On Jan 6, 2011, at 1:51 PM, Joe Greco wrote:
There are numerous parallels between physical and electronic security. Let's just concede that for a moment.
I can't, and here's why:
1. In the physical world, attackers run a substantial risk of being caught, and of tangible, severe penalties if that eventuality comes to pass; in the online world, the risk of being caught is nil.
That's not true, and we see examples of it happening periodically.
2. In the physical world, attackers have a limited number and variety of resources they can bring to bear; in the online world, the attackers have near-infinite resources, for all practical purposes.
No, they don't. They have a different set of resources. They may be able to fill your transit connections, but they probably cannot cause your line cards to start on fire, or your switches to come unscrewed from the rack, things that real-world attackers can do. In the physical world, attackers have a near-infinite selection of attacks. If I really want into your house, for example, I can get there. It might be by breaking through a door, or by smashing a window, or (my favorite) by taking my Sawzall and a demolition bit and putting a hole through your wall. I can convince your kids that I'm a policeman and there's a bad man in the house. I can sleep with your wife and gain access that way. We see parallels in the online world, different, but vulnerable as well.
3. In the physical world, the attackers generally don't possess the ability nor the desire to bring the whole neighborhood crashing down around the ears of the defenders; in the online world, they almost always have the ability, and often the desire, to do just that.
So? That's a matter of what the goal of the attack is. In the physical world, we do indeed have some attackers who possess the ability and desire to bring whole neighborhoods crashing down; we lost some great real estate about ten years ago in lower Manhattan due to such nutjobs, and suicide bombers are a fact of life in some areas of the world. Electronic attacks are more likely to result in electronic "crashing down" for a variety of reasons, one of which is that overwhelming things electronically is fairly easy and effective, but the flip side to that is that the resulting damage is often just a short-term outage (PayPal, Mastercard, etc., all seem to be back online after recent attacks). The fact that there are some differences between physical and electronic security doesn't mean that there aren't also many parallels. It's probably hard to permanently destroy electronic infrastructure. Certain attacks, such as on the facility (kill the cooling, rapidly toggle the power, etc) might be effective in that sense. It's easier to destroy stuff during a physical attack. So that's different, fine. However, the point of security is still to try to convince a bad guy to go elsewhere, to find an easier target. When he has it out for you, though, it's basically a matter of whether or not he's willing to do what is necessary. That concept works for both the real world and for the online world.
Making it harder to scan a network *can* and *does* deter certain classes of attacks.
But as I've tried to make clear, a) I don't believe that sparse addressing does in fact make it harder to scan the network, due to hinted scanning via DNS/routing/whois/ND/multicast,
You don't have to believe it. It certainly doesn't make it harder in all cases, either. No amount of randomization will make "www.foobar.com" less readily identifiable with an AAAA pointing at it. But there are other use cases. Consider, for example, /56 allocations to end users on a service provider's network. There'll be no DNS/routing/whois vectors there; there might be ND/multicast vectors of some sort. The point is, though, that the guy with a /56 at the end of a cablemodem will be effectively unscannable if he's using randomly-selected 4941 IP addresses. And getting all righteous about firewall configurations and how he should have a transparent proxying firewall is fine, I agree, but the *real* world is that when his buddy tells him that he's having problems running WoW because of the firewall and he can do ${FOO} to turn it off, he's going to do that, because users are results-oriented in a way that makes all of us groan. So what I am looking for now is for you to explain to me how an end-user with a /56 (or even a /64!) on a cablemodem is not "harder to scan".
b) I believe that pushing the attackers towards hinted scanning will have severe second-order deleterious effects on DNS/network infrastructure/whois, resulting in an overall loss in terms of security posture,
I don't buy that. I believe that things like DNS and whois are natural candidates for additional layers of application level protection, and that application level protection scales more readily than things done closer to the wire. We're already seeing whois services protected by query-rate limits, and there's no reason DNS cannot be protected similarly.
and c) I don't believe that attackers will cease pseudo-randomized scanning, and d) I believe that in fact they will throw vastly more resources at both hinted and pseudo-randomized scanning, that they have near-infinite resources at their disposal (with an ever-expanding pool of potential resources to harness), and that the resultant increase in scanning activity will also have severely deleterious second-order effects on the security posture of the Internet as a whole.
Fair enough. I see where you're coming from and why you believe that, and it might even become true. On the flip side, however, I would point out that attackers have had vastly more resources made available to them in part *because* IPv4 has been so easily scanned and abused. To be sure, a lot of viruses have spread via e-mail spam and drive-by downloads, and sparse addressing will not prevent script kiddies from banging away on ssh brute force attacks against www.yoursite.com. But there's been a lot of spread through stupidity as well. Further, the sheer magnitude of the task of random scanning means that any actual random scanning of /64 networks will be ineffective; this leaves us to discuss ways to minimize the "pseudo" in pseudo-random scanning, and to see what can be done about hinted scanning. I think there's room for some constructive discussion there.
In short, I'm starting from a substantially different, far more pessimistic set of base premises, and therefore draw a far more negative set of resulting inferences.
I hope you'll understand that I'm trying to get a feel for all of that.
I don't believe the sky is falling; I believe it's already fallen, and that we're just now starting to come to grips with some of the ramifications of its fall.
In my view, an IPv6 Internet is considerably less secure, and inherently less securable, than the present horribly insecure and barely securable IPv4 Internet; furthermore, I believe that many of the supposed 'security' measures being touted for IPv6 are at best placebos, and at worst are iatrogenic in nature.
I don't see that. I see potential issues with ND, for example, but I don't see the potential for things like 4941 as "considerably less secure." Unless you're one of the people who are in favor of running everything through NAT as a form of "firewall", or things like that. I understand the desire there, too, though I think it's horribly broken... ...

JG

--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
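The two claims that carry the thread's argument, that a /56 or /64 with randomly chosen RFC 4941 style addresses is "effectively unscannable" and that "the sheer magnitude of the task of random scanning" makes brute-force sweeps of a /64 ineffective, reduce to an expected-value calculation. The following is an added example, not code from either poster: it works out the expected cost of uniformly random probing for address spaces of different sizes, and constructs a random interface identifier inside a documentation prefix to show what such an address looks like. The probe rate, host counts and the 2001:db8:: prefix are constructed inputs; the random identifier is drawn from os.urandom rather than the MD5 history chain RFC 4941 specifies, which is a simplification that leaves the scanner's odds unchanged.

```python
"""
Added example: the economics of brute-force scanning a /64 versus IPv4,
plus a randomly chosen interface identifier in the spirit of RFC 4941.
All numeric inputs below are constructed for illustration.
"""
import ipaddress
import os

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def expected_probes_to_first_hit(space_bits: int, live_hosts: int) -> float:
    """Expected number of uniformly random probes (with replacement) before
    the first responding host is found, when `live_hosts` addresses out of
    2**space_bits answer.  Each probe hits with probability
    live_hosts / 2**space_bits, so the expectation is the reciprocal."""
    if live_hosts <= 0:
        raise ValueError("need at least one live host")
    return (2 ** space_bits) / live_hosts


def years_to_first_hit(space_bits: int, live_hosts: int,
                       probes_per_second: float) -> float:
    """Wall-clock years of continuous scanning at a constant probe rate."""
    probes = expected_probes_to_first_hit(space_bits, live_hosts)
    return probes / probes_per_second / SECONDS_PER_YEAR


def random_interface_id() -> bytes:
    """64 random bits with the universal/local bit (bit 6 of the first
    octet, mask 0x02) cleared, marking the identifier as locally generated.
    RFC 4941 derives temporary identifiers from an MD5 history value;
    drawing them from os.urandom is a simplification (assumption) that
    gives the same uniform distribution from a scanner's point of view."""
    iid = bytearray(os.urandom(8))
    iid[0] &= 0xFD  # clear the 'u' bit
    return bytes(iid)


def temporary_address(prefix: str) -> ipaddress.IPv6Address:
    """Place a random interface identifier into the host half of a /64."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("RFC 4941 style identifiers assume a /64 prefix")
    iid = int.from_bytes(random_interface_id(), "big")
    return ipaddress.IPv6Address(int(net.network_address) + iid)


def scan_comparison(probes_per_second: float = 1_000_000) -> dict:
    """Years to the first hit for an IPv4 /24, the whole IPv4 space and a
    single IPv6 /64, each containing exactly one live host (constructed)."""
    return {
        "ipv4_/24": years_to_first_hit(8, 1, probes_per_second),
        "ipv4_all": years_to_first_hit(32, 1, probes_per_second),
        "ipv6_/64": years_to_first_hit(64, 1, probes_per_second),
    }


if __name__ == "__main__":
    for label, yrs in scan_comparison().items():
        print(f"{label}: {yrs:.3g} years at 1M probes/s, one live host")
    # constructed documentation-range prefix
    print(temporary_address("2001:db8:1234:5678::/64"))
```

At a million probes per second the /64 with a single live host costs on the order of 5.8e5 years of expected scanning, and a /56 of such networks is 256 times worse; the same rate covers all of IPv4 in about an hour. That is the asymmetry behind the "pseudo" in pseudo-random scanning: an attacker only gets back into reasonable territory by narrowing the space with hints (DNS, routing, whois, ND, multicast) or by targeting predictable identifiers, which is why the thread's disagreement is really about how much those hints leak.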