CQ, maybe I am making a huge mistake by responding to your message, but let's see. This is what I think about security in depth, in a bit more detail. Let's say that we have a wireless network which is guarded by "security in depth" network administrators. The first thing they will do is secure the actual network with some massive segmentation exercise... then the connection with enhanced privacy/encryption schemes (WPA2). They will put more layers on top of that. For example, the users need to authenticate with client-side certificates. Now that the network and the connection are secure (sort of), they enforce group policy for all laptops so that these laptops cannot connect to any other network (sending probe requests, rogue access points). Right! But now they also kill the Ethernet, since a laptop cannot be connected to the wireless and the wired network at the same time, as that is also a risk (stepping-stone attacks). Each client has a firewall on top of that. The firewall blocks everything that comes in and lets only the browser go out, through a proxy which requires authentication (NTLM, Basic Auth, etc.). The user of the laptop runs with the least possible privileges and cannot install software. They cannot use the CD (Sony rootkits), they cannot use USB (endpoint security). The laptop has a boot password as well, so in case it is stolen the attackers cannot crack open the disk. My question is the following: does this sound sane to you? Do you really believe that someone will let you do all that without causing chaos? Laptops are good because they are mobile. You are allowed to take them out and work from home. At home you have your own network which you would like to connect to. Even if you use a different account on that same laptop to connect to that network, the risk is still there. A system is only as secure as its weakest link.
Companies don't like to hear how you are going to solve all problems once and for all with some killer security-in-depth solution, because it is not possible. In order to make things work you have to leave various doors open. At GNUCITIZEN we have one maxim: "Be legitimate!" If attackers try to be a legitimate user as much as possible, they will stay unnoticed and they will get in. Now, how do we handle security in the 21st century, the way I see it (btw, I am not interested in selling any services; in fact, GNUCITIZEN is not that type of organization)? First of all, careful planning: the system has to be as secure as it is flexible and usable, even if this means that you need to have a shared key for all of your wireless networks. Second, you need a crisis management plan. Natwest got hacked by an MP3 player... how many of you have heard of it, and for how long was this story on the news? Third, you need to calculate the risk. Example? Credit card fraud! We know that cards are getting stolen, but the calculated risk is 2% of the whole, which can be easily compensated. Etc., etc., etc.! As you can see, it is not just technical when it comes to the real world. In the real world the management gives you instructions and you have to implement them in the best possible way. Projects stack up. People leave, new people join and work on the networks that they have been given. Chaos is the norm! How many of you have seen a network that is done right? Yeah, there are a few of you, but you are probably talking about your home network, which does not exceed more than 20 machines. How come I have never seen security in depth in practice? You guys are more experienced than me, that's for sure... but I've done quite a few tests in the past 4 years and I know what I've seen. It is bad, but it is OK, because then we can sit together and walk through the entire process. I expect more flames, to which I am not planning to respond. If you think that security in depth works for you... do it!
Personally, I will offer something additional to my clients. Something that gives them that extra safety net, which has nothing to do with security in depth.

cheers,
pdp

On 10/14/07, C Q <kyle.c.quest@xxxxxxxxx> wrote:
> I guess there's some logic in spreading FUD about security in depth
> not working. It might be a nice way to scare potential customers
> who don't know much about security into whatever services
> Gnucitizen team sells. However, these kinds of tricks
> simply won't work with any seasoned security professional.
> It'll actually backfire if you are not careful... because you
> won't be taken seriously in the industry. I'm pretty sure
> Pdp's rating in the books of many security professionals
> went down quite a few notches :-) It's a small world...
> and most likely it'll affect your and your company's
> future... because you'll need to do business with
> people like Thor (who gave a great and very logical
> description with proper supporting examples of what
> security in depth is and what it's meant to do).
> The chances are that they'll simply choose to work
> with someone else... who better understands the big
> picture in security :-)
>
> CQ
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org