Fwd: cnn.com - Homeland Security seeks cyber counterattack system(Einstein 3.0)

Patrick Darden darden at armc.org
Tue Oct 7 19:18:05 UTC 2008

J. Oquendo wrote:
> Too many companies and individuals rely far
> too heavily on a false and outdated concept of the definition of
> "minimum requirements" when it comes to security. They tend to
> think they need to implement the minimum requirements and all will
> be fine. This is evident in almost all security management material
> I read where the goal is to offer a "mininum" set of requirements
> to meet guidelines and regulatory controls.
> What about exceeding the minimum requirements for a change. 

What about an entirely different concept?  I see a lot of network 
router/firewall admins make the mistake of closing certain known bad 
ports off.  This mostly happens in a University-type situation, where it 
is necessary--or at least traditional--to have an open network.  A 
network able to handle myriad new and changing protocols and services.  
This is the black-list approach.  It is a fundamental approach to 
security that ends up with "minimum requirements" either met or 
exceeded, without any real effectiveness no matter what certain experts 
may claim.

The acknowledged better path is using a white-list instead.  Turn 
everything off by default.  Turn off all ports on the router/firewall.  
Turn the ones back on that can be trusted, with as much control as you 
can throw in there--specifying endpoints and ports, using content 
inspection and ensuring protocols using higher layer proxy-type 
protocols.  Modern firewalls can do all of this.

This would lead to "maximum possible" security, regulated only by 
realities.  Layer 9 and 10 being the biggies, although layer 1 and 2 are 
also important (money and politics).

This would not work in an open environment with 30,000 new laptops 
coming in at the start of every summer, each running a different brand 
of Doom (pun intended).  But if we are talking about a smaller number of 
stable networks that are meant primarily to interface with one-another 
and only network outside of themselves... (wait for it, not secondarily, 
not tertially, not even quartnearilly but instead) perhaps as the least 
important function, then we have something we can work with.  These 
networks would be of Working machines.  Primary purpose: work.  
Stability, functionality, security of data and communications....

Here you go, my incredibly naive take on it:

0.  white list as the fundamental principle.  maximum security.
1.  you are starting with a mess.  turn off all internetworking on a 
network, until it is compliant with the below.
2.  separate the networks into discrete logical units (via function 
would be best, if realities such as location/bandwidth permit).
3.  separate the workstations.
4.  harden the workstations.  turn off extra services.  only install 
certain programs.  make an image.  shoot that image down every now and 
then to ensure compliance.
5.  harden the networks.  allow communication between networks only for 
certain services.  specify endpoints and ports, use content inspection 
ensure protocol regulation.  check logs for unregulated attempts to 
communicate between networks.
6.  make sure you have adequate pc/networking/security admins to do 
this--and maintain it.  Keeping it all up to date will be a big part of 
making sure it stays functional.
7.  probably this should be #1 instead of #7--start with clear 
documentation for each of the above points, including assignation of 
responsibilities with job titles.

--Patrick Darden

More information about the NANOG mailing list