What makes security hard?
Michael Howard
09-22-2000, 03:46 PM
I'd like to understand what makes security hard. Is it gluing security islands
together? Is more knowledge required? Is it time constraints?
What?
Lemme know!
Cheers, MH
Eli Allen
09-26-2000, 10:28 AM
When implementing security well requires time that others think is useless
because their less secure idea is easier to implement.
--
Eli Allen
eallen@bcpl.net
"Michael Howard" <mikehow@microsoft.com> wrote in message
news:39cba91a$1@news.devx.com...
>
> I'd like to understand what makes security hard. Is it gluing security
> islands together? Is more knowledge required? Is it time constraints?
>
> what?
>
> lemme know!
>
> Cheers, MH
Eli Allen
09-29-2000, 02:07 AM
Personal firewall. People seem to overreact to any random packet.
--
Eli Allen
eallen@bcpl.net
"Michael Howard" <mikehow@microsoft.com> wrote in message
news:39cba91a$1@news.devx.com...
>
> I'd like to understand what makes security hard. Is it gluing security
> islands together? Is more knowledge required? Is it time constraints?
>
> what?
>
> lemme know!
>
> Cheers, MH
Paul McKitrick
10-25-2000, 03:40 AM
Hi all,
I am completing an Information Science degree, focused more
towards business and clients; our university also offers a
Computer Science degree which is focused towards programming.
Throughout this last year I have been getting into security as I
finish my uni degree; this is now my main interest and focus and
is the career path I want to follow. One problem is that there
is only 1 security course in my degree, which is an optional
postgraduate course, and one optional networking course in the
final year of the undergrad degree.
This is one of the first issues that makes security hard: it
is not being taught enough. It should be a part of an undergrad
degree from an earlier stage.
Secondly, to learn I do a lot of research on the net about
security; however, I keep running into things that are
programming related (like overloading or overstacking memory??)
that I do not have a clue about, due to lack of knowledge of
programming and various languages.
What I have found to be the hardest aspect of security overall is that
there is just so much to learn. Even though the avenues of
attack are limited, there are so many possible threats and types
of threats to discover and know about.
The content itself is not hard; it is just the volume of content
to keep up with.
Hope this gives you an insight into what is going on inside a
newbie's head.
Ciao,
P.
Michael Howard
10-25-2000, 06:13 PM
Your first point, lack of education, is a valid one. I remember speaking to
an 'esteemed' professor some years back; he mentioned that the industry needs
to do more to beef up security. I agreed, but I also pointed out that we
need to teach this stuff too!!
Cheers, MH
"Paul McKitrick" <paul.mckitrick@stonebow.otago.ac.nz> wrote:
>
>Hi all,
>
>I am completing an Information Science degree, focused more
>towards business and clients; our university also offers a
>Computer Science degree which is focused towards programming.
>Throughout this last year I have been getting into security as I
>finish my uni degree; this is now my main interest and focus and
>is the career path I want to follow. One problem is that there
>is only 1 security course in my degree, which is an optional
>postgraduate course, and one optional networking course in the
>final year of the undergrad degree.
>
>This is one of the first issues that makes security hard: it
>is not being taught enough. It should be a part of an undergrad
>degree from an earlier stage.
>
>Secondly, to learn I do a lot of research on the net about
>security; however, I keep running into things that are
>programming related (like overloading or overstacking memory??)
>that I do not have a clue about, due to lack of knowledge of
>programming and various languages.
>
>What I have found to be the hardest aspect of security overall is that
>there is just so much to learn. Even though the avenues of
>attack are limited, there are so many possible threats and types
>of threats to discover and know about.
>The content itself is not hard; it is just the volume of content
>to keep up with.
>
>Hope this gives you an insight into what is going on inside a
>newbie's head.
>
>Ciao,
>P.
>
Eli Allen
11-02-2000, 02:55 AM
The universities are too worried about theory to do much with security
besides doing the crypto algorithms. Or at least that's what I've seen so
far at Maryland.
--
Eli Allen
eallen@bcpl.net
"Michael Howard" <mikehow@microsoft.com> wrote in message
news:39f74d0d$1@news.devx.com...
>
> Your first point, lack of education, is a valid one. I remember speaking to
> an 'esteemed' professor some years back; he mentioned that the industry needs
> to do more to beef up security. I agreed, but I also pointed out that we
> need to teach this stuff too!!
>
> Cheers, MH
Michael Howard
11-06-2000, 01:56 PM
>>doing the crypto algorithms
That's funny! Crypto is no panacea; in fact the best crypto is lousy if
you don't store the keys well!
"Eli Allen" <eallen@bcpl.net> wrote:
>The universities are too worried about theory to do much with security
>besides doing the crypto algorithms. Or at least that's what I've seen so
>far at Maryland.
>--
>Eli Allen
>eallen@bcpl.net
>
>"Michael Howard" <mikehow@microsoft.com> wrote in message
>news:39f74d0d$1@news.devx.com...
>>
>> Your first point, lack of education, is a valid one. I remember speaking to
>> an 'esteemed' professor some years back; he mentioned that the industry needs
>> to do more to beef up security. I agreed, but I also pointed out that we
>> need to teach this stuff too!!
>>
>> Cheers, MH
Eli Allen
11-10-2000, 01:50 AM
That's protocol. That's why I said I'm annoyed with the way it's taught. You
can know the algorithms well, but if the rest isn't implemented right it's
still insecure. Plus, screwing up the algorithm itself is kind of hard, not
to mention the math behind it doesn't help with using it.
--
Eli Allen
eallen@bcpl.net
"Michael Howard" <mikehow@microsoft.com> wrote in message
news:3a06f0c0$1@news.devx.com...
>
> >>doing the crypto algorithms
>
> That's funny! Crypto is no panacea; in fact the best crypto is lousy if
> you don't store the keys well!
>
Brad Good
11-17-2000, 10:17 AM
So, if security is such a big subject, then where do you start? What should
the normal small company that has web sites do for security?
paul noeldner
11-21-2000, 01:54 AM
I think it's the tendency of people to gloss over details when they sell things,
and then have to deal with the real-world complexity when they implement
them. For example, lots of people think 'ldap' somehow solves security and
functionality problems for web apps. It does neither; it's just data. The
biggest challenge is integrating the security models of these islands: ldap,
operating system, and services, e.g. email or personalization. The only integrated
solutions today are proprietary, e.g. Microsoft Site Server ldap + NT (or 2000)
system security plus Site Server personalization. These all enforce the
same security no matter what the access mode. The funny thing about alternatives
using 'open' solutions today is that they are also all independently proprietary,
because each carries its own security model island. Solutions? I'm looking
to XML security (whatever evolves) to provide standard interfaces for both
the security model and the security context - across languages, platforms,
and services....
"Eli Allen" <eallen@bcpl.net> wrote:
>Personal firewall. People seem to overreact to any random packet.
>--
>Eli Allen
>eallen@bcpl.net
>
>"Michael Howard" <mikehow@microsoft.com> wrote in message
>news:39cba91a$1@news.devx.com...
>>
>> I'd like to understand what makes security hard. Is it gluing security
>> islands together? Is more knowledge required? Is it time constraints?
>>
>> what?
>>
>> lemme know!
>>
>> Cheers, MH
paul noeldner
11-21-2000, 01:56 AM
Yup. Examples include the stupidity of not enforcing SSL in FTP logons, not
enforcing SSL in web logons, and the assumption that web servers are by default
not secure (why shouldn't they be?), so any trivial thin layer of security
like role-based URL access is seen as better than nothing....
"Eli Allen" <eallen@bcpl.net> wrote:
>When implementing security well requires time that others think is useless
>because their less secure idea is easier to implement.
>--
>Eli Allen
>eallen@bcpl.net
>
>"Michael Howard" <mikehow@microsoft.com> wrote in message
>news:39cba91a$1@news.devx.com...
>>
>> I'd like to understand what makes security hard. Is it gluing security
>> islands together? Is more knowledge required? Is it time constraints?
>>
>> what?
>>
>> lemme know!
>>
>> Cheers, MH
Michael Howard
11-21-2000, 05:08 PM
Rule #1 - Analyze your threats. There's a two-part article at security.devx.com
to get you started.
Rule #2 - Defense in depth. Assume everything in front of you has been destroyed
and you have to protect yourself.
Rule #3 - Don't be afraid to ask for advice!
"Brad Good" <good@penn-america.com> wrote:
>
>So, if security is such a big subject, then where do you start? What should
>the normal small company that has web sites do for security?
Michael Howard
11-27-2000, 08:42 PM
>>not enforcing SSL in FTP logons
There is no server/client combo that I know of that supports FTP over SSL.
<snip>
Eli Allen
01-04-2001, 11:35 PM
There are ways of getting FTP to go over SSH, though.
--
Eli Allen
eallen@bcpl.net
"Michael Howard" <mikehow@microsoft.com> wrote in message
news:3a22ff5d$1@news.devx.com...
>
> >>not enforcing SSL in FTP logons
>
> There is no server/client combo that I know of that supports FTP over SSL.
>
>
> <snip>
Michael Howard
01-10-2001, 06:44 PM
And IPSec :-) The good news about IPSec is ALL apps access remote servers
securely and transparently.
"Eli Allen" <eallen@bcpl.net> wrote:
>There are ways of getting FTP to go over SSH, though.
>--
<snip>
Eli Allen
01-10-2001, 07:12 PM
What if the server's IP address changes while its domain name stays the
same? For example, FTP in a cluster situation where the domain name resolves
to different IP addresses to spread the load. You wouldn't want to make
the IP address list public, so IPSec won't work very well since it's based on
a set IP address and port number.
--
Eli Allen
eallen@bcpl.net
"Michael Howard" <mikehow@microsoft.com> wrote in message
news:3a5ce5b6$1@news.devx.com...
>
> And IPSec :-) The good news about IPSec is ALL apps access remote servers
> securely and transparently.
>
> "Eli Allen" <eallen@bcpl.net> wrote:
> >There are ways of getting FTP to go over SSH, though.
> >--
> <snip>
>
Michael Howard
01-12-2001, 03:17 PM
It completely depends on how you configure IPSec. If you have a rule that
says, I will do IPSec with anyone who (a) knows this secret or (b) has this
kind of cert issued by foo, then it will all work correctly. Clusters will
work, regardless of IP address.
If you have a *filtering* rule that says, I only trust this IP address, then
yeah, it'll break. It's supposed to!
"Eli Allen" <eallen@bcpl.net> wrote:
>What if the server's IP address changes while its domain name stays the
>same? For example, FTP in a cluster situation where the domain name resolves
>to different IP addresses to spread the load. You wouldn't want to make
>the IP address list public, so IPSec won't work very well since it's based on
>a set IP address and port number.
>--
>Eli Allen
>eallen@bcpl.net
>
>"Michael Howard" <mikehow@microsoft.com> wrote in message
>news:3a5ce5b6$1@news.devx.com...
>>
>> And IPSec :-) The good news about IPSec is ALL apps access remote servers
>> securely and transparently.
>>
>> "Eli Allen" <eallen@bcpl.net> wrote:
>> >There are ways of getting FTP to go over SSH, though.
>> >--
>> <snip>
>>
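One way to express the two kinds of IPSec rule this reply contrasts, as an added illustration that is not from the thread or any of its posters: a strongSwan ipsec.conf (assumed tooling; the hostnames, DNs, address and file names are placeholders) with rules keyed on the peer's certificate or pre-shared key beside one keyed on a fixed address.

```ini
# Added illustration (not from the thread): strongSwan ipsec.conf showing the
# two kinds of rule the post contrasts. Hostnames, DNs, the address and the
# file names are placeholders for this example.
config setup

# (b) "has this kind of cert issued by foo": the peer is authenticated by its
# certificate chain and accepted from any address. A cluster member whose
# address rotates behind one DNS name still matches this rule.
conn ftp-by-cert
    keyexchange=ikev2
    left=%defaultroute
    leftcert=ftpServerCert.pem
    leftid="C=US, O=Example Corp, CN=ftp.example.com"
    right=%any
    rightid="C=US, O=Example Corp, CN=*"
    rightca="C=US, O=Example Corp, CN=Example Corp Root CA"
    auto=add

# (a) "knows this secret": same shape, but both sides prove knowledge of a
# pre-shared key. The key itself lives in ipsec.secrets, never in this file.
conn ftp-by-psk
    keyexchange=ikev2
    left=%defaultroute
    leftid=ftp.example.com
    leftauth=psk
    right=%any
    rightid=%any
    rightauth=psk
    auto=add

# The *filtering* rule: trust is tied to one peer address. When the cluster
# hands out a different address for the same name, nothing matches and the
# tunnel does not come up, which is exactly what the post says should happen.
conn ftp-by-address
    keyexchange=ikev2
    left=%defaultroute
    leftcert=ftpServerCert.pem
    leftid="C=US, O=Example Corp, CN=ftp.example.com"
    right=192.0.2.10
    rightid="C=US, O=Example Corp, CN=client1.example.com"
    rightca="C=US, O=Example Corp, CN=Example Corp Root CA"
    auto=add
```

The first two conns are the identity-based policy Michael describes; the third is the address filter that Eli's load-balanced FTP name would trip over.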