North American Network Operators Group


Re: The view from the other side of the fence

  • From: Jake Khuon
  • Date: Wed Mar 13 08:39:10 2002

### On Wed, 13 Mar 2002 08:00:41 -0500 (EST), Sean Donelan
### <[email protected]> casually decided to expound upon Rajesh Talpade
### <[email protected]> the following thoughts about "Re: The view
### from the other side of the fence":

SD> On Wed, 13 Mar 2002, Rajesh Talpade wrote:
SD> > A network is only as secure as its weakest link....
SD> >
SD> > sounds like a cliche, but am afraid this least-common-denominator rule
SD> > will hold as networks converge.
SD> Is there anything we can do to improve this?  How can we make sure
SD> the people who "need-to-know" find out how to secure their weakest
SD> links instead of waiting for each company to stumble along their
SD> learning curve.

That's a good question.  Unlike the systems world where there seem to be
quite a few free as well as commercial toolkits alongside stuff that gets
distributed OEM to run security audits (many OSes are preconfigured as part
of their installation process to generate periodic audits), there don't
seem to be many such toolkits for auditing networks as a whole.  I think
this stems from several reasons (and I'm probably missing a few).

[1] Diversity in network designs forces security folks to tailor their
    auditing tools to a particular network.

[2] Exposure of homegrown auditing methods and procedures is viewed as a
    security breach, so such things simply are kept in secrecy.  I suspect
    however that no one has really developed a comprehensive generic
    auditing tool or toolkit but instead relies on a combination of
    handcrafted scripts and security policies to run manual audits instead
    of automated ones.  Someone please prove me wrong.

[3] Networks are not really thought of holistically like a server is in the
    systems world.  Security tools are targeted more towards auditing
    devices in an individual manner because modelling the entire network is
    too difficult.

I suppose some of the folks doing IDS and/or distributed firewall (Oh Mr.
Bellovin? |8^) development may be able to shed better light on the subject.
But IDS seems to be a reactive measure rather than a proactive one, and
distributed firewalls may address some issues with device security but
don't seem to really touch on enforcing sane routing practices.

/*===================[ Jake Khuon <[email protected]> ]======================+
 | Packet Plumber, Network Engineers     /| / [~ [~ |) | | --------------- |
 | for Effective Bandwidth Utilisation  / |/  [_ [_ |) |_| N E T W O R K S |