### On Wed, 13 Mar 2002 08:00:41 -0500 (EST), Sean Donelan
### <sean@donelan.com> casually decided to expound upon Rajesh Talpade
### <rrt@research.telcordia.com> the following thoughts about "Re: The view
### from the other side of the fence":

SD> On Wed, 13 Mar 2002, Rajesh Talpade wrote:
SD> > A network is only as secure as its weakest link....
SD> >
SD> > sounds like a cliche, but am afraid this least-common-denominator rule
SD> > will hold as networks converge.
SD>
SD> Is there anything we can do to improve this?  How can we make sure
SD> the people who "need-to-know" find out how to secure their weakest
SD> links instead of waiting for each company to stumble along their
SD> learning curve.

That's a good question.  Unlike the systems world, where there seem to be
quite a few free as well as commercial toolkits alongside stuff that gets
distributed OEM to run security audits (many OSes are preconfigured as part
of their installation process to generate periodic audits), there don't seem
to be many such toolkits for auditing networks as a whole.  I think this
stems from several reasons (and I'm probably missing a few).

[1] Diversity in network designs forces security folks to tailor their
    auditing tools to a particular network.

[2] Exposure of homegrown auditing methods and procedures is viewed as a
    security breach, so such things simply are kept in secrecy.  I suspect,
    however, that no one has really developed a comprehensive generic
    auditing tool or toolkit but instead relies on a combination of
    handcrafted scripts and security policies to run manual audits instead
    of automated ones.  Someone please prove me wrong.

[3] Networks are not really thought of holistically like a server is in the
    systems world.  Security tools are targeted more towards auditing
    devices in an individual manner because modelling the entire network is
    too difficult.

I suppose some of the folks doing IDS and/or distributed firewall (Oh Mr.
Bellovin? |8^) development may be able to shed better light on the subject.
But IDS seems to be a reactive measure rather than a proactive one, and
distributed firewalls may address some issues with device security but
don't seem to really touch on enforcing sane routing practises.

--
/*===================[ Jake Khuon <khuon@NEEBU.Net> ]======================+
 | Packet Plumber, Network Engineers     /| / [~ [~ |) | |  --------------- |
 | for Effective Bandwidth Utilisation  / |/ [_ [_ |) |_| N E T W O R K S  |
 +=========================================================================*/