11:06:52 +0200
    
    

    > -----Original Message-----
    > From: Marcus J. Ranum [mailto:mjr@ranum.com]
    [...]
    > >mjr writes:
    [...]
    > > I think eventually time will tell
    > > and we'll give up on patch management as a security
    > > technique. [...]
    (me)
    > | "CRAP!"
    >
    > As I said, I think time will tell. :)
    >
    > <RANT>
    >
    > Come on, Ben! Join me in challenging the preconceptions of an
    > industry that has grown up around "if you can't do something
    > RIGHT do something STUPID, HARDER!" That's what we're
    > talking about, here, with all the focus on patch management:
    > - Rather than run a good O/S: run a bad one and MANAGE it BETTER
    > - Rather than understand your connectivity: leave it OPEN and
    > FIDDLE WITH
    > your endpoints CONSTANTLY
    > - Rather than run good code: run bad code and UPGRADE IT DAILY
    >
    > Talk about not being able to yell "CRAP" loud enough?? What's
    > wrong with this picture?!?!

    I'm horribly torn here. I completely agree with you, but I just don't see
    any evidence of change. Essentially what you are claiming, when you say that
    "time will tell", is that little green men from the Planet Clue are going to
    invade earth with their rectal clue applicators and drag most of the IT
    industry in the world off to re-education camps. Until then, I applaud
    evangelism, but it won't stop me trying to secure the mess we have.

    > >Take a look at the recent security record of MS RPC endpoints. You
    > >can't turn them off. You can't secure them. Windows will break.
    >
    > Yes. So? YOU ARE INSANE IF YOU ARE RELYING ON WINDOWS FOR
    > INTERNET-FACING CRITICAL SYSTEMS.

    Trouble is that it's not just internet facing systems that get owned. This
    idea of crunchy outside chewy centre has GOT to change. It's dead. Didn't
    work. Bye-bye.

    [...]
    > We have seen - CLEARLY - with software and O/S in general -
    > that they are not reliable enough to provide a solid security
    > platform. The evidence is manifest; it's been staring us in
    > the face for at least the last 10 years and it's been covered
    > in big, blinky neon signage for the last 4 years. Everyone
    > would rather be in denial.
    >
    > What do you think? If we install JUST ONE MORE PATCH it's
    > gonna be SECURE? Heck, no. The only way to secure this crap
    > is to hold it down and hammer a stake through its heart.

    Ah c'mon.

    Given that we can't go back to the abacus, we need to work from where we
    are, and it is happening. I see MS doing GOOD WORK in improving the
    fundamental security core of their OS. I nearly passed out when I saw
    support for NX memory, no anonymous RPC and host firewall enabled by default
    in a general purpose service pack. They've come a long way from VMS. :) I
    see linux including easy (enough) to use stack protection in most major
    distributions, with DAC being doable In Real Life. I see
    MacOS....um...taking massive steps backwards, but hey, they've always
    "thought different".

    The other option to burning it all and starting again is to "get there from
    here". I say it's possible (eventually). Until that happens, we need
    auxiliary solutions to prop things up.

    > </RANT>
    >
    > >How _ELSE_ do you want to deal with that problem? Let me put it a
    > >different way. However much you lock down machines, your biggest
    > >remaining worry will be software vulnerabilities in the services you
    > >_do_ run - the rest is just a matter of degrees. How do you
    > eliminate vulnerabilities? Patch.
    >
    > Ok... now let me catch my breath and we can talk sense... ;)
    >
    > You're absolutely right that the software vulnerabilities in
    > services are what will kill you. That's why the old-school
    > doctrine was [smart]

    I think you're STILL thinking in terms of building hardened entry points.
    Yes, more people should do that as well. Now what about the other 99.9% of
    machines in the network? Some of the manufacturing places I talk to still
    have Windows 95 machines running production robots. Win 95! The only reason
    they didn't get knocked over by Sasser is that they didn't _have_ a Local
    Security Authority!

    [...]
    > >You can only harden up until the OS will let you.
    >
    > Well, yeah. If you're using the wrong OS you're an idiot. The
    > fact that there are a lot of idiots out there doesn't make
    > them any less idiotic, either.

    This line brings a smile to my face every time I read it.

    You're right, of course, but lots of people aren't going to admit it when
    you rub their nose in it like that. I'm writing this on a Windows box - and
    you just told me that your work box is Windows too. I vote that us "idiots"
    deserve security too.

    > Let me see here: "I am gonna build a 'bastion host' on an O/S
    > that doesn't have chroot, or any notion of file permissions
    > or execution control. But I like it because it automatically
    > loads device drivers on demand and it has shared libraries
    > and no CHANCE of producing a statically bound executable and
    > by the way anyone can overwrite a shared library any time
    > they get file level access because there are no file
    > permissions enforced."
    [...]

    What can I say? :) It's so usable!

    No, seriously, the argument about what to use if building a hardened
    single-service box was conceded a long time ago by all but the masochists.
    I'm talking about the _rest_.

    [...]
    > The idea that code needs to be patched frequently and often
    > is predicated on the flawed concept that cruddy code is
    > exposed to untrusted network. That's just dumb.

    So this is, again, where we differ in opinion. The desktop - also known as
    Cruddy Code Central - is what is causing the problem. You "old school"
    geniuses have been telling us "newbies" to build super duper amazing transit
    points between networks of different trust levels, which we have been trying
    to do. The trouble is that malware still gets in. Poot. Them dang worms is
    like roaches, I tell ya. Looks 'ifn that there trusted network weren't quite
    so trusted after all...

    There comes a point where we have to admit that "the security architecture
    operation was a complete success, but the patient died" is of limited value.
    One of the funniest things I ever saw was a small copper tail running out of
    a door in a military research institute - the building was a faraday cage,
    and so they needed the tail to make the radio work. People DO these things -
    it's HUMAN.

    > Fight back. Fight dumbness.
    > Come over to the light. Turn away from the darkness. Fight
    > the "accepted wisdom" of defeat. Use The Force, Ben.... ;)

    Ha! "It's fun to use learning for evil!" [1]

    > > Other solutions (like my
    > >famous "marketing" host based vulnerability mitigation ;) might save
    > >your backside for a while, but the real intent of those
    > solutions is to
    > >buy you time, not obviate the need to fix the real problem.
    >
    > Exactly!! Put another way - the intent of those solutions is
    > to make it easier for you to survive doing something stupid
    > that you may not survive anyhow.

    That's correct. This is a bad thing, how? Seatbelts. The rail around Niagara.
    etc...

    [...]
    > I have never had a worm or virus since I got interested in security.
    > NEVER. And I use Windows as my primary desktop platform.

    Because you have one machine to take care of, plus you have some idea what
    you are doing maybe?

    [...]
    > Yes,
    > desktops that are vulnerable to malcode should have malcode
    > protection (my desktop AV clobbers about 1 or 2 viruses a
    > week that get through my spam filters and attachment
    > blockers)

    !! So we agree! Yay! It's just that AV is not really effective against
    network-borne threats because the threat clobbers the network service before
    the AV gets a crack at it. AV is OK at stopping stuff that comes in from
    Layer 8, but doesn't cover lots of other threats. Other stuff _can_ cover
    some of those threats.

    [...]
    > >With you I will just say that you are five years ahead of your time.
    >
    > What?? I've been saying EXACTLY THE SAME THING since 1990.
    >
    > *BUT* Peter Neumann has been saying EXACTLY THE SAME THING
    > since 1963 or thereabouts. I was 1 year old then.
    >
    > Dude, I'm not "advanced" I'm "retro" !!!! :)

    Computing since the 60s has proved that those two words are effectively
    synonyms. ;)

    > >I am
    > >100% behind you as an idealist, but, as a professional, I don't see
    > >that as useful right now. :D
    >
    > Because you're stuck in the dumbness.[...]
    >
    > Keep shovelling,
    > mjr.

    <shovel, shovel>

    ben

    [1] http://www.dieselsweeties.com/shirts/ This is not my company, I have no
    affiliation, I make no money from shirt sales - I just didn't wanna steal a
    possibly-trademarked line. ;)

    PS: I am ten ninjas. [1]

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

