Firewall Wizards
mailing list archives
RE: Vulnerability Response
From: "Ben Nagy" <ben () iagu net>
Date: Fri, 28 May 2004 14:15:33 +0200
:) OK, let's go. Forgive me if you think my snips have distorted your
message, I tried to avoid that.
-----Original Message-----
From: Marcus J. Ranum [mailto:mjr () ranum com]
[...]
Ben Nagy wrote:
The big problem with host based anything is that the management
effort scales with the number of hosts.
Not linearly, though.
It scales non-linearly if the problem area is well-defined.
[...]
Consider A/V as a case study. [...]
There's no case where a user is going to need to be able to
run Netsky.V3 on his desktop, or whatever. So administration
scales because there's no real complexity.
Now - if you're gonna make a firewall policy for 10,000
desktops [then it gets hard]
I agree.
However, there are a LOT of protocol problems that you can pick up at a host
level which are basically the same thing. No user will ever want to see
/../../../../../ on their webserver, no user will ever want
A[...]AAAAAA\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\[...] blah blah blah.
A network protocol firewall is just one example of "things that are hard to
do on a granular basis". All the "good" solutions contain much more generic
protections.
Just one example - "kernel" (kernel32.dll in Windows runs in userspace.
Nice.) protection. I stop LoadLibrary from being called from writeable
memory on windows. Boom, I stop a huge percentage of casually written attack
payloads[1]. One vendor uses this as one of their _core_ strategies - the
dumb thing is that it _works_.
I don't hear users screaming that XP is "less compatible" than Win95.
Wrong!
[...]
It doesn't matter if you have desktops that ship with
potentially useful tools if they only remain at the potential
stage. Therein lies the rub.
That's a very cynical view (although I admit you have cause).
Sticking with Hamlet, I think you're taking arms against a sea of troubles,
while I am suffering the slings and arrows of outrageous Windows.
Windows is a security issue that most companies need to live with. Limited
understanding of security is an issue that all experts need to live with.
Those who don't know better and don't want to learn STILL need to be
protected, if only for the sake of the rest of us.
Windows is getting more secure _by_default_. Fact. I will have that argument
with anybody. However, it is still EXTREMELY susceptible to worms, malware
and targeted attack.
However, there are a bunch of things we can do to make things better for the
overwhelmingly VAST population of organisations that fit the following
profile: "I do not really buy into real security theory. I want to buy a
product that will let me have my cake and eat it too - fragmented or
non-existent policies without catastrophic security failure."
I believe it can be done to a much greater extent than currently, but a
"Firewall, IDS, AV" approach will fail to do so.
When someone talks about doing mitigation at the host level,
it needs to be [good]. Sygate, for example, is
probably the best-thought-out enterprise firewall
concept/system. But I won't get enthused about host-side
mitigation until I see more than 1% of companies using
something like that.
So we agree that the concept is worthwhile, and implementations vary.
Peachy. I am happy now.
[...]
If you start with a million desktop PCs, build a standard
image based on what works for all the corporate apps and then run change control
then you end up with a million insecure PCs that nobody has the
authority to fix with any kind of agility.
That's not change control; "that's centralized management
using a stupid configuration." :)
Tomahto, Tomayto. Go word up some CSOs, nobody here but us chickens. :P
Bring on the cat and the horse, I'll fight youse all!
(kidding)
ben
[1] When executing an attack program on the stack of the victim computer I
will want to _do_ something. To get the address of the make_this_my_box()
function, or whatever I am calling, the "lazy" way is to call LoadLibrary.
Since your standard malware is executing on the stack, we can look at the
calling address and then nix the execution. Easy, right?
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
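The two "no user will ever want to see this" cases above (a path that climbs past the web root, and a request carrying an AAAA... cushion followed by raw shellcode bytes) are exactly the kind of generic, host-level protocol check the message argues scales well. The following is an added example written for this page, not code from the message, from Sygate, or from any product it mentions. It canonicalises a request target (repeated percent-decoding so that a double-encoded %252e is seen as the "." a twice-decoding server would see, with backslash treated as a separator as IIS does), then refuses anything that pops above the root or contains bytes no URL path legitimately carries. The function names, the 4096-byte limit and the run length of 64 are all assumptions of the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Verdicts for a request target, in the order the checks run. */
enum target_verdict {
    TARGET_OK = 0,
    TARGET_TRAVERSAL = 1,   /* a ".." climbs above the document root */
    TARGET_PAYLOAD = 2,     /* non-printable bytes or a long single-byte run */
    TARGET_TOO_LONG = 3
};

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* One pass of %XX decoding over buf[0..len), in place; returns the new length.
 * Malformed escapes are copied through unchanged. */
static size_t decode_once(unsigned char *buf, size_t len) {
    size_t r = 0, w = 0;
    while (r < len) {
        if (buf[r] == '%' && r + 2 < len &&
            hexval(buf[r + 1]) >= 0 && hexval(buf[r + 2]) >= 0) {
            buf[w++] = (unsigned char)(hexval(buf[r + 1]) * 16 + hexval(buf[r + 2]));
            r += 3;
        } else {
            buf[w++] = buf[r++];
        }
    }
    return w;
}

/* Decode until nothing changes (bounded), so a double-encoded "%252e" is
 * seen as "." exactly as a server that decodes twice would see it. */
static size_t canonicalize(const char *raw, size_t len, unsigned char *buf) {
    memcpy(buf, raw, len);
    for (int pass = 0; pass < 3; pass++) {
        size_t n = decode_once(buf, len);
        if (n == len) break;          /* no escape consumed: stable */
        len = n;
    }
    return len;
}

/* Walk the segments: "/" and "\" both separate, "." is ignored, ".." pops one
 * level. Any pop below the root is the traversal, wherever it appears. */
static int escapes_root(const unsigned char *p, size_t len) {
    int depth = 0;
    size_t i = 0;
    while (i < len) {
        while (i < len && (p[i] == '/' || p[i] == '\\')) i++;
        size_t start = i;
        while (i < len && p[i] != '/' && p[i] != '\\') i++;
        size_t seglen = i - start;
        if (seglen == 0) break;
        if (seglen == 2 && p[start] == '.' && p[start + 1] == '.') {
            if (--depth < 0) return 1;
        } else if (!(seglen == 1 && p[start] == '.')) {
            depth++;
        }
    }
    return 0;
}

/* Bytes no URL path carries (control or high bytes such as \xeb \x5e), or a
 * run of one byte longer than max_run (the "AAAA..." cushion before a payload). */
static int looks_like_payload(const unsigned char *p, size_t len, size_t max_run) {
    size_t run = 0;
    int prev = -1;
    for (size_t i = 0; i < len; i++) {
        if (p[i] < 0x20 || p[i] > 0x7e) return 1;
        if (p[i] == prev) { if (++run > max_run) return 1; }
        else { prev = p[i]; run = 1; }
    }
    return 0;
}

/* Classify one request target (the path part of the request line). */
int check_request_target(const char *raw) {
    unsigned char buf[4096];
    size_t len = strlen(raw);
    if (len >= sizeof buf) return TARGET_TOO_LONG;
    len = canonicalize(raw, len, buf);
    if (escapes_root(buf, len)) return TARGET_TRAVERSAL;
    if (looks_like_payload(buf, len, 64)) return TARGET_PAYLOAD;
    return TARGET_OK;
}

int main(void) {
    /* Constructed sample targets, not captured traffic. */
    const char *samples[] = {
        "/index.html",
        "/images/../../../../../etc/passwd",
        "/%252e%252e/%252e%252e/winnt/win.ini",
        "/scripts/..\\..\\winnt/system32/cmd.exe",
        "/cgi-bin/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%eb%1a%5e%31%c0",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%d  %s\n", check_request_target(samples[i]), samples[i]);
    return 0;
}
```

The order of the checks matters: canonicalise first, then judge, so that "%2e%2e", "..\" and ".." all reach the same branch. The byte-run heuristic is deliberately crude; it is there to show the point of the message, that a check this generic needs no per-user policy at all.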
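The check footnote [1] sketches, written out as an added example that is not Ben's code and not any vendor's implementation: the loader hook looks at the address it will return to and refuses the load when that address lies in writable memory. Since it has to run somewhere, this is the Linux analogue (the caller is taken with __builtin_return_address and looked up in /proc/self/maps); on Windows the same decision would sit in a hook in front of kernel32!LoadLibraryA/W and use VirtualQuery for the lookup. The hook name library_load_allowed and the helper names are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Find the mapping that contains addr in /proc/self/maps (Linux only).
 * perms receives the permission field, e.g. "r-xp" or "rw-p".
 * Returns 1 if addr is mapped, 0 otherwise. */
int lookup_mapping(const void *addr, char perms[8]) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return 0;
    uintptr_t a = (uintptr_t)addr;
    char line[512], p[8];
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        if (sscanf(line, "%lx-%lx %7s", &lo, &hi, p) != 3) continue;
        if (a >= lo && a < hi) {
            strcpy(perms, p);
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

/* Policy core. A legitimate call site lives in a code mapping (r-x), so a
 * return address in a writable page (stack, heap, an RWX scratch page) or in
 * no mapping at all is treated as injected code and refused. */
int address_is_writable(const void *addr) {
    char perms[8];
    if (!lookup_mapping(addr, perms)) return 1;
    return perms[1] == 'w';
}

/* Hypothetical hook body. On Windows this decision would sit in a detour in
 * front of kernel32!LoadLibraryA/W; on Linux it would wrap dlopen(). It is
 * noinline so that __builtin_return_address(0) really is the caller's. */
__attribute__((noinline)) int library_load_allowed(const char *name) {
    const void *caller = __builtin_return_address(0);
    if (address_is_writable(caller)) {
        fprintf(stderr, "DENY %s: caller %p is in writable memory\n", name, caller);
        return 0;
    }
    return 1;
}

int main(void) {
    char stack_buf[32] = "payload would sit here";   /* constructed, not real shellcode */
    void *heap_buf = malloc(64);
    char perms[8];

    /* A normal call from compiled code is allowed. */
    printf("load from main(): %s\n",
           library_load_allowed("ws2_32.dll") ? "ALLOW" : "DENY");

    /* The same policy applied to the addresses a payload would be running from. */
    lookup_mapping(stack_buf, perms);
    printf("stack %s -> writable=%d\n", perms, address_is_writable(stack_buf));
    lookup_mapping(heap_buf, perms);
    printf("heap  %s -> writable=%d\n", perms, address_is_writable(heap_buf));
    lookup_mapping((const void *)(uintptr_t)library_load_allowed, perms);
    printf("code  %s -> writable=%d\n", perms,
           address_is_writable((const void *)(uintptr_t)library_load_allowed));
    free(heap_buf);
    return 0;
}
```

The caveat a practitioner will want: this catches a payload that calls the loader directly from the stack or heap it is running on, which is why the message limits the claim to "casually written" payloads. A payload that first returns into existing code and lets that code perform the load presents a return address inside a code mapping and passes this check; that is a different problem from the one the hook is meant to solve.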