Gabriel Sechan said:
>
>>From: "Neil Schneider" <[EMAIL PROTECTED]>
>>Gabriel Sechan said:
>>
>> > One problem with his enumerating badness point- if you do
>> > the opposite and lock down anything but a list of apps, it
>> > can be hard to get things done. Who here hasn't needed to
>> > write a quick program, or dl one from the web to get
>> > something done before? Multiply that by everyone in a
>> > company. If you had to get approval for every little app,
>> > you'd be in major trouble.
>>
>>You're a programmer, right? This is a typical programmer's point of
>>view. Marcus Ranum is a security expert. His point of view is in
>>securing the network from intrusion. I can relate. I can't count the
>>number of times I've had requests to create holes in firewalls without
>>regard to the security consequences. I don't consider myself to be the
>>kind of expert that Marcus is, but I know enough to know that he is
>>right.
>>
>>You can't predict all the possible threats to your network from the
>>outside, so you have to start from a deny everything, allow what is
>>required baseline. Otherwise you won't even see the attacks coming,
>>because they're so numerous. I've monitored the logs of a new firewall
>>I brought on-line, with a new connection, on a newly assigned IP. The
>>attacks are almost instantaneous with the connection.
>
> Yes, I'm a programmer. But did you RTA? That section
> wasn't about ports and network traffic, but about virus
> checkers, spyware preventers, etc. The point was that
> nothing should *run* on the computer unless it was
> pre-authorized. Then we wouldn't need the above. Sure, it's
> one hell of a lot more secure, but it has a huge negative
> impact on productivity.
Everyone thinks they know what's secure and safe to run, but very few users actually do. It's much simpler and easier to enforce a rule that says "unauthorized software shall not be installed" than to try to make a list of software that can be installed and a list of software that can't. I think that's Marcus' point. Productivity is impacted heavily by systems that become unusable due to unauthorized software being installed. Productivity is impacted by systems that are infected with worms, viruses and trojan horses. And these things arrive inside a network, through the installation of unauthorized software, all the time.

> I'd say
> (and think most would agree) that the negative impact on productivity
> outweighs the positive on security. On the other hand, for external
> requests through the firewall I can understand your point (but wait, here
> comes SOAP and tunneling everything over port 80 to screw it all up
> anyway).

I think you're confusing productivity with convenience. No, I wouldn't agree, and that's the point. Security always impacts usability. That's why so much of Microsoft's software has so many security holes, because they emphasize usability at the expense of security. If programmers continue to abuse port 80, corporate firewalls will soon block all access to port 80 or install full stateful proxies that can detect non-http traffic on that port and block it. If you want to talk about inconvenience, try operating with a full proxy firewall for a while and see how it inconveniences you.

>>
>> > Another with his penetrate and patch point- there is no
>> > other way. Writing 100% secure software is at a minimum
>> > extremely difficult. It may not even be possible (how do
>> > you prove a negative? What if someone comes up with a
>> > whole new technique?).
>>
>>I think what he's trying to point out is that standard good
>>programming practices, that should be taught in most courses, will
>>stop more exploits than trying to patch, to the exploit, already badly
>>written software.
>>
> I didn't get that at all. If that was his point, he needs a lot of work at
> editing his articles.
>
> Gabe
>
> --
> [email protected]
> http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list

--
Neil Schneider pacneil_at_linuxgeek_dot_net http://www.paccomp.com
Key fingerprint = 67F0 E493 FCC0 0A8C 769B 8209 32D7 1DB1 8460 C47D

Secrecy, being an instrument of conspiracy, ought never to be the system of a regular government.
- Jeremy Bentham, jurist and philosopher (1748-1832)
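Added illustration, not part of the thread above: the two policies being argued over, applied to the "non-http traffic on port 80" case Neil raises. One check enumerates badness (a denylist of tunnel signatures it happens to know), the other is default-deny (pass only what parses as an HTTP/1.x request head). The signatures, the sample byte strings and the function names are constructed for this example.

```python
import re

# Request line per HTTP/1.x: METHOD SP request-target SP HTTP/1.x CRLF
_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT) [^ \r\n]+ HTTP/1\.[01]\r\n$"
)
# header-name ":" anything-but-CRLF CRLF  (token characters per the HTTP grammar)
_HEADER_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[^\r\n]*\r\n$")

# "Enumerating badness": the tunnels we know about today (constructed list).
KNOWN_BAD_PREFIXES = (
    b"SSH-",        # OpenSSH banner sent over port 80
    b"\x16\x03",    # TLS record header on a plain-HTTP port
)


def denylist_verdict(first_bytes: bytes) -> str:
    """Block only what matches a known-bad signature; pass everything else."""
    for sig in KNOWN_BAD_PREFIXES:
        if first_bytes.startswith(sig):
            return "BLOCK"
    return "ALLOW"


def allowlist_verdict(first_bytes: bytes) -> str:
    """Default deny: pass only a complete, well-formed HTTP/1.x request head."""
    head, sep, _body = first_bytes.partition(b"\r\n\r\n")
    if not sep:                       # no complete header block in what we saw
        return "BLOCK"                # (a real proxy would buffer, then drop on timeout)
    lines = head.split(b"\r\n")
    if not _REQUEST_LINE.match(lines[0] + b"\r\n"):
        return "BLOCK"
    for line in lines[1:]:
        if not _HEADER_LINE.match(line + b"\r\n"):
            return "BLOCK"
    return "ALLOW"


# Constructed first-bytes of three port-80 connections; not captured traffic.
SAMPLES = {
    "browser":      b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "ssh_tunnel":   b"SSH-2.0-OpenSSH_4.3\r\n",
    "novel_tunnel": b"TUN1 open internal-db\r\nToken: abc\r\n\r\n",  # made-up protocol
}


def compare(samples=SAMPLES):
    """Return {name: (denylist verdict, allowlist verdict)} for each sample."""
    return {name: (denylist_verdict(d), allowlist_verdict(d)) for name, d in samples.items()}
```

The denylist passes the made-up tunnel it has no signature for; the default-deny check blocks it without needing to know it exists, which is the whole difference between the two approaches.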
