The commentator might have been a US Customs official. Seems like they have the same perspectives on perimeter security.

-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Friday, July 08, 2005 10:36 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Fw: [ISN] Firewalls a dangerous distraction says expert

http://www.ISAserver.org

Exactly. All points agreed-- but it all depends on the environment. But basing sweeping generalizations of concept and process based on individual experience is not a responsible way to communicate security policy. It's great that the SDSC hasn't had a root bust in 4 years without a firewall, but that doesn't mean "you don't need a firewall."

Of course, it probably has a lot to do with the way the article was written. For all we know, it could have been directly related to "supercomputer-only" installations (I've experienced that sort of thing first hand.)

And the "60 percent come from the inside" comment is shallow-- At my facility, a whopping 100% of issues come from the inside. That's because no one can get in. Take that protection away, and 99.99% would be sourced externally.

t

----- Original Message -----
From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, July 08, 2005 8:06 AM
Subject: [isalist] RE: Fw: [ISN] Firewalls a dangerous distraction says expert

> http://www.ISAserver.org
>
> I hate to say so, but there is some truth to his statements.
> How many times have we heard the cry of "why can't ISA protect me from
> an internal virus attack?"
>
> Granted, we've brought this on ourselves by:
> 1. responding to every user who says "do it for me" with one weirdzard
> or another
> 2. marketing products as if they're the be-all, end-all of your security
> technique
>
> The fact is (and I know most of you will agree) that what he should have
> said is "ok - use a firewall if you want, but don't stop there!"
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> Sent: Friday, July 08, 2005 07:44
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Fw: [ISN] Firewalls a dangerous distraction says expert
>
> http://www.ISAserver.org
>
> Great. Just what we needed-- a "security researcher" at the SDSC telling us
> that firewalls are a "dangerous distraction."
>
> Ra, Ra, Ra.
>
> t
>
> ----- Original Message -----
> From: "InfoSec News" <isn@xxxxxxx>
> To: <isn@xxxxxxxxxxxxx>
> Sent: Friday, July 08, 2005 1:21 AM
> Subject: [ISN] Firewalls a dangerous distraction says expert
>
>> http://www.techworld.com/security/news/index.cfm?NewsID=3992
>>
>> By Rodney Gedda
>> Computerworld Australia
>> 07 July 2005
>>
>> A preoccupation with firewalls is diverting attention and resources
>> away from the more important issue of locking systems down, according
>> to an expert.
>>
>> Computer security researcher at the San Diego Supercomputing Center
>> (SDSC), Abe Singer said companies can spend 90 percent of their
>> security efforts on firewalls and not much of anything else. "I'm not
>> saying firewalls are completely irrelevant, but how much effort do you
>> spend on security?" Singer asked. "Do security at the host, not just
>> the perimeter. You should be worried about what users are doing,
>> because if an attacker is going through the perimeter [without secure
>> hosts] then it's game over."
>>
>> Speaking at the Australian Unix and open systems user group (AUUG),
>> Singer prides himself on the claim that the SDSC has gone four years
>> without a root-level intrusion to its systems - without using a
>> firewall.
>> "At the SDSC we don't use a firewall, it's not feasible," he
>> said. "Since we have to secure hosts individually if we had a firewall
>> it would be so open it would be useless."
>>
>> Singer said there is a perception that a firewall is a must-have. He
>> cited Visa's server requirements for online merchants which stated
>> they must have a firewall, but did not specify any configuration
>> details. "Too much of the security budget is being spent on firewalls
>> which also get too much attention [and] it's also 'cool' to have a new
>> firewall to play with," he said, adding that other appliances like
>> intrusion detection and prevention systems are an extension of the
>> same idea.
>>
>> "People are attracted to the idea that security can be bought [and]
>> it's hard to differentiate between marketing hype and reality," he
>> said. "We have a known 'good' config and when we find something is bad
>> it's consistently fixed."
>>
>> Singer is adamant that intrusion will not be stopped by a firewall and
>> attackers have used Trojan SSH clients to steal user names and
>> passwords. Other practices Singer recommends include not running
>> services you don't need, for example, services that are only required
>> internally don't need to be external.
>>
>> "You really need to think through your processes [and] relying on a
>> firewall means you're probably doing security wrong," he said.
>> "Surveys have shown that 60 percent of security breaches are internal
>> but 70 percent of people are worried about hackers on the outside.
>> Internal breaches are worse, because someone has a level of access and
>> knows where the assets are. If an attacker was really looking at
>> compromising a company's assets he or she would get a job in the mail
>> room."
>>
>> _________________________________________
>> Attend the Black Hat Briefings and
>> Training, Las Vegas July 23-28 -
>> 2,000+ international security experts,
>> 10 tracks, no vendor pitches.
>> www.blackhat.com
>>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.