Friday, May 01, 2009

firewall-wizards Digest, Vol 37, Issue 2

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: State of security technology for the enterprise (kowsik)
2. Re: State of security technology for the enterprise (Chris Hughes)
3. Re: Email Scams, Telemarketing, and Identity Theft (Paul D. Robertson)


----------------------------------------------------------------------

Message: 1
Date: Thu, 30 Apr 2009 23:33:07 -0700
From: kowsik <kowsik@gmail.com>
Subject: Re: [fw-wiz] State of security technology for the enterprise
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<7db9abd30904302333i73e06efdkfe7aac07a13a59ad@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

Stateful is typically about 5-tuple flow tracking and maybe some
handful of protocols that need alternate ports (FTP is usually the
qualifier for someone to be stateful) and DPI is typically about the x
odd protocols that are decoded "enough" to claim deep.

And it makes a nice story,

K.

On Thu, Apr 30, 2009 at 6:19 PM, Paul D. Robertson <paul@compuwar.net> wrote:
> On Thu, 30 Apr 2009, Marcus J. Ranum wrote:
>
>> ...And nobody has ever done an adequate job of explaining what is
>> stateful about SPI or particularly "deep" about DPI.  As one of those
>
> Oh, the stateful part was explained pretty well- as were the state tables,
> it was the "inspection" part that was all over the map in SPI just like
> in DPI...
>
>> obnoxious guys who always did everything at Layer 7, it seems more
>> like an argument about who's the tallest kid in the shallow end of
>> the pool.
>
> I get to have a proxy conversation with a bank tomorrow, because *all*
> their literature for their ACH service requires "unrestricted Internet
> access" with (at least according to the manuals, no place to even put a
> proxy for the HTTPS or FTP methods.) *sigh*
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> paul@compuwar.net       which may have no basis whatsoever in fact."
>           Moderator: Firewall-Wizards mailing list
>           Art: http://PaulDRobertson.imagekind.com/
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
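As an added illustration of the point kowsik makes about what "stateful" usually amounts to (this is example code written for this page, not anything from the list or from any vendor), here is a toy 5-tuple flow tracker with an FTP helper. A plain 5-tuple filter admits reply packets for connections it saw the inside host open; active-mode FTP is the classic case that breaks this, because the client announces a port inside the control channel and the server connects back to it, so the filter has to read the PORT command to open a one-shot expectation. The inside prefix, the allowed ports and all packets are constructed for the demo.

```python
"""Toy stateful firewall: 5-tuple flow tracking plus an FTP PORT helper.

Added example for this page, not from the firewall-wizards thread.
Addresses, ports and packet contents below are constructed test data.
"""
from dataclasses import dataclass
import re


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    syn: bool = False          # True for a new-connection attempt
    payload: bytes = b""

    def five_tuple(self):
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)

    def reverse_tuple(self):
        return (self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


# Active-mode FTP: "PORT h1,h2,h3,h4,p1,p2" announces client address and port.
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


class StatefulFirewall:
    def __init__(self, inside_prefix, allowed_outbound_ports):
        self.inside_prefix = inside_prefix          # e.g. "10.0.0."
        self.allowed = set(allowed_outbound_ports)
        self.flows = set()      # established 5-tuples, both directions stored
        self.expect = {}        # (server_ip, client_ip, client_port) -> label

    def is_inside(self, ip):
        return ip.startswith(self.inside_prefix)

    def process(self, pkt):
        """Return the decision for one packet and update state."""
        if pkt.five_tuple() in self.flows:
            self._ftp_helper(pkt)           # application awareness on top of state
            return "ALLOW (existing flow)"
        # New outbound connection from the inside to an allowed service port.
        if pkt.syn and self.is_inside(pkt.src_ip) and pkt.dst_port in self.allowed:
            self._add_flow(pkt)
            return "ALLOW (new outbound)"
        # Inbound connection that the FTP helper told us to expect (one-shot).
        if pkt.syn and self.expect.pop((pkt.src_ip, pkt.dst_ip, pkt.dst_port), None):
            self._add_flow(pkt)
            return "ALLOW (expected ftp-data)"
        return "DROP"

    def _add_flow(self, pkt):
        self.flows.add(pkt.five_tuple())
        self.flows.add(pkt.reverse_tuple())

    def _ftp_helper(self, pkt):
        # Only inspect the client-to-server side of the FTP control channel.
        if pkt.dst_port != 21 or not self.is_inside(pkt.src_ip):
            return
        m = PORT_RE.search(pkt.payload)
        if not m:
            return
        a, b, c, d, p1, p2 = (int(x) for x in m.groups())
        announced_ip = f"{a}.{b}.{c}.{d}"
        # Hardening: only honour a PORT that names the sending client itself,
        # so the control channel cannot request a pinhole to some other host.
        if announced_ip != pkt.src_ip:
            return
        self.expect[(pkt.dst_ip, announced_ip, p1 * 256 + p2)] = "ftp-data"


def run_demo():
    """Constructed packet sequence: FTP session with an active-mode transfer."""
    fw = StatefulFirewall("10.0.0.", {21, 80, 443})
    client, server = "10.0.0.5", "203.0.113.10"
    return [
        fw.process(Packet(client, 40000, server, 21, syn=True)),
        fw.process(Packet(server, 21, client, 40000)),
        fw.process(Packet(client, 40000, server, 21,
                          payload=b"PORT 10,0,0,5,156,65\r\n")),   # 156*256+65 = 40001
        fw.process(Packet(server, 20, client, 40001, syn=True)),   # expected data conn
        fw.process(Packet(server, 20, client, 40002, syn=True)),   # unsolicited inbound
        fw.process(Packet(client, 40000, server, 21,
                          payload=b"PORT 10,0,0,9,156,66\r\n")),   # names another host
        fw.process(Packet(server, 20, "10.0.0.9", 40002, syn=True)),  # not honoured
    ]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The expectation table is the whole of the "FTP awareness" that a typical stateful product adds on top of flow tracking; the fifth and seventh packets show why both the state table and the address check in the helper matter.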


------------------------------

Message: 2
Date: Fri, 1 May 2009 09:02:11 -0400
From: "Chris Hughes" <chughes@l8c.com>
Subject: Re: [fw-wiz] State of security technology for the enterprise
To: <firewall-wizards@listserv.icsalabs.com>
Message-ID: <931CBD0F4242450582A1B5268304AE68@Acer>
Content-Type: text/plain; charset="us-ascii"

The environment is a product development environment that is under constant
threat from the outside and a history of inside threats/attacks. I am
protecting mostly Microsoft systems with some *nix. The data at highest
risk is source code and product development documentation. I need to be at
least FIPS 140-2 compliant. As far as budget goes, I was hoping to spread
the purchase between this year's and next year's and keep the total spent less
than 70K. Staff?? I'm it. Experience dealing with IT security risks is
about an 8 on a scale of 1 to 10. I've caught a few, been attacked
internally a few times and externally on a continuous basis. Corporate
espionage is a reality for me.

While all this is important to consider when choosing a solution, I'm not
that far along yet. My intent is to investigate the state of security
technology so that when I am ready to choose a solution or set of solutions,
I can go with product(s) that are forward thinking and least likely to
require a forklift upgrade in the next 3 years.

You make a good point that the pieces of the overall solution must work
closely with each other. This is something the vendors of security
solutions are fighting. They want me to think that they are so good that
they can handle it all. My current solution is hybrid and on more than one
occasion I've seen one vendor miss something and another catch it.

True security cannot be bought, but with the growth of new technologies
comes new threats that are not as easily dealt with by using a six shooter.
As an example, VMWare tells me not to run endpoint protection in my virtual
environment and that there are products out there that sit at the hypervisor
layer to protect VMs from attacking each other. (I left that out of the
environment section. We are 70% VM and will be 90% by end of year. This is
a big consideration)

From: Marcin Antkiewicz <firewallwizards@kajtek.org>
Subject: Re: [fw-wiz] State of security technology for the enterprise
To: miedaner@twcny.rr.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<7ed5f2120904292213r55acf650n92cc1a34a3f7cea6@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

> The underlying architecture is very important to providing control.

I doubt that the original poster's question can be answered without the rest
of the relevant information. What is the environment? What systems/data will
be protected? Under what regulation? What budget?

How big is the staff? What's the infrastructure? What's the organization's
experience dealing with IT Sec risks?

A laundry list of technology is meaningless - each of the pieces must work
with the others, and satisfy some business need. If the latter part is
neglected, funding tends to dry up in 2-3 years. Justification to the
business does not have to be extravagant, but it must be well done, and in
language and context that the business understands.

ArkanoiD is correct, the biggest Sidewinder is worthless if the application
folks decide to include passwords in Javascript. I know of a few places that
try to correct such creativity with iRules on F5s, but that's just a race
that the org is going to lose. Sidewinders and F5s are not needed, secure
SDLC will fix that problem. Add a decent development process to Sidewinders
and the F5s and the org will be doing quite well, but that's very expensive
- requires cooperation of IT Sec and App Delivery, which cannot be purchased.

I think I am trying to say that Security is a process, and cannot be bought
(in a sustainable manner), but that we all know already.

--

Marcin Antkiewicz

------------------------------

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20090501/431090a7/attachment-0001.html>

------------------------------

Message: 3
Date: Fri, 1 May 2009 10:23:27 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] Email Scams, Telemarketing, and Identity Theft
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.0905011015270.5994-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Thu, 30 Apr 2009, Marcus J. Ranum wrote:

> fall under the same laws. So, with spam and telemarketing
> we're dealing with a social failure; the police won't
> protect us and we are not given the tools to protect
> ourselves. (And the phone companies will cheerfully
> sell us caller-ID but then sell telemarketers the ability
> to block it) Ultimately, this kind of imbalance will
> continue as long as it's profitable.
>

My phone switch (Asterisk/FreePBX on an 8yr old FreeBSD box) offers me the
ability to route calls by calling number, ask for identity to be replayed
to me prior to accepting the call, allows me to reject anonymous callers
and gives me the ability to run an IVR from hell on anyone I can't/don't
want to ID. I can also forward to my mobile or not based on all of the
prior conditions, and new DIDs cost me ~$5/month for ones in a specific
area code (VoIPStreet,) or can be free in a couple of area codes (IPKall,)
and set my own outbound callerid to any DID I want (VoicePulse.)

'Course I live somewhere that actual broadband is available ;)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 37, Issue 2
***********************************************
