Friday, April 17, 2009

firewall-wizards Digest, Vol 36, Issue 27

Today's Topics:

1. Re: SCADA (or: How I learned to love receiving FWW in digest
form) (Mike Barkett)
2. Re: SCADA (or: How I learned to love receiving FWW in digest
form) (Dotzero)
3. Re: Who stay focused? (Jean-Denis Gorin)
4. Re: Who stay focused? (was: [Fwd: Question]) (Jean-Denis Gorin)
5. Re: Is a full collapse possible? (was: Who stay focused?)
(Jean-Denis Gorin)
6. Is a full collapse possible? (was: Who stay focused?)
(Jean-Denis Gorin)
7. Re: Is a full collapse possible? (was: Who stay focused?)
(Behm, Jeff)
8. Re: Is a full collapse possible? (Marcus J. Ranum)


----------------------------------------------------------------------

Message: 1
Date: Fri, 17 Apr 2009 08:23:19 -0700
From: Mike Barkett <mbarkett@us.checkpoint.com>
Subject: Re: [fw-wiz] SCADA (or: How I learned to love receiving FWW
in digest form)
To: "firewall-wizards@listserv.cybertrust.com"
<firewall-wizards@listserv.cybertrust.com>
Message-ID:
<9D0C0D67383B6749882079531C8AB16813762691D9@US-EX01.ad.checkpoint.com>
Content-Type: text/plain; charset="us-ascii"

Yeah, I know the subject line makes me sound like a fuddy-duddy. Anyway, because this is apparently a last-one-to-post-wins thread, I figured I'd chime in.

It seems that all of us subscribe to differing degrees of the same possibly incorrect notion... that all systems must be connected to something. If a system risks failure due to being connected to an infrastructure that will also fail along with it, then maybe the net value of such connectivity is greatly diminished. I believe Marcus' artist friend rather elegantly made a similar point.

We've already talked about solving the logging problem with physical air gaps and a connectionless logger. Save for physical access and possibly a dedicated leased line to an isolated emergency outpost (for example, to try to remediate things if physical access is too dangerous for humans, or to manually apply patches IF applicable), why introduce any additional risk?

-MAB

------------------------------

Message: 2
Date: Fri, 17 Apr 2009 13:03:44 -0400
From: Dotzero <dotzero@gmail.com>
Subject: Re: [fw-wiz] SCADA (or: How I learned to love receiving FWW
in digest form)
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: "firewall-wizards@listserv.cybertrust.com"
<firewall-wizards@listserv.cybertrust.com>
Message-ID:
<7ae58c220904171003g46929156g8882541e4f310fa4@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Fri, Apr 17, 2009 at 11:23 AM, Mike Barkett
<mbarkett@us.checkpoint.com> wrote:
> Yeah, I know the subject line makes me sound like a fuddy-duddy. Anyway, because this is apparently a last-one-to-post-wins thread, I figured I'd chime in.
>
> It seems that all of us subscribe to differing degrees of the same possibly incorrect notion... that all systems must be connected to something. If a system risks failure due to being connected to an infrastructure that will also fail along with it, then maybe the net value of such connectivity is greatly diminished. I believe Marcus' artist friend rather elegantly made a similar point.
>

Systems do not have to be connected to anything..... as long as one
accepts the tradeoffs involved (just as there are tradeoffs to
deciding something should be connected).

All things being equal and there not being an incident in the news,
would Marcus' artist friend agree to a 10% or 20% increase in his
utility bills to have "proper security" (however one defines this)? I
seriously doubt the average person is willing to pay for that extra
security until after an incident (well, if I had known THAT was going
to happen.....). Remember the days when customer support was unlimited
and free when you bought software? And then it became free for 90
days.... and then it became free if you were willing to post to a
forum......

> We've already talked about solving the logging problem with physical air gaps and a connectionless logger. Save for physical access and possibly a dedicated leased line to an isolated emergency outpost (for example, to try to remediate things if physical access is too dangerous for humans, or to manually apply patches IF applicable), why introduce any additional risk?
>

One argument for the introduction of additional risk is that there is
added value to interconnected systems. Look at Electric production and
distribution. In the good old days one company produced and
distributed across a given area. Now it is a lot more complex. There
might be any number of producers transiting a distribution grid and
there might even be a choice of paths as to how those electrons get
from point A to point B. You have interties across networks, etc. This
means more people need access and/or provide more input.

I'm not saying this is right or wrong, simply that it is. Some of the
tradeoffs are made intentionally. Some are made without the
decisionmakers thinking about it.

I like this hypothetical world that some are describing where security
is easy and all the tradeoffs work easily. Where exactly is this
place?


------------------------------

Message: 3
Date: Fri, 17 Apr 2009 20:20:23 +0200
From: Jean-Denis Gorin <jdgorin@computer.org>
Subject: Re: [fw-wiz] Who stay focused?
To: firewall-wizards@listserv.cybertrust.com
Message-ID: <1239992423.49e8c867715df@imp.free.fr>
Content-Type: text/plain; charset="iso-8859-1"


> From: ArkanoiD, April 16 2009 6:09 PM
>
> Well, I am one of the old-timers (yes, if you started as
> security professional in mid-90s this counts as old-timer now)
> and I am still here.

That's also how I define old-timers ;)

> Have you noticed those? Those guys who started in early 2000s
> and who are *experienced professionals* now?
> They are not visionaries, nor scientists (nor am I, though),
> they are not bright minds either. [SNIP] And they are always
> welcome in the corporate world.

They sound like a lot of "Senior Security Consultants" I know (sadly)...

> So I am just a loser

No. You are not: you have kept the right state of mind to perform
successful security.

> I just tried to do something to make this crazy world a little
> bit sane. And I failed epically.

I was just like you. Like a lot of other old-timers I know...
Then, I decided to quit the field, trying another way: infosys
architecture seasoned with security (security from the start).
It's a slow process, but sometimes it works. And then I'm
proud to deliver a system I know to be resilient.

> That's not because the world finally learned to listen,
> that's just because everything other fails too obviously
> even for this insane world.

And that world will stay insane until the "big crash".
I confess, some days I pray for the coming of the "big crash" so
security practitioners can be listened to. But, morons are still
too many! Look at what happened after 9/11: did they develop
counter-terrorism intelligence? Of course not! They just
put in some regulations to forbid any way to harm a plane (the
liquid ban is one of the more stupid ones)


JDG

"Reality is that which, when you stop believing in it, doesn't
go away." Philip K. Dick

------------------------------

Message: 4
Date: Fri, 17 Apr 2009 20:21:30 +0200
From: Jean-Denis Gorin <jdgorin@computer.org>
Subject: Re: [fw-wiz] Who stay focused? (was: [Fwd: Question])
To: firewall-wizards@listserv.cybertrust.com
Message-ID: <1239992490.49e8c8aa7b063@imp.free.fr>
Content-Type: text/plain; charset=ISO-8859-1


> Jeff, April 14 2009 9:38 PM

> Global view of infosys? How can one *not* have a global view.

Very easily: by being stuck to the graphical management interface of
your firewalls and anti-virus solution.
That's the "classical" view of infosys (sadly). If you have
firewalls and an AV, then you are safe! (the "lucky stone"
syndrome).

> Maybe I take that for granted (but shouldn't), because if I
> had a nickel for every time a developer/implementer could have
> made things better if they would have had the "big picture"
> view...

You will be rich, and a lot of us too! :(

> [1] Definition of "old timer", please? (or perhaps maybe
> I shouldn't want to know that answer)

An "old timer" is someone who entered the field before the second
half of the 90's.
A "very old timer" is someone who, before the mid-90's, knew what
SEAL was ;)

JDG

"Reality is that which, when you stop believing in it, doesn't
go away." Philip K. Dick


------------------------------

Message: 5
Date: Fri, 17 Apr 2009 20:22:37 +0200
From: Jean-Denis Gorin <jdgorin@computer.org>
Subject: Re: [fw-wiz] Is a full collapse possible? (was: Who stay
focused?)
To: firewall-wizards@listserv.cybertrust.com
Message-ID: <1239992557.49e8c8edd99db@imp.free.fr>
Content-Type: text/plain; charset=ISO-8859-1


> R. DuFresne, April 14 2009 9:31 PM

> I'm not sure it requires a security threat to bring down vast
> areas of the Internet, and for vast periods of time. If either
> coast was hit with a tsunami, or huge quake, or even a large
> storm like that which devastated New Orleans, the effects of
> which will be technically devastating as well.

I agree!
And also some Cyber warfare people: the more effective way to
maximize damage to a network is to attack the physical
infrastructure. A logical attack is not enough and the spread
might be too difficult to control and contain...

> Main question is, if the Internet is devastated, to a point it
> can be 'rebuilt' would the mistakes of the past be redone in
> the new?

I fear that the answer will be a "Yes".
Because if this happens, the urgency will be to rebuild in the
quickest way, not in the more secure way.


JDG

"Reality is that which, when you stop believing in it, doesn't
go away." Philip K. Dick


------------------------------

Message: 6
Date: Fri, 17 Apr 2009 20:23:50 +0200
From: Jean-Denis Gorin <jdgorin@computer.org>
Subject: [fw-wiz] Is a full collapse possible? (was: Who stay
focused?)
To: firewall-wizards@listserv.cybertrust.com
Message-ID: <1239992630.49e8c936320be@imp.free.fr>
Content-Type: text/plain; charset=ISO-8859-1


> Chris Blask, April 14 2009 11:15 PM

> Oh, I may be proven wrong in the end, but I don't see the IT
> world collapsing, ever. That may depend on the definition of
> "collapsing", I suppose - lots of regrettable/foolish/
> avoidable/nasty things happening at any given moment are
> always within the realm of possibility - but The Whole Thing
> Coming Down for any appreciable period of time is not
> something I expect to live to see.

Not the IT world, but the Internet world could.

IMHO, it's a matter of ROI: if the "bad guys" think that it's
worth to take down a part of the Internet, they will do it!

We all know that it is possible and we don't need more than
one day or two to think of some doable ways to achieve that
goal...


JDG

"Reality is that which, when you stop believing in it, doesn't
go away." Philip K. Dick


------------------------------

Message: 7
Date: Fri, 17 Apr 2009 15:43:16 -0500
From: "Behm, Jeff" <jbehm@burnsmcd.com>
Subject: Re: [fw-wiz] Is a full collapse possible? (was: Who stay
focused?)
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<1217D5F18AEF15499BF1047D8F407D56097CFA@kcm-exch-001.burnsmcd.com>
Content-Type: text/plain; charset="us-ascii"


On Friday, April 17, 2009 1:24 PM, Jean-Denis Gorin said:

> IMHO, it's a matter of ROI: if the "bad guys" think that it's
> worth to take down a part of the Internet, they will do it!

Agreed. If they are smart they wouldn't do that, as that would
be biting the proverbial hand that feeds them...I.E. Why would
they kill the very means they are able to use in much more
"cost effective" ways?

I.E. No Internet = ROI -> zero

I guess they could go back to the old fashioned ways of carrying
a big stick along with a 55 gallon drum of intimidation.


------------------------------

Message: 8
Date: Fri, 17 Apr 2009 17:46:45 -0400
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] Is a full collapse possible?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <49E8F8C5.7090602@ranum.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Behm, Jeff wrote:
> Agreed. If they are smart they wouldn't do that

Robots aren't smart.

We can worry about the motives of human agents, but
doesn't it seem much more likely that some piece
of self-replicating code will get into one of these
SCADA systems and crash it all to hell? The end
result is the same.

mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
http://www.tenablesecurity.com


------------------------------

End of firewall-wizards Digest, Vol 36, Issue 27
************************************************