Witty Extinction
Kelly Martin, 2004-04-07

The Witty worm set a dangerous precedent on the Internet because it introduced a number of evil new "firsts" in the ever-changing world of modern worms and viruses.

Witty Extinction 2004-04-07
Matthew Murphy
Witty Extinction 2004-04-08
Anonymous
Witty Extinction 2004-04-08
Leonidas
Witty Extinction 2004-04-08
Anonymous Coward
DiD is the key 2004-04-09
Anonymous (1 replies)
The key here is not the exploitation of a vulnerability in a single product line. It is that even home users need to consider DiD. I've seen many businesses that have fallen for the "integrated management" offered by single source vendors and so have one style of security product in each defence category, top to bottom. The same compromise that gets through the external layer also lets you into the innermost protected sanctum.

FWIW, I have a packet filter, bastion host (locked down hard, packet sniffer and port scanner active, AV & spam filters, NAT), hardware firewall (outbound ports open, nothing permitted to open inbound connections) and then my home network, which also has a packet sniffer active and port scanners on most machines, with AV on Windows systems.

I'm concerned that even that isn't enough because of the weakness of the two AV solutions I use (mail server scanner and desktop). A DayZero attack will blast through the primitive signature recognition of both AV scanners and implant the payload deep in my defences. It's happened once this year, already.

That's the real risk - even with a DiD approach, there are still weaknesses. IMO the main one remains primitive virus recognition. Signatures may have been usable in the world of sneaker-net, but are simply not credible with 2Mb/s (A|S)DSL cheap and getting cheaper.



Link to this comment: http://www.securityfocus.com/comments/columns/232/25733#25733
DiD is the key 2004-04-15
Reality
Witty Extinction 2004-04-13
Anonymous
Witty Extinction 2004-04-13
Anonymous
ISS not to be blamed 2004-04-14
Mohammed Abdel Kader







 

Copyright 2009, SecurityFocus