Re: [fw-wiz] Mis-attribution - Re: How automate firewall tests



-----Original Message-----
Subject: [fw-wiz] Mis-attribution - Re: How automate firewall tests


That's OK. It doesn't matter whether you do or not. You can choose to
go around not believing in the laws of physics, either. But that
doesn't change the fact that "the bigger they come, the harder they hit."

There is no doubt that, given infinite resources, a perfect security
implementation could be created.

...for time T where T is less than 1 business day. Then it would need to be
changed.

Man I'm sorry I missed this thread. I figured out last week that Gmail's
been marking large portions of fw-wiz as spam. Also sorry I missed you guys
at IANETSEC's event in Lincolnshire last week.

I did a presentation last year on security models and why they're a red
herring. The audience was a group of developers, so I focused more on
actual models like MAC, TAM, etc. (as opposed to the rebundling of
least-privilege as the "positive security model"). The bottom line was that
I urged the audience to think more about modular design than about models so
that systems are easier to modify to adapt to meet new needs and mitigate
new threats.

And while you can argue the merit of modeling either way - and I don't
believe that access models are worthless, far from it, in fact - you miss
the point by focusing on it. Marcus likes to say that "the hackers don't
care...," and he's right. Hackers exploit security outside of the
assumptions of security models*, including least-privilege.

If access models or least-privilege worked, then taking away local admin
rights on workstations would be a huge step towards stopping the spread of
malware. And using RBAC in your payroll app would prevent data disclosure.
But the problems are that even when these models are followed to their
letter (if not their spirit), they fail to prevent common problems because
malware can survive in unprivileged space and because confidential
information disclosures occur outside of the application.

My $0.02 on the subject, anyway.

PaulM

* I stole this from Dorothy Denning. You should read the speech I lifted it
from:
http://www.cs.georgetown.edu/~denning/infosec/award.html

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards