Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Re: Quote cybersecurity unquote (David Lang)
2. Re: Quote cybersecurity unquote (Marcin Antkiewicz)
----------------------------------------------------------------------
Message: 1
Date: Tue, 5 Nov 2013 17:38:39 -0800 (PST)
From: David Lang <david@lang.hm>
Subject: Re: [fw-wiz] Quote cybersecurity unquote
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <alpine.DEB.2.02.1311051724310.10217@nftneq.ynat.uz>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
On Tue, 5 Nov 2013, mjr wrote:
> Paul D. Robertson wrote:
>> I think dedicated security companies testing and remediating is probably
>> the most likely new model.
>
> Add to that, The Cloud. I finally realized that The Cloud is a good thing.
> What it means is that those who cannot do IT are going to stop trying. If they
> can't do system administration or system operations, they're going to step
> away from the plate and let Amazon or Google or whoever do it. Overall, this
> is probably for the best.
Unfortunately you are misinterpreting what they are leaving up to Amazon and
Google.
They aren't outsourcing the system administration; all they are outsourcing is
the hardware administration.
In the process they are deciding that system administrators aren't needed and
just get in the way. The developers can take over doing everything because it is
easy enough that any developer can get a cloud system online.
This is the same mistake that businesses made about Windows Administration (it
looks easy, we don't need any specialists).
To solve the security problem, two additional steps need to take place.
1. Instead of people getting bare VMs to configure, they need to not have access
to the systems, only the applications. There are a few hints of this today
(openstack and similar)
2. The 'application definition' needs to not only include what software to
install, but also what the allowed communications between pieces (and between
the application and the outside world) look like. Then the management tools need
to implement the network security transparently to the application developers.
In many ways, much of what's going on in cloud computing is a step backwards for
security. While cloud computing can make doing upgrades easier for good admins,
it also makes it easier to keep running old software without patching it. Look
at how VMWare is pushing their products for the desktop by advertising that
people will be able to keep running Windows XP forever.
David Lang
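The two steps above describe an application definition that declares allowed communications alongside the software, with tooling deriving the network policy so the developer never hand-writes firewall rules. The following is an added example, not code from the post or from any project mentioned in it; the definition schema, the component names ("lb", "web", "db"), the "internet" pseudo-component and the iptables-style output format are all assumptions made for illustration.

```python
"""Derive per-component network policy from an application definition.

Added example (assumed schema, not from the mailing-list post): the
definition lists each component's software and every permitted flow;
everything not listed is denied on both the inbound and outbound side.
"""
from dataclasses import dataclass, field

# Constructed application definition. "internet" stands for the outside world
# and is the only name that does not have to be a declared component.
APP_DEFINITION = {
    "components": {
        "lb":  {"software": ["haproxy"]},
        "web": {"software": ["nginx", "app"]},
        "db":  {"software": ["postgresql"]},
    },
    "flows": [
        # (source, destination, protocol, port)
        ("internet", "lb",  "tcp", 443),
        ("lb",       "web", "tcp", 8080),
        ("web",      "db",  "tcp", 5432),
    ],
}


@dataclass
class Policy:
    """Derived policy: default deny plus explicit allow sets per component."""
    inbound: dict = field(default_factory=dict)   # component -> {(src, proto, port)}
    outbound: dict = field(default_factory=dict)  # component -> {(dst, proto, port)}
    errors: list = field(default_factory=list)


def derive_policy(app):
    names = set(app["components"])
    pol = Policy(inbound={n: set() for n in names},
                 outbound={n: set() for n in names})
    for src, dst, proto, port in app["flows"]:
        # A flow may only name declared components or "internet"; a typo must
        # fail the build rather than silently open (or close) the wrong thing.
        if src != "internet" and src not in names:
            pol.errors.append(f"unknown source component {src!r}")
            continue
        if dst != "internet" and dst not in names:
            pol.errors.append(f"unknown destination component {dst!r}")
            continue
        if src == "internet" and dst == "internet":
            pol.errors.append("flow from internet to internet is meaningless")
            continue
        if dst != "internet":
            pol.inbound[dst].add((src, proto, port))
        if src != "internet":
            pol.outbound[src].add((dst, proto, port))
    # A component that nothing is allowed to reach is almost always a mistake
    # in the definition, so report it instead of deploying an unreachable node.
    for n in sorted(names):
        if not pol.inbound[n]:
            pol.errors.append(f"component {n!r} has no inbound flows")
    return pol


def render_rules(pol, component):
    """Render one component's policy as iptables-style lines (illustrative
    format; "@name" is a placeholder the deployment tooling would resolve to
    that component's current addresses)."""
    lines = [
        "-P INPUT DROP",
        "-P OUTPUT DROP",
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src, proto, port in sorted(pol.inbound[component]):
        src_match = "" if src == "internet" else f" -s @{src}"
        lines.append(f"-A INPUT{src_match} -p {proto} --dport {port} -j ACCEPT")
    for dst, proto, port in sorted(pol.outbound[component]):
        dst_match = "" if dst == "internet" else f" -d @{dst}"
        lines.append(f"-A OUTPUT{dst_match} -p {proto} --dport {port} -j ACCEPT")
    return lines


if __name__ == "__main__":
    policy = derive_policy(APP_DEFINITION)
    for err in policy.errors:
        print("ERROR:", err)
    for comp in APP_DEFINITION["components"]:
        print(f"# {comp}")
        print("\n".join(render_rules(policy, comp)))
```

With the constructed definition, the database node ends up accepting only port 5432 from the web tier and initiating nothing, which is the property the post is after: the developer declared the application, and the allow lists fell out of that declaration rather than out of someone's memory of how the pieces talk.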
------------------------------
Message: 2
Date: Wed, 6 Nov 2013 22:27:52 -0600
From: Marcin Antkiewicz <firewallwizards@kajtek.org>
Subject: Re: [fw-wiz] Quote cybersecurity unquote
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<CAAZ0CmKhpfCmGNpBON+nOKMc60JpYax3piKpE17G+dsMyiTeQQ@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
>> trying. If they can't do system administration or system operations,
>> they're going to step away from the plate and let Amazon or Google or
>> whoever do it. Overall, this is probably for the best.
>>
>
> Unfortunately you are misinterpreting what they are leaving up to Amazon
> and Google.
>
> They aren't outsourcing the system administration; all they are
> outsourcing is the hardware administration.
[..]
> In many ways, much of what's going on in cloud computing is a step
> backwards for security. While cloud computing can make doing upgrades
> easier for good admins, it also makes it easier to keep running old
> software without patching it. Look at how VMWare is pushing their products
> for the desktop by advertising that people will be able to keep running
> Windows XP forever.
Hold on. There are multiple trends in security here that you lump into the
same bag:
- "Cloud" describes little more than a billing model (subscription O&M),
and a form of provisioning (the "elasticity"), and some business glue.
Amazon sells you a slice of a hypervisor, Google used to sell managed
python execution containers, SalesForce lets you build CRM-related
applications as plugins into their data and services. Save for Amazon's
case, who needs sysadmins? If you have 3k Amazon instances, but all of them
run the same code, you need a deployment specialist that is more of a
programmer than a sysadmin. No one will fix a node, there is no capacity
planning, log rotation, account provisioning - those are fixed at much
higher scale, or done via APIs. Your sysadmin here is called an Architect,
and knows Chef/Puppet/etc like you knew /etc.
- Why bother with Amazon? Same hardware in the corporate data center, and
people you can actually talk to? Let's see - I have an app, we want to have
a load balancer, 5 front caches and 2 backend DBs provisioned in 3 days. Oh,
your lead on hardware is 2 weeks, and we did not do this architecture
before? DNS issues? Ah, the cabling you guys did not do for 3 weeks... IT
is either a commodity, and begins to see competition on price with other
options, or it's a well run organization that is fiercely competent and
pragmatic. I see much more of the first kind.
- I have 35 sites where upgrade from XP to Win7 costs $0.5 mil a pop.
Those are not offices, there is no added functionality we will get from Win
7. No, I was unable to plan ahead. We saw the wall, and when we tried to
pull brakes, it turned out that we run drum brakes from the 20's on bicycle
width tires - no braking power :-) What now? Mitigation. I gave Bromium a
call, they are more than happy to help, more work will happen. We will fix
the issue in 2-3 years, when the money will be spent on a lifecycle
replacement and, for the same money, we will get very important new
features (the XPs are fronts to big machinery that comes integrated). Yeah,
I know. I just work here... We will run XP, in VMs and on hardware, for a
decade or more.
- Security is maturing. Whether I like how it goes, the NIST standard work,
and the adoption talk surrounding it begins to smell like a talk on best
practices. Never mind all of the folks who will have to adopt it. I talk to
lawyers and insurers, they slowly are taking notice, and the poor security
folk will be hit with slow professionalization of the occupation. The
network security of the late 90s is no longer in demand. Openflow demands
serious networking skills and some programming skills. DevOps can run
immensely secure infrastructures, because their service model requires very
tight change control, minimalist capabilities on production nodes and all
admin actions are scripted. There is very little chance for non-standard
configuration errors, or unnoticed config errors. Yes, mono-cultures are
bad. Yes, mistakes still happen. It's a much better model than state of an
average old school (10 years ago :-) Unix DMZ. Sorry, good security people
are in huge demand, expensive, and they will not work and behave as they
did 10 years ago.
- Marcus is right. Cloud raises the bar or, more likely, allows clueful
folks to run faster than the pack. Drop code on a VM (different spend
structure), use the provider's host security offers, integrated Nessus scans,
cheap 24/7 alerting, CloudFlare for WAF/DDoS/CDN, some DNS provider, and
you have a formidable setup that can be administered part time. Is it
better than the traditional way? No, but a lot of people can't afford the
typical solution and finding good people who can build it on a budget is
hard. The outcome is very different, but it took the market by a storm.
Marcin Antkiewicz
------------------------------
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
End of firewall-wizards Digest, Vol 67, Issue 4
***********************************************