Common operational misconceptions
Jimmy Hess
mysidia at gmail.com
Sat Feb 18 05:09:05 UTC 2012
On Wed, Feb 15, 2012 at 4:52 PM, Rich Kulawiec <rsk at gsp.org> wrote:
> ICMP is evil.
To that I would add under...
Security misconceptions
0. Security is just common sense.
a. More draconian/more complicated policies/practices
automatically result in a good
secure, usable environment.
i. For secure results, require users to set a
25-character complex password with 1-day
expire.
ii. For best results, get a checklist containing every
possible "security measure" that
can be implemented, and implement them in no particular order.
iii. For best results, ask a committee of accomplished
bureaucrats....
b. For best results, leave all settings at their default values.
i. A security focused analysis is not required to
design a secure system/network.
ii. If each device is secure, the overall system is
automatically secure.
c. Just install Product $X, Product $Y. Everything will be fine.
d. If that doesn't work, and we still get a security breach,
adding Product $Z will
definitely make it secure forever, without log checking
and security reviews.
e. A simple automated scan can detect all possible security issues.
1. Script kiddies don't want access to my router, because they
can't run malware
i. Routers always encrypt passwords in memory; the *s
displayed when you look at the password field in the webui prove it;
no worries throwing out old equipment.
ii. It's okay to re-use the admin password for a POP3 account,
no security risk there.
2. If your organization partitions its internal network from the
internet with a firewall....
a. The network will be invincible to attack. or
i. Private addressing ensures a LAN secure against
outside attack.
ii. SSL certificates don't matter, just click Continue.
b. Sources of possible abuse/intrusion will always be on
the outside. [or]
i. The perimeter firewall makes the LAN safe against
packet sniffers
ii. Use of Ethernet switches instead of hubs make the
LAN completely safe against packet sniffers.
iii. Managing local LAN devices (such as routers)
using telnet or plain HTTP
is safe and secure (because of i or ii).
iv. Plain e-mail is an excellent file transfer
protocol -- it's also a secure way to
transfer large files into or out of a
Firewall-secured LAN, since e-mail is private.
v. External USB drives are a safe, secure, convenient
way to bring data into
or out of the partitioned network. Antivirus
will thwart any attempt to
transfer malicious files of any type.
vi. FTP is a safe way to bring data into or out of a
secure network, and the data
is safe against interception because a password is
required to connect.
c. The one perimeter firewall will protect the network
against internal attacks,
and even outsiders gaining access to open wifi.
i. WEP or open access with MAC address filtering is
pretty secure.
ii. MAC address filtering on the core router will make
sure unauthorized devices
plugged in cannot possibly gain access to the LAN.
iii. MAC address filtering on the DHCP server will make
sure unauthorized devices
plugged in cannot possibly gain access to the LAN.
d. No need to worry about having a DMZ or separate network,
for hosting internet services behind a firewall.
i. If traffic is only allowed to port 80, shell
access cannot be obtained by exploit,
even if the PHP scripts have bugs, because port 23
is required for shell access.
ii. If traffic from the internet is alllowed to pass
to one host through a firewall,
any possible security risk is limited to
exclusively that one host.
> Firewalls will solve our security issues.
> Antivirus will solve our security issues.
...
$MAGIC_PRODUCT will solve our security issues.
For many different values of $MAGIC_PRODUCT
--
-JH
More information about the NANOG
mailing list