RE: Fw: [ISN] Firewalls a dangerous distraction says expert

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 8 Jul 2005 10:45:14 -0500

The commentator might have been a US Customs official. Seems like they
have the same perspectives on perimeter security.

-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] 
Sent: Friday, July 08, 2005 10:36 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Fw: [ISN] Firewalls a dangerous distraction says
expert

http://www.ISAserver.org

Exactly.  All points agreed-- but it all depends on the environment.

But basing sweeping generalizations of concept and process based on 
individual experience is not a responsible way to communicate security 
policy.

It's great that the SDSC hasn't had a root bust in 4 years without a 
firewall, but that doesn't mean "you don't need a firewall."   Of course, it 
probably has a lot to do with the way the article was written.  For all we 
know, it could have been directly related to "supercomputer-only" 
installations (I've experienced that sort of thing first hand.)

And the "60 percent come from the inside" comment is shallow-- At my 
facility, a whopping 100% of issues come from the inside.  That's because 
no one can get in.  Take that protection away, and 99.99% would be sourced 
externally.

t

----- Original Message ----- 
From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, July 08, 2005 8:06 AM
Subject: [isalist] RE: Fw: [ISN] Firewalls a dangerous distraction says 
expert


> I hate to say so, but there is some truth to his statements.
> How many times have we heard the cry of "why can't ISA protect me from
> an internal virus attack?"
>
> Granted, we've brought this on ourselves by:
> 1. responding to every user who says "do it for me" with one weirdzard
> or another
> 2. marketing products as if they're the be-all, end-all of your security
> technique
>
> The fact is (and I know most of you will agree) that what he should have
> said is "ok - use a firewall if you want, but don't stop there!"
>
> -------------------------------------------------------
>   Jim Harrison
>   MCP(NT4, W2K), A+, Network+, PCG
>   http://isaserver.org/Jim_Harrison/
>   http://isatools.org
>   Read the help / books / articles!
> -------------------------------------------------------
>
> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> Sent: Friday, July 08, 2005 07:44
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Fw: [ISN] Firewalls a dangerous distraction says
> expert
>
> Great.  Just what we needed-- a "security researcher" at the SDSC
> telling us that firewalls are a "dangerous distraction."
>
> Ra, Ra, Ra.
>
> t
>
>
> ----- Original Message ----- 
> From: "InfoSec News" <isn@xxxxxxx>
> To: <isn@xxxxxxxxxxxxx>
> Sent: Friday, July 08, 2005 1:21 AM
> Subject: [ISN] Firewalls a dangerous distraction says expert
>
>
>> http://www.techworld.com/security/news/index.cfm?NewsID=3992
>>
>> By Rodney Gedda
>> Computerworld Australia
>> 07 July 2005
>>
>> A preoccupation with firewalls is diverting attention and resources
>> away from the more important issue of locking systems down, according
>> to an expert.
>>
>> Computer security researcher at the San Diego Supercomputing Center
>> (SDSC), Abe Singer said companies can spend 90 percent of their
>> security efforts on firewalls and not much of anything else. "I'm not
>> saying firewalls are completely irrelevant, but how much effort do you
>> spend on security?" Singer asked. "Do security at the host, not just
>> the perimeter. You should be worried about what users are doing,
>> because if an attacker is going through the perimeter [without secure
>> hosts] then it's game over."
>>
>> Speaking at the Australian Unix and open systems user group (AUUG),
>> Singer prides himself on the claim that the SDSC has gone four years
>> without a root-level intrusion to its systems - without using a
>> firewall. "At the SDSC we don't use a firewall, it's not feasible," he
>> said. "Since we have to secure hosts individually if we had a firewall
>> it would be so open it would be useless."
>>
>> Singer said there is a perception that a firewall is a must-have. He
>> cited Visa's server requirements for online merchants which stated
>> they must have a firewall, but did not specify any configuration
>> details. "Too much of the security budget is being spent on firewalls
>> which also get too much attention [and] it's also 'cool' to have a new
>> firewall to play with," he said, adding that other appliances like
>> intrusion detection and prevention systems are an extension of the
>> same idea.
>>
>> "People are attracted to the idea that security can be bought [and]
>> it's hard to differentiate between marketing hype and reality," he
>> said. "We have a known 'good' config and when we find something is bad
>> it's consistently fixed."
>>
>> Singer is adamant that intrusion will not be stopped by a firewall and
>> attackers have used Trojan SSH clients to steal user names and
>> passwords. Other practices Singer recommends include not running
>> services you don't need, for example, services that are only required
>> internally don't need to be external.
>>
>> "You really need to think through your processes [and] relying on a
>> firewall means you're probably doing security wrong," he said.
>> "Surveys have shown that 60 percent of security breaches are internal
>> but 70 percent of people are worried about hackers on the outside.
>> Internal breaches are worse, because someone has a level of access and
>> knows where the assets are. If an attacker was really looking at
>> compromising a company's assets he or she would get a job in the mail
>> room."
>>
>>
>>
>>
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.
>
>


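One concrete form of the host-side check the quoted article recommends ("services that are only required internally don't need to be external") is to audit what the host is actually listening on and flag anything reachable beyond loopback that is not on an explicit allow-list. The script below is an added example, not code from the article, the SDSC or this list; it assumes Linux `ss -lntu` output as its input format, the sample listing is constructed rather than captured, and the EXPECTED_PUBLIC allow-list stands in for whatever service inventory a site keeps.

```python
"""Flag listening sockets exposed beyond loopback.

Added example for the host-hardening recommendation in the quoted article
(do not expose services that are only needed internally). Not code from the
article, the list, or the SDSC. Input format assumed: `ss -lntu` on Linux.
"""
import ipaddress
import re

# Constructed sample in the shape of `ss -lntu` output (not a real capture).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:3306       0.0.0.0:*
tcp   LISTEN 0      511                *:80               *:*
tcp   LISTEN 0      128             [::1]:6379          [::]:*
tcp   LISTEN 0      128              [::]:5432          [::]:*
udp   UNCONN 0      0        192.168.1.10:161        0.0.0.0:*
"""

# (proto, port) pairs the site has decided are meant to be reachable from
# other hosts. Assumed policy for this example; a real list comes from the
# service inventory, not from guessing.
EXPECTED_PUBLIC = {("tcp", 22), ("tcp", 80)}


def split_addr_port(local: str):
    """Split ss's Local Address:Port column into (host, port) strings.

    Handles '0.0.0.0:22', '*:80', '[::]:5432' and '[::1]:6379'.
    """
    m = re.match(r"^\[(.*)\]:(\d+|\*)$", local)      # bracketed IPv6 form
    if m:
        return m.group(1), m.group(2)
    host, _, port = local.rpartition(":")
    return host, port


def is_loopback_only(host: str) -> bool:
    """True if the socket is bound to a loopback address (127/8 or ::1)."""
    if host in ("*", ""):
        return False                                  # wildcard: every interface
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                                  # unparsable: treat as exposed


def parse_listeners(ss_output: str):
    """Yield (proto, host, port) for each LISTEN (tcp) or UNCONN (udp) line."""
    for line in ss_output.splitlines()[1:]:           # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, state, local = fields[0], fields[1], fields[4]
        if state not in ("LISTEN", "UNCONN"):
            continue
        host, port = split_addr_port(local)
        if port != "*":
            yield proto, host, int(port)


def find_unexpected_exposure(ss_output: str, expected_public=EXPECTED_PUBLIC):
    """Return listeners reachable beyond loopback that are not allow-listed.

    Each finding is (proto, host, port). Loopback-bound sockets are skipped;
    wildcard binds (0.0.0.0, *, ::) and binds to a specific non-loopback
    address are reported unless (proto, port) is in expected_public.
    """
    findings = []
    for proto, host, port in parse_listeners(ss_output):
        if is_loopback_only(host):
            continue
        if (proto, port) in expected_public:
            continue
        findings.append((proto, host, port))
    return findings


if __name__ == "__main__":
    # On a real host: ss -lntu | python3 this_script.py  (after swapping the
    # sample for sys.stdin.read()); here it runs over the constructed sample.
    for proto, host, port in find_unexpected_exposure(SAMPLE_SS_OUTPUT):
        print(f"exposed: {proto} {host}:{port}  (bind to 127.0.0.1/::1 or remove)")
```

On the constructed sample this reports the IPv6 wildcard PostgreSQL listener on 5432 and the SNMP agent on 192.168.1.10:161; SSH and HTTP are allow-listed, and MySQL and Redis are loopback-only so they pass. The IPv6 case is the one most often missed: a service bound to `::` is reachable from the outside even when its IPv4 side is on 127.0.0.1, so the check must parse both address families rather than grepping for `0.0.0.0`.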