Multi-Layer Security Platforms
An anonymous reader writes "ITO has published a comprehensive article on the new meaning of unified security management: 'In the not too distant past, the information security needs for most organizations were fairly straightforward. From a technology perspective, core defenses included a handful of perimeter-based firewalls to policing traffic originating from the Internet, along with software at desktops, and perhaps email gateways, to counter the emerging threat from viruses.'"
One well-known place to start
http://www.sans.org/
-- Brought to you by Carl's JR
Sorry; I wasn't that impressed... the entire article read like a hard-sell pitch for all-in-one security appliances. And it turns out one of the authors is the V.P. of marketing for a company selling a range of all-in-one security appliances.
I'd actually think that everyone going the recommended route would end up in the same boat as the current monoculture of point products that they complain about. Now, instead of being compromised because we're all running the same code, we get compromised because we're all running the same security appliance, with the same flaws.
I'd actually rather see a diverse and heterogeneous set of defenses to prevent large scale compromises working against everyone, and the economy of throwing everything into a box, rather than loading a bunch of diverse software strikes me as a false one.
The same arguments that make me want to run a MacOS X box or a FreeBSD box or a Linux box instead of some other platform with well known vulnerabilities make me *not* want to run the same appliance box in front of my network that everyone else is running, too.
Maybe I'm just jaded, and have heard "best of breed" one too many times. 8-(.
-- Terry
... is still there, as it was in the good ol' times: Unplug the damn thing
--
2 cores, 2 monitors, 2 hands!
When are those double-dick body upgrades coming out?
We've been testing a BUNCH of 'all in one' security appliances, and most are clearly running Linux, and at least one of the VERY LARGE, WELL KNOWN appliances is even missing stability updates (yes, that's right, off the shelf bugtraq code can DoS it).
There's a time and place for security appliances, but they're not a cure-all. Some of the brands (I'm actually a fan of Watchguard for small businesses) do great work blocking malicious web and email traffic, but the stability and security are still far from perfect.
4 pages to say defense in depth? Any person who's spent a little time reading about security on the internet could tell you that. Heck, with a touch of extrapolation, combined forces has been used for how long? A couple thousand years?
I agree with the poster above who said it sounded like an ad for an all in one appliance. It spends the first page putting down best of breed security means, then says we need to use best of breed ones, only under this new definition. It ignores that these all in one solutions generally have the cost of integration factored into the cost of the very expensive product. It talks about the changing security environment, trying to pump up your fear, but it totally ignores insider threat, which constitutes the larger chunk of threat.
Essentially, this is a document for security managers, not for anyone on the ground, so to speak. The language is unnecessarily obtuse and ornate.
-- Who is the bigger fool? The fool or the fool who follows him? --
When you install software, it tells you it's installing, and goes into the installed directory so you can browse every piece of software installed on your computer... Instead of letting software designers put their software everywhere they feel like hiding it on your hard drive and registry. Yes I'm looking in your direction, Windows. Power to the user, less abusive power to the developer.
God spoke to me.
That install would come with a VMWare player image of the user's standard install with full admin rights to the user. The VMWare image would be for special dev tools or just for those times when a user "has to have admin".
I can't see how making the user suffer the performance overhead of VMware is a security measure. If this is an attempt to provide a quick way to re-image a workstation after a user has bollocksed it up, why not just use a hard drive imaging tool?
The desktop should include a firewall. Only 80 and 443 should be open for outgoing.
So, no SMB/CIFS/NFS to allow them to actually work with their data on the SAN/NAS? No DNS so they can actually resolve the address of the SAN? No ICMP so that the host actually has a clue when it tries to connect to something that is unreachable?
Incoming should have RDP or VNC open for admins to get in.
Don't forget hackers...
On the e-mail side, attachments should not be allowed.
That would destroy the reason most people use email these days. Can you imagine how effectively a salesperson or manager is going to be able to do their job, if they can't easily send marketing material such as PDFs or PPTs to customers?
HTML e-mail would be allowed, but images would be stripped.
Why? What makes an image any more of a threat to security than a rich-text email (especially when read with certain well known mail clients... *cough* Outlook *cough*) ?
Have good backups and at least try to keep a virus on the user's desktop from raping your SAN/NAS.
That usually comes down to implementing sensible file/directory permissions, and the challenging task of educating users to actually save stuff in the right place.
I could make the most secure airline in the world. But no one would ever want to fly completely naked and cuffed to their seats.
I don't see how your sexual kinks play a role in this discussion.
The trade-off is what kills most real admins.
I work for an advertising agency. They live and die on "easy" communication with every client possible, and most would be surprised just what kind of crap marketing firms will send in professional emails.
Strip an image? They just lost contact info for a potential client. Kill a zipfile because it's password protected? Oops, that was a 7 figure proposal. It just gets worse and worse.
Start by having 2 NAS systems. One for real users, one for idiots who must be attached to the network. Then, separate them so there's no communication between them. Create multiple login systems, and protect your real work (financials, C-levels, etc) from the sales staff and receptionists who open everything, every time.
It's extra work up front, but eventually, those super-complex ACLs preventing the receptionist from deleting any file she doesn't own will save your ass.
This article is terrible and contains no real facts. It is full of buzz words for management.
Go read Schneier. It may seem that most of what he writes is not security related, but it usually is. All forms of security are related. It is important to look at the big security picture and not concentrate on the individual technology pieces.
Hi, I'm Tom.
Then go on BBC's Mastermind. Or be the world's leading expert on IT security. Or both. The problem is that security is one of those fields where there needs to be only one weakness and ALL of the strengths will count for nothing. As such, comprehending one tiny segment in isolation is not a valuable exercise - it WILL be bypassed. Security specialists are the worst specialists to be, you need to be a security generalist if you are to be able to stop anything much beyond the most trivial of attackers. Particularly in a day and age where tools are so easily exchanged that attackers do NOT need to be generalists. The Internet is a gestalt of everyone who uses it and is ergo the ultimate generalist. THAT is who you would be defending against.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
But ICMP? Users don't usually need to ping.
ICMP entails quite a bit more than just ping. If the PC is unable to receive "network/host/protocol/port unreachable", they'll just sit there stupidly until the connection times out. "TTL expired" and "needs fragment" are also fairly important.
I think that if you run the protocols on nonstandard ports and close those on your external firewall, you should be OK. Admins need a remote desktop app to troubleshoot. Nothing is more useless than having a user describe a problem. If they can show you the prob, it can be cleared quickly.
If you run services on nonstandard ports, you're only going to stop the dumbest of hackers. Anyone with a clue will portscan your box, to see what's open. From there, it's relatively easy to identify the protocol bound to a particular port. Security through obscurity is not really security. As for blocking ports on a firewall, of course, that is standard practice. But often the threat these days is within an organisation. Most LANs have very little network security, once inside the perimeter. Crunchy on the outside, soft and chewy on the inside.
I agree however, it's useful to be able to take remote control of a user's desktop. Citrix has such a feature built in, called "shadowing a session". Of course, that's in a Citrix environment, not an XP desktop environment.
And no one should be getting ZIPs, RARs, EXEs, and the like. The smart ones begin renaming the extension.
Even open source mail scanning gateways such as Amavisd-new support banned filename extensions. Couple that with ClamAV, and scan all attachments not yet banned, including recursive scanning of compressed archives, and you get quite a bit of security for very little cost. I've seen this solution fare better than commercial ones, which failed because the virus was a ZIP inside a ZIP.
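Taking the two posts above together (attachments with renamed extensions, and the virus that was a ZIP inside a ZIP), here is an added example, not Amavisd-new or ClamAV code, of what a gateway's attachment check has to do: recurse into nested archives, flag password-protected members it cannot inspect, and recognise an executable by its MZ header rather than by the name it was given. The banned-extension list is an assumed policy, not any product's default.

```python
import io
import os
import zipfile

# Assumed gateway policy (not Amavisd-new's own default list): extensions banned outright
BANNED_EXT = {".exe", ".scr", ".pif", ".bat", ".cmd", ".com", ".js", ".vbs"}
ZIP_MAGIC = b"PK\x03\x04"
PE_MAGIC = b"MZ"  # DOS/PE executable header, checked regardless of the claimed extension

def classify(member, data):
    """Return a finding for one archive member, or None if it looks benign."""
    ext = os.path.splitext(member)[1].lower()
    if data.startswith(PE_MAGIC) and ext not in BANNED_EXT:
        return f"{member}: executable renamed to {ext or 'no extension'}"
    if ext in BANNED_EXT:
        return f"{member}: banned extension {ext}"
    return None

def scan_archive(data, path="", depth=0, max_depth=5):
    """Walk nested zips recursively; encrypted members and deep nesting are flagged, not skipped."""
    if depth > max_depth:
        return [f"{path}: nested deeper than {max_depth} levels, rejected"]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = f"{path}/{info.filename}" if path else info.filename
            if info.flag_bits & 0x1:  # bit 0 of the general-purpose flag = encrypted member
                findings.append(f"{member}: password-protected, cannot be scanned")
                continue
            payload = zf.read(info.filename)
            if payload.startswith(ZIP_MAGIC):
                findings.extend(scan_archive(payload, member, depth + 1, max_depth))
            else:
                hit = classify(member, payload)
                if hit:
                    findings.append(hit)
    return findings

def build_sample():
    """Constructed input: a zip inside a zip holding a PE file renamed to .pdf, plus a bare .exe."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.pdf", PE_MAGIC + b"\x00" * 64)
        z.writestr("readme.txt", b"plain text, nothing to see")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("attachment.zip", inner.getvalue())
        z.writestr("setup.exe", PE_MAGIC + b"\x00" * 64)
    return outer.getvalue()
```

Running `scan_archive(build_sample())` reports the renamed executable inside the nested archive and the bare `.exe`, while `readme.txt` passes.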
Images can link to external servers and be used to verify good IP and e-mail addresses.
True... which is why most email clients these days do not display images (and thus invoke the HTTP connection to retrieve that invisible 1px image) by default. This kind of thing can also be prevented by having a web proxy that only allows access to whitelisted sites.
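The 1px tracking image described above, and the client-side defence of not fetching remote images at all, as an added example (not code from any mail client or the article): a small HTML rewriter that drops every `<img>` whose source would cause an outbound HTTP request, keeps `cid:` inline attachments, and records which sources looked like 1x1 beacons. The sample message and the `tracker.example` host are constructed.

```python
from html.parser import HTMLParser

class RemoteImageStripper(HTMLParser):
    """Re-emits an HTML mail body without <img> tags that would fetch from a remote server."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.stripped = []  # (original src, looks like a 1x1 tracking pixel)

    @staticmethod
    def _attrs(attrs):
        return "".join(f' {k}="{v}"' if v is not None else f" {k}" for k, v in attrs)

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            a = dict(attrs)
            src = (a.get("src") or "").strip().lower()
            if src.startswith(("http:", "https:", "//")):  # cid: and data: cause no request
                pixel = a.get("width") == "1" and a.get("height") == "1"
                self.stripped.append((a.get("src"), pixel))
                return  # remote image dropped; nothing is emitted for it
        self.out.append(f"<{tag}{self._attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <img ... /> gets the same treatment

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):  # convert_charrefs=False, so entities are re-emitted as written
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def strip_remote_images(html):
    """Return (sanitised html, list of (src, is_tracking_pixel) that were removed)."""
    p = RemoteImageStripper()
    p.feed(html)
    p.close()
    return "".join(p.out), p.stripped

# Constructed sample message: a 1x1 tracking pixel plus a legitimate inline logo
SAMPLE = ('<p>Hello <b>Bob</b> &amp; team,</p>'
          '<img src="https://tracker.example/open?id=123" width="1" height="1">'
          '<img src="cid:logo@example.com" alt="logo">'
          '<p>Regards</p>')
```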
Still, you have to give users read/write to their group folders.
Yes you do, there is no way around that. All you can do is give people access to the minimum amount possible. Beyond that, backups are really your only safety net.
My security solution that handles 95% of what I need is OpenBSD (plus a couple of ports). The documentation is awesome as is the community, and it is built to be proactively secure. Give it a try: http://www.openbsd.org/
Live Free
This article is nothing but crap marketing words designed to confuse the ignorant.
Translation with misinformation: Hackers are now attacking vulnerabilities in applications.
The truth: Script Kiddies are learning how to attack vulnerabilities in applications thanks to frontend applications like Metasploit.
What they don't know: Hackers designed layers 1-7.
Having to work for a living is the root of all evil.