I believe that there are some discussing this who have never dealt with
security in the real world. Sometimes people take a "Certified Engineer"
class and feel that makes them knowledgeable. Others are perhaps engineers
who have never focused on security, merely leaving it as a secondary point
to any project. However, they feel that they can comment on security and
actually say something useful. This is not the case.
The theory of security through obscurity has long since gone the way of
the theory of a flat earth. The idea that a challenge to the bunch of
overworked engineers, analysts and assorted list members proves the success
of a product is nonsense. Open review in lab environments, with access to
all code and design information, is what is needed to test a security
product. If there are holes easily visible in the code, or implementation
of the code, then it's only a matter of time before it's found. There are
many examples of products that have been reviewed and have passed (see PGP,
in the field of encryption).
In this situation we are discussing firewalls. Is MS Proxy the firewall
solution I should use? To answer, let's look at an example:
ACME motor company makes an easy to use shiny new line of cars, everyone
rushes to buy them... they've been tested by ACME engineers... then they
begin exploding on impact. ACME recalls them and fixes them... they still
explode on impact. ACME brings out a new line of cars, again they're shiny,
new and tested by ACME engineers, but the engine mysteriously drops out of
them after 10,000 miles. ACME recalls them and fixes them, when you look at
the fix, you realize that they used duct tape and angle iron to hold the
engine in place. Now they come out with the ACME Mini-van... will you buy it?
A company's track record NEEDS TO BE CONSIDERED, and when it comes to
security MS falls flat on its face.
Would you feel better if you pulled the mini-van into a garage and told the
mechanics to take a look at it if they got a chance.... Since the mechanics
usually have a lot to do, they may give it a glance, maybe even take it for
a test drive... but that's all. They will base their opinion on the company
that manufactured the van, as well as what they know of the van.
Wouldn't it be more intelligent to simply buy a van that comes from a
reputable company? One that's been in production for a few years? One that
mechanics suggest?
If you buy the MS-Proxy mini-van... I hope the engine doesn't fall out at
10,000 miles.
D. Clyde Williamson
http://www.interhack.net/people/dclydew/
--------------------------------------------
Quidquid latine dictum sit, altum viditur. |
(Anything in Latin sounds profound.) |
--------------------------------------------