Tuesday, April 14, 2009

firewall-wizards Digest, Vol 36, Issue 18

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Who stay focused? (was: [Fwd: Question]) (Paul D. Robertson)
2. Re: SCADA (Victor Williams)
3. Re: Who stay focused? (was: [Fwd: Question]) (Chris Blask)
4. Re: SCADA (Chris Blask)
5. Re: Who stay focused? (was: [Fwd: Question]) (R. DuFresne)
6. Re: Who stay focused? (was: [Fwd: Question]) (Behm, Jeff)
7. Re: SCADA (Jim Seymour)
8. Re: SCADA (Paul D. Robertson)
9. Re: Who stay focused? (was: [Fwd: Question]) (Skip Carter)


----------------------------------------------------------------------

Message: 1
Date: Tue, 14 Apr 2009 15:01:36 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] Who stay focused? (was: [Fwd: Question])
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.0904141458320.21272-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Tue, 14 Apr 2009, Jean-Denis Gorin wrote:

> So, my question is: among all of you, old timer firewall wizards, how
> many stay focused to infosec (and had kept a global view [2] of infosys)
> ?

I still do a great deal of infosec work. I think my focus has been as
broad as ever, as I'm doing computer forensics, incident response, general
security, general IT, VoIP switches, RFID, IR training, Web hosting, a
small amount of development, CRM, networking and nature photography.


Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/

------------------------------

Message: 2
Date: Tue, 14 Apr 2009 15:16:56 -0500
From: Victor Williams <bwilliam13@windstream.net>
Subject: Re: [fw-wiz] SCADA
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: "Kaas, David D" <David_D_Kaas@RL.gov>
Message-ID: <20090414151656.HGVU6.769212.root@ispmxfep10-z02>
Content-Type: text/plain; charset=utf-8

Why do you need to answer at all?

In my experience, the easiest way to make (good) policies moot and unenforceable is to make exceptions for reasons that don't really make (good) sense.

I could see windows/microsoft updates, as those can be compartmentalized pretty well with proxy server(s) and internal WSUS server(s). But allowing them to be managed from home? How are you going to manage the connection/equipment/software sitting outside your jurisdiction (the person's home)?


---- "Kaas wrote:
>
> We have a few SCADA and process control networks firewalled from our corporate network which is connected to the Internet. Our policy has been to lock these down to a few specific IP addresses and secure ports and only to/from our corporate network. We have some owners of these networks that would like the firewalls to be more open. Their initial requests are to be able to manage these networks from the Internet (from home), to be able to retrieve Microsoft patches and virus signatures and to do MS file sharing to our corporate network. We currently have these services (patching and virus signatures) available on the corporate network but they believe it would be easier and simpler to retrieve them separately.
>
> How do you answer this without just saying NO?
>
> Thank you,
>
> Dave
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

------------------------------

Message: 3
Date: Tue, 14 Apr 2009 14:15:23 -0700 (PDT)
From: Chris Blask <chris@blask.org>
Subject: Re: [fw-wiz] Who stay focused? (was: [Fwd: Question])
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <815805.87667.qm@web33805.mail.mud.yahoo.com>
Content-Type: text/plain; charset=us-ascii


Jean-Denis Gorin <jdgorin@computer.org>


> So, my question is: among all of you, old timer firewall wizards, how many stay
> focused to infosec (and had kept a global view [2] of infosys) ?


Infosec is my only focus (as much as I have any) for creeping up on twenty years. As for keeping a global view, I like to think that is the core of my view of the field. If it isn't about how we make things more secure *in the context of the uses that the overall systems are put to* then I'd rather spend my time talking about really weird cheeses or landscaping.

> For them willing to know why I'm still lurking FW-wiz as I have quit the field,
> I'm just trying to assess how fast the IT world will collapse in case of a major
> security threat... (I already know who will survive this, and how ;) ).


Oh, I may be proven wrong in the end, but I don't see the IT world collapsing, ever. That may depend on the definition of "collapsing", I suppose - lots of regrettable/foolish/avoidable/nasty things happening at any given moment are always within the realm of possibility - but The Whole Thing Coming Down for any appreciable period of time is not something I expect to live to see.

> "Reality is that which, when you stop believing in it, doesn't go away.
> Philip K. Dick"


Classic quote! :~)

-chris


------------------------------

Message: 4
Date: Tue, 14 Apr 2009 14:30:27 -0700 (PDT)
From: Chris Blask <chris@blask.org>
Subject: Re: [fw-wiz] SCADA
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <980695.16110.qm@web33802.mail.mud.yahoo.com>
Content-Type: text/plain; charset=us-ascii


"Bertolett, Richard" <Richard.Bertolett@ci.austin.tx.us> wrote:

> While I agree that the level of access the original poster was...a bit too open, I cannot really agree with Mr. Loe's position either.

> Security, particularly cyber-security, is best implemented in layers. So yes, you do need an anti-virus system, and yes, you do need to apply MS security patches, and you do need firewalls, a DMZ, and ways to keep the users from doing things on SCADA computers that they should not be doing. But easy should never be a driver in security decisions, it is much more secure to retrieve patches and virus sigs from an internal server, say little of the internet connection bandwidth usage.

> That said, the reality is that as reporting becomes just as mission critical as electricity or water or oil or gas delivery, unfortunately, you can't just 'sneakernet' all the reporting data. SCADA historical data in raw form is like drinking from a fire hose. So you have to distill it some way, and push it into a DMZ and then out to a database server on the business network some way, so it can be combined with other data, sliced and diced, and mushed into reports. Why couldn't the connections allowed thru the firewall be outgoing only? Then you need to make sure the destination server on the business network is secure of course, but you're already doing that, yes?

> There are other ways to support a SCADA network remotely other than through the internet, maybe they are as fast, maybe not. But that is a cost of basic security.


Now that right there is a good answer.

There is no simple one-liner answer, it depends what you are protecting and what you are risking. You aren't eliminating risk in any case, the question is really "how much effort are you willing to expend to lower your risk?" As security folks we need to accept (no matter how reluctantly) the possibility that on occasion the folks asking to make things easier could be right. What we should be doing is putting up an appropriate amount of back-pressure on the "just open it up" requests to result in a solution that balances the need for access with the management of risk. That may in fact be sneaker-net or it may be a well-thought-out connected solution as has been described: whatever solution you put in place can be compromised by someone willing to expend enough resources on it.

-chris
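The policy shape described in the quoted post (a few specific hosts and ports, SCADA-to-business connections outgoing only, patches and signatures fetched from an internal server rather than the Internet) and the three requests in Dave's original message can be checked mechanically. The following is an added example, not code from the list or from any poster: a small zone-based, first-match, default-deny rule evaluator. The address plan, host names, ports and rule comments are constructed assumptions for illustration; the only thing taken from the thread is the policy intent.

```python
"""Zone-based firewall policy check for a SCADA / corporate / Internet split.
Constructed example: the address plan, hosts, ports and rules below are
assumptions, not taken from the list posts or from any real site."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan (assumption). Anything outside is "INTERNET".
ZONES = {
    "SCADA": ip_network("10.10.0.0/24"),
    "CORP": ip_network("10.20.0.0/16"),
}
ANY = frozenset()  # empty host set means "any host in the zone"


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"


@dataclass(frozen=True)
class Flow:
    src: str    # initiating host (the stateful firewall handles replies)
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src_hosts: frozenset
    dst_hosts: frozenset
    proto: str
    dports: frozenset
    action: str   # "ALLOW" or "DENY"
    comment: str

    def matches(self, f: Flow) -> bool:
        return (zone_of(f.src) == self.src_zone
                and zone_of(f.dst) == self.dst_zone
                and (not self.src_hosts or f.src in self.src_hosts)
                and (not self.dst_hosts or f.dst in self.dst_hosts)
                and f.proto == self.proto
                and f.dport in self.dports)


# First match wins; anything unmatched falls through to the default deny.
# Every ALLOW is SCADA -> CORP, i.e. outgoing only, to one named server.
RULES = [
    Rule("SCADA", "CORP", frozenset({"10.10.0.50"}), frozenset({"10.20.5.10"}),
         "tcp", frozenset({1433}), "ALLOW", "historian pushes distilled data to corp DB"),
    Rule("SCADA", "CORP", ANY, frozenset({"10.20.5.20"}),
         "tcp", frozenset({8530}), "ALLOW", "patches from internal WSUS server"),
    Rule("SCADA", "CORP", ANY, frozenset({"10.20.5.21"}),
         "tcp", frozenset({443}), "ALLOW", "AV signatures from internal server"),
]
DEFAULT = ("DENY", "default deny: no inbound to SCADA, no direct Internet, no SMB")


def evaluate(flow: Flow) -> tuple:
    """Return (action, reason) for the first matching rule, else the default."""
    for rule in RULES:
        if rule.matches(flow):
            return rule.action, rule.comment
    return DEFAULT


def lint_rules() -> list:
    """Flag any ALLOW that breaks the 'outgoing only from SCADA' invariant:
    nothing may initiate into the SCADA zone, and SCADA may not reach the
    Internet directly. Returns the offending rule comments (empty = clean)."""
    return [r.comment for r in RULES
            if r.action == "ALLOW" and (r.dst_zone == "SCADA" or r.dst_zone == "INTERNET")]


# Constructed flows standing in for the requests and the legitimate traffic.
REQUESTS = {
    "manage SCADA HMI from home (RDP)":        Flow("198.51.100.7", "10.10.0.10", "tcp", 3389),
    "SCADA host fetches updates from Internet": Flow("10.10.0.10", "203.0.113.5", "tcp", 80),
    "corp workstation SMB into SCADA":         Flow("10.20.1.5", "10.10.0.10", "tcp", 445),
    "SCADA host patches from internal WSUS":   Flow("10.10.0.10", "10.20.5.20", "tcp", 8530),
    "historian pushes to corp DB":             Flow("10.10.0.50", "10.20.5.10", "tcp", 1433),
    "other SCADA host to corp DB":             Flow("10.10.0.10", "10.20.5.10", "tcp", 1433),
}


def audit() -> dict:
    """Map each named request to the action the ruleset gives it."""
    return {name: evaluate(f)[0] for name, f in REQUESTS.items()}


if __name__ == "__main__":
    for name, flow in REQUESTS.items():
        action, why = evaluate(flow)
        print(f"{action:5}  {name:42}  {why}")
    print("invariant violations:", lint_rules() or "none")
```

Running it shows the three requests from the original post (remote management from home, direct Internet fetches, SMB into the SCADA zone) all landing on the default deny, while patching and signature retrieval are still satisfied from the internal servers and the historian's outbound push to the business-network database is the only cross-zone data path; `lint_rules` is the check to re-run whenever someone proposes "opening it up a little", since it catches any new ALLOW that would turn the outgoing-only design into an inbound one.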



------------------------------

Message: 5
Date: Tue, 14 Apr 2009 15:31:14 -0400 (EDT)
From: "R. DuFresne" <dufresne@sysinfo.com>
Subject: Re: [fw-wiz] Who stay focused? (was: [Fwd: Question])
To: Jean-Denis Gorin <jdgorin@computer.org>
Cc: firewall-wizards@listserv.cybertrust.com
Message-ID: <Pine.LNX.4.64.0904141523560.30929@darkstar.sysinfo.com>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 14 Apr 2009, Jean-Denis Gorin wrote:

[SNIP]

>
> For them willing to know why I'm still lurking FW-wiz as I have quit the field,
> I'm just trying to assess how fast the IT world will collapse in case of a major
> security threat... (I already know who will survive this, and how ;) ).
>

I'm not sure it requires a security threat to bring down vast areas of
the Internet, and for vast periods of time. If either coast was hit with
a tsunami, or huge quake, or even a large storm like that which
devastated New Orleans <which still has not recovered how many years
after?>, the effects of which will be technically devastating as well.


Main question is, if the Internet is devastated, to a point it can be
'rebuilt' would the mistakes of the past be redone in the new?

Thanks,

Ron DuFresne
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

These things happened. They were glorious and they changed the world...,
and then we fucked up the endgame. --Charlie Wilson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFJ5OSFst+vzJSwZikRAmPqAKCf9+MuXiA4zWTt3Y5DA+b4X8I89QCfQLHO
mG67d348bTLs3Tm+iCUolPA=
=2dqt
-----END PGP SIGNATURE-----


------------------------------

Message: 6
Date: Tue, 14 Apr 2009 14:37:59 -0500
From: "Behm, Jeff" <jbehm@burnsmcd.com>
Subject: Re: [fw-wiz] Who stay focused? (was: [Fwd: Question])
To: <firewall-wizards@listserv.icsalabs.com>
Message-ID:
<1217D5F18AEF15499BF1047D8F407D56097B40@kcm-exch-001.burnsmcd.com>
Content-Type: text/plain; charset="us-ascii"

On Tuesday, April 14, 2009 1:22 PM, Jean-Denis Gorin so spoke:
> So, my question is: among all of you, old timer firewall wizards,
> how many stay focused to infosec

</quasi-lurker>

Don't know that I'm really a true "old-timer[1]," but...I have lived
through the waning days of Gauntlet, getting replaced by the *more*
secure (yeah, whatever) Checkpoint, getting replaced by the more
advanced (ok, cheaper) PIX/ASA. Trying to explain the benefits of App
Proxy vs. Packet Filter proxy to layer 8 is obviously futile (at least
it was in my case).

In this economy, it seems to me that unless one is in a large-to-huge
enterprise, I'd bet not many are able to focus *strictly* on only
infosec. While that's still my primary function (and has been for over a
decade), I'm not able to focus solely on that. Now, along with "infosec"
there's Windows server implementation (on VMWare, on standalone
hardware, etc.), Unix admin, infrastructure architecture, and managing a
variety of security "appliances" that, while not necessarily perfect,
are much better than before we had them.

And yes, there's always the "do the best you can with what you have to
work with" mantra, that, like it or not, does exist blah, blah, blah[2].

> and had kept a global view of infosys) ?
Global view of infosys? How can one *not* have a global view. Maybe I
take that for granted (but shouldn't), because if I had a nickel for
every time a developer/implementer could have made things better if they
would have had the "big picture" view...

Jeff

[1] Definition of "old timer", please? (or perhaps maybe I shouldn't
want to know that answer)
[2] Not trying to resurrect a previous thread of "you're either secure
or you're not vs. how much security do you want to buy?"

<quasi-lurker>


------------------------------

Message: 7
Date: Tue, 14 Apr 2009 15:05:07 -0400 (EDT)
From: jseymour@linxnet.com (Jim Seymour)
Subject: Re: [fw-wiz] SCADA
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <20090414190507.5644FE129@jimsun.linxnet.com>


"Bertolett, Richard" <Richard.Bertolett@ci.austin.tx.us> wrote:
>
[snip]
>
> Security, particularly cyber-security, is best implemented in layers.

I think of it more as "defense in depth."

> So yes, you do need an anti-virus system, and yes, you do need to apply
> MS security patches,
[snip]

Eh. My personal experience, over the years, is that AV software is
relatively worthless as a preventive tool. As for MS' security
patches: If you have the machines in question isolated from hostile
networks, most of them aren't strictly necessary, IMO. Not that these
are a bad thing, mind you. In any event: I suspect there's been a
misunderstanding...

>... it is
> much more secure to retrieve patches and virus sigs from an internal
> server, say little of the internet connection bandwidth usage.

I think there may've been some confusion induced by the way Mr. Loe
phrased things. (Correct me if I'm wrong, Brian.) I *believe* their
SCADA network is firewalled from the business network; the business
network is firewalled from the Internet; and there are some *few*
connections, of very specific types, allowed between specific machines
on the SCADA network and specific machines on the business network.

I *believe* what some people want is to allow the machines on the SCADA
network access to the 'net, and to allow incoming (allegedly secure)
connections from the 'net into the SCADA network.

Hmph.

I don't believe convenience should *ever* trump security. I believe
that when convenience is allowed to trump security, you get what we
have today: Wide-spread compromising of networks.

[remainder snipped]

Regards,
Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.linxnet.com/contact/scform.php>.


------------------------------

Message: 8
Date: Tue, 14 Apr 2009 17:39:55 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] SCADA
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.0904141734470.21272-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Tue, 14 Apr 2009, Bertolett, Richard wrote:

> Security, particularly cyber-security, is best implemented in layers.
> So yes, you do need an anti-virus system, and yes, you do need to apply
> MS security patches, and you do need firewalls, a DMZ, and ways to keep
> the users from doing things on SCADA computers that they should not be
> doing. But easy should never be a driver in security decisions, it is
> much more secure to retrieve patches and virus sigs from an internal
> server, say little of the internet connection bandwidth usage.
>

The other side of the coin is that adding layers adds complexity and code-
and adding code adds bugs- so you don't *always* get a net security gain
by adding "protection." That's not even factoring in having to update the
update infrastructure, configuration complexity, or a bunch of other
things.

Adding layers should be done on a risk-based basis, with the probability
of failure of a particular control or the elevation of a particular attack
vector taken into account.

Also, the "obvious" choices aren't always the best ones. I can stop more
Windows malware with permissions and group policies than I can with
anti-virus software for instance.


Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/

------------------------------

Message: 9
Date: Tue, 14 Apr 2009 14:53:51 -0700
From: Skip Carter <skip@taygeta.com>
Subject: Re: [fw-wiz] Who stay focused? (was: [Fwd: Question])
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20090414145351.072d2774.skip@taygeta.com>
Content-Type: text/plain; charset=US-ASCII

On Tue, 14 Apr 2009 15:01:36 -0400 (EDT)
"Paul D. Robertson" <paul@compuwar.net> wrote:

> On Tue, 14 Apr 2009, Jean-Denis Gorin wrote:
>
> > So, my question is: among all of you, old timer firewall wizards, how
> > many stay focused to infosec (and had kept a global view [2] of infosys)
> > ?
>
> I still do a great deal of infosec work. I think my focus has been as
> broad as ever, as I'm doing computer forensics, incident response, general
> security, general IT, VoIP switches, RFID, IR training, Web hosting, a
> small amount of development, CRM, networking and nature photography.
.... what about long walks on the beach ? puppies ?


--
Dr. Everett (Skip) Carter Phone: 831-641-0645 FAX: 831-641-0647
Taygeta Scientific Inc. INTERNET: skip@taygeta.com
1340 Munras Ave., Suite 314 WWW: http://www.taygeta.com
Monterey, CA. 93940

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 36, Issue 18
************************************************
