From: "Neil Schneider" <[EMAIL PROTECTED]>
Gabriel Sechan said:
>
> One problem with his enumerating badness point- if you do
> the opposite and lock down anything but a list of apps, it
> can be hard to get things done. Who here hasn't needed to
> write a quick program, or dl one from the web to get
> something done before? Multiply that by everyone in a
> company. If you had to get approval for every little app,
> you'd be in major trouble.
You're a programmer, right? This is a typical programmer's point of
view. Marcus Ranum is a security expert. His point of view is in
securing the network from intrusion. I can relate. I can't count the
number of times I've had requests to create holes in firewalls without
regard to the security consequences. I don't consider myself to be the
kind of expert that Marcus is, but I know enough to know that he is
right.
You can't predict all the possible threats to your network from the
outside, so you have to start from a deny everything, allow what is
required baseline. Otherwise you won't even see the attacks coming,
because they're so numerous. I've monitored the logs of a new firewall
I brought on-line, with a new connection, on a newly assigned IP. The
attacks are almost instantaneous with the connection.
Yes, I'm a programmer. But did you RTA? That section wasn't about ports
and network traffic, but about virus checkers, spyware preventers, etc. The
point was that nothing should *run* on the computer unless it was
pre-authorized. Then we wouldn't need the above. Sure, it's one hell of a
lot more secure, but it has a huge negative impact on productivity. I'd say
(and think most would agree) that the negative impact on productivity
outweighs the positive on security. On the other hand, for external
requests through the firewall I can understand your point (but wait, here
comes SOAP and tunneling everything over port 80 to screw it all up anyway).
> Another with his penetrate and patch point- there is no
> other way. Writing 100% secure software is at a minimum
> extremely difficult. It may not even be possible (how do
> you prove a negative? What if someone comes up with a
> whole new technique?).
I think what he's trying to point out is that standard good
programming practices, that should be taught in most courses, will
stop more exploits than trying to patch, to the exploit, already badly
written software.
I didn't get that at all. If that was his point, he needs a lot of work at
editing his articles.
Gabe
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
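The disagreement above is really about two policy shapes: "enumerating badness" (run or accept anything not on a blocklist) versus "default deny" (run or accept only what is on an allowlist), and the two costs each one carries. The following Python is an added example for this thread, not code from either poster or from Marcus Ranum's article; the ports, program paths and the KNOWN_BAD / ALLOWED sets are constructed sample data. It applies both policies to the same constructed events, covering both halves of the argument (firewall ports and program launches), and scores the attacks each policy lets through against the legitimate work each one blocks.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Event:
    kind: str     # "connect" for an inbound network connection, "exec" for a program launch
    subject: str  # port for connections, program path for launches
    legit: bool   # ground truth, used only to score the outcome afterwards


# Constructed sample events (hypothetical ports and paths, not real log data).
SAMPLE_EVENTS: List[Event] = [
    Event("connect", "tcp/22", True),               # admin ssh, expected
    Event("connect", "tcp/80", True),               # the public web server
    Event("connect", "tcp/1433", False),            # probe on a DB port we never meant to expose
    Event("connect", "tcp/31337", False),           # probe on a port nobody has written a rule for yet
    Event("exec", "/opt/corp/mailclient", True),    # sanctioned application
    Event("exec", "/home/gabe/quicktool", True),    # the "quick program" from the thread
    Event("exec", "/tmp/known-worm.bin", False),    # malware that already has a signature
    Event("exec", "/tmp/brand-new-dropper", False), # malware nobody has a signature for yet
]

# Enumerating badness: everything runs or connects unless it is on this list.
KNOWN_BAD = {"tcp/1433", "/tmp/known-worm.bin"}

# Default deny: nothing runs or connects unless it is on this list.
ALLOWED = {"tcp/22", "tcp/80", "/opt/corp/mailclient"}

Policy = Callable[[Event], str]


def blocklist_policy(event: Event) -> str:
    """The virus-checker / 'allow anything but the bad list' shape."""
    return "deny" if event.subject in KNOWN_BAD else "allow"


def default_deny_policy(event: Event) -> str:
    """The 'deny everything, allow what is required' baseline."""
    return "allow" if event.subject in ALLOWED else "deny"


def score(policy: Policy, events: List[Event]) -> Dict[str, int]:
    """Count the two kinds of mistake the thread argues about."""
    bad_allowed = 0   # attacks that get through: the security cost
    legit_denied = 0  # honest work that is blocked: the productivity cost
    for ev in events:
        verdict = policy(ev)
        if verdict == "allow" and not ev.legit:
            bad_allowed += 1
        if verdict == "deny" and ev.legit:
            legit_denied += 1
    return {"bad_allowed": bad_allowed, "legit_denied": legit_denied}


def compare(events: List[Event] = SAMPLE_EVENTS) -> Dict[str, Dict[str, int]]:
    """Run both policies over the same events and return their scores side by side."""
    return {
        "blocklist": score(blocklist_policy, events),
        "default_deny": score(default_deny_policy, events),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:13s} attacks let through={result['bad_allowed']}"
              f"  legitimate work blocked={result['legit_denied']}")
```

On the sample data the blocklist lets both "never seen before" items through (the odd port and the unsigned dropper) while blocking nothing legitimate; default deny lets nothing bad through but blocks the one-off tool, which is exactly the productivity trade-off the reply objects to. The two numbers are the knobs an allowlist programme has to manage: the second one is the cost of making the first one zero, and it is driven entirely by how quickly legitimate new items can be added to ALLOWED.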