
Vista Hardware Checklist

jæd said:
You build firewalls/servers that are underpowered for their jobs...? Doesn't sound a very good idea to me... :D
TBH I'm curious about this one too :D

Security through obscurity, I've heard of..

Security through lack of welly is a new one on me :)

Kam, what's the thinking behind it ??
 
Radar said:
Security through obscurity, I've heard of..

Aaaah, so that's the point of my predecessor buying these Netsafe boxes.

They do look quite secure, sealed as they are in their packaging.

:D
 
We all know that Vista is just Win 95, 98, NT4, ME, 2000, XP with a lot of bolt-ons. Same old crap, just more bloat. Microsoft are in with Intel to make you go out and buy more hardware for their shitty software.
 
jæd said:
You build firewalls/servers that are underpowered for their jobs...? Doesn't sound a very good idea to me... :D
Underpowered for its job is an interesting question. Looking recently at the reasons for a dramatic rise in small-value fraudulent transactions against a merchant after they redeployed their website on faster hardware (there are more complex issues at work with the merchant auth mechanism as well), it was discovered that the site was being used by fraudsters with card generators or stolen cards who were not interested in buying the services offered by the company but wanted to test whether the card worked. The hardware upgrade had meant that the card processing part of the site was quick, and the charge-back percentage jumped from ~.3% to 12 times that, despite the fact that most of the charge-back transactions were for small sums.

OK, I grant you the site wasn't moved to slower hardware, but the customer interactions were broken up onto more pages and the card auth response was delayed.

This is not untypical. Consider an auth server acting for maybe a few tens of thousands of users. It would be normal to lock the accounts of users with multiple auth retries, so attacks migrate to stepping through the user names so each is only tried once. While I now have protection against this sort of attack - particularly on the Cisco VPN side of things - it wasn't common and still isn't in much legacy hardware. The best protection against third-class attacks (as Rumsfeld would have it, the unknown unknowns) is not having hardware capable of carrying them out. Slower processors with fewer pipelines are less vulnerable to chip-level race conditions which, while we haven't seen them in the wild, have been the subject of proof-of-concept research for a little while now.

Stateful firewalls which may realistically be expected to handle a few thousand sessions and are connected to an 8Mbps DSL will be more than thrilled to be running on a PIII & 256MB. If you stick a Northwood in it, while I obviously don't think that anyone is going to kick you for being criminally negligent, you might consider how an attacker against you could benefit from attacking a very fast machine compared to one spec'ed merely to do its job. Michal Zalewski has written some stuff that covers this area as well.
 
There's some truth in that, but practically speaking it's the wrong idea. For instance, UNIX salts passwords to make authentication slower. Basically this means adding extra stages to the calculation of checking an entered password, so you get less throughput if trying a brute force/dictionary attack. That alone, though, is clearly not the right idea. You need to find other more solid ways, like kicking off a user who attempts to login too many times.
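An added example, not code from either poster: Kameron's point above is that once accounts lock after a few failures, attackers step through user names trying each once, and this reply's answer is to kick off a user who tries too many times. The guard below runs both checks over constructed log lines, locking an account after repeated failures and, separately, blocking a source that fails against many distinct accounts inside a time window (thresholds, log format and addresses are all assumptions).

```python
from collections import defaultdict, deque

ACCOUNT_LOCK_THRESHOLD = 5    # failures on one account before it is locked (assumed)
SOURCE_SPRAY_THRESHOLD = 10   # distinct accounts failed from one source in the window (assumed)
WINDOW_SECONDS = 600

class AuthGuard:
    def __init__(self):
        self.account_failures = defaultdict(int)
        self.source_events = defaultdict(deque)   # src -> deque of (ts, user)
        self.locked_accounts = set()
        self.blocked_sources = set()

    def record_failure(self, ts, src, user):
        """Register one failed login; return the enforcement actions it triggers."""
        actions = []
        # Classic per-account lockout: stops the brute force against one user.
        self.account_failures[user] += 1
        if (self.account_failures[user] >= ACCOUNT_LOCK_THRESHOLD
                and user not in self.locked_accounts):
            self.locked_accounts.add(user)
            actions.append(("lock_account", user))
        # Per-source view: one try per user never trips the lockout, but many
        # distinct users failing from one source inside the window does.
        events = self.source_events[src]
        events.append((ts, user))
        while events and ts - events[0][0] > WINDOW_SECONDS:   # drop stale entries
            events.popleft()
        distinct_users = {u for _, u in events}
        if (len(distinct_users) >= SOURCE_SPRAY_THRESHOLD
                and src not in self.blocked_sources):
            self.blocked_sources.add(src)
            actions.append(("block_source", src))
        return actions

def parse_line(line):
    """Parse a constructed 'TS AUTH_FAIL src=IP user=NAME' line into (ts, src, user)."""
    ts, _, src, user = line.split()
    return int(ts), src.split("=", 1)[1], user.split("=", 1)[1]

def analyse(lines):
    guard = AuthGuard()
    for line in lines:
        if "AUTH_FAIL" in line:
            guard.record_failure(*parse_line(line))
    return guard

# Constructed sample: one source hammers 'alice'; another tries 12 users once each.
SAMPLE_LOG = (
    [f"{1700000000 + i} AUTH_FAIL src=203.0.113.5 user=alice" for i in range(6)]
    + [f"{1700000100 + i} AUTH_FAIL src=198.51.100.7 user=user{i:02d}" for i in range(12)]
)
```

Run `analyse(SAMPLE_LOG)`: the first source locks `alice` but is never blocked, while the second source locks no account and is blocked at its tenth distinct user.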
 
Kameron said:
... you might consider how an attacker against you could benefit from attacking a very fast machine compared to one spec'ed merely to do its job.

Well... Your security model should scale to the hardware provided. Saying "Well, you shouldn't run xyz system on fast hardware" is just a cop-out. Build in security and you won't come as unstuck...!
 
jæd said:
Well... Your security model should scale to the hardware provided. Saying "Well, you shouldn't run xyz system on fast hardware" is just a cop-out. Build in security and you won't come as unstuck...!
Sure it should, and when it doesn't, which security is renowned for not doing, we switch to enclave security models both in the physical world and the electronic. We have seen, for instance, a total failure of wireless security to stay ahead of the game, which has led to the almost universal pushing of WPA-protected wireless LANs outside the firewall or ideally into their own enclave. It is no longer atypical to see all LANs reduced to a series of VLANs where each client machine sees only the reverse mail and file server proxies and the web proxy. The problem set here is fundamentally different from many areas of computing where twice the problem will be solved by twice the power; the reality is that twice the problem needs a different solution in the security world. Though partition models familiar to us from statistics and enclave models borrowed from the physical security world allow us to apply tried and tested solutions to larger environments, and we hope to create a hive that can scale, it still doesn't mean twice the power; six may be a better rule of thumb.
 
the theory is sound - in principle.

by deploying a slower box you slow down response times to attacks. this gives your IDS and other systems a fighting chance of spotting any floods before they actually have any real effect. it also makes for a less attractive target.

it's not however a theory I subscribe to. I prefer to look at throttling the resources given over to processing requests whilst allowing additional processing for monitoring processes. this can be exploited but tbh if someone is knowledgeable enough to be able to exploit this sort of weakness on a hardened platform they are not going to be put off by slower response times anyhow.


each method has its strengths and weaknesses. neither is right and neither is wrong

firewall-wise i only ever really trust hardened, hardware-based solutions anyhow.
 
Kameron said:
Sure it should, and when it doesn't, which security is renowned for not doing, we switch to enclave security models both in the physical world and the electronic. We have seen, for instance, a total failure of wireless security to stay ahead of the game, which has led to the almost universal pushing of WPA-protected wireless LANs outside the firewall or ideally into their own enclave. It is no longer atypical to see all LANs reduced to a series of VLANs where each client machine sees only the reverse mail and file server proxies and the web proxy. The problem set here is fundamentally different from many areas of computing where twice the problem will be solved by twice the power; the reality is that twice the problem needs a different solution in the security world. Though partition models familiar to us from statistics and enclave models borrowed from the physical security world allow us to apply tried and tested solutions to larger environments, and we hope to create a hive that can scale, it still doesn't mean twice the power; six may be a better rule of thumb.

A shining example of security through obfuscation. Kameron could've put the Queen's credit card number & PIN in there, but I didn't manage to get past the second three-line sentence...! :D
 
translation

the computer security field draws on experiences in the physical security world. There are lots of parallels.. onion skin defense.. DMZs... treat untrusted sources as compromised ...yadda yadda yadda

wpa and wireless encryption is insecure so instances of it in a corporate environment tend to be treated as insecure so are placed in their own DMZ and mistrusted with access to the trusted network being via a controlled means. This limits the damage that can be caused if they do become compromised.

in IT if you have an issue that grows traditionally you just lob more computing power at it. This tends not to work in security. You need to devise new means to confront the threat. e.g. a new virus that is undetectable by any known antivirus solution would not be stopped by installing a more powerful network virus scanner. you would need to develop a new approach to deal with the threat (block ports etc)

he's got me on enclave and partition models with statistics though. I assume he means having isolated vlans or zones that have their access to other vlans\zones controlled by various security devices. with each vlan\zone treating every other as potentially compromised. (Have seen banks do this but it's not common as it's bleeding expensive).

hive.. nope got me there too

sorry old boy but I don't understand your banter
 
Just wait a while and someone will release a hack version with all the useless fluff left off and the size will be relatively manageable.
 
pinkychukkles said:
Just wait a while and someone will release a hack version with all the useless fluff left off and the size will be relatively manageable.

Why bother - just use Ubuntu Linux. A working secure OS without a) putting money in Bill Gate$ wallet and b) no bloat.

Frankly I'm an appliance operator and although I had some problems (mostly between keyboard and chair I might add) getting set up I would never ever go back to windows now even though at one point I was tempted.
 
Pingu said:
he's got me on enclave and partition models with statistics though. I assume he means having isolated vlans or zones that have their access to other vlans\zones controlled by various security devices. with each vlan\zone treating every other as potentially compromised.

Enclaves and not pissing about: this paper is talking about enclaves and is dated 1999, so we aren't cutting edge here really, though the single/paired machine VLANs are only just coming to be a reality.

Lots of networks with multiple enclaves are broken down into their subsections on the basis of physical network components. This means you end up having a router for each enclave along with a firewall.
While that is fine for many situations, it does mean that they are physically fixed and dependent on your physical layout. I haven't seen it in the literature, but people have been calling networks enclaved on the basis of routing rules, normally on switches (or firewalls), partitioned networks. This is often done with standard VLAN options on modern routers.

The reference to statistics is just confusing in this context (without a thermal physics background) but partition models are used in statistical thermodynamics to create subsystems with negligible interaction - I'm sure I don't need to labour the point.

Hive is just the name applied to deeply enclaved networks and I think that they started getting called hives after the network diagrams started appearing.
 
KeyboardJockey said:
a) putting money in Bill Gate$ wallet
That is a very modern position to take you know, last time I checked there were only a handful of us who thought that using a hacked version of windows in non-business environments was putting money in Bill Gatacus' pocket. Everyone else thought they were ripping him off.
 
Kameron said:
That is a very modern position to take you know, last time I checked there were only a handful of us who thought that using a hacked version of windows in non-business environments was putting money in Bill Gatacus' pocket. Everyone else thought they were ripping him off.

Well... You could say that you're still endorsing Windows even if you're not paying for it...
 
jæd said:
And I continue to be amazed that no-one sues, or just demands their money back from Microsoft... :rolleyes:

Microsoft - the delboys of the computer world

'......No money back no guarantee'

If you recall that line from the theme tune of Only Fools and Horses :D
 
jæd said:
Well... You could say that you're still endorsing Windows even if you're not paying for it...
I believe that is what is called the mild economic feedback theory. The strong version says: if people turn up at their employer knowing how to use Windows then employers deploy Windows; having deployed it, it becomes a requirement for new applicants, thereby forcing new applicants to learn how to use Windows, etc, etc ... time becomes a loop.

On the other hand, if users turn up knowing how to use something else, or even better turn up with the ability to learn how to use anything, then Windows loses market share and loses sales as the market becomes more flexible.

(Let's just assume for argument's sake that serious businesses don't pirate Windows generally, and "deploy" in these terms means that businesses spend money on it with MS.)
 
jæd said:
Is this actual, real-world experience, or is someone just c+p'ing from badly written textbooks...? :confused:

me or him?

the theory is pretty much real world.. a bit on the costly side for the vast majority of companies but the basic principles are ok.

it's been a while since I designed a secure network but how we did it back then was to have access controls in between networks. These networks were isolated using vlans (at the time to mainly prevent sniffers functioning - there are other network benefits but this was the main reason why we vlaned) and by use of restrictive subnets. this meant that there could only physically be so many machines that would work on a /28 subnetted segment. this made it harder for someone to sneak a machine onto that network without it being noticed. In between untrusted segments the routing would go via a firewall with acls also being used on the routers to do port filtering etc. it's expensive to do though
 
Pingu said:
me or him?
I think the comment was pointed at my impenetrable single sentence per post and what turned out to be a jargon-heavy prose style; then again, I thought my audience (him, since he asked the question) was pretty savvy regarding corporate networks.
 