Question: Fewer choices means less security?
Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Question: Fewer choices means less security?

  1. #1
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177

    Question: Fewer choices means less security?

    Reading the recent threads surrounding Microsofts acquistion of Sybari (and Giant), and having piped up myself about it being no wonder Microsoft is actively getting into the security business, it got me to thinking.

    With a 90%+ market share for end users, and showing no signs of slowing down, Microsoft could well start to dominate the 'end user security industry'. Do we as Information Security evangelists really feel comfortable getting all of ours eggs from the same basket? For a business manager, it could be tempting. I'd bet that enterprise licensing for Server/Desktop Operating Systems, Application Servers, Email/PIM servers, Personal Productivity clients, Server/Desktop/Email-Filter antivirus, Server/Client anti-spyware packages is a helluva lot cheaper from 1 vendor than from 10.

    But is that really a good idea? I'm not saying 'no' definitively, I'd like to see some conversation from several view points to expand my position on this subject.

    My initial reaction is a bit negative. The term defense-in-depth comes to mind, and here's what I mean. You don't secure your network with simply 1 firewall and assume everything will be fine. You buy the firewall, but you also configure a DMZ, host based firewalls, IDS, maybe throw in an IPS, type your fingers to the nub configuring and testing everything, and then spend countless hours testing, vallidating, monitoring, and patching. Your intention is the firewall stops 100% of the bad traffic...but if even 1 attack comes through, you have other lines of defense. The DMZ will hopefully contain the outbreak. It it doesn't, the workstations all have their own defenses. The IDS will alert you sooner, and the IPS (if it actually works) could shut down or at least bottleneck the attack vector.

    So seeing how all these things will sort of work in harmony, I can imagine how attractive an offer to acquire all of these pieces from the same vendor at a discounted price would look (since you are buying several items 'in bulk'.) But is that wise? Do we really want to trust one company to make all of our software (firewall, av, as, monitoring, etc.) and also validate that if the right combination of attack packets comes along, the whole house of cards won't come tumbling down?

    There are obvious advantages from getting all of your solutions from one point; interoperability, consistent interface, easier to support and troubleshoot, licensing and cost benefits.

    But what about the value of 'defense in depth'? We see the idea mentioned here almost everyday! How many of us rely SOLELY on Ad Aware, and don't bother with Spybot-SD, MS Anti-Spyware, PestPatrol, etc. as well? I think its safe to safe you are foolishly deluded if you think a single product will protect you from all the various forms of malware out there.

    So why would we think that Microsoft (or Symantec...or McAffee) has all the answers we seek? Anyone have a different position?

    I'll be back in a bit...discuss amongst yourselves.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  2. #2
    There are obvious advantages from getting all of your solutions from one point; interoperability, consistent interface, easier to support and troubleshoot, licensing and cost benefits.
    Centralization is the keyword here... when things need to get done, you have one number to call, one representative from one vendor to get the wheels movin.

    and also validate that if the right combination of attack packets comes along, the whole house of cards won't come tumbling down?
    I can't really see a situation where a one vendor network can be crippled from the same vector, perhaps you had one in mind? Let's think of this though, if 20 devices fail, and you need to get back up and running, do you want spend time with 20 different vendor reps, or would you rather start limiting your risk with one phone call? Response time is a benefit with one vendor, they pay attention to you when you're a valued custy


    edit:

    This is kind of related. I had a conversation with someone who felt that it would be a better idea to have unique firewalls everywhere there should be one. The reasoning was that the same exploit couldn't be used on all the firewalls, limiting your risk.

    However, this is a bad idea because it increases risk, you now have a new potential vector for every new firewall you put up. If an attacker wants in, they have a wide array of choices and just need to wait for a new vuln for any of those firewalls to pop up.

  3. #3
    Senior Member
    Join Date
    Apr 2002
    Posts
    317
    I am not immune to the idea that centralization is good. However, I also see that we are a society built around specialization. We have specific people who handle specific tasks. Integration of all those specifics can be brutal (to say the least).

    With our network I am not so inclined to put my faith entirely in one vendor. I like the convenience of having one vendor, but knowing that there is possibly someone better out there, I will pay the extra and spend the extra time on a seperate phone line if needed. The specialization of specific vendors is a good thing. Most work diligently to master their craft and I have reaped the rewards of well designed applications to aid me in my daily tasks and they take in a profit for that hard work. I believe this to be a system that works in this case.

    On occassion there have been issues for which we required a little support, but making the call was almost easy; the hardest part of the process was using the rolodex to find the name and number I needed.

    I have had little occassion to call for support as of late however having to monitor several updates of different products on a regular basis is tedious. We work to refine and patch our systems all the time. I am torn by the idea that I could alleviate some of my daily workload. Knowing that, at least in theory, all the patches and updates from one vendor should work with all the modules comprising your collection of their application suite. Not having run multiple update services, creating several batch files to run updates, or (the one I hate most) having to manually navigate separate websites and then run installers is more than just appealing.

    No to bash microsoft, we use many of their products because they work, but they do tend to be a little slow getting their patches out. I have suffered delays at the hands of other vendors and have dropped them like bad habits. I am often frightened that I have done all that I can but there is still one patch I need but can't have because my vendor is not helping me through.

    I believe that as we move forward we will see more attempts to provide aggregate suites as well as comprehensive suites from individual vendors. Until such time as they can be proven as any more secure, I will continue test in a safe, disconnected test environment before implementing and only when I'm sure will I allow full implementation. I suppose I'm a masochist, I would rather suffer through the less than productive expenditure of my time while I wait it out and see what happens.

    Just my opinion though.
    \"I believe that you can reach the point where there is no longer any difference between developing the habit of pretending to believe and developing the habit of believing.\"


  4. #4
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    well, the problem is, when one company takes of a market place (microsoft in this case) the product quality tends to drop becasue of lack of competition. that is my biggest concern.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  5. #5
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    zen, it sounds almost like Cyberinsecurity: The Cost of Monopoly. Reality is we've been doing this for quite a while to varying degrees (e.g., BIND for DNS, Apache for HTTP). Although I will say that I haven't seen anyone take it to the degree that Microsoft has. I worry about putting everything into one since it removes, to a degree, the idea of layers of security. One of the reasons why, IMO, Linux/Unix doesn't have as many overriding threats (besides smaller audience/usage) is the diversity that exists. While to a newbie it may seem daunting, the reality is that there is safety in numbers so to speak.

    Sybari has told me that they will continue to product their product as they have but I wonder how long that will last or how quickly it will change. When you have an attitude that "vulnerabilities don't exist until someone knows about them", you can get worried.

    I have found, unfortunately, that there is a triangle to security. The three sides are: security, ease of use and stability. You can, however, only pick two. So which ones do you gamble on?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  6. #6
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177

    Excellent!

    I have found, unfortunately, that there is a triangle to security. The three sides are: security, ease of use and stability. You can, however, only pick two. So which ones do you gamble on?
    That's rich! It reminds me of an old craft sign at the state fair.
    "We do three kinds of work here:
    Quick
    Good
    Cheap
    You can have any two"

    So far I'm hearing positions that seem akin to mine. I agree that multiple vendors makes for more work, simply because you have different venues to subscribe to for information of vulnerabilities and updates. There are many more reasons, but thats the simplest to point out. The idea that you should use a differentent brand of firewall at every instance of one is...ridiculous. I mean, if there's a legitimate need, or if you've got a legacy heterogenerous environment that's been hobbled together over time, I can see how that would happen...but to do so as a matter of policy? That's crazy work.

    When I refer to a the 'magic attack sequence' it was more of a nod to the recent Symantec announcement. That was quite a long list of products affected, and I could see how many of them would be deployed at different points within an organization. Now I was just making a reference, we don't use anything from them so I didn't spend a lot of time with it, and I don't really know what the specific vulnerability was. It was an example.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  7. #7
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    Zen: You have some great points but I think the problem is much larger.
    I manage 100s of hosts running UNIX, MS, Novell, and so on. Properly configured, they all
    run as intended with very little downtime, viruses, worms, spyware yadda yadda yadda.

    I think the focus should start getting away from network operating systems and their supporting softwares, and move towards the fact the TCP/IP and IP4 in particular with their many protocols and sub protocols whos RFC's are still held in high regard is garbage. We continue to limp along with SMTP for example. The vast majority of Inet traffic + problems is SMTP based. Garbage is garbage regardless of how many band-aids you strap on it. IDS, IPS, AV, PFW they are all just bandages to try to stop the bleeding.

    Zen, nice work on getting a decent discussion going. While this forum is too often MS bitchfest cliche, discussions like this are a great addition.

  8. #8
    Member
    Join Date
    Dec 2003
    Posts
    97
    Another value in staying with one vendor is there is that your tech support folks and security professionals are more likely to know all the ins and outs of that vendors product. This should reduce the number of security holes that are open due to misconfiguration.

  9. #9
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    The idea that you should use a differentent brand of firewall at every instance of one is...ridiculous. I mean, if there's a legitimate need, or if you've got a legacy heterogenerous environment that's been hobbled together over time, I can see how that would happen...but to do so as a matter of policy?
    I don't think that's necessary as it seems rather overboard. It's the opposite extreme to having all your "security answers" from one source. I believe that if there is enough variety -- say a mix of CISCO devices (Pix, routers, etc.) along with say Sourcefire for an IDS, Linux server to serve MySQL and Apache, Email on AS/400 with Windows XP for Desktops.

    I also think this depends on how large the company is. Smaller organizations will be more dependent on uniform environments for a cost factor. Larger environments need more "heavy duty" server types (RS/6000, AS/400, etc. -- to me, Microsoft Servers, while I know they have Datacenter versions and the like, are a medium strength server). I think OS monopolies work better and can be controlled better when you are only dealing with a small handful of servers compared to if you are deaing with 100 or more.

    Another value in staying with one vendor is there is that your tech support folks and security professionals are more likely to know all the ins and outs of that vendors product. This should reduce the number of security holes that are open due to misconfiguration.
    At the same time, it might lead to a false sense of security because they "know all the ins and outs". While being extremely knowledgeable and it may reduce some risks, I still believe there is a higher risk if a worm is able to go through the "shop" (Linux shop, Windows shop, etc.). You need only to see the effect of slammer/sapphire to see what happens when we put all our eggs in a basket. (keep in mind that the MDSE is found in other sources than just Microsoft SQL)
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  10. #10
    Member
    Join Date
    Dec 2003
    Posts
    97
    Excellent point, a threat like SQL Slammer or Blaster is much greater in a single vendor shop.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •