Re: Security followup

Subject: Re: Security followup
From: Andrew Plato <gilliankitty -at- yahoo -dot- com>
To: "TECHWR-L" <techwr-l -at- lists -dot- raycomm -dot- com>
Date: Mon, 20 Jan 2003 09:55:45 -0800 (PST)


"Decker Wong-Godfrey" wrote ...
>
> More likely the number of "secure your system" applications for Windows
> points toward an inherent lack of security on the Windows platform.
> There's money to be made because Windows is deficient in security.

No, it's because Windows machines outnumber Linux machines about 20 to 1 in
most businesses, so there is more money to be made. And many companies that sell
Linux software go under. ISS used to sell Linux agents of their software. They
abandoned them because nobody bought them. Hence, it wasn't economically
feasible to sell and support the Linux platform.

Moreover, I know the chief architect at ISS. I remember asking him why they
abandoned those agents. In addition to the economic reasons he also said
supporting Linux as a platform is extremely hard unless you hand out source
code. There are so many different variations that you can't reliably test
distribution packages. What works wonderfully on one system explodes on
another. And customers will call in screaming about how the program was
"hobbled on Linux" as part of some Bill Gates conspiracy, when in reality it's
because the user had some strange application on the box that he hand-built
that conflicts with their software.

> Isn't "Automated Intrusion Protection" just an Internet Security
> Systems buzzword for dynamic firewall configuration?

No. Not at all. Intrusion Prevention Technologies (IPS) are a growing area of
security. IPS are in-line IDS and firewall combinations. There are also
host-based versions. These systems have their own firewall and as such can
respond to events. If somebody tries to send a buffer overflow attack, like
Code Red, these systems can block the intruder and drop the offending packets.

What you're thinking of is session sniping (RST packets) or OPSEC config. Both
of which are very unreliable methods of blocking intruders mainly because of
the tremendous latency involved.

> In order to provide dynamic firewall rule configuration, Snort doesn't
> need to be modified at all. One of Snort's strengths is the
> plugin-style preprocessor. You can add all kinds of functionality to
> Snort without ever having to touch the Snort code. In fact, someone has
> already done it for you. There is a Snort preprocessor that will
> dynamically write firewall rulesets based upon attacks. The
> preprocessor is public, so I'd say, in fact, it is pretty easy to
> implement.

Have you ever actually supported a Snort system in a real environment? I mean
an enterprise environment, seeing millions of TCP sessions along with gigabytes
of UDP traffic? I have. It's not easy. It takes a lot of custom configuration
work and documentation.

And when I say I have, I mean my company has. I sent out contractors who are
skilled Linux people.

> But you should probably read the following to find out why "Automated
> Intrusion Detection" isn't something you necessarily want to begin with:
>
> http://online.securityfocus.com/infocus/1540

Doesn't even mention IPS technologies. It mentions session sniping and OPSEC
firewall configuration. That is a different kind of intrusion prevention.

Furthermore, a lot of people are arguing about IPS. In fact, I have debated
this technology on the Security Focus forums before. I also was interviewed in
Network Security magazine about this.

I am convinced that IPS is a very capable technology. I have first-hand
experience using and implementing IPS systems. I had one of the first ISS Guard
systems in the world running in a live environment in 2000. I've watched as
thousands of intrusions have been terminated thanks to the IPS systems I've
implemented.

> > ISS actually used to have a Linux agent that did this, and they
> > cancelled it because nobody bought it.
>
> The fact that Snort already does this, is open source, and is well
> supported means that there's no real need for a proprietary competitor.

No, it's economics. There is no money to be made in open source. Open source
people think everything should be free. Well, you try running a business where
you give your main products away for free and see how long that business
survives. Just this week another Linux distributor, Mandrake, collapsed and
filed for bankruptcy. I have heard rumors that RedHat is also suffering.

Some day, somebody is going to explain to you that giving stuff away for free
is not a viable business model. You cannot feed a family and pay a mortgage
with the good karma you get from distributing software for free.

This is even evidenced in the very program you speak of: the inventor of Snort
founded a business to sell commercial versions of Snort called Sourcefire
(which my firm sells). Sourcefire sensors overcome a lot of management and
administration headaches of Snort, proving that there was clearly an issue with
Snort that prompted the need for a commercial version.

Andrew Plato
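As an added illustration of the latency point made in the reply above (this is example code written for this page, not code from the post, from ISS, or from the Snort project), the following Python model compares an in-line device, which holds each packet and drops it before forwarding if a signature matches, with a passive sensor on a tap or span port, which only sees a copy and must respond after the fact by sending a RST or pushing a firewall rule. Every timing constant (inspection delay, detection and reaction latency) and both traffic bursts are constructed, illustrative values, not measurements of any product.

```python
"""Timing model of in-line blocking versus reactive blocking.

Constructed example (not from the mailing-list post): an in-line IPS sits in
the packet path and can drop a matching packet before it is forwarded, while a
passive sensor (span port / tap) only sees a copy and must react afterwards,
by injecting a TCP RST ("session sniping") or by pushing a new firewall rule.
Every timing value below is an assumed, illustrative number.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    t_ms: float        # arrival time at the sensor, in milliseconds
    size: int          # payload bytes
    malicious: bool    # True if a signature matches this packet


@dataclass
class Outcome:
    delivered_bad_bytes: int = 0            # malicious bytes that reached the host
    dropped_bad_bytes: int = 0              # malicious bytes stopped
    forwarded_benign: int = 0               # benign packets passed through
    blocked_at_ms: Optional[float] = None   # when blocking took effect


def inline_ips(packets: List[Packet], inspect_ms: float) -> Outcome:
    """In-line device: each packet is held for inspect_ms and dropped if it
    matches. A matching packet is never forwarded, whatever its timing."""
    out = Outcome()
    for p in packets:
        if p.malicious:
            out.dropped_bad_bytes += p.size
            if out.blocked_at_ms is None:
                out.blocked_at_ms = p.t_ms + inspect_ms
        else:
            out.forwarded_benign += 1   # delivered, delayed by inspect_ms
    return out


def reactive_blocker(packets: List[Packet], detect_ms: float,
                     react_ms: float) -> Outcome:
    """Passive sensor: traffic is never in its path. After the first match it
    needs detect_ms to raise the alert and react_ms for the response (RST or
    firewall rule) to take effect. Malicious packets arriving before that
    moment have already been delivered."""
    out = Outcome()
    for p in packets:
        if not p.malicious:
            out.forwarded_benign += 1   # the network forwards these regardless
            continue
        if out.blocked_at_ms is None:
            out.blocked_at_ms = p.t_ms + detect_ms + react_ms
        if p.t_ms < out.blocked_at_ms:
            out.delivered_bad_bytes += p.size   # too late, already on the wire
        else:
            out.dropped_bad_bytes += p.size
    return out


def burst(n: int, gap_ms: float, size: int, malicious: bool = True,
          start_ms: float = 0.0) -> List[Packet]:
    """Constructed traffic: n packets of `size` bytes, one every gap_ms."""
    return [Packet(start_ms + i * gap_ms, size, malicious) for i in range(n)]


def compare(packets: List[Packet], inspect_ms: float = 0.2,
            detect_ms: float = 5.0, react_ms: float = 20.0) -> dict:
    """Run both models over the same traffic; default timings are assumptions."""
    pk = sorted(packets, key=lambda p: p.t_ms)
    return {"inline": inline_ips(pk, inspect_ms),
            "reactive": reactive_blocker(pk, detect_ms, react_ms)}


# Constructed scenarios: a single-session exploit that lands its whole payload
# within a few milliseconds, and a slow probe spread over a second.
FAST_EXPLOIT = (burst(n=10, gap_ms=0.5, size=1460)
                + burst(n=5, gap_ms=1.0, size=64, malicious=False))
SLOW_PROBE = burst(n=10, gap_ms=100.0, size=1460)

if __name__ == "__main__":
    for name, traffic in (("fast exploit", FAST_EXPLOIT), ("slow probe", SLOW_PROBE)):
        for mode, res in compare(traffic).items():
            print(f"{name:12s} {mode:9s} delivered={res.delivered_bad_bytes:6d}B "
                  f"dropped={res.dropped_bad_bytes:6d}B blocked_at={res.blocked_at_ms}ms")
```

Under these assumed timings the reactive sensor stops none of the fast exploit, because the entire payload is on the wire before its RST or firewall rule lands, while it does cut off the slow probe after the first packet. The in-line device drops every matching packet in both cases, at the cost of adding its inspection delay to all traffic, which is the trade-off the thread is arguing about.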
