On Fri, 4 Oct 2002, manatworkyes moderator wrote:

> This is a very good question. I'd like to extend that question to other
> security solutions. IDS for example: how many IDS systems can deal with the
> slapper worm? How many AVs block bugbear (before it was publicly available)?

I'd bet that lots of AV products could deal with the e-mail vector well ahead
of signature generation, but the AV industry has found (and the IDS industry is
about to find) that false positives are the major issue. Nobody turns on
heuristic AV scanning because of false positives, even though the engines catch
more early attempts at seeding if it's done.

> Do you (or anyone else) know if there is any *network based generic*
> security device that deals with the latest Solaris bug?

Anything that deals well with the latest bug won't deal well with the latest
application. There are a number of people who never saw the originating mail in
this thread because it contained the name of a common executable that was
exploited last year; those people would never have known if there was a new
attack because of the false positive (some of them are the same as the last
time someone mentioned that executable, so we know they're unaware of the false
positive rate, or have chosen to accept it). Some people have bounced messages
with signatures, about the only type of attachment I'll let on the list.

False positives stop you from getting real and useful information. In the
network, that can be a disaster, and in most places the discipline to weed out
the false positives degrades significantly over time.

> IMO, the SmartDefense stuff is more than signature blocking. It looks for
> the roots of the problem. So, if SSLv2 is vulnerable, use only SSLv3.

Forcing protocol upgrades isn't always easy, and isn't common; most SSH
installations still allow protocol version 1.5. At work, we've been introducing
the concepts of "essential configurations" and "historically broken". Both of
those concepts, though, need either a valid generic risk assessment (with
alternatives) or someone to make a specific organizational risk assessment
(i.e. 52% of my customers have a browser that won't speak SSLv3, therefore I
can't *afford* to lock them out...).

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
probertsat_private      which may have no basis whatsoever in fact."
probertsonat_private
Director of Risk Assessment
TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
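The "can I afford to lock them out" assessment at the end of Paul's reply, as an added example that is not part of the original post: it parses constructed access-log lines whose last field is the negotiated SSL protocol (assumed to be logged that way, e.g. via Apache's %{SSL_PROTOCOL}x) and reports which clients only ever negotiated the protocol you want to turn off, so the decision to disable SSLv2 rests on measured lockout rather than a guess.

```python
"""Added example: measure who gets locked out before disabling a legacy protocol."""
from collections import defaultdict
import re

# Constructed sample log lines (not real traffic): client IP, request,
# status, bytes, then the negotiated SSL protocol as the last field.
SAMPLE_LOG = """\
10.0.0.1 - - [04/Oct/2002:07:00:01 -0700] "GET /login HTTP/1.0" 200 512 SSLv2
10.0.0.2 - - [04/Oct/2002:07:00:02 -0700] "GET / HTTP/1.1" 200 1024 SSLv3
10.0.0.1 - - [04/Oct/2002:07:00:09 -0700] "GET /cart HTTP/1.0" 200 640 SSLv2
10.0.0.3 - - [04/Oct/2002:07:01:00 -0700] "GET / HTTP/1.1" 200 1024 SSLv3
10.0.0.4 - - [04/Oct/2002:07:01:30 -0700] "GET / HTTP/1.1" 200 1024 SSLv2
10.0.0.4 - - [04/Oct/2002:07:02:00 -0700] "GET / HTTP/1.1" 200 1024 SSLv3
garbage line that should be skipped
"""

# Assumed log layout: common log format followed by the protocol token.
LINE_RE = re.compile(r'^(?P<ip>\S+) .* "(?P<req>[^"]*)" \d{3} \S+ (?P<proto>\S+)$')


def protocols_by_client(log_text):
    """Map each client IP to the set of protocol versions it negotiated."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # malformed lines are skipped rather than counted
            seen[m.group("ip")].add(m.group("proto"))
    return seen


def lockout_assessment(log_text, legacy="SSLv2"):
    """Return (total_clients, stuck_clients, percent_stuck).

    A client is "stuck" only if every connection it made used the legacy
    protocol; one that also negotiated a newer version can upgrade.
    """
    seen = protocols_by_client(log_text)
    stuck = sorted(ip for ip, protos in seen.items() if protos == {legacy})
    total = len(seen)
    pct = round(100.0 * len(stuck) / total, 1) if total else 0.0
    return total, stuck, pct


def can_afford_disable(log_text, legacy="SSLv2", max_lockout_pct=5.0):
    """Policy decision: disable the legacy protocol only if the measured
    lockout share stays within the organization's agreed threshold."""
    _, _, pct = lockout_assessment(log_text, legacy)
    return pct <= max_lockout_pct


if __name__ == "__main__":
    total, stuck, pct = lockout_assessment(SAMPLE_LOG)
    print(f"{len(stuck)} of {total} clients ({pct}%) only spoke SSLv2: {stuck}")
    print("safe to disable SSLv2 at a 5% threshold:", can_afford_disable(SAMPLE_LOG))
```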
This archive was generated by hypermail 2b30 : Fri Oct 04 2002 - 07:23:35 PDT