Multi-Layer Security Platforms
An anonymous reader writes "ITO has published a comprehensive article on the new meaning of unified security management: 'In the not too distant past, the information security needs for most organizations were fairly straightforward. From a technology perspective, core defenses included a handful of perimeter-based firewalls to police traffic originating from the Internet, along with software at desktops, and perhaps email gateways, to counter the emerging threat from viruses.'"
An interesting read (Score:1)
Re:An interesting read (Score:2, Informative)
http://www.sans.org/
Re:An interesting read (Score:5, Insightful)
Go read Schneier [schneier.com]. It may seem that most of what he writes is not security related, but it usually is. All forms of security are related. It is important to look at the big security picture and not concentrate on the individual technology pieces.
Re:An interesting read (Score:2)
Re:An interesting read (Score:1)
Second endorsement (Score:2)
Re:An interesting read...signifying nothing (Score:1)
I was rather amused at how the writer(s) sort of lost it, style wise. I found the fact that threat-scape was unquoted the first time it was used (at the end of a paragraph) while it was q
Re:An interesting read (Score:4, Insightful)
Then go on BBC's Mastermind. Or be the world's leading expert on IT security. Or both. The problem is that security is one of those fields where there needs to be only one weakness and ALL of the strengths will count for nothing. As such, comprehending one tiny segment in isolation is not a valuable exercise - it WILL be bypassed. Security specialists are the worst specialists to be, you need to be a security generalist if you are to be able to stop anything much beyond the most trivial of attackers. Particularly in a day and age where tools are so easily exchanged that attackers do NOT need to be generalists. The Internet is a gestalt of everyone who uses it and is ergo the ultimate generalist. THAT is who you would be defending against.
Meta-yes (Score:2)
After you've studied every facet of security, remember that some attacks come from backhoes and hurricanes. Learn about business continuity. Then instead of getting frustrated when security measures don't work, learn systems safety engineering to understand why. Study finance and risk management so you can have common ground for discussion with C-level managers. Maybe insurance is better than prevention in some cases.
You're right, however... (Score:2)
Re:You're right, however... (Score:2)
Actually, I think this is the wrong approach. I think that a security expert only needs to read 3 or 4 volumes in their specific field. The idea that a single person can be a master of all areas of secu
Sorry; I wasn't that impressed... (Score:5, Insightful)
I'd actually think that everyone going the recommended route would end up in the same boat as the current monoculture of point product that they complain about. Now, instead of being compromised because we're all running the same code, we get compromised because we're all running the same security appliance, with the same flaws.
I'd actually rather see a diverse and heterogeneous set of defenses to prevent large scale compromises working against everyone, and the economy of throwing everything into a box, rather than loading a bunch of diverse software strikes me as a false one.
The same arguments that make me want to run a MacOS X box or a FreeBSD box or a Linux box instead of some other platform with well known vulnerabilities make me *not* want to run the same appliance box in front of my network that everyone else is running, too.
Maybe I'm just jaded, and have heard "best of breed" one too many times. 8-(.
-- Terry
And on top of that... (Score:5, Interesting)
There's a time and place for security appliances, but they're not a cure-all. Some of the brands (I'm actually a fan of Watchguard for small businesses) do great work blocking malicious web and email traffic, but the stability and security are still far from perfect.
Re:Sorry; I wasn't that impressed... (Score:1, Flamebait)
Secretaries should be running bootable knoppix with an automagic mapping to the SAN/NAS. No worry about them downloading crap. Of course, they'd still call 15 times a day wanting to know how to send an Outlook appointment that some people can decline while others cannot. And they'd still accidentally overwrite or delete the C*Os' proposals.
Devs should be able to run whatever they li
Re:Sorry; I wasn't that impressed... (Score:1)
Thanks for that... (Score:2)
Re:Sorry; I wasn't that impressed... (Score:3, Interesting)
Last year we were testing one of the smaller Fortinet "firewalls." It was easy to crash the Fortinet box and the protocol/data scanners with a boring network fuzzer. (i.e. we sent bad data at the box) Given time I am sure that we could have exploited the crashes. But, as that was not our job, we moved on to testing better products.
These all in one (adaptive filtering with super duper special proxies) traffic scanning firewal
Re:Sorry; I wasn't that impressed... (Score:2)
I've said it before that the best security feature is to unplug your computer and bury it in concrete
ah well, there are Good security practices, and pointless ones
I won't say this appliance is b
Re:Sorry; I wasn't that impressed... (Score:2)
The best security measure... (Score:4, Funny)
--
2 cores, 2 monitors, 2 hands!
When are those duble-dick body upgrades coming out?
Re:The best security measure... (Score:2)
Forms-based security (Score:1)
Re:Security (Score:5, Insightful)
I can't see how making the user suffer the performance overhead of VMware is a security measure. If this is an attempt to provide a quick way to re-image a workstation after a user has bollocksed it up, why not just use a hard drive imaging tool?
The desktop should include a firewall. Only 80 and 443 should be open for outgoing.
So, no SMB/CIFS/NFS to allow them to actually work with their data on the SAN/NAS? No DNS so they can actually resolve the address of the SAN? No ICMP so that the host actually has a clue when it tries to connect to something that is unreachable?
Incoming should have RDP or VNC open for admins to get in.
Don't forget hackers...
On the e-mail side. Attachments should not be allowed.
That would destroy the reason most people use email these days. Can you imagine how effectively a salesperson or manager is going to be able to do their job, if they can't easily send marketing material such as PDFs or PPTs to customers?
HTML e-mail would be allowed, but images would be stripped.
Why? What makes an image any more of a threat to security than a rich-text email (especially when read with certain well known mail clients... *cough* Outlook *cough*) ?
Have good backups and at least try to keep a virus on the user's desktop from raping your SAN/NAS.
That usually comes down to implementing sensible file/directory permissions, and the challenging task of educating users to actually save stuff in the right place.
I could make the most secure airline in the world. But no one would ever want to fly completely naked and cuffed to their seats.
I don't see how your sexual kinks play a role in this discussion.
Re:Security (Score:2)
Sorry, I wasn't laying out the whole plan. Sure, some of that'd be open. But ICMP? Users don't usually need to ping. If they do, an admin can RDP in and do it for him.
>>Don't forget hackers...
I think that if you run the protocols on nonstandard por
Re:Security (Score:2, Informative)
ICMP entails quite a bit more than just ping. If the PC is unable to receive "network/host/protocol/port unreachable", they'll just sit there stupidly until the connection times out. "TTL expired" and "needs fragment" are also fairly important.
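The point above about ICMP errors, as an added example that is not from this thread: a small Python model of how a host firewall that only permits outbound 80/443 can still admit the ICMP errors those connections depend on (unreachable, TTL expired, fragmentation needed), by matching the packet quoted inside the error against the flows the host itself opened. The flow table, addresses and ports are constructed, and checksums are left at zero.

```python
import struct
from ipaddress import IPv4Address

# Constructed connection table: outbound flows the desktop firewall has already seen
# (proto, src_ip, src_port, dst_ip, dst_port); addresses are from documentation ranges.
KNOWN_FLOWS = {
    (6, "192.0.2.10", 51000, "203.0.113.5", 443),
    (6, "192.0.2.10", 51001, "203.0.113.9", 80),
}

# ICMP error types that quote the original IP header plus 8 bytes of transport header.
ICMP_ERRORS = {3: "destination unreachable", 11: "time exceeded", 12: "parameter problem"}

def parse_icmp(pkt: bytes) -> dict:
    """Decode an ICMP message; for error types also extract the quoted inner 5-tuple."""
    if len(pkt) < 8:
        raise ValueError("short ICMP header")
    icmp_type, code, _csum, rest = struct.unpack("!BBHI", pkt[:8])
    msg = {"type": icmp_type, "code": code}
    if icmp_type in ICMP_ERRORS:
        inner = pkt[8:]
        if len(inner) < 28:
            raise ValueError("error message must quote a 20-byte IP header + 8 bytes")
        ihl = (inner[0] & 0x0F) * 4
        proto, src, dst = inner[9], str(IPv4Address(inner[12:16])), str(IPv4Address(inner[16:20]))
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
        msg["inner"] = (proto, src, sport, dst, dport)
        if icmp_type == 3 and code == 4:  # fragmentation needed: next-hop MTU (RFC 1191)
            msg["next_hop_mtu"] = rest & 0xFFFF
    return msg

def icmp_verdict(pkt: bytes, allow_ping: bool = False) -> str:
    """Stateful-style decision: admit only ICMP errors that quote a flow we originated."""
    msg = parse_icmp(pkt)
    if msg["type"] in ICMP_ERRORS:
        return "ACCEPT" if msg["inner"] in KNOWN_FLOWS else "DROP (unrelated)"
    if msg["type"] in (0, 8):  # echo reply / echo request, governed by policy only
        return "ACCEPT" if allow_ping else "DROP (policy)"
    return "DROP (policy)"

def build_icmp_error(icmp_type: int, code: int, flow: tuple, mtu: int = 0) -> bytes:
    """Constructed test packet (checksum left zero): ICMP header + quoted IPv4 + 8 L4 bytes."""
    proto, src, sport, dst, dport = flow
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    l4_hdr = struct.pack("!HHI", sport, dport, 0)  # src port, dst port, seq
    return struct.pack("!BBHI", icmp_type, code, 0, mtu) + ip_hdr + l4_hdr
```

An error quoting a flow that the host never opened is dropped, which is the same "related" test a stateful firewall applies, while ping itself stays a separate policy decision.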
I think that if you run the protocols on nonstandard ports and close those on your external firewall, you should be OK. Admins need a remote desktop app to troubleshoot. Nothing is more useless than having a user describe a p
Re:Security (Score:2)
So true. Hence the need for good control of the software they run. Good network baselines and port-level switch security are a must also. If you notice something is up, you can investigate. We get PMs when SNMP reports high utilization on a switch. From there, we open the switch's graphs and determine who is doing what. If a user's port is screaming, we disconnect them and go over to see what's up.
>>I agree however, it's useful to be a
Re:Security (Score:1)
In a graphic design house, or anywhere that routinely works on large files, that's going to inconvenience and maybe even infuriate a lot of people. A large file copy is going to make a port "scream", that is, up until you disconnect it. Do you strap on a bulletproof vest and riot helmet before confro
Re:Security (Score:2)
I assume you are also stating to not allow any removable media. If you don't allow attachments then users will find some other way to get some file that they need (or "think" they need) and there is no better method than floppy/USB Key/CD for that.
Re:Security (Score:3, Interesting)
I work for an advertising agency. They live and die on "easy" communication with every client possible, and most would be surprised just what kind of crap marketing firms will send in professional emails.
Strip an image? They just lost contact info for a potential client. Kill a zipfile because it's password protected? Oops, that was a 7 figure proposal. It just gets worse and worse.
Start by having 2 NAS systems. One for real users, one for idiots who must be att
Re:Security (Score:2)
Re:Security (Score:3, Funny)
Hi, I'm Tom.
Re:Security (Score:2)
Re:Security (Score:1)
um. you've just described a useless system (Score:2)
What email side? You've blocked everything but http and https. POP, IMAP, SMB, NFS etc etc etc etc etc are all blocked.
good lord, what marketing crap (Score:5, Insightful)
I agree with the poster above who said that it sounded like an ad for an all in one appliance. It spends the first page putting down best of breed security means, then says we need to use best of breed ones, only under this new definition. It ignores that these all in one solutions generally have the cost of integration factored into the cost of the very expensive product. It talks about the changing security environment, trying to pump up your fear, but it totally ignores insider threat, which constitutes the larger chunk of threat.
Essentially, this is a document for security managers, not for anyone on the ground, so to speak. The language is unnecessarily obtuse and ornate.
What about making a secure OS? (Score:3, Insightful)
Silly (Score:2)
So is this a commercial? (Score:1)
This is lame. Sure it may be running some kind of magical software that knows in advance all of the 0 day stuff better than tipping point. Really though, layered multi-vendor approaches are best. I've had a virus make it through the
Puffy! (Score:2, Informative)
Use tag "markitechture" (Score:2)
What is this network supposed to enable ? (Score:2)
BS (Score:1)
Platitudes, platitudes (Score:1)
Trite, insipid and banal. I agree that a holistic approach is needed and because of that a 'platform' is only part of the remedy. Apart from stating the obvious, the approach advocated here actually amounts to a view of information security which is curiously not holistic. As is usual, there is no mention of any process involved in information security; simply a thinly veiled entreaty to buy the snake oil and all will be well. Reader beware: if devices are all that is mentioned then question the writers mot
Re:Platitudes, platitudes (Score:2)
I've written a paper on how to approach this, available here (PDF.) [lanifex.com]
I was disappointed by the title, since it hints at security convergence -- but completely fails to explore the space where my company is active, which is integrating physical security monitoring (alarm systems, environmental controls, UPS monitoring) with data security controls (IDS, ne
This almost looks like... (Score:1)
Except in fake papers and speeches by our college president have I heard something simple ( and trivial ) said in so many words.
Marketing Speak Alert (Score:3, Insightful)
Translation with misinformation: Hackers are now attacking vulnerabilities in applications.
The truth: Script Kiddies are learning how to attack vulnerabilities in applications thanks to frontend applications like Metasploit.
What they don't know: Hackers designed layers 1-7.
Nothing.. (Score:1)