Tuesday, May 29, 2007

About the Host?

Mr. Hoff had a piece yesterday that was thought provoking but I think he failed to mention a few concepts that further make the point he was trying to make.

I think a piece missing from his analysis is one related to threats and types of security you're trying to achieve.

The question of network-level security controls vs. host-based security controls can be made in the context of a corporate network, the Internet in general, but it can also be made in the case of someone like an ASP.

If we take the case of a large ASP of some sort - Google, Yahoo, etc. we find that firewalls are already just about useless. Except for PCI requiring them, I doubt most people would even bother having their webservers behind one. They'd probably prefer something lighter weight such as an ACL or whatnot. I'm allowing in only 2 ports (80 and 443) anyway and if I just don't run anything else on the systems in question I don't get a lot of benefit out of the firewall, etc.

When I start looking at my threats though I'm left with 2 primary threats.
  • My users
  • Their machines (and associated malware)

Network security controls don't help me much against either of these when I actually want the users to interact with my web application. And, for both my users and my sanity, we'd better hope they have good host security controls in place while they are accessing my site, their bank account, credit card accounts, etc. If they don't, network security controls aren't going to do a whole lot of good.

Sure, you might ask how they got infected with the malware in the first place, but I'm betting that a firewall or other network security device suitable for the end-user wouldn't have helped a lot in this situation either.

I'm not arguing that network security controls don't have a place, but the higher up the stack the attackers push, the less effective certain network security controls are going to be.

1 comment:

Christofer Hoff said...

Excellent points.

Thanks for the comments as I didn't tie back the threat vector elements as you describe...

/Hoff