This is a discussion on Re: [fw-wiz] How automate firewall tests - Firewalls ; At 09:38 AM 21/08/2006, Marcus J. Ranum wrote: >On the other hand, the customers of the "computer security >industry" are spending about $1 billion annually on all the >computer security "solutions" yet the sitation is getting worse. >What does that ...
At 09:38 AM 21/08/2006, Marcus J. Ranum wrote:
>On the other hand, the customers of the "computer security
>industry" are spending about $1 billion annually on all the
>computer security "solutions" yet the sitation is getting worse.
>What does that tell you? It tells me the "conventional
Answering the question that started this thread is like answering the question: "How can I know what I don't know?". The answer, of course, is both:
o "You can certainly verify that things around you are doing what you were led to believe they would do", and;
o "You don't know what you don't know."
The first part is an answer encompasing all sorts of known tools and techniques to verify functionality. Verifying that some "thing" (like a fw, ids, etc) is doing what it is supposed to is a worthy activity in building a secure network.
The second part is what those looking to compromise security are straining to exploit. As long as some Thing or set of Things on your network are the axle around which the security of your network revolves, you will be as secure as your last application of grease or the latest evolution among wood-worms. A single bearing-failure, bird's nest, really humid day or sudden insight into an existing lack of foresight brings the whole works to a crashing halt.
There is no simple answer to knowing what you don't know (that's what makes security fascinating). Bad People really do want to harm you and, taken as a whole, Bad People Inc. is a well-staffed 7x24 operation with their own R&D division always searching for ways to do you no good.
My advice is to focus efforts on tactical command and control (which should look to you like "Visibility"). Mitigating SIMs like MARS, good "distributed" IPS solutions (while I have issues with these) like Lancope, passive vulnerability scanning implemented like Tenable does it: these sorts of things will give you visibility into what is going on in your imperfect world. You cannot make even any *one* Thing in security "perfect", but you can do your best in regards to your Things and then manage the whole mess into an acceptable risk state.
The man who never alters his opinion is like standing water, and breeds reptiles of the mind.
Lofty Perch Inc.
firewall-wizards mailing list