Home page logo
/

firewall-wizards logo Firewall Wizards mailing list archives

Re: The Outgoing Traffic Problem
From: "Fetch, Brandon" <BFetch () texpac com>
Date: Thu, 27 Jul 2006 09:45:37 -0500

Paul,
Can you perhaps share your "interesting" notes from said Software Policy
Restrictions in AD endeavor?  Publicly, I'd hope.

Thanks,
Brandon

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com
[mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of
Paul D. Robertson
Sent: Tuesday, July 18, 2006 5:13 PM
To: Marcus J. Ranum
Cc: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] The Outgoing Traffic Problem

On Tue, 18 Jul 2006, Marcus J. Ranum wrote:

Sigh. ANY authentication would be better than none at all.

So now we're back to a conversation that I recall having several
times in 1992/3: that outgoing connections should be authenticated
as "belonging" to a real human behind a keyboard before they are
allowed. I remember Fred and I floated that idea to a few customers
(including folks who were considered to be very sophisticated, in
terms of security) and getting blank stares in response.

Been there, done that, broke the Gauntlet.  Authentication for HTTP
didn't 
scale.

The end-game looks like: operating systems environments that
execute only white-listed executables that have been authorized
by the system owner or enterprise administrator, combined with
a "tie connectivity to a live human" layer for originating network
traffic, unless the system is a server (in which case it will be
firewalled down to just authorized services).

Software Policy Restrictions in Active Directory do the first part, just

finishing a live implementation- it's been um... interesting.

In the meantime, we'll get more emphasis on patching and
anti-badness detectors. As we've seen, anti-badness detectors
(IPS, A/V, IDS, anti-spyware, URL filtering, anti-spam) don't
really work, unless you're an anti-badness vendor. And, we can
see how well patching is working...
http://www.ranum.com/security/computer_security/calendar/june.jpg

Schneier has written interesting stuff about the difficulty of
accurately tying a real human to a keyboard; there are signs
that the bad guys are working on how to do man in the middle
attacks against "captchas" and 2-factor authentication. For the
time being, though, using something like a captcha to get a
user to "unlock" their web access for 15 minutes (or whatever)
would raise the bar, but that'll only be temporary. On the other
hand, in the current ultra-target-rich environment, putting almost
any check in the outgoing pipe would put you light years ahead
of the rest of the pack. And, remember: you don't have to outrun
the lion - you just have to outrun the slowest of the other people
who are running away from the lion.

Here's a prediction for you: as target-specific attacks begin to
rise, the anti-badness approach is going to finally fail utterly.
There are going to be a lot of very nervous IT professionals
that have systems and networks that are way to permissive,
and they'll all be looking around for "Plan B." The bad news
is that most of the "Plan B" approaches reduce convenience
and accessibility for the users. That collision will be met with
denial.

You'll notice that, except for the "target-specific attacks"
aspect, the future (denial) looks a lot like the present (denial).

Target of Choice is always worse.

Paul
------------------------------------------------------------------------
-----
Paul D. Robertson      "My statements in this message are personal
opinions
paul () compuwar net       which may have no basis whatsoever in fact."
http://fora.compuwar.net      Infosec discussion boards 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


This message is intended only for the person(s) to which it is addressed 
and may contain privileged, confidential and/or insider information. 
If you have received this communication in error, please notify us 
immediately by replying to the message and deleting it from your computer. 
Any disclosure, copying, distribution, or the taking of any action concerning
the contents of this message and any attachment(s) by anyone other 
than the named recipient(s) is strictly prohibited.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]