Stewart Stremler wrote:
<snip>
> Let's say you dump the firewall in favor of host-based security. It
> is difficult to configure the host-based security to let you print
> to the network printer, so you turn it _off_ to print. If you're
> printing a bunch of stuff, you'll turn it off and leave it off, and
> when you're done, you _might_ remember to turn it back on.
I agree with all of the above. To make host-based security work you need
a system to enforce the host-based security and ensure that people do
not turn it off. Mere users should not have access to the security
policy of a system and should not be able to turn things off. It should
also be able to configure the security policy so that people can print
without giving up all of their security. The reason we don't use more
host-based security is because our OS suppliers do not give us the tools
to manage it, or when they do, the tools are too complicated.
> How long can an unprotected machine be on the Internet before it gets
> compromised, assuming it has no protection in place? One minute? Two?
That depends greatly on the kind of machine. Someone did a pretty decent
study on this. Windows boxes were taken down in minutes and Linux and
other Unixes took days to weeks, or something like that. Anyone have the
pointer on this?
> I'll take crunchy-on-the-outside-chewy-on-the-inside any day of the
> week over crunchy-for-all-but-an-hour-a-day-when-I-drop-my-pants. If
> I'm going to blow holes in my firewall so that "stuff will work", I'm
> going to do equally stupid things if I dispense with the firewall. So
> it's not a fair comparison to whine about how firewalls don't protect
> our networks from stupid network administrators and malicious users.
You are right that firewalls don't protect networks from stupid
administrators and malicious inside users. My point was that they are
over-hyped, as you pointed out.
--
Tracy R Reed
http://ultraviolet.org
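The thread's point about host-based security is that the policy has to be enforced and checked, not left for each user to switch off when printing gets in the way. The script below is an added example, not code from either poster: it audits a Linux host firewall dumped in `iptables-save` format and flags the two failure modes discussed above, the "turned it off to print" state (default ACCEPT policies) and the "blow a hole in it" state (an allow rule broader than the printer it was meant for). The printer address, the IPP/JetDirect ports and all three sample rulesets are constructed for the example.

```python
"""Audit a host firewall ruleset (iptables-save text) against a narrow
allow-list, so that "turn it off to print" is detected rather than tolerated.

Added example for the thread above; the printer host, ports and the
sample rulesets are constructed, not taken from any real system.
"""
import re

# Constructed allow-list: the one network printer this workstation may reach,
# over IPP (tcp/631) and raw JetDirect (tcp/9100).
PRINTER_HOST = "192.0.2.10/32"
PRINTER_PORTS = {("tcp", "631"), ("tcp", "9100")}

POLICY_RE = re.compile(r"^:(\w+)\s+(ACCEPT|DROP|REJECT)\s+\[")
RULE_RE = re.compile(r"^-A\s+(\w+)\s+(.*?)\s+-j\s+(\w+)\s*$")


def _opt(rule_body, flag):
    """Return the value following an iptables option such as -d or --dport."""
    m = re.search(rf"(?:^|\s){re.escape(flag)}\s+(\S+)", rule_body)
    return m.group(1) if m else None


def audit(ruleset):
    """Return a list of findings; an empty list means the policy is as intended."""
    findings = []
    for line in ruleset.splitlines():
        line = line.strip()
        m = POLICY_RE.match(line)
        if m:
            chain, policy = m.groups()
            if chain in ("INPUT", "OUTPUT") and policy == "ACCEPT":
                findings.append(f"{chain}: default policy ACCEPT (filtering effectively off)")
            continue
        m = RULE_RE.match(line)
        if not m or m.group(3) != "ACCEPT":
            continue
        chain, body, _target = m.groups()
        if "-i lo" in body or "-o lo" in body:
            continue  # loopback traffic is always fine
        state = _opt(body, "--ctstate") or _opt(body, "--state")
        if state in ("ESTABLISHED,RELATED", "RELATED,ESTABLISHED"):
            continue  # replies to connections the host itself opened
        if (chain == "OUTPUT"
                and (_opt(body, "-p"), _opt(body, "--dport")) in PRINTER_PORTS
                and _opt(body, "-d") == PRINTER_HOST):
            continue  # the scoped printer exception the thread argues for
        findings.append(f"{chain}: unexpected allow rule: {line}")
    return findings


# Constructed sample 1: printing allowed, everything else still dropped.
SCOPED_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d 192.0.2.10/32 -p tcp -m tcp --dport 631 -j ACCEPT
-A OUTPUT -d 192.0.2.10/32 -p tcp -m tcp --dport 9100 -j ACCEPT
COMMIT
"""

# Constructed sample 2: the "turned it off to print" state.
SWITCHED_OFF_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

# Constructed sample 3: a hole blown for "stuff to work": IPP to any host.
HOLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 631 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for name, rules in (("scoped", SCOPED_RULES),
                        ("switched off", SWITCHED_OFF_RULES),
                        ("hole", HOLE_RULES)):
        print(name, "->", audit(rules) or "OK")
```

On a real host the input would be the output of `iptables-save` run by a privileged agent on a schedule, which is the "system to enforce host-based security" the reply calls for: users never need the ability to change the policy, and a non-empty finding list is the signal that someone did.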
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list