Saturday, April 11, 2009

firewall-wizards Digest, Vol 36, Issue 15

Today's Topics:

1. Re: [Fwd: Question] (ArkanoiD)
2. Re: PCI DSS & Firewalls (ArkanoiD)
3. Re: [Fwd: Question] (ArkanoiD)
4. Re: [Fwd: Question] (Anton Chuvakin)
5. Re: [Fwd: Question] (Chris Blask)


----------------------------------------------------------------------

Message: 1
Date: Fri, 10 Apr 2009 17:09:46 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] [Fwd: Question]
To: mjr@ranum.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20090410130946.GA4752@eltex.net>
Content-Type: text/plain; charset=koi8-r

Finally something on the list not related to "how do I configure my PIX" ;-)
I wonder what happened? We used to have interesting discussions here
years ago, and now everything is reduced to PIX setup?

P.S. I hate PIX. (and ASA too). Cannot imagine a single case for it to
be the optimal solution. But even that is not what I'd like to discuss ;-)

On Wed, Apr 08, 2009 at 04:14:44PM -0400, Marcus J. Ranum wrote:
> I just thought I'd send this along to the list, because it had
> me laughing into my coffee. My friend Olaf is not a security
> practitioner. He's not even an IT guy. He's an artist and a
> professional photographer.
>
> I just love the way that any person with a brain who
> encounters this internet security stuff can immediately
> cut to the core of the problem as Olaf does below:
>
> -------- Original Message --------
> Subject: Question
> Date: Wed, 8 Apr 2009 08:41:39 -0400
> From: Olaf S <lightdesigner@---->
> Reply-To: lightdesigner@----
> To: Ranum Marcus <mjr@ranum.com>
>
>
>
>
> So, I'm watching a piece on the news this morning that "hackers" from
> China, Russia, Korea and maybe others have got into the computers that
> control the electrical grid. My question is why the fuck are these
> computers connected to the internet?
>
> Olaf S
>
>
>
> --
> Marcus J. Ranum CSO, Tenable Network Security, Inc.
> http://www.tenablesecurity.com
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>

------------------------------

Message: 2
Date: Fri, 10 Apr 2009 17:25:44 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: mjr@ranum.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20090410132544.GB4752@eltex.net>
Content-Type: text/plain; charset=koi8-r

I had a strong attitude against pen testing until I observed the current
situation more closely. I found out a few things:

1.) there is (almost certainly) a Windows-based office network
2.) it is totally screwed up because it is the way it works
3.) there is (probably) an Oracle server accessible from there
4.) if it is, it is totally screwed up because it is the way it works

All of those are major security problems. Actually that is enough to
show things being really bad. And people need a graphic demonstration
of what a clusterf*ck they are tied into to start thinking about security
architecture, how it affects business processes and so on.

Windows network pentesters have a success rate close to 100%. And that's
why they are there. Though I hate the pen-testing approach and fully agree
with everything you said about it.

On Thu, Apr 02, 2009 at 01:17:10PM -0500, Marcus J. Ranum wrote:
> Chris Blask wrote:
> >having more Pen Testing done in the world is itself a move in a positive
> >direction, so that's a good thing by any metric.
>
>
> I disagree.
>
> What does pen testing show?? Pen testing can show one of two things:
> - your security sucks
> - your security is better than your pen tester
>
> Neither of those two determinations are equal to "your security is
> good."
>
....

------------------------------

Message: 3
Date: Fri, 10 Apr 2009 17:39:52 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] [Fwd: Question]
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Cc: mjr@ranum.com
Message-ID: <20090410133952.GC4752@eltex.net>
Content-Type: text/plain; charset=koi8-r

A friend of mine is head admin at the Russian power grid (FSK, "Federal Grid Company"). He assures me the SCADA
really *is* not connected to anything ;-)

On Wed, Apr 08, 2009 at 01:16:21PM -0700, Chris Blask wrote:
>
> It's not as simple as saying "they shouldn't be connected to anything". Beyond nuke generation (which is very much not connected to anything) you have hundreds of thousands of control system networks in the country and running each of these in air-gap isolation is not something that has been economically viable. The number of sites that can be completely isolated will always be a minority, the rest we will need to do better with.
>

------------------------------

Message: 4
Date: Fri, 10 Apr 2009 15:39:26 -0700
From: Anton Chuvakin <anton@chuvakin.org>
Subject: Re: [fw-wiz] [Fwd: Question]
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<b2591e2e0904101539h4516bcdckbde98c547a00e899@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

> A friend of mine is head admin at the Russian power grid (FSK, "Federal Grid Company"). He assures me the SCADA
> really *is* not connected to anything ;-)

Surely, you mean:

... *THEIR* SCADA is not connected *YET*.


>
> On Wed, Apr 08, 2009 at 01:16:21PM -0700, Chris Blask wrote:
>>
>> It's not as simple as saying "they shouldn't be connected to anything". Beyond nuke generation (which is very much not connected to anything) you have hundreds of thousands of control system networks in the country and running each of these in air-gap isolation is not something that has been economically viable. The number of sites that can be completely isolated will always be a minority, the rest we will need to do better with.
>>

--
Anton Chuvakin, Ph.D
http://www.chuvakin.org
http://chuvakin.blogspot.com
http://www.info-secure.org


------------------------------

Message: 5
Date: Sat, 11 Apr 2009 04:51:52 -0700 (PDT)
From: Chris Blask <wobblingmoon@yahoo.com>
Subject: Re: [fw-wiz] [Fwd: Question]
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <465484.46145.qm@web33804.mail.mud.yahoo.com>
Content-Type: text/plain; charset=us-ascii


Anton Chuvakin <anton@chuvakin.org> wrote:


> Surely, you mean:

> ... *THEIR* SCADA is not connected *YET*.

"...as far as they know..."



------------------------------

End of firewall-wizards Digest, Vol 36, Issue 15
************************************************
