On Wed, May 26, 1999 at 07:29:07PM -0700, Jen wrote:
| Marcus,
| 
| So I guess what you're saying is we're all doomed? ;-)

No, Marcus knows that if he said that someone would come back with an
exception to show how smart they are.  He's saying most of us are
doomed. :)

| Firewalls do logging, etc., which routers generally don't.  I think this
| is at least half the value of a firewall.  That said, your point about a
| firewall providing no better protection than a well configured router is
| well taken. However, the vast majority of the people responsible for
| network security have neither the time nor the skill to do that kind of
| configuration.  Yes, that's a sad state of affairs, but I don't think
| that as a result we should all lie down and wait for death.  We'll make
| do with what we have, even if it's not the best.

There are programs available to write firewalling rules for routers.
If you can't use them, what makes you confident that you can configure 
and test your firewall properly?

| Ultimately, I think what most of us on this list are after is a degree
| of acceptable security, not absolute security (which I'd argue is not
| possible).  Saying that we need to use protocols designed to be secure
| is a nice ideal, but it's not practical -- what we actually need is to
| bring in revenue, which always entails risks.

So the question should be, is adding a firewall sufficiently useful to 
make it worth the cost?

| This isn't a pessimistic outlook, just a pragmatic one.  Security is
| about improving the odds, not removing all risk.  So when we discuss
| things like allowing DCOM (or allowing modems behind the firewall) --
| sure, it's good to point out reasons you wouldn't want to do this.  This
| info might even help someone convince management not to do it.  But, in
| the end, if the business decides to go forward with the plan even
| knowing the risks, let's help the poor person who's stuck with a bad
| situation make it less bad.

Rob Kolstad, in his ;login column this month talks about one of the
risks of competence: Competent people, eager to demonstrate their
skills, do dumb ass shit to prove they can do it.  (He gives the
example of someone putting a garbage disposal on the net.) In doing
so, they create massive headaches for themselves and others.

There is, analogously, a case to be made for not making these things
less bad, so that people are bitten by their own set of
"requirements."  Not sprinkling magic security dust on it, and simply
saying "This is beyond redemption" may not make your bosses happy, but
there are *lots* of jobs for security people.

| As an aside, here's something to ponder: Yes, it's sad that most folks
| responsible for security aren't experts.  But are sophisticated hackers
| multiplying at a greater rate than expert security professionals? Or are
| they mostly novices, too?  I suspect that, to a large degree, what we're
| using firewalls to protect against is hacker tools. Kind of ironic,
| isn't it? We have security tools for novices to protect against hacking
| tools for novices.

        Sophisticated hackers are proliferating faster because no one
is forcing them to use dumb tools, and waste their time fighting the
wrong battles.  This allows them to focus on the things that they
ought to be doing to gain skills, rather than the things someone
thinks they should be doing to make money.  Not that most kiddies ever 
advance beyond that stage, but the pressures keeping them there are
smaller.

        Also, the dark side have better channels of communication than 
we do.

| P.S. I fall into that category you despair over -- a novice who's doing
| security (actually, I'm worse -- I'm a manager of novices doing
| security).  There's no way any of us could configure a router to be more
| secure than our firewall is (or should I say to be less insecure than
| our firewall is?).  But I'll bet our network is more secure than most. 

If you're a novice, how can you say that?

Adam



-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume
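The thread above argues that router filtering rules can be generated by a program and that a rule set you cannot test is not one you should trust. As an added example (not code from any participant in this thread), the script below generates a Cisco IOS style named extended ACL from a small policy table, adds the logged explicit deny that gives a router the logging the reply says firewalls have and routers usually lack, and then checks the rule set against constructed sample packets and for shadowed (never-matching) rules before it goes anywhere near a router. The site addresses (192.0.2.0/24, 198.51.100.53), the policy and the sample packets are all made up for illustration; the output syntax follows the common IOS `ip access-list extended` form, and nothing here talks to a real device.

```python
"""Generate a Cisco IOS style extended ACL from a policy table and test it.

Added example for this thread; all addresses, the policy and the sample
packets are constructed for illustration, not taken from any real network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str               # CIDR; "0.0.0.0/0" means any
    dst: str
    dport: Optional[int] = None   # destination port; None means any
    log: bool = False             # append the IOS 'log' keyword


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


# Constructed inbound edge policy for a hypothetical 192.0.2.0/24 site.
POLICY = [
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.25/32", 25),           # SMTP to the mail host
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.80/32", 80),           # HTTP to the web host
    Rule("permit", "udp", "198.51.100.53/32", "192.0.2.53/32", 53),    # DNS from the upstream resolver only
    Rule("deny", "ip", "0.0.0.0/0", "0.0.0.0/0", None, log=True),      # explicit, logged deny-all
]

# Constructed test cases: (packet, expected action). This is the "test your
# rules" step; every rule should be exercised by at least one packet.
CASES = [
    (Packet("tcp", "203.0.113.9", "192.0.2.25", 25), "permit"),
    (Packet("tcp", "203.0.113.9", "192.0.2.25", 23), "deny"),    # telnet to mail host
    (Packet("udp", "203.0.113.9", "192.0.2.53", 53), "deny"),    # DNS from a stranger
    (Packet("udp", "198.51.100.53", "192.0.2.53", 53), "permit"),
    (Packet("tcp", "203.0.113.9", "192.0.2.80", 80), "permit"),
]


def _wildcard(net) -> str:
    """IOS wants inverted masks: 192.0.2.0/24 -> '192.0.2.0 0.0.0.255'."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def render_acl(policy: List[Rule], name: str = "EDGE-IN") -> List[str]:
    """Emit the ACL as the lines you would paste into IOS config mode."""
    lines = [f"ip access-list extended {name}"]
    for r in policy:
        src = _wildcard(ip_network(r.src))
        dst = _wildcard(ip_network(r.dst))
        port = f" eq {r.dport}" if r.dport is not None else ""
        log = " log" if r.log else ""
        lines.append(f" {r.action} {r.proto} {src} {dst}{port}{log}")
    return lines


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(policy: List[Rule], pkt: Packet) -> Tuple[str, bool, Optional[int]]:
    """First match wins, as on the router. Returns (action, logged, rule index).
    If nothing matches, IOS applies a silent implicit deny (index None)."""
    for i, r in enumerate(policy):
        if matches(r, pkt):
            return r.action, r.log, i
    return "deny", False, None


def verify(policy: List[Rule], cases) -> List[str]:
    """Return a description of every case whose outcome differs from the policy intent."""
    failures = []
    for pkt, expected in cases:
        action, _, idx = evaluate(policy, pkt)
        if action != expected:
            failures.append(f"{pkt}: expected {expected}, got {action} (rule {idx})")
    return failures


def shadowed_rules(policy: List[Rule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule already
    covers everything they would; a classic hand-written ACL mistake."""
    out = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            if (earlier.proto in ("ip", later.proto)
                    and ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                    and earlier.dport in (None, later.dport)):
                out.append(i)
                break
    return out


if __name__ == "__main__":
    print("\n".join(render_acl(POLICY)))
    print("shadowed rules:", shadowed_rules(POLICY))
    print("failures:", verify(POLICY, CASES) or "none")
```

Two points the script makes concrete: without the trailing `deny ip any any log`, the drop still happens (the implicit deny) but you get no record of it, which is the logging gap the reply attributes to routers; and `shadowed_rules` catches the case where a broad rule placed too early silently disables a later one, which is exactly the kind of error that an untested hand-written rule set carries into production.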

