<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/'><id>tag:blogger.com,1999:blog-8539880144347728238.post8287267830911467290..comments</id><updated>2009-03-24T05:10:09.733-04:00</updated><title type='text'>Comments on Carnal0wnage Blog: Network Security Is Not Dead</title><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://carnal0wnage.blogspot.com/feeds/8287267830911467290/comments/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8539880144347728238/8287267830911467290/comments/default'/><link rel='alternate' type='text/html' href='http://carnal0wnage.blogspot.com/2008/06/network-security-is-not-dead.html'/><author><name>CG</name><uri>http://www.blogger.com/profile/11061967917509053185</uri><email>noreply@blogger.com</email></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>3</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-8539880144347728238.post-4143282696066314477</id><published>2008-07-10T22:23:00.000-04:00</published><updated>2008-07-10T22:23:00.000-04:00</updated><title type='text'>I love how people come out with this junk, firewal...</title><content type='html'>I love how people come out with this junk, firewalls are Dead, we should all have IDS...&lt;BR/&gt;NAT is dead, we are all going ipv6... 
Security in layers, one of those layers at the moment and for the foreseeable future is netsec (I can't see this changing unless there is a radical change in the way the internet works), DMZs, Firewalls, IDS, IPS, NAT rules (even these are a form of security), VPNs and other tunnels.&lt;BR/&gt;Me, I take everything I read with a pound of salt, but I agree with what you have said so far, Andre.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8539880144347728238/8287267830911467290/comments/default/4143282696066314477'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8539880144347728238/8287267830911467290/comments/default/4143282696066314477'/><link rel='alternate' type='text/html' href='http://carnal0wnage.blogspot.com/2008/06/network-security-is-not-dead.html?showComment=1215742980000#c4143282696066314477' title=''/><author><name>me</name><uri>http://www.blogger.com/profile/10406049887224934659</uri><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://carnal0wnage.blogspot.com/2008/06/network-security-is-not-dead.html' ref='tag:blogger.com,1999:blog-8539880144347728238.post-8287267830911467290' source='http://www.blogger.com/feeds/8539880144347728238/posts/default/8287267830911467290' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-8539880144347728238.post-7057652536288788339</id><published>2008-06-24T16:50:00.000-04:00</published><updated>2008-06-24T16:50:00.000-04:00</updated><title type='text'>"It's still kind of 2003 stuff though..."isn't retr...</title><content type='html'>"It's still kind of 2003 stuff though..."&lt;BR/&gt;&lt;BR/&gt;isn't retro always in style?&lt;BR/&gt;&lt;BR/&gt;don't worry, I didn't include WAF for a reason, I know you TS/SCI boys got that stuff on lockdown.</content><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/8539880144347728238/8287267830911467290/comments/default/7057652536288788339'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8539880144347728238/8287267830911467290/comments/default/7057652536288788339'/><link rel='alternate' type='text/html' href='http://carnal0wnage.blogspot.com/2008/06/network-security-is-not-dead.html?showComment=1214340600000#c7057652536288788339' title=''/><author><name>CG</name><uri>http://www.blogger.com/profile/11061967917509053185</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='02636627262990256726'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://carnal0wnage.blogspot.com/2008/06/network-security-is-not-dead.html' ref='tag:blogger.com,1999:blog-8539880144347728238.post-8287267830911467290' source='http://www.blogger.com/feeds/8539880144347728238/posts/default/8287267830911467290' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-8539880144347728238.post-528989973126721708</id><published>2008-06-24T14:35:00.000-04:00</published><updated>2008-06-24T14:35:00.000-04:00</updated><title type='text'>I still do network security, but I try not to tell...</title><content type='html'>I still do network security, but I try not to tell anyone about it.  Keep it on the down-low, ok?&lt;BR/&gt;&lt;BR/&gt;I really like how you brought the network security down to only the basics:&lt;BR/&gt;&lt;BR/&gt;1) Domain segmentation.  Hell yes.  Having a separate AD forest for servers and workstations is very important (the only servers in the workstation forest should be the ones that service the workstations, not the ones that service other "services" that are needed by the domain).  
Using separate AD forests for totally separate networks that fall under the auspices of SOX or PCI is also very smart -- if only to reduce the scope of these networks alone&lt;BR/&gt;&lt;BR/&gt;2) Router ACLs.  Yes, these are great wins, especially if they are reflexive and work like stateful firewall rules (then what do you need a firewall for?).  I have worked in many environments where router ACLs were used instead of firewalls and loved it&lt;BR/&gt;&lt;BR/&gt;3) IPSec.  I'm iffy on this subject.  IPSec, SSL VPN, and others all have different kinds of problems.  I guess IPSec can be useful, but I'd rather use OpenVPN for my personal use, and even in small corporate environments.  I guess confidentiality and authentication are important issues to address -- and IPSec and/or SSL VPN does meet them.  But it's very smart to make sure you're using the right products with the right configurations.  It can be very tricky to get one or the other right&lt;BR/&gt;&lt;BR/&gt;4) VLANs.  Wireless VLANs, pVLANs, VACLs -- oh man, I love LAN security... especially Cisco DAI and all of the various little configuration knobs.  This stuff is totally for geeks, but it would be so much better with PKI and proper SSL/TLS.  Let me blow both #3 and #4 out of the water by saying that I would prefer that everything be wrapped in SSL/TLS and then we don't need this stuff.  Of course, SSL/TLS can have issues, but I think it's easier and doesn't require an uber-geekgod-expert in VPN or LAN security to implement correctly&lt;BR/&gt;&lt;BR/&gt;5) Firewalls, IPS, IDS, UTM, et al.  This is where I start to say, "oh come on now, do you really need to spend $2M on this junk?".  It's so 1999.  Come on -- Palo Alto Networks, puh-lease.  "Let's show the world how much firewalls suck -- buy our firewall!".  I lost track of firewall technology before Netscreen came on the scene.  This stuff was incredibly useful between 1996 and 2001, and then it stopped being as useful as anyone thought it was.  
SYN attacks, Smurf, TCP/UDP amplification attacks, Teardrop, Ping-of-death, etc -- all of these attacks were software problems just like web application software weaknesses today.  However, all of the old DoS/DDoS attacks worked against weaknesses in network stacks (which is software, by the way), so it made sense to block them at the network layer.  Around 1998, SQL injection came on the scene and started to change things, and by 2001 XSS popped around to make phishing scams twice-as-nice for adversaries.  Once these techniques caught on, brute-force authentication and zero-day server-side exploits with IDS evasion became boring in comparison.  Oh, by the way, never bring up WAF's around me if you can help it.  The rants will be tens-times-as-long&lt;BR/&gt;&lt;BR/&gt;Also, Bluecoat seems to be a waste of money in many scenarios, although I do like the idea of proxies being used for these purposes even if I know plenty of ways around them (SSH through SSL with SOCKS? UDP/TCP hole punching, pivot bouncing, etc).  Maybe a better choice would be Squid.&lt;BR/&gt;&lt;BR/&gt;Oh dood, and while IDS does have its uses even today (although maybe not quite as cool as it once was), I totally dig being able to drop some tcpdump or Ethereal action with either taps or mirror ports (i.e. {ER|R}SPAN).  
It's still kind of 2003 stuff though...</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8539880144347728238/8287267830911467290/comments/default/528989973126721708'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8539880144347728238/8287267830911467290/comments/default/528989973126721708'/><link rel='alternate' type='text/html' href='http://carnal0wnage.blogspot.com/2008/06/network-security-is-not-dead.html?showComment=1214332500000#c528989973126721708' title=''/><author><name>Andre Gironda</name><uri>http://www.blogger.com/profile/17414510788948258195</uri><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://carnal0wnage.blogspot.com/2008/06/network-security-is-not-dead.html' ref='tag:blogger.com,1999:blog-8539880144347728238.post-8287267830911467290' source='http://www.blogger.com/feeds/8539880144347728238/posts/default/8287267830911467290' type='text/html'/></entry></feed>