Sunday, 23 December 2012

Truly Secure - Enterprise Architecture is the Answer - THINK SECURE!

Well, I thought it was time to do a proper blog rather than just do the magazine articles and then Tweet about them.

I'm getting really underwhelmed by this industry - I keep hearing "we've bought a new XXXX device that does packet inspection/filtering/some other check on a single packet". Please tell me how this can help? I can quite easily use the sockets API and PF_PACKET option, with an ioctl to allow writing, to rip off accurate existing packets and change them to look however I want. So, how will packet inspection help there?

The only answer to distributed denial of service attacks is to distribute the response. After all, that is how IP was designed - to distribute the packets and loads when a failure occurs.

I also keep hearing about how companies secure their external interfaces (to some extent), lock down the machines of their staff, but then assume everything is secure internally. Recently I wrote a kind of mini Wireshark for WiFi that just listens for broadcast wireless signals and then subtly changes them and broadcasts its own signal - pretending to be the same networks as it hears - essentially disabling the wireless networks it clones. I don't attach to anything - I just stand outside a building and run my utility on my Linux netbook or Raspberry Pi. My point is simply that it is a broadcast medium and if I choose to broadcast something like someone already does then I probably am not breaking any laws. However, I've just killed their WiFi. Assuming internal networks are secure and protected is a very, very bad idea.
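A defensive counterpart to the SSID-cloning utility described above, added here as an example and not code from this post: a small Python detector that parses captured 802.11 beacon frames, extracts the SSID and BSSID, and flags any beacon advertising a known SSID from an address outside a (constructed) inventory of authorised access points. The frame layout assumed is the standard management-frame header plus fixed parameters; the sample frames are constructed inline for the test, never transmitted.

```python
import struct

# Constructed inventory of authorised access points: SSID -> set of BSSIDs.
KNOWN_APS = {"CorpNet": {"00:11:22:33:44:55", "00:11:22:33:44:56"}}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_beacon(frame: bytes):
    """Return (bssid, ssid) for an 802.11 beacon frame, or None otherwise."""
    if len(frame) < 36:
        return None
    fc = frame[0]                     # frame control: version | type | subtype
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype != 8:    # management frame, beacon subtype
        return None
    bssid = mac_str(frame[16:22])     # addr3 carries the BSSID in a beacon
    pos = 36                          # 24-byte header + 12 bytes fixed params
    ssid = ""
    while pos + 2 <= len(frame):      # walk the tagged parameters
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if tag == 0:                  # SSID element
            ssid = body.decode("utf-8", errors="replace")
            break
        pos += 2 + length
    return bssid, ssid


def find_rogue_aps(frames, known=KNOWN_APS):
    """Flag (ssid, bssid) pairs advertising a known SSID from an unknown BSSID."""
    rogue = set()
    for f in frames:
        parsed = parse_beacon(f)
        if parsed is None:
            continue
        bssid, ssid = parsed
        if ssid in known and bssid not in known[ssid]:
            rogue.add((ssid, bssid))
    return sorted(rogue)


def sample_beacon(ssid: str, bssid: str) -> bytes:
    """Constructed capture sample for testing the detector (not transmitted)."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    header = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, interval, capability
    return header + fixed + bytes([0, len(ssid)]) + ssid.encode()
```

Running this over a real capture (for example, frames exported from a monitor-mode interface) turns the inventory comparison into a simple evil-twin alert feed.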

So, embed security throughout the enterprise architecture. Lock down every host and only allow through what is needed. Secure the networks with ACLs throughout. Assume that the internal users are more dangerous than the external users and that you WILL be compromised.

Think secure!