Re: [fw-wiz] A fun smackdown...

From: Carson Gaspar (carson_at_taltos.org)
Date: 05/20/05

    To: firewall-wizards@honor.icsalabs.com
    Date: Fri, 20 May 2005 17:45:52 -0400
    
    

    OK, I've kept my mouth shut so far, but...

    --On Friday, May 20, 2005 11:55 AM -0400 Chuck Swiger <chuck@codefab.com>
    wrote:

    > Sure, this defines security much the way that Paul does: the more stuff
    > the system denies, the more "secure" it is. A door lock which rejects
    > all keys, even a good key, is more "secure" than a lock which rejects
    > only invalid keys.
    >
    > I find this definition to be self-consistent, but lacking, and would
    > argue that security consists of more than just being able to deny stuff
    > really well.

    It comes down to how one defines "security". I think it's time to bring
    back the "security stool" analogy (I wish I could give proper attribution,
    but those neurons have gone missing...). Security consists of multiple
    attributes; this analogy breaks them down into 4 "legs" of the "stool":

    - Authentication (who are you)
    - Authorization (what are you allowed to do)
    - Availability (is the data accessible)
    - Authenticity (is the data intact)

    Attacking any of the "legs" seriously weakens or breaks the "stool". The
    nasty bit (and the source of the contention, it seems) is the
    "availability" part... and it all comes down to a risk decision. Which is
    worse, that an authorized person can't see the data, or that an
    unauthorized person can see it (and possibly damage it)? The answer is
    different for each case.

    -- 
    Carson