Re: [fw-wiz] A fun smackdown...
From: Chuck Swiger (chuck_at_codefab.com)
Date: 05/20/05
- Previous message: ArkanoiD: "Re: [fw-wiz] Thoughts on the new Cisco ASA 5500 firewalls"
- In reply to: Joseph S D Yao: "Re: [fw-wiz] A fun smackdown..."
- Next in thread: Joseph S D Yao: "Re: [fw-wiz] A fun smackdown..."
- Reply: Joseph S D Yao: "Re: [fw-wiz] A fun smackdown..."
- Reply: Devdas Bhagat: "Re: [fw-wiz] A fun smackdown..."
- Reply: Carson Gaspar: "Re: [fw-wiz] A fun smackdown..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Joseph S D Yao <jsdy@center.osis.gov>
Date: Fri, 20 May 2005 11:55:38 -0400
Joseph S D Yao wrote:
> On Thu, May 19, 2005 at 09:57:42AM -0400, Chuck Swiger wrote:
>> On May 19, 2005, at 9:04 AM, Paul D. Robertson wrote:
>>> On Tue, 17 May 2005, Martin wrote:
>>>> "Be liberal in what you accept; be strict in what you send."
>>>
>>> _All_ effective security controls break that tenet. The more liberal
>>> your controls, the more risk you assume.
>>
>>There is more to an effective security control than only denying stuff!
>
> ...
>
> I'm not sure what all the argument is about. Perhaps we are agreeing at
> the top of our lungs?
Nope. I am convinced that there is some real disagreement lurking amongst the
loud agreement. :-)
> I remember a discussion in the 1970s which concluded that PURE security
> is exactly opposed to PURE utility. The most secure computer would be
> unplugged and buried beneath tonnes of rock. Not particularly usable.
> The most usable computer would have open access for everybody. Not
> particularly secure. I don't think anyone here was in that discussion,
> but it kind of clarified the pure concepts.
Sure, this defines security much the way that Paul does: the more stuff the
system denies, the more "secure" it is. A door lock which rejects all keys,
even a good key, is more "secure" than a lock which rejects only invalid keys.
I find this definition to be self-consistent, but lacking, and would argue that
security consists of more than just being able to deny stuff really well.
Rule #1: Figure out what you are protecting.
Rule #2: Figure out what you are protecting against.
This includes risk of disclosure, risk of unauthorized access/modification,
loss of data, and loss of service availability, etc.
> Soon after the firewall idea was made known, and after people who
> weren't clear on the balance of security and utility started getting
> hold of it, Marcus Ranum introduced his Ultimately Secure Firewall -
> which does indeed disallow all network traffic.
>
> <URL: http://www.ranum.com/security/computer_security/papers/a1-firewall/>
Heh...I've passed on two or three times where I wanted to bring up Marcus'
wirecutters. :-)
But I think the fact that people are buying expensive 1U firewall boxes from
vendors rather than making Marcus rich from selling wirecutters proves my point
that permitting access is something that a security device needs to do to be
*useful*, barring exceptional cases.
--
-Chuck
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards