Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

Re: Quote cybersecurity unquote
From: David Lang <david () lang hm>
Date: Wed, 6 Nov 2013 20:52:21 -0800 (PST)

On Wed, 6 Nov 2013, Marcin Antkiewicz wrote:

trying. If they can't do system administration or system operations,
they're going to step away from the plate and let Amazon or Google or
whoever do it. Overall, this is probably for the best.

unfortunantly you are misinterpreting what they are leaving up to Amazon
and Google.

They aren't outsourceing the system administration, all they are
outsourcing is the hardware administration.


In many ways, much of what's going on in cloud computing is a step
backwards for security. While cloud computing can make doing upgrades
easier for good admins, it also makes it easier to keep running old
software without patching it. Look at how VMWare is pushing their products
for the desktop by advertizing that people will be able to keep running
Windows XP forever.

Hold on. There are multiple trends in security here that you lump into the
same bag:
- "Cloud" describes little more than a billing model (subscription O&M),
and a form of provisioning (the "elasticity"), and some business glue.
Amazon sells you a slice of a hypervisor, Google used to sell managed
python execution containers, SalesForce lets you build a CRM-related
applications as plugins into their data and services. Save for the Amazon's
case, who needs sysadmins? If you have 3k Amazon instances, but all of them
run the same code, you need a deployment specialist that is more of a
programmer than a sysadmin. No one will fix a node, there is no capacity
planning, log rotation, account provisioning - those are fixed at much
higher scale, or done via APIs. You sysadmin here is called an Architect,
and knows Chef/Puppet/etc like you knew /etc.

the problem is that your 3K systems may all be running the same vulnerable code. You need a sysadmin to create and maintain your template that you then run everywhere.

And you do need these systems to log, and if you have logs, you need to worry about rotation, retention, etc.

Far too many people make the exact same mistake in thinking that since it "Cloud" you no longer need all the infrastructure tools to manage things. The tools do change (you don't upgrade 3K boxes, you upgrade the image and do a rolling shutdown/startup with new image of the 3K boxes), but you still need tools and people who understand what's happening.

you even still need people with the ability to troubleshoot the lower level systems and communications, just throwing things in the cloud doesn't solve all scaleing issues (just look at healthcare.gov for a very public proof of that)

- Why bother with Amazon? Same hardware in the corporate data center, and
people you can actually talk to? Let's see - I have an app, we want to have
a load balancer, 5 front caches and 2 backed DBs provisioned in 3 days. Oh,
your lead on hardware is 2 weeks, and we did not do this architecture
before? DNS issues? Ah, the cabling you guys did not do for 3 weeks... IT
is either a commodity, and begins to see competition on price with other
options, or it's a well run organization that is fiercely competent and
pragmatic. I see much more of the first kind.

and if you change your management to be "Cloud like" you can get even more gains by using bare metal systems that you netboot with a cloud-like management system and avoid the hypervisor overhead.

-  I have 35 sites where upgrade from XP to Win7 costs $0.5 mil a pop.
Those are not offices, there is no added functionality we will get from Win
7. No, I were unable to plan ahead. We saw the wall, and when we tried to
pull brakes, it turned out that we run drum brakes from the 20's on bicycle
width tires - no braking power :-) What now? Mitigation. I gave Bromium a
call, they are more than happy to help, more work will happen. We will fix
the issue in 2-3 years, when the money will be spent on an lifecycle
replacement and, for the same money, we will get very important new
features (the XPs are fronts to big machinery that comes integrated). Yeah,
I know. I just work here... We will run XP, in VMs and on hardware, for a
decade or more.

Given the historic vulnerabilities, it is a responsible thing to do to run a closed source OS for a decade or more after the vendor stops patching it?

I know it's going to be done, and the businesses see it as the most cost effective thing to do. But that's not a good **Security** thing to do. Now if you can be sure that none of these systems are network accessable, you may have more of an argument, but look at the industrial control systems and the security mess around them before you state that you will be safe.

- Security is maturing. Whether I like how it goes, the NIST standard work,
and the adoption talk surrounding it begins to smell like a talk on best
practices. Never mind all of the folks who will have to adopt it. I talk to
lawyers and insurers, they slowly are taking notice, and the poor security
volk will be hit with slow professionalization of the occupation. The
network security of the late 90s is no longer in demand. Openflow demands
serious networking skills and some programming skills. DevOps can run
immensely secure infrastructures, because their service model requires very
tight change control, minimalist capabilities on production nodes and all
admin actions are scripted. There is very little chance for a non-standard
configuration errors, or unnoticed config errors. Yes, mono-cultures are
bad. Yes, mistakes still happen. It's a much better model than state of an
average old school (10 years ago :-) Unix DMZ. Sorry, good security people
are in huge demand, expensive, and they will not work and behave as they
did 10 years ago.

We are talking apples and oranges here. you are talking DevOps, which works when your developers are half programmers, half sysadmins, and half security (and yes, needing 3/2 does mean that there are very, very few people who are really good at it)

Marcus was talking about how Cloud allowed people to outsource the sysadmin work to the hosting providers.

turning everyone into partial sysadmins is the exact opposite of outsourcing it to a few companies.

- Marcus is right. Cloud raises the bar or, more likely, allows cluefull
folks to run faster than the pack. Drop code on a VM (different spend
structure), use providers host security offers, integrated Nessus scans,
cheap 24/7 alerting, CloudFlare for WAF/DDoS/CDN, some DNS provider, and
you have a formidable setup that can be administered part time. Is it
better than the traditional way? No, but a lot of people can't afford the
typical solution and finding good people who can build it on a budget is
hard. The outcome is very different, but it took the market by a storm.

I absolutly agree that the current availability of rapid hosting options allows cluefull people to outrun others (and I've got put my money and time where my mouth is as well, making use of this infrastructure)

But what I am saying is that the ability for cluefull people to do things right and outrun others doesn't translate into fixing the security of the non-clueful

David Lang
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]