Saturday, April 25, 2009

firewall-wizards Digest, Vol 36, Issue 35

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: SCADA (Daniel E. Hassler)
2. Re: Who stay focused? (was: [Fwd: Question]) (hermit)


----------------------------------------------------------------------

Message: 1
Date: Fri, 24 Apr 2009 18:10:59 -0700
From: "Daniel E. Hassler" <hassler@speakeasy.net>
Subject: Re: [fw-wiz] SCADA
To: "R. DuFresne" <dufresne@sysinfo.com>
Cc: mjr@ranum.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <49F26323.9050308@speakeasy.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

OK - I may have misrepresented what I'm doing. I am not doing true
SCADA. I have a system which is required to report electric meter
readings securely over the internet from remote sites. Traffic is
allowed to pass (only encrypted) from the Modbus network (which has no
control devices) to the public internet. The gateway is sufficiently
secure given the value of the data. It's low value residential/small
business stuff but it is not supposed to be visible to outside parties
so it must travel encrypted. Authentication is also important as we need
to know the data is from the meter it says it's from. If you've ever
purchased anything over the internet you obviously felt the level of
protection offered was sufficient. I would say these systems are as
secure as OpenBSD which is actually not good enough to allow true SCADA
access to the internet. No remote holes - ever or keep it away from the
internet is a good mantra. Since I don't believe anyone has sufficiently
proved they have a system with zero remote holes ever possible other
than a system with zero remote connections I too would recommend
strongly the latter for true SCADA where perhaps a power grid or nuclear
plant are involved. Common sense.

Dan Hassler

R. DuFresne wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Wed, 15 Apr 2009, Daniel E. Hassler wrote:
>
>> OK - I expected this. As I stated I was/am not trolling. Heck - check
>> the email headers - This noise is coming from Thunderbird on a WinXP
>> Pro system. I don't expect this system is secure even with two
>> different firewalls and an AV software product installed. Marcus -
>> I've really enjoyed your works/writings/postings and sincerely did not
>> mean any offense. I've read over and over about SCADA security
>> issues but find practically nothing on the market to effectively
>> address them. We can write a lot on the Firewall Wizards list about
>> the woes of mixing today's connected business needs with yesterday's
>> isolation is a form of security. My basic question is why aren't
>> those who have a clue creating solutions to meet the business needs?
>> This is where I think our time is better spent (and the $$$ are).
>> If I can rephrase my original question it would be more like: "I
>> think we can do better, If we build it will they come?"
>>
>
>
> As I have read this thread, and a variety of others over the years, I
> keep coming to the conclusion that many seem to miss the point that
> "those who have a clue" are ignored, or their chants/rants about how
> to secure systems like SCADA are missed or ignored. The point being
> made early on and at various times in this version of the thread:
> leave them off the corporate network and far far away from any
> internet capable connection. Or have I misinterpreted the advice given
> over the years on this topic specifically?
>
> Similar point to broader corporate network security, do not let
> insecure protocols pass the perimeter. Seems to me that these threads
> keep popping up from time to time because folks just do not like the
> answers they are getting from the clued. Or, am I again misreading
> and interpreting?
>
>
> Thanks,
>
>
> Ron DuFresne
> - -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> admin & senior security consultant: sysinfo.com
> http://sysinfo.com
> Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
>
> These things happened. They were glorious and they changed the world...,
> and then we fucked up the endgame. --Charlie Wilson
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (GNU/Linux)
>
> iD8DBQFJ8Ns4st+vzJSwZikRAjUDAJ4+Ba8Idt7d3AwT7N1NSRXsI81BKwCdE2YB
> gmlB6WGPQ8c022hR5tji+/s=
> =SXn2
> -----END PGP SIGNATURE-----
>
>
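Dan's design above relies on two properties for the meter reports: confidentiality (the encrypted path to the internet) and origin authentication (knowing a reading really came from the meter it claims to). The following added example, which is not code from the original post or from any product it describes, shows the origin-authentication half only: each meter holds its own shared key, the collector verifies an HMAC-SHA256 tag over the report and enforces a per-meter sequence number so a captured report cannot be replayed. The meter IDs, keys and readings are constructed for the demo; confidentiality is assumed to come from the encrypted transport the post mentions (TLS or a VPN) and is not provided by this code.

```python
import hashlib
import hmac
import json

# Constructed per-meter shared keys. In a real deployment these would be
# provisioned at install time, one key per meter (assumption for the demo).
METER_KEYS = {
    "meter-0001": b"constructed-key-for-meter-0001",
    "meter-0002": b"constructed-key-for-meter-0002",
}


def build_report(meter_id: str, seq: int, reading_wh: int, key: bytes) -> bytes:
    """Serialize one reading and append an HMAC-SHA256 tag under the meter's key.

    Wire format (constructed for this example): <json body>.<hex tag>
    """
    body = json.dumps(
        {"meter": meter_id, "seq": seq, "wh": reading_wh}, sort_keys=True
    ).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + b"." + tag.hex().encode()


class Collector:
    """Receiving side: checks the tag before trusting anything in the body."""

    def __init__(self, keys):
        self.keys = keys
        self.last_seq = {}  # highest sequence number accepted per meter

    def verify(self, report: bytes):
        """Return (accepted, reason, payload). Payload is None unless accepted."""
        body, sep, tag_hex = report.rpartition(b".")
        if not sep:
            return False, "malformed", None
        try:
            payload = json.loads(body)
            tag = bytes.fromhex(tag_hex.decode())
        except (ValueError, UnicodeDecodeError):
            return False, "malformed", None

        # The claimed meter ID selects the key; an unknown ID is rejected outright.
        meter_id = payload.get("meter")
        key = self.keys.get(meter_id)
        if key is None:
            return False, "unknown meter", None

        # Constant-time comparison of the recomputed tag against the received one.
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag", None

        # Replay protection: sequence numbers must strictly increase per meter.
        seq = payload.get("seq")
        if not isinstance(seq, int) or seq <= self.last_seq.get(meter_id, -1):
            return False, "replay", None
        self.last_seq[meter_id] = seq
        return True, "ok", payload


def demo():
    """Run the collector over a genuine, replayed, tampered, forged and unknown report."""
    collector = Collector(METER_KEYS)
    good = build_report("meter-0001", 1, 12345, METER_KEYS["meter-0001"])
    r_ok = collector.verify(good)[1]
    r_replay = collector.verify(good)[1]  # same report delivered twice
    # Reading altered in transit while the original tag is kept.
    tampered = good.replace(b'"wh": 12345', b'"wh": 99999')
    r_tampered = collector.verify(tampered)[1]
    # A report claiming to be meter-0001 but tagged with meter-0002's key.
    forged = build_report("meter-0001", 2, 1, METER_KEYS["meter-0002"])
    r_forged = collector.verify(forged)[1]
    unknown = build_report("meter-9999", 1, 1, b"constructed-unprovisioned-key")
    r_unknown = collector.verify(unknown)[1]
    return [r_ok, r_replay, r_tampered, r_forged, r_unknown]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The order of checks matters: the key lookup and tag comparison happen before any field of the body is acted on, so a collector never updates state based on a report it has not yet authenticated. Key compromise of one meter lets an attacker forge only that meter's readings, which is why the keys are per meter rather than shared across the fleet.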


------------------------------

Message: 2
Date: Fri, 24 Apr 2009 08:19:01 -0700 (PDT)
From: hermit <hermit921@yahoo.com>
Subject: Re: [fw-wiz] Who stay focused? (was: [Fwd: Question])
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <518373.3997.qm@web32706.mail.mud.yahoo.com>
Content-Type: text/plain; charset=iso-8859-1


> From: R. DuFresne <dufresne@sysinfo.com>
> Subject: Re: [fw-wiz] Who stay focused? (was: [Fwd: Question])
> To: "Brian Loe" <knobdy@gmail.com>
> Cc: "Firewall Wizards Security Mailing List" <firewall-wizards@listserv.cybertrust.com>
> Date: Thursday, April 23, 2009, 1:52 PM
>
> On Wed, 15 Apr 2009, Brian Loe wrote:
>
> >
> > Instead use your change management policy to request the changes you
> > want to make or the access a user wants. Then if bad decisions are
> > made by other people they are documented as to who is responsible for
> > the resulting evil!
> >
> > I could care less what my employer wants to do, so long as I have
> > informed them of my opinion and accountability for their stupidity has
> > been assigned to someone else.
>
>
> This assumes two points though, that the BIG guys up there
> have integrity and have taken responsibility for their
> decisions. I seldom find either of those to be the case
> and have seen cases whence the "stupidity" still rests on
> the techies' shoulders as "they failed to properly inform me
> of the error of my ways".
>
> Thanks,
> Ron DuFresne

I really have to agree with Ron on this. I see this all too often:
Tech: "If you do that, this important functionality will break."
Manager does that. Functionality breaks.
Manager: "It is all your fault."
Tech: "I warned you that would happen."
Manager: "You didn't persuade me to not do it, so it is your fault."
Manager spreads his version of fault around the company.

hermit921



------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 36, Issue 35
************************************************