Firewall Wizards mailing list archives

Re: firewall-wizards Digest, Vol 64, Issue 3 phishing
From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Mon, 15 Apr 2013 20:57:56 -0700

Dave Piscitello writes:

I think your premise - that we are comfortable with this architecture
- is wrong, at least for this choir.

Well, the recommendations are coming from the list.  If you're going to tell
me that sometimes we recommend things that we're none too happy about,
I understand.  But I still think it's a problem.  We would reduce the
number of real-world information security problems by -at least- a factor
of ten if we simply stopped doing things that we, collectively, know are
wrong.  I don't say that casually, and I think it's one of those things
that is a)  profoundly shocking, and b)  steadily getting worse rather than

And here, as before, I mean `we' in the collective sense, all
network/information security types out there working.  I'm not trying to
single out anyone on the mailing list, and I'm not trying to exclude
myself.  My argument is that the -structural- security of our networks
is, as a general rule, getting worse and worse and no matter how much
we tell ourselves it can't be helped and no matter how many spiffy
quote security unquote quote appliances unquote we allow vendors to
sell us this is still the fundamental reality.  

As far as virtualisation goes, I think it's a profound missed opportunity.
In principle things like AWS AMIs make doing minimal footprint, application-
specific OS installs with everything unnecessary turned off, central logging,
behaviour-based auditing based on a known-good baseline, and all those other
things that used to be comparatively expensive to do much MUCH more
straightforward.  But of course this isn't how, as a rule, virtualised
deployments are architected because doing things this way just isn't
even in most organisations' decision tree.

I realise that I'm probably doing two stupid things here:  preaching to
the choir, and complaining about a problem instead of fixing it.  But
this is something that I feel like I've spent years and years throwing
effort at (professionally, in contributing open source code to the
community at large, in mentoring other sysadmins/network admins, participating
in SAGE back when they were still a going concern, and so on) and things
just keep getting worse and worse.

-spb

firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
