[Dshield] Secure computing (was: Port 135)
Benjamin M.A. Robson
ben at robson.ph
Mon Oct 28 00:01:49 GMT 2002
Time to have some buy-in on this discussion...
Jan Johansson wrote:
> On Sun, Oct 27, 2002 at 01:19:10PM -0700, Kenton Smith wrote:
>>I can understand your logic to a point. This seems a bit like
>>the John Wayne approach to me. What about some kind of layered
>>approach to security? Here's where your argument falls flat to
>>Our opinion is that "Firewalls are for cowards".
> This is a joke that we use when people suggest that the solution
> to all problems is a firewall. But it is also a golden rule of
> how we do things.
> A firewall may well have its place. We do not use it as our front
> door as it would cause more problems than it solves.

Securing any asset, be it physical or informational (virtual *sic*), is always about mitigation, and
making the asset not worth the effort required (where effort includes things like ease of access,
hoops to jump through to acquire the asset, etc...).

The best way to prevent an asset from being stolen, vandalised, tampered with or copied is to not
have the asset there in the first place. This is where a baseline policy of securing individual
network hosts comes into play. If the network device does not have a web server running, the
kadmind service turned off, and any other services removed then the remote hacker/cracker is going
to find it -very- challenging to gain access to that system (hence many attackers have gone for the
client-side approach with agents propagated via email).

The firewall appliance, and other security devices (such as IDS systems) are all about risk
mitigation when services need to be run. If you had no services running on any devices you wouldn't
need much more than a good acceptable use policy, an anti-virus toolkit, and tight restrictions on
email access. (I know there are still ways around this, but I am making a point. Keep in mind my
earlier statement about effort etc...).

It's when you need to start turning services, such as www/ftp/etc..., on that these border protection
appliances come into their own. What do you do with those 200 web servers, providing services to
2000 paying clients, when Apache gets another vulnerability? You can't afford to shut them down,
until they are patched, as the revenue lost would be astronomical. The only action left to you is
to look at the exploit, see if there are any unique characteristics that can be blocked at the
firewall (things like the agent sending data back to specific IP addresses/URLs), and look for other
characteristics that might be detected on the wire by an ID system, for action at the time of exploit.

My apologies for those that see this as bleedingly obvious, but in my experience there are many who
don't. (That's discounting the possibility I am completely wrong. ;-P )
Achillean Pty. Ltd.
brobson at achillean.com.au
ben at robson.ph
The best way to secure your house is to tape your neighbour's front door key to your letter box.