Re: [fw-wiz] A fun smackdown...
From: Joseph S D Yao (jsdy_at_center.osis.gov)
Date: 05/20/05
- Previous message: Tichomir Kotek: "Re: [fw-wiz] Thoughts on the new Cisco ASA 5500 firewalls"
- In reply to: Chuck Swiger: "Re: [fw-wiz] A fun smackdown..."
- Next in thread: Chuck Swiger: "Re: [fw-wiz] A fun smackdown..."
- Reply: Chuck Swiger: "Re: [fw-wiz] A fun smackdown..."
- Reply: Marcus J. Ranum: "Re: [fw-wiz] A fun smackdown..."
To: Chuck Swiger <chuck@codefab.com>
Date: Fri, 20 May 2005 10:16:04 -0400

On Thu, May 19, 2005 at 09:57:42AM -0400, Chuck Swiger wrote:
> On May 19, 2005, at 9:04 AM, Paul D. Robertson wrote:
> >On Tue, 17 May 2005, Martin wrote:
> >>"Be liberal in what you accept; be strict in what you send."
> >
> >_All_ effective security controls break that tenet. The more liberal
> >your controls, the more risk you assume.
>
> There is more to an effective security control than only denying stuff!
...
I'm not sure what all the argument is about. Perhaps we are agreeing at
the top of our lungs?

I remember a discussion in the 1970s which concluded that PURE security
is exactly opposed to PURE utility. The most secure computer would be
unplugged and buried beneath tonnes of rock. Not particularly usable.
The most usable computer would have open access for everybody. Not
particularly secure. I don't think anyone here was in that discussion,
but it kind of clarified the pure concepts.

Soon after the firewall idea was made known, and after people who
weren't clear on the balance of security and utility started getting
hold of it, Marcus Ranum introduced his Ultimately Secure Firewall -
which does indeed disallow all network traffic.
<URL: http://www.ranum.com/security/computer_security/papers/a1-firewall/>

Ah, I see he has now made it the Ultimately Secure Intrusion Prevention
System ("featuring signature-less anomaly detection and blocking
technology!!"). ;-)

The SECURITY PERSON'S JOB, along with the systems and networks
administrators, is to achieve the best balance between maximum security
and maximum utility. Chuck, I think that this is what you were thinking
of, vice Paul's insistence on what the pure functions were. I think
that Paul would agree with this, if he has not been all along.

-- Joe Yao
-----------------------------------------------------------------------
This message is not an official statement of OSIS Center policies.