On Wed, 26 May 1999, Jen wrote:

> Firewalls do logging, etc., which routers generally don't.  I think this

I don't know what etc. stands for, but Ciscos certainly do logging.  
Configurable logging at that.

> is at least half the value of a firewall.  That said, your point about a
> firewall providing no better protection than a well configured router is
> well taken. However, the vast majority of the people responsible for
> network security have neither the time nor the skill to do that kind of
> configuration.  Yes, that's a sad state of affairs, but I don't think
> that as a result we should all lie down and wait for death.  We'll make
> do with what we have, even if it's not the best.

But we are lying down and waiting for death.  That's the point.  We're 
sitting on some train tracks, we can see that locomotive headed straight 
for us, but since our feet are tired, sitting is at least doing something 
to solve the problem.  Oh yeah- wrong problem!

> Ultimately, I think what most of us on this list are after is a degree
> of acceptable security, not absolute security (which I'd argue is not
> possible).  Saying that we need to use protocols designed to be secure
> is a nice ideal, but it's not practical -- what we actually need is to
> bring in revenue, which always entails risks.

No, this is a very bad way of looking at things.  When the security 
administrator hat is on, the job is providing the most security possible 
within the scope of the business requirements.  Bringing in revenue is a 
different hat and they shouldn't be confused.  What happens when you get 
a repeatable event that shuts down that revenue stream and there's no way 
to stop it?  What good do you do your customers having built on an 
insecure foundation if the house falls over just when they have a 
critical need for a product or service?

> This isn't a pessimistic outlook, just a pragmatic one.  Security is
> about improving the odds, not removing all risk.  So when we discuss

No, security is about minimizing risk.  Improving odds is something that 
shouldn't be confused with providing security.  If your business is 
gambling, then odds matter - but risk still matters more.  A system that 
has security in a certain context has that security no matter what the 
odds of it being attacked.  A system with low odds of being attacked and 
a similar system with high odds of being attacked which both have low 
security are equally insecure.  That's the difference between _engineering_ 
and not engineering.  If you need to dam a major river to provide 
power, you can throw up some half-assed structure with ready-mix concrete 
and no clue of what you're doing and call it damed (it's really damned, but 
hey).  All your users will build their houses downstream of that dam, and 
when it comes falling down you'll have victims and no power.  Immediate need 
is the antithesis of infrastructure engineering.  You can kid yourself by 
calling it "pragmatic" to get that dam up, and you can build your market 
in the new land you've uncovered.  Don't expect an engineer who knows how 
to build structures like the Grand Coulee Dam to agree with your analysis of 
the odds of it coming down around the to-be-victims it's supposed to be 
servicing.  Don't expect them to consider daily odds of it coming 
crashing down a good substitute for doing the right thing up-front either.

> things like allowing DCOM (or allowing modems behind the firewall) --
> sure, it's good to point out reasons you wouldn't want to do this.  This

Absolutes don't work.  That's why it's better to engineer than to gamble.

> info might even help someone convince management not to do it.  But, in
> the end, if the business decides to go forward with the plan even
> knowing the risks, let's help the poor person who's stuck with a bad
> situation make it less bad.

What happens when your expensive placebo doesn't function at a critical 
moment and the business suffers irrevocable harm?  Do you get extra 
points for trying to make people happy?  Minimizing the severity of poor 
security and infrastructure planning by glossing over inane products 
doesn't make inane product producers make better products.  It ignores 
the problem and leads to a downward spiral.  Things like DCOM exist 
because *people let them through firewalls even when they know better.*  
If nobody let them through you can _bet_ (at higher odds) that the 
protocols would be redesigned faster than you can pull the handle on a 
slot machine.  I'd rather increase security than lower odds of attack, your 
mileage may vary.

> As an aside, here's something to ponder: Yes, it's sad that most folks
> responsible for security aren't experts.  But are sophisticated hackers
> multiplying at a greater rate than expert security professionals? Or are

Yes, they _most_definitely_ are multiplying at a greater rate.  Attackers 
take the time to learn to attack in larger numbers than defenders take 
the time to learn to defend. 

> they mostly novices, too?  I suspect that, to a large degree, what we're
> using firewalls to protect against is hacker tools. Kind of ironic,
> isn't it? We have security tools for novices to protect against hacking
> tools for novices.

No, we mostly have pseudo-security tools to protect against real cracking 
tools.  That's the issue.  Worse yet, the novices are telling us all that real 
security isn't important to them, and when we ask them "Why bother?", they 
say they're making people feel better.  Palm readers make some people 
feel better - but we don't generally confuse them with doctors.

> Jen
> 
> P.S. I fall into that category you despair over -- a novice who's doing
> security (actually, I'm worse -- I'm a manager of novices doing
> security).  There's no way any of us could configure a router to be more
> secure than our firewall is (or should I say to be less insecure than
> our firewall is?).  But I'll bet our network is more secure than most. 
> Scary.

Ok, so let's say that you only have 10 gaping security holes that anyone 
can exploit to take down your network instead of 50 - that makes you feel 
better?  I don't know what kind of router you have, but my preferred router 
vendor has a single document that discusses providing network security with 
their product.  It's a hell of a lot shorter than the documentation for 
any commercial firewall product I've ever seen, and I've seen a lot of 
them.  To me, "more secure than most" means that a determined attacker 
can't get in without compromising an internal host by coopting a user.  

Insecurity isn't about the number of holes, it's about the exploitability of 
the holes that are there.  If you have 10 gaping holes instead of 50, 
you're just as insecure as the person with 50.  Thinking otherwise is 
pure folly.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280
