Wednesday, April 15, 2009

firewall-wizards Digest, Vol 36, Issue 19

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: SCADA (Brian Loe)
2. Re: Who stay focused? (was: [Fwd: Question]) (Anton Chuvakin)
3. Re: Who stay focused? (was: [Fwd: Question]) (ArkanoiD)
4. Re: SCADA (ArkanoiD)
5. Re: SCADA (Daniel E. Hassler)
6. Re: SCADA (Marcus J. Ranum)
7. Re: SCADA (Marcus J. Ranum)
8. Re: SCADA (Dotzero)


----------------------------------------------------------------------

Message: 1
Date: Tue, 14 Apr 2009 17:01:24 -0500
From: Brian Loe <knobdy@gmail.com>
Subject: Re: [fw-wiz] SCADA
To: firewall-wizards@listserv.icsalabs.com
Message-ID:
<3c4611bc0904141501m12859b02ka644d55b642257e3@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Tue, Apr 14, 2009 at 2:05 PM, Jim Seymour <jseymour@linxnet.com> wrote:
and "Bertolett, Richard" <Richard.Bertolett@ci.austin.tx.us> wrote:

<will reply to both inline>

> Eh. My personal experience, over the years, is that AV software is
> relatively worthless as a preventive tool. As for MS' security
> patches: If you have the machines in question isolated from hostile
> networks, most of them aren't strictly necessary, IMO. Not that these
> are a bad thing, mind you. In any event: I suspect there's been a
> misunderstanding...
>

To some degree there may have been a misunderstanding. I consider MS
updates to SCADA side machines utterly worthless. For one, they're
likely to break whatever crap control software is installed on those
machines (because they're running on Windows 95 or NT 4). Second,
they're not talking to anything that could get them in trouble.

>>... it is
>> much more secure to retrieve patches and virus sigs from an internal
>> server, say little of the internet connection bandwidth usage.

I think that if my SCADA machine is talking to another machine that is
talking to the Internet, my SCADA machine is talking too much. I'd
prefer a manual update process IF I were concerned about updates -
which, as I've said, I'm not.


>
> I think there may've been some confusion induced by the way Mr. Loe
> phrased things. (Correct me if I'm wrong, Brian.) I *believe* their
> SCADA network is firewalled from the business network; the business
> network is firewalled from the Internet; and there are some *few*
> connections, of very specific types, allowed between specific machines
> on the SCADA network and specific machines on the business network.
>

More or less:
<SCADA> -- <FIREWALL> -- <datalogger> -- <FIREWALL> -- <corp.net> --
<FIREWALL> -- <INTERNET>

The "datalogger" is the database system for those SCADA machines to
push their data for reporting. Access to that datalogger is restricted
to specific ports from both the SCADA and corp networks. Only certain
machines on certain ports have that access.

> I *believe* what some people want is to allow the machines on the SCADA
> network access to the 'net, and to allow incoming (allegedly secure)
> connections from the 'net into the SCADA network.

I have gotten that request on several occasions. I don't usually say
"No." I usually say, "do you have the money in your budget to properly
implement your request in a properly secured manner?" It means and
accomplishes the same thing.


> I don't believe convenience should *ever* trump security. I believe
> that when convenience is allowed to trump security, you get what we
> have today: Wide-spread compromising of networks.

Not just "networks". INFRASTRUCTURE! Power grids! Fuel production!

Both at the power plant I worked at and my current job there were
"homeland security" issues involved. The idea of our SCADA network
getting a virus was disturbing to say the least. Imagine 50 windows 95
boxes all infected with a virus that wants to do nothing more than
flood your SCADA network with its own traffic looking for another
victim. Doesn't even have to be a targeted attack against a power
plant - it just doesn't allow the controller to know what the plant is
doing until it's too late! BOOM. Why risk your job, let alone your
life, for the convenience of some data massager?

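The layout and the port restrictions described in the message above are the kind of thing worth keeping as code rather than only as a drawing. What follows is an added example, not part of the digest and not Brian Loe's own configuration: it models the per-host, per-port allow list enforced by the firewalls on either side of the datalogger, checks sample flows against it with default deny, and goes one step beyond the message by rendering the same list as an nftables forward chain so that the reviewed model and the deployed rule set cannot drift apart. Every address, the port number 1433, and the host names are hypothetical; nothing in the thread gives the real values.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Flow is one candidate TCP connection as seen by a firewall on either side of the datalogger.
type Flow struct {
	Src, Dst net.IP
	Port     int
}

// Rule is one allow-list entry: exactly one source host may reach exactly one
// destination host on exactly one port. There are no subnet-wide or "any" rules.
type Rule struct {
	Src, Dst *net.IPNet
	Port     int
	Why      string
}

// Policy is the complete allow list; whatever it does not match is dropped.
type Policy struct{ Rules []Rule }

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// AddHost appends a single-host rule. Both ends are forced to /32 so an entry
// can never quietly widen to a whole network.
func (p *Policy) AddHost(src, dst string, port int, why string) {
	p.Rules = append(p.Rules, Rule{mustCIDR(src + "/32"), mustCIDR(dst + "/32"), port, why})
}

// Allowed reports whether a flow matches any rule, and which one; otherwise default deny.
func (p Policy) Allowed(f Flow) (bool, string) {
	for _, r := range p.Rules {
		if r.Src.Contains(f.Src) && r.Dst.Contains(f.Dst) && r.Port == f.Port {
			return true, r.Why
		}
	}
	return false, "default deny"
}

// Nftables renders the same policy as an nftables forward chain with a drop policy.
// Reply packets of accepted connections ride on the conntrack rule; nothing else passes.
func (p Policy) Nftables() string {
	var b strings.Builder
	b.WriteString("table inet datalogger {\n  chain forward {\n")
	b.WriteString("    type filter hook forward priority 0; policy drop;\n")
	b.WriteString("    ct state established,related accept\n")
	for _, r := range p.Rules {
		fmt.Fprintf(&b, "    ip saddr %s ip daddr %s tcp dport %d ct state new accept comment \"%s\"\n",
			r.Src.IP, r.Dst.IP, r.Port, r.Why)
	}
	b.WriteString("  }\n}\n")
	return b.String()
}

// DataloggerPolicy is the allow list for the layout in the message above, with
// hypothetical addresses: two SCADA HMIs in 10.10.0.0/24, the datalogger at
// 10.20.0.10 and one corporate reporting server at 10.30.0.50, all on TCP 1433.
func DataloggerPolicy() Policy {
	var p Policy
	p.AddHost("10.10.0.11", "10.20.0.10", 1433, "HMI-1 pushes readings to the datalogger")
	p.AddHost("10.10.0.12", "10.20.0.10", 1433, "HMI-2 pushes readings to the datalogger")
	p.AddHost("10.30.0.50", "10.20.0.10", 1433, "reporting server reads the datalogger")
	return p
}

func main() {
	p := DataloggerPolicy()
	for _, f := range []Flow{
		{net.ParseIP("10.10.0.11"), net.ParseIP("10.20.0.10"), 1433}, // listed HMI: allowed
		{net.ParseIP("10.10.0.13"), net.ParseIP("10.20.0.10"), 1433}, // unlisted HMI: dropped
		{net.ParseIP("10.30.0.50"), net.ParseIP("10.10.0.11"), 3389}, // corp into SCADA: dropped
		{net.ParseIP("10.10.0.11"), net.ParseIP("203.0.113.7"), 443}, // SCADA to Internet: dropped
	} {
		ok, why := p.Allowed(f)
		fmt.Printf("%s -> %s:%d allowed=%v (%s)\n", f.Src, f.Dst, f.Port, ok, why)
	}
	fmt.Print(p.Nftables())
}
```

Running it prints the verdict for each sample flow followed by the rendered table, which can be reviewed and then loaded with `nft -f` on a forwarding box. A request to "just open it up" becomes one more AddHost line whose Why string somebody has to justify, which is the budget conversation from the message in code form.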

------------------------------

Message: 2
Date: Tue, 14 Apr 2009 15:55:29 -0700
From: Anton Chuvakin <anton@chuvakin.org>
Subject: Re: [fw-wiz] Who stay focused? (was: [Fwd: Question])
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID:
<b2591e2e0904141555p3c649888t956bfcd5620cb855@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

>> > So, my question is: among all of you, old timer firewall wizards, how
>> > many stay focused to infosec (and had kept a global view [2] of infosys)

I am NOT an old-timer (heck, I use Twitter which bans me for life [of
twitter] from the ranks of old-timers...), but I want to answer it
too.

Many people get bitter and negative after doing security for a few
years - and then they BURN OUT and go do something else [1] However,
the trick is to do what [supposedly] spies [2] are trained to do when
tortured: you get to like it! Negative? Sure, I'll give you negative
:-) Cynical? Let's make Diogenes proud!

[1] ... what about long walks on the beach ? puppies ? CRM? :-)
[2] "Inside the Aquarium: The Making of a Top Soviet Spy" by Viktor Suvorov
--
Anton Chuvakin, Ph.D
http://www.chuvakin.org
http://chuvakin.blogspot.com
http://www.info-secure.org


------------------------------

Message: 3
Date: Wed, 15 Apr 2009 02:10:28 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] Who stay focused? (was: [Fwd: Question])
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20090414221028.GA17200@eltex.net>
Content-Type: text/plain; charset=koi8-r


If the final technical decision is being made by non-technical and
obviously clueless person, you seem to just work in a wrong place.
I'd quit immediately.

On Tue, Apr 14, 2009 at 02:37:59PM -0500, Behm, Jeff wrote:
> On Tuesday, April 14, 2009 1:22 PM, Jean-Denis Gorin so spoke:
> > So, my question is: among all of you, old timer firewall wizards,
> > how many stay focused to infosec
>
> </quasi-lurker>
>
> Don't know that I'm really a true "old-timer[1]," but...I have lived
> through the waning days of Gauntlet, getting replaced by the *more*
> secure (yeah, whatever) Checkpoint, getting replaced by the more
> advanced (ok, cheaper) PIX/ASA. Trying to explain the benefits of App
> Proxy vs. Packet Filter proxy to layer 8 is obviously futile (at least
> it was in my case).

------------------------------

Message: 4
Date: Wed, 15 Apr 2009 02:13:35 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] SCADA
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20090414221335.GB17200@eltex.net>
Content-Type: text/plain; charset=koi8-r

They are not worthless: you need it to fix critical security vulnerabilities!
You cannot build defense in depth if you do not patch your systems.
It should not be done via automatic windows update, but it should be done somehow.

You just cannot be sure that there is nothing that could get them in trouble.

On Tue, Apr 14, 2009 at 05:01:24PM -0500, Brian Loe wrote:
>
> To some degree there may have been a misunderstanding. I consider MS
> updates to SCADA side machines utterly worthless. For one, they're
> likely to break whatever crap control software is installed on those
> machines (because they're running on Windows 95 or NT 4). Second,
> they're not talking to anything that could get them in trouble.
>

------------------------------

Message: 5
Date: Tue, 14 Apr 2009 22:26:38 -0700
From: "Daniel E. Hassler" <hassler@speakeasy.net>
Subject: Re: [fw-wiz] SCADA
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: jmac448@aol.com
Message-ID: <49E5700E.30504@speakeasy.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Forgive my ignorance but why is SCADA even allowed to run on a Windows
host? IMHO - when industry insists (i.e. $$$ on the table) on secure
alternatives can and will become available.
Remote SCADA logging can be done securely over the Internet with
authentication, confidentiality, integrity, and non-repudiation. Delays
can happen but data will never be lost. It's a one way street from
device(s) to logger(s).
Real-time SCADA control should be confined to a LAN/intranet where
complete network/power redundancy and backup systems are also controlled
by the site. The Internet is not 100% reliable for real-time control
(e.g. San Jose area last week). I did not lose any log data. I lost
visibility of a couple of systems for a while. When the connection came
back the missed data points were filled in - as designed.
I'm not trolling - I'm actively solving these problems and welcome
comments from those who are also.

Sincerely,

Dan Hassler

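As an added illustration of the one-way, store-and-forward logging described in the message above (example code written for this page, not from the list and not Dan Hassler's systems), here is a minimal Go model of both ends. Each reading is numbered and signed with an Ed25519 key that stays on the device, the device keeps records queued until the logger has accepted them, and the logger verifies every signature, accepts a replay of an already-stored record without complaint, and can report how many sequence numbers are still outstanding, which is the "delayed, not lost" property. The device name "pump-1", the reading values and the JSON record format are made up; confidentiality is assumed to come from TLS on the wire and is not implemented here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Point is one reading. Seq is a per-device monotonic counter: it is how the logger
// tells a delayed point from a lost one and counts how many are still outstanding.
type Point struct {
	Device string `json:"device"`
	Seq    uint64 `json:"seq"`
	Value  int64  `json:"value"` // scaled integer, as register values are; JSON cannot fail on it
}

// Record is a Point plus the device's Ed25519 signature over canonical(Point). The signing key
// never leaves the site (integrity, non-repudiation); confidentiality is left to the assumed TLS transport.
type Record struct {
	Point Point
	Sig   []byte
}

// canonical is the signed byte string; struct field order is fixed, so both ends agree.
func canonical(p Point) []byte { b, _ := json.Marshal(p); return b }

// Device signs readings into a queue drained only by acceptance: a dead link delays data, never drops it.
type Device struct {
	name  string
	priv  ed25519.PrivateKey
	seq   uint64
	queue []Record
}

func NewDevice(name string) (*Device, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand.Reader does not fail
	return &Device{name: name, priv: priv}, pub
}

// Emit signs a new reading, queues it and returns the signed record.
func (d *Device) Emit(v int64) Record {
	d.seq++
	p := Point{d.name, d.seq, v}
	d.queue = append(d.queue, Record{p, ed25519.Sign(d.priv, canonical(p))})
	return d.queue[len(d.queue)-1]
}

// Flush runs whenever the link is up; rejected records stay queued for the next attempt.
func (d *Device) Flush(l *Logger) (accepted int) {
	var keep []Record
	for _, r := range d.queue {
		if l.Ingest(r) != nil {
			keep = append(keep, r)
		}
	}
	accepted, d.queue = len(d.queue)-len(keep), keep
	return accepted
}

// Logger is a pure sink: it verifies each record against the enrolled key for its device
// and stores points by sequence number. Nothing but accept/reject flows back.
type Logger struct {
	keys   map[string]ed25519.PublicKey
	points map[string]map[uint64]Point
}

func NewLogger() *Logger {
	return &Logger{map[string]ed25519.PublicKey{}, map[string]map[uint64]Point{}}
}

// Enroll registers a device's public key; in deployment this happens out of band, never over the link.
func (l *Logger) Enroll(device string, pub ed25519.PublicKey) {
	l.keys[device], l.points[device] = pub, map[uint64]Point{}
}

// Ingest rejects unknown devices and bad signatures. A replay of a correctly signed record
// is accepted idempotently, so a lost acknowledgement cannot cause endless retries.
func (l *Logger) Ingest(r Record) error {
	pub, ok := l.keys[r.Point.Device]
	if !ok {
		return fmt.Errorf("unknown device %q", r.Point.Device)
	}
	if !ed25519.Verify(pub, canonical(r.Point), r.Sig) {
		return fmt.Errorf("bad signature on %s/%d", r.Point.Device, r.Point.Seq)
	}
	l.points[r.Point.Device][r.Point.Seq] = r.Point
	return nil
}

// Missing counts sequence numbers below the highest seen that have not arrived yet.
func (l *Logger) Missing(device string) (high uint64) {
	for s := range l.points[device] {
		if s > high {
			high = s
		}
	}
	return high - uint64(len(l.points[device]))
}

func main() {
	dev, pub := NewDevice("pump-1")
	lg := NewLogger()
	lg.Enroll("pump-1", pub)
	dev.Emit(4200) // link is down at this point: the reading waits in the queue
	fmt.Println("link back, accepted:", dev.Flush(lg), "missing:", lg.Missing("pump-1"))
}
```

The design choice worth noting is that Ingest is idempotent for a valid record: if the acknowledgement for an accepted record is lost on the way back, the device simply resends it next time and the logger accepts it again without storing a duplicate, so the queue always drains. Gap accounting is by sequence number, not by wall clock, so a logger that has seen seq 3 but not seq 2 reports one outstanding point rather than guessing from timestamps.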

------------------------------

Message: 6
Date: Tue, 14 Apr 2009 17:45:06 -0500
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] SCADA
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <49E511F2.5080604@ranum.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Chris Blask wrote:
> As security folks we need to accept (no matter how reluctantly)
>the possibility that on occasion the folks asking to make things easier
>could be right. What we should be doing is putting up an appropriate
>amount of back-pressure on the "just open it up" requests to result
>in a solution that balances the need for access with the management of
risk.


Here's the problem: that's good in theory, but in practice, it
fails. The reason is, simply enough, that you're trying to
judge an "appropriate" amount of back-pressure given an
unknown and unknowable risk. All that results in is a game of
"duelling wild-ass guesses" based on our _current_ understanding
of the risks. Management is incapable of accurately predicting
the risks (and isn't interested in doing so, anyway) and security
is not, either. Game theory says that under those circumstances
you always get the most optimistic prediction.

What's scary is that those optimistic predictions don't get
updated! That's how you get things like the several companies
I know which implemented websites in PHP (because their web guys
said it was OK) and have now gone deeply down that path only
to discover that they made a bad decision and now they either
need to throw good work after bad, or attempt to back up and
unwind a mistake. We've all seen this over and over again - once
the mistake is made, it's easier to hunker down and keep applying
new duct tape to it, eternally. That's why the current internet
security environment resembles nothing more than a mountain of
duct tape, bandages, tire-patches, spit, and baling wire, wrapped
around a core of pure solid crap.

But, because they remember that they were told "it's OK" and
they exercised a basic attempt at diligence, management is
going to remember that security signed off on it.

In other words, the back pressure is good, in principle, but
doesn't actually help. The current situation with the SCADA
stuff is another case in point. No doubt the managers who
green-lit those interconnections did it with reasonable
expectation of success and cost savings. But, obviously,
they did not have an adequately nuanced view of the risks.
Now they are perceiving security as having either failed,
lied to them, being an unexpected additional burdensome
headache, or - more likely - all of the above.

So, generally, "no" _is_ the right answer.


I've outlined the whole dynamic in a paper I wrote one
<strike>day</strike> year when I was <strike>in a bad mood</strike>
having a moment of clarity. If any of you are interested, it's
here:
http://www.ranum.com/security/computer_security/editorials/disasters/index.html

mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
http://www.tenablesecurity.com


------------------------------

Message: 7
Date: Tue, 14 Apr 2009 17:49:03 -0500
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] SCADA
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <49E512DF.8050107@ranum.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Paul D. Robertson wrote:
> The other side of the coin is that adding layers adds complexity and code-
> and adding code adds bugs- so you don't *always* get a net security gain
> by adding "protection."

You raise a problem that I've spent too much time pondering. In effect,
it refutes the "conventional wisdom" of computer security. Which goes
as follows:
Item #1 - Defense in depth is good
Item #2 - Complexity is the enemy of security

If #2 is true, #1 can't be, because defense in depth adds complexity.

Puzzled,
mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
http://www.tenablesecurity.com


------------------------------

Message: 8
Date: Wed, 15 Apr 2009 09:49:05 -0400
From: Dotzero <dotzero@gmail.com>
Subject: Re: [fw-wiz] SCADA
To: mjr@ranum.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<7ae58c220904150649j69db45blb3e2b518b08b0178@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Tue, Apr 14, 2009 at 6:49 PM, Marcus J. Ranum <mjr@ranum.com> wrote:
> Paul D. Robertson wrote:
>>
>> The other side of the coin is that adding layers adds complexity and code-
>> and adding code adds bugs- so you don't *always* get a net security gain by
>> adding "protection."
>
> You raise a problem that I've spent too much time pondering. In effect,
> it refutes the "conventional wisdom" of computer security. Which goes
> as follows:
> Item #1 - Defense in depth is good
> Item #2 - Complexity is the enemy of security
>
> If #2 is true, #1 can't be, because defense in depth adds complexity.
>
> Puzzled,
> mjr.
> --

Perhaps a more nuanced discussion on the nature of complexity is in
order. If I perform 5 simple but very beneficial (Securitywise) things
to achieve better defense in depth, how much complexity have I really
added compared to implementing 5 very intricate things?

There will always be a set of tradeoffs to consider. Where one ends up
depends very much on where one thinks one is going.


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 36, Issue 19
************************************************
