Which, once again, leads us down an interesting path...

You're pointing out, in a way, the basic problem with current OSes. There
are no stable desktop OSes that people want to leave in production for a
couple of years. We can do it with some servers, but that's only a fraction
of the battle. That means that we're forever trying to patch desktop OSes on
the fly. Worse still, we'll not be done patching before a new version comes
out and we "have" to upgrade.

Clearly you find this moving target battle frustrating. Lots of people do.
The fact still remains, though, that to provide best effort security it's
more and more important to harden the whole network. That includes the OS.
It sucks, yes, but you just can't fix this problem with a firewall as we
talk about the term today.

Essentially, until someone with a Giant Brain can work out a way to provide
ubiquitous protection for networks that doesn't rely on a single chokepoint
and can do something about tunneling, trojans and viruses, there are only two
choices. 

1. You patch everything, all the time and you run harsh policies about
untrusted code 
OR
2. You don't have a secure network. 

Lots of people forget, though, that it's OKAY not to have a secure network.
It really is. If you're not a high threat target and if you've done the risk
assessments on your existing model and if you're comfortable that a breach
won't sink your business you can just live with it. Secure networks suck,
anyway - who wants to work in one? They're a pain in the ass. Sadly, some
people need them. You may be one of those people. However, if you're NOT
then just take an appropriate risk position - it's knowing that you've got
the "appropriate" bit right that's critical, IMO.

Cheers,

--
Ben Nagy
Marconi Services
Network Integration Specialist
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304

> -----Original Message-----
> From: Loren Wagner [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 14 December 2000 12:27 
> To: [EMAIL PROTECTED]
> Subject: Re: Undesired outbound data "leaking" - the next frontier?
> 
> 
> Boy, do I agree with the first comments from elvene!  I get so tired and
> frustrated with the arrogant drivel thinking that everyone connected to
> anything is going to have or buy or hire everything that it takes to be
> "secure" based on whose opinion??!!  The concept that if we don't jump and
> install every product patch that comes out for every potential vulnerability
> whenever it occurs is ridiculous.  I think the latest DoS attack is one that
> adheres to the following model:  let's just keep throwing crap at them until
> they can't do anything but apply the latest patch that will no doubt
> introduce new bugs/vulnerabilities and the hackers (if you want to call them
> that) have infinite entertainment!!  PLEASE.... give me a break.  JMHO....
> 
> Loren