Re: [fw-wiz] Defense in Depth to the Desktop
From: Paul D. Robertson (paul_at_compuwar.net)
To: Chris Pugrud <email@example.com>
Date: Tue, 14 Dec 2004 09:05:57 -0500 (EST)
On Mon, 13 Dec 2004, Chris Pugrud wrote:
> > PFWs seem to me to be a pretty good stop-gap. The ability to get back
> > some control over the desktop is worth its weight in gold- losing that
> > ground is what made the war swing against us!
> Is this really an improvement? This is where I can't help but play devil's
I think so...
> advocate. Are we really better off when our security is dependent on hundreds
> or thousands of desktops (the weakest link) that we fight desperately to
> control in a never ending futile battle? One of the first tenets of systems
It is no matter what- one Trojan on the internal network can remove the
power of all of the other security controls if the environment is such
that that desktop has access to critical resources, vulnerable systems, or
whatever. Let's not forget that peer-to-peer isn't the only way to spread
malice in an organization.
> security is physical security and you can never claim that you have physical
> control over a machine at your user's fingertips.
Perfect is the enemy of good enough.
> What's wrong with a model that acknowledges that while we will do our best to
> protect the security of user machines, they are a resource we can not
> ultimately control, so rather than making the security of the entire
> organization dependent on them, we are going to reduce our effective security
> perimeter to a known subset of systems that we do maintain absolute physical
> control over? I'm not suggesting that we abandon user machines, I'm suggesting
You're only as strong as the weakest link. That's the user desktop.
> that we remove them from being available to be the weakest link in the security
> of the organization. I'm suggesting that we acknowledge that desktops are
> going to get hacked and infected (especially laptops) and make a concerted
> effort to protect the rest of the organization from that inevitable compromise.
Ah, but if we can reduce the compromise rate significantly, then why not?
Especially if it's at a cost that's less than the current level of
compromise events? I really think we're at that point, essentially it's
that or ripping out IE- something that's only now becoming an option, and
even then you still have the e-mail vector.
Strengthen the weakest link, and you strengthen the overall posture.
> > You're still going to have to deal with the desktops, because the users
> > are going to have to work and have critical files there. I think that I'm
> > probably more worried about spyware Trojans than worms right now- worm
> > events get lots of press, but the infestations are really ugly.
> I'm not abandoning the desktops, I'm trying to minimize the potential of one
> infected desktop infecting all of the desktops. One machine is easier to clean
> than hundreds, or thousands. I'm also addressing the critical files issue. If
I'm not sure the degree of difficulty is all that much higher, the real
argument here is for degree of completeness.
> I was an insider trying to steal juicy data I'm going to attack the desktops
> and laptops of the people that have that data directly. It will be a lot
> easier and more discreet than attacking the fortified, guarded, and watched
A clued outsider doing a target of choice attack should reach the same
conclusion... Hence my assertion that hardening the desktop is important.
> >But then you've got a single point of failure, and just using a
> >255.255.255.255 subnet mask and a static route seems to be not that messy
> >to me. Plus it works no matter what vendor's gear you happen to hit-
> >that's always a bonus to me because the "switch just went down and we need
> >to put in whatever we can" scenario with little sleep needs to not carry a
> >bunch of administrative overhead.
> I'm not discounting this approach, I just need to noodle it some more to
> understand all of the implications. Do you have any references to this being
> applied and used?
I've done it on *nix boxes occasionally by turning off dynamic ARP and
adding an interface route to the gateway. On Windows nets, I've typically
supernetted the internal side, and handed out subnets to the clients with
no inter-subnet routing through the gateway. It doesn't protect from a
really clued attacker or user, but it gets rid of the 90th percentile of
stuff without a lot of overhead, and leaves me to focus on detection of
folks who get past it (obvious places to apply the clue bat, rather than
noise-level attacks.) Taking down from the subnet to the system level
shouldn't be a big deal, if there's no gratuitous ARP- dynamic ARP should
be taken care of by the routing- assuming something like WINS doesn't
screw it all up.
Paul D. Robertson
firstname.lastname@example.org
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
firewall-wizards mailing list
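As an added worked example (not part of the thread above), here is a small Python model of the layer-3 routing decision behind the technique Paul describes: a /32 subnet mask plus an interface route to the gateway, compared with a conventional /24 desktop. The `HostConfig`, `flat_host`, `isolated_host` and `next_hop` names and the 10.0.0.0/24 addresses are constructed for illustration; the model covers routing only, so the ARP/WINS caveat in the post still applies.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


@dataclass
class HostConfig:
    """Constructed model of one client's IP configuration (not from the post)."""
    iface: IPv4Interface            # address + mask, e.g. 10.0.0.5/32
    gateway: IPv4Address
    routes: dict = field(default_factory=dict)   # prefix -> next hop; "link" = on-link

    def __post_init__(self):
        # The connected route: every address inside the mask is reached directly
        # (ARP to the peer, no router in the path).  With a /32 that is only us.
        self.routes.setdefault(self.iface.network, "link")


def flat_host(ip, gw):
    """Conventional desktop: /24 mask, so every peer on the LAN is on-link."""
    cfg = HostConfig(IPv4Interface(ip + "/24"), IPv4Address(gw))
    cfg.routes[IPv4Network("0.0.0.0/0")] = cfg.gateway
    return cfg


def isolated_host(ip, gw):
    """The post's technique: /32 mask (nothing else on-link), an interface
    route to the gateway, then a default route through that gateway."""
    cfg = HostConfig(IPv4Interface(ip + "/32"), IPv4Address(gw))
    cfg.routes[IPv4Network(gw + "/32")] = "link"     # the "interface route"
    cfg.routes[IPv4Network("0.0.0.0/0")] = cfg.gateway
    return cfg


def next_hop(cfg, dst):
    """Longest-prefix-match decision for a packet to dst: "link" when the host
    would ARP for the peer directly, the gateway address when the packet is
    forced through the router, None when there is no route at all."""
    dst = IPv4Address(dst)
    best = None
    for prefix, hop in cfg.routes.items():
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, hop)
    return None if best is None else best[1]


if __name__ == "__main__":
    for name, cfg in (("flat", flat_host("10.0.0.5", "10.0.0.1")),
                      ("isolated", isolated_host("10.0.0.5", "10.0.0.1"))):
        # A flat desktop talks to its neighbour directly; the isolated one
        # cannot, so peer-to-peer spread has to cross the gateway's controls.
        print(name, "-> 10.0.0.9 via", next_hop(cfg, "10.0.0.9"))
```

Because the isolated host's only on-link route is the gateway itself, a Trojan on it has no direct path to the other desktops unless it can bypass the routing table (for example by gratuitous ARP, which is exactly the caveat Paul raises).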