Slashdot Mirror


Multi-Layer Security Platforms

An anonymous reader writes "ITO has published a comprehensive article on the new meaning of unified security management: 'In the not too distant past, the information security needs for most organizations were fairly straightforward. From a technology perspective, core defenses included a handful of perimeter-based firewalls to police traffic originating from the Internet, along with software at desktops, and perhaps email gateways, to counter the emerging threat from viruses.'"

3 of 60 comments

  1. Sorry; I wasn't that impressed... by tlambert · Score: 5, Insightful

    Sorry; I wasn't that impressed... the entire article read like a hard-sell pitch for all-in-one security appliances. And it turns out one of the authors is the V.P. of marketing for a company selling a range of all-in-one security appliances.

    I'd actually think that everyone going the recommended route would end up in the same boat as the current monoculture of point products that they complain about. Now, instead of being compromised because we're all running the same code, we get compromised because we're all running the same security appliance, with the same flaws.

    I'd actually rather see a diverse and heterogeneous set of defenses to prevent large scale compromises working against everyone, and the economy of throwing everything into a box, rather than loading a bunch of diverse software, strikes me as a false one.

    The same arguments that make me want to run a MacOS X box or a FreeBSD box or a Linux box instead of some other platform with well known vulnerabilities make me *not* want to run the same appliance box in front of my network that everyone else is running, too.

    Maybe I'm just jaded, and have heard "best of breed" one too many times. 8-(.

    -- Terry

  2. good lord, what marketing crap by Raleel · Score: 5, Insightful

    4 pages to say defense in depth? Any person who's spent a little time reading about security on the internet could tell you that. Heck, with a touch of extrapolation, combined forces has been used for how long? A couple thousand years?

    I agree with the poster above who said it sounded like an ad for an all in one appliance. It spends the first page putting down best of breed security means, then says we need to use best of breed ones, only under this new definition. It ignores that these all in one solutions generally have the cost of integration factored into the cost of the very expensive product. It talks about the changing security environment, trying to pump up your fear, but it totally ignores insider threat, which constitutes the larger chunk of threat.

    Essentially, this is a document for security managers, not for anyone on the ground, so to speak. The language is unnecessarily obtuse and ornate.

    --
    -- Who is the bigger fool? The fool or the fool who follows him? --

  3. Re:Security by slashjunkie · Score: 5, Insightful

    That install would come with a VMWare player image of the user's standard install with full admin rights to the user. The VMWare image would be for special dev tools or just for those times when a user "has to have admin".

    I can't see how making the user suffer the performance overhead of VMware is a security measure. If this is an attempt to provide a quick way to re-image a workstation after a user has bollocksed it up, why not just use a hard drive imaging tool?

    The desktop should include a firewall. Only 80 and 443 should be open for outgoing.

    So, no SMB/CIFS/NFS to allow them to actually work with their data on the SAN/NAS? No DNS so they can actually resolve the address of the SAN? No ICMP so that the host actually has a clue when it tries to connect to something that is unreachable?

    Incoming should have RDP or VNC open for admins to get in.

    Don't forget hackers...

    On the e-mail side. Attachments should not be allowed.

    That would destroy the reason most people use email these days. Can you imagine how effectively a salesperson or manager is going to be able to do their job, if they can't easily send marketing material such as PDFs or PPTs to customers?

    HTML e-mail would be allowed, but images would be stripped.

    Why? What makes an image any more of a threat to security than a rich-text email (especially when read with certain well known mail clients... *cough* Outlook *cough*)?

    Have good backups and at least try to keep a virus on the user's desktop from raping your SAN/NAS.

    That usually comes down to implementing sensible file/directory permissions, and the challenging task of educating users to actually save stuff in the right place.

    I could make the most secure airline in the world. But no one would ever want to fly completely naked and cuffed to their seats.

    I don't see how your sexual kinks play a role in this discussion.