Hi Ben,
At 08:53 05/09/00 +0930, Ben Nagy wrote:
>[many people asserting that perfect firewalls exist]
can you give us names? Cos' I don't see who said that!
Personally, I said:
"in theory, perfect firewalls do exist. This means that there is hope
to see one someday, and also that this is a good thing to work on."
so, check the words: "in theory", "there is hope", "work on". none of
these induces actual existence.
>Nah.
Ben, if you find someone in this thread who has said that
a perfect security solution exists, I'll ask you to tell me,
cos' I probably missed some messages here :)
In case you think that's me, let me just clarify things.
In my language, vocabulary, opinion, ... a firewall is a tool
that implements network access control, nothing more.
It is not a policeman running in the office to "arrest" security
attacks. I don't think I invented this definition, since it is
similar to that found in http://www.interhack.net/pubs/fwfaq
for example.
Moreover, "theoretical existence" means it is a model, and doesn't mean
you can reach it. so one has to work to try to reach it...
>I'm with the Mikes.
I'm with myself...
>Faith and Optimism are both dangerous traits in a security person, IMO. One
but who ever claimed to have faith in security products?
I feel my words are used in completely different contexts. grrrr:{
I talked about faith in a completely different context: I was meaning that
I can hardly give a proof of something that would exist, so it's
a matter of faith, that is, feeling: you can agree, you can disagree,
but you can't argue.
>should never have "faith" that a system is secure because that reduces one's
>drive to audit. One should never be optimistic about the likelihood of a
>class of attack - that reduces one's commitment to close the hole.
we agree on this, but I still don't see how this is related to the thread.
Besides, I have faith that a system will always do what the compiler tells
it to do, and I'm optimistic that things will get better someday. But this
doesn't make me an irresponsible guy: I won't assume a product is secure
just because it's written in the documentation...
>Security is about smart people who are good at assessing risks. Never forget
>what a _business_ wants out of security - they want a managed risk position
>without spending more money than is required. They don't perfect security -
>they want ENOUGH security. It's working out exactly how much is "enough"
>that's the hard part.
so here we come! you're talking about "security" when I'm talking about
"firewalls".
While these are related, you can't interchange words. a complete security
solution may contain one or more firewalls, but may also contain IDS,
host-based-security solutions, skilled administrators, user education, ...
Cheers,
mouss