Re: Know your enemy, Virtual Honeynets, Yet more information
From: Dragos Ruiu (dr@kyx.net)
Date: 08/21/02
From: Dragos Ruiu <dr@kyx.net> To: Benjamin Robson <ben@robson.ph>, focus-ids@securityfocus.com Date: Wed, 21 Aug 2002 10:16:15 +0000
On August 21, 2002 05:46 am, Benjamin Robson wrote:
> In-Reply-To: <Pine.LNX.4.44.0208201310380.26371-100000@marge.spitzner.net>
> The point I am trying to make is that there are LOTS of security
> professionals out there today that claim if you don't have a firewall and
> IDS, a honeypot and a blender (in extreme cases), then you just aren't
> secure. They are advocating such systems where they are just not
> appropriate.
>
> *sigh* If only security professionals weren't so precious about these
> things, and a little more responsive to the real-world (at least as real-
> world as managers get), then the market as a whole might be a little more
> receptive to the security case.
>
> My overall comment intended to say that the security professionals of the
> world need to get down from their nice clean offices, and in to the
> trenches a bit more with the poor systems administrators who are the ones
> facing the real world scenarios. They are not called in on a case-by-
> case basis, nor do they get to just sit around playing with new "funky"
> security technology. They need things that are quick to deploy, easy to
> understand, and improve their workload, not make it worse.
Uh well a nice, clean, mostly empty, honeypot system, all nicely checksummed
is probably much easier and quicker to deploy (at least if your sysadmins
have their system deployments down pat and nicely standardized) than
either a good firewall or a good ids, but it provides less coverage too, and
should definitely not be a work item if at least the firewall is not in
place...
Though, I would hardly call honeypots "funky". The simple recipe version:
1. install
2. find / -type f -exec rmd160 \{\} \; >checksums
3. scp checksums <box of choice with cdburner>:.
4. rm checksums
5. Lather, rinse, repeat
Secondly, I'm afraid I'll have to disagree with you about the blender.
It _is_ de rigueur. A sysadmin cannot adequately interact with the
management without a margarita for decompression afterwards. :-)
As far as "market" receptiveness to the "security case": well when the
"market" gets their customer list posted to a public forum or their customers'
cc's stolen or similar they will change their mind. :-)
But your point is well taken, many times pragmatism is cast aside for
the glee of a new box with bells and whistles which may have dubious
overall improvement in security - for most security begins with humans
and processes not boxes with funky high LPSI(LED's per square inch).
But honeypots don't seem the best example to prove this point with.
cheers,
--dr
-- dr@kyx.net pgp: http://dragos.com/kyxpgp Advance CanSecWest/03 registration available: http://cansecwest.com "The question of whether computers can think is like the question of whether submarines can swim." --Edsger Wybe Dijkstra 1930-2002
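
The checksum recipe in the message above stops at taking the baseline. The following is an added example, not part of the original post, that also covers the later comparison against the offline copy. It assumes GNU `sha256sum` in place of `rmd160`, and the function names (`make_manifest`, `compare_manifests`, `check_tree`) are hypothetical.

```shell
#!/bin/sh
# Added example: baseline a tree, then report drift against that baseline.
# Assumption: sha256sum (GNU coreutils) stands in for the rmd160 tool.

# make_manifest ROOT: one "hash  path" line per regular file under ROOT.
# -xdev stays on one filesystem (skips /proc, /sys when ROOT is /);
# -print0 / -0 keeps filenames that contain spaces intact.
make_manifest() {
    find "$1" -xdev -type f -print0 | xargs -0 -r sha256sum | LC_ALL=C sort -k 2
}

# compare_manifests BASELINE: read the current manifest on stdin and print
# one ADDED / MODIFIED / REMOVED line per file that differs from BASELINE.
compare_manifests() {
    awk '
        { hash = $1; path = substr($0, length($1) + 3) }
        phase == 1 { base[path] = hash; next }
        {
            seen[path] = 1
            if (!(path in base))         print "ADDED " path
            else if (base[path] != hash) print "MODIFIED " path
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' phase=1 "$1" phase=2 - | LC_ALL=C sort
}

# check_tree MANIFEST ROOT: return 0 if ROOT still matches MANIFEST,
# otherwise print the differences and return 1. MANIFEST should be the
# offline copy and must live outside ROOT.
check_tree() {
    report=$(make_manifest "$2" | compare_manifests "$1")
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Command-line use: "baseline ROOT" or "check MANIFEST ROOT".
case "${1:-}" in
    baseline) make_manifest "$2" ;;
    check)    check_tree "$2" "$3" ;;
esac
```

On a mostly empty honeypot any ADDED or MODIFIED line outside expected log paths is worth a look, which is what makes the clean baseline useful.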