The view from the other side of the fence
Jake Khuon
khuon at NEEBU.Net
Wed Mar 13 13:35:10 UTC 2002
### On Wed, 13 Mar 2002 08:00:41 -0500 (EST), Sean Donelan
### <sean at donelan.com> casually decided to expound upon Rajesh Talpade
### <rrt at research.telcordia.com> the following thoughts about "Re: The view
### from the other side of the fence":
SD> On Wed, 13 Mar 2002, Rajesh Talpade wrote:
SD> > A network is only as secure as its weakest link....
SD> >
SD> > sounds like a cliche, but am afraid this least-common-denominator rule
SD> > will hold as networks converge.
SD>
SD> Is there anything we can do to improve this? How can we make sure
SD> the people who "need-to-know" find out how to secure their weakest
SD> links instead of waiting for each company to stumble along their
SD> learning curve.
That's a good question. Unlike the systems world, where there seem to be
quite a few free as well as commercial toolkits alongside stuff that gets
distributed OEM to run security audits (many OSes are preconfigured as part
of their installation process to generate periodic audits), there don't
seem to be many such toolkits for auditing networks as a whole. I think
this stems from several reasons (and I'm probably missing a few).
[1] Diversity in network designs forces security folks to tailor their
auditing tools to a particular network.
[2] Exposure of homegrown auditing methods and procedures is viewed as a
security breach, so such things are simply kept secret. I suspect,
however, that no one has really developed a comprehensive generic
auditing tool or toolkit but instead relies on a combination of
handcrafted scripts and security policies to run manual audits instead
of automated ones. Someone please prove me wrong.
[3] Networks are not really thought of holistically the way a server is in the
systems world. Security tools are targeted more towards auditing
devices in an individual manner because modelling the entire network is
too difficult.
I suppose some of the folks doing IDS and/or distributed firewall (Oh Mr.
Bellovin? |8^) development may be able to shed better light on the subject.
But IDS seems to be a reactive measure rather than a proactive one, and
distributed firewalls may address some issues with device security but
don't seem to really touch on enforcing sane routing practices.
--
/*===================[ Jake Khuon <khuon at NEEBU.Net> ]======================+
| Packet Plumber, Network Engineers /| / [~ [~ |) | | --------------- |
| for Effective Bandwidth Utilisation / |/ [_ [_ |) |_| N E T W O R K S |
+=========================================================================*/