Re: [fw-wiz] Vulnerability Response (was: BGP TCP RST Attacks)

From: Marcus J. Ranum
Date: 06/01/04

  • Next message: Brian Ford: "Re:[fw-wiz] Vulnerability Response (was: BGP TCP RST Attacks)"
    To: "M. Dodge Mumford" <>, "Paul D. Robertson" <>
    Date: Tue, 01 Jun 2004 13:13:20 -0400

    M. Dodge Mumford wrote:
    >Paul D. Robertson said:
    >> If it can't be attacked, then arguably, it doesn't need to be fixed.
    >That sentiment surprises me a bit. It appears to me to violate the concept
    >of defense in depth.

    This is Peter Tippett's theory of synergistic controls. If you have
    several things that each reduce the likelihood of something bad
    happening, then it's really good to do more of them a little bit
    because the marginal returns eventually go down.

    So, if making your network separated so that "it can't be attacked"
    is going to address 95% of the risks (ninjas, nanobots, etc, are still
    a problem) and hardening the system is going to address another 95%
    you're best off if you do the easiest/cheapest one first. In the case
    of using my "perfect firewall" it's usually easier since it's almost
    always easier and cheaper to NOT DO SOMETHING than to DO
    something. The equipment cost for an air gap is low. ;)

    What's interesting is that if you have 2 security controls that each
    help block (on average, assuming random distribution of attack
    vectors - which is an interesting assumption) 50% of the attacks,
    then you've got 75% of the attacks blocked. Again, the assumption
    of random distribution is an interesting and important problem
    in the theory. If the attacks distribute disproportionately - if you
    can whack 50% of the network attacks and 90% of the attacks
    are networked - then your air gap is going to show a much higher
    value (95% of 90%). One of the things that makes firewalls
    remain attractive is that a disproportion of attacks are networked
    AND the effort factor to install them at a perimeter is low.

    The concept of defense in depth is to do some pretty basic
    stuff in lots of places. And it works. So if you're willing to
    assume in Paul's example that "the system cannot be attacked"
    is ONLY 95% effective - then a 50% effective antivirus system
    on the desktop behind the airgap bumps your likelihood of an
    attack getting through down to a whopping 2.5%. But if you
    think about it, your first line of defense makes a lot of the
    difference and after that it's all diminishing returns.

    Hmm... Did I just say that "just doing ANYTHING" is a good
    start? I think I did. ;) Perhaps that's why we find ourselves
    on the fence about the host/network - "where do I secure it?" -
    issue - doing *anything* that's not manifestly stupid helps
    a great deal. Doing any 2 things that aren't manifestly
    stupid gets you most of the rest of the way to 100% for all
    intents and purposes. If you accept some of the logic I've
    thrown at you above, then it stands to reason that doing
    things that help less than 40-50% of the time is probably
    a waste of time unless you're doing 3 or more of them.


    firewall-wizards mailing list
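The arithmetic in the post above (two 50% controls block 75%; a 95% control followed by a 50% control lets 2.5% through; an air gap that only reaches network-borne attacks is worth "95% of 90%") all falls out of one model: independent controls multiply their miss rates, and the mix of attack vectors weights what each control can reach. The following is an added example, not code from the post or the list; the control and vector names, and the shares of attacks assigned to them, are made-up inputs chosen to reproduce the figures in the post.

```python
"""Residual-risk model for layered ("synergistic") security controls.

Added example, not from the firewall-wizards thread. Assumptions:
  * controls fail independently of one another (the post's "random
    distribution" assumption), so their miss rates multiply;
  * each control is described per attack vector; a vector a control
    does not mention is one it cannot affect (block rate 0.0);
  * the vector shares are a constructed attack-mix, not measured data.
"""
from typing import Dict, List

Control = Dict[str, float]   # {vector_name: probability the control blocks it}
Vectors = Dict[str, float]   # {vector_name: share of all attacks}, sums to 1


def residual_risk(controls: List[Control], vectors: Vectors) -> float:
    """Fraction of attacks that get past every control in `controls`."""
    total = sum(vectors.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError("attack-vector shares must sum to 1, got %r" % total)
    risk = 0.0
    for vector, share in vectors.items():
        passes = 1.0
        for control in controls:
            rate = control.get(vector, 0.0)
            if not 0.0 <= rate <= 1.0:
                raise ValueError("block rate out of range: %r" % rate)
            passes *= 1.0 - rate          # independent misses multiply
        risk += share * passes            # weight by how common the vector is
    return risk


def blocked(controls: List[Control], vectors: Vectors) -> float:
    """Fraction of attacks stopped by the stack of controls."""
    return 1.0 - residual_risk(controls, vectors)


def marginal_gains(controls: List[Control], vectors: Vectors) -> List[float]:
    """Blocked fraction after each control is added in order, so the
    diminishing return of each later layer is visible."""
    return [blocked(controls[:i], vectors) for i in range(1, len(controls) + 1)]


# --- constructed inputs reproducing the post's figures -------------------
UNIFORM = {"any": 1.0}                       # attacks evenly spread, one bucket
MOSTLY_NETWORK = {"network": 0.9, "local": 0.1}   # 90% of attacks arrive over the wire

HALF_A = {"any": 0.5}
HALF_B = {"any": 0.5}
AIR_GAP_UNIFORM = {"any": 0.95}              # "can't be attacked" taken as 95% effective
ANTIVIRUS_UNIFORM = {"any": 0.5}
AIR_GAP = {"network": 0.95}                  # reaches only the network vector
ANTIVIRUS = {"network": 0.5, "local": 0.5}   # host-side, sees both vectors


if __name__ == "__main__":
    print("two 50%% controls:      %.3f blocked" % blocked([HALF_A, HALF_B], UNIFORM))
    print("95%% then 50%%:          %.3f residual"
          % residual_risk([AIR_GAP_UNIFORM, ANTIVIRUS_UNIFORM], UNIFORM))
    print("air gap, 90%% networked: %.3f blocked" % blocked([AIR_GAP], MOSTLY_NETWORK))
    print("layer by layer:         %s"
          % ["%.3f" % g for g in marginal_gains([AIR_GAP, ANTIVIRUS], MOSTLY_NETWORK)])
```

Running it reproduces the post: two 50% controls block 0.75, the 95%/50% pair leaves 0.025, and an air gap that only reaches the network vector blocks 0.855 (95% of 90%) of a mix in which 90% of attacks are networked. The `marginal_gains` list is the "diminishing returns" argument in numbers: the first layer moves the blocked fraction from 0 to 0.855, the second only from 0.855 to 0.9275, because it is now working on the small remainder. The independence assumption is the one to question in practice; two controls that fail on the same inputs (say, two signature-based scanners fed the same feed) do not multiply.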

