Re: [fw-wiz] Firewalling at the domain users level instead of network level

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 07/20/04

  • Next message: Dana Nowell: "Re: [fw-wiz] iso 17799"
    To: Chuck Swiger <chuck@codefab.com>
    Date: Tue, 20 Jul 2004 14:40:22 -0400 (EDT)
    
    

    On Tue, 20 Jul 2004, Chuck Swiger wrote:

    > There exists a multitude of reasons, agreed. To the extent that the reasons
    > are valid and relevant to the situation at hand, then having a policy which
    > reflects these per-user concerns is reasonable.
    >

    Thanks, I was a little worried by what seemed initially to be a "let them
    all eat cake!" security policy.

    [snip]

    > ACK!! For shame, Paul! :-)
    >
    > The right way to think about this is that there should be zero people who have
    > the Administrator password, and only the simple necessity of needing to login
    > as admin for the machine once in a while means that somebody-- hopefully an
    > admin who cares about security-- has to know what the password is.

    That was a "Heck, if they can all do what any of them can do"
    illustration- I just like to illustrate with blunt force trauma.

    >
    > For that matter, MacOS X does a pretty good job of "not having an admin
    > password or root user at all" for a Unix-derived operating system.
    > Recommending sudo by default and also providing reasonable integration of
    > re-asking the user to type in a password to obtain privileges when running the
    > GUI package installer or system patch tool beats the heck out of most
    > alternatives in terms of security.

    I'm not sure that's all that true. I can probably get root on OSX
    relatively easily if I need it (I enable it on my laptop anyway). The real
    key is to stop from being vulnerable, and Apple needs to be a bit quicker
    on updates and a bit more open about communication (I tried to find out if
    OSX was vulnerable to a BSD stack issue a while back and got *nowhere*).

    > If Windows made components downloaded in IE bring up a password dialog before
    > installing/running them, that platform's security would suck less than it
    > currently does. But I could be wrong about this, too: some people seem to
    > think that a web browser which auto-downloads and runs plugins without asking
    > for user confirmation just because you got emailed a link is fine and dandy
    > and user-friendly and all. [3]

    There'd be a "Save my password" checkbox anyway...

    > [1]: Perhaps I am biased towards concluding that "per-user firewall stuff
    > isn't worth the cost", but if so, that bias is towards being too safe, and is
    > thus more tolerable than being biased towards poor security. I don't really
    > trust Microsoft's ISA Server to be secure on the box itself, much less offer
    > per-user firewall capabilities that I would choose to rely on over PF/IPFW.

    As I said, I wouldn't use it as a primary device, but the per-application
    permissioning stuff looks really interesting.

    > [2]: Does anyone evaluate security products in terms of their security
    > anymore, rather than their claimed feature set and performance?

    Yes. Our ICSALabs certifications don't include GUIs, performance or
    number of checkboxes...

    > Maybe the kindly vendor hosting their mailing list has some opinions, but
    > there's a certain amount of pay-to-play with their certifications that's not
    > so different from the ISO-17799 consultants and certifications we were just
    > talking about in a parallel thread. [ Not trying to pick on anybody, but fair
    > is fair... ]

    I've looked at the Labs programs, some of them in a fair amount of detail,
    and I've contributed my .02 cents here and there. I think, for the most
    part, they're a good measure of "must be this functional to play in this
    space." I certainly wouldn't pick anything that didn't pass our criteria
    in AV, Firewall or IPSec (those are the programs I'm most familiar with)
    without significant trust[1].

    Sure, there's pay-to-play and it can equate to "the only ones getting rich
    are the consultants" - except, we're not getting rich off of it, and the
    state of the art is better for it- I'd be happy to ramble on, but it's
    probably not appropriate on-list, given that I get to choose what gets
    posted ;)

    Paul
    [1] My home firewall isn't a certified product.
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

