Friday, November 08, 2013

firewall-wizards Digest, Vol 67, Issue 5

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Quote cybersecurity unquote (David Lang)


----------------------------------------------------------------------

Message: 1
Date: Wed, 6 Nov 2013 20:52:21 -0800 (PST)
From: David Lang <david@lang.hm>
Subject: Re: [fw-wiz] Quote cybersecurity unquote
To: marcin@kajtek.org, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <alpine.DEB.2.02.1311062037130.19663@nftneq.ynat.uz>
Content-Type: text/plain; charset="us-ascii"; Format="flowed"

On Wed, 6 Nov 2013, Marcin Antkiewicz wrote:

>>> trying. If they can't do system administration or system operations,
>>> they're going to step away from the plate and let Amazon or Google or
>>> whoever do it. Overall, this is probably for the best.
>>>
>>
>> unfortunately you are misinterpreting what they are leaving up to Amazon
>> and Google.
>>
>> They aren't outsourcing the system administration, all they are
>> outsourcing is the hardware administration.
>
> [..]
>
>> In many ways, much of what's going on in cloud computing is a step
>> backwards for security. While cloud computing can make doing upgrades
>> easier for good admins, it also makes it easier to keep running old
>> software without patching it. Look at how VMware is pushing their products
>> for the desktop by advertising that people will be able to keep running
>> Windows XP forever.
>
>
> Hold on. There are multiple trends in security here that you lump into the
> same bag:
> - "Cloud" describes little more than a billing model (subscription O&M),
> and a form of provisioning (the "elasticity"), and some business glue.
> Amazon sells you a slice of a hypervisor, Google used to sell managed
> python execution containers, SalesForce lets you build a CRM-related
> applications as plugins into their data and services. Save for Amazon's
> case, who needs sysadmins? If you have 3k Amazon instances, but all of them
> run the same code, you need a deployment specialist that is more of a
> programmer than a sysadmin. No one will fix a node, there is no capacity
> planning, log rotation, account provisioning - those are fixed at much
> higher scale, or done via APIs. Your sysadmin here is called an Architect,
> and knows Chef/Puppet/etc. like you knew /etc.

the problem is that your 3K systems may all be running the same vulnerable code.
You need a sysadmin to create and maintain your template that you then run
everywhere.

And you do need these systems to log, and if you have logs, you need to worry
about rotation, retention, etc.

Far too many people make the exact same mistake in thinking that since it's
"Cloud" you no longer need all the infrastructure tools to manage things. The
tools do change (you don't upgrade 3K boxes, you upgrade the image and do a
rolling shutdown/startup with new image of the 3K boxes), but you still need
tools and people who understand what's happening.

You even still need people with the ability to troubleshoot the lower level
systems and communications; just throwing things in the cloud doesn't solve all
scaling issues (just look at healthcare.gov for a very public proof of that).

> - Why bother with Amazon? Same hardware in the corporate data center, and
> people you can actually talk to? Let's see - I have an app, we want to have
> a load balancer, 5 front caches and 2 backend DBs provisioned in 3 days. Oh,
> your lead on hardware is 2 weeks, and we did not do this architecture
> before? DNS issues? Ah, the cabling you guys did not do for 3 weeks... IT
> is either a commodity, and begins to see competition on price with other
> options, or it's a well run organization that is fiercely competent and
> pragmatic. I see much more of the first kind.

And if you change your management to be "Cloud like" you can get even more gains
by using bare metal systems that you netboot with a cloud-like management system
and avoid the hypervisor overhead.

> - I have 35 sites where upgrade from XP to Win7 costs $0.5 mil a pop.
> Those are not offices, there is no added functionality we will get from Win
> 7. No, I was unable to plan ahead. We saw the wall, and when we tried to
> pull brakes, it turned out that we run drum brakes from the 20's on bicycle
> width tires - no braking power :-) What now? Mitigation. I gave Bromium a
> call, they are more than happy to help, more work will happen. We will fix
> the issue in 2-3 years, when the money will be spent on a lifecycle
> replacement and, for the same money, we will get very important new
> features (the XPs are fronts to big machinery that comes integrated). Yeah,
> I know. I just work here... We will run XP, in VMs and on hardware, for a
> decade or more.

Given the historic vulnerabilities, is it a responsible thing to do to run a
closed source OS for a decade or more after the vendor stops patching it?

I know it's going to be done, and the businesses see it as the most cost
effective thing to do. But that's not a good **Security** thing to do. Now if
you can be sure that none of these systems are network accessible, you may have
more of an argument, but look at the industrial control systems and the security
mess around them before you state that you will be safe.

> - Security is maturing. Whether I like how it goes, the NIST standard work,
> and the adoption talk surrounding it begins to smell like a talk on best
> practices. Never mind all of the folks who will have to adopt it. I talk to
> lawyers and insurers, they slowly are taking notice, and the poor security
> folk will be hit with slow professionalization of the occupation. The
> network security of the late 90s is no longer in demand. Openflow demands
> serious networking skills and some programming skills. DevOps can run
> immensely secure infrastructures, because their service model requires very
> tight change control, minimalist capabilities on production nodes and all
> admin actions are scripted. There is very little chance for non-standard
> configuration errors, or unnoticed config errors. Yes, mono-cultures are
> bad. Yes, mistakes still happen. It's a much better model than the state of an
> average old school (10 years ago :-) Unix DMZ. Sorry, good security people
> are in huge demand, expensive, and they will not work and behave as they
> did 10 years ago.

We are talking apples and oranges here. You are talking DevOps, which works when
your developers are half programmers, half sysadmins, and half security (and
yes, needing 3/2 does mean that there are very, very few people who are really
good at it)

Marcus was talking about how Cloud allowed people to outsource the sysadmin
work to the hosting providers.

Turning everyone into partial sysadmins is the exact opposite of outsourcing it
to a few companies.

> - Marcus is right. Cloud raises the bar or, more likely, allows clueful
> folks to run faster than the pack. Drop code on a VM (different spend
> structure), use the provider's host security offers, integrated Nessus scans,
> cheap 24/7 alerting, CloudFlare for WAF/DDoS/CDN, some DNS provider, and
> you have a formidable setup that can be administered part time. Is it
> better than the traditional way? No, but a lot of people can't afford the
> typical solution and finding good people who can build it on a budget is
> hard. The outcome is very different, but it took the market by a storm.

I absolutely agree that the current availability of rapid hosting options allows
clueful people to outrun others (and I've put my money and time where my
mouth is as well, making use of this infrastructure).

But what I am saying is that the ability for clueful people to do things right
and outrun others doesn't translate into fixing the security of the non-clueful.

David Lang
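The reply above makes two operational points: that all 3K instances may be running the same vulnerable code, so someone still has to find the stale ones, and that patching an immutable fleet means rebuilding the image and doing a rolling shutdown/startup rather than upgrading boxes in place. The following is an added illustration of both, not code from the thread or from any cloud provider. The Fleet class is a constructed in-memory stand-in for a provider's instance API, and the image ids, instance names and health check are assumptions. It also covers the failure mode the thread does not spell out: a capacity floor so the rollout never takes too many nodes down at once, and a halt that restores the old instances when the new image fails its health check, so a bad image costs one batch rather than the whole fleet.

```python
"""Added illustration: patching an immutable fleet by replacing the image.

Not code from the original thread or from any cloud provider. Fleet is a
constructed in-memory stand-in for a provider's instance API; image ids,
instance names and the health check are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

HealthCheck = Callable[[str], bool]   # image id -> does a node built from it pass checks?


@dataclass
class Instance:
    name: str
    image: str
    healthy: bool = True


class Fleet:
    """Constructed stand-in for a cloud fleet; launch/terminate are immediate."""

    def __init__(self, instances: List[Instance]) -> None:
        self.instances = list(instances)
        self._seq = len(instances)

    def launch(self, image: str, health_check: HealthCheck) -> Instance:
        self._seq += 1
        inst = Instance(f"i-{self._seq:05d}", image, healthy=health_check(image))
        self.instances.append(inst)
        return inst

    def terminate(self, inst: Instance) -> None:
        self.instances.remove(inst)

    def healthy(self) -> int:
        return sum(1 for i in self.instances if i.healthy)


def stale_instances(fleet: Fleet, golden_image: str) -> List[Instance]:
    """Inventory check: everything not built from the current golden image."""
    return [i for i in fleet.instances if i.image != golden_image]


def rolling_replace(fleet: Fleet, new_image: str, health_check: HealthCheck,
                    batch_size: int, min_healthy: int) -> Tuple[int, Optional[str]]:
    """Replace stale instances in batches. Returns (replaced, halt_reason).

    Each batch is shut down, relaunched from new_image and health-checked.
    The batch is capped so that at least min_healthy instances keep serving
    while it is down. If a replacement fails its health check it is
    terminated and a node on the image it replaced is launched instead, and
    the rollout halts after that batch.
    """
    if batch_size < 1:
        raise ValueError("batch_size must be >= 1")
    replaced = 0
    while True:
        stale = stale_instances(fleet, new_image)
        if not stale:
            return replaced, None
        allowed = fleet.healthy() - min_healthy      # how many may be down at once
        if allowed < 1:
            return replaced, "halted: capacity floor leaves no room to cycle a node"
        batch = stale[:min(batch_size, allowed)]
        old_images = [i.image for i in batch]
        for old in batch:
            fleet.terminate(old)
        new = [fleet.launch(new_image, health_check) for _ in batch]
        bad = [n for n in new if not n.healthy]
        if bad:
            for n, img in zip(new, old_images):
                if not n.healthy:
                    fleet.terminate(n)               # never leave a broken node in rotation
                    fleet.launch(img, health_check)  # restore capacity on the known-good image
            return replaced + len(new) - len(bad), (
                f"halted: {len(bad)}/{len(new)} replacements failed health check")
        replaced += len(new)


def make_fleet() -> Fleet:
    """Constructed sample: six nodes on an old image, one already current."""
    nodes = [Instance(f"web-{n}", "ami-2013-09") for n in range(6)]
    nodes.append(Instance("web-6", "ami-2013-11"))
    return Fleet(nodes)


def boots(image: str) -> bool:
    """Assumed health check: everything boots except the deliberately broken image."""
    return image != "ami-broken"


def demo() -> dict:
    good = make_fleet()
    n_good, why_good = rolling_replace(good, "ami-2013-11", boots, batch_size=2, min_healthy=4)
    bad = make_fleet()
    n_bad, why_bad = rolling_replace(bad, "ami-broken", boots, batch_size=2, min_healthy=4)
    return {
        "stale_before": len(stale_instances(make_fleet(), "ami-2013-11")),
        "good_replaced": n_good, "good_reason": why_good,
        "good_remaining_stale": len(stale_instances(good, "ami-2013-11")),
        "bad_replaced": n_bad, "bad_reason": why_bad,
        "bad_fleet_size": len(bad.instances), "bad_healthy": bad.healthy(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The rollout state lives entirely in which image each running instance was built from, so the same `stale_instances` query that drives the rollout is also the audit: after an incident you can answer "which nodes are still on the vulnerable image" without logging into any of them.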
-------------- next part --------------
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

------------------------------



End of firewall-wizards Digest, Vol 67, Issue 5
***********************************************
