Vulnerability statistics for Mac and Windows
ZDNet | February 28, 2006 | George Ou
Posted on 02/28/2006 6:57:54 PM PST by elfman2
To: Natty Bumppo@frontier.net
Thanks for all that. It was pretty informative.
I may have an incorrect conception of firewall failure. I was under the presumption that a firewall failure is when it's configured to allow only traffic of specific types (port, IPs, etc.) and it fails to do so. (That's why I was taken aback by your 10-20 percent failure estimate.) But they've apparently grown more sophisticated than the one I tried to lock down 8 years ago, and now their anti-trojan/anti-virus feature failures are considered a failure of the firewall. If I read you right, you're also including management failure. If I understand you correctly, I'm not sure how hybridizing the network has a beneficial effect in and of itself. Good administration and tools intuitively seem to be an answer, not hybridization.
8 years ago I purchased a book on network security using MS Proxy Server. I forgot almost everything, but remember one line where the author said that people place too much emphasis on firewalls for network security. He said something to the effect that it's better to not have a firewall at all and correctly configure each station and educate each user than to lock down a firewall and think the job's complete. With more sophisticated threats and personal firewalls, that's probably just as true today.
21 posted on 03/04/2006 3:04:39 PM PST by elfman2
To: elfman2
My original post was:
"The BEST Firewalls have a 10-20% probability of stopping a sophisticated attack."
That statement remains true even if the firewalls are properly configured and don't fail (according to your definition).
As regards hybrid versus homogeneous networks:
If the network is homogeneous, the hacker can jump from box to box with a very high degree of confidence in the configuration of the hardware and software he will find. This greatly increases his chance for success and greatly decreases the probability of detection. A vulnerability found on one box in a homogeneous network is likely to be found on several (if not all) boxes. And once elevated privileges are established on one box in a homogeneous network, exploiting the trust relationship to other identical boxes is trivial. Also, homogeneous networks tend to have the same unnecessary ports and services running on identical configurations across the network. This tends to provide a convenient, reliable, (and largely covert) "transportation grid" across the network and allows for tuning automatic scans and tools to minimize detection. For an elite hacker, "compromise is failure."
Stumbling across a "non-standard" router, server, or computer can ruin a hacker's whole day (or weeks and months of work). The probability of detection just went way up, because this box will not be susceptible to the same methods that worked on all the other boxes, and because his careful efforts to mask his activity against the other identical boxes may highlight his activity against this box.
Variety among firewalls and IDS is even more important. If several different brands and technologies are used in firewalls and IDS, their weaknesses tend to cancel out, especially if they are deployed in a non-uniform (ideally random) manner.
Predictability is the hacker's friend and unpredictability his enemy.
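The post above argues that identical boxes share identical vulnerabilities, that uniformly open ports form a "transportation grid", and that vendor variety among firewalls and IDS makes their weaknesses cancel out. The script below is an added example, not code from either poster, that turns those three claims into measurements a defender can take from an asset inventory: how much of the fleet shares one exact configuration fingerprint, how far a flaw found on one host would be expected to spread, which ports are open almost everywhere, and how concentrated the perimeter vendors are. The host names, OS labels, port lists and vendor names are all constructed for the example; the 0.8 threshold for "open almost everywhere" is an assumption, not a figure from the thread.

```python
"""Fleet-homogeneity check over a constructed host inventory (added example)."""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed inventory: host, OS build label, listening TCP ports.
# The four "ws" workstations are deliberately identical.
INVENTORY = [
    {"host": "ws01", "os": "win-xp-sp2", "services": ("135", "139", "445", "3389")},
    {"host": "ws02", "os": "win-xp-sp2", "services": ("135", "139", "445", "3389")},
    {"host": "ws03", "os": "win-xp-sp2", "services": ("135", "139", "445", "3389")},
    {"host": "ws04", "os": "win-xp-sp2", "services": ("135", "139", "445", "3389")},
    {"host": "srv01", "os": "win-2003-sp1", "services": ("135", "139", "445", "80")},
    {"host": "fs01", "os": "openbsd-3.8", "services": ("22",)},
]

# Constructed perimeter devices: name, role, vendor.
PERIMETER = [
    {"name": "fw-edge", "role": "firewall", "vendor": "vendorA"},
    {"name": "fw-dmz", "role": "firewall", "vendor": "vendorA"},
    {"name": "ids-core", "role": "ids", "vendor": "vendorB"},
]


def fingerprint(rec: Dict) -> Tuple[str, Tuple[str, ...]]:
    """Exact configuration profile: OS build plus the sorted set of open ports."""
    return (rec["os"], tuple(sorted(set(rec["services"]))))


def homogeneity(inventory: List[Dict]) -> Dict:
    """How many distinct profiles exist and how large the biggest identical cluster is."""
    counts = Counter(fingerprint(r) for r in inventory)
    profile, size = counts.most_common(1)[0]
    return {
        "profiles": len(counts),
        "largest_cluster": size,
        "largest_share": size / len(inventory),
        "largest_profile": profile,
    }


def blast_radius(inventory: List[Dict], host: str) -> List[str]:
    """Other hosts with the exact profile of `host`: where a flaw found on it is
    expected (per the post's argument) to be present as well."""
    target = next(r for r in inventory if r["host"] == host)
    fp = fingerprint(target)
    return sorted(r["host"] for r in inventory
                  if r["host"] != host and fingerprint(r) == fp)


def common_services(inventory: List[Dict], threshold: float = 0.8) -> List[str]:
    """Ports open on at least `threshold` of all hosts: the uniform
    'transportation grid' the post describes. Threshold is an assumption."""
    n = len(inventory)
    per_port = Counter(p for r in inventory for p in set(r["services"]))
    return sorted(p for p, k in per_port.items() if k / n >= threshold)


def perimeter_diversity(devices: List[Dict]) -> Dict:
    """Vendor count and the share held by the single most common vendor."""
    by_vendor = Counter(d["vendor"] for d in devices)
    return {"vendors": len(by_vendor), "max_share": max(by_vendor.values()) / len(devices)}


if __name__ == "__main__":
    h = homogeneity(INVENTORY)
    print(f"{h['profiles']} profiles; largest cluster {h['largest_cluster']} hosts "
          f"({h['largest_share']:.0%} of fleet): {h['largest_profile']}")
    print("blast radius of ws01:", blast_radius(INVENTORY, "ws01"))
    print("ports open on >=80% of hosts:", common_services(INVENTORY))
    print("perimeter vendor diversity:", perimeter_diversity(PERIMETER))
```

A high `largest_share` together with a non-empty `common_services` list is exactly the situation post 22 describes; splitting the largest cluster (different builds, fewer shared listening ports) or adding a second firewall vendor moves these numbers, which gives the hybridization argument a quantity to track rather than an intuition.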