Paul Robertson wrote:
>
> On Fri, 5 Apr 2002, Mikael Olsson wrote:
> > [shoot manglement, shoot clueless developers]
>
> If we shoot all the lusers, the problem resolves itself ;)
Bwhaha.. [1]
> [on L7 inspection]
> There's an interesting counter-argument that entails giving up trying to
> control what the lusers do. Give them AV, give them a desktop protection
> product, and make them gateway in to the corporate resources, or give them
> "remote display" access only (Citrix, Terminal Server, Xwindows...)
Interesting. I think I hate it, but, nevertheless, interesting.
Doesn't this sort of break horribly as soon as someone lands a trojan
on one of those desktops?
(I myself generally use remote display type stuff to tunnel OUT to
less secure networks rather than the other way around so I haven't
given too much thought to it.)
> > But then again, the everyday admin wants to run so darn many
> > protocols, and so insecure apps, that I'm unsure that a
>
> It's not the admin that wants that stuff, it's the admin that has to
> enable that stuff, and when it's a checkbox with no consistency of
> inspection or tracking it doesn't matter which type of firewall you have.
> There are enough bad examples on all sides.
Sheesh, aren't you staying current? ;)
The everyday admin these days isn't getting high blood pressure over
users and management demanding new services. The everyday admin these
days is the tech-savvy luser that wants to run kazaa to get movies and
games, and then play said games, and that swears over firewall vendors
being slow in supporting SIP and NAT traversal through UPnP [2].
> The companion rant is about trying to do security on general-purpose OSen.
> But that battle is either lost or yet to be fought well- depending on your
> level of optimism.
Nicely put :)
--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com
[1] For bored sysadmins: http://lart.badf00d.org
[2] UPnP looks like a nice can of worms. I wonder who'll be first in
convincing some internal application to bore inbound holes through
UPnP-enabled firewalls for them.
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls