Re: [fw-wiz] Defense in Depth to the Desktop

From: Marcus J. Ranum (mjr_at_ranum.com)
Date: 12/14/04

  • Next message: Marcus J. Ranum: "Re: [fw-wiz] How to Save The World"
    To: Devdas Bhagat <devdas@dvb.homelinux.org>, firewall-wizards@honor.icsalabs.com
    Date: Tue, 14 Dec 2004 12:34:03 -0500

    Devdas Bhagat wrote:
    >What we need is a PFW that can be controlled by the central IT
    >department and global policies applied to similar sets of desktops.

    Most of the PFW makers are heading that way. Some of the
    companies (e.g.: Sygate) have been doing it for a long time.
    I'm (no business association with Sygate or their products)
    pretty impressed with the policy framework they have built.

    But, fundamentally, we need to assess where we're heading
    with the whole thing. PFW is a piece of it, but as malware is
    showing us beyond the shadow of a doubt, the final battle
    is going to be fought over what gets executed on the desktop.
    The orange book guys knew this ages ago, and we've just
    been in denial about it, as we thrash desperately back and
    forth between "can we secure it at the network?" (no) "can
    we secure it at the host?" (no)

    Eventually, we'll find ourselves accepting the reality that we
    need total, granular management of execution and network
    connectivity network-wide. That's the truth we've been
    dodging since the "desktop revolution."

    >But it *is* the most common way for malicious code to replicate.
    >Windows file and print sharing is one huge hole.

    Close one common vector and it'll just make another
    vector the new most popular and most common pathway.
    That's the fundamental problem with playing computer
    security whack-a-mole -- the underlying premise is
    "if we just close this one hole" - and it's wrong. That's
    why the folks who say "If we just blow away Windows"
    are wrong (yes; I have said that) or "If we just stop using
    IE" are wrong (yes; I have said that). A more accurate
    statement would be "if we just blow away IE, we will
    force the bad guys to reassess their attack vectors
    and learn new ones." Which is not an entirely bad thing.

    Note that I am usually recommending blowing away
    Windows and IE in the context of replacing them with
    an absolutely controlled execution environment, so I
    am not exactly in favor of playing whack-a-mole. I would
    describe my position more as "driving a stake through
    its heart" -- and, yes, I would be willing to operate in
    such an environment.

    mjr.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
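The post argues for centrally managed, default-deny control over what a desktop may execute and where it may connect, with one policy applied to each class of machine. The following is an added illustration of that idea, not code from the thread or from any product mentioned in it: a small policy evaluator in which each desktop group carries a hash allowlist of permitted executables and a set of permitted outbound ports, and anything not on the list is denied and logged. The group names, file paths and file contents are constructed sample data; real products of the time (and OS-native mechanisms) expose similar controls with their own formats.

```python
import hashlib
from dataclasses import dataclass

# Added example (not from the original post): a default-deny execution and
# outbound-connection policy applied per desktop group, as a model of the
# "total, granular management" the post calls for. All names, paths and file
# contents below are constructed for illustration.


def sha256_hex(data: bytes) -> str:
    """Content hash used as the allowlist key (path alone is easy to spoof)."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for file contents; a real deployment hashes the binary on disk.
NOTEPAD_V1 = b"notepad-binary-v1"
NOTEPAD_V2 = b"notepad-binary-v2"      # same program after a patch: new hash
WINWORD_V1 = b"winword-binary-v1"
DROPPER = b"dropper-payload"            # unknown binary a user double-clicked


@dataclass(frozen=True)
class GroupPolicy:
    name: str
    allowed_hashes: frozenset       # SHA-256 hex digests of approved executables
    allowed_outbound_ports: frozenset  # TCP ports the group may connect to


# Central policy: one entry per class of desktop (constructed sample).
POLICY = {
    "finance": GroupPolicy(
        "finance",
        frozenset({sha256_hex(NOTEPAD_V1), sha256_hex(WINWORD_V1)}),
        frozenset({80, 443}),
    ),
    "kiosk": GroupPolicy(
        "kiosk",
        frozenset({sha256_hex(NOTEPAD_V1)}),
        frozenset({443}),
    ),
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def check_execution(group: str, path: str, contents: bytes) -> Decision:
    """Default deny: only hashes explicitly approved for the group may run."""
    policy = POLICY.get(group)
    if policy is None:
        return Decision(False, f"no policy for group {group!r}; default deny")
    digest = sha256_hex(contents)
    if digest in policy.allowed_hashes:
        return Decision(True, f"{path}: hash {digest[:12]} on allowlist")
    return Decision(False, f"{path}: hash {digest[:12]} not on allowlist for {group}")


def check_outbound(group: str, port: int) -> Decision:
    """Default deny for network connectivity as well, keyed by destination port."""
    policy = POLICY.get(group)
    if policy is None or port not in policy.allowed_outbound_ports:
        return Decision(False, f"outbound tcp/{port} denied for {group}")
    return Decision(True, f"outbound tcp/{port} permitted for {group}")


def audit(group: str, exec_events, net_events) -> list:
    """Evaluate a batch of events and return the denial log lines an operator would review."""
    denied = []
    for path, contents in exec_events:
        d = check_execution(group, path, contents)
        if not d.allowed:
            denied.append(f"DENY exec [{group}] {d.reason}")
    for port in net_events:
        d = check_outbound(group, port)
        if not d.allowed:
            denied.append(f"DENY net  [{group}] {d.reason}")
    return denied


if __name__ == "__main__":
    events = [
        ("C:\\Windows\\notepad.exe", NOTEPAD_V1),
        ("C:\\Windows\\notepad.exe", NOTEPAD_V2),   # patched binary, policy not yet updated
        ("C:\\Users\\jane\\Downloads\\invoice.pdf.exe", DROPPER),
    ]
    for line in audit("finance", events, [443, 445]):
        print(line)
```

Two points the output makes visible: the unknown dropper is denied without any signature for it, which is the whole appeal of default-deny execution control, and the patched copy of an approved program is denied too, which is the operational cost the post alludes to: hash allowlists only work if central IT updates the policy in step with software updates, otherwise legitimate work stops.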
