On Fri, 19 Apr 2002, Noonan, Wesley wrote:

> >
> > And yet you'll caution your own clients with advise against them as you
> > stated earlier, on what do you base that advise then if not on historical
> > facts of switches not being security devices as well as past evidence of
> > their exploitation as well as issues many here have mentioned on VLANs?
> > I'm sure you have to backup your advise with documented reasoning?
>
> Simplicity of management first. I subscribe to the KISS principle.
> Unfortunately, as I have noted, much of the security issues are questionable
> IMHO. I still present the issues to the customer, but I don't spin them as
> something that is just horribly wrong. For example, as noted by others, I
> would be much more open to separating DMZs with VLANs, while I would be much
> less open to separating protected nets and DMZs with them. The key part for
> me though is simplicity. The simpler things are, bluntly, the stupider the
> people that have to manage them can be. Ultimately, it comes down to the
> specifics of the scenario for me to be comfortable with any recommendation
> of substance.


But, if your client asks specifically, what issues have there been with
VLANs and switches in the sec arena, you have nothing to come back with
then?  Same goes for issues relating to passing particular protocols,
without a knowledge base on issues, you can look poorly informed if
someone asks what are the issues related to passing ftp/rpc/dcom....

>
> >
> > If your warehouse is unlocked and I drive in and steal all your product,
> > how much business can you do?
>
> If your warehouse is locked, and you can't get in, how much business can you
> do? Remember what I said about extreme views Ron? They are not good views to
> have when designing secure networks IMHO.
>

Neither does poking holes into the perimeter defenses to pass things for
the CEO like IM <smile>...not all toys are really required to get the job
done.  And it's a fact, security, having to unlock that warehouse door to
gain access, is part of the cost.  Sometimes the ease folks play at home
on their insecure desktops needs to be changed in the practises they are
going to use at work.

> > Likewise, if your warehouse software, the
> > stuff that tracks what's in stock and where it can be found and produces
> > orders for more stock and for client purchases is unsecured and I can get
> > into it and mess up the whole database, or worserer, just rm -rf *, how
> > much business can you do?  If your network becomes so congested with code
> > red/nimda traffic it can't send proper traffic about, how much work can be
> > done?
>
> And if your network is so secure that your line of business apps can't run,
> how much work can be done? Remember what I said about extreme views Ron?
> They are not good views to have when designing secure networks IMHO.
>

I counter the security design begins with those coding the applications.
It seems to be the same view now *finally* being adopted in Redmond.

> > Even companies with no security guard at the front desk, and merely a
> > receptionist are in fact using her in a semi-security role, she filters
> > traffic as it arrives.  Business has had to maintain and deal with
> > security since its inception, we just do not always equate what the full
> > spectrum of security is in place.
>
> Ah, but see they mitigated risk vs. need vs. money. Risk, slight apparently.
> Need, something to filter the traffic just in case. Solution, use
> receptionist thereby saving money (or one could say, making money). *That*
> is *good* security. It meets the need (one hopes) while doing so in a
> fashion that brings the most profit (one hopes).

Until, like happened at Honeywell years back, someone gets killed in your
unmonitored parking garage at night, or someone just takes out your whole
customer database with a few clicks of the keys.  Then folks tend to
wake up and demand their systems and assets get priority protection.

I'm sorry to say, I think America as a whole is still due a few wakeup
calls, Oklahoma and 9/11 not being quite enough yet for folks to really
demand better protections across the various travel vectors, but, that's a
different topic altogether...

>
> >
> > We tend to be paranoid, it's part of our jobs, it's perhaps not part of
> > your job, but, it is for us that work in a security role as the prime
> > focus of our positions.
>
> Hehehehe. Here we go again. "You don't know what you are doing". When
> paranoia interferes with rational decision making, those paranoid people are
> no longer doing a *good* job IMHO. A healthy degree of paranoia is a good
> thing. I don't know that what I see on this list often is a healthy
> degree...

Interesting, then you've had to restore a set of servers from disaster
before?  And this does not have to be external disaster, after all, I've
seen more systems wiped clean from a poorly tested script set loose by an
underskilled admin, but, this is part of disaster recovery and part of the
security model.  Had to clean up a whole network infrastructure from one of
the latest worms that made it through to the desktops cause signatures had
not caught up to this new 'toy' some fool released on the masses?

Part of the costs incurred for a business are related to these kinds of
events.  They add up quickly and shift the focus of those from the top
down, whence security should be driven.  Having a server or two offline
can often result in nothing getting done at many desktops if not for the
total organization.  And want to see management toss a hissy fit, it
happens when they look out at empty cubicles when folks were sent home
until today's restore will not complete until tomorrow...

But, more seriously, what applications being blocked have you had issues
with in particular?

>
> > > Wow, I think this is as close as you have come to actually acknowledging
> > > that I might well be able to differentiate between my ass and a hole in
> > the
> > > ground without need of a map... <g>
> > >
> >
> > <smile>  I still recall the offline arguements a few months back we had
> > when I tried to inform you that this is a text based list and your
> > insistence it was time to move into the html mail world...
>
> It is. Dinosaurs die. Adapt or die. Don't spend all your time looking back,
> spend more time looking forward. Newsflash, *lots* of folks use software
> from this vendor in Redmond, and they have no problems with HTML, or any
> other form of RTF mail. Besides, I also remember trying to correct some of
> your (at least I think it was your) very bad misconceptions about how
> exchange did/did not work.
>

Damned kids always trying to buck tradition.  Your time will come,
after all, it took a long time before mgt didn't just look down on me as a
matter of fact due to my lack of a crewcut, you don't have to thank us
old-timers for mitigating those changes socially for you <smile>.

> > It's a big industry, there's much to track and maintain  data on.  I've
> > tended over the last few years to build up files of data from various
> > lists, to go back and review when need arrives, and even that gets to be a
> > mess.  And this is sometimes why information supplied is 'qualified' as
> > Paul himself tried to point out to you a number of times in this thread.
> >
> > After all, you had nothing to base your arguments rejecting his on, no
> > experience to offer on using VLANs in a secure nature, nor any experience
> > with ISA, only the marketing stuff off their site, and mis-stated its
>
> Just where are you getting the "no experience" from? Because it's not the
> same as your experience, or because it's not as antiquated... uh, I mean far
> reaching? I like how pretentious you are. It's like you are afraid some
> young buck is going to take your spot on skill and talent, so you have to
> degrade constantly to try to improve your stock.
>

One of my -=pet peeves=- has been on how dramatically skills and
knowledge bases have decremented over the years in the sysadmin arena.  How
many whine about how much there is to do and so little time to do it in.
How can they be expected to keep up with the issues and changes that occur
in the IT and security realms daily/weekly/monthly.  The motto work
smarter not harder sinks not in.  Sure IT tends to be understaffed and
underfunded, anyone with a little bit of a clue knew this coming in.  But,
one of the aspects they often whine about is in fact one of the aspects
that first attracted them to the industry, change, and its being
constant, a learning environment whence nothing gets too old too fast and
ruts are hard to get stuck in if one wishes to avoid them.  It means we
get new toys and tools to play with all the time.  And it also means we
have to keep up, and that means also keep up with historical reference,
else we repeat mistakes of the past...like buffer overflows over ten
years after the Morris worm <you're going to next ask what this was, yes?>,
but, then I already published that document here and the wizards list
months ago;  http://sysinfo.com/iworms.html

> > exposure/exploit issues already on record.
>
> And, unlike you (and Paul it seems), when I make a mistake, I acknowledge it
> and move on.
>
> > Caution, your pet-peeve on generalisations was violated a few times on
> > your end when inferring that I'm clueless to operating and maintaining
> > Windows systems.
>
> I have only the (mis)information that you present with which to base my
> statements.
>
> > I've played with Windows systems as far back as when it
> > was still a run-time system under DOS <required PageMaker and lacked a
> > Mac>.
>
> Here, let me flatter you. What's DOS? Denial of Service. I really don't
> know.
>

Naw, that's more often represented as DDoS or DDOS.  If you've never
played in DOS and tried to get it to do network speak, or anything else
productive beyond 640k mem, then you don't know pain, 'course, there are
others that have played with more limitations on far older equipment than
the 8088's I have...

> > I remember when word could be run on two 5.25 inch floppoes and the
>
> What's a floppoe? You know, with word as your email editor, you can catch
> spelling errors. Just wanted to point that out. (see, I can tell that the
> previous sentence is a fragment that I should consider revising).
>

Yes, and if you'd ever played with unices, you'd know I seldom take the
time to deal with ispell, especially when crossing two slow networks to
reach back here to this account in MN, after all, I'm no longer in MN
anymore, hinted at that some previously.  I just don't often have the time
to wait for a network to catch up with my fingers to push each and every
post through ispell, and is it proper for me if I do to correct the
previous poster's spelling errors also?

What I find interesting is how much time I have to invest in walking many
Windows posters here pushing HTML via their mailers to a text list through how
to disable it, step by *clickity* step.  It scares me that these are often
folks charged with administering and maintaining networks full of systems,
let alone their own desktops, and often wearing a security hat as well.
'Course they tend to waste time on pinpointing a few typos in a long
posting....

> > whole Office package in use now was split into separate packages and
> > marketed and sold as such, prior to Access even.  I remember when win.ini
> > and sys.ini were the major controls, no registry to deal with.  I've
>
> What's an ini?
>

damned mud-puppies....

> > seen little improvement between NT 3.5 and 4.0 nor W2K, just a lot more
> > bulk and tying the browser into the OS was a major catastrophe <so much
> > for KISS and separation of potential exposure>.  While at Honeywell our NT
> > systems required reboots daily to deal with the
>
> And therein lies the problem. You seem to lack the ability to move forward. Your
> knowledge is stuck pre '92. It's like the folks that go "Microsoft DNS
> crashes too often and DHCP isn't reliable enough". Yeah, about those
> problems from Windows NT 3.51... I actually went into a place that was like
> that. Refused to use MS DNS. They ran over 365 days without a reboot, and
> then rebooted only for service pack application.
>

Even today, I can take a system <Intel box> that most would discard, and
toss a unix on it and make it dance in ways it never could before, under
any Windows flavor due to all that GUI overhead.  The system would have
not danced as fast since they last wiped DOS <not DDOS mind you, keep up
here> 5.0 or 6.22 off it...And if I need, I can boot that OS and its
tools and toys for a firewall off a mere floppy, dang I forget the
particular dist...

> > flow <3.5>, at 3M our NT 4.0 DNS/domain servers had to be rebooted every
> > two days at best to prevent seeing blue, and the bad history on those over
> > loaded/bloated systems goes on from there <1991-1995>.  I could put in
>
> Then 3M should have hired people who knew how to build and maintain their NT
> systems, instead of relying on folks who had "history" with other OSes.
> Windows NT circa 1995 ( which is pre NT 4.0) was the early days of a very
> immature OS. It's 7 years later now. Lots has changed.
>

Yes, as mentioned the browser was integrated into the OS and so each and
every browser issue affects the whole OS, all sorts of sweet tools and
bloated toys have been developed with no real sense of security in mind.
Many of which can't be stripped from the system to make it secure or
faster without breaking the whole OS.  And every time a new toy is added,
we get asked why it is not allowed to pass or play on our networks, like
folks really need to scarf copyrighted songs/sound files from all their
pals to function in their jobs...

But, this is not and never was intended to be a religious OS war.  It's an
issue of how the code is shelled out to the masses and what focus is
placed in marketing it.  The historical fact is that the boys in Redmond
placed no priority on security in the tools and toys they developed, and have
suffered greatly in the hacking area due to that.  And it has worked its
way into the homes now sitting with high-bandwidth always-on connections,
the same systems often knocking at the doors of the networks many maintain
here, the owners of which are not even aware of how trojaned/hacked they
are, often from trinkets installed by default they'll never use to surf the
web or IRC.

Not that Redmond is the only one producing bad code, yet their history of
denial and passing the buck remains.  But, perhaps we're seeing this
change...

 --15 April 2002 Buyers Shifting Security Liability To Software Vendors
IT managers and CIOs are including clauses in contracts that hold
software vendors liable for security breaches and cyber attacks
connected to their products.  It is hoped that the trend will encourage
more secure software development.
http://www.eweek.com/article/0,3658,s=1884&a=25494,00.asp


> > much smaller Intel boxes with much less RAM and disk space and do much
> > more with them, with average reboot times *required* at about 365
> > days+...I just don't think Windows in any of its flavors even now is
> > ready for primetime as anything but a desktop system, 'course, I'm perhaps
> > the only person in Durham NC that feels the same about Red Hat...YMMV...
> >
> > Of course in some eyes this might well still mark me as an OS bigot...
>
> Sure, or it may mark you as someone who needs to learn more about NT/W2K so
> that you could manage them better. Since apparently, you don't have to do
> NT/W2K management though, you can always be cut some slack on this point.
>

Then I'd have to upgrade the majority of my systems to have those huge IDE
drives and all that RAM required to run the more current versions!  So,
you'll of course lend me that cash? <smile>

Hell, I have a couple of boxes here still running 95...and under 256M
RAM...

> > Cool.  At least it appears we all here  in these threads have at least the
> > skills to debate, as well as subscribe and unsubscribe without letting the
> > total readerbase of the list know how lacking in clues we really might be
> > <smirk>.
>
> No doubt. It also indicates that we all have a passion for what we do.
>
> Hey, can you unsubscribe me? I think my feelings have been hurt... ;-)
>
> Wes (who is really going to work now, I'm not letting Ron side track me any
> more...) <g>
>

<chuckle>...

Thanks,


Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
