Security Basics: Re: Host-Base Firewall
From: Adriel Desautels <adriel_at_netragard.com>
Date: Fri, 30 May 2008 11:56:36 -0400

Certainly,
        While hardware security solutions do serve a purpose and do defeat some
attacks, they cannot solve the human element problem or the evolution
problem.

        The human element problem is one where a human being makes the decision
to trust something and as a result suffers a compromise. Social
engineering attacks specifically exploit this trust issue. I don't know
of any hardware appliance or software package that can defend against
that attack successfully even 50% of the time.

        The evolution problem is the mathematical guarantee that very nearly
all software will at some point contain an exploitable vulnerability.
That is a guarantee because humans are fallible and unless software is
mathematically proved to be secure then it isn't 100% secure; it's
created by humans. Hardware appliances are just computer systems that
run software. They need to be maintained and patched just like
everything else.

        A while back our research team performed an assessment of several
security appliances as a part of an R&D project. During that assessment
we learned that security appliances are not maintained by the vendor as
well as regular computer systems are maintained by IT staff.

        Getting more specific. One of the appliances that we studied was one
that was used to send secure email. A user would login to the appliance,
write an email and click the send button. Then an email containing a URL
would be sent to the recipient. The recipient would read the email by
clicking on the URL and get redirected to an SSL based website where the
actual message was located. The real message never left the server.

        When we assessed the appliance technology we discovered that the
libraries and software that were being used were on average 1-3 years
old. We also found several known and exploitable vulnerabilities in
those software packages. The vendor never released any fixes for those
issues in any of their "updates". In fact, the vendor very rarely
released any updates at all.

        This risk of vulnerability is the same in all technologies regardless
of what the technology is supposed to do. The only real way to protect
against such a risk is with policies, procedures, and good training. You
need to remember that you are not defending against technology, you are
trying to protect yourself from a smart human enemy.

        Does that answer your question?
        

Regards,
        Adriel T. Desautels
        Chief Technology Officer
        Netragard, LLC.
        Office : 617-934-0269
        Mobile : 617-633-3821
        http://www.linkedin.com/pub/1/118/a45

        Join the Netragard, LLC. Linked In Group:
        http://www.linkedin.com/e/gis/48683/0B98E1705142

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com - "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know : http://tinyurl.com/26pjsn

forgottenwizard wrote:
> On 11:03 Thu 29 May , Adriel Desautels wrote:
>> All,
>> Firewalls are packet control devices. They do little more than control the
>> flow of traffic into and out of your network. Some of them contain
>> "defensive" capabilities such as IPS. Those defenses make decisions based
>> on the nature of the traffic. Those decisions aren't as accurate as they
>> should be because the very medium from which they are forming "opinions" is
>> flawed. Traffic can be spoofed/forged/manipulated, so how can one trust it?
>>
>> Security is more of a process than anything else. It is enforced by
>> policies, procedures, and the people using technology. Security cannot be
>> found via hardware. This is a bit philosophical, but I can back this up if
>> anyone doesn't understand my perspective.
>>
>
> I would like for you to expound upon your comment if you wouldn't mind,
> especially your comment that it cannot be found via hardware.
>
Received on May 30 2008
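As an added example (not code from the post, nor from Netragard or any appliance vendor): a small inventory audit in the spirit of the appliance assessment described in the reply above. It takes a package list with release dates, flags components that are older than a threshold or below a minimum acceptable version, and uses a version comparison that handles OpenSSL-style letter suffixes. The package names, versions, release dates and the minimum-version baseline are constructed for illustration only; they are not findings about any real appliance, and a real baseline would be built from the vendors' advisories.

```python
"""Flag stale or below-baseline components in a package inventory."""
import re
from datetime import date

# Constructed sample inventory in the form "name version release-date", as
# one might scrape from an appliance's package manager. Illustrative only.
SAMPLE_INVENTORY = """\
openssl 0.9.8b 2006-05-04
apache2 2.0.55 2005-10-16
php5 5.2.5 2007-11-08
libxml2 2.6.32 2008-04-08
"""

# Hypothetical minimum acceptable versions (an assumption for this example;
# derive a real baseline from the upstream vendors' security advisories).
MIN_VERSION = {"openssl": "0.9.8g", "apache2": "2.2.8", "php5": "5.2.6"}

# Anything released more than a year before the audit date is flagged.
MAX_AGE_DAYS = 365


def parse_version(version):
    """Split a version string into a comparable tuple.

    Numeric runs become (0, int) and alphabetic runs become (1, str), so
    "0.9.8" < "0.9.8b" < "0.9.8g" and "1.9" < "1.10" compare as expected
    without any int/str comparison errors.
    """
    parts = []
    for token in re.findall(r"\d+|[A-Za-z]+", version):
        parts.append((0, int(token)) if token.isdigit() else (1, token))
    return tuple(parts)


def parse_inventory(text):
    """Parse "name version YYYY-MM-DD" lines into (name, version, date)."""
    inventory = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, version, released = line.split()
        inventory.append((name, version, date.fromisoformat(released)))
    return inventory


def audit(text, today, min_version=MIN_VERSION, max_age_days=MAX_AGE_DAYS):
    """Return {package: [reasons]} for every component that fails a check."""
    findings = {}
    for name, version, released in parse_inventory(text):
        reasons = []
        age_days = (today - released).days
        if age_days > max_age_days:
            reasons.append(f"released {age_days} days ago")
        floor = min_version.get(name)
        if floor is not None and parse_version(version) < parse_version(floor):
            reasons.append(f"below minimum {floor}")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    # Audit date chosen to match the date of the post; the inventory is constructed.
    for package, reasons in audit(SAMPLE_INVENTORY, date(2008, 5, 30)).items():
        print(f"{package}: {'; '.join(reasons)}")
```

The two checks are deliberately independent: a component can be recent yet still below the baseline (a vendor shipping an old branch), or above the baseline yet old enough that the baseline itself deserves a second look.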