<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: The problems with Internet security and the &#8220;Default Deny&#8221; stance</title>
	<atom:link href="http://michaeldundas.com/2010/01/27/the-problems-with-internet-security-and-the-default-deny-stance/feed/" rel="self" type="application/rss+xml" />
	<link>http://michaeldundas.com/2010/01/27/the-problems-with-internet-security-and-the-default-deny-stance/</link>
	<description>Precision, Integrity, Communication</description>
	<lastBuildDate>Wed, 25 Jan 2012 16:50:00 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3</generator>
	<item>
		<title>By: Clear2Go</title>
		<link>http://michaeldundas.com/2010/01/27/the-problems-with-internet-security-and-the-default-deny-stance/comment-page-1/#comment-6320</link>
		<dc:creator>Clear2Go</dc:creator>
		<pubDate>Fri, 19 Feb 2010 20:57:50 +0000</pubDate>
		<guid isPermaLink="false">http://michaeldundas.com/?p=1455#comment-6320</guid>
		<description>&lt;a href=&quot;#comment-6315&quot; rel=&quot;nofollow&quot;&gt;@JaymeSnyder &lt;/a&gt; 
Minimalistic approach is the right idea I think.  What bothered me about the articles I was reading were:
a) the general attitude of &quot;stupid users&quot; and we in security &quot;know best&quot;.  I see that a lot and I hate it.  I feel it is one of the main reasons the I.T. and security industries are viewed the way they are as &#039;separate&#039; from the real business.

b) Some of the articles are not very realistic.  Like I said, try walking into a major financial institution, deploying a security service under tight timelines where you had to Q/A the big things and hope for the best and telling the client that their major financial services that make them money might experience some issues till the security is figured out and they will just have to deal with it.  Doesn&#039;t work.  Security is a risk assessment, like crossing the street or buying stocks.  If opening port xxx/udp allows a major service to function, there are no known serious vulnerabilities, do you just block it because someone might attack it in some way?  Try and sell that to the executives.  I have never seen it work successfully and it only damages your reputation as a consultant.</description>
		<content:encoded><![CDATA[<p><a href="#comment-6315" rel="nofollow">@JaymeSnyder </a><br />
Minimalistic approach is the right idea I think.  What bothered me about the articles I was reading were:<br />
a) the general attitude of &#8220;stupid users&#8221; and we in security &#8220;know best&#8221;.  I see that a lot and I hate it.  I feel it is one of the main reasons the I.T. and security industries are viewed the way they are as &#8216;separate&#8217; from the real business.</p>
<p>b) Some of the articles are not very realistic.  Like I said, try walking into a major financial institution, deploying a security service under tight timelines where you had to Q/A the big things and hope for the best and telling the client that their major financial services that make them money might experience some issues till the security is figured out and they will just have to deal with it.  Doesn&#8217;t work.  Security is a risk assessment, like crossing the street or buying stocks.  If opening port xxx/udp allows a major service to function, there are no known serious vulnerabilities, do you just block it because someone might attack it in some way?  Try and sell that to the executives.  I have never seen it work successfully and it only damages your reputation as a consultant.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: JaymeSnyder</title>
		<link>http://michaeldundas.com/2010/01/27/the-problems-with-internet-security-and-the-default-deny-stance/comment-page-1/#comment-6315</link>
		<dc:creator>JaymeSnyder</dc:creator>
		<pubDate>Fri, 19 Feb 2010 19:01:54 +0000</pubDate>
		<guid isPermaLink="false">http://michaeldundas.com/?p=1455#comment-6315</guid>
		<description>I have always taken a minimalistic approach - ask what and why something is what it is and how can it be misused... if it is not needed and can be misused, eliminate it or work to minimalize the vector of &quot;attack&quot;, log the unexpected, and follow up. 

When I was in high school... we had a print balance system. The printers were shared on a Novell server which enforced how many printouts it issued. All the printers / servers were fully routable and I discovered you could print directly to the printer&#039;s print server and bypass the queues. Effort was spent on preventing the misuse of the printers when used as expected, but no effort was given to the unexpected use.

In order to work and be in school, I had to be able to administer machines remotely from the school network. What I did was run an SSH server on port 443 on my home network. I would use the MindTerm Java SSH applet to allow me to tunnel VNC and RDP to whatever I needed access to. Once I even used a reverse tunnel to connect a local socket on my SSH server to the school printer&#039;s queue so that I could print my homework from my home machine to the local printer. 

What the school needed was a tough written security policy, a log of all unexpected events and an administrator who looked at the logs and was able to give me hell when he caught me doing things I was not supposed to. They may not have been able to catch my tunneling but they could have tracked my printer misuse and found out the other. I never did anything disruptive... but the only thing that stopped me was my character.</description>
		<content:encoded><![CDATA[<p>I have always taken a minimalistic approach &#8211; ask what and why something is what it is and how can it be misused&#8230; if it is not needed and can be misused, eliminate it or work to minimalize the vector of &#8220;attack&#8221;, log the unexpected, and follow up. </p>
<p>When I was in high school&#8230; we had a print balance system. The printers were shared on a Novell server which enforced how many printouts it issued. All the printers / servers were fully routable and I discovered you could print directly to the printer&#8217;s print server and bypass the queues. Effort was spent on preventing the misuse of the printers when used as expected, but no effort was given to the unexpected use.</p>
<p>In order to work and be in school, I had to be able to administer machines remotely from the school network. What I did was run an SSH server on port 443 on my home network. I would use the MindTerm Java SSH applet to allow me to tunnel VNC and RDP to whatever I needed access to. Once I even used a reverse tunnel to connect a local socket on my SSH server to the school printer&#8217;s queue so that I could print my homework from my home machine to the local printer. </p>
<p>What the school needed was a tough written security policy, a log of all unexpected events and an administrator who looked at the logs and was able to give me hell when he caught me doing things I was not supposed to. They may not have been able to catch my tunneling but they could have tracked my printer misuse and found out the other. I never did anything disruptive&#8230; but the only thing that stopped me was my character.</p>
]]></content:encoded>
	</item>
</channel>
</rss>

