Damian,
Please do note that the opinion I was defending is not passive at all.
(yes, [EMAIL PROTECTED] qualified this as passive, but his address suggests
that he works for ESC, a company that sells the product he mentioned;
and anyway, I wouldn't be proud of a message like his. See Ben's reply).
I argued that it's no good to waste resources/CPU/time/..., and that it's dangerous
to allow an attacker to get somewhere, even voluntarily, ...
If you feel this is passive, then why not open wide your network,
and try to catch anyone getting in. Is this active defense?
So you agree there is a trade-off somewhere? Where to put it is the subject
of this discussion. No method is passive or active.
My opinion (and it is certainly shared by many many people) is:
- read documentation, get software, ...
- use rigorous analysis to derive a satisfactory security policy
- implement this security policy
- check logs, read documentation, upgrade your soft, ....
That's the "rational one-shot" method
as opposed to:
- set up a covert server
- wait for intruders to come and catch them
- then use that to improve your security policy
which is the "trial & error" method.
[I am not trying to use a fancy name "rational..." for my choice and a less
fancy one for the other to manipulate your judgement. Although this is a
classical approach in communication, it will hardly work within this
community. I am simply trying to express my feeling about each one]
A fundamental difference is that the first approach focuses on securing
one's net, while the second focuses on catching crackers. One does not set up
security measures because he hates crackers, but because he wants to stay
secure.
Assume that the covert approach allows you to catch more and more crackers.
Then what?
There are new ones everyday. Amazingly, children do grow and people
change...
The world war example does not count here. The enemy was fully identified,
and not because anyone set up a covert country to make him think he was
gaining some space. He was not hiding himself as net crackers do... So is the
US army going to build a fake New York City, and when "suspected" people come
into the US, they are "diverted" there... ? This is not active security, this
is X-Files.
For me, I'd go with the famous chess principle: do not rely on your
opponent's errors. Sure, this does not make a great grand master, but acting
the opposite way won't either...
> From: Damian Gerow [mailto:[EMAIL PROTECTED]]
>
> I've really got to interrupt on this argument.
[text suppressed for brevity]
> World War. There's a flip side to everything.
>
> Just my two cents.
>