Re: [Full-disclosure] perfect security architecture (network)
Hi All,

The point that I wanna make is "just make it simple". If I can work with what I got, why do I have to invest? If no tool provides 100% security, why not invest a little money in an awareness program, policy design, and especially restricting users from unnecessary applications?

Thank you all for your valuable comments.

C0br4

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
RE: [Full-disclosure] perfect security architecture (network)
That is the exact attitude of "Perfect Security". If you have a small 10 person shop you're not going to purchase a big identity management solution. You're going to spend a couple of hundred dollars to train you and your people how to create and use strong passwords effectively.

EVERYONE in the industry must remember that ROI and TCO are king and queen. If you can't justify the expenditure for the protection, then it's not working.

The only exception to this rule is that everyone must take those basic minimum steps to protect the systems under their control, such as firewalls, anti-virus, and updates.

I do a lot of work with the "Forgotten Market" of Small and Medium Business. At this level ROI and TCO are critical to the success of the plan. Smaller companies don't have the capital to waste and recover from other areas like the large enterprises do.

Chuck Fullerton

-----Original Message-----
From: C0BR4 [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 10, 2005 3:01 AM
To: [EMAIL PROTECTED]
Cc: Chuck Fullerton; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] perfect security architecture (network)

Hi All,

The point that I wanna make is "just make it simple". If I can work with what I got, why do I have to invest? If no tool provides 100% security, why not invest a little money in an awareness program, policy design, and especially restricting users from unnecessary applications?

Thank you all for your valuable comments.

C0br4
Re: [Full-disclosure] perfect security architecture (network)
I don't think about perfect network security but I know an advanced security architecture includes at least psychological and sociological support systems.

--
Aycan iRiCAN
C0R3 Computer Security Group
http://www.core.gen.tr
RE: [Full-disclosure] perfect security architecture (network)
Seeing as how this thread is RAPIDLY going OT (and is probably already OT for the list), in the interest of brevity

You're playing on semantics. One can play the semantics game forever. What you're suggesting doesn't really hold water. You or I might not use a bank vault to store $50 bucks, but a homeless person might kill for it. Or I might use a bank vault if I'm going to put in $50 Bucks continually. Money is money, data is data, and more often than not, data is money.

I'm not familiar with the OSSTMM, but I tend to follow the philosophies and guidance in the Network Security Credo: http://staff.washington.edu/gray/papers/credo.html . I like one of the quotes in the prologue:

"It's naive to assume that just installing a firewall is going to protect you from all potential security threats. That assumption creates a false sense of security, and having a false sense of security is worse than having no security at all."
Kevin Mitnick
eWeek 28 Sep 00

Case in point, I don't have an enterprise network at my home that stores top secret proprietary or government data, but I still have an anti-virus solution, firewall(s), IDSs, and a few other tricks in my bag that help me to ensure my network is secure. Overkill? Not in my house. ;-)

--
- Charlie, CBSFR
5A27 58D2 C791 8769 D4A4 F316 7BF8 D1F6 4829 EDCF

> -----Original Message-----
> From: Chuck Fullerton [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 08, 2005 7:51 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
> Subject: RE: [Full-disclosure] perfect security architecture (network)
>
> >There IS NO *perfect* security.
> >If you have a customer that is asking for "perfect security", tell them it can't be done.
>
> I beg to differ. If you have a customer that's asking for Perfect Security then read the OSSTMM. (Better yet, send them to my company.) ;-)
>
> If you don't believe me then check out my whitepaper, "How to Make the 'Perfect' PB&J". It can be downloaded at http://www.infosecwriters.com/texts.php?op=display&id=236
>
> People that are asking for Perfect Security are those that want the level of security they need for their environment. You're not going to use a Bank Vault to secure only $50.00. It's overkill and their ROI won't match up.
>
> So the next time a customer asks you for "Perfect Security" they are telling you that they don't want to be oversold.
>
> Sincerely,
>
> Chuck Fullerton
RE: [Full-disclosure] perfect security architecture (network)
>There IS NO *perfect* security.
>If you have a customer that is asking for "perfect security", tell them it can't be done.

I beg to differ. If you have a customer that's asking for Perfect Security then read the OSSTMM. (Better yet, send them to my company.) ;-)

If you don't believe me then check out my whitepaper, "How to Make the 'Perfect' PB&J". It can be downloaded at http://www.infosecwriters.com/texts.php?op=display&id=236

People that are asking for Perfect Security are those that want the level of security they need for their environment. You're not going to use a Bank Vault to secure only $50.00. It's overkill and their ROI won't match up.

So the next time a customer asks you for "Perfect Security" they are telling you that they don't want to be oversold.

Sincerely,

Chuck Fullerton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charles Heselton
Sent: Monday, August 08, 2005 9:36 PM
To: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] perfect security architecture (network)

Although Daniel's comments may be tongue-in-cheek, there is some truth. Here are a few ideas that have become more or less mantras for me, personally

There IS NO *perfect* security.

Defense in depth.

The larger your network is, the less effective your perimeter becomes.

The end user is always the weakest link.

There may be a few more that people feel I have left out. Basically, if you're asking what I think you're asking, you have to be able to cater the level of security you're providing to the needs of your customer. Anti-virus/spyware software, firewalls, IDS/IPSs, "Security Minded" routing... all of these things have a part in an ideally secure situation. The point is to identify the most critical assets and possible vectors of attack. Then you design a security architecture that 1) addresses those vectors, and 2) has multiple layers that should one preventative method fail, another will detect/prevent (defense in depth). There will always be someone out there who is able to figure out a hole, with enough knowledge, experience, persistence, and luck.

If you have a customer that is asking for "perfect security", tell them it can't be done. If you're asking a philosophical question, well secure application development can make a security professional's life a little easier, but it's not going to solve the fundamental problem. But, just like the rest of the security tools (firewalls, etc.), more secure applications and programming techniques only play a part.

HTH.

--
- Charlie
5A27 58D2 C791 8769 D4A4 F316 7BF8 D1F6 4829 EDCF
RE: [Full-disclosure] perfect security architecture (network)
Although Daniel's comments may be tongue-in-cheek, there is some truth. Here are a few ideas that have become more or less mantras for me, personally

There IS NO *perfect* security.

Defense in depth.

The larger your network is, the less effective your perimeter becomes.

The end user is always the weakest link.

There may be a few more that people feel I have left out. Basically, if you're asking what I think you're asking, you have to be able to cater the level of security you're providing to the needs of your customer. Anti-virus/spyware software, firewalls, IDS/IPSs, "Security Minded" routing... all of these things have a part in an ideally secure situation. The point is to identify the most critical assets and possible vectors of attack. Then you design a security architecture that 1) addresses those vectors, and 2) has multiple layers that should one preventative method fail, another will detect/prevent (defense in depth). There will always be someone out there who is able to figure out a hole, with enough knowledge, experience, persistence, and luck.

If you have a customer that is asking for "perfect security", tell them it can't be done. If you're asking a philosophical question, well secure application development can make a security professional's life a little easier, but it's not going to solve the fundamental problem. But, just like the rest of the security tools (firewalls, etc.), more secure applications and programming techniques only play a part.

HTH.

--
- Charlie
5A27 58D2 C791 8769 D4A4 F316 7BF8 D1F6 4829 EDCF

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel H. Renner
> Sent: Monday, August 08, 2005 9:08 AM
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] perfect security architecture (network)
>
> Good Lord C0br4,
>
> Did your new client give you a shopping list or what?
>
> Use the force C0br4! The force (of the right forum) will protect you!
>
> --
> Dan Renner
> Los Angeles Computerhelp
> http://losangelescomputerhelp.com
RE: [Full-disclosure] perfect security architecture (network)
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of C0BR4
> Sent: Monday, August 08, 2005 11:05 AM
> To: [EMAIL PROTECTED]
> Subject: [Full-disclosure] perfect security architecture (network)

> How should we deal with these attacks? People talk about
> Firewall, IDS/IPS etc..
>
> What's best?

You can have all - especially security in layers is the best, and it is best that you use all.

Have a restrictive firewall at the perimeter.
Separate the web exposed servers and applications in DMZ.
Anti-virus is mostly reactive; use that but don't *rely* on it.

> If asked to give a perfect security architecture (network) what would
> you suggest? Given
> a Firewall, Router, IDS, IPS and Anti-virus .

Firewall - openbsd with pf or Selinux with ipchains / iptables - ( don't know the exact name ) but I am using pf
Router - if you are running a low throughput net you can use another Linux / bsd box to do this stuff also
IDS - snort with proper configuration and fine-tuning - this takes some time but once done this is rock solid
IPS - same as above - snort
Antivirus - Clamav

Snort and Clamav also run on windows if you are not running UNIX, and there are manuals about this on the net.

What system are you trying to design?
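As an added illustration of the layout suggested in the reply above (a restrictive perimeter firewall with the web-exposed server separated into a DMZ, using OpenBSD pf), here is a minimal three-interface ruleset. It is not part of the original message; the interface names, addresses and tag names are assumptions.

```pf
# /etc/pf.conf: constructed example, not taken from the thread.
# Interface names, addresses and tag names below are assumptions.
ext_if  = "em0"            # Internet uplink
dmz_if  = "em1"            # DMZ segment holding the web-exposed server
int_if  = "em2"            # internal LAN
int_net = "10.0.0.0/24"
web_srv = "192.0.2.10"     # DMZ web server (documentation address)

set block-policy drop
set skip on lo

# Restrictive by default: anything not explicitly passed below is
# dropped and logged to pflog, where an IDS or a human can review it.
block log all

# Reject packets claiming an inside source but arriving elsewhere.
antispoof quick for { $int_if $dmz_if }

# Internet -> DMZ: only HTTP/HTTPS to the web server.
pass in  on $ext_if inet proto tcp to $web_srv port { 80 443 } tag WEB
pass out on $dmz_if tagged WEB

# LAN -> firewall: accepted from the LAN range only, tagged on entry.
pass in  on $int_if inet from $int_net tag LAN

# LAN -> Internet: NATed behind the firewall's outside address.
pass out on $ext_if inet tagged LAN nat-to ($ext_if)

# LAN -> DMZ: the same web ports only, no management protocols.
pass out on $dmz_if inet proto tcp to $web_srv port { 80 443 } tagged LAN

# DMZ -> LAN and DMZ -> Internet: no pass rule exists, so a compromised
# web server cannot open new connections in either direction. Replies to
# connections passed above are allowed by state tracking.
```

The ruleset can be syntax-checked without loading it with `pfctl -nf /etc/pf.conf`.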
Re: [Full-disclosure] perfect security architecture (network)
Good Lord C0br4,

Did your new client give you a shopping list or what?

Use the force C0br4! The force (of the right forum) will protect you!

--
Dan Renner
Los Angeles Computerhelp
http://losangelescomputerhelp.com

On Mon, 2005-08-08 at 12:00 +0100, [EMAIL PROTECTED] wrote:
> Date: Mon, 8 Aug 2005 11:04:34 +0530
> From: C0BR4 <[EMAIL PROTECTED]>
> Subject: [Full-disclosure] perfect security architecture (network)
> To: [EMAIL PROTECTED]
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hey guys,
>
> Have couple of questions need answers plz...
>
> There are three attacks that jeopardize Information security.
>
> --
> - secure Network -
> --
> - secure Host -
> --
> - secure Application -
> ---
>
> How can we optimize security? Stopping attacks at network or building
> secure applications..
>
> How should we deal with these attacks? People talk about Firewall,
> IDS/IPS etc..
>
> What's best?
>
> If asked to give a perfect security architecture (network) what would
> you suggest? Given
> a Firewall, Router, IDS, IPS and Anti-virus .
>
> thank you
> C0br4