Fw: No Security is Bad Security

From: Scott Seidler (sseidlerat_private)
Date: Wed Feb 03 1999 - 08:56:54 PST


    ----------
    > From: Scott Seidler <sseidlerat_private>
    > To: BUGTRAQat_private
    > Subject: re: No Security is Bad Security
    > Date: Wednesday, February 03, 1999 10:23 AM
    
    
    
    Forwarding this FYI to Bugtraq users
    
    ----------
    
    
    This is Re: John "E.R." Jasen, "No security is Bad Security"
    
    I saw John's dilemma on bugtraq.
    
    This issue is a constant battle with all of my customers who want
    access to the internet. It seems that there is a lack of adequate
    security policies and, as in most cases, a lack of the foresight to see
    that any amount of money spent on security would be well spent.
    
    Most people feel that their being a "small" company, or not being "well
    known", somehow leaves them in a position where they are "not" or "less"
    vulnerable to intrusion.
    
    John, obviously, knows from first hand knowledge that this type of
    thinking can be, and usually in time is, dangerous.
    
    It seems that the more you can spend on a firewall and other security
    measures, the better you are at protection.
    
    While no firewall  will claim 100% protection, we have learned that some
    are better than others for simple reasons.
    
    Software based firewalls, while they usually have more options to integrate
    directly, might require a more technical support base internally than most
    smaller companies or agencies may have.
    
    Additionally, the daily upkeep and constant vigil to find out about
    software patches and vulnerabilities tend to be secondary (or third, or
    fourth, etc.) to the daily jobs of most systems people. Thus old bugs and
    often blatant oversights become the doorway with the "open for business"
    sign hanging above them.
    
    Unfortunately, basing a firewall on a multiple use operating system (NT,
    UNIX, etc.) can leave unexpected doorways open and allows for opportunity
    for "pilot error" mistakes. Just the time to keep up with them all is too
    great for most system managers.
    
    So far we have implemented successfully many hardware based firewalls. The
    positives on this type of platform far outweigh the marginal extra cost for
    the purchase price. These are single function - Firewall only - types of
    devices.
    
    Some hardware based platforms have no user accessible operating system to
    have potential open ended problems with, and right out of the box they seem
    to set up with limited commands when acting as a one way only firewall. Of
    course there are many more programming options in these units that go way
    beyond the scope of this posting and are, as Aleph has pointed out to me on
    the first issue of this email (appreciated by the way Aleph - thanks), too
    vendor specific to really elaborate on.
    
    Suffice to say that Network Address Translation (NAT) and Protocol Address
    Translation (PAT) are not the only things to base
    a Firewall purchase on. There are many other options and hooks that make a
    really good firewall, such as interaction with other
    devices (routers, high end authentication, encryption, etc.).
    
    Additionally, two types of products that allow for on-line
    monitoring/reporting/detection and also allow for security audits and even
    testing of vulnerabilities are a must for any budget that can afford them.
    
    You can try Cisco (http://www.cisco.com) or Network Associates
    (http://www.nai.com/default_ngc.asp) for examples of these products.
    
    Some of these fit really well into the big router manufacturer operating
    system schemes by even allowing an automatic rewrite to the ACL (access
    control list) to block a detected party. And don't forget the ever possible
    "page me when you find something weird" option too.
    
    Both of these systems are not inexpensive with price tags of around 10k for
    the systems I have seen.
    
    I have had great feedback on these types of products from my customers -
    especially the firewalls - and felt I could disseminate the info to my
    fellow Bugtraq-ers.
    
    email: sseidlerat_private
    http://home.att.net/~annie.seidler/ (netscape is always best)
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:32:31 PDT