Re: [gnso-ff-pdp-may08] How are Internet users affected by fastflux hosting?

[Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>]

Dave mentioned,

#It's safe to say that no single security measure offers relief from spam. 

Since spam has run as high as as 90% of all mail traffic, some pessimists 
just shorten that assertion to "Nothing offers relief from spam." :-)
In my case, though, I'm an eternal optimist, and I say, "Nothing offers 
relief from spam YET." :-)

But I digress...

#I've always believed that until you address the endpoint security problem, 
#including source/origin address validation as we have in the telephone 
#network, you are essentially applying bandaids to severed femeral arteries.

Showing the low level of my network security aspirations, I'd settle for 
ISPs deploying BCP38 (RFC2827) network ingress filtering. :-;

But like any scheme that requires leakless perimeter enforcement for 
success, it's a tough/slack world out there...

#If you read SSAC's fast flux advisory, I call particular attention to the 
#endpoint security issue, and injected my personal belief that network 
#admission control must be part of the solution set. I see no reason why 
#this group cannot take a queue from SSAC's advisory. There is ample 
#anecdotal evidence from enterprises and educational institutions that have 
#implemented Cisco NAC that "it helps, A LOT!"

Many schools certainly have adopted network access control solutions, and
NAC can can help under some circumstances at least for a while. But note 
that the security landscape is shifting. Speaking of which...

There was a great talk this year at the Educause Security Professionals
conference from a colleague of mine, Brian Smith-Sweeny of NYU, entitled
"The Shifting Landscape of IT Security," see
http://net.educause.edu/ir/library/powerpoint/SEC08076.pps

Key takeaway from that talk relavent to this conversation (although I'd
encourage you to see Brian's full set of slides and the notes attached
thereto) is from slide 16, describing their experience with agentless 
NAC on their residence hall network:

   "Initial ResNet vulnerability rate: 30%

   "By 2006, only 1.9% of registered systems were marked vulnerable."

As a result of that shift, they changed how they chose to spend their
limited security dollars. 

And of course, there's also the reality that (a) the better the end point 
security of one's users, and (b) the greater the diversity of devices they
use, the bigger the challenge that deploying network access control-centric 
strategies present.

For example, if you're agentless, end-user level hardware and software 
firewalls can quickless reduce the value of remote access-time scans 
(unless holes get punched, and I'm not a big fan of that).

If you're doing agent based NAC and living in a corporate 
every-laptop-is-running-Windows-and-is-a-member-of-a-domain world, agent
based NAC also feels a lot different than an "anything goes, if you've got 
it, bring it, hook it up to the network" environment where exceptions
processing can quickly become a pain ("As a matter of fact, no, we don't
have an agent for your network-based gaming console, so could you please 
enter it's MAC address on the form at...").

And then there are the fascinating lock conditions that can occur with
visitors: "You require that I install access control agent software on
my laptop so you can be sure that my system is secure, but my laptop is 
centrally managed for security reasons and I don't have the authorization 
or even the technical ability to install *anything* whatsoever on it under 
any circumstances."

Dogs, tails, chasing, tired. :-;

Regards,

Joe

Disclaimer: as always, all opinions strictly my own.