Re: [fw-wiz] Vulnerability Response (was: BGP TCP RST Attacks)

From: M. Dodge Mumford (dodge_at_dmumford.com)
Date: 06/01/04

  • Next message: Paul D. Robertson: "Re: [fw-wiz] Vulnerability Response (was: BGP TCP RST Attacks)"
    To: "Paul D. Robertson" <paul@compuwar.net>
    Date: Tue, 1 Jun 2004 12:00:33 -0400

    Paul D. Robertson said:
    > If it can't be attacked, then arguably, it doesn't need to be fixed.

    That sentiment surprises me a bit. It appears to me to violate the concept
    of defense in depth. Blocking the exploit path to a vulnerability may
    mitigate the risk greatly, but the vulnerability still remains. In your
    instance, the exploit path would involve attacking your host operating
    system that's performing the firewalling.

    I would think the point of mitigating the risk is to buy you time to fix the
    vulnerability. That "time to fix" may be "until Longhorn is released." Which
    assumes that Longhorn (or, broadly, version++) will fix the vulnerability.

    -- 
    Dodge
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
