Ryan Russell wrote:
>>I don't think a firewall is an answer to _any_ question, anymore.
>
>You're being a perfectionist... not normally a bad thing, but..
I wish I was. :( I haven't had a chance to be a perfectionist
for a looong time. :(
More precisely, I am being a cynic. I am no longer working for
a firewall vendor, so I no longer have to keep trying to make
excuses for the things. All firewalls have done is dumbed down
a complex problem to the point where it's actually more dangerous
because it offers the novice the premise that they can survive
in a hostile environment, without having a clue.
>You're asserting that if there is one hole (say, a really big one), then the
>entire firewall might as well not be there. This is, of course, untrue.
Of course I am! And I'm right, unfortunately. If there is a
single hole, especially a big one, someone can get behind the
firewall and make the whole firewall a moot point. Indeed, if
it's a repeatable, programmable hole, then it can render whole
flocks of firewalls moot with a single mouse-click.
So it's not untrue. A firewall with a vulnerability is an
exercise in hope and self-deception, not a security solution.
>In a security class I once took, the instructor claimed that a proxy
>is not a firewall. A proxy is something that lets things through. A
>firewall is something that stops them. He claimed there were different
>components, though complementary. I tend to like that train of thought,
>though it's not popular when we get into philosophical discussions like
>this.
Whoever coined the term "proxy" for a firewall component
must have been a drooling idiot. ;)
>Are you running NFR with no firewall? :)
NFR's network has a mix of screening routers with SSH. We've
also had problems in the past from people who wanted to count
coup on us/me. I myself do my web stuff from largely disposable
machines using an ISP that hasn't got very good security (yes, you
who've been reading my mail, someday we'll discuss that privately...)
Nothing's perfect. One of the reasons I've been focussing my
energy on audit/intrusion detection is because I realized that
nobody has a clue how bad security _really_ is.
>(This is more Marcus-bait. He probably wrote a new one from scratch
>for this purpose...)
If I write another firewall product, it will only support attachment-free
Email, DNS (via a "proxy") and SSH. It'll require challenge/response
authentication for every outgoing packet. :)
mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr