The view from the other side of the fence

### On Wed, 13 Mar 2002 08:00:41 -0500 (EST), Sean Donelan
### <> casually decided to expound upon Rajesh Talpade
### <> the following thoughts about "Re: The view
### from the other side of the fence":

> A network is only as secure as its weakest link....
> sounds like a cliche, but am afraid this least-common-denominator rule
> will hold as networks converge.

Is there anything we can do to improve this? How can we make sure
the people who "need-to-know" find out how to secure their weakest
links instead of waiting for each company to stumble along their
learning curve?

That's a good question. Unlike the systems world, where there seem to be
quite a few free as well as commercial toolkits alongside stuff that gets
distributed OEM to run security audits (many OSes are preconfigured as part
of their installation process to generate periodic audits), there don't
seem to be many such toolkits for auditing networks as a whole. I think
this stems from several reasons (and I'm probably missing a few).

[1] Diversity in network designs forces security folks to tailor their
    auditing tools to a particular network.

[2] Exposure of homegrown auditing methods and procedures is viewed as a
    security breach, so such things are simply kept secret. I suspect,
    however, that no one has really developed a comprehensive generic
    auditing tool or toolkit but instead relies on a combination of
    handcrafted scripts and security policies to run manual audits instead
    of automated ones. Someone please prove me wrong.

[3] Networks are not really thought of holistically the way a server is in
    the systems world. Security tools are targeted more towards auditing
    devices individually because modelling the entire network is too
    difficult.

I suppose some of the folks doing IDS and/or distributed firewall (Oh, Mr.
Bellovin? |8^) development may be able to shed better light on the subject.
But IDS seems to be a reactive measure rather than a proactive one, and
distributed firewalls may address some issues with device security but
don't seem to really touch on enforcing sane routing practices.