+1000

*ASB* (My Bio via About.Me <http://about.me/Andrew.S.Baker/bio>)
*Exploiting Technology for Business Advantage...*

On Fri, Jan 7, 2011 at 1:51 AM, Ken Schaefer <[email protected]> wrote:
> Additionally, the concept of a "soft chewy centre" and a hardened edge is
> mostly a theoretical exercise in most non-trivial organisations. Everything
> is just shades of "chewy" now. Which is why end-to-end encryption, at-rest
> encryption, and message integrity/validation technologies are becoming so
> much more important. Your data can be anywhere, and accessible from many
> locations, but still unusable by non-trusted parties (well, within the time
> period that makes it valuable).
>
> Cheers
> Ken
>
> *From:* Don Ely [mailto:[email protected]]
> *Sent:* Friday, 7 January 2011 5:19 PM
> *To:* NT System Admin Issues
> *Subject:* Re: AD and firewall ports
>
> Garbage Kurt. That solution could be implemented securely using a variety
> of security options. You or I don't even know the role of this member
> server, thus we cannot make the assumption that it is, in your words, a
> "stupid decision". Far more information is needed to make a blanket
> statement like that...
>
> On Thu, Jan 6, 2011 at 10:11 PM, Kurt Buff <[email protected]> wrote:
> > We disagree, and with your vast weight of experience, you carry the day.
> >
> > Or perhaps I'm just tired of battling.
> >
> > Whichever, I'm done.
> >
> > I'll stand by my statement that opening up the firewall in the
> > proposed fashion is a very stupid decision, because it doesn't solve
> > the proposed problem - you might as well not have a firewall at all.
> >
> > Either the machine is trusted, and can sit inside the soft chewy
> > center alongside the DC(s) and other machines, or it isn't trusted,
> > and you need to firewall it, and not allow it to reach inside the
> > network in the proposed fashion.
> >
> > Kurt
> >
> > On Thu, Jan 6, 2011 at 21:33, Ken Schaefer <[email protected]> wrote:
> > > -----Original Message-----
> > > From: Kurt Buff [mailto:[email protected]]
> > > Sent: Friday, 7 January 2011 3:41 PM
> > > To: NT System Admin Issues
> > > Subject: Re: AD and firewall ports
> > >
> > > > On Thu, Jan 6, 2011 at 18:11, Ken Schaefer <[email protected]> wrote:
> > > > > Hi,
> > > > >
> > > > > Then you should turn off all your computers, encase them in concrete,
> > > > > and launch them into outer space - and into the Sun. That is the best
> > > > > way of stopping anyone compromising one of your machines.
> > > >
> > > > Got to love the straw man argument.
> > >
> > > How is this a straw man? Putting your data into the sun is going to make
> > > it more secure. Far less usable, but far harder to steal. Since
> > > considerations of usability and convenience are not on your list, you
> > > better start launching your servers.
> > >
> > > That is the logical conclusion that can be drawn from your argument.
> > >
> > > > > Hint: go and read some books on security first. *All* security is
> > > > > risk mitigation. For example: that's why we still have passwords that
> > > > > are only "x" characters long, rather than "x + 1" (where x is any
> > > > > number less than infinity).
> > > >
> > > > And you exaggerate again. We have passwords that are 'x' characters
> > > > long (I tend to use 20+ character passphrases myself) because the
> > > > effort to crack them is, so far, infeasible, due to the lack of rainbow
> > > > tables of the size necessary to do so, and the lack of time to brute
> > > > force them before I change them. If firms (such as my own work, I'll
> > > > admit) are so foolish as to ignore this limit, then they will likely
> > > > suffer for it, and deserve to do so.
> > >
> > > But they are NOT uncrackable.
> > > They are not unguessable.
> > > They are able to be bypassed by beating them out of someone physically.
> > > Etc.
> > > Etc.
> > >
> > > The 20 character password is "good enough", but it is not as secure as
> > > the 21 character password, which in turn is not as secure as the 22
> > > character password, and so on ad infinitum.
> > >
> > > At some point you have to decide that the *risk* of password compromise
> > > is *not worth* the cost (inconvenience) of having more complex passwords
> > > or 2FA.
> > >
> > > You *mitigate risk* (password compromise) by picking an acceptable level
> > > of risk. That level of acceptable risk varies from place to place. The
> > > local coffee shop might have lower security requirements than the local
> > > bank.
> > >
> > > > > Everything in security is about:
> > > > > a) analysing what risks you face,
> > > > > b) working out the likelihood of it eventuating,
> > > > > c) working out the cost of the likelihood eventuating,
> > > > > d) working out the cost of making the risk go away,
> > > > > e) working out whether it's cost effective to implement (d) given
> > > > >    (a)(b)(c)
> > > >
> > > > It's a b) that the risk mitigation wizards fail. Spectacularly. IMHO,
> > > > "risk mitigation" is a mantra that has gone way too far, in the
> > > > relentless pursuit of cost and effort savings. The above recommendation
> > > > to turn a firewall into a safe passage for intruders is a prime example.
> > >
> > > What on earth are you talking about? Risk mitigation is saying "if
> > > someone breaks into our DMZ, we can't have them break into our main
> > > network, so there is no trust relationship".
> > >
> > > Alternatively, the entire business might have all their data in the DMZ
> > > anyway (or in a hosted data centre), in which case, once someone "0wns"
> > > the DMZ, then they own everything anyway, so what's the point of
> > > cumbersome barriers and sneakernet?
> > >
> > > > > That is why a national government has a far more secure, cumbersome
> > > > > network than your average business. Because the risks are different.
> > > >
> > > > Oh, yeah - that's worked out well, hasn't it? I believe you have that
> > > > problem by the wrong end of the stick. National government networks
> > > > are more cumbersome, and not more secure, in the main. That's because
> > > > they're, wait for it, run by bureaucrats. They danced the risk
> > > > mitigation dance, and we got wikileaks, infected thumb drives, virus
> > > > infestations on supposedly secure networks, and all manner of
> > > > silliness.
> > >
> > > See, I work as an architect for one of those big vendors (two letters
> > > long), for a national government, managing their base platform
> > > infrastructure (you can go google SOEasy). I /know/ that the risks that
> > > governments face are different to other customers I have worked for,
> > > which is why security is different.
> > >
> > > Not every customer needs 5 years of log retention of every event of every
> > > device. Not every customer needs multiple levels of encryption (at rest,
> > > at the file level, end-to-end on the wire). Not every customer needs
> > > physically separate networks. And not every customer needs to keep their
> > > DMZ machines off the domain.
> > >
> > > > > That's why we don't all blithely implement the same way of doing
> > > > > things. Because doing things *costs* money (whether that be products,
> > > > > convenience, productivity etc.)
> > > >
> > > > And doing them intelligently costs less money than doing them stupidly.
> > >
> > > That's not the point. Implementing something as simple as file
> > > encryption incurs *costs*, because you have to start to worry about
> > > recovery, about DoS attacks and so on.
> > >
> > > Do *you* encrypt every single file you have on your network? Why not?
> > > Surely it's more secure than not doing it? My guess is that it costs too
> > > much for the benefit you will receive.
