bloomberg on supermicro: sky is falling

Naslund, Steve SNaslund at
Wed Oct 10 15:25:02 UTC 2018

You are free to disagree all you want with the default deny-all policy but it is a DoD 5200.28-STD requirement and NSA Orange Book TCSEC requirement.  It is baked into all approved secure operating systems including SELINUX so it is really not open for debate if you have meet these requirements.  Remember we were talking about Intel agency systems here, not the general public.  It is SUPPOSED to be painful to open things to the Internet in those environments.  It needs to take an affirmative act to do so.  It is a simple matter of knowing what each and every connection outside the network is there for.  It also reveals application vulnerabilities and compromises as well as making it easy to identify apps that are compromised.  

In several of the corporate networks I have worked on, they had differing policies for different network zones.  For example, you might allow your users out to anywhere on the Internet (at least for common public protocols like HTTP/HTTPS) but not allow any servers out to the Internet except where they are in a DMZ offering public services or destination required for support (like patching and remote updates).  Seemed like good workable policy.

Steven Naslund
Chicago IL

>Hi Steve,
>I respectfully disagree.
>Deny-all-permit-by-exception incurs a substantial manpower cost both
>in terms of increasing the number of people needed to do the job and
>in terms of the reducing quality of the people willing to do the job:
>deny-all is a more painful environment to work in and most of us have
>other options. As with all security choices, that cost has to be
>balanced against the risk-cost of an incident which would otherwise
>have been contained by the deny-all rule.
>Indeed, the most commonplace security error is spending more resources
>securing something than the risk-cost of an incident.  By voluntarily
>spending the money you've basically done the attacker's damage for
>Except with the most sensitive of data, an IDS which alerts security
>when an internal server generates unexpected traffic can establish
>risk-costs much lower than the direct and indirect costs of a deny-all
>Thus rejecting the deny-all approach as part of a balanced and well
>conceived security plan is not inherently an error and does not
>necessarily recommend firing anyone.
>Bill Herrin

More information about the NANOG mailing list