Hey folks!
While I know what all y'all are saying and I feel the pain and frustration
("been there, heard that") it always leads me to a slightly more complex
conclusion: Darwin works on both camps, the consumer and the producer.
Consumer:
o Egress Filtering. Buy a bigger bloody router (if necessary) and invest
the time to use it properly, and it may well save you from the maw of the
Big Cat lurking just outside your campfire light.
o Identity, traffic monitoring, IDS, encryption (in all its
forms)... Sigh. These things are meant to help you; investigate them.
o The future will be littered with the descendants of those consumers not
eaten by Big Cats.
Producer:
o Read the first bit of Plato's Republic. I know it's not a shiny new
idea, but the FOCUS of the art of being a PRODUCER is to accommodate the
needs of the CONSUMER.
o If the consumer does not successfully experience the output of the
producer, it CANNOT, by definition, be the consumer's fault. If the clay
does not successfully experience the output of the sculptor, it cannot be
the fault of the clay; if the patient cannot appreciate the output of the
doctor, it is to the doctor's shame.
o Producers, tell your Consumers about building and managing a secure and
efficient network and they will often listen. (Building some decent
management tools wouldn't hurt, either).
o The future will be littered with the descendants of those producers who
addressed a consumer's needs.
As I postulated in my last rant, the Internet Protocol camp of the
Electronic Engineering tribe has to date done a bang-up job of (massive
shortcomings notwithstanding) building an Internet that most people can, in
most ways, use most of the time. We, the Security Brigade of the IP camp
(in this case we, all of us and not just the vendors, become the Producers)
have not, however, succeeded yet in polishing the edges of the thing so
that it fits into very many Consumers' daily lives without at least modest
reworking.
I have worked at a number of places - both very small and very large -
where it can be safely said that I and my fellow Producers did not achieve
the penultimate goal of crafting our output in a way that flowed seamlessly
into every Consumer's world. In some cases I could say that, circumstances
being different (read: "politics, decisions made, in some cases competence
levels"), the outcome would have more effectively met the goal of providing
something that truly matched more Consumers' needs and usage
scenarios. Most of the time, however, it's been a matter of taking some
tiny handful of people and making, from scratch, an offering that
definitely did address a significant chunk of the need for a significant
chunk of the world's population, though often enough only with more
hand-holding and rubber mallets than you would have seen had I gotten it
perfectly correct the first time.
The Producers (vendors and those who actually understand all this stuff)
need to keep sharpening their tools and methods until the Consumers (the
folks who buy the output of Producers, but specifically the
all-but-two-people who work for a Consumer and will *never* understand or
even really care) can utilize the output of Producers without altering
significantly from their established orbits.
What does all this proselytizing actually mean in real actions? Force the
evolutionary process on both ends.
o Keep up the pressure on the granular end. Producers who both make
products/services as well as those working for Consumer organizations have
to continue to fight the good fight. Every opportunity to change the
organism's genetics in a way that increases the odds of it surviving the
next Darwinian Incident is a good one. Every action of everyone reading
this increments in some way the survival characteristics of our
generation's descendants.
o Keep refining the Consumable solution. If Consumers can't chew the
fiber that they need to get the calories of Egress Filtering into their
diet (to use the current example), process the damn stuff until they
can. [nod to Marcus, who summed up the state of evolutionary progress in
the market real well in a recent pres. I could almost hear The Sheep Look
Up :-] In a world where Lazlò can't see his traffic without asking this
gaggle of gurus you just know there are millions of people staring blankly
at their networks like cows at a passing train. This is the Producers'
failing to achieve the End Goal.
I try to work for Producers who have some intent of considering the use
their Product will see in the real world. In almost all cases the result
has become highly consumable, but I have yet to see any effort reach the
End Goal - being available and usable for all possible Consumer scenarios
without requiring any hand-cranking (PIX has come the closest, but even
that bullet falls short of the final-final target).
Security is never going to be for the faint-hearted nor the hopelessly
incompetent. It will, however, get (and has gotten) more available and
more connected and more consumable. The question is, "Which Producers and
Consumers will be around to see it, and what were the characteristics that
helped them survive the Purge of 20XX?".
No big challenge, we just need to safely connect 6,000,000,000 people
intimately to each other in ways they can't even begin to understand using
tools and methods we haven't developed yet, but which will be blindingly
obvious to the smart-assed future ("If you're so smart, *you* come back
here and invent it!").
And we need it by Friday. :-)
-cheers
-chris
At 10:35 AM 2/4/2004 -0500, Marcus J. Ranum wrote:
> >egress filtering is basically what is being discussed here, and has long
> >been recommended, and long been rejected by the mass majority for quite
> >some time.
>
>Time was that I'd explain the value of egress filtering to non-technical
>managers and they'd immediately grab their security people and the
>dialog went like this:
>CIO:
> "So, why aren't we applying any controls to outgoing traffic?"
>Security guy:
> "Because we can't make the networking guys do it. They say
> it can't be done!"
>CIO:
> "Get the networking guys in here!"
>Networking guy:
> "You rang?"
>CIO:
> "Let's put some access controls in outgoing traffic, OK?"
>Networking guy:
> "Can't do it. It'd KILL PERFORMANCE!"
>_______________________________________________
>firewall-wizards mailing list
>firewall-wizards_at_honor.icsalabs.com
>http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Chris Blask
Vice President, Business Development
Protego Networks Inc.
(1) 416-358-9885 - Direct/Mobile
(1) 408 262 5220 - HQ
(1) 408 262 5280 - Fax
blask_at_protegonetworks.com
www.protegonetworks.com
"The first purpose-built appliance for Real-Time Security Threat Mitigation"
Received on Feb 04 2004