> From: "Neil Schneider" <[EMAIL PROTECTED]>
> Gabriel Sechan said:
> >
> > > From: "Neil Schneider" <[EMAIL PROTECTED]>
> > > Gabriel Sechan said:
> > > >
> > > > One problem with his enumerating badness point-  if you do
> > > > the opposite and lock down anything but a list of apps, it
> > > > can be hard to get things done. Who here hasn't needed to
> > > > write a quick program, or dl one from the web to get
> > > > something done before?  Multiply that by everyone in a
> > > > company. If you had to get approval for every little app,
> > > > you'd be in major trouble.
> > >
> > > You're a programmer, right? This is a typical programmer's point of
> > > view. Marcus Ranum is a security expert. His point of view is in
> > > securing the network from intrusion. I can relate. I can't count the
> > > number of times I've had requests to create holes in firewalls without
> > > regard to the security consequences. I don't consider myself to be the
> > > kind of expert that Marcus is, but I know enough to know that he is
> > > right.
> > >
> > > You can't predict all the possible threats to your network from the
> > > outside, so you have to start from a deny everything, allow what is
> > > required baseline. Otherwise you won't even see the attacks coming,
> > > because they're so numerous. I've monitored the logs of a new firewall
> > > I brought on-line, with a new connection, on a newly assigned IP. The
> > > attacks are almost instantaneous with the connection.
> >
> > Yes, I'm a programmer. But did you RTA? That section
> > wasn't about ports and network traffic, but about virus
> > checkers, spyware preventers, etc. The point was that
> > nothing should *run* on the computer unless it was
> > pre-authorized. Then we wouldn't need the above. Sure, it's
> > one hell of a lot more secure, but it has a huge negative
> > impact on productivity.
>
> Everyone thinks they know what's secure and safe to run, but very few
> users actually do. It's much simpler and easier to enforce a rule that
> says "unauthorized software shall not be installed" than to try to
> make a list of software that can be installed and a list of software
> that can't. I think that's Marcus' point. Productivity is impacted
> heavily by systems that become unusable due to unauthorized software
> being installed. Productivity is impacted by systems that are infected
> with worms, viruses and trojan horses. And these things arrive inside
> a network, through the installation of unauthorized software, all the
> time.

Productivity is more impacted if I can't download simple programs that I need to do my job. My daily salary is a few hundred dollars. Reimaging my disk once a week (or month) is far lower. Not that even that would be necessary- I've never had a virus on my work machine, and only through zero day vulnerabilities on my home.


> > I'd say
> > (and think most would agree) that the negative impact on productivity
> > outweighs the positive on security. On the other hand, for external
> > requests through the firewall I can understand your point (but wait, here
> > comes SOAP and tunneling everything over port 80 to screw it all up
> > anyway).
>
> I think you're confusing productivity with convenience.

Not really. I mean productivity. For example- a few days ago, I needed to download and open a .tar.gz on my windows box. I did what every reasonable person would do- I downloaded a program to do it for me (in my case, WinZip). If we used his idea, I couldn't have done that. In that case, I would have been UNABLE to work on my project until the program was approved. A similar situation hits every few weeks- either a dl is necessary to do my job, or will save me hours->days of work. And it's not always as trivial as an unzipper (which you could easily say should have been on the list already).

Absolute security would be nice. Unfortunately, it's not possible. With the current state of the art, we need to draw the line somewhere. I say complete lockdown of a desktop is too far, and costs more than it gains, both in dollars and in user frustration.


As for your comments on SOAP- I didn't say I like SOAP. I don't. But welcome to psychology- make something too inconvenient, and people will find ways around it. And those ways will probably screw up reasonable actions at the same time.

Gabe

--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list