Can you perhaps share your "interesting" notes from said Software Policy
Restrictions in AD endeavor? Publicly, I'd hope.


-----Original Message-----
[] On Behalf Of Paul D. Robertson
Sent: Tuesday, July 18, 2006 5:13 PM
To: Marcus J. Ranum
Cc: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] The Outgoing Traffic Problem

On Tue, 18 Jul 2006, Marcus J. Ranum wrote:

> > Sigh. ANY authentication would be better than none at all.

> So now we're back to a conversation that I recall having several
> times in 1992/3: that outgoing connections should be authenticated
> as "belonging" to a real human behind a keyboard before they are
> allowed. I remember Fred and I floated that idea to a few customers
> (including folks who were considered to be very sophisticated, in
> terms of security) and getting blank stares in response.

Been there, done that, broke the Gauntlet. Authentication for HTTP

> The end-game looks like: operating systems environments that
> execute only white-listed executables that have been authorized
> by the system owner or enterprise administrator, combined with
> a "tie connectivity to a live human" layer for originating network
> traffic, unless the system is a server (in which case it will be
> firewalled down to just authorized services).

Software Policy Restrictions in Active Directory do the first part, just
finishing a live implementation - it's been um... interesting.

> In the meantime, we'll get more emphasis on patching and
> anti-badness detectors. As we've seen, anti-badness detectors
> (IPS, A/V, IDS, anti-spyware, URL filtering, anti-spam) don't
> really work, unless you're an anti-badness vendor. And, we can
> see how well patching is working...
> Schneier has written interesting stuff about the difficulty of
> accurately tying a real human to a keyboard; there are signs
> that the bad guys are working on how to do man in the middle
> attacks against "captchas" and 2-factor authentication. For the
> time being, though, using something like a captcha to get a
> user to "unlock" their web access for 15 minutes (or whatever)
> would raise the bar, but that'll only be temporary. On the other
> hand, in the current ultra-target-rich environment, putting almost
> any check in the outgoing pipe would put you light years ahead
> of the rest of the pack. And, remember: you don't have to outrun
> the lion - you just have to outrun the slowest of the other people
> who are running away from the lion.
> Here's a prediction for you: as target-specific attacks begin to
> rise, the anti-badness approach is going to finally fail utterly.
> There are going to be a lot of very nervous IT professionals
> that have systems and networks that are way too permissive,
> and they'll all be looking around for "Plan B." The bad news
> is that most of the "Plan B" approaches reduce convenience
> and accessibility for the users. That collision will be met with
> denial.
> You'll notice that, except for the "target-specific attacks"
> aspect, the future (denial) looks a lot like the present (denial).

Target of Choice is always worse.

Paul D. Robertson "My statements in this message are personal
opinions which may have no basis whatsoever in fact."

firewall-wizards mailing list