Zarcone: you do have a point, perimeter security is not enough. But has it
ever really been enough? For how many years have we had to deal with
backdoor modem connections? For how many years have we had to deal with
viruses coming in from floppy disks or even shrink-wrapped CDs? I don't
think firewalls will ever be a magic bullet that will stop all, or even most
of the bad guys. It pains me to see people who say "we don't need security
on our internal hosts, we have a firewall", and then to find out that the
firewall more resembles a router because of all the swiss cheese holes in it
("you allow incoming telnet, bidirectional ftp, freaking rpc on all the
higher level ports, and you think you're secure? Why?", response "because it's
all going through the firewall"). But I will say that firewalls provide an
important component in enforcing policies and providing a "safER", not
"safe", method of connecting to the Internet. But, just like the human
body, we cannot rely on one layer of defense alone. We need a hard outer
shell, but we also need network and host based intrusion detection systems.
We need signature generators to detect modifications of system files on
servers. We need anti-virus code on the PCs and on email attachments. We
need wardial testing of all the company phone numbers. We need application
vendors to write code that isn't so damn optimistic and that does not need
root privs for everything. We need to enforce periodic upgrading to the
latest release level of all servers and routers and all infrastructure on a
periodic basis to fix old bugs. We need programs like ssh and ssl and
pgp/gpg to do strong encryption, to hide sensitive data, to do strong
authentication, etc. We need to get other people to understand that their
little hole combined with someone else's little hole makes for a big hole,
and the harder part, to make them see that the big hole is their
responsibility.
Now to turn this thread to something useful: what other mailing lists are
there for various aspects of security like war dialing, host intruder
detection, etc?
> -----Original Message-----
> From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, May 27, 1999 10:45 AM
> To: [EMAIL PROTECTED]
> Subject: Re: DCOM on Gauntlet
>
>
>
> >Using a firewall, you add a layer of security, even if it's not
> >perfect. For example, you can specify what addresses are allowed to use
> >the protocol, and also the direction of communication (I believe the
> >original poster wanted to be able to use DCOM outgoing, not incoming).
> >While this isn't perfect, I hope you'll agree that it's far better than
> >having no firewall at all.
>
> Agreed, but if you're going to use your firewall like a glorified router,
> you might as well just be using a router. ACLs (especially Cisco's
> reflexive ACLs) could support your DCOM application just as well as a
> firewall. I'll submit that firewall logging can provide you with useful
> knowledge about your network, but otherwise your firewall isn't really
> adding any value. The firewall's "layer of security" becomes increasingly
> thin.
>
> Indeed, if there's one common theme running through these various and
> sundry posts, it's that perimeter security alone isn't enough to provide
> acceptable security. The explosion of new, complicated and untested
> protocols complicates the firewall's job. This, coupled with the vendor
> rush to "support" all of these new protocols, IMHO results in watered-down,
> least-common-denominator products. ("What, your firewall doesn't support
> the new FOOBAR.32359846736 Bitwise Inverse Transient Data Punch-Through and
> Corruption Protocol? Well, we're not going to buy it unless it does!")
>
> So, do the best you can with the firewall you've got, but at the end of the
> day you're still going to have a gap. You'll have to use other tools (host
> security, application security, data and/or network encryption, strong
> authentication, additional filtering, app proxies, any or all of the above)
> at the client end and the back-end to close that gap.
>
> Maybe it's time we renamed the list "General-Purpose Network Security"
> instead of "Firewalls." Think GNAC will go for it?
>
> My 0.019999998 cents worth (Pentium Error)
>
> Regards,
>
> Christopher Zarcone
> Network Security Consultant
> RPM Consulting, Inc.
> My opinions are not necessarily the opinions of my employer
> #include <std.disclaimer.h>
>
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
*****************************************************************************
The information in this email is confidential and may be legally privileged.
It is intended solely for the addressee. Access to this email by anyone else
is unauthorized.
If you are not the intended recipient, any disclosure, copying, distribution
or any action taken or omitted to be taken in reliance on it, is prohibited
and may be unlawful. When addressed to our clients any opinions or advice
contained in this email are subject to the terms and conditions expressed in
the governing KPMG client engagement letter.
*****************************************************************************
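The "signature generators to detect modifications of system files" the reply asks for are what Tripwire-style file integrity checkers do. The following Python is an added illustration, not code from either message in this thread: it takes a baseline of SHA-256 content hashes, sizes and permission bits for every file under a directory, seals the baseline with an HMAC under a key that has to live off the monitored host (otherwise whoever replaces the login binary can rewrite the baseline to match), and later reports what was modified, added or removed. The directory layout, file names and key used in demo() are constructed for the example; mtime is left out of the fingerprint on purpose, since an intruder can reset it with touch.

```python
"""Tripwire-style file integrity check: baseline, seal, compare.
Added example, not code from the mailing-list thread. The files and key
built inside demo() are constructed for illustration only."""
import hashlib
import hmac
import json
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Record = Tuple[str, int, int]  # (sha256 hex digest, size in bytes, permission bits)


def fingerprint(path: str) -> Record:
    """Hash the file contents and record size and mode. mtime is deliberately
    not included: an attacker resets it trivially, the content hash they cannot."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.lstat(path)
    return (h.hexdigest(), st.st_size, stat.S_IMODE(st.st_mode))


def snapshot(root: str) -> Dict[str, Record]:
    """Fingerprint every regular file under root, keyed by path relative to root."""
    result: Dict[str, Record] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a production tool would record link targets as well
            result[os.path.relpath(full, root)] = fingerprint(full)
    return result


def seal(baseline: Dict[str, Record], key: bytes) -> bytes:
    """Serialise the baseline and append an HMAC-SHA256 tag. The key must be
    kept off the monitored host, or the baseline is only as trustworthy as
    the machine it is supposed to check."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def unseal(blob: bytes, key: bytes) -> Dict[str, Record]:
    """Verify the tag before trusting anything in the baseline."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline failed integrity check: wrong key or tampered file")
    return {path: tuple(rec) for path, rec in json.loads(body).items()}


def compare(baseline: Dict[str, Record], current: Dict[str, Record]) -> Dict[str, List[str]]:
    """Report files whose fingerprint changed, plus files added and removed."""
    report: Dict[str, List[str]] = {"modified": [], "added": [], "removed": []}
    for path, rec in sorted(current.items()):
        if path not in baseline:
            report["added"].append(path)
        elif rec != baseline[path]:
            report["modified"].append(path)
    report["removed"] = sorted(p for p in baseline if p not in current)
    return report


def demo() -> Dict[str, object]:
    """Constructed scenario: take a sealed baseline of a tiny tree, then replace
    the login binary, plant a .rhosts file, delete motd, and run the comparison.
    Also show that editing the stored baseline trips the HMAC check."""
    key = b"demo-key-kept-off-host"  # constructed; use a real secret in practice
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"\x7fELF original login")
        with open(os.path.join(root, "motd"), "wb") as f:
            f.write(b"welcome\n")
        sealed = seal(snapshot(root), key)

        # The intrusion: trojaned login, a permissive .rhosts, motd removed.
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"\x7fELF trojaned login")
        with open(os.path.join(root, ".rhosts"), "wb") as f:
            f.write(b"+ +\n")
        os.remove(os.path.join(root, "motd"))

        report = compare(unseal(sealed, key), snapshot(root))

        tampered = bytearray(sealed)
        tampered[0] ^= 1  # one flipped bit in the stored baseline
        try:
            unseal(bytes(tampered), key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return {"report": report, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it as a script to see the report; in real use the baseline is taken on a freshly built host, the sealed file and key are stored elsewhere, and the comparison runs from trusted media so that a replaced sha256sum or python binary cannot lie about itself.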