mailing list archives
Re: The Outgoing Traffic Problem
From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 18 Jul 2006 17:12:45 -0400 (EDT)
On Tue, 18 Jul 2006, Marcus J. Ranum wrote:
Sigh. ANY authentication would be better than none at all.
So now we're back to a conversation that I recall having several
times in 1992/3: that outgoing connections should be authenticated
as "belonging" to a real human behind a keyboard before they are
allowed. I remember Fred and I floated that idea to a few customers
(including folks who were considered to be very sophisticated, in
terms of security) and getting blank stares in response.
Been there, done that, broke the Gauntlet. Authentication for HTTP didn't
The end-game looks like: operating systems environments that
execute only white-listed executables that have been authorized
by the system owner or enterprise administrator, combined with
a "tie connectivity to a live human" layer for originating network
traffic, unless the system is a server (in which case it will be
firewalled down to just authorized services).
Software Policy Restrictions in Active Directory do the first part, just
finishing a live implementation- it's been um... interesting.
In the meantime, we'll get more emphasis on patching and
anti-badness detectors. As we've seen, anti-badness detectors
(IPS, A/V, IDS, anti-spyware, URL filtering, anti-spam) don't
really work, unless you're an anti-badness vendor. And, we can
see how well patching is working...
Schneier has written interesting stuff about the difficulty of
accurately tying a real human to a keyboard; there are signs
that the bad guys are working on how to do man in the middle
attacks against "captchas" and 2-factor authentication. For the
time being, though, using something like a captcha to get a
user to "unlock" their web access for 15 minutes (or whatever)
would raise the bar, but that'll only be temporary. On the other
hand, in the current ultra-target-rich environment, putting almost
any check in the outgoing pipe would put you light years ahead
of the rest of the pack. And, remember: you don't have to outrun
the lion - you just have to outrun the slowest of the other people
who are running away from the lion.
Here's a prediction for you: as target-specific attacks begin to
rise, the anti-badness approach is going to finally fail utterly.
There are going to be a lot of very nervous IT professionals
that have systems and networks that are way to permissive,
and they'll all be looking around for "Plan B." The bad news
is that most of the "Plan B" approaches reduce convenience
and accessibility for the users. That collision will be met with
You'll notice that, except for the "target-specific attacks"
aspect, the future (denial) looks a lot like the present (denial).
Target of Choice is always worse.
Paul D. Robertson "My statements in this message are personal opinions
paul () compuwar net which may have no basis whatsoever in fact."
http://fora.compuwar.net Infosec discussion boards
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com