I think that this is probably due to be taken off list if we want to continue...
> -----Original Message-----
> From: Ron DuFresne [mailto:[EMAIL PROTECTED]]
> Sent: Friday, April 19, 2002 12:22
> To: Noonan, Wesley
> Cc: [EMAIL PROTECTED]
> Subject: RE: VLANs and security... was RE: Cisco IDS
>
> But, if your client asks specifically, what issues have there been with
> VLANs and switches in the sec arena, you have nothing to come back with
> then?

Nothing handy? Yes. Nothing at all? No. I would put together the list of websites, articles and exploits that I know exist. If they were to ask "can this switch right now, with the code it is running right now, be exploited", my answer would probably be a simple "I don't know. But me not knowing doesn't mean it can't happen. If you are worried about this, and you don't want to, the answer is to not do it. Use hubs."

> Same goes for issues relating to passing particular protocols,
> without a knowledge base on issues, you can look poorly informed if
> someone asks what are the issues related to passing ftp/rpc/dcom....

I like to think I have a pretty informed knowledge base. I will say again, just because I have decided to take some point in a discussion by no means is indicative of my actual belief or disbelief in that point. My purpose is to learn. That frequently happens when I take positions I do not agree with.

> Neither does poking holes into the perimeter defenses to pass things for
> the CEO like IM <smile>...not all toys are really required to get the job
> done.

But not everything you think is a "toy" is. I know of numerous companies that do indeed have a good business need for IM. Do they need it housed on public domain servers? No, I don't think so. However, the alternatives right now are limited unless a shop is running something like Exchange 2000.

> And it's a fact, security, having to unlock that warehouse door to
> gain access, is part of the cost.

Ah, but that's not what I said. I said "and you can't get in".

> Sometimes the ease folks play at home
> on their insecure desktops needs to be changed in the practices they are
> going to use at work.

I would even venture most of the time. I constantly teach my students this practice.

> > And if your network is so secure that your line of business apps can't
> > run, how much work can be done? Remember what I said about extreme views Ron?
> > They are not good views to have when designing secure networks IMHO.
> >
>
> I counter the security design begins with those coding the applications.
> It seems to be the same view now *finally* being adopted in Redmond.

Absolutely (I don't see it as a counter though, I see it as "in addition"). It is finally being adopted all over the place, and that's not a bad thing, that's a good thing (DDP).

> Until like happened at Honeywell years back someone gets killed in your
> unmonitored parking garage at night, or someone just takes out your whole
> customer database with a few clicks of the keys. Then folks tend to
> wake up and demand their systems and assets get priority protection.

Sure, but that's the nature of the beast. Everyone wants security, total security, till they see what it costs. Then they have to make the most informed, calculated decision of what they can afford.

> I'm sorry to say, I think America as a whole is still due a few wakeup
> calls, Oklahoma and 9/11 not being quite enough yet for folks to really
> demand better protections across the various travel vectors, but, that's a
> different topic altogether...

Indeed.

> Interesting, then you've had to restore a set of servers from disaster
> before? And this does not have to be external disaster, after all, I've
> seen more systems wiped clean from a poorly tested script set loose by an
> underskilled admin, but, this is part of disaster recovery and part of the
> security model. Had to clean up a whole network infrastructure from one of
> the latest worms that made it through to the desktops cause signatures had
> not caught up to this new 'toy' some fool released on the masses?

Uh, yes. I've made a career of this.

> Part of the costs incurred for a business are related to these kind of
> events. They add up quickly and shift the focus of those from the top
> down, whence security should be driven. Having a server or two offline
> can often result in nothing getting done at many desktops if not for the
> total organization. And want to see management toss a hissyfit, it
> happens when they look out at empty cubicles when folks were sent home
> because today's restore will not complete until tomorrow...

Really?

> But, more seriously, what applications being blocked have you had issues
> with in particular?

Depends on the company, depends on the application. RAS is always a tricky subject. How to provide remote access yet maintain security? Database issues are always tricky. How to provide the channel between the web front end of the ecommerce app and the secure database on the back end? Another frequent piece of stickiness is how to put MS boxes out on the net. Just got done listening to some guy whine about how web services in IIS shouldn't need the server and workstation services, that he should be able to turn them off...

> One of my -=pet peeves=- has been on how dramatically skills and
> knowledgebases have decremented over the years in the sysadmin arena. How
> many whine about how much there is to do and so little time to do it in.

Mine too. You should be privy to how hard I nail a bunch of people in the MS training arena.

> How can they be expected to keep up with the issues and changes that occur
> in the IT and security realms daily/weekly/monthly. The motto work
> smarter not harder sinks not in.

Nope, it doesn't. I'll add to that though. How about the people who think they can be *great* at this job, yet maintain a hard and fast "8-5" schedule. On one hand they say "I want to learn how you upgrade systems", but then they say "I don't want to come in over the weekend or <gasp> a holiday, because that's my family time".

> Sure IT tends to be understaffed and
> underfunded, anyone with a little bit of a clue knew this coming in. But,
> one of the aspects they often whine about is in fact one of the aspects
> that first attracted them to the industry, change, and it being
> constant, a learning environment whence nothing gets too old too fast and
> ruts are hard to get stuck in if one wishes to avoid them. It means we
> get new toys and tools to play with all the time. And it also means we
> have to keep up, and that means also keep up with historical reference,
> else we repeat mistakes of the past...like buffer overflows over ten
> years after the Morris worm <you're going to next ask what this was, yes?>,

Actually, no.

> but, then I already published that document here and the wizards list
> months ago; http://sysinfo.com/iworms.html
>
> > Here, let me flatter you. What's DOS? Denial of Service. I really don't
> > know.
> >
>
> Naw, that's more often represented as DDoS or DDOS.

Actually, wouldn't that be Distributed Denial of Service, as in "many systems overloading one", as opposed to DoS, Denial of Service, which is simply to cease the ability of a device to service requests? Who knows, maybe I'm wrong, what with my lack of pre-Windows experience (yeah, there were computers in the 80's, sure there were...)

> If you've never
> played in DOS and tried to get it to do network speak, or anything else
> productive beyond 640k mem, then you don't know pain, course, there are
> others that have played with more limitations on far older equipment than
> the 8088's I have...

Yeah, I have never done any of that. No really. Seriously. Never. Just started this whole thing yesterday, shortly after my trip on the old turnip truck.

> Yes, and if you'd ever played with unices, you'd know I seldom take the
> time to deal with ispell, especially when crossing two slow networks to
> reach back here to this account in MN, after all, I'm no longer in MN
> anymore, hinted at that some previously. I just don't often have the time
> to wait for a network to catch up with my fingers to push each and every
> post through ispell, and is it proper for me if I do to correct the
> previous posters' spelling errors also?

Sounds like you need a better network and a more robust remote office methodology. You ever consider using Windows 2000 with Terminal Services, or even Citrix?

> What I find interesting is how much time I have to invest in walking many
> windows posters here pushing html via their mailers to a text list, in how
> to disable it, step by *clickity* step. It scares me that these are often
> folks charged with administering and maintaining networks full of systems,
> let alone their own desktops, and often wearing a security hat as well.
> Course they tend to waste time on pinpointing a few typos in a long
> posting....

Well, that could have something to do with the fact that you are walking them through antiquating their system, which is something most folks don't really spend much time learning how to do. Most folks I know spend time learning how to make things better, as opposed to keeping things mediocre.

> Even today, I can take a system <intel box> that most would discard, and
> toss a unix on it and make it dance in ways it never could before, under
> any windows flavor due to all that GUI overhead. The system would have
> not danced as fast since they last wiped DOS <not DDOS mind you, keep up
> here> 5.0 or 6.22 off it...And if I need, I can boot that OS and its
> tools and toys for a firewall off a mere floppy, dang I forget the
> particular dist...

Sure, but then you have that nasty TCO thing to deal with, training and skillset disparities, etc. Besides, you couldn't use HTML based email on it either...

> Yes, as mentioned the browser was integrated into the OS and so each and
> every browser issue affects the whole OS, all sorts of sweet tools and
> bloated toys have been developed with no real sense of security in mind.
> Many of which can't be stripped from the system to make it secure or
> faster without breaking the whole OS. And every time a new toy is added,
> we get asked why it is not allowed to pass or play on our networks, like
> folks really need to scarf copyrighted songs/sound files from all their
> pals to function in their jobs...

Right, so we are back to baseless statements and FUD. Guess what? If I put an incompetent person in front of Unix, it won't work either.

> --15 April 2002 Buyers Shifting Security Liability To Software Vendors
> IT managers and CIOs are including clauses in contracts that hold
> software vendors liable for security breaches and cyber attacks
> connected to their products. It is hoped that the trend will encourage
> more secure software development.
> http://www.eweek.com/article/0,3658,s=1884&a=25494,00.asp

Know what? This is old news. Vendors have been talking about and planning for this (at least good ones) for well over two years.

> Then I'd have to upgrade the majority of my systems to have those huge IDE
> drives and all that RAM required to run the more current versions! So,
> you'll of course lend me that cash? <smile>

RedHat 7.2 full install requires more disk space than Windows NT, 2000 and even XP does (took me 1.7GB of space vs. XP needing 1.5GB; we won't even compare NT - about 500MB - or W2K - less than 1GB). Besides, I think your statement above, if said in seriousness, really underscores your need for training on those products if you truly believe what you just wrote.

> Hell, I have a couple of boxes here still running 95...and under 256M
> RAM...

W2K Pro runs great on less than 256MB RAM. Heck, XP does as well. Shoot, NT (all versions) does too.

Wes Noonan, MCSE/MCT/CCNA/CCDA/NNCSS
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
[EMAIL PROTECTED]
http://www.bmc.com

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
